Is Data Center Operational Technology the weak link in the fight against cyber attacks?

Throughout industry, Industrial Control Systems (ICS) have long been targeted with cyber crime but now, more malicious and sophisticated strains of malware and ransomware are specifically targeting Operational Technology (OT) environments.

This is as the data center industry develops and forward-thinking operators are using techniques and approaches typical of more complex industrial facilities to drive innovation. Increasingly at Dial we are seeing this because while the infrastructure in a data center is focused on keeping the computers going, there is usually little or no focus on the security around the Operational Technology.

We recommend that organisations consider reclassifying Data Center Operational Technology (DCOT) environments to the same level or more, as corporate networks.

There is also a question around whose responsibility these networks are. Is it the engineering department because it is to do with the mechanics of the building? Is it the IT department because it has cyber written on it? Or is it security because they are in charge of protecting the building? In reality, responsibility should sit at the top of the organisation as the stakes are so high.

The true impact

The impact of any kind of security breach can be extremely damaging both financially and through longer term damage to brand reputation. It is somewhat ironic that in the data center world, the focus is firmly on avoiding downtime which is measured in seconds, minutes and for a serious outage, hours. When it comes to recovery from a cyber breach, though, it is measured in days, weeks, and months – it is a totally different landscape.

Financial impacts are similarly compounded. The Uptime Institute reports that one in ten major outages at a data center costs over £1m. However, the average cost of downtime is dwarfed when we start to look at the costs associated with a cyber breach. For example, in April 2020, IT services and data center provider, Cognizant, was hit by a ransomware attack that, it forewarned investors in July 2020, could cost it between $50m and $70m.

In addition to ransoms and operational recovery costs, there may be severe fines imposed as a result of subsequent regulatory investigation. For example, the EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for infringements. This type of regulation is already extending beyond personal data theft and is considering the impact to safety and disruption to national critical infrastructure.

However, the biggest loss to a data center in the end is that of trust. If the very company that houses its customers’ precious IT assets has allowed a data breach in its own systems or facility infrastructure, the resultant loss in confidence can be difficult to recover from and it is not a situation that a responsible stakeholder can ignore.

An open door

The fact is that there are scores of vulnerabilities in and around the data center facility itself, where increasingly clever hackers are able to get in and cause devastation, and where you are unlikely to be protected. Your DCOT comprises all the equipment and services embedded in your building, from your biometric, security and CCTV to your critical power and cooling, Internet of Things (IoT) devices and sensors, fire and life safety systems, remote monitoring tools, building management systems as well as control systems on multiple networks, which have many protocols and platforms such as BacNet, ModBus, SCADA, TCPIP, Distributed Control Systems (DCS), Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC).

In many cases, a building’s equipment will be at least partly maintained and serviced by external suppliers, in some cases remotely. With these engineers, from both operator and client teams entering the facilities with uncontrolled hardware, and the prolific use of IoT devices and out-of-band network facilities on plant and equipment, it is often an easy target for hackers.

It will get worse

As the sophistication of the data center infrastructure develops, and many smart building techniques integrated with control and automation systems are adopted, there is further risk that attackers will use evermore imaginative ways to find a back door even to the most highly secure, so-called ‘dark’ sites.

Conclusion

Data centers are amongst the most critical infrastructures in society because the data held in these facilities is increasingly vital to the way communities run. They are used to support utilities, hospitals and healthcare, food manufacturers, the logistics and transport industries, education, defence, and communications – all examples of key sectors that affect the very fabric of how the world runs. As a result, tomorrow is too late to start looking at the risk to DCOT, which underpins the facilities and organisations need to act fast.

Mike West CEO at DIAL Ltd

DIAL Ltd, the specialist company that provides a range of advisory and cyber security services to corporates, investment funds and owners and operators in the data center market and the wider digital infrastructure arena.