Free Cyber Security Analysis

For those with a significant stake or role in a data centre business, whether it’s for their own organisation or for others, it is important to understand that there is a very real cyber risk threatening data centre operators, creating a pre-eminent risk to their critical facility networks. Whilst some may hide behind the veil of physical security (certain data centres mention being ‘the most secure facilities in the world’, with sophisticated multi-layer protection zones and high-end systems), ironically the IoT devices used on these networks can be used by cyber criminals to get access to the broader DCOT network.

DCOT – the weak link?

Throughout industry, Industrial Control Systems (ICS) have long been targeted by cyber crime, but now more malicious and sophisticated strains of malware and ransomware are specifically targeting Operational Technology (OT) environments.

This is happening as the data centre industry develops and forward-thinking operators use techniques and approaches typical of more complex industrial facilities to drive innovation.

Increasingly at Dial, we are seeing this because, while the infrastructure in a data centre is focused on keeping the computers going, there is usually little or no focus on the security around the Operational Technology. We recommend that organisations consider reclassifying Data Centre Operational Technology (DCOT) environments to the same level as corporate networks, or higher.

There is also a question around whose responsibility these networks are. Is it the engineering department because it is to do with the mechanics of the building? Is it the IT department because it has cyber written on it? Or is it security because they are in charge of protecting the building? In reality, responsibility should sit at the top of the organisation as the stakes are so high.

The true impact

The impact of any kind of security breach can be extremely damaging, both financially and through longer term damage to brand reputation. It is somewhat ironic that in the data centre world, the focus is firmly on avoiding downtime, which is measured in seconds, minutes and, for a serious outage, hours. When it comes to recovery from a cyber breach, though, it is measured in days, weeks, and months – it is a totally different landscape.

Financial impacts are similarly compounded. The Uptime Institute reports that one in ten major outages at a data centre costs over £1m. However, the average cost of downtime is dwarfed when we start to look at the costs associated with a cyber breach. For example, in April 2020, IT services and data centre provider, Cognizant, was hit by a ransomware attack that, it forewarned investors in July 2020, could cost it between $50m and $70m.

In addition to ransoms and operational recovery costs, there may be severe fines imposed as a result of subsequent regulatory investigation. For example, the EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for infringements. This type of regulation is already extending beyond personal data theft and is considering the impact to safety and disruption to national critical infrastructure.

However, the biggest loss to a data centre in the end is that of trust. If the very company that houses its customers’ precious IT assets has allowed a data breach in its own systems or facility infrastructure, the resultant loss in confidence can be difficult to recover from and it is not a situation that a responsible stakeholder can ignore.

An open door

The fact is that there are scores of vulnerabilities in and around the data centre facility itself, where increasingly clever hackers are able to get in and cause devastation, and where you are unlikely to be protected. Your DCOT comprises all the equipment and services embedded in your building, from your biometric, security and CCTV to your critical power and cooling, Internet of Things (IoT) devices and sensors, fire and life safety systems, remote monitoring tools, building management systems as well as control systems on multiple networks, which have many protocols and platforms such as BACnet, Modbus, SCADA, TCP/IP, Distributed Control Systems (DCS), Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC).

In many cases, a building’s equipment will be at least partly maintained and serviced by external suppliers, in some cases remotely. With these engineers, from both operator and client teams, entering the facilities with uncontrolled hardware, and the prolific use of IoT devices and out-of-band network facilities on plant and equipment, it is often an easy target for hackers.

Not just about data security

Whilst those of us in the data centre sector are fortunate enough to be working in a growing industry that is now essential to the fabric of society, and one of the foundations of our increasingly digital lives, we must recognise that an attack on the data centre infrastructure is an attack on all the businesses it supports, irrespective of the size, scale, or location of the facility.

This isn’t just about data security. It’s about being a core component of the technology supply chain, which increasingly contains SMEs as well as major corporates. Data centre operators could be forgiven for thinking that it’s the larger companies that are at risk of cyber attack but this simply is not true. Mid-sized organisations are essential components in any supply chain and they experienced the biggest increase in average breach cost, and smaller organisations had higher than average costs per employee. These are possibly the organisations that have taken fewer steps to protect themselves.

It will get worse

As the sophistication of the data centre infrastructure develops, and many smart building techniques integrated with control and automation systems are adopted, there is further risk that attackers will use ever more imaginative ways to find a back door even to the most highly secure, so-called ‘dark’ sites.

Our world is now about novel and new cyber attacks and never-before-seen events, and so the landscape has become massively challenging for security teams to defend. With low and slow, hard-to-detect techniques, through to machine speed attacks, where criminals weaponise AI, it is clear that human speed responses are no longer adequate.

Conclusion

Data centres are amongst the most critical infrastructures in society because the data held in these facilities is increasingly vital to the way communities run. They are used to support utilities, hospitals and healthcare, food manufacturers, the logistics and transport industries, education, defence, and communications – all examples of key sectors that affect the very fabric of how the world runs. As a result, tomorrow is too late to start looking at the risk to DCOT, which underpins the facilities, and organisations need to act fast.

Sadly, our connected world has become a lucrative playground for criminals who can launch attacks on victims in multiple countries and jurisdictions, with little fear of being caught.

Mike West is the CEO at DIAL Ltd, the specialist company that provides a range of advisory and cyber security services to corporates, investment funds and owners and operators in the data centre market and the wider digital infrastructure arena.

With the digital economy already accounting for 7% of the UK’s GDP and the estimated spend on the Internet of Things (IoT) being in excess of £20bn in 2021, it is clear that the data centre market in the UK and around Europe is on a long-term upward trend. This article will look at the opportunities this creates for the investment community and some of the issues they should consider.

I have been in the industry since the late 90s, building data centres for public and private companies, and more recently large scale, cloud campuses. I set up DIAL to help investors make the right decisions and profit from the huge opportunities available in the data centre market. This is a challenging, fragmented and complex industry, and so, in addition, I have created the DIAL advisory board which brings together a team of highly regarded subject experts from across all elements of the data centre lifecycle in all major geographical regions. Each member of the team is handpicked and, as well as being specialists in their field, they are also successful and established business people in their own right.

There is a great deal of consolidation in the industry and a huge amount of money available to be invested, with potentially massive returns. The challenge for a new investor in this space is where to start and how to maximise the returns.

For investors and operators, getting the strategy right, particularly at the front end, is key, and we also discuss how they can monetise ideas and how to future-proof the overall investment.

Large scale mergers and acquisitions (M&As) tend to include older, established assets alongside the recently developed, more attractive sites. In order to maximise the overall investment, these older assets need to be carefully reviewed and the opportunities for modernisation, repurposing and future proofing assessed accurately. This is where the long term investment values can rise over time and improve the overall returns.

The cost of land is clearly one of the key considerations for investors, as are sustainability and power issues. For new investors, the cost of land can be prohibitive as well as the competitive nature of acquiring it. This competition is from existing entrants, new investors and the cloud providers who are land banking, so it is important to note that whilst recent trends have been towards large scale data centre projects, there is now the emergence of smaller regional digital centres supporting Edge computing.

There are many small and medium sized facilities in commercial and corporate buildings, along with POP sites that once supported legacy services that are reaching, or are already beyond, the end of their useful lives, and these locations are often well suited to Edge computing, another key upward trend in the digital economy.

DIAL is able to bridge the gap between commercial and technical real estate and distributed computing to create innovative technical and funding solutions for these new regional initiatives, providing investors with more opportunities and a broader range of initial funding levels.

New technology trends are also an important consideration for investors, constructors and operators. They need to ensure that what they are building is going to be able to adapt to the new technology trends. When you’re looking at designing and deploying facilities, whilst you may not know that a certain technology is going to dominate in the future, you do need to understand how easy it is to repurpose the facility for day one, and what that might look like in the future.

Investors should also consider the availability, sustainability and surety of power. The recent long term power outages in the north of England would have troubled any local Edge data centre. The sustainability challenge is more complex as different countries are adopting differing approaches and legislation – the impact of these differences will be an important factor going forward and will need to be monitored very carefully.

However, I firmly believe that the number one issue for anyone involved in the data centre industry is cybersecurity. Data is growing exponentially and it’s becoming more and more valuable, and the security of that data is more important than it’s ever been. At the moment, organisations aren’t doing enough to mitigate the huge risk that cybersecurity presents. When you consider what intelligence agencies and governments around the world are saying, and what organisations like the World Economic Forum are saying, then this is the challenge for society, not just the data centre industry.

In conclusion, there are opportunities in this sector for all different types of investors, from entry level to investors that already have big investments in commercial real estate. For the latter group, they often want to understand what the opportunity is for them to leverage their existing assets and how they can be a part of the digital economy as it continues to grow. We are here to help.

Mike West

CEO at Digital Infrastructure Advisors Ltd (DIAL)

Download our paper to learn more about this new threat to Data Centres.

Most people think that Cyber Attacks are only on data systems, but this is now old news. The equivalents to Data Centre Operational Technology (DCOT) in other industries are being used by Cyber Criminals to wreak havoc.

It’s time to take a look at the DCOT, which is around the building and infrastructure that houses the racking, to see where the threats to your Data Centre lie.

Examples such as the major Cyber Attack on Honda in June 2020 demonstrate that specific ransomware is being designed to attack industrial control system networks – their equivalent of DCOT. In this example, Honda announced that it was forced to put production on hold at plants in the UK, North America, Italy and Japan, which suggests that it was their manufacturing systems that were attacked, rather than their business systems.

Our Managing Director Mike West says: “The biggest loss to a Data Centre in the end, is that of trust. If the very company that houses its customers’ precious IT assets, has allowed a data breach in its own systems or facility infrastructure, the resultant loss in confidence can be difficult to recover from. With technology companies standing to lose more than the average in terms both of money and reputation, it is not a situation that a responsible stakeholder can ignore.”

In our paper, we look at the specific risks to Data Centres through the Operational Technology, the potential costs based on industry examples to date, the sizes and locations of Data Centres that are most under threat, a recent case study, and some potential solutions to consider.


You can set up an initial virtual presentation of around an hour, which outlines our solution to this threat, by contacting mike.west@dia.ltd or call +44 (0) 7768 557 191

Financial due diligence

DIAL were appointed by a leading US Investment Firm, as part of a proposed debt refinance transaction, to carry out a Fast-track due diligence assignment on a Regional Datacenter Operator in South Central USA.

Expertise. Support. Processes.

Data center financial due diligence

The key objectives of the assignment were to review the primary aspects of the business plan over the term of the proposed finance and included

Highly responsive expertise

Given the fast-track nature of the assignment, an initial desktop study was carried out followed by site visits, with daily updates and summary reports. Despite the fast-track and high-level nature of the assignment, the DIAL team were able to provide valuable insight, helping the investor to make a better-informed decision on this deal, whilst providing valuable advice to the operator during the process.

How the client benefited

In this example we see the investment team taking the time to better understand the underlying infrastructure and how it impacts the business plan and asset value going forward. The DIAL team are uniquely positioned to understand the multi-faceted nature of existing facilities and provide insight into the risks, but also the opportunities, for the operator which could deliver better upside for the investor. Moving forward we see investors becoming more ‘hands on’ and using the DIAL team to support their investments.

How you can benefit from our expertise

Whilst recent trends have seen a focus on large scale Data Centre projects, we also see the emergence of the regional data centre and telco market. Although many small and medium sized facilities in commercial buildings and POP sites supporting legacy services are reaching the end of their service life, the locations are often well suited to Edge computing, requiring a complete refresh and updated approach. DIAL is bridging the gap between commercial and technical real estate and edge computing to create innovative technical and funding solutions.


Satisfying real estate, IT and investment criteria objectives

DIAL was appointed and acted in partnership with an international real estate and infrastructure fund to explore an interesting commercial property acquisition with a data centre twist on the US West Coast.

Expertise. Support. Processes.

Virtual development manager

The DIAL team acted as the investment fund’s virtual development manager to assess the long term potential of the deal and in particular the option of developing a modern data centre facility.

The deal was based on the disposal of a commercial building by a Global 500 company. The building incorporated a corporate data centre, with the complication that an existing occupier of the data centre was required to continue to deliver services after the building was sold.

In order to act quickly DIAL established a JV business to support the deal and to negotiate with the real estate broker, whilst investigating and evaluating the options for the site.

An international team was assembled to evaluate the site options and provide valuations of the building based on the development options.

Our Objectives

The primary objective was to establish the suitability of redeveloping the existing building as a modern data centre and creating an additional facility on the adjacent land.

The technical team engaged with the local planning authorities and power providers to establish the parameters for the development and established a new site master plan based on modern data centre requirements and the local market opportunity.

Creative thinking

The resulting evaluation identified a number of challenges and limitations with the initial data centre development ambitions so alternative development options were also evaluated.

The DIAL team reworked the financial model based on a sale and partial leaseback model, working with the incoming investors to take a medium term view on returns based on a scaled back data centre development and re-purposing the building for commercial office use as the base case. If needed, the DIAL team would take operational responsibility of the data centre for the duration of the ICT provider’s contract to minimise risk on the lease back element of the proposed transaction.
