The proliferation of data centers and increasing reliance on cloud services bring the question of physical and cybersecurity protection of this critical infrastructure into sharp focus. End-user spending on global data center infrastructure is projected to reach $200 billion in 2021 according to the latest forecast from Gartner, Inc (Ref 1). It is timely therefore to look at how best to secure both cyber and physical assets that are critical to the operation of data centers.
With the increasing use of external systems, remote administration and the need to access performance, diagnostic and network management data, a number of possible attack vectors are opened up. Furthermore, wireless networks and growing deployments of IoT devices can potentially provide attack channels that are not well understood or obvious.
Traditional network segmentation and firewalls provide some protection but still present vulnerabilities, especially against state-sponsored actors with the resources to succeed. Smaller data centers with commensurately lower security coverage are vulnerable to cyber and physical attack through much less sophisticated means, for example a disgruntled customer or staff member.
In this article, I will look at how data center operators and security personnel can effectively raise the level of cybersecurity and physical security (specifically, physical site access control) and why convergence between cyber and physical functions can make you more resilient and better prepared to identify, prevent, mitigate, and respond to threats.
Throughout history, the military defense sector has been highly security aware, and the cybersecurity solutions developed for this market not surprisingly offer the strongest level of security available today. These solutions are now being made available to the open marketplace, both for enterprise and critical infrastructure operators.
The following picture illustrates a number of the cybersecurity components that can add considerable heft to your data center security and which we will look at, including data diodes, zone guards and file screening tools.
Some of the typical pain points encountered in securing the operations of a data center arise from:
Solutions for providing the highest level of cyber protection can be divided into two main categories:
VPN Encryptors and Cross Domain Solutions consisting of products for unidirectional traffic control and bi-directional traffic control. In conjunction with these, highly effective file screening and sanitation solutions exist as well as content disarming and reconstruction tools.
Since the eighties, data diodes have been diligently and discreetly working behind the scenes around the world to help keep critical infrastructure and operations safe. Data diodes, also known as unidirectional network gateways, are network appliances that allow raw data to travel in only one direction in order to guarantee information security and to ensure the protection of critical digital systems from inbound cyberattacks.
Despite their significant role in the cybersecurity chain, these devices are not widely known. That is beginning to change however due to factors including the growing interconnectedness of networks, evolving attacks targeted at critical infrastructure and more recently, through governments mandating their use to protect various industry sectors.
Data diodes were traditionally found in high security military, space agency and government domains but are now becoming widely adopted in sectors such as data centers, oil and gas, power generation, distribution and renewables, water supply and treatment, aircraft (between flight control units and in-flight entertainment systems), airports, manufacturing, engineering systems and cloud connectivity for Industrial IoT (IIoT). Given the ease of incorporating data diodes into a network, they present data centers with a quick way of uplifting security.
Every data center needs to import network time in order to synchronise all servers to exactly the same time. Securing the channel used for network time import with a data diode makes it impossible to use this channel for extraction of any data and thereby mitigates the risk of opening this communication channel. This is illustrated in the following graphic:
Data diodes can also be used for securing access to data center system performance and reporting data. By incorporating data diodes, reporting and monitoring data sent to SOC (Security Operations Center) is immediately afforded a secure, one-way data transfer facility without sacrificing domain integrity. With this channel established, no malicious back channel traffic or access is physically possible. This also allows more flexible, role-based operations. Unlike firewalls, most data diodes contain no software or configurations and are therefore not at risk of manipulation either by misconfiguration or intentional malpractice.
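The network time import described above has a protocol consequence worth making concrete: because nothing can travel back through a data diode, the protected side cannot send NTP requests and must instead consume NTP in broadcast mode (RFC 5905 mode 5), dropping anything else rather than answering it. The following Python sketch is an added example, not code from the article or from any diode vendor; the packet values are constructed and the stratum/leap-indicator limits are the receiver's own sanity checks.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_BROADCAST = 5               # RFC 5905 mode 5: server broadcast, sent without a client request
LI_UNSYNC = 3                    # leap indicator 3: the source clock is not synchronised


def build_broadcast_packet(unix_time: float, stratum: int = 2, version: int = 4) -> bytes:
    """Construct a 48-byte NTP broadcast packet (sample data for the receiver below)."""
    ntp_time = unix_time + NTP_UNIX_DELTA
    sec = int(ntp_time)
    frac = int(round((ntp_time - sec) * 2**32)) & 0xFFFFFFFF
    first = (0 << 6) | (version << 3) | MODE_BROADCAST        # LI=0, version, mode
    header = struct.pack("!BBbb", first, stratum, 6, -20)      # poll=6 (64 s), precision=2^-20
    root = struct.pack("!II", 0, 0) + b"GPS\x00"               # root delay, dispersion, reference id
    ts = struct.pack("!II", sec, frac)
    return header + root + ts + bytes(16) + ts                  # reference, origin/receive (zero), transmit


def parse_ntp_broadcast(packet: bytes) -> dict:
    """Validate and parse an NTP packet arriving on the protected side of the diode.
    Only mode 5 is accepted: client/server mode (3/4) needs a reply that the one-way
    link cannot carry, so such packets are dropped rather than answered."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    first, stratum = struct.unpack("!BB", packet[:2])
    li, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if mode != MODE_BROADCAST:
        raise ValueError(f"mode {mode} rejected: only broadcast time is usable one-way")
    if version not in (3, 4):
        raise ValueError(f"unsupported NTP version {version}")
    if li == LI_UNSYNC or not 1 <= stratum <= 15:
        raise ValueError("source not synchronised: do not adjust the local clock")
    sec, frac = struct.unpack("!II", packet[40:48])
    return {"version": version, "stratum": stratum,
            "unix_time": sec - NTP_UNIX_DELTA + frac / 2**32}


def reject_reason(packet: bytes) -> str:
    """Receive-loop helper: empty string when the packet is accepted, else why it was dropped."""
    try:
        parse_ntp_broadcast(packet)
        return ""
    except ValueError as e:
        return str(e)
```

Because the receiver never measures a round trip, it cannot detect network delay the way a normal NTP client does; the upstream broadcast source therefore needs to be trusted and monitored on the unprotected side.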
Even the most secure environments need to import operating system and other software updates. This poses a risk of malware being imported as part of the update process. This risk can be eliminated by using a sanitation solution that cleans all files before permitting them access into key parts of the network. This can be achieved with a File Security Screener in conjunction with multiple data diodes, File Server, Anti-Malware Scanning, Content Disarming and Reconstruction and Solution Engine.
The following illustration shows a typical application:
Some system operations activities require real-time filtering of permitted traffic in both directions. In these situations, it is important to ensure a secure channel for enabling system administration.
This is addressed with ZoneGuard technology over a VPN encrypted connection as illustrated in Figure 5. This facilitates remote management of data center systems through highly secure VPN-tunnels (up to level: SECRET) and Access Control and content filtering by ZoneGuard RDP-services. In this scenario, confidentiality and integrity of the interfaced systems is assured while allowing secure access to several different systems in diverse security domains from a single computer.
Users in a protected network are afforded access to resources in a lower-classified network, including the Internet, while the integrity of the secure domain is preserved by protecting it from unwanted Internet traffic.
Given many operators of critical infrastructure are heavily reliant on third-party contractors to service, maintain and update core systems and equipment, this in itself creates risk. One reason for this is the increasing complexity of the systems being maintained coupled with minimal in-house knowledge. We also see a much higher level of remote access today - often necessitated by travel restrictions or cost imperatives. Many of the clients we work with have very little visibility of the actions of their vendors and which parts of the network they are accessing and changing. In effect, the service agreement is based on "good faith". Furthermore, once the vendor has remote access to the network via a jump box of some sort, they are then often able to access other sensitive areas - without the operator necessarily being aware.
To that end, we recommend a Secure Remote Access platform for operators with this level of third party access. This will ensure that the operator has visibility of remote access sessions, changes that are being made and alerting for misconfigurations or dangerous activities. These sessions can be recorded as well for further peace of mind.
Data diodes and File Screener technology have a role to play in the data center for ensuring safe ways to back up data, as well as providing a way to safely restore the data into production should the production environment be compromised.
Secure, one-way production data backup can be achieved with a unidirectional data diode. This will ensure that no malware, destructive data or simple administrative errors can change the information flow. For secure backup data restoration, we recommend a File Security Screener with multiple diodes, File Server, Anti Malware Scanning, Content Disarming and Reconstruction and Solution Engine as shown in Figure 6.
Most data processing facilities will communicate with outside partners, suppliers, vendors and other entities. It is very important for these communication channels to be protected and prevented from enabling malicious attacks. Depending on the nature of the connection, various security solutions can be used from VPN encryptors to bidirectional gateways that filter traffic and block unwanted content.
With the right architecture (with an example provided in Figure 7) it will be possible to ensure simple future-proof key management, establish Silent mode reception to avoid detection, create low bandwidth and jitter resilience and versatile high-availability including failover and power outage resilience.
Cybersecurity is one part of the security mix for data centers but the other critical component is physical security. The best cybersecurity in the world is of no use if data center access can easily be breached or if there are weak or no controls in place for vetting employees, contractors and visitors coming to the site. This is further exacerbated at remote sites where physical security is reliant on automated entry systems and where there may be no employees or security officers present.
In this section, I will look at physical access security and tools which have been designed to manage these security risks.
Security experts have been working to spread awareness of the need to improve physical security for critical infrastructure sites. For example, in recent times an executive order was issued from the White House declaring a national emergency in order to defend the power grid. Facilities such as power plants, dams, water treatment works and manufacturing sites need to be accessed by a range of employees and contractors, meaning that thorough security badging and entry-vetting procedures for these facilities are crucial in order to protect the people, systems, assets and ultimately, operations of these sites.
Data centers should also be assessed in the same way given the important services they provide to many companies around the world and the calamity that would ensue should these services go down. A critical data center taken offline through a cyberattack would result in a massive reputational hit for the operator not to mention the financial loss that would accompany it.
To achieve a higher level of security, standard site entry badging procedures need to be reassessed. A common practice at critical infrastructure sites is to issue badges or access privileges to staff or contractors based on a basic identification (ID) check. This ID check is typically undertaken directly by operations staff or by a contracting organisation. There are several security vulnerabilities inherent in this scenario as considered below.
If the initial ID check is simply a visual inspection of the staff or contractor’s photo ID, or a scan of the barcode on the ID, this fails to meet the threshold for full authentication of the document. Barcodes and photos on ID documents can be forged with relative ease, meaning that a facility with weak ID inspection procedures can unwittingly grant access to a person with a fraudulent ID.
Any additional biometric security enrolment the organisation then performs will be rendered pointless, as the person’s face, fingerprint, or retinal scan will be registered in the system along with a fake identity.
A more secure process - ID Authentication - uses multiple light sources and a global document library to confirm the ID document’s unique security features, and also confirms that the machine-readable data encoded in the document matches the printed data. By ensuring that only badges are issued to holders of properly authenticated ID documents, critical infrastructure operators can be more certain they are keeping their facilities secure.
Finally, critical infrastructure organisations will also benefit from the ability to check the names of people requesting badges against government and regulatory watch lists, as well as any internal watch lists they may keep (such as banned contractors, disgruntled former staff, access privilege lists etc.). This helps ensure that criminals, wanted suspects, foreign agents, banned contractors and former employees are not unknowingly admitted into the system.
Combining these three measures (ID authentication, facial matching, and watch list checks) facilitates the goal of ensuring that critical infrastructure sites do not grant access to individuals who do not belong there. The technology powering these measures should integrate with a property’s visitor management and badging systems, helping make the enrolment and authentication process extremely efficient even with this heightened level of security. Typically, a workflow engine found in such a technology tool platform would support this along with other security orchestrations such as email alerting when suspicious behaviours occur.
Better security can be maintained at critical remote sites as well, even when security staff are not present to handle access control. The same facial matching technology used at enrolment can be installed at the remote location - implemented with a simple webcam or IP camera - to automatically compare the face of a badge holder with the picture on file in the system.
This prevents stolen or improperly loaned badges from being used to gain access at unstaffed entry points. A “match” result can trigger the system to grant access, while a “no-match” result can be set to trigger customized security alerts and workflow events. Workflow-based systems enable integration into a company's alerting and enrolment systems to enhance the security posture for vetting staff, contractors and visitors entering the site.
An additional layer of security can be applied during the enrolment process by using facial matching technology to confirm that the person presenting a photo ID is its rightful holder. Using a genuine ID document of a “lookalike” person is another common way for bad actors to gain access to places where they don’t belong, and security personnel do not always spot the differences between the ID photo and the person in front of them.
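The enrolment workflow described in the preceding paragraphs (ID authentication, facial matching, watch list screening, and a workflow event for every failure) can be written down as a decision function. The Python below is an added example, not the article's or any vendor's product code: the "machine-readable data matches the printed data" step is modelled with ICAO 9303 MRZ check digits, the face-match threshold of 0.80 is an assumption, and the applicant record and watch list are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

MRZ_WEIGHTS = (7, 3, 1)       # ICAO 9303 check-digit weights, repeating across the field
FACE_MATCH_THRESHOLD = 0.80   # assumed similarity threshold; tuned per deployment in practice


def mrz_char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    return int(c) if c.isdigit() else 0 if c == "<" else ord(c) - ord("A") + 10


def mrz_check_digit(data: str) -> int:
    """Weighted sum mod 10, the digit printed after each MRZ field."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


@dataclass
class Applicant:
    name: str
    printed: tuple[str, str, str]      # document number, DOB (YYMMDD), expiry as printed
    mrz: tuple[str, str, str]          # the same fields as read from the machine-readable zone
    mrz_checks: tuple[int, int, int]   # check digit following each MRZ field
    face_match_score: float            # live capture vs document photo, 0..1


def vet_badge_request(a: Applicant, internal_watchlist: set[str]) -> tuple[str, list[str]]:
    """Apply the three checks: ID authentication (MRZ integrity and MRZ-vs-printed
    consistency), facial matching, and watch list screening. Every failure becomes
    a workflow event so the badging system can raise the corresponding alert."""
    events = []
    if any(mrz_check_digit(f) != d for f, d in zip(a.mrz, a.mrz_checks)):
        events.append("alert:mrz_check_digit_failed")
    if tuple(f.rstrip("<") for f in a.mrz) != a.printed:
        events.append("alert:mrz_printed_mismatch")
    if a.face_match_score < FACE_MATCH_THRESHOLD:
        events.append("alert:face_no_match")
    if a.name.strip().upper() in {n.strip().upper() for n in internal_watchlist}:
        events.append("alert:watchlist_hit")
    return ("issue_badge" if not events else "deny"), events


# Constructed sample applicant; the check digits were computed with mrz_check_digit above.
GENUINE = Applicant("Jane Doe", ("X1234567", "740812", "120415"),
                    ("X1234567<", "740812", "120415"), (7, 2, 9), face_match_score=0.93)


def demo_scenarios() -> dict[str, tuple[str, list[str]]]:
    """Genuine holder, forged MRZ, lookalike with a real document, and a watch-listed name."""
    return {
        "genuine": vet_badge_request(GENUINE, set()),
        "forged_mrz": vet_badge_request(replace(GENUINE, mrz_checks=(3, 2, 9)), set()),
        "lookalike": vet_badge_request(replace(GENUINE, face_match_score=0.41), set()),
        "watchlisted": vet_badge_request(GENUINE, {"jane doe"}),
    }
```

The lookalike scenario is the case the paragraph above describes: every document check passes and only the facial match stops the badge from being issued.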
The ever-evolving threats to critical infrastructure that we are seeing are targeting both physical and cybersecurity vulnerabilities. Too often we see companies who have gone to considerable lengths to secure their digital assets and infrastructure only to be exposed when it comes to physical security coverage – or vice versa. This is often a result of, or exacerbated by the fact that the teams running physical and cybersecurity functions are not aligned. In fact, the two “fiefdoms” quite often exist in splendid isolation from each other. In small organisations, this is less of a problem as the same person(s) most probably are looking after physical and cybersecurity and possibly everything else. For larger operations, this kind of functional misalignment can limit a comprehensive approach to security.
Modern data centers are transitioning dramatically from what we have seen in the past. Gone are the days of air-gapped cyber and physical security. Data centers are monitored and managed through a network of hundreds or even thousands of sensors used for real-time telemetry—heating and cooling, maintenance alerts, physical security, and much more. Yet, in addition to introducing new opportunities for enhanced operational efficiencies and greater visibility and control, digital transformation presents new challenges. Manipulation of heating, ventilation and air conditioning (HVAC) controls could result in critical infrastructure systems being shut down or compromised. I have written previously about the risks inherent in Building Management Systems (BMS), HVAC and Access Control Systems and I will let the reader explore this further at their leisure (see further information at: www.ddetechnology.com/knowledgebase_bms).
Physical cameras can also be hacked and commandeered to disguise a robbery or unauthorized entry into a secure location. Data centers must be diligent to ensure physical and cyber systems are protected in a unified way, and that their convergence does not create additional risks. Furthermore, data centers will begin to see advanced technologies such as artificial intelligence (AI) and machine learning (ML) deployed to pinpoint anomalies in both physical and cybersecurity and to enact real-time controls and remediation processes. (Ref 4)
The adoption and integration of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices has led to an increasingly interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once clear functions of cybersecurity and physical security. Meanwhile, efforts to build cyber resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate security risks in this evolving threat landscape.
Together, cyber and physical assets represent a significant amount of risk to physical security and cybersecurity — each can be targeted, separately or simultaneously, to result in compromised systems and/or infrastructure. Yet physical security and cybersecurity divisions are often still treated as separate entities. When security leaders operate in these silos, they lack a holistic view of security threats targeting their enterprise. As a result, attacks are more likely to occur and can lead to impacts such as exposure of sensitive or proprietary information, economic damage and even loss of life in some cases. (Ref 5)
For data center operators with large-scale operations upon which many customers are dependent, we recommend considering a converged approach to overall security. A focus on convergence will force a formal collaboration between potentially disjointed security functions and identify gaps for remediation.
According to CISA, an integrated threat management strategy reflects an in-depth understanding of the cascading impacts to interconnected cyber-physical infrastructure. As rapidly evolving technology increasingly links physical and cyber assets — spanning sectors from energy and transportation to agriculture and healthcare — the benefits of converged security functions outweigh the challenges of organizational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals.
Much of this article has discussed best practices around securing critical infrastructure. Given the growing reliance on data centers for managing internal and cloud-based systems and data, applying the same mindset to securing both the physical and cyber assets which underpin your operations will ensure that your overall data center security is taken to the next level.
DDE Technology has considerable experience advising customers and deploying cybersecurity software and hardware solutions including threat monitoring systems and site entry authentication and visitor access solutions for industrial, IoT, IIoT and ICT domains across a range of industries including data center operations, power generation and transmission, water supply and treatment, aviation, casino resorts, defence, oil and gas and banking and finance.