Modern data center infrastructure management (DCIM) platforms and other new tools put more power in the hands of facility managers.
As a result, data centers are getting faster, more scalable, and more efficient. But this comes with a higher risk of cyberattacks against physical infrastructure.
Earlier this year, researchers at cybersecurity firm Cyble found more than 20,000 instances of data center infrastructure management systems exposed to the Internet.
Attackers who can gain access to DCIM systems can tamper with cooling systems, for example, which can cause servers to overheat and become damaged. They can also interrupt backup processes or upload malicious backup files. If uninterruptible power supply systems have dashboards accessible via the Internet, attackers can shut down the UPS.
“When it comes to data center infrastructure, our approach is: If it’s connected, it’s a potential vulnerability,” said Chris Caruso, CISO at Cyxtera Technologies, a global data center and colocation provider.
And it’s not only their own systems that data centers need to keep an eye on, Caruso said.
“Vendors should also work closely with third-party vendors to ensure those partners are doing everything they can to protect their systems and networks,” he noted.
It’s also important for managers to stay abreast of the latest developments in cybersecurity, he said, as “the threat landscape is always evolving.”
Data center managers can obtain threat intelligence from various sources, he said, including the Cybersecurity and Infrastructure Security Agency (CISA).
The new threat of wiper malware
The Russian invasion of Ukraine has introduced a new wave of threats: wiper malware.
According to ESET security researchers, wipers such as HermeticWiper and IsaacWiper can be made to look like ransomware, but instead of decrypting files when the ransom is paid, they destroy everything.
“These types of threats are often focused on the servers and computers in a data center, but many other types of devices that data centers rely on could be affected,” said Shawn Taylor, vice president of threat defense at Forescout Technologies, a cybersecurity firm. “They include uninterruptible power systems, HVAC controllers, and physical security devices like card readers and IP cameras.”
These types of devices can be highly vulnerable due to underlying flaws in the communications stacks these devices rely on to perform their function, he added.
Forescout’s Vedere Labs cyber intelligence dashboard shows that UPS systems are among the riskiest devices in existence today.
In fact, last week CISA issued a joint alert with the Department of Energy warning that threat actors are attacking Internet-connected UPS devices, often through unchanged default usernames and passwords.
To protect against such attacks, CISA recommends surveying the data center environment for UPS and similar systems and removing their management interfaces from the Internet.
If the device must be accessible, then the agency recommends that data centers implement compensating controls. For example, devices can be placed behind a virtual private network. CISA also suggests that data centers enforce the use of multi-factor authentication and use strong, long passwords or passphrases.
The agency also recommends checking whether usernames and passwords are still set to factory defaults, which is apparently common.
But there are many other devices and components that could be accessed through the web, Taylor said, including HVAC and physical security systems.
Often this access is there so vendors and manufacturers can support or patch them remotely, he said. “Data centers need to know at all times which of their systems are exposed to the Internet.”
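The CISA guidance above (find the UPS and similar systems, remove their management interfaces from the Internet, and put compensating controls such as a VPN and MFA in front of anything that must stay reachable) and Taylor’s point that a data center must know at all times which systems are exposed both come down to the same recurring check: reconcile what an external scan actually sees against what the facility inventory claims. The following Python script is an added example, not code from the article, CISA or Forescout. The inventory, the scan results, the device categories and the set of management ports are all constructed for the example; a real run would take the scan from whatever external scanner the facility uses and widen the port list to the vendors’ own management protocols.

```python
"""Reconcile an external exposure scan against a facility asset inventory.

All data below is constructed for this example; the port set and category
names are this script's assumptions, not a CISA or vendor list.
"""
from dataclasses import dataclass

# TCP/UDP ports commonly used to manage or talk to facility equipment.
# SNMP, Modbus, BACnet and IPMI are the standard assignments; the choice of
# which ports count as "management" is an assumption to tune per site.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 80: "http", 443: "https",
    161: "snmp", 502: "modbus", 623: "ipmi", 47808: "bacnet",
}

# Categories the article lists as the usual blind spot: power, HVAC, CCTV,
# fire suppression, physical access control. Servers are handled separately.
FACILITY_CATEGORIES = {"ups", "pdu", "hvac", "cctv", "fire", "access-control"}


@dataclass
class Asset:
    ip: str
    name: str
    category: str
    remote_access: str = "none"   # "none", "vpn" or "direct" (assumed field)
    mfa: bool = False             # MFA enforced on the management login


@dataclass
class Finding:
    ip: str
    port: int
    service: str
    kind: str
    severity: str
    detail: str


# Constructed inventory (documentation-range addresses).
INVENTORY = [
    Asset("203.0.113.10", "ups-rowA-1", "ups", remote_access="direct"),
    Asset("203.0.113.11", "hvac-ctl-2", "hvac", remote_access="vpn", mfa=True),
    Asset("203.0.113.12", "web-lb-1", "server", remote_access="direct", mfa=True),
]

# Constructed output of an external scan: (ip, open port).
EXTERNAL_SCAN = [
    ("203.0.113.10", 443),    # UPS web console answers from the Internet
    ("203.0.113.10", 161),    # ...and so does its SNMP agent
    ("203.0.113.11", 443),    # HVAC controller the inventory says is behind a VPN
    ("203.0.113.12", 443),    # load balancer, expected to be public
    ("203.0.113.20", 47808),  # BACnet on an address nobody inventoried
]


def reconcile(inventory, scan):
    """Return findings for management ports reachable from outside."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for ip, port in scan:
        service = MANAGEMENT_PORTS.get(port)
        if service is None:
            continue  # not a management/control protocol; out of scope here
        asset = by_ip.get(ip)
        if asset is None:
            findings.append(Finding(ip, port, service, "unknown-host", "high",
                                    "reachable from the Internet but absent from inventory"))
            continue
        if asset.category in FACILITY_CATEGORIES:
            findings.append(Finding(ip, port, service, "ot-management-exposed", "high",
                                    f"{asset.category} {asset.name}: {service} management "
                                    "reachable from the Internet; remove or put behind VPN"))
        if asset.remote_access == "vpn":
            # The inventory claims a compensating control that the scan disproves.
            findings.append(Finding(ip, port, service, "inventory-mismatch", "medium",
                                    f"{asset.name}: recorded as VPN-only but {service} answers externally"))
        if asset.remote_access == "direct" and not asset.mfa:
            findings.append(Finding(ip, port, service, "no-mfa", "medium",
                                    f"{asset.name}: directly reachable management login without MFA"))
    return findings


def exposed_facility_ips(findings):
    """Facility (non-server) devices whose management is Internet-reachable."""
    return {f.ip for f in findings if f.kind == "ot-management-exposed"}


if __name__ == "__main__":
    for f in reconcile(INVENTORY, EXTERNAL_SCAN):
        print(f"[{f.severity:6}] {f.ip}:{f.port} {f.kind}: {f.detail}")
```

Run against the constructed data, the script flags the UPS twice (HTTPS and SNMP, each also without MFA), flags the HVAC controller both as exposed and as contradicting its own inventory record, stays silent on the load balancer, and raises the uninventoried BACnet endpoint, which is the case Fattah describes below: a device that reaches the network “in one way or another” without anyone owning it.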
Physical infrastructure is often a blind spot for cybersecurity
Data center cybersecurity teams typically focus on the security of networks, servers, and other technology infrastructure.
That scope needs to be expanded, said Nasser Fattah, chair of the North American steering committee at Shared Assessments, a consortium of companies that provides tools and certification for third-party risk management.
“This overall data center inventory should include everything,” he said, “including power, HVAC, fire suppression, UPS, CCTV, etc., because these solutions can be connected to the IT and data network, in one way or another, which can become an unauthorized access point.”
Today, data centers use smart connected devices for everything from temperature control to surveillance, all of which can be exploited to cause disruptions and outages, he added.
“To make matters worse, IoT devices are often not included in the patch cycle, leaving them vulnerable to vulnerabilities,” Fattah said.
In fact, many IoT devices don’t even have upgradeable firmware, said Charles Everette, director of cyber defense at Deep Instinct, a cyber security provider. “Or updates haven’t been developed or released in favor of replacing it with just a new device or hardware by manufacturers.”
This means that IoT devices quickly become obsolete, he said, and security risks and flaws grow as they age.
“These devices are commonly hijacked and weaponized for multiple different cyberattacks,” Everette added. “I have personally seen instances where third-party vendors were given access to maintain or support these devices, which inadvertently gave them access to critical protected production environments due to security and network segmentation. We’ve even seen third-party providers get access to monitor through a separate device via radio, satellite, or cell phone, which then allows backdoor access to these protected environments.”
These kinds of scenarios create a haven for cybercriminals, he said. The door is left wide open.
In fact, according to last summer’s SANS 2021 OT/ICS Cybersecurity Survey, 70% of respondents rated the risk to their OT environment as high or severe, up from 51% in 2019.
The biggest risks to OT and ICS? Ransomware and other financially motivated crimes, followed by state-sponsored attacks.
Additionally, the lack of visibility into OT and ICS environments meant that 48% of respondents did not even know if they had experienced a cybersecurity incident in the previous year, up from 42% in 2019.
The biggest cybersecurity challenge, according to the survey, was the difficulty of integrating legacy OT technologies with modern IT systems.
The top initial attack vector was external remote services at 37%, followed by public application vulnerabilities at 33% and internet-enabled devices at 29%.
Spearphishing attachments ranked fourth at 27%.
But there has been some progress. According to the survey, 51% of compromises are now detected within 24 hours, up from 36% in 2019.