The security of critical facilities in data centres is a growing concern in this rapidly modernising age.
Ed Ansett has more than 30 years’ experience working as an electrical engineer in the construction industry, and has spent the better part of two decades focused exclusively on data centre engineering.
Having been an overseer of numerous design projects for data centre power systems with a company called EYP, he co-founded i3 Solutions in 2012.
Siliconrepublic.com spoke to Ansett prior to his appearance at this week’s Data Centres Ireland conference, where he will discuss the oft-neglected security of mission-critical facilities and assets within data centres, in a world where cybercrime is growing in sophistication.
The evolution of data centres
Ansett has seen data centres evolve in a myriad of ways since he entered the industry, and he himself has often been at the forefront of innovation. He co-created the Block Redundant design for data centres, which made such design a much more economical endeavour.
He said that in the beginning, “there were no rules at all … other than the basic regulations and the physics so, way back in the day, you were basically designing new topologies”.
He continued: “These topologies are now being used every day but, at that stage, they were completely new. What’s happened over the years is that when computer equipment started to be built with multiple power supplies, it created an opportunity to make things far more reliable from a power systems point of view.
“Then we went through a phase where everybody was over-designing, and that lasted about 10 years, from 2000 to 2010. People were putting too much infrastructure in at great cost.”
Ansett said that nowadays, there is much more of a focus on getting the right infrastructure in at the right capacity.
Why infrastructural security matters
Ansett is passionate about the need for more awareness around the security of data centre infrastructure, namely the power, cooling and control systems that keep everything ticking over.
“People aren’t aware of it as a whole, what the weaknesses are. There is some information out there but not a lot.
“I discovered during the course of an audit of a piece of critical national infrastructure that you could shut the data centre down remotely using the Wi-Fi system that controlled the cooling – so, you could get into the cooling system without getting into the data centre.”
He explained that this discovery led to investigation and discussions with various people about whether there was a systemic problem, “and it turns out there was”. Ansett said that the systems have very weak encryption and user identification credentials, noting that they are often run by engineers who are generally not trained in cybersecurity.
The security of these critical systems exists in security purgatory, Ansett said. “This area of cybersecurity falls between information cybersecurity and data cybersecurity that we all think of, and engineering, so it’s creating a lot of problems.”
Taking threats seriously
This kind of cyber threat can cause a whole host of issues, according to Ansett. “People can cause disruption; instead of shutting down an application, people can shut down multiple applications at once.”
Ansett also said you can’t always trust that the failover or secondary system will work perfectly in the event of an attack on your mission-critical data centre infrastructure. “You don’t want to put too much store in the idea that if a company’s data centre is down, that they will have another one that will just failover.
“All too often in enterprise data centres, the failover is not as strong as it should be, so you could theoretically get into a cooling system and shut it down at random; you could shut it down then and there, or you could shut it down in couple of weeks for three hours.” These are all situations that could put your business at risk and diminish consumer trust.
Reducing risks to the data centre
As with all security measures, you can’t eliminate the risk of an attack but it can certainly be reduced.
Ansett said there are things that people are (or should be) already doing. “They need to ensure their external perimeter, typically being a connection to the public internet that is secured, and ensure nobody has remote access except those who need the permissions.”
In the age of remote working, Ansett conceded that it’s not really possible to disallow remote access to mission-critical facilities, but measures such as two-factor authentication can help keep your data centre safe. He added that, in his view, the real threat is not the internet itself, but wireless devices that could allow users to remotely access the backbone of a data centre’s infrastructural system.
As well as diligence, the other key thing to do, according to Ansett, is to have a system that monitors the infrastructure networks sitting on the backbone and keeps an eye out for unusual traffic. In that way, once you have an issue, you’ll know about it pretty soon.
Ansett noted recent legislation passed by the New York State Department of Financial Services, which explicitly mentioned environmental controls as part of a wider look at cybersecurity protocols for financial services companies in the US.
Although it is not a widely known area at present, legislation such as this will help to raise awareness of potential security holes in data centres all over the world.
Ansett concluded: “It’s not exactly buried in the small print, but it’s not the headline item either.”