The number of data breaches and hacks is constantly increasing. The question is, how long will it be until someone hacks the most vulnerable piece of the IT pipeline? Today I’d like to talk about security, or more specifically, facilities security, or more specifically still, facilities network security. OK. Let me step back a minute while I define my terms.
A data center often has more than one network in it. There is the normal data pipeline that runs between servers. There’s the SAN, which connects the servers to the storage. Then there is a network that connects the CRAC units, the UPS units, the switchgear and the other facilities systems. This is the facilities network.
These facilities networks are some of the least protected networks in all of networking. All of these units communicate using SNMP or Modbus or BACnet or some other protocol. The problem with all of these protocols is that they transfer their data unencrypted. Also, a lot of the equipment on these networks operates with factory default passwords years after it is initially installed. I can name several default four-digit passwords off the top of my head.
In fact, the passwords are readily available in the service manuals which you can search for online for free. Shutting down these units could cause your servers to overheat and literally shut down your data center.
These units don’t even need to be connected to the internet to be compromised. Stuxnet, for instance, is a worm that can infiltrate a facilities network and search for certain PLCs within that network. Once these PLCs are infected, they can make their equipment spin at such high speeds that the bearings wear out and the equipment is destroyed. It was probably introduced into the Iranian nuclear enrichment centers, and it probably made its way onto the network via a USB drive.
In a similar scenario, the US government showed that it is possible to cause a generator to explode using only a switchgear PLC. In 2007 at the Idaho National Laboratory they conducted what was known as the Aurora test. According to Wikipedia, “The experiment used a computer program to rapidly open and close a diesel generator’s circuit breakers out of phase from the rest of the grid and cause it to explode.” Many data centers employ diesel generators and PLCs which would be vulnerable to this type of intrusion.
But there are ways to protect your facilities networks. For instance, Agile Data Sites, a provider in Princeton, NJ, relies on a dedicated team of IT networking professionals to administer and monitor our facilities networks. They monitor network traffic and are better equipped to deal with intrusions than facilities operators. The facilities people are essentially just users, not administrators.
They also create VLANs that can isolate our systems to contain viruses if they should break out. Third, they create a network topology that firewalls the facilities network from the rest of the network, and use robust encryption and security credentials for access. Fourth, they change their passwords! A password that includes the word “password” is just negligence.
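One way to check that the segmentation described above is actually holding is to audit flow records for traffic crossing the facilities boundary. This is an added example, not Agile Data Sites' tooling; the subnet, the approved monitoring host, and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values for illustration: adjust to your own addressing plan.
FACILITIES_NET = ipaddress.ip_network("10.20.0.0/24")   # CRAC, UPS, switchgear VLAN
MGMT_HOSTS = {ipaddress.ip_address("10.10.5.10")}       # approved monitoring station
# Well-known ports of the protocols named in the article.
FACILITIES_PORTS = {("udp", 161): "SNMP", ("tcp", 502): "Modbus/TCP",
                    ("udp", 47808): "BACnet/IP"}

# Constructed sample flow records: src, dst, protocol, destination port.
SAMPLE_FLOWS = """\
10.10.5.10,10.20.0.15,udp,161
10.10.7.44,10.20.0.15,tcp,502
10.20.0.15,10.20.0.1,udp,47808
10.20.0.22,203.0.113.9,tcp,443
10.10.7.44,10.10.5.10,tcp,22
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from comma-separated flow lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = [f.strip() for f in line.split(",")]
        yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
               proto.lower(), int(dport))

def audit_flows(flows):
    """Return findings for traffic that crosses the facilities boundary."""
    findings = []
    for src, dst, proto, dport in flows:
        src_in, dst_in = src in FACILITIES_NET, dst in FACILITIES_NET
        if dst_in and not src_in and src not in MGMT_HOSTS:
            # Someone other than the approved station is reaching a facilities unit.
            name = FACILITIES_PORTS.get((proto, dport), f"{proto}/{dport}")
            findings.append(("inbound", str(src), str(dst), name))
        elif src_in and not dst_in and dst not in MGMT_HOSTS:
            # A facilities unit is talking to something outside its own network.
            findings.append(("outbound", str(src), str(dst), f"{proto}/{dport}"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

Any finding means the firewall or VLAN boundary let through traffic that the design says should not exist, which is worth investigating whether or not it turns out to be hostile.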
There are many more ways to protect a facilities network. If you’re not careful, you could be the first big victim of the facilities hack that we’ve all been worried about for years.
About the Author
Jeff Plank is President/CEO of Agile Data Sites, LLC. He has more than 20 years of experience in the hosting, colocation and managed services industry for both IBM and AT&T. Jeff served as EVP and CTO for Directlink, taking the company from startup to an extremely successful data center services provider with responsibilities including managing operations, sales, marketing and overall organizational direction.