Cyber-attacks can come from anywhere and lurk undetected for years - says Peter Dempsey, Axis Communications - so it is imperative that data centers arm themselves with resilient security hardware to avoid breaching ever-more stringent regulations.
For cyber criminals, data centers represent a lucrative and attractive prize, whether the aim of the attack is to steal data, disrupt critical systems, or deploy ransomware. A data center represents a huge number of systems, processes, and hardware devices, and a chink in the armor of any of these is all it takes. If it can be exploited, it will be – and there are many potential avenues of entry.
Over 20,000 Data Center Infrastructure Management (DCIM) systems have been found to be publicly exposed, and these could allow an attacker to disrupt a data center by altering temperature and humidity thresholds. Some Uninterruptible Power Supply (UPS) systems have also been found to be vulnerable, giving hackers access to data center power. And data centers are filled with Internet of Things (IoT) devices which could act as attack vectors. Data centers must be aware of their vulnerability and strive to protect every part of their infrastructure.
APT31 – Prepare for undercover attacks
Many data centers could already have been silently compromised. Attackers are increasingly deploying sophisticated ‘living off the land’ (LOTL) attacks which make use of the core tools of computer systems rather than installing their own malicious files. This kind of infiltration is difficult to spot, and indeed can stay undetected for years until the bad actor is ready to strike [1].
These actors can be major entities. In many cases LOTL payloads originating from state-sponsored agents have been found lurking on critical networks. The UK National Cyber Security Centre has now implicated the state-sponsored hacking group APT31 in attempts to target a group of MPs. Among its other targets, the APT31 cyber-threat extends to the UK economy, critical national infrastructure and supply chains [2].
This highlights the need for data center managers to take a proactive approach to security, one which does not simply lean on known cybersecurity principles but employs active monitoring and strict due diligence. And it is especially important in today’s regulatory environment.
NIS2 - Detecting data anomalies in critical infrastructure
The NIS 2 Directive (NIS2) and the Cyber Resilience Act reclassify data centers as critical infrastructure. They now fall into the same category as healthcare, energy, and transportation, and will face the same level of scrutiny over their governance. Data center operators, whether under the jurisdiction of such legislation or not, have no choice but to tighten their defenses.
The behavior of every piece of hardware, software, and firmware within a network must be regularly analyzed in order to spot even the most innocuous-seeming unusual activity. This detective work must also extend beyond the bounds of the data center, because NIS2 applies to the activities of collaborators as well as critical entities. This includes equipment vendors and, crucially, every step in their supply chain.
Finding supply chain vulnerabilities
If an attacker cannot infiltrate a data center through direct means, it may attempt to inject a malicious payload on equipment which is yet to be deployed. IoT devices are fertile ground for criminals: they are network-attached by default and often not inspected with the same level of detail as more obvious attack vectors would be. As with LOTL payloads, malicious IoT devices may simply hide in plain sight because they allow attackers to piggyback on implicit trust.
Supply chain attacks are incredibly dangerous and growing, exceeding direct malware attacks by 40% [3] in 2022. There is no longer any way to justify any implicit trust: vendors must demonstrate the security and purity of their supply chain in detail and take action to ensure that unauthorized modifications do not happen. Data centers, in turn, must reevaluate every vendor relationship to ensure they are not caught out.
Thankfully modern technology allows suppliers to demonstrate the legitimacy of their hardware quite cleanly. Trusted platform module hardware protects signed firmware, offering confidence in a device’s integrity along the chain. Secure boot prevents unauthorized firmware from running at all. And some devices can store cryptographic keys and certificates securely within, strengthening their security credentials while simplifying the process of managing one’s defenses.
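As an added illustration of the signed-firmware and secure-boot check described above (example code, not Axis's own implementation), this Go program models a device that will only boot an image signed by the vendor key it trusts, and that also refuses rollback to an older version. The image format, version counter and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Firmware is a constructed image format: a monotonic version counter,
// the image payload, and an Ed25519 signature over version||payload.
type Firmware struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version to the payload so that a valid
// signature cannot be re-used on a different version.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignFirmware is what the vendor does at build time with its private key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) Firmware {
	return Firmware{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyBoot models the secure-boot check: the device trusts only the vendor
// public key provisioned at manufacture and the last booted version.
// It refuses images that are unsigned, tampered with, or rolled back.
func VerifyBoot(vendorPub ed25519.PublicKey, minVersion uint32, fw Firmware) error {
	if !ed25519.Verify(vendorPub, signedMessage(fw.Version, fw.Payload), fw.Signature) {
		return errors.New("signature check failed: image not signed by vendor")
	}
	if fw.Version < minVersion {
		return errors.New("rollback rejected: image older than last trusted version")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignFirmware(priv, 2, []byte("constructed camera firmware v2"))
	fmt.Println("genuine image:", VerifyBoot(pub, 1, good)) // <nil>

	// A payload altered after signing (e.g. somewhere in the supply chain) fails.
	tampered := good
	tampered.Payload = append([]byte{}, good.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered image:", VerifyBoot(pub, 1, tampered))
}
```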
Dealing with regulatory pressure
Regulations such as NIS2 leave data centers no choice but to act now or face massive fines. Their terms make data center directors liable not only for internal breaches but for those caused by certain third-party security lapses. Security must be reevaluated from top to bottom.
Strong physical security through cameras, thermal and radar detection, and access control is clearly vital, because an attacker on site could cause untold disruption. But logical security is just as vital to ensure attackers do not reach one’s site virtually. Every piece of hardware and software, whether within the scope of the regulations or not, should be catalogued, analyzed, prioritized, and documented on a regular basis.
Compliance needs to be substantiated with a clear record – and vendors must supply this too. No supplier of any value would wish to issue anything which is not on the level; working with vendors that care about their products is the path for data centers to create a smarter, safer world.