Cyberattacks can come from anywhere and lurk undetected for years, so it is imperative that data centres arm themselves with resilient security hardware to avoid breaching ever-more stringent regulations, says Peter Dempsey of Axis Communications.
For cyber criminals, data centres represent a lucrative and attractive prize – whether the aim of the attack is to steal data, disrupt critical systems, or deploy ransomware. A data centre represents a huge number of systems, processes and hardware devices, and a chink in the armour of any of these is all it takes. If it can be exploited, it will be – and there are many potential avenues of entry.
Over 20,000 Data Centre Infrastructure Management (DCIM) systems have been found publicly exposed, and these could allow an attacker to disrupt a data centre by altering temperature and humidity thresholds. Some UPS systems have also been found to be vulnerable, giving hackers access to data centre power. Data centres are also filled with Internet of Things (IoT) devices which could act as attack vectors. Data centres must be aware of their vulnerability and strive to protect every part of their infrastructure.
APT31: Prepare for undercover attacks
Many data centres could already have been silently compromised. Attackers are increasingly deploying sophisticated ‘living off the land’ (LOTL) attacks which make use of the core tools of computer systems rather than installing their own malicious files. This kind of infiltration is difficult to spot, and indeed can stay undetected for years until the bad actor is ready to strike.
These actors can be major entities. In many cases, LOTL payloads originating from state-sponsored agents have been found lurking on critical networks. The NCSC has now implicated a state-sponsored hacking group, APT31, of attempting to target a group of MPs. In a list of other targets, the APT31 cyber-threat extends to the UK economy, critical national infrastructure and supply chains.
This highlights the need for data centre managers to take a proactive approach to security, one which does not simply lean on known cybersecurity principles, but employs active monitoring and strict due diligence. And it is especially important in today’s regulatory environment.
NIS2: Detecting data anomalies in critical infrastructure
The NIS 2 Directive (NIS2) and the Cyber Resilience Act reclassify data centres as critical infrastructure. They now fall into the same category as healthcare, energy and transportation, and will meet the same level of scrutiny over their governance. Data centre operators, whether under the jurisdiction of such legislation or not, have no choice but to tighten their defences.
The behaviour of every piece of hardware, software and firmware within a network must be regularly analysed in order to spot even the most innocuous-seeming unusual activity. This detective work must also extend beyond the bounds of the data centre, because NIS2 applies to the activities of collaborators as well as critical entities. This includes equipment vendors and, crucially, every step in their supply chain.
Finding supply chain vulnerabilities
If an attacker cannot infiltrate a data centre through direct means, it may attempt to inject a malicious payload on equipment which is yet to be deployed. IoT devices are fertile ground for criminals: they are network-attached by default and often not inspected with the same level of detail as more obvious attack vectors would be. As with LOTL payloads, malicious IoT devices may simply hide in plain sight because they allow attackers to piggyback on implicit trust.
Supply chain attacks are incredibly dangerous and growing, exceeding direct malware attacks by 40% in 2022. There is no longer any way to justify any implicit trust: vendors must demonstrate the security and purity of their supply chain in detail and take action to ensure that unauthorised modifications do not happen. Data centres, in turn, must reevaluate every vendor relationship to ensure they are not caught out.
Thankfully modern technology allows suppliers to demonstrate the legitimacy of their hardware quite cleanly. Trusted platform module hardware protects signed firmware, offering confidence in a device’s integrity along the chain. Secure boot prevents unauthorised firmware from running at all. And some devices can store cryptographic keys and certificates securely within, strengthening their security credentials while simplifying the process of managing one’s defences.
Dealing with regulatory pressure
Regulations such as NIS2 basically offer data centres no choice but to act now or face massive fines. Their terms make data centre directors liable not only for internal breaches but for those caused by some third-party security lapses. Security must be reevaluated from top to bottom.
Strong physical security through cameras, thermal and radar detection, and access control is clearly vital, because an attacker on-site could cause untold disruption. But logical security is just as vital to ensure attackers do not reach one’s site virtually. Every piece of hardware and software, whether within the scope of the regulations or not, should be catalogued, analysed, prioritised, and documented on a regular basis.
Compliance needs to be substantiated with a clear record – and vendors must supply this too. No supplier of any value would wish to issue anything which is not on the level; working with vendors that care about their products is the path for data centres to create a smarter, safer world.
