Network-connected data center physical infrastructure equipment – i.e., the power, cooling, and environmental/security-monitoring devices found in the IT space – is necessary for ensuring availability and making operation of the data center efficient. However, these network connections, particularly if poorly designed and implemented from a cybersecurity perspective, could be used by cyber criminals as an attack surface. A typical installation is composed of widely distributed, network-connected hardware devices communicating with network gateways, firewalls, and on-premises or remote data center infrastructure management (DCIM) servers. These connections may extend to mobile devices, corporate IT and facility management systems, and 3rd party cloud services.
Schneider Electric White Paper 216, Cybersecurity Guidance for Data Center Power and Cooling Infrastructure, provides information on the hardening and protection of connected data center infrastructure devices and their networks.
It does so by using a simple 3-step, lifecycle-based framework. The figure below summarizes the cybersecurity guidance described in detail in the paper. The orange, blue, and green pie slices represent the 3 steps.
Of course, a broader security strategy would also include guidance on people, process, and physical security. But the focus of this paper and blog post is specifically on the hardening of the devices and their communication network.
Note, for those managing a portfolio of smaller, highly distributed edge IT sites, see also Schneider Electric White Paper 12, “An Overview of Cybersecurity Best Practices for Edge Computing”.
The following provides a very high-level summary of the key takeaways for each of the 3 steps.
1. Operations Technology (OT) Network Design
The design phase of a new data center or retrofit project should start with an evaluation of the device and software vendors’ cybersecurity acumen. This comes down to interviewing them and reading the documentation that describes how they manage cybersecurity risks through their design and development practices, as well as how they support their products once deployed in the field. In the end, you’re looking for vendors who embrace a “security-first” corporate culture that impacts everything from staff hiring and training to product design, testing, and technical support. Do they use a secure development lifecycle (SDL)? Are they relying on independent technology validation? How are they monitoring and assessing their security capabilities? These are some of the questions you should be asking.
Next, a secure network begins with adopting a “defense in depth” (DiD) strategy for the network design. This layered approach starts with hardening the perimeter of the network by using firewalls to control the flow of info into and out of the network through the use of user-defined configuration rules. You should always place network-connected power and cooling devices behind firewalls and other security protection appliances that limit access to only authorized remote connections.
Hardening the OT network itself begins with logically (virtually) separating the OT network from other corporate, guest, or public networks and implementing secure network access controls. This is often done through VLANs (virtual local area networks). Measures for detecting network compromises, such as network intrusion detection and prevention systems, should be specified in the design of the network. Use trusted time servers to synchronize all device clocks. A data center infrastructure management (DCIM) monitoring tool or network scanning solution that is capable of creating an asset inventory map should be used.
2. Device setup and installation
Step 2 involves workstation and device hardening, which includes user account management and the configuration of cybersecurity features of each system component, including configuring network firewalls, hardening network-connected infrastructure devices, configuring user accounts for devices and management software, and enabling threat detection as mentioned above. Step 2 focuses on the devices, management software, and the workstations/mobile devices used to access them. Fundamentally, it is about controlling access and ensuring device security settings do not make it easy for cybercriminals to find a way into the system. User account management involves removing default logins, replacing default passwords, disabling everyone’s access by default and adding permissions as needed, etc. For much more detailed guidance on digital identity management, see NIST Special Publication 800-63 and NIST Appendix A on Strength of Memorized Secrets.
Enabling and configuring security-related features or settings in the device network management card (NMC) and management software platform is also a critical cybersecurity aspect of setup and installation. NMCs and software tools typically provide multiple means to communicate. Secure protocols and encryption should always be used, and there should be a means to protect passwords and passphrases by hashing or through encryption. Further, devices should be configured for automatic updates of firmware, and device firewalls should be enabled and configured appropriately.
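The Step 1 and Step 2 settings above can be checked mechanically against an exported device inventory. The following is an added example, not code from the white paper or from any Schneider Electric tool; the record schema, the OT subnet, the time server address, and the list of cleartext protocols are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy values (not from the white paper): cleartext management
# protocols to flag, the segregated OT VLAN subnet, and trusted time servers.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
TRUSTED_NTP = {"10.20.0.5"}

def audit_device(dev):
    """Return findings for one device record (hypothetical schema).
    Missing security fields are treated as failures (fail closed)."""
    findings = []
    if ipaddress.ip_address(dev["ip"]) not in OT_SUBNET:
        findings.append("outside OT VLAN subnet")
    cleartext = sorted(CLEARTEXT_PROTOCOLS & {p.lower() for p in dev["protocols"]})
    if cleartext:
        findings.append("cleartext protocols enabled: " + ", ".join(cleartext))
    if dev.get("default_account_present", True):
        findings.append("default login still present")
    if not dev.get("firewall_enabled", False):
        findings.append("device firewall disabled")
    if not dev.get("auto_update", False):
        findings.append("firmware auto-update disabled")
    if dev.get("ntp_server") not in TRUSTED_NTP:
        findings.append("clock not synced to a trusted time server")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, omitting devices that pass every check."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report

# Constructed sample inventory: one hardened UPS card, one unhardened cooling unit.
SAMPLE_INVENTORY = [
    {"name": "ups-row-a", "ip": "10.20.0.11", "protocols": ["HTTPS", "SSH", "SNMPv3"],
     "default_account_present": False, "firewall_enabled": True,
     "auto_update": True, "ntp_server": "10.20.0.5"},
    {"name": "crac-02", "ip": "192.168.1.40", "protocols": ["HTTP", "Telnet", "SNMPv1"],
     "default_account_present": True, "firewall_enabled": False,
     "auto_update": False, "ntp_server": None},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against a real export, the same checks give a repeatable baseline that can be re-run after every configuration change or firmware update.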
3. Operations and maintenance
It is a common mistake to put much of your effort and focus on design, but not enough on on-going vigilance and maintenance to keep protection measures and technology up to date. This requires operational discipline and executive management support. At a fundamental level, there are five principal tasks for the operations team responsible for cybersecurity of the infrastructure once it is operational:
- Keeping firmware and software updated
  - Use a DCIM monitoring tool that offers a security assessment feature
  - Enable auto-updates where possible
  - Employ a patch monitoring tool if testing/validation of new firmware or software is required
- Maintaining security settings and data backups
  - Use DCIM security assessment to identify insecure network settings
  - Maintain backups and store properly
- Monitoring for suspicious activity
  - Regularly monitor system logs of intrusion detection systems
- Responding to a breach
  - Develop, maintain, practice incident response plans (IRPs) and related emergency operating procedures (EOPs)
- Disposing of end-of-life devices and servers
  - Follow vendor procedures to ensure device data and log files are properly disposed of
Read White Paper 216 to learn much more about reducing the cybersecurity risks of your network-connected data center power and cooling infrastructure devices. For those data centers that either do not have the resources or wish to have 3rd party expert support and validation, there are vendors, like Schneider Electric, who offer cybersecurity services. These solutions can run the gamut from consulting services (e.g., gap analysis, policy & procedure development) to network design, device hardening, training of operations teams, and monitoring and maintenance services (e.g., firewall & device monitoring, OT security information and event management).