As I’ve mentioned in recent blog posts, my conversations with end-users about DCIM have included as much discussion about the company’s approach to ensuring customers’ security as they have about the actual features and benefits of data center management software.
Suffice it to say, as the world connects more and more smart devices to the internet, the number of potential vulnerabilities will increase in linear fashion. The software world may be a contributing factor in this escalation, as highlighted by so-called “insecurity experts”, SEC Consult. Their research, published on TechEye, identified the copying of code as presenting a challenge.
As I said in a recent opinion piece in DatacenterDynamics magazine, I don’t want to add my voice to the doomsayers about the Internet of Things. My view is that the IoT will be a major agent for positive change. However, I did note that during one of the company’s regular knowledge exchanges, a colleague from Invensys – a Schneider Electric business specialising in industrial control and automation systems and software – voiced the idea that IoT should probably stand for the Internet of Threats!
It turns out that a proportion of the intelligent devices which are ubiquitous throughout the manufacturing and processing industries were installed with no security protocols. Of course, those who originally commissioned their use did so on the assumption that the devices were being used in a closed, secure loop. But recent cyber security breaches have taught us that even the most humble industrial (and office) equipment can be subverted for malicious purposes.
We should be looking to protect the data center from generic attacks, and the best way of doing this is not to leave the security door wide open or roll out the welcome mat. Since much internet security advice is targeted at IT, it seems to me that some best practice for data center and facility professionals is overdue. In compiling my Top 5, I’ve tried to focus on basic things that data center owners and operators can do, and which can go a long way to protecting their company and its reputation. Other than time and employee costs, many of these are “free”:
As I mentioned above, complexity increases the number of attack surfaces. An easy way to reduce this number is by turning off the default functionality which is not being used, or by turning off and disconnecting equipment which is either not in use or serves no real purpose.
Adopt the view that published default usernames and passwords are 100% compromised, and change them when devices are being configured. That means eliminating all default credentials (passwords, SNMP community strings, etc.). Replace them with strong passwords and, wherever possible, use different user names and passwords for different people.
Isolate the facility network from the enterprise network. If possible, build a separate physical network for the data center and hide it behind a physical firewall. By not connecting it to the corporate network, hackers can be kept away from mission critical equipment.
Ensure that the latest firmware is installed on all devices, and revisit this on an ongoing basis to keep up with the latest security patches. Do not make it easy for known vulnerabilities to be exploited.
5. Lock down
Physically secure critical equipment, create an access control plan, and use it! Some of the security protocols used on equipment are thirty years old, developed at a time when we didn’t have security concerns. By putting equipment behind closed doors with access control, you go a long way to making them secure.
In compiling the above, I’ve made the assumption that active scanning tools (network scans, intrusion detection and penetration logs, email scanners and antivirus software) will have been implemented by IT as part of sensible enterprise protection measures. But if you work in the data center and are unsure about this, definitely go check!
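The first four items on the list can be checked routinely against a device inventory. The following is an added example, not part of the original post: the inventory records, the facility subnet, the model names and the firmware baseline are all constructed assumptions, and only the `public`/`private` SNMP community strings are real, widely published defaults.

```python
import ipaddress

# Assumptions, constructed for illustration (not from the original post)
FACILITY_NET = ipaddress.ip_network("10.50.0.0/24")      # isolated facility network
DEFAULT_COMMUNITIES = {"public", "private"}              # published SNMP defaults
LATEST_FIRMWARE = {"pdu-x": "1.10.0", "crac-y": "3.2.1"}  # hypothetical baseline

INVENTORY = [  # constructed sample records
    {"name": "pdu-01", "model": "pdu-x", "ip": "10.50.0.11",
     "snmp_communities": ["public"], "default_password_changed": False,
     "enabled": {"snmp", "http", "telnet", "ftp"}, "in_use": {"snmp", "http"},
     "firmware": "1.9.3"},
    {"name": "crac-02", "model": "crac-y", "ip": "192.168.7.40",
     "snmp_communities": ["dc-ro-7f3k"], "default_password_changed": True,
     "enabled": {"snmp", "https"}, "in_use": {"snmp", "https"},
     "firmware": "3.2.1"},
]

def version_key(version):
    """Compare dotted versions numerically, so 1.10.0 sorts after 1.9.3."""
    return tuple(int(part) for part in version.split("."))

def audit(dev):
    """Return the list of findings for one inventory record."""
    findings = []
    unused = sorted(dev["enabled"] - dev["in_use"])          # unused functionality
    if unused:
        findings.append("unused services enabled: " + ", ".join(unused))
    if not dev["default_password_changed"]:                   # default credentials
        findings.append("default password still set")
    weak = sorted(DEFAULT_COMMUNITIES & set(dev["snmp_communities"]))
    if weak:
        findings.append("default SNMP community: " + ", ".join(weak))
    if ipaddress.ip_address(dev["ip"]) not in FACILITY_NET:   # network isolation
        findings.append("address outside isolated facility network")
    latest = LATEST_FIRMWARE.get(dev["model"])                # firmware currency
    if latest is None:
        findings.append("no firmware baseline for model")
    elif version_key(dev["firmware"]) < version_key(latest):
        findings.append(f"firmware {dev['firmware']} older than {latest}")
    return findings

def audit_all(inventory):
    return {dev["name"]: audit(dev) for dev in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, findings or "OK")
```

The numeric version comparison matters: a plain string comparison would rank firmware 1.9.3 as newer than 1.10.0 and miss the outdated device.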
Incidentally, if you have ideas that you think could be usefully added to the list, please leave me a comment.