Engineering Grade Protection for Data Center OT Systems

Protecting Data Centers From Industrial OT Threats
Picture of Andrew Ginter

Andrew Ginter

Engineering Grade Protection for Data Center OT Systems by Andrew Ginter, VP Industrial Security

Uptime is a very important Key Performance Indicator (KPI) for data centers, and the physical infrastructures in data centers are essential to uptime – electric power systems, backup power, fire suppression, physical access control, cooling and more. Managing cybersecurity for these infrastructures is different from managing security for information systems – while problems with a new software version or security update can be “backed out” to preserve uptime, damaged high-voltage transformers and cavitation damage to cooling systems cannot be restored from backups.

Cyber-Informed Engineering

This means that the physical infrastructure of data centers is more of an engineering domain than an information processing domain. While the engineering profession has been criticized for being slow to embrace cybersecurity risks and solutions, a new initiative is changing that. The Cyber-Informed Engineering (CIE) initiative at the Idaho National Laboratory is (1) working to make the engineering profession much more aware of cybersecurity issues and solutions and (2) working to apply powerful engineering techniques to cyber risks – techniques and technologies that have historically been used to address only physical threats. For example – mechanical vibration sensors electrically connected to a large cooler’s cut-off switch can be used as a last-resort safety system, protecting cooling systems from damage. Large cooling systems that move liquids risk cavitation damage if they are operated at too high a speed. A mechanical fail-safe eliminates the risk of damage to the cooler when a cyber attack both mis-operates the cooler and disables the cyber safeties designed to protect the cooler from damage.

Network Engineering

Network engineering is part of this new CIE initiative. Network engineering uses engineering-grade protections to prevent cyber attacks from entering data center OT networks in the first place. This is important because data centers are all about uptime and reliability. In the cooler example above, what happens when mechanical fail-safes engage to protect the cooler? Things shut down – the infrastructure that is essential to continuous data center operations is shut down to protect it from damage. It is a good thing that engineering-grade measures prevent threats to worker safety and equipment damage. But if we want our uptime preserved, we need more. We need to prevent cyber attacks from entering OT networks in the first place and triggering these fail-safe shut-downs.

While network engineering includes a number of engineering-grade tools for the prevention of cyber attacks from entering OT networks, the most widely-applicable tool is the unidirectional gateway. The gateways are deployed at consequence boundaries – connections between networks with physical consequences vs. networks with only business consequences. In data centers, the gateways are deployed most commonly at IT/OT interfaces. Unlike software firewalls, hardware-enforced unidirectional gateways provide engineering-grade unidirectionality – OT data is copied to IT networks in real time, with zero risk that cyber attacks (like ransomware) from IT can penetrate through the gateways back into OT networks to put uptime at risk, or to put the physical equipment that is essential to uptime at risk.

“…hardware-enforced unidirectional gateways provide engineering-grade unidirectionality – OT data is copied to IT networks in real time, with zero risk that cyber attacks from IT can penetrate through the gateways back into OT networks.”

The World Is Changing

Data centers are changing the world, and the world is changing around data centers. Environmental and climate concerns are driving change to the design of computers, power systems, power supplies, cooling systems and many other aspects of data centers. Concerns about the rapid increase in cyber attacks with OT / physical consequences are driving a push towards engineering-grade protections for worker safety, for equipment protection, and for network protection in OT systems. Data center owners and operators are responding to all of these changes – because reducing environmental impacts and reducing cyber threats to uptime are both essential to competitiveness in a very demanding industry. The increased use of unidirectional gateway technology is a reflection of the latter trend – at the junction of engineering and cybersecurity.
Share

Stay up to date

Subscribe to our blog and receive insights straight to your inbox