Virtually all incidents start at a data center. Yet the OT security of data centers in particular is often substandard. This has to change, Secior believes. OT security must play a much greater role in the security strategy of organizations and providers of data center services.
Organizations put their data and run their workloads in a data center. This may be a data center that is part of the organization, a colocation data center or a data center of one of the major public cloud players. It is obviously important that these data and workloads are secure there. That’s why data centers are usually equipped with pretty impressive-looking physical security. In addition, monitoring tools and cybersecurity tools are used to ensure that no one can break into the servers and other IT systems running in the data center.
However, according to Fred Streefland and Sander Nieuwmeijer of the Dutch start-up Secior (pronounced ‘secure’), physical security and IT security aren’t enough. The OT environment, the building systems that keep a data center running, is often wide open to attackers. Secior wants to address this for data centers. We spoke at length with the CEO (Streefland) and founder (Nieuwmeijer) of this new company.
Lots of expertise within Secior
Both Streefland and Nieuwmeijer can most certainly be considered seasoned professionals within their fields of expertise. Streefland has a long track record in the security industry, both on the client side and on the vendor side. He has held CISO and CSO roles at LeaseWeb, Palo Alto Networks and Hikvision.
Nieuwmeijer started building data centers and computer rooms all over Europe more than 20 years ago and kept this up for about 18 years. In total, he says he and his team have built several hundred, for governments and businesses alike, such as a temporary data center for the Dutch Tax Office while it was rebuilding its own two data centers. Besides being the founder of Secior, Nieuwmeijer also owns DC People, a company that seconds staff to data centers.
OT systems often poorly or not secured
As mentioned above, there is a lot of focus on securing and sealing off IT systems and environments. However, in all his years as a data center builder, Nieuwmeijer saw virtually no focus on OT security, even though it is a major attack surface. OT systems such as cooling units and UPSs connect to a network, which also makes them potential targets. “You see in Shodan that many of those systems are wide open,” Nieuwmeijer points out. Shodan indexes internet-facing services by their banners, so a controller whose management interface is reachable from the internet can be found there with a simple search on its vendor or product name.
In addition to the inherent lack of security in OT systems, there is also the M&A activity in the data center market: many commercial data centers are acquired by a larger competitor. This ‘stacking’ of multiple sites raises the risk a little further, because it makes it much harder to keep an overview of all the sites and the equipment in them. Further, many older data centers run equipment that may be decades old, and much of this legacy equipment has no security whatsoever. That little or nothing has been done about this does not surprise Nieuwmeijer. “Especially in data centers, the mantra is that you don’t touch something if it is running well,” he states.
OT components are usually managed remotely, or at least through a network connection. That means management services, such as a web interface or a remote management protocol, are listening on the network. This is impossible to avoid, Nieuwmeijer points out, but it has an impact on security. It is perfectly possible to strike a good balance here, for instance by exposing those services only on an isolated management network, but that requires people with knowledge of the matter, and that is often a problem as well. We are talking about a facility’s infrastructure, which is typically managed by someone who knows nothing about cybersecurity. Yet they run the sites.
Data centers are vulnerable
Streefland and Nieuwmeijer are adamant: “Data centers are vulnerable.” To indicate just how vulnerable, Streefland points out that in a single data center they detected no fewer than 150,000 sensors that were not part of the IT environment. This was purely OT and IoT. At the end of the day, every one of these networked sensors is a potential way in.
When we talk about the vulnerability of OT environments, it is usually not about the ‘traditional’ cyber attacks we have become used to, that is, stealing data or extorting organizations for large sums of money (or Bitcoin). An attack via OT systems is about sabotaging the data center. Data centers today are critical infrastructure, which makes them an attractive target for state-sponsored attacks on other countries.
Streefland cites a current example at this point: “In Ukraine, we actually saw attacks with malware that specifically targeted the data centers there.” If you want to take out this kind of critical infrastructure, it makes little sense to go in through the IT systems. Getting into a cooling system and changing its settings makes much more sense: the entire data center overheats and is out of service altogether. This type of access isn’t merely imaginary either, Streefland mentions. “There are a lot of cooling systems in use around the world with Carel network cards in them with admin/admin as the password,” he gives as a concrete example. Factory-default credentials like these make it very easy for attackers to gain access to those systems, and they are the first thing an attacker will try against any management interface that turns up on Shodan.
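As an added example, and not code from the article or from Secior: a small Python audit that checks whether a controller’s web management interface still accepts a list of factory-default credential pairs. The target is a simulated controller started in the same script, which protects its status page with HTTP Basic authentication and accepts admin/admin. That authentication scheme, the candidate pairs beyond admin/admin, and the loopback address are assumptions made for the example, not a description of any specific vendor’s product.

```python
"""Default-credential audit for an OT management web interface (added example)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed candidate list. admin/admin is the pair named in the article;
# the other entries are generic placeholders (assumption), not vendor data.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("user", "user"),
]


class _SimulatedController(BaseHTTPRequestHandler):
    """Stand-in for a controller web UI behind HTTP Basic auth.

    Constructed for this example only; real devices may use a form login,
    a different realm, or no authentication at all.
    """

    VALID = base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == f"Basic {self.VALID}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"controller status page")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="controller"')
            self.end_headers()

    def log_message(self, *args):
        # Keep the simulated device quiet during the audit.
        pass


def start_simulated_controller():
    """Bind the simulated controller to a free loopback port and serve it."""
    server = HTTPServer(("127.0.0.1", 0), _SimulatedController)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url, username, password, timeout=3):
    """Return True if the interface at url accepts this Basic-auth pair."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False
        raise  # anything else (500, timeouts) is a finding of its own


def audit_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return every (user, password) default the interface still accepts."""
    return [(user, pw) for user, pw in candidates if try_login(url, user, pw)]


if __name__ == "__main__":
    srv = start_simulated_controller()
    target = f"http://127.0.0.1:{srv.server_port}/"
    hits = audit_default_credentials(target)
    print("accepted factory defaults:", hits or "none")
    srv.shutdown()
```

Run this only against equipment you are authorized to test, from the management network and in a maintenance window: repeated failed logins can lock accounts or trip fragile embedded web stacks, and a cooling controller that hangs is exactly the outage you are trying to prevent. Any hit means changing the password, and more importantly asking why that interface was reachable in the first place.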
This kind of sabotage may be fairly simple on paper, but we haven’t actually heard of it. Does that mean it isn’t such a big problem after all? That appears to be the question many people running data centers still ask, with ‘no’ as the implicit answer, Streefland and Nieuwmeijer observe. Yet it is not inconceivable that there have already been problems in this area. However, data centers are not likely to bring this out into the open. They do not want to ruin their good name. That could seriously hurt business, and lead to the loss of customers.
OT security will become mandatory
Until now, securing a facility’s infrastructure was something a data center could do, but nobody actually checked whether it did. That is going to change, Nieuwmeijer indicates. Not through something like the ISO27001 standard, which he calls a showpiece, or a sham: in his view, ISO27001 was and is nothing more than a checklist that contributes absolutely nothing to actual security. The EU NIS2 Directive is much more serious about OT security. Within that framework, directors also become personally liable, which will undoubtedly push OT security up the list of priorities of companies. In addition, we already know that from April 2023 insurers will no longer cover damage inflicted by state-backed attackers.
Once you decide to take OT security in your data center more seriously, it is also good not to look at it in an overly traditional way. For example, we usually measure the availability of a data center in terms of redundancy, that is, the amount of equipment you put in it. “However, higher redundancy also results in a larger attack surface,” Nieuwmeijer points out: every extra UPS or cooling unit typically brings its own network card and management interface with it. In other words, you could question whether this approach to redundancy is still the right one, especially since equipment reliability has increased tremendously. It may well be that you no longer need as many UPSs in a data center as you used to, and fewer UPSs means a smaller attack surface.
Secior wants to be the European cybersecurity expert for data centers
At the moment it is still difficult to convince data centers of what Secior has to say, according to Streefland and Nieuwmeijer. Given the developments around NIS2, this is about to change. We saw an example of what might happen in Estonia in 2007, when that country faced a major attack, attributed to Russia, on its critical infrastructure. In response, the Estonian agency responsible (RIA) designated a number of critical infrastructure organizations that have to do an annual digital risk assessment, and pass it, too. Something similar will come to other countries.
At Secior, they don’t want to wait for NIS2 to force data centers into compliance, Streefland and Nieuwmeijer indicate. They want to have their managed service well established in the market before then. Conceptually, Secior’s services are not difficult to understand. “It starts with overview, then insight and then action,” Streefland summarizes. You start by mapping out what you have in place. To do that, Secior works with Nozomi Networks, Claroty, Armis Security and Awen Collective, among others. Once they know this, they can gain insight into where the vulnerabilities are, in order to address them where necessary.
Only the technology for scanning and monitoring comes from a third party. The rest of Secior’s proposition consists of knowledge they have themselves. Secior’s goal is simple, according to Streefland: “We want to be for data centers throughout Europe what Fox-IT has become for the financial sector in the Netherlands.” That means that after the initial scan of the environment, a service can be purchased in which Secior continuously monitors the customers’ environments from its own SOC and can respond immediately if something is wrong.
Who is responsible for OT security?
Secior focuses (for now) primarily on OT security. This means another security layer for customers to work with, and also an additional cost. Why can’t organizations purchase OT security from IT security vendors and service providers? That would make life less complicated. According to Streefland, IT and OT security are two fundamentally different disciplines, if only because the former deals a lot with issues such as ransomware, while the latter focuses much more on sabotage.
OT also impacts human lives much more directly. After the ransomware attack on Colonial Pipeline, which hit the company’s IT systems, the company shut down its pipeline operations as a precaution, and for good reason: whereas with standard ransomware you lose data or pay a lot of money, sabotage of an oil pipeline can cost human lives. Nieuwmeijer also cites an incident in a Google data center at this point. There, something went wrong with the power supply, causing an arc flash and seriously injuring employees. As far as we know, this was not the result of a hack, but it does show that human lives can be at stake. In other words, it is not unwise to place OT security with a supplier that really specializes in it.
Finally, it is also good to think carefully about how to approach OT security optimally inside organizations. How do you do that? We put this question to Streefland and Nieuwmeijer at the end of our conversation. “For a data center, I would recommend making one person responsible for IT and OT security,” Streefland answers. This is because everything is interconnected: cameras, access control and rack locks all connect to the IT environment, so it makes sense to make one person responsible for all of it. Streefland also readily admits that there is no silver bullet on this point. One company can do it, another cannot. In any case, it will be a challenge to assign the two different disciplines to the same person.
All in all, there is a lot to be done in the field of OT security of data centers, as far as Streefland and Nieuwmeijer are concerned. Not only that, but it will also be mandatory to do so in the foreseeable future, given the developments around NIS2. It is wise to stay ahead of the curve and look at this sooner rather than later. Secior certainly is, and now data centers can be, too.
TIP: Earlier this year, we published an extensive article about Armis Security, one of the parties Secior works with.