Breaking down data centre security
Fri 28 Apr 2017 | Ian Bitterlin
Ian Bitterlin, a UK Chartered Engineer with more than 25 years’ experience in data centre power and cooling, suggests the easiest way to disable a data centre, with a little Hollywood glamour…
Data centre security comes in two main parts, physical and data. They can be related, much like the break-in through the roof of a London data centre and the theft of several servers, although it turned out that the thieves were interested in the microprocessors rather than the data on the hard drives. Data security applies to most businesses, but especially those storing personal and financial details, e.g. a credit card processing centre, and that security is achieved by data encryption, firewalls, anti-virus software, etc., although recent history has regularly shown that it is far from infallible; witness the tens of thousands of ‘stolen’ credit card data sets reported every few months.
I have had my main card cancelled and replaced with a new number three times in the last 18 months, although I have no idea if the data breach is with the card, the network or the data centre. It appears that a data security system created by man can be broken by a teenager who doesn’t like daylight – a modern form of Bletchley Park.
Physical security is far more obvious: metal fences topped with razor wire, CCTV around the perimeter, no vehicles allowed inside the fence other than delivery trucks through a ram-raid-proof vehicle trap, man-trap turnstile, security entrance with bullet-proof glass, no visitors without 48 hours’ notice and photo ID, biometrics, one-way air-lock with weight measurement, zoned access cards and internal CCTV – the list can go on.
Then the subtleties, like a blast wall between any adjacent road and the data centre building, or ensuring that the vehicle entrance is after a tight turn and not at the end of a street where a vehicle can gain sufficient momentum to break through the perimeter, or building a steel mesh into the walls to resist the ‘man with an aggressive machine’ (the scenario once labelled Intrusion Level 5).
The physical security also extends to electrical protection, including EMP (Electromagnetic Pulse, not necessarily from a nuclear device but also from a vehicle-mounted, high-energy electromagnetic radiation source), even bonding that steel mesh in the walls to ground/earth to create a Faraday cage or fitting ‘Tempest’ filters; at its simplest, fitting surge protection to limit damage to ICT hardware from grid-borne transients. The one thing that no one can protect against is a direct lightning strike to the facility – proven by Google, but that is another story.
How to disable a data centre
So, what is the easiest way to ‘disable’ a data centre, if you can’t create lightning strikes? It is rather easier than many people might think. I used the word ‘disable’ to differentiate between data theft in any form and putting the facility out of action. I was recently engaged to advise on just that scenario and the client had in mind the classic ideas of hacking into the BMS system, or directly into the UPS, generator and cooling system controllers, and turning things off remotely. That may be a nice idea for a Hollywood tech thriller but no one in their right mind would connect such systems to the outside world via the internet or phone line.
Remote alarming and reports (all one way) may be acceptable, but control systems (for UPS, etc.) with the capability to turn off the system remotely have been available for 25 years and have never found willing users. However, the answer is simple and does not involve entering the facility either physically or via a communication link. It lies in the basic definition of a data centre. For example, when starting the EU CoC, EN50600 or ISO 30134, a disproportionate amount of time was spent trying to define what a data centre ‘was’. All sorts of interested parties wanted to exclude server rooms or place a lower limit on cabinets or a minimum kW rating, etc.
However, if we look back to 2001, a typical internet data centre plan for 1,000 cabinets at 2kW per cabinet can, today, be out-computed by a single 2kW server – such has been the power of Moore’s Law and its simple derivative, Koomey’s Law. No doubt 1,000 cabinets fulfilled any definition of a data centre, so, today, most people agree that any facility that has three crucial elements is a data centre; those elements being compute, storage and I/O. Some folks also advocate that it should have a dedicated power supply, grounding system and cooling system, but the latest low-energy designs (such as those of Google and Facebook) tend to show that, under certain circumstances, those additional items are nice to have rather than essential.
So, disabling a facility simply requires removing one element. Disabling compute or storage will require us to break in, either physically or via the connectivity, but removing the connectivity itself disables the facility totally until bulk communications can be restored.
Data transmission rates have made satellite dishes nearly useless for bulk data links and only a few (mainly military/security) facilities have them. Anyway, disabling a dish isn’t difficult as they are usually in plain sight and a large calibre assault rifle will make a fatal impact in well under 10 seconds.
But you don’t need a weapon to disable fibre connectivity (although a hand grenade probably does a better job), since a few gallons of petrol in a fibre access pit will severely damage the fibre, but the delivery process is identical. Walking around the facility will identify the access pits and most are even labelled as such in their cast lids. Having a fibre map/plan is more certain and may well identify strategic fibre connection points that are further away and out of sight of the primary CCTV. For example, up a main road to a POP, motorway, canal or railway line.
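The fibre map the article mentions is also the defender's tool: the question an operator should ask of it is whether the "diverse" routes leaving the building actually share any access pits, because a pit common to every route is a single point of failure for the whole facility's I/O. The following is an added example, not code from the article or from the author; it takes each upstream route as an ordered list of pit identifiers (the identifiers and routes are constructed for illustration) and reports pits shared between routes, pits common to all routes, and the smallest set of pits whose loss would sever every route.

```python
from itertools import combinations

# Constructed sample fibre plan (hypothetical pit IDs, not from any real plan).
# Three contracted routes, but two of them leave the site through the same
# chamber and share a roadside pit, so "three carriers" is not three paths.
ROUTES = {
    "carrier_a_north": ["DC-MH-01", "RD-MH-17", "RD-MH-18", "POP-N-03"],
    "carrier_a_south": ["DC-MH-02", "CANAL-MH-04", "RAIL-MH-09", "POP-S-01"],
    "carrier_b":       ["DC-MH-01", "RD-MH-17", "MWAY-MH-22", "POP-W-07"],
}


def shared_pits(routes):
    """Map each pit used by more than one route to the routes using it."""
    users = {}
    for name, pits in routes.items():
        for pit in set(pits):
            users.setdefault(pit, set()).add(name)
    return {pit: sorted(names) for pit, names in users.items() if len(names) > 1}


def single_points_of_failure(routes):
    """Pits present on every route: losing one of these severs all I/O."""
    sets = [set(pits) for pits in routes.values()]
    return sorted(set.intersection(*sets)) if sets else []


def min_cut(routes):
    """Smallest set of pits whose loss severs every route.

    Brute force over combinations; fine for the handful of pits on a real
    site plan. Returns (size, example_set). A size equal to the number of
    routes means the routes are genuinely disjoint; anything smaller means
    the physical diversity is weaker than the contract count suggests.
    """
    all_pits = sorted({pit for pits in routes.values() for pit in pits})
    sets = [set(pits) for pits in routes.values()]
    for k in range(1, len(all_pits) + 1):
        for combo in combinations(all_pits, k):
            hit = set(combo)
            if all(route & hit for route in sets):
                return k, list(combo)
    return len(all_pits), all_pits


def diversity_report(routes):
    """Summarise route diversity for a fibre plan."""
    size, cut = min_cut(routes)
    return {
        "shared": shared_pits(routes),
        "single_points_of_failure": single_points_of_failure(routes),
        "min_cut_size": size,
        "min_cut_example": cut,
        "route_count": len(routes),
    }


if __name__ == "__main__":
    report = diversity_report(ROUTES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed plan the report shows no single pit common to all three routes, but a minimum cut of two (one building chamber plus one roadside pit) against three contracted routes; those are the pits that merit the locked lids, detection and suppression the article goes on to describe, and the contract with carrier B should be revisited because its route is not physically diverse from carrier A's northern path.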
Identify all the pits, coordinate each lid to be lifted at the same time (e.g. in the middle of the night when escape is not hampered by traffic) and empty one jerry-can of petrol into each pit, light the blue touch-paper and retire quickly. The facility may lose some data in transit but will be, to all intents and purposes, untouched but useless for several days if not a week or two.
I guess that locked/welded lids and pits fitted with detection and fire-suppression is a future market opportunity but may well infringe local regulations in many locations. But, what man builds, another man can tear down. I think I feel a screenplay coming along.
Consulting Engineer & Visiting Professor, Leeds University
Critical Facilities Consulting