Protecting Data Centre Embedded Systems from External Cyber Attack

Data Centres make extensive use of embedded control systems. They are typically found in cooling systems, generators, switchgear, motor control centres, UPS, fire systems and security systems.

Embedded control systems for the purposes of data centres include such things as programmable logic controllers (PLC), distributed control systems (DCS), supervisory controls, data acquisition (SCADA) systems or any other type of software based plant control system.

Cyber-attacks on embedded systems are typically routed through Internet connections, enterprise network connections or connections to other networks. In a data centre context there are several target areas that must be protected to prevent access to the control network layer. When the control network layer comprising either a data centre infrastructure management system (DCIM) or building automation system (BAS) is linked to the Internet or to a lesser extent an enterprise network it becomes vulnerable to attack on field devices using embedded controllers.

Embedded devices are hardware based critical systems that require special treatment in terms of data security. This cannot be achieved via normal enterprise IT security systems since the controllers are highly interrupt dependent real time edge devices that preclude the use of encryption block algorithms.

With the proliferation of DCIM systems in data centres and increasing use of external communication devices to access data histories and asset performance data within the DCIM (or BAS) it is essential to ensure the embedded control systems are adequately protected.

Cyber-attacks on embedded systems are not new. Probably the most publicized being the Stuxnet worm that reportedly caused one-fifth of Iran’s nuclear centrifuges to tear themselves apart. Industrial control systems companies are particularly prone to attack especially where the target is critical infrastructure affecting governments or other strategically important assets. As a result of government efforts there are now standards and guidelines aimed to protect embedded control systems in industrial and control industries; which can be applied to data centres.

In a forthcoming paper entitled Protecting Data Centre Embedded Systems from External Cyber Attack we examine how to apply effective defensive counter-measures to protect data centre embedded systems.