The Covid-19 pandemic and its knock-on effects have had a massive impact on the data centre industry, forcing it to adapt in a very short space of time – from coping with increased demand for capacity to the complexities of hybrid-cloud working. But one thing that perhaps hasn’t kept up with this momentum has been cybersecurity.
Faced with a growing trend of mergers and acquisitions, many operators are now struggling to cope with new cybersecurity challenges.
Data Centre Review spoke to Steven Brown, Segment Director for Schneider Electric’s software strategy, to find out more about how data centres can adopt best practices to build robust cybersecurity strategies and increase their resilience.
DCR: What’s the state of play of cybersecurity in the sector as it currently stands?
SB: Our relationship with digital tools in the last couple of years has changed tremendously, which has been well-documented – and along with that, unfortunately, malicious cyber activity has grown as well.
Now, if you bring that specifically to the data centre space, one of the key vectors, in my opinion, is that data centres are the closest nexus of facility and IT equipment.
I think, on the OT side – across many industries but especially in ours – there’s been significant upskilling. I mean, we’re all being trained in phishing attacks and changing passwords and multi factor authentication, etc.
But on the other side, the critical infrastructure that automates and manages the data centre, I think we’ve seen that lag a little bit.
As we look at data centres, we anticipate the future to be resilient, adaptive, sustainable and efficient. Along those four dimensions, there are going to be a lot of changes – and cybersecurity is going to need to evolve and be a resilient piece of that future data centre story.
DCR: Why do you think we’ve seen this lag between IT and OT?
SB: If you think of the intersection of threat, vulnerability and consequence – those three elements determine what a cybersecurity risk is.
The threat is the attack vector. The vulnerability is what potential equipment, or lack of patches, or potential known vulnerabilities are there that could be utilised in a cyber threat. And then consequence is a very fairly logical part of that. That’s going to be the biggest differentiator between IT and OT.
Security on the IT side – we’re talking about servers, switches, storage, virtual databases, that kind of infrastructure. The biggest consequence, not to minimise it in any way, is going to be data privacy, confidentiality, financial interests and so on. Whereas consequence on the OT side can often involve human health safety, and it’s a much more visceral impact.
Now with data centres, it’s a little ambiguous that nexus between the two of them, and I think that’s led to this position where because we’re not, for example, rail, transit, infrastructure, which have a very clear potential consequence, it’s further contributed towards this lag in OT security.
But if you think about the potential interruption around a data centre – the lack of availability, the potential impact on downstream IT workloads – it’s definitely something that we need to take more seriously in cyberspace.
DCR: So what challenges does this recent surge of mergers and acquisitions pose to cybersecurity, and how can data centres mitigate them?
SB: Mergers and acquisitions of any industry are going to be tough, and integration is a highly specialised and focused field to make sure that the IT infrastructure is merged.
In the data centre space, you’re going to find yourself with different methods of procedures for different data centres; you’re going to find yourself with a multi-vendor installed base. And on the OT side, occasionally with proprietary protocols, or at least a significant multi-protocol environment. So if you’re trying to harmonise that, it’s definitely a big effort and requires dedicated focus.
If you think about cybersecurity, it’s really the combination of people, processes and technologies to set a resilient posture. Along each of those vectors, it’s going to be a case of looking at this sprawling environment that you’ve assembled through M&A, and then leveraging people, processes and technologies to do four things:
- Permit, and make sure that access to the network is properly authenticated and delegated at any point;
- Protect, which is implementing specific controls as part of the operations systems for ongoing protection;
- Detect, which is monitoring the operating environment to detect and communicate threats proactively;
- Respond, which is building a response plan.
Those four parts are the essential elements to a robust cybersecurity posture.
DCR: What should operators be thinking about when building an effective cybersecurity plan?
SB: There are some very OT-forward industries – like transit, energy, water, wastewater – that, given their criticality, have established best practices for cyber. So the good news is that we don’t have to reinvent the wheel in the industry.
Personally, I look to the IEC 62443 standard, which hasn’t been widely adopted in the data centre space. I look at that standard, and we need to make sure that we’re adopting it. And it’s really clear guidance; it’s got basically seven foundational requirements and four standardised security levels for OT. With that infrastructure in place, you can adapt the level of cyber deployment depending on the criticality.
IEC 62443 also outlines foundational requirements for vendors and solution providers – like Schneider Electric – systems integrators, who may be putting all of this technology together, and then the end-users themselves. So everyone will be singing from one hymn sheet, as they say.
DCR: How will operators go about rolling out cybersecurity strategies?
SB: Organisationally, there are definitely things that you’ll have to do. The good news, though, is that a lot of it is enforcement of basic best practices. The vast majority of cyber threats would be mitigated or at least slowed down – for example, if measures like multifactor authentication were enabled, which is a fairly straightforward thing, and fairly easy to enforce.
But I do think that some of the trends in the data centre industry are really going to require a centralised organisational impact on cyber.
Just to give you one example; I mentioned that data centres of the future are going to be more resilient, adaptive, sustainable and efficient. That adaptive part really means right-sizing, it means allowing tenants – if you’re a colocation provider – to move workloads between on-premises, and the colo, to the public cloud. Suddenly that has major network implications, where you need to be able to accommodate those kinds of moves of workloads, and yet rapidly secure and ensure that data centres are resilient.
Historically, data centres have had a very flat network. So this idea that, if you were able to get into the ops network – they don’t really bifurcate a lot of different parts of it. So that’s one thing that’s going to have to change; data centres will have to have multiple layers of network hardening.
I think there was a day and age where resiliency in data centres just meant – if I lose power, can I stay on? But now it means – if I can’t get anybody on site, can I, for example, securely reboot an ATS switch?
So it’s making sure that you have those technology solutions in place throughout the data centre lifecycle. I think those are the essential elements to ensure that you’re setting yourself up for success in this new world.
DCR: How do you see data centres evolving their cybersecurity strategies in the future?
SB: I think you’re going to see ‘resilient by design’. Data centre providers will be leveraging vendors who are pushing for secure-by-design solutions. I think you’re going to see data centres becoming more automated, with more connected devices so that you get that granular visibility, whether it’s to build a better sustainability dashboard, or to run your data centre more efficiently.
But as you do that, you obviously introduce these new vectors. I think over the next two to five years, within the standard design of data centres, cybersecurity is going to be firmly coupled to this – it’s going to be part of the data centre construction itself.