We know. As far as security goes, you’re the boss. All the passwords are carefully chosen and changed on a regular basis. Security patches are installed on time. Rights and permissions are carefully curated. You’re set.

But chances are, somebody could still kill your data center by zapping the power or messing with the HVAC infrastructure. Considering that data centers have already been knocked offline by lightning or by air-conditioning systems that failed on their own, it’s not surprising to think that, someday, someone might do the same thing on purpose. (Hackers have already done it on a television program.)

“The underlying equipment that typically supports data-center networks—backup generators, thermostats, air conditioners, and the like—are vulnerable to a cyberattack that would have the potential to take down the entire operation,” writes Robert McMillan in the Wall Street Journal. “While networked computers are upgraded frequently, the equipment in this underlying layer may be on a refresh schedule measured in decades. They use hoary communication standards that lack basic security features such as password protection.”

According to McMillan, a recent survey found nearly 20,000 such systems—including some for schools, hospitals, retailers and others—are accessible through the Internet, with no username or password required, presumably due to lackadaisical security practices. And Cyber Security at Civil Nuclear Facilities: Understanding the Risks, a report earlier this year from London-based independent policy institute Chatham House, found that nuclear power facilities often still used default passwords on equipment, leaving a security vulnerability. This makes those systems—and everything connected to them—vulnerable to an attack.

In addition, heating and cooling systems themselves have started offering remote access, which is convenient for staff but offers another route for attackers, warns Bob Jennings, head of global critical infrastructure protection cybersecurity for Verizon’s RISK enterprise. “We have an area of pretty critical infrastructure—operational technology and control systems—which covers heating and air conditioning controls, factory floors, robotics within work facilities,” he tells ZDNet. “Traditionally these were always isolated systems that people couldn’t get access to—now the heating and air conditioning guy can dial in from his office.”

This isn’t a new issue—for example, organizations such as the SANS Institute have been warning about the cybersecurity of the electrical grid since at least 2001. But in this era of the Internet of Things, where everything seems to be connected to everything, it’s an even larger problem. “The widespread availability and proliferation of these devices means that once a device is compromised, it’s very difficult for a company to flip a switch and update the millions of devices just like it sold around the world,” writes John Dixon in TechCrunch. “It also means that hackers can use one insecure device to leapfrog their way into broader connected networks, allowing a single device to compromise sensitive data ranging from bank and health information to even access to broader corporate assets as the line between work and home continues to blur.”

A report earlier this year from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security found 245 incidents in such systems in 2014, primarily in the energy industry. “The 245 incidents are only what was reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers,” the report warned. “Many more incidents occur in critical infrastructure that go unreported.”

Even technologically sophisticated companies such as Google aren’t immune. The company learned in 2013 that the HVAC system in its Sydney office was using an older version of its management software, which enabled a security consultant to gain access to its passwords—and, in the process, a map of the building’s entire HVAC system. Researchers have even found ways to hack into computers not connected to the Internet using heat.

At the turn of the century—the previous century—organizations used to have a “vice president of electricity” to ensure that the power kept flowing, writes Randy Rayess in TechCrunch. As electricity became more of a commodity, the position faded away.

Related Posts