Cyber

Protecting premises against digital crime

Data is a valuable good and keeping it safe is becoming more challenging as cyber criminals refine their tactics. While keeping data center servers safe will, in most cases, be the responsibility of the tenant, the landlord may be liable for damage or loss if the operational technology (OT) of the data center is compromised.

In modern data centers, all facilities and environments will be monitored and controlled centrally via data center infrastructure management platforms (DCIM). These software platforms can provide unauthorized access points for hackers to perform cyber-attacks. If the landlord is responsible for the cooling and ventilation of the server rooms, and a cyber-criminal finds an entry point to the operating system, they could cause significant damage. Disrupting the cooling system can cause servers to overheat and fail. The same applies to the main power feed. Bad actors are known to gain access to internet-connected uninterruptible power supply (UPS) devices which if disconnected could have a similarly devastating effect for the data center. Data centers that get taken offline can face costly service interruptions, hardware damages, customer data losses, and even potential lawsuits. Each device and point of access can introduce opportunities for unauthorized access. Apart from affecting the operability, temperature, humidity, or voltage, changes can, in a worst-case scenario also cause physical damage to the equipment. Any such event can constitute a breach of contractual duties and consequently result in the loss of a client, income, and reputational damage.

More often than not, there is no architect or engineer comparing the components of utilities’ equipment for their cyber resilience. Components are assembled and connected to ensure operability, but what is usually missing is a professional/security engineer to test the system from a cyber security perspective­­.­ Furthermore, lax security measures have in the past allowed unchanged default usernames and passwords. Bad actors have been taking advantage of them and gained access to internet-connected UPS devices.

Data center operators are also usually responsible for the physical security of the premises. If security management systems for video surveillance, access controls, and threat detection are compromised, unauthorized individuals might also gain access to data center controls and operations.

Real estate insurance policies nowadays exclude cyber risks, and a separate insurance solution will be required to reduce the data centers exposure. However, data center operators should follow strict risk management processes, not least to attain good terms and conditions for a cyber insurance policy.

Recommendations:

  • Review the equipment used from a cyber risk perspective to assess and mitigate the exposure
  • Adopt a strong cyber risk framework as part of the overall security posture
  • Start by translating potential risks into monetary terms and then prioritizing the worst risks for remediation
  • New strategies for risk mitigation include cyber risk quantification and management tools
  • Map out the facility’s OT, including its many connected devices and points of access
  • Review security protocols for critical systems involving infrastructure management, electrical management, building management, and security management
  • Regularly update and patch software applications
  • Consider segmenting data center OT networks (apart from IT networks) to increase security
Previous page
Next page