Control System Cybersecurity & What It Means to Buildings
Cyber threats to buildings/data centers include data issues: compromise, exfiltration and denial-of-service. Control system cyber threats to data centers have focused on the Internet-connected building control systems. However, there are other control system cyber threats to data centers that have not been addressed and have actually caused data center damage.
Control system network vulnerabilities include the use of standardized cyber vulnerable communications protocols such as Modbus/TCP, BACnet and SNMP (Simple Network Management Protocol). These protocols have been demonstrated to be vulnerable to cyberattacks and, in the case of Modbus, there are no security features built into the protocol. Hardware vulnerabilities include the Aurora vulnerability and Uninterruptible Power Supplies (UPS).
Aurora vulnerabilities occur when electric substation breakers are opened and then reclosed out-of-phase with the grid. This will generate large torques and current spikes that will damage or destroy and Alternating Current (AC) equipment connected to those breakers. The Aurora demonstration proved there could be physical damage from an attack though the operators were blind because the attack was not see from the SCADA system. An actual Aurora event affected a data center when the data center experienced multiple Aurora events over a multi-day span. The events originated from the utility which was outside the facility’s control. The Aurora events damaged chiller motors with one of the motors out of operation for weeks. The controller logs showed no breaker operation though the mechanical counter showed breaker operation. (This is similar to what occurred with the March 2007 INL test.) Aurora vulnerabilities originate from outside the data center. Data centers have assumed that the electric utility substations feeding the data centers have addressed Aurora. However, this is generally not true. Building owners need to understand what their power companies are doing to mitigate the Aurora vulnerability.
UPS smooth the voltage from the backup generators, so the servers are only fed the design voltage, rather than the fluctuating voltages and frequency produced by a local generator as the load varies. It also supplies interim power when power is lost from “house loads” until backup generators/batteries kick in. UPS are remotely accessible yet are assumed to be secure and available. Compromising the UPS can directly lead to data center equipment damage. SNMP management cards are an integral part of most every company’s power management system. SNMP cards were developed about 25 years ago with the advent of SNMP version 1. The majority of all SNMP cards are still running version 1, which has no security, or version 2, which has minimal security. Even cards that support version 3 can be compromised by a competent hacker.
In the December 2015 Ukrainian cyber attack, the attackers discovered a network connected to a UPS and reconfigured it so when the attacker caused a power outage, it was followed by an event that would also impact the power in the energy company’s buildings or data centers/closets. The outage left nearly 250,000 people without power and caused enormous suffering to many residents within a wide area.
On May 2017, British Airways reported that their Boadicea House data center experienced a major power outage due to an electrical grid power surge. However, National Grid confirmed there were no problems with its transmission network. Scottish and Southern Electricity Networks, the local electricity distribution network operator, also recorded no problems on the local distribution side. Further, no other companies near the area of the British Airways data center reported any type of power anomaly.
Consequently, any change in power had to occur from within the data center. According to the head of Group IT at BA's owner International Airlines Group, a subsequent investigation found that a UPS was over-ridden resulting in a hard power shutdown. While the UPS is supposed to act as the first line of defense in an actual power event, it can also be used at the first line of attack in a cyber/physical attack. In this case, all UPS-supported power to servers and network equipment in the data center was shut down. This resulted in the total immediate loss of power to the facility, bypassing the backup generators and batteries. This meant that the controlled contingency migration to other facilities could not be applied.
After a few minutes of this shutdown of power, the UPS was just as mysteriously turned back on in an unplanned and uncontrolled fashion. The result was both the battery supply and the generator supply being connected in series to the power bus feeding the racks. That resulted in the data center’s servers being fed 480v instead of 240v, causing physical damage to the servers and significantly exacerbated the problem.
All network-connected power systems, not just UPS, can be cyber vulnerable. Other power systems that are cyber vulnerable because of their reliance on Modbus/TCP and SNMP communications include Power Distribution Units (PDU), Smart Breakers, Automatic Transfer Switches, generator systems and many others – all of which can used for buildings.
The common thread between Aurora and the UPS attacks are the systems designed to protect mission critical systems were co-opted to be used as attack vectors against the systems they were meant to protect. UPS and generator systems are very expensive pieces of power infrastructure that are used to protect critical system/facilities but they have weak links with their communications cards, which typically cost less than $1000.
In order to ensure that a UPS, generator or other critical power system cannot be hijacked and used as a weapon, it is critical to understand the cyber threats to this equipment and employ appropriate cyber protection to both monitor and protect these systems.
This Week’s Sponsor
The challenges created by the new lease accounting standards will not end with transition and adoption of the new rules. Your approach to accounting and financial reporting — and even the necessary capabilities of your technology — will never be the same again. Download Trimble’s whitepaper to find out what’s at the heart of making compliance a long-term success.
UPCOMING REALCOMM WEBINARS
REAL ESTATE INFORMATION ANALYTICS – Harnessing the Power of the Data - 2/7/2019
It started with spreadsheets and pivot tables, moved to databases, then to data warehouses, onto analytics and business intelligence. Now, analytics often refers to machine learning and artificial intelligence. In the end it is simply about collecting and maintaining accurate comprehensive data and applying some form of sophisticated analysis to gain insight and make better decisions. Combining internal and external data can provide organizations with a better understanding of individual assets, portfolios and markets. This webinar will gather the industries’ most experienced professionals who will discuss how data disruption and leveraging data will allow you to better position yourself for significant growth. Product options, data strategies, personnel requirements and more will be addressed.
Andrew Weakland is the Director of Systems Development for W. P. Carey, a net-lease REIT focused on providing long-term sale-leaseback and build-to-suit solutions for companies in the U.S. and Northern and Western Europe. Andrew specializes in bringing emerging technologies into the real estate space to drive competitive advantage while maintaining the cohesiveness of the overall enterprise technology footprint.
As the Director of Information Technology at Woolbright Development, Luis Ramos is responsible for the corporate technology strategy, which includes the IT infrastructure and enterprise application platforms. Additionally, he is also responsible for implementing technology solutions toward the company’s existing business processes, and helping create new efficiencies throughout the company's business model. Since his arrival in 2004, his team has been responsible for the constant development of various industry-focused proprietary software applications and tools. These award-winning technologies have fundamentally changed the way commercial real estate has been done at Woolbright.
Prabhu’s career spans over 18 years of product, business, and customer experience focused on enterprise-scale software for IoT-based connected services, sustainable building solutions, and telecom network management. Prior to becoming an entrepreneur, he was the Director of the IoT division of Zoho Corporation. At Zoho, he was responsible for and directly oversaw strategy, innovation, product, marketing and revenue operations of end-to-end telecom and IoT building solutions.