​Control systems should be a security priority: i3Solutions

When it comes to cybersecurity, discussions should include talk of control systems that sit on the perimeter of a datacentre, according to i3Solutions' CEO.
Written by Asha Barbaschow, Contributor

Ed Ansett, CEO of IT consultancy firm i3Solutions, believes industrial control systems that manage datacentres should be given more attention when it comes to security.

Ansett said often control systems such as heating, ventilation, and air conditioning (HVAC) equipment have not been designed with cybersecurity in mind, which has left the critical infrastructure vulnerable to attack.

"Everyone's been focusing on the IT side to security and they continue to -- and rightly so. But [the control systems] use a whole different set of protocols and those protocols are used in the datacentre as well, but they don't fall under IT," Ansett said.

"These protocols -- and it's well known but not publicised -- are vulnerable because they were not designed with security in mind, they were designed to do things way back in the day."

Using a cooling system as his example, Ansett said the purpose of it is to cool the datacentre down, adding that it also has to monitor and control various elements such as pumps, switches, and the air handling units.

"They don't typically connect to the IT system but the thing is not that they're not connected but the fact that they're using these protocols which are not strong from a security point of view. They are easily broken into and can easily be maliciously tampered," he said. "This could result in the malfunctioning of the datacentre which is pretty disastrous."

Taking a control system down could potentially wipe out the critical infrastructure of a datacentre, according to Ansett.

"An IT system doesn't work without power and cooling and if you take that away it's not like one server, one rack, or one business process -- you will take everything out," he said. "I'm not crying wolf here.

"When we first got into this I was reluctant to raise it because I thought if I raised it I'm going to make people that have got bad things in mind aware of an attack platform that they might not be aware of, but I thought about that long and hard and came to the conclusion that it was going to happen sooner or later so I may as well get it out in the open and get people's attention so that they deal with it before it happens."

Citing research by Forrester, Ansett said that 50 percent of attacks on a business are from inside a firewall.

"You've got to take that on board. We're not just talking about a bunch of hacks trying to break into a datacentre and shut down the UPS," he said. "According to the research anyway, you have to pay attention to the fact that something may go into the datacentre to do upgrades and end up with a datacentre failure as a result of an infection."

In what is one of the most well-known breaches in recent times, US retailer Target experienced the theft of at least 40 million customer records containing financial data such as debit and credit card information in November 2013.

The breach had compromised 11 gigabytes of data containing the names, mailing addresses, phone numbers, email addresses, and payment card information of up to 70 million people.

It was reported that the hackers who broke into Target's network began with the theft of the credentials of Target's HVAC contractor to pull off the heist.

Ansett said that there are other instances similar to Target's tale, despite not being reported.

"The thing about this is that it will secretly gather steam," he said. "This security hole isn't going to take out an application or a business process; it will shut down a complete datacentre at random.

"Everybody is exposed to this. It's not a question of have I got a problem, it's a question of who hasn't got a problem."

Editorial standards