Should Data Centers Have Common Physical Infrastructure Security Standards?

If the industry doesn’t formulate a set of standards for securing critical infrastructure, regulators might.

Security regulations exist for several industries – HIPAA for medical, PCI for credit cards and payment processing, but nothing for the security of data center physical infrastructure. At least not that’s required. The International Society of Automation IEC 62443 standard gives security requirements for industrial control systems. It’s the strongest standard available to manufacturers currently and at least would provide a base minimum standard for companies to adhere to. The IEC 62443 standard is strong – the strongest available.

Some data centers have their own regulations within their specific areas within which they must comply. But when it comes to having a general one for all, no universal standard exists and nothing is enforced. The industry would be better off if it did and they would also be better off if they had a say in it for themselves versus the federal government intervening and setting regulations for them. Having a standard for all vendors would help with compatibility and interoperability.

Data Centers Vulnerable to Cyberattacks 

If having a standard for the sake of interoperability isn’t enough motivation, concern over the high-profile cyberattacks served up on the news every day ought to be. Many involved in the industry feel the mandatory, irreplaceable role that physical infrastructures play in all our lives makes having a security standard of critical importance. Life as we know it in the US depends upon these systems. Yet, physical infrastructure’s exposure to the Internet makes them just as vulnerable to cyberattack every day as other parts of the data center.

Awareness of these risks has caused more vendors to agree that better security and conformance through stronger standards is necessary.

Security has become increasingly threatened as both IT and operational technology (OT) systems have become increasingly interconnected. Elements of physical infrastructure – backup generators, power systems, air conditioning, and other areas are connected with IT.

"There has always been a strange disconnect between physical and IT security in most organizations," agreed Saurabh Sharma, VP at Virsec Systems, a San Jose-based cybersecurity company. Different groups are in charge, and they use different technology.

"Clearly there should be similar standards between physical security products – which often directly connect to IT systems, and IT systems which increasingly control physical industrial equipment," he said.

Eaton isn't the only company paying attention to cybersecurity, Sharma said. Schneider Electric, Rockwell Automation, and ABB are also stepping up. Rockwell, for example, announced in November that it received the ISA/IEC 62443-2-4 certification.

Many Members Already in Agreement That Standards Are Needed

The end of last month, twenty-three (23) companies became new members of the Global cybersecurity Alliance in support of implementing the ISA/IEC 62443 standards and released an implementation guide accordingly. The founding companies of the Alliance are Schneider, Rockwell, Honeywell, Johnson Controls, Claroty, and Nozomi Networks. Another alliance is coming together as well, the Operatoinal Technology Cyber Security Alliance, which launched in October in Zurich. Those founding members are ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, and Splunk.

But in order to succeed, participation is essential. As long as it’s voluntary and optional, its strength can’t be optimal. Infrastructure cybersecurity must be an integral part of daily best practices. These alliance efforts are good steps in the right direction but much more is needed to mitigate the threats facing these organizations today.

Read entire Should Data Centers Have Common Physical Infrastructure Security Standards article

Further resources:

GreyEnergy Spy APT Mounts Sophisticated Effort Against Critical Infrastructure

Prediction Series #2: Companies are unprepared for cyber attacks that continue to threaten ICS/SCADA systems

ICS vulnerabilities could be exploited to cause severe operational impact report warns