The ongoing fighting in the Middle East has elevated data centers, of all things, to the status of being a military target. A report in Fortune on March 9 said that two Amazon Web Services (AWS) data centers in the United Arab Emirates and another in Bahrain were targeted by Iranian missiles or drones. Both facilities were knocked out of commission and the resulting service outages affected companies throughout the region.
The speculation is that since the U.S. military has workloads running on AWS, the data centers were deliberately targeted to measure the resulting military impact, the Fortune article said.
That’s bad news not only for the military, but for manufacturers and other critical industries going forward. Data centers might be the most valuable technology currency out there and if it’s true they’re already viable targets for air strikes, the time may soon be approaching when they’re equally viable targets of cyberattacks during conflicts.
More and more manufacturing organizations are utilizing data centers for critical operations every day. Sensors on key assets collect and transmit data into the cloud (ultimately, a data center). That information is analyzed in milliseconds and the results produce ML models that predict failures and help business and shop floor leaders minimize downtime and improve productivity. Those same sensors in other areas of the manufacturing shop floor handle inventory tracking and logistics, ensuring that a highly automated supply chain is uninterrupted.
Physical damage to or destruction of a commercial data center from a missile has far-reaching geopolitical and economic impacts.
The Fortune report states that commercial cloud computing is part and parcel of supporting military operations; AI is heavily used for intelligence assessments, target identification, and battle simulations, the report said. In that light, a commercial data center is instantly a vital strategic asset. Manufacturers and other enterprises in critical infrastructure sectors are simultaneously impacted in the event of such an attack, potentially causing societal chaos and immediate disruption of service; Fortune reports outages stemming from the AWS air strikes impacted banking, enterprise software, and other web-facing applications.
We should also consider the same impacts from a cyberattack against a data center. Data centers are ripe for disruption given the vast computing infrastructure present and the businesses and processes they support. From a cyber-physical systems (CPS) perspective, we need look no further than the damage and disruption possible from an incident involving building management systems (BMS) that support a data center.
BMS control systems centrally manage everything from power, lighting, and heating and cooling systems to physical access to data center facilities. The computer room environmental controls keep servers, switches, and other networking gear running at safe, optimal levels. Power management speaks for itself in a data center. With AI creeping into every process and every enterprise system, the demands for power are going to surge exponentially, and that surging risk must be supported and protected.
Data center cybersecurity must not only concentrate on the understood IT principles of confidentiality, integrity, and availability to protect servers, switches, and routers, but must also deploy purpose-built CPS protection to lock down BMS and other supporting operational technology (OT).
Assuming organizations have a reliable and redundant inventory of OT assets, it’s imperative that they be virtually segmented vertically and horizontally on the network. In the event of a cyberattack, this allows asset operators to quickly isolate compromised systems and minimize an attacker’s ability to move laterally or vertically on the internal data center network.
Access controls (physical and virtual) and strong authentication are a must to lock down and control who has access to crown-jewel systems and data. Organizations must operate on a principle of least privilege and assign access based on roles and other privileges outlined—enforced and audited—by policy.
Secure remote access is another critical defense that must be in place. Data centers and other enterprises rightly cannot connect BMS controllers and other OT technology directly to the internet. They must be layered behind a secure access solution, one that meets business risk and compliance requirements (e.g., auditing capabilities, session recording, and the ability to disconnect remote sessions as they happen). Attackers can easily infiltrate any internet-facing OT and CPS systems and, with the help of AI, attack these assets at scale. This is an ever-growing risk that data centers and other enterprises such as critical manufacturing must mitigate.
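To make the segmentation and remote-access points above concrete, here is an added Python example (not from the article or any vendor product) that audits a firewall allow-list against a vertical/horizontal zone model and shows how far a compromised controller can move before and after the violations are removed. The asset names, tier numbers, and flows are constructed assumptions.

```python
from collections import deque

GATEWAY = "remote-gw"  # hypothetical secure remote access broker in a DMZ

# Constructed zone model: level = vertical tier, cell = horizontal segment.
ZONES = {
    "internet":   {"level": 4, "cell": "external"},
    "corp-it":    {"level": 3, "cell": "it"},
    GATEWAY:      {"level": 2, "cell": "dmz"},
    "bms-server": {"level": 1, "cell": "bms"},
    "hvac-ctrl":  {"level": 0, "cell": "cooling"},
    "power-ctrl": {"level": 0, "cell": "power"},
    "door-ctrl":  {"level": 0, "cell": "access"},
}

# Constructed allow-list of (source, destination) session flows.
FLOWS = [
    ("internet", GATEWAY), ("corp-it", GATEWAY), (GATEWAY, "bms-server"),
    ("bms-server", "hvac-ctrl"), ("bms-server", "power-ctrl"),
    ("bms-server", "door-ctrl"),
    ("hvac-ctrl", "power-ctrl"),  # controller talks across cells
    ("internet", "hvac-ctrl"),    # controller exposed to the internet
]

def audit(flows, zones=ZONES):
    """Return (src, dst, reason) for flows that break the segmentation policy."""
    findings = []
    for src, dst in flows:
        s, d = zones[src], zones[dst]
        if s["level"] == d["level"] and s["cell"] != d["cell"]:
            findings.append((src, dst, "horizontal: crosses cells at the same tier"))
        elif abs(s["level"] - d["level"]) > 1 and dst != GATEWAY:
            findings.append((src, dst, "vertical: skips a tier without the gateway"))
    return findings

def enforce(flows):
    """Allow-list with every flagged flow removed."""
    bad = {(s, d) for s, d, _ in audit(flows)}
    return [f for f in flows if f not in bad]

def reach(start, flows):
    """Assets a compromised asset can open sessions to, directly or by pivoting."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in flows:
            if src == node and dst != start and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
    print(reach("hvac-ctrl", FLOWS), reach("hvac-ctrl", enforce(FLOWS)))
```

The model treats flows as one-directional session initiations, as a stateful firewall would; it does not model authentication at the gateway.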
Finally, the paradigm completely changes when it comes to physical attacks during a kinetic conflict. No firewall can protect a data center from a missile. As Fortune writes, cyber and physical security measures that are in place today largely are meant to protect against human access sabotage. Will we see a day when commercial data centers that also house military intelligence and analysis are guarded by missile defenses, or when data centers with military applications need to be housed in a solid granite mountain bunker?
Sam Winter-Levy, a fellow at the Carnegie Endowment for International Peace, is quoted as saying that physical attacks on data centers “are only going to become more common moving forward as AI becomes more and more significant.” He also called the Middle East strikes “a harbinger of what’s to come.”
Let this be food for thought for any security leader responsible for the protection of critical infrastructure assets.
Jim LaBonty is the retired Director and Head of Global Automation Engineering for Pfizer's Global Engineering & Technology division. In this role he primarily focused on establishing the strategic direction and harmonizing control system solutions across 42 manufacturing sites globally, including securing the development of Pfizer's COVID-19 vaccine. Previously, LaBonty held senior engineering and system architect roles at Rockwell Automation, Eli Lilly & Company, and Eastman Kodak Company. He now leverages his decades of experience to help firms with their corporate OT cyber strategy and global program execution, with the goal of protecting manufacturing.