The world has become extremely cyber-reliant, and the Data Centers (DCs) that run cloud, GenAI/AI, CRM, entertainment, financial, government and healthcare operations are now ground zero for targeted, Stuxnet-style sabotage attacks whose results would be catastrophic.
If a cluster of hyperscale DCs went offline, it could stop the US economy, and potentially the global economy, in its tracks, much as the 9/11 World Trade Center attacks grounded air travel. Today, Integrated Data Center Management (IDCM) implementations plan and build out redundant systems to keep every function operating, including risk management and mitigation. At the center of IDCM is Operational Technology (OT) command-and-control data.
Data Center Security Risks
We often treat processing, cooling, connectivity and access as the primary DC concerns. In reality, electricity is the main chokepoint: disruption or complete loss of core infrastructure electrical power is the most critical DC failure. We already know that US critical infrastructure, including the electrical grid, is at risk.
DCs have therefore mitigated grid power failures by building out massive on-site power generation. Even so, consider the case where the chillers and cooling systems lose power, the standby generation fails to start, and the UPS batteries that carry the load during transfer drain before a controlled shutdown can complete. Without cooling, residual heat almost immediately reaches temperatures capable of destroying racks of critical equipment.
The Impact of an Attack
We don’t have to go back far in time to see how such a catastrophic DC failure could happen. The Stuxnet worm was built to sabotage the specific industrial control systems used in Iran’s uranium enrichment facilities, in particular Siemens S7 PLCs programmed through the Step7 engineering software. The threat actor exploited a blind spot: the attack succeeded without any alert from the monitoring systems.
None of the security detection solutions alerted, because the worm did not arrive across the Internet perimeter where those tools were watching. It came in through the trusted maintenance channel (the documented path was infected removable media carried in by contractors alongside routine equipment servicing), which looked like basic maintenance rather than an intrusion.
Once it had a foothold on a host adjacent to the OT network, the worm spread quickly to other Windows machines. Stuxnet was a sophisticated worm carrying four zero-day exploits and a checklist of activities. To achieve its goal it needed to learn the specific configurations and operational details of the PLCs and to locate the targeted Step7 installations.
Stuxnet began its reconnaissance by collecting specific information about the systems it infected, including configuration and operational details of the industrial control systems held in unencrypted, active SQL databases (the WinCC SCADA product keeps its project data in Microsoft SQL Server, and the worm reached it with WinCC’s hard-coded database credentials). The primary goal was not to steal this data, but to use it to learn and refine the sabotage operation.
Stuxnet’s primary operations focused on manipulating the PLCs and the real-time data fed to the SCADA systems, and it did interact with the internal SQL databases: it read and modified configuration data, and by replaying recorded normal readings it ensured that the operational databases and operator displays logged falsified data. It did not, however, target traditional IT databases for data theft or direct manipulation.
Evolving Threats to Data Centers
Stuxnet and its relatives Duqu and Flame, along with newer threats including GenAI-assisted ones, endanger IDCM software applications and their active, on-demand data. Most of that data is stored in plaintext to support live operations.
In MITRE ATT&CK terms an intrusion begins with Reconnaissance, and once inside the adversary moves to Discovery and Collection, searching for data and for the defenses that stand in the way. Past those defenses, plaintext SQL databases can be manipulated, stolen, or silently controlled by remote threat actors.
Today’s most dangerous IDCM application threats are SQL injection and cross-site scripting. SQL injection tooling lets attackers or worms automate the attack and exploit a vulnerability within minutes. It is called SQL injection because the adversary supplies input that the application splices into an SQL statement, so the attacker’s text becomes part of the query and talks to the database directly, bypassing the application’s safeguards.
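The following is an added example, not code from the original article or from any IDCM product. It builds an in-memory SQLite table standing in for an asset inventory (the `assets` schema and the rows are constructed for illustration) and shows the same lookup written two ways: one that concatenates the caller’s input into the statement, and one that binds it as a parameter. Two constructed attacker inputs demonstrate the Discovery step described above: a tautology that dumps every row, and a `UNION` against `sqlite_master` that reads the schema out through the same query.

```python
import sqlite3

# Constructed sample rows standing in for an IDCM asset inventory.
# The schema is an assumption for this example, not a real product's.
SAMPLE_ASSETS = [
    (1, "chiller-01", "cooling", "10.20.0.11"),
    (2, "ups-a", "power", "10.20.0.21"),
    (3, "ats-main", "power", "10.20.0.22"),
    (4, "plc-rack7", "control", "10.20.0.31"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, "
        "category TEXT, mgmt_ip TEXT)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", SAMPLE_ASSETS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, category: str):
    # Deliberately vulnerable: caller-supplied text is spliced into the SQL,
    # so quotes and keywords in the input become part of the statement.
    sql = "SELECT name, mgmt_ip FROM assets WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, category: str):
    # Hardened: the driver binds the value as data. It can never change the
    # statement's structure, whatever characters it contains.
    sql = "SELECT name, mgmt_ip FROM assets WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "nonexistent' OR '1'='1"                          # returns every row
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master--"  # reads the schema

if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP):
        print("vulnerable   :", lookup_vulnerable(db, payload))
        print("parameterized:", lookup_parameterized(db, payload))
```

The parameterized form returns no rows for either payload because the whole string is compared against `category` as a value. The vulnerable form returns all four assets for the tautology and the `CREATE TABLE` text for the `UNION` payload, which is exactly the reconnaissance an automated injection tool performs before it starts reading or rewriting operational data.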
Ending DB Attacks With Encryption
But what if the IDCM application reached its critical data only through an API that can be secured and monitored?
With Searchable Encryption, users can query data encrypted under AES-256 while it stays encrypted on the server. Solutions based on Searchable Symmetric Encryption (SSE) support database operations (create, read, update and delete) by matching against an encrypted index, so the server never needs the decryption key and never sees the keywords being searched.
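The following is an added example of the mechanism described in the two paragraphs above; it is not a vendor’s product code. The application (client) owns the master key and talks to a store through a small API; the store holds only ciphertext blobs and an index keyed by PRF tokens, so an equality search on a field runs without the server ever seeing a keyword or a plaintext value. Assumptions: the sample asset rows and the `category` index field are constructed, and the record cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used as a stand-in because the Python standard library has no AES; a deployment would put AES-256-GCM from a vetted library in its place.

```python
import hashlib
import hmac
import json
import os
from collections import defaultdict

# Added example: minimal searchable symmetric encryption (SSE). The cipher is
# an HMAC-SHA256 counter-mode stream plus an encrypt-then-MAC tag, a stand-in
# for AES-256-GCM because the stdlib has no AES. Do not use it in production.


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = prf(key, nonce + blk.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


class EncryptedStore:
    """Server side: holds no keys, keywords or plaintext."""

    def __init__(self):
        self.blobs = {}                # record id -> ciphertext blob
        self.index = defaultdict(set)  # PRF token -> record ids

    def put(self, rid, blob, tokens):
        self.blobs[rid] = blob
        for t in tokens:
            self.index[t].add(rid)

    def search(self, token):
        return [self.blobs[r] for r in sorted(self.index.get(token, ()))]


class SseClient:
    """Client side (the IDCM app): owns the master key, derives subkeys."""

    def __init__(self, master_key: bytes):
        self.k_enc = prf(master_key, b"enc")
        self.k_mac = prf(master_key, b"mac")
        self.k_idx = prf(master_key, b"idx")

    def token(self, field: str, value: str) -> bytes:
        # Deterministic per (field, value) so equal values map to one token.
        return prf(self.k_idx, f"{field}={value}".encode())

    def encrypt(self, record: dict) -> bytes:
        nonce = os.urandom(16)
        ct = keystream_xor(self.k_enc, nonce, json.dumps(record, sort_keys=True).encode())
        return nonce + ct + prf(self.k_mac, nonce + ct)

    def decrypt(self, blob: bytes) -> dict:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, prf(self.k_mac, nonce + ct)):
            raise ValueError("ciphertext failed integrity check")
        return json.loads(keystream_xor(self.k_enc, nonce, ct))

    def insert(self, store, rid, record, indexed_fields):
        tokens = [self.token(f, str(record[f])) for f in indexed_fields]
        store.put(rid, self.encrypt(record), tokens)

    def query(self, store, field, value):
        return [self.decrypt(b) for b in store.search(self.token(field, value))]


# Constructed sample inventory rows (an assumed IDCM schema, not a real one).
SAMPLE_ASSETS = [
    {"id": 1, "name": "chiller-01", "category": "cooling", "mgmt_ip": "10.20.0.11"},
    {"id": 2, "name": "ups-a", "category": "power", "mgmt_ip": "10.20.0.21"},
    {"id": 3, "name": "ats-main", "category": "power", "mgmt_ip": "10.20.0.22"},
    {"id": 4, "name": "plc-rack7", "category": "control", "mgmt_ip": "10.20.0.31"},
]


def build_demo(master_key: bytes = b"constructed-demo-key-not-for-prod"):
    store, client = EncryptedStore(), SseClient(master_key)
    for rec in SAMPLE_ASSETS:
        client.insert(store, rec["id"], rec, ["category"])
    return client, store


def server_sees_plaintext(store) -> bool:
    # True if any cleartext field value appears in what the server holds.
    held = b"".join(store.blobs.values()) + b"".join(store.index)
    return any(rec[k].encode() in held
               for rec in SAMPLE_ASSETS for k in ("name", "category", "mgmt_ip"))


def tamper_detected(client, store, rid) -> bool:
    blob = bytearray(store.blobs[rid])
    blob[20] ^= 0x01  # flip one bit inside the ciphertext body
    try:
        client.decrypt(bytes(blob))
        return False
    except ValueError:
        return True
```

Two caveats a practitioner should weigh before relying on this pattern. First, deterministic tokens leak equality and frequency: the server can see that two records share a `category` token and how often each token is searched, even without knowing what the token means. Second, the client that holds the key is now the crown jewel; an implant on that host (which is where Stuxnet sat) sees whatever the application decrypts.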
Had the enrichment facility’s SCADA systems used Searchable Encryption, Stuxnet’s reconnaissance against the project database would have returned ciphertext rather than usable configuration data, which could have blunted the attack early, and the stored data would not have revealed the layout of the intranet and its devices. The caveat is that encryption at rest protects the data in the database, not the hosts that use it: a worm running on an engineering workstation that legitimately holds the key, or that hooks the Step7 software as Stuxnet did, still sees whatever that workstation decrypts, so database encryption has to be paired with hardening and monitoring of those hosts.
A Searchable Encryption solution also aligns with the Federal Data Center Enhancement Act of 2023, which requires agencies to “regularly assess the application portfolio of the covered agency and ensure that each at-risk legacy application is updated, replaced, or modernized, as appropriate, to take advantage of modern technologies”.
Today every data center is at risk through IoT and OT data that is not secured. A Stuxnet-like worm or a skilled attacker will struggle to find the data needed to execute an attack on a system protected with Searchable Encryption. It is time to make our data centers secure by design: they are critical infrastructure with many attack vectors, motivated attackers, and most of the world’s critical data.