Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Physical Security of a Data Center

This blog has been repurposed from the March-April 2020 edition of InTech.


Data centers are centralized locations housing computing and networking equipment, which is also known as information technology (IT) equipment and network infrastructure. Network infrastructure comprises gateways, routers, switches, servers, firewalls, storage systems, and application delivery controllers for managing and storing data and applications. Data centers store large amounts of data for processing, analyzing, and distributing—and thereby connect organizations to service providers. Many organizations rent space and networking equipment in an off-site data center instead of owning one. A data center that caters to multiple organizations is known as a multi-tenant data center or a colocation data center, and is operated by a third party.

Industrial facilities with on-premise data centers need to secure the hardware and software within them. There are two types of security: physical security and software security.

Physical security is the protection of people, property, and assets, such as hardware, software, network, and data, from natural disasters, burglary, theft, terrorism, and other events that could cause damage or loss to an enterprise or institution. Software security involves techniques to prevent unauthorized access to the data stored on the servers. Because new malicious software (malware) is being developed year after year to break the various firewalls protecting the data, security techniques need to be upgraded periodically.

Physical security controls

Physical security of a data center comprises various kinds of built-in safety and security features to protect the premises and thereby the equipment that stores critical data for multi-tenant applications. For the safety and security of the premises, factors ranging from location selection to authenticated access of the personnel into the data center should be considered, monitored, and audited vigorously. To prevent any physical attacks, the following need to be considered:

  • proximity to high-risk areas, such as switch yards and chemical facilities
  • availability of network carrier, power, water, and transport systems
  • likelihood of natural disasters, such as earthquakes and hurricanes
  • an access control system with an anti-tailgating/anti-pass-back facility to permit only one person to enter at a time
  • single entry point into the facility.

Organizations should monitor the safety and security of the data center rack room with authenticated access through the following systems:

  • closed-circuit television (CCTV) camera surveillance with video retention as per the organization policy
  • vigilance by means of 24×7 on-site security guards and manned operations of the network system with a technical team
  • periodic hardware maintenance
  • checking and monitoring the access control rights regularly and augmenting if necessary
  • controlling and monitoring temperature and humidity through proper control of air conditioning and indirect cooling
  • uninterruptible power supply (UPS)
  • provision of both a fire alarm system and an aspirating smoke detection system (e.g., VESDA) in a data center. A VESDA, or aspiration, system detects and alerts personnel before a fire breaks out and should be considered for sensitive areas.
  • water leakage detector panel to monitor for any water leakage in the server room
  • rodent repellent system in the data center. It works as an electronic pest control to prevent rats from destroying servers and wires.
  • fire protection systems with double interlock. On actuation of both the detector and sprinkler, water is released into the pipe. To protect the data and information technology (IT) equipment, fire suppression shall be with a zoned dry-pipe sprinkler.
  • cable network through a raised floor, which avoids overhead cabling, reduces the heat load in the room, and is aesthetically appealing. 

Data center infrastructure

Raised floor systems are required to route cables and chilled-air piping and ducting beneath data center racks. The floor load for a data center is shown in figure 1, which is an engineering plan for a typical data center. The plan encompasses the five critical systems that are part of a data center:

 

Figure 1. Engineering plan and space design of data center.

 

 The electrical system includes the electrical panels, such as power distribution units (PDUs), UPS, backup diesel generation panels, and lighting panels, that are housed in the electrical room.

The heating, ventilation and air conditioning (HVAC) systems may include roof-top units and air handling units to distribute conditioned air. Split units or variable refrigerant flow might also be used for temperature control. Cooling the raised floor area and between racks is achieved by a computer room air conditioner that sucks in the hot air above the racks and supplies cold air through the grills in the raised floor.

The fire detection and suppression system includes fire alarm detection and fire protection systems, as well as dry protection systems (such as FM 200) for sensitive areas, such as the server areas. Security systems include CCTV, video, and other access control systems, such as biometrics and perimeter monitoring systems. Plant communication systems and other notification systems are used for making emergency announcements, such as for evacuation.

Data center tiers

Data center tiers are an indication of the type of data center infrastructure to be considered for a given application. It is a standardized methodology used to define uptime of a data center. A data center tier, or level, in other words, is used for differentiating key data center requirements, the focus being redundant components, cooling, load distribution paths, and other specifications. It is a measure of data center performance, investment, and return on investment. 

 

Figure 2. Data center tiers.

 

Each of these tiers can be defined precisely (figure 2). Tier 1 is the simplest architecture, while Tier 4 is a robust architecture with redundancy at all levels and hence is less prone to failures. Each higher tier is built over the previous tiers with all their features.

Tier 1 is a type of data center that has a single path for utility sources, such as power and cooling requirements. It also has one source of servers, network links, and other components. Tier 2 is a type of data center that has a single path for utility sources, such as power and cooling, as well as redundant capacity components, such as servers and network links, to support IT load. It is more robust than Tier 1 in terms of the hardware, and gives users a customizable balance between cost management and performance.

Tier 3 is a type of data center that has a redundant path for utility sources, such as power and cooling systems, and an N+1 availability (the amount required plus backup). Redundant capacity components, such as servers and network links, support the IT load so no disruption to service is envisaged during repair. However, unplanned maintenance can still cause problems. A Tier 4 data center is completely fault tolerant and has redundant hot standby for every component and utility source. Unplanned maintenance does not cause disruption in service.

Security in data center

Security of a data center begins with its location. The following factors need to be considered: geological activity like earthquakes, high-risk industries in the area, risk of flooding, and risk of force majeure. Some of these risks could be mitigated by barriers or redundancies in the physical design. However, if something has a harmful effect on the data center, it is advisable to avoid it totally.

The optimal and strategic way to secure a data center is to manage it in terms of layers (figure 3). Layers provide a structured pattern of physical protection, thus making it easy to analyze a failure. The outer layers are purely physical, whereas the inner layers also help to deter any deliberate or accidental data breaches.

Figure 3. The four layers of data center physical security.

 

The security measures can be categorized into four layers: perimeter security, facility controls, computer room controls, and cabinet controls. Layering prevents unauthorized entry from outside into the data center. The inner layers also help mitigate insider threats.

First layer of protection: perimeter security. The first layer of data center security is to discourage, detect, and delay any unauthorized entry of personnel at the perimeter. This can be achieved through a high-resolution video surveillance system, motion-activated security lighting, fiber-optic cable, etc. Video content analytics (VCA) can detect individuals and objects and check for any illegal activity. It can also track the movements of people and help avoid false alarms.

Second layer of protection: facility controls. In case of any breach in the perimeter monitoring, the second layer of defense restricts access. It is an access control system using card swipes or biometrics. High-resolution video surveillance and analytics can identify the person entering and also prevent tailgating. More complex VCA can read license plates, conduct facial recognition, and detect smoke and fire threats.

Third layer of protection: computer room controls. The third layer of physical security further restricts access through diverse verification methods including: monitoring all restricted areas, deploying entry restrictions such as turnstile, providing VCA, providing biometric access control devices to verify finger and thumb prints, irises, or vascular pattern, and using radio frequency identification. Use of multiple systems helps restrict access by requiring multiple verifications.

Fourth layer of protection: cabinet controls. The first three layers ensure entry of only authorized personnel. However, further security to restrict access includes cabinet locking mechanisms. This layer addresses the fear of an “insider threat,” such as a malicious employee. After implementing the first three layers well, cabinets housing the racks inside the computer room also need to be protected to avoid any costly data breach.

There are multiple significant considerations for the critical fourth layer, like providing server cabinets with electronic locking systems. To ensure secured access, the same smart card can be used to access the cabinets. In addition, biometrics may be provided. The above systems can be linked with the networked video cameras to capture the image of the person and his or her activities, and log the data automatically for further analysis and audit. PTZ cameras can be preset to positions based on cabinet door openings.
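The automatically logged access data described above can be audited against the four-layer model. The following is an added example, not part of the original article: the event format, card IDs, and finding names are assumptions, and a cabinet door opening/closing is treated as an "in"/"out" event. It flags anti-pass-back violations and entries to an inner layer with no recorded entry at the layer outside it, which is a common sign of tailgating.

```python
from collections import defaultdict

# The four layers named in the article, outermost first.
LAYERS = ["perimeter", "facility", "computer_room", "cabinet"]

# Constructed sample badge log: (time, card_id, layer, direction).
SAMPLE_EVENTS = [
    ("09:00", "C100", "perimeter", "in"),
    ("09:02", "C100", "facility", "in"),
    ("09:05", "C100", "computer_room", "in"),
    ("09:06", "C100", "cabinet", "in"),
    ("09:10", "C200", "perimeter", "in"),
    ("09:11", "C200", "perimeter", "in"),      # card reused without an exit
    ("09:15", "C300", "perimeter", "in"),
    ("09:20", "C300", "computer_room", "in"),  # no facility entry on record
    ("09:30", "C100", "cabinet", "out"),
    ("09:31", "C100", "computer_room", "out"),
]

def audit_badge_log(events):
    """Return (time, card_id, layer, finding) tuples for rule violations."""
    inside = defaultdict(set)  # card_id -> layers the card is currently inside
    findings = []
    for time, card, layer, direction in events:
        depth = LAYERS.index(layer)
        if direction == "in":
            # Anti-pass-back: the card is already inside this layer.
            if layer in inside[card]:
                findings.append((time, card, layer, "pass-back"))
                continue
            # Layering: an inner entry needs a prior entry at the outer layer.
            if depth > 0 and LAYERS[depth - 1] not in inside[card]:
                findings.append((time, card, layer, "skipped-layer"))
            inside[card].add(layer)
        else:
            # An exit with no matching entry means the entry was never badged.
            if layer not in inside[card]:
                findings.append((time, card, layer, "exit-without-entry"))
            inside[card].discard(layer)
    return findings

if __name__ == "__main__":
    for finding in audit_badge_log(SAMPLE_EVENTS):
        print(finding)
```
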

An integrated IP network of the four layers of security can create an effective, efficient, and comprehensive system for any application. Further integration with the Internet allows for centralized searching, storing, recording, sending, sharing, and retrieving capabilities.

Best practices

A data center audit involves an asset inventory and creates a library of accurate, up-to-date information about all of the equipment in the data center—from servers and cabinets to storage devices. The following are some of the best practices for building up security at a data center facility.

  • Conduct regular audits. Internal audits check the implemented systems and processes. An external audit is used to check the commitment of internal audits. Audits should check for any vulnerabilities in the data center facilities that are provided to ensure security. Check to see if access control systems, CCTV cameras, and electronic locks are functioning and are being maintained. Check if any job role changes in the employees call for an update in the procedures and systems.
  • Strengthen access control systems. As an outcome of the audit checks, any facility requiring extra protection should receive additional security. For example, multiple verification methods for personnel entry into a certain area may be recommended, such as an access card and fingerprint or retinal recognition. Make an audit of the entire facility to check if the access control system needs to be tightened.
  • Enhance video surveillance. Video cameras should include both indoor and outdoor areas of the facility. Similar to the access control systems, coupling these with 24-hour surveillance by security staff can significantly enhance the safety of the facility.
  • Enforce security measures. This requires employee training on the security measures to be followed and the consequences if procedures are violated.
  • Establish redundant utilities. Create redundancy in utilities like electricity and water and distribute the same to avoid common-mode failures and to achieve high availability of the systems.

Physical security comprises a four-layer protection that provides a defense-in-depth approach in case a control is bypassed. Controls include administrative decisions such as site location, facility design, and employee control/assigning the access level. Physical controls include perimeter monitoring, motion detection, and intrusion alarms. Technical controls include smart cards used for access control, CCTV systems, and intrusion detection systems.

Most organizations focus on software security and firewalls. However, a breach in physical security could cause the theft of data and devices that will make software security useless. It is important to conduct a risk assessment study in compliance with ISO 27001 and implement appropriate security controls to ensure a secure data center.

C. Shailaja
C. Shailaja is technology principal and discipline head (instrumentation and controls) for TATA Consulting Engineers Ltd in Chennai, India.
