Greetings and welcome back! This week we continue our series on the effect of the New York Cybersecurity Law for Financial Services Companies on the need to protect Information Technology (IT) systems as well as Industrial Internet of Things (IIoT) systems. Specifically, we look at the New York Cybersecurity Law & Your Rack Systems.
New York State authorities took significant input from experts in IT security and IIoT security in formulating this Law. As we discussed last week, the key thing to remember about this law is the following:
Under the New York Cybersecurity Law, “Information Systems” are defined to include all IT systems as well as all IIoT power, cooling and security systems that support them.
Many notable examples of cyberattacks have already taken place through IIoT power and environmental control systems including:
- Ukrainian Power Plant Cyberattack – an Uninterruptible Power Supply (UPS) system used in combination with switchgear caused a massive blackout throughout much of the Ukraine.
- Staminus Cloud System Cyberattack – a rack-mounted Power Distribution Unit (PDU) was used to enter the cloud-based servers in a rack, stealing millions of dollars' worth of data records.
- SCADA/BMS Cyberattacks – case studies of 5 attacks on industrial systems and the results on the affected businesses
The ease with which UPS, PDU and Environmental Control Systems can be attacked is well documented by the related links. In addition, a thorough review of attack vectors against UPS, PDU and Air Conditioning Systems was documented fully 5 years ago in a White Paper written by Dr. Patrick Traynor of the Georgia Institute of Technology. In this paper, the vulnerability of the SNMPv3 communication protocol is thoroughly discussed. SNMPv3 is the latest version of SNMP and was largely believed by users to be secure.
Other possible attack sequences on various types of IIoT systems have also been proven to be possible. A number of government and university studies have documented vulnerabilities to attack sequences such as those shown below:
- Aurora Generator Attack – documented by Department of Homeland Security to show a plausible attack that can destroy a generator system
- Programmable Logic Controller (PLC) Cyberattack – a Malware Worm developed solely to live on and spread among PLCs without using a PC or Server
- PLC Physical Attack – using the pin control mechanisms to render I/O unavailable
Because actual attacks are taking place and because new vulnerabilities to attacks are continually being discovered, the US Government has launched a branch of the Department of Homeland Security to provide information in this area. This organization is known as the Industrial Control System Computer Emergency Response Team (ICS-CERT) and it publishes alerts, advisories and regular reports on the latest products which have been found to have cyber or physical vulnerabilities. The ICS-CERT website contains a searchable database for present and historical reports written on IIoT power, cooling and control systems.
So what does this mean for securing your rack systems? The New York Cybersecurity Law says the following:
You must secure all IT and IIoT support systems from each of the following threats:
- Confidentiality – protecting the cyber and physical security of all data. This includes both data that is at rest and data that is in transit
- Integrity – protecting the intended state of the data from being compromised by cyber or physical means or altered in any way
- Availability – ensuring uninterrupted operation of all systems that support continuous access to data at all hours and times at which it is needed
This means that you must secure all communications to and from each of the following rack IIoT systems:
- Rack Power Distribution Units (PDUs)
- Rack Uninterruptible Power Supplies (UPS)
- Rack Cooling Systems
It is clear from the attacks that have already taken place through these types of systems that they must be protected with a firewall that is specifically suited to protect the confidentiality of their communications and the integrity of the systems themselves. It is also clear that these power and cooling systems must be monitored to protect their availability to ensure the uptime of all IT systems.
RackGuardian stands alone in the market as the only product to include the ability to protect and monitor any type of rack IIoT system. This ensures the security and availability of the IT systems that these IIoT systems support. RackGuardian is simple to install and use and affordable for all budgets. Please feel free to call one of our experts to see how RackGuardian can protect your rack systems, whether you have one rack or hundreds.
Until Next Week,