DeNexus Blog - Industrial Cyber Risk Quantification

Quantifying the Cost of Physical Risk to Data Centers and liaison with Cyber Risk

Written by Donovan Tindill | May 12, 2025 2:02:23 PM


In preparation for this blog, I researched physical security and cyber-physical events at hyperscale datacenters, and I found the following from Data Center Knowledge relevant and interesting. They shared their perspective on the Top 5 Data Center Security Risks for 2023. The top 5 are:

    • Overstretched cybersecurity personnel
    • Ransomware declining, but sophistication increasing
    • Attacker’s capability increasing, requiring better cyber protections
    • Compliance
    • Physical data center risks

The fifth item is what I’m most interested in. It supports the point of my previous blog, Datacenters - Cyber and Physical Security, that the operational technology (OT), also known as the grayspace, inside the data center is a risk to be aware of. Without having to target the customer-facing services and applications within the datacenter, it is possible to cause significant business interruption and potential premature equipment failure or damage by targeting the physical infrastructure that runs air, water, HVAC, electricity and their associated systems.

A few weeks ago at Data Center World in Washington, DC, I gave a talk called “Financially Quantifying Risk to Data Center OT Systems from both Cyber and Physical Security Threats” about out-of-band attacks focused on datacenter OT systems. It was well attended, with many questions and interest in using financial risk to help justify improved mitigations.

Recently, I’ve been working with progressive hyperscale datacenter owners concerned about both the cybersecurity and physical security of their facilities. For several years they have contracted leading consultants to deliver Cybersecurity Risk Assessments for the automation, control, and OT systems in the data center. The benefit is a thorough list of cybersecurity vulnerabilities and findings, but there are several challenges they encountered:

    • The cost to repeat this third-party assessment annually at every hyperscale data center facility they have globally was increasing year over year.
    • The assessment and its results are updated once a year, leaving gaps through the rest of the year as the threat landscape changes.
    • Physical security is out of scope of cyber assessments, and cybersecurity is out of scope of physical security assessments. They’ve invested heavily in physical security controls to restrict physical access to networks or USB ports, but don’t get recognition for it as a compensating control.

This triggered their desire to contact DeNexus and leverage our Cyber Risk Quantification and Management (CRQM) platform, DeRISK, to help them:

    1. Use data from their existing OT cybersecurity solutions to increase the timeliness of their risk assessment. Instead of once a year, they could monitor the effect of threat landscape changes on their risk on a weekly or monthly basis.
    2. Automate portions of the risk assessment process by feeding it with their existing OT network, vulnerability, firewall and communications data.
    3. Evaluate the financial exposure of their facility to both physical and cybersecurity risks.

With the aid of hyperscale data center experts and owners, DeNexus built the world’s first Cyber-Physical Risk Quantification and Management platform for Data Center facilities. Instead of physical and cybersecurity being siloed, their financial risks are harmonized together and available in a single pane of glass.

How does it work? First, we create an attack graph of the physical security zones and their relationships, along with their associated security controls. These controls include the delay capabilities of barriers and access controls, the detection capabilities of alarm systems, video cameras and guards, and lastly the response time to each area of the facility.

The image above is a representation of physical security zones, their relationships, and the investment in Delay-Detect-Response controls from Public Access on the left to the Data Center Buildings (DCB), Data Halls (DH), and Electrical Rooms (ER) on the right.

Within the DeRISK platform, similar to how we model cybersecurity attacks to ICS/OT systems, we simulate the potential for data center losses due to physical attacks.


In the simplified model example above, DeRISK for Data Center facilities simulates physical security attacks alongside the physical security safeguards, and then estimates the risk of Equipment Damage and Business Disruption to the facility caused by an external outsider attempting to bypass physical security controls, showing it in both monetary units (i.e. dollars) and datacenter production units (i.e. MWh).
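To make the Delay-Detect-Response idea concrete, here is an added toy model of a single path through the zones named above (Public Access, DCB, DH, ER). It is example code written for this post, not DeRISK or DeNexus code, and every boundary, detection probability, delay, response time, attack frequency and loss figure in it is a constructed assumption. It uses the classic adversary-sequence-interruption logic: an intruder detected at a boundary is stopped only if the delay still ahead of them exceeds the response time. It then converts the resulting success probability into expected annual loss in dollars and MWh, and compares a baseline against one what-if mitigation (a hardened Data Hall door) to answer the ROI question raised later in the post.

```python
# Added example (not DeRISK or DeNexus code): a toy Delay-Detect-Response
# path model in the spirit of the physical attack graph described above.
# All boundaries, probabilities, timings and loss figures are constructed
# assumptions for illustration only.
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Boundary:
    """One physical security boundary on the path from public access inward."""
    name: str
    p_detect: float    # probability the boundary's sensors, cameras or guards detect the intruder
    delay_min: float   # minutes the barrier holds the intruder once they reach it


def p_interruption(path: List[Boundary], response_min: float) -> float:
    """Probability the response force interrupts an intruder before the last zone.

    Adversary-sequence logic: an intruder first detected at boundary i is only
    stopped if the delay still ahead of them (boundary i and everything after it)
    exceeds the response time. Detection events are assumed independent, and
    response time is treated as a fixed value rather than a distribution.
    """
    p_undetected_so_far = 1.0
    p_int = 0.0
    for i, boundary in enumerate(path):
        remaining_delay = sum(b.delay_min for b in path[i:])
        timely = 1.0 if remaining_delay > response_min else 0.0
        p_int += p_undetected_so_far * boundary.p_detect * timely
        p_undetected_so_far *= 1.0 - boundary.p_detect
    return p_int


def annual_exposure(path: List[Boundary], response_min: float, attempts_per_year: float,
                    loss_usd_per_success: float, outage_hours: float,
                    facility_mw: float) -> Dict[str, float]:
    """Expected annual loss in dollars and in lost production (MWh)."""
    p_int = p_interruption(path, response_min)
    expected_successes = attempts_per_year * (1.0 - p_int)
    return {
        "p_interruption": p_int,
        "usd": expected_successes * loss_usd_per_success,
        "mwh": expected_successes * outage_hours * facility_mw,
    }


def mitigation_roi(baseline: Dict[str, float], mitigated: Dict[str, float],
                   project_cost_usd: float) -> float:
    """Annual loss reduction per dollar of project cost (the what-if question)."""
    return (baseline["usd"] - mitigated["usd"]) / project_cost_usd


# Constructed baseline path: Public Access -> Data Center Building -> Data Hall -> Electrical Room
BASELINE_PATH = [
    Boundary("Perimeter fence (Public Access)", p_detect=0.5, delay_min=1.0),
    Boundary("DCB entrance", p_detect=0.8, delay_min=5.0),
    Boundary("DH door", p_detect=0.9, delay_min=3.0),
    Boundary("ER door", p_detect=0.7, delay_min=2.0),
]
RESPONSE_MIN = 8.0  # assumed guard response time to the Electrical Room

# What-if project: harden the Data Hall door so it delays for 7 minutes instead of 3
MITIGATED_PATH = [replace(b, delay_min=7.0) if b.name == "DH door" else b
                  for b in BASELINE_PATH]


def compare_scenarios():
    """Run baseline and mitigated scenarios with the same constructed loss assumptions."""
    common = dict(attempts_per_year=0.2, loss_usd_per_success=2_000_000,
                  outage_hours=24, facility_mw=50)
    baseline = annual_exposure(BASELINE_PATH, RESPONSE_MIN, **common)
    mitigated = annual_exposure(MITIGATED_PATH, RESPONSE_MIN, **common)
    return baseline, mitigated


if __name__ == "__main__":
    base, mit = compare_scenarios()
    for label, r in (("baseline", base), ("hardened DH door", mit)):
        print(f"{label:17s} P(interrupt)={r['p_interruption']:.3f} "
              f"loss=${r['usd']:,.0f}/yr ({r['mwh']:.1f} MWh/yr)")
    print(f"ROI of $30k project: {mitigation_roi(base, mit, 30_000):.2f} "
          f"dollars of annual loss avoided per dollar spent")
```

In the baseline, the fence and DCB entrance are the only boundaries where a detection still leaves more than 8 minutes of delay ahead of the intruder, so detections at the DH and ER doors come too late and the path is interrupted 90% of the time. Hardening the DH door moves its detection point ahead of the response time, which is why a delay improvement alone raises the interruption probability to 99% and cuts both the dollar and MWh exposure tenfold. A real model would replace the fixed response time with a distribution and run the comparison across every path in the graph, but the ordering of the questions (where is the loss, which project reduces it most per dollar) is the same.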

This financial quantification of both cybersecurity and physical security risk enables a new level of decision-making for those responsible for security. This includes:

    • Which data center facility has the greatest cybersecurity risk (loss potential)?
    • Which data center facility has the greatest physical risk?
    • Should we invest more in cyber or physical security for this facility?
    • If I implement a new security mitigation project to improve X, what is the reduction in potential loss? Which project provides the best ROI?

To learn more about financial quantification of risk for Power Generation, Electric Transmission & Distribution, Manufacturing, Airports, and Data Centers, contact us at www.denexus.io and request a demo.