Net Environmental Benefit (NEB); A Data Center Metric to Satisfy Greenpeace

Environmentalists crack me up.  I dated one once when I was in the Navy.  I’ll call her Mary for the purposes of this story.   One evening during our brief relationship, I was telling Mary some (unclassified) stories about submarine life.  I casually mentioned that we spend a lot of time shooting sea slugs for practice.  Mary was shocked and appalled. 

For those of you unfamiliar with subs, when you test torpedo firing systems on a fast attack you fill the torpedo tubes with seawater and fire the “slug” of water as if it were an actual torpedo.  It’s a good simulation and completely harmless.  However, in Mary’s imagination, we were prowling the ocean floor, hunting unwary sea slugs and blowing them into watery oblivion. I probably should have corrected Mary’s thinking but it was too much fun watching her agonize over the harmless sea creatures we were cruelly using for target practice.

That should be the end of the story…but it’s not.  Mary and I broke up after a few weeks.  She didn’t seem to take it too badly at the time.  But, the next time our crew returned to port, we found flyers under the windshield wipers on every car in long term parking.  The flyers pleaded in bold letters, “Save the Sea Slugs!” and went on to describe the Navy’s cruel vendetta against harmless marine animals.  The flyer demanded that naval officials cease the caviler and unnecessary destruction of sea life.  Oh my, how we laughed!

I hoped that I was done with this type of nonsense when I left the Navy and entered the data center industry.  No such luck.  Environmentalist juggernaut Greenpeace has been after Facebook for building data centers in areas where the percentage of electricity generated by coal is too high for their tastes.  Greenpeace rallied over 180,000 followers to their “Unfriend Coal” campaign.  Never mind that Facebook’s data centers are among the most energy efficient and environmentally sustainable buildings ever built.  Never mind that Facebook has shared every efficiency strategy that they employed through the Open Compute project. As a result of Open Compute, the entire data center industry has been able to achieve a more efficient posture.

Facebook has not been the only data center to draw fire from Greenpeace.  Greenpeace has also targeted Apple’s data centers.  Never mind that the Apple data centers are marvels of energy efficiency and sustainable design.  Never mind that Apple is building the largest end user owned solar array in the country at their Maiden, NC data center.  Never mind that Apple is also building the largest biogas/fuel cell installation (outside of utility) in the US at the same data center.  The commitment to the development of green/alternative energy technology demonstrated by Apple is unparalleled.   

In Greenpeace’s misguided and myopic view, data centers consume large amounts of electricity and are therefore bad.  The reality is that these facilities are on the bleeding edge of energy conservation and sustainable design.  These data center are monuments to the fact that the companies that built them and the data center industry as a whole cares deeply about conservation is actively advancing building efficiency to staggering new levels.    

Greenpeace is also missing the big picture at an even more profound level.  Environmentalists should actually applaud the construction of data centers.  Here’s why; data centers are built and applied to existing business models because data center technology provides a business delivery efficiency improvement over the previous business paradigm.  These improvements in business delivery efficiency (usually) result in a net environmental benefit. 

For example; Facebook builds a bunch of data centers and suddenly 800M people share 60B photos online.  As a result, the kiosks, drug stores and grocery stores that used to process film and print photos on paper see that business almost completely disappear.  The home photo printer industry also flattens and begins to decline.  That’s a massive business delivery paradigm shift.  Digital photo sharing on this scale is only possible by applying data center technology.  Now, imagine the net environmental impact of all of those people NOT driving their film or memory card to the store, NOT consuming photo developing chemicals, NOT mailing pictures to relatives, NOT purchasing replacement ink for their printers.  How many miles were not driven?  How many toxic chemical not used?

Amazon is another great example.  Brick and mortar book stores and print media in general are in decline.  Amazon built a more efficient business model to deliver that content to readers.  That business model was enabled by the application of data center technology.  Again, how many miles to the book store were NOT travelled?  How many buildings NOT constructed?  How many trees were NOT felled for their paper?

Both of these examples only scratch the surface of the net environmental benefit enabled by data center technology.

What the data center industry (and the companies that use the technology) need is a new metric.  I’ll call it Net Environmental Benefit (NEB).  NEB will encompass all of the benefits that are enabled by data centers and boil it down to handy three digit integer in units of megatons of carbon.  It will be a bear to calculate but next time the Greenpeace nitwits start protesting, Facebook can roll out its astronomical NEB and squash them with it.

A novel approach to data center staffing

Equipment failures in data center environments never happen at opportune times.  For example, your UPS isn’t likely to fail at 2:00 in the afternoon on a Tuesday when everyone you need to respond to the causality is conveniently in the building.  Unfortunately, Murphy’s Law demands that failures will occur at the worst possible time.  Calamity invariably strikes when critical personnel are vacationing, snug in their beds or hopelessly bogged down in cross town traffic. 

This unfortunate (and statistically improbable) truth is one of the reasons the Uptime Institute’s Tier Standard: Operational Sustainability requires 7×24 staffing for higher Tier Level data centers.  In order to achieve true high uptime, personnel often need to take immediate, appropriate action.  Having key personnel respond to alarms by getting in their cars and driving to the facility just doesn’t cut it and is not a recipe for maximum uptime.

True story; a single-shift data center I worked with was struck by a midnight critical power failure during a severe ice storm.  The facility manager tried to drive to the data center but ended up sliding off an icy road and into a ditch.  The brave facility manager tried to talk a security guard through transferring critical power to an alternate source via cell phone as paramedics loaded him into the back of an ambulance.  Needless to say, the facility was dark for a painfully long time on that night.

Unfortunately, around the clock data center staffing is an expensive proposition.  Most staffing models require at least seven people to safely staff a 7×24 data center.  (With a staff of seven you will still have coverage gaps related to vacations and sick days.)  When you factor burden rates for seven well trained data center engineers, 7×24 staffing can easily exceed $1M/year.

Many data centers find these costs prohibitively high and look for ways to have key personnel handy at a reasonable price.  For example, the data center that experienced the ice storm now puts key personnel in nearby hotels when there’s a threat of inclement weather.  Since only a portion of data center failures are weather related, this strategy is a half step at best.

A few data centers in Europe have found a novel way to tackle the issues of having critical personnel around when they are needed.  London based data centers are anticipating a perfect storm of high data usage, paralyzing gridlock and unprecedented strain on electrical transmission infrastructure during the upcoming Olympics.  In order to ensure that key personnel are not stranded opposite a wall of tourists and sports fans, colocation provider Interexion has purchased a number of sleep pods and placed them in the data center.

Photo: Interexion

Interexion is not alone in adopting this strategy.  PodTime, the manufacturer of the sleeping pods is reporting that they have sold 19 units to 3 colocation providers since February of this year.     

These pods look pretty comfy to me.  However, I spent months on end sleeping in considerably closer quarters aboard US Navy submarines.  What I’m wondering is where these guys clean up.  Fortunately, there are probably emergency safety showers in the battery room.  Seems reasonable to me.  But then, I’ve showered under considerably worse conditions too.  ;0)  Would you sleep in a pod for your data center?

Cyber Security for Data Center Infrastructure Webinar

I’ll be speaking at AFCOM Data Center World in Vegas next month.  If you can’t make it to Vegas (or you simply can’t wait to hear me talk about cyber security) please join the FREE Meet-A-Speaker Webinar.

I’ll be discussing cyber weapons that target ICS/SCADA systems and their potential to disrupt data center infrastructure.

Details and registration information can be found here.

Some of the information I’ll be covering can be found in my blog post on this subject here.

Hope you can make it!

AT&T Announces New Construction in NC Data Center Cluster

On Wednesday, AT&T announced plans to build a 900,000 square foot data center facility in Cleveland County, NC. 

I’ve posted a number of times on activity in the North Carolina data center cluster.  AT&T will be joining a distinguished roster of data centers that have decided to set up shop in North Carolina.  The list includes; 

  • T5 Data Centers (Wholesale data center provider)
  • Wipro Infocrossing (Managed services and cloud provider)
  • Disney
  • Google
  • Facebook
  • Apple
  • Cisco
  • EMC
  • American Express
  • NetApp
  • IBM

Why all the data center construction in North Carolina?  A number of factors make this area a prime location.

  • Utility incentives friendly to data centers
    • Electricity is cheap, cheap, cheap!  (3.9-4.6 cents/kw-hr)
    • Electrical grid is reliable with multiple substation feeds available
    • Forward thinking utility provider Duke Energy
      • Solid long term plan for nuclear and renewable energy production
      • Industry leader in deployment of “green energy” and “smart grid” technologies
      • Waived utility connection fees
    • Fresh water is plentiful and inexpensive
    • Existing civil infrastructure require only small inprovements to support data centers (roads, city water, county water, waste water etc…)
    • Plenty of fiber. (AT&T, RST, PalmettoNet, TWC, DukeNet, Zayo & others)
  • Climate and environment
    • Cool climate is favorable to “free cooling” strategies
    • Area is geologically stable and not prone to earthquakes
    • Area is not prone to weather related natural disasters
    • Plenty of sunshine for solar.  (Apple recently announced a 20MW solar farm for their Maiden, NC data center)
  • NC government incentives friendly to data centers
    • Generous tax breaks
    • Waiving of building, zoning and development permit fees

Congrats to our friends in NC!  Another amazing win. 

Microsoft looking for data center property in Atlanta?

The Atlanta Business Chronicle is reporting that Microsoft may be scouting the Atlanta area for a new data center campus.  It appears that Microsoft is seeking 50-60 acres in the Lithia Springs area just east of downtown Atlanta. 

Lithia Springs is already home to a number of large data centers including Google, Synovus and Savvis

50-60 acres is huge chunk of land for data center development and indicates that Microsoft may be considering a very significant development in the Atlanta area.  

Important Nuclear Power Meeting Today in Atlanta

Representatives from the Southern Company are meeting with US Nuclear Regulatory Commission (NRC) officials today in Atlanta.  The NRC is expected to give its final verdict on a critical (pun intended) construction license for two new reactors at Plant Vogtle in South Georgia.

Plant Vogtle following construction

If approved, the reactors at Vogtle will be the first new American reactors in 30 years.

Protesters have started gathering outside the Federal building in Atlanta.  Fears that arose as a result of the Fukushima Daiichi disaster (follow the link for some amazing NatGeo pictures from inside Fukushima) 11 months ago are at the top of the protester’s rhetoric.  The protesters include at least 9 groups that intend to challenge the project in Federal court. 

The new reactors will be Westinghouse’s Generation III+, AP1000 design.  The long term plan for America’s fleet of aging nuclear reactors includes the replacement of the pre-1970’s era General Electric boiling water reactor design with the advanced safety and technology package found in the AP1000.  The Vogtle project will be a significant first step in the badly needed technology refresh for American nuclear power.

One would think that protesters with Fukushima fears would be eager to see these new safer reactor technologies deployed.  Even the most ardent environmentalists have started to see the light that nuclear power has advantages over fossil fuel power generation technologies.  These warming views on nuclear power have been reinforced in recent weeks by controversies surrounding hydraulic fracturing or “fracking” for natural gas and Federal roadblocks to use of oil extracted from Canadian tar sands.  

If approved, Vogtle Units 2 and 3 could be a major boon to economic development throughout the Southeastern Region.  According to Georgia Trend Magazine, “Site construction employment is expected to peak at 3,500 jobs during 2013 and 2014, with 800 new permanent employees needed to staff the new units when they begin operation in 2016 and 2017.”

In addition, the availability of plenty of electrical power will be an attractive feature for all types of industrial and commercial enterprises looking for new location.  Data center site selection criteria, in particular, values the availability of cheap, reliable and plentiful power very highly. 

Hopefully, the NRC will approve Southern Company’s construction license and the construction of Vogtle Units 2 and 3 will move forward.  This will lead to:

  • High paying construction jobs
  • Long term employment opportunities for nuclear trained personnel
  • New incentives for employers seeking to locate in the Southeast
  • A favorable environment for future data center construction
  • More reliable and safe nuclear power technology deployed in the US
  • And (of course) reduced dependence on foreign oil          

   

Digital Realty purchases another Atlanta Data Center

The Atlanta Business Chronicle is reporting that wholesale data center giant Digital Realty (DLR) has completed the purchase of “a 334,000-square-foot data center near Hartsfield-Jackson Atlanta International Airport in a $63 million sale leaseback transaction…”

DLR and the Atlanta Business Chronicle were careful not to release too many specifics about the data center.  However, if you have worked in the Atlanta data center market for any length of time you know they are probably talking about the Delta Airlines Data Center on Doug Davis Drive down in Hapeville.

According to the Business Chronicle, the seller was a ““major airline” that will continue to use 167,000 square feet of space in the building. The rest the data center facility is leased to a “leading provider of critical transaction processing solutions to companies operating in the global travel industry.””

If the acquired data center is the Delta Airlines data center, that leading provider of “critical transaction processing solutions” would be Travelport.  Delta and Travelport have shared the Hapeville data center for some time.

This acquisition should be good news for everyone involved.  Digital Realty is a top tier data center firm that intimately understands the role of data centers in the success of a business venture.  Their expertise and experience should ensure that the Delta data center is efficiently and expertly operated.  In addition, the sale of the building should provide Delta with a fresh injection of capital for technology upgrades.

This acquisition is the 3rd Atlanta data center owned by Digital Realty.  The others being:

  • 375 Riverside Dr, Atlanta
  • 101 Aquila Way, Atlanta

Digital Realty’s portfolio of properties includes nearly 100 data centers in North America and 12 more in Europe and Asia.  Their construction practice has built “over $2.5 billion in data center facilities for companies ranging in size from small collocation firms to Fortune 500 corporations.”

4 ½ Data Center Industry Predictions for 2012

2011 is finally gone and 2012 is off to a roaring start.  Here in the blogosphere the bloggers and pundits are busily making predictions about what the New Year has in store for the data center industry.  I’m as guilty as the next guy when it comes to the urge to prognosticate. And, I have a few predictions that I’m not seeing anywhere else.  In no particular order, here we go…

1.         Another Bad Year for Natural Disasters

2011 was a terrible year for natural disasters.  No region of the US was spared this year as wildfires torched the west, floods ravaged the mid-west, tornadoes devastated the south and blizzards paralyzed the North.  According to the NOAA, the US set a new record with 12 weather/climate related disasters that caused greater than $1B in damage.  Total damage from these 12 events approached $52 billion and resulted in the tragic loss of 646 lives. The previous record for billion-dollar weather/climate disasters in one year was 9, set in 2008.

Unfortunately, I’m predicting that 2012 will be just as bad.  Here are a few of my reasons:

  • The graph above indicates (to my untrained eye) a general upward trend.  Call it climate change, global warming, the Mayan end of days or the wrath of vengeful creator.  I care not.  The undeniable fact is; the planet is getting a bit pissy these days. 
  • 15 named storms are predicted to form in the Atlantic during the 2012 hurricane season (Colorado State University).  If 2011 hurricanes Lee and Irene are indicative of 2010 storms, we could be in a wet and windy hurt locker in 2012.
  • NCEP Climate Forecast System (CFS) models predict La Nina to redevelop during the fall of 2012.  This weather pattern has historically resulted in severe Pacific weather patterns and droughts in the central part of the US.
  • Solar scientists are predicting that the sun will reach a period of maximum sun spot and solar flare activity in 2012 solar maximum.  This could lead to geomagnetic storms and power failures.

Climate and weather disasters are clearly bad news for our economy, the general population and for data centers that haven’t spent enough on their electrical and mechanical resiliency.  The utilities that we all depend will be less reliable and fuel costs could soar. 

However, well prepared colocation providers and data center constructors should see steady work as companies with funded DR plans and critical infrastructure seek shelter from the storms.  Which, in turn, should help lead to…    

2.         Another big year for data center construction

2011 was a good year for the data center design and build industry.  Some of the “pent up demand” that we all talked about in 2010 finally let loose.  Data centers started popping all over the place.  Wholesale data center providers such as Digital Realty and Dupont-Fabros ramped up production and colocation providers expanded their capacity as quickly as possible.  Despite the boom in data center construction, demand outstripped supply in most markets throughout 2011.  (As I pointed out here.)

I’m predicting 2012 will be even better.  (Hopefully, wildly better!)  Cloud and virtualization technologies will continue to mature and make the “server closet” a concept of the past. Startups and SMBs will continue to turn to the waiting arms of cloud/colocation providers rather than spend their limited time and resources managing and building their own stacks of silicon.

In the consumer marketplace, data hogging services such as voice recognition, digital publishing, social media photo sharing, online gaming and music from the cloud will continue to be in high demand.  This demand in particular will result in many more of the “industrial size” data centers we saw built by Internet titans like Amazon, Google and facebook in 2011.

Data center construction will be good here in the States.  However, our growth will be dwarfed by activity emerging markets.  As Christian Belady points out in this graph, the global data center market will grow vastly faster than the US and European markets.  Look for activity in China to skyrocket.

 

3.         Increase in cyber attacks on critical infrastructure

Cyber attacks on infrastructure of national significance will be a major concern.  The Stuxnet worm demonstrated that a hacker could cause catastrophic physical damage to critical infrastructure from the comfort of his desk and with complete anonymity.  Unfortunately, the technology that enabled Stuxnet has started to proliferate and new malware has already been found that exploits similar vulnerabilities. 

Cyber criminals and other bad actors have started turning their attention toward the possibilities for mischief in the rich and untapped fields of Industrial Control Systems (ICS).  Cyber weapons have that exploit weaknesses in the ICSs that manage vital systems such our power grids, water supplies and chemical plants will proliferate and increase in potency.

Fortunately, I predict that the US power grid will remain safe.  Our water supply needs work but will probably remain secure as well.  However, facilities that utilize ICS-SCADA technology and are not currently implementing security measures may have a serious problem.  If you don’t think that data centers fall into that category, please see my article on the subject.  (Even better, come hear my presentation on the subject at AFCOM Data Center World in March 2012.  Vegas Baby!)    

4.         Data center efficiency efforts will shift from facilities it IT

In the last 10 years, the concepts of energy efficiency and sustainable design have gone from completely inconsequential to completely consuming in the minds of data center professionals.  You can’t pick up a trade magazine or swing a cat in a data center conference without hearing some pitch about green data centers. 

When smart people focus on an issue, smart ideas are generated. When the data center industry started focusing on energy efficiency, astounding and innovative ideas became reality.  As a result, average data center PUE went from near 2.8 in 2000 to near 1.4 in 2011.

A few deeply committed (and deeply funded) data center companies have started hitting average PUEs around 1.14.  I predict that these amazing efficiencies are close to the end of the path for data center electrical and mechanical energy efficiency.  It may be possible to shave a few more hundredths off but the cost of getting there makes it a losing proposition from a business standpoint.    Google senior director of data center construction Joe Kava calls it the asymptotic range, the “point where it (PUE) is flattening out” meaning the gains are becoming smaller and smaller.

In order to continue to drive additional efficiency into data center operations, data center energy efficiency programs will shift focus from facilities to the IT side of the data center.  End users will demand more efficiency from server and chip manufactures. We will see:

  • Server utilization will become a larger topic. 
  • Data center analytics will enable the identification of underutilized and “Zombie servers”
  • New data center efficiency metrics will be launched that measure the effectiveness of a data center’s server utilization
  • New server architectures based on energy sipping ATOM and ARM chip technology will gain market share
  • Promising advances will be made in the area of Near Threshold Computing (NTC)

4½          Cuba emerges as the Technology hub of the Caribbean, Central and South American markets.

This is my bold, and thoroughly baseless, prediction for 2012.  It’s so bold and baseless that I’m only counting it as half a prediction.  (ala Jeffery Gitomer

This year will see the end of the Castro regime in Cuba.  Capitalism and technology will move in swiftly as soon as Fidel exits stage left.  I expect Equinix and QTS construction in Havana before the end of the year.  Demand for managed/cloud services from the new Cuban casinos, resorts and business will be the spark that will eventually transform Havana into the Silicon Valley of the Caribbean, Central and South American markets. 

There you have it; 4 ½ predictions for 2012.  (I wish I could have come up with a nice round number like 10 or even 5.)  Overall, I am confident that we will continue to see fantastic growth in the data center industry.  I also expect that growth to be fueled by innovative and unexpected feats of engineering and technology.  Now get out there do smart stuff! 

Happy New Year and may you all prosper and find adventure in the days to come!

Peak 10 Breaks Ground On New South Florida Data Center. A Word About Data Center Standards and Compliance

Data center hosting and cloud services provider Peak 10 has broken ground on a new data center in Ft. Lauderdale, FL.

Some of the vital statistics on the new facility include:

  • Peak 10’s 22nd data center
  • 11,000 square feet (Peak 10’s presence in south Florida will total 33,000 square feet.)
  • Multiple levels of security
  • Uninterruptible power
  • HVAC systems
  • Fire suppression
  • Around-the-clock monitoring and management.
  • Interconnected with Peak 10’s private network
  • SSAE 16 and PCI compliant

For those unfamiliar with SSAE 16, this is the new version of SAS70.  For those unfamiliar with SAS70, SAS 70 is an auditing standard that was developed by the American Institute of Certified Public Accountants (AICPA).  SAS 70, when applied to data centers, demonstrates that the data center operator has adequate controls and safe guards in place to host or process data related to their customer base. SAS 70 is not a certificate, but an opinion on the nature of those controls.

SSAE 16 is becoming a pretty big deal in the data center hosting industry.  It should provide Peak 10 with a competitive advantage in the marketplace for a couple of reasons;

  • The south Florida hosting industry caters to businesses located in the Caribbean, Central and South America.  SSAE 16 is an internationally recognized standard.
  • SSAE 16 is especially important to the healthcare, insurance and financial services industries.  You can’t swing a cat in South Florida without hitting a healthcare, insurance or financial services firm.

The Peak 10 data center will also be PCI compliant.  The Payment Card Industry (PCI) Security Standard is another important standard for financial services, e-commerce and retail industries.  This is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, ATM, and POS cards.

The Peak 10 corporation is also compliant with a number of other important standards including:

  • Sarbanes Oxley (SOX)– A Federally mandated accounting standard important for auditing of publicly traded US companies.
  • HIPAA/HITECH– A Federally mandated standard that addresses the privacy and security concerns associated with the electronic transmission of health information
  • Gramm-Leach-Bliley (GLBA)-A federally mandated standard that is important to commercial banks, investment banks, securities firms, and insurance companies.

The Florida data center is one of many growth moves announced by Peak 10 in 2011.  Others include completion of data centers in Nashville, TN and Louisville, KY and ground breaking in Nashville, TN.

Congratulations to the good folks at Peak 10 for quickly becoming a major player in the Southeast data center hosting and cloud marketplace.

 

 

The Threat of Cyber Attacks on Data Center SCADA Systems

Earlier this year, shortly after the discovery of the STUXNET cyber weapon, I wrote an article for Mission Critical Magazine (MCM) titled, “The SCADA Worm Threat to Mission Critical Infrastructure”.  In the article, I explained how STUXNET had demonstrated a new and profoundly dangerous threat to Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition).  I urged the data center community to recognize that data center electrical and mechanical infrastructure is potentially vulnerable to this type of cyber attack.  Furthermore, I warned that data centers can be very enticing targets for criminals, terrorists and foreign nationals utilizing cyber weapons.  I predicted that SCADA cyber attacks in general would become more common and that data centers could become targets for data theft, extortion and sabotage through their SCADA systems.

Since the release of the article, a number of trends have reinforced my view that SCADA systems are becoming increasingly vulnerable.  Events of concern include:

  • Proliferation of STUXNET SCADA worm technology.  On September 1, 2011 a new SCADA worm, dubbed Duqu, was discovered.  The Duqu worm bears close resemblance to the STUXNET worm in complexity, design and execution.  However, Duqu was configured for a completely different (and currently unknown) target.  Initial analysis indicates that Duqu may be designed to steal data as a precursor to a STUXNET type cyber attack.   The similarity to STUXNET indicates that Duqu’s designers either designed STUXNET or had access to the STUXNET source code.
  • Rise of hactivist interest in ICS cyber attacks.  In September of 2011, a US Department of Homeland Security (DHS) bulletin provided evidence that the hacking collective “anonymous” “had recently expressed an interest in targeting industrial control systems (ICS).”  It is doubtful that anonymous will have the capacity to execute a STUXNET level cyber attack in the near future.  However, their interest in exploiting ICS technology is indicative of an increase in awareness and activity within the hacking community regarding ICS systems.
  • SCADA hacking malware (almost) demonstrated at TakeDownCon In May 2011, security researchers from NSS Labs were planning to demonstrate how to write “industrial-grade” SCADA malware at a Dallas information security conference.  The researchers claimed, “We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state.”  SCADA manufacturer Siemens and the US Department of Homeland Security requested that the researchers not continue with the demonstration citing public safety concerns.  The NSS Labs researchers complied with the DHS request.
  • Additional SCADA vulnerabilities made public.  In March 2011, security researcher Luigi Auriemma posted full-disclosure advisories and details regarding proof-of-concept attacks for thirty five new SCADA vulnerabilities.  Auriemma posted these to the publicly available securityfocus.com (Bugtraq), an open bulletin board for Symantec customers, end users, developers and partners.
  • Powerful SCADA Hacking “Toolkit” released.  In March 2011, Gleg, a Russian security firm offered for sale a software package known as The Agora SCADA+ Pack.  The software contained 22 modules exploiting 11 zero-day vulnerabilities.  The pack included data applicable to a wide variety of SCADA system manufacturer’s devices and software.  The package also allegedly contains analysis of SCADA system “weak points” such as hard-coded passwords and problems with smart chips.

Clearly, cyber criminals are beginning to focus their attention on SCADA systems and are busy developing new exploits and malware

The vulnerability of SCADA systems represents a particularly grave threat to infrastructure of national significance.  Vital infrastructure such as electrical grids, refineries, water treatment plants and chemical processing plants rely heavily on ICS and/or SCADA.  The consequences of a successful cyber attack on this infrastructure are potentially dire.  Fortunately, some national governments have recognized that the SCADA cyber vulnerability represents an emerging threat to national security and have taken steps to close security gaps.   The US Federal Government, for example, has launched extensive cyber security initiatives and programs to address vulnerabilities in our national infrastructure.  US-CERT, a division of the US DHS, has become one of the world’s leading cyber security organizations.

SCADA systems are not limited to industries of significance to national security.  In fact, variations of these systems can be found in nearly every industrial and commercial environment.  Data centers are no exception.  Most commonly, data centers utilize SCADA technology to control the automated functions of their critical electrical switchgear.  Switchgear in these facilities usually feature multiple, redundant power paths to allow for maintenance and to provide operational resilience in the event of a system component failure.  In order to function effectively, this type of switchgear must monitor system conditions such as voltage, amperes and frequency.  If one of the monitored parameters falls out of a preset tolerance band the switchgear automatically performs an action or series of actions to correct the abnormal condition.  For example, in the event of a loss of mains power to the switchgear, standby generators start and a number of circuit breaker position change in order to deliver generator power to the critical load.  The system of sensing devices, Programmable Logic Controllers (PLCs), and computers that monitors and controls the switchgear is known as SCADA.

For many years, data centers and other users of SCADA systems operated without significant threat from hackers, malware and cyber criminals.  These systems benefitted from a flawed security principle known as security through obscurity or hiding in plain sight.  SCADA systems utilize communication protocols (for example MODBUS) that are not widely known by hackers and malware developers.  Furthermore, the systems monitored and controlled by SCADA are often extremely complex and require extensive training to understand and operate.  It was considered unlikely that an intruder in the system would have the engineering knowledge needed to effectively infiltrate the system and cause lasting damage.  These system characteristics amounted to a degree of obscurity that did not seem to require extensive cyber security.

The security of SCADA systems also benefitted from a persistent question of motive.  Hackers and malware are typically associated with the theft of sensitive corporate secrets, personal information or financial data.  This type of data is not stored in Industrial Control Systems.   Thus, ICS manufacturers and operators assumed that their systems would not be hacked because they contained no data that might justify the work required by a hacker.

Additional security was assumed because SCADA systems are not typically connected to the Internet.  However, these systems are routinely accessed for software upgrades, data exports and system configuration changes.  Additionally, many SCADA systems share network infrastructure with other corporate networks.  This practice allows the SCADA system to share data with other corporate assets and avoids the cost of a separate, dedicated network for the SCADA system.  However, these practices compromise security integrity for these systems.

Given the assumed security through obscurity, the lack of traditionally targeted data content and the lack of direct Internet connection the primary security threat to SCADA systems appeared to come from accidental misuse by poorly trained operators or deliberate misuse by disgruntled employees.  The solution to this type of security problem consisted of restricting access to the SCADA controller using rudimentary (usually default) passwords and physical security.

In 2010, the appearance of STUXNET shattered the illusion of security for operators of SCADA systems.  The STUXNET cyber weapon was a piece of malware (specifically a worm) which was engineered to target a uranium purification facility in Iran.  The STUXNET worm utilized USB drives and autonomous replication capability to infect the SCADA system in the highly secure facility.  The systems were infected despite the fact that they were not connected to the Internet.  Once inside the system, the malware cunningly hid itself in system memory, reprogrammed Programmable Logic Controllers (PLCs) and sent false data to the system SCADA controller or Human Machine Interface (HMI).  The new PLC programming caused momentary speed changes in the high speed uranium purification centrifuges in use at the facility.  These speed changes had the combined effect of rendering batches of purified uranium unusable and causing catastrophic physical damage to the centrifuges.  The net effect of the attack was to set the Iranian nuclear power program back by years.  When the worm was finally discovered months after its payload was delivered, the international cyber security community promptly labeled STUXNET a “game changer” and the first “cyber super weapon”.  

For the first time, malware had been successfully deployed against a SCADA target and caused catastrophic physical damage to the controlled system.  Clearly, the obstacles of obscurity and complexity could no longer be counted on to keep SCADA systems secure.  The creators of STUXNET had demonstrated that these obstacles were irrelevant to highly motivated and educated malware developers.  Clearly, a lack of Internet connection could no longer be considered adequate protection for SCADA systems. Trojans, worms and other malware can infect SCADA systems via secondary network connections and via devices used to perform necessary maintenance tasks.  Clearly, the question of motive was answered.  SCADA technology had been adopted by so many critical industries that abundant motive could be found to justify building the tools needed to crack these systems.

The complexity and sophistication of the STUXNET worm indicated that it was the work of a national intelligence agency.  However, many cyber security professionals began discussing the longer term ramifications of the existence of such powerful SCADA worm malware.  Drawing on their experience with the development and spread of conventional worms and viruses, experts warned that now that this type of weapon had been deployed, the techniques and source code would be replicated and repurposed by a widening array of cyber criminals.  Because SCADA technology can be found in nearly every industrial environment and because these systems usually lack even rudimentary cyber security features, experts warned that attacks on these systems would quickly become commonplace.

Some cyber professionals argued that operators of SCADA systems that are NOT part of the national infrastructure are actually at greater risk than targets of national security significance.  Ralph Langner (the man who “solved” STUXNET) of Langner Communications, warned that cyber criminals using SCADA worm malware would avoid public infrastructure targets in favor of poorly protected private enterprises with sizable financial resources.  Langner predicted, “The next cyber weapon will be considerably cheaper, since much of the attack vector and the specifics of how to use automation equipment will simply be copied.  Sabotage with the motivation of extortion will get a commonplace scenario.  At this time targets are no longer limited to critical infrastructure but will especially cover the private sector — a TARGET-RICH AREA where it cannot be assumed that organizations will install countermeasures large scale in a reasonable amount of time.”

Fortunately, some private industries are actively hardening their SCADA infrastructure against cyber attack.  Many electric utilities, chemical manufacturing plants, water treatment facilities and oil & gas infrastructures, at the urging of the U.S. Congress and in cooperation with agencies such as US-CERT, have taken many steps to secure their systems.  In addition, a number of professional cyber security firms have emerged to specifically address SCADA vulnerability for these industries.  However, the data center industry has largely been slow to implement meaningful security measures.  Ironically, an industry that is profoundly conscious of the cyber security threats aligned against the IT assets on the raised floor seems to be unconcerned regarding the security issues relative to the SCADA in the facilities space.

In the current political and cultural climate there are a variety of groups that may develop the motive and skill to target data center SCADA infrastructure for cyber attack.  These groups include:

  • Nations engaged in cyberwar.  In 2007 a Blue Horizons paper, titled, “State Actor Threats in 2025” was prepared by the US Air Force.  The paper identified a number of scenarios that could threaten the United States in the future.  The scenario with “the highest potential for a state actor to inflict catastrophic damage to the US” is known as Phantom Menace.  In this scenario, cyber attacks are used, “against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis.”  Each of the targeted infrastructure assets identified could be crippled by attacks that shut down the data centers that control those industries.
  • Corporations and nations engaged in industrial espionage.  In 2010, Google revealed that for the second half of 2009 it had been under constant cyber attack.  Security professionals at McAfee named the attack Operation Aurora and identified the attacks as an advanced persistent threat (APT), (a classification of attack that also includes the STUXNET malware.) Google indicated that the cyber attack originated in China.  Operation Aurora was not limited to Google assets but also included assaults on other major American companies.  Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanleyand Dow Chemicalwere also among the targets.  In an era where state actors can attack public companies using cyber weapons, it is not inconceivable that data center infrastructure could be jeopardized.  Nations and companies could gain competitive advantage over their adversaries by disrupting operations at their data centers.
  • Cybercriminals targeting data center infrastructure for purposes of extortion.  As Ralph Langner pointed out, malware has become a common weapon used by criminal organizations.  As SCADA cyber weapons proliferate, it is expected that the technology will find its way into the hands of criminals that will use the technology to extort funds from corporations.  In my article in MCM, I outlined a possible scenario where a SCADA worm could be used to destroy an emergency generator at a data center. The damage would be followed up with a threat of more damage unless a hefty extortion threat is complied with.
  • Social activists seeking to disrupt credit and banking infrastructure.  The news during the autumn of 2011 was dominated by stories of “Occupy” protesters in major American and European cities.  Fortunately, these protest groups lack a cohesive political message or effective leadership.  However, these groups represent a general rise in antipathy toward banking and commerce organizations.  A cyber attack on commerce infrastructure such as a stock exchange or credit card processing data center would meet the apparent aims of these groups.  The Occupy protesters may find support for such an attack from environmental activists who view data centers as major consumers of “dirty” electrical energy.

The trend regarding SCADA attacks is clear.  The weapons used to perpetrate these attacks are becoming more widely spread and more powerful.  Simultaneously, the expertise and techniques required to successfully deploy these weapons is becoming more common.  Finally, the number of groups that could benefit from deploying one of these weapons against a data center is increasing.  Each of these trends points toward a bleak future for the unprepared data center.