Friday, October 22, 2021

Data centers are critical infrastructure, and need to be regulated as such


Nextgov ran an excellent article last week pointing out that data centers are very dependent on OT (especially power and cooling systems), even though the systems running in those data centers are all IT systems. The lesson I drew from the article (although it wasn’t stated in these terms) was that not only are data centers critical infrastructure, but their OT side should be regulated as critical infrastructure. In other words, while I don’t think critical infrastructure regulations should be applied to the IT systems in the data centers, they should be applied to the OT systems that keep those IT systems running.

There’s another relevant lesson that the US learned the hard way this year: OT systems aren’t limited to a bunch of strange-looking devices that run an OS you’ve never heard of (or, in some cases, no OS at all) and speak networking protocols you’ve never heard of. As the Colonial Pipeline attack showed, and as a 2018 ransomware attack on a large US electric utility also showed, a serious attack on IT can shut down systems that are critical to operations, forcing the OT network to be shut down as well. In Colonial’s case the OT network was not reported to have been infected at all; the company halted pipeline operations as a precaution after the ransomware hit its IT systems, which is exactly the point.

So any system that supports the operations of a critical infrastructure provider – whether a pipeline, a utility, a key software supplier like SolarWinds, a cloud services provider, a data center provider, and no doubt other industries – should be in scope for critical infrastructure regulation. That includes systems that aren’t OT systems at all, like the commodity x86 servers running Windows and Linux in the electric utility’s control centers discussed in the link above. All of those had to be shut down in 2018 because of a devastating ransomware attack on the utility’s IT network, even though they themselves weren’t infected by the ransomware. (Control centers in electric utilities are already subject to NERC CIP compliance, and it could certainly be argued that the CIP requirements are aimed much more directly at IT-type systems in control centers than at OT-type systems in substations and generating stations.)

I define critical infrastructure systems as those that are necessary for the smooth and continuous operation of critical processes – large scale data processing, production and delivery of electric power, etc. Both IT and OT systems can be critical infrastructure systems. In my opinion, all critical infrastructure systems should be regulated.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

