Partner POV | Cybersecurity in Data Centers: The Critical Role of Rack PDUs
In this article
Article written by, Justin Blumling, Technical Sales Engineer, Panduit.
In a hyperconnected world, cybercrime seems to be a daily news topic. Over the years, I have been the recipient of several letters from companies entrusted with my personal data, only to hear my information was compromised by a network breach. My mortgage servicer reported $2.4 billion in revenue in 2022; however, this size and sophistication didn't stop my name, address, social security number, bank accounts and transactional history from falling into the wrong hands.
As criminals progress from personal data to enterprise stakes, a data center presents a worthwhile target. Nearly every operational technology in a data center has been digitized and networked. The wrong person with the right access could open a breaker, close a damper or change a thermal setpoint. Every networked device including power, cooling or otherwise requires vigilance against compromise.
The past has shown that any network device can be a future target, and the rack power distribution unit (PDU) is one of highest value targets in data center infrastructure and the last mile in the data center power chain.
Rack PDUs are commercial power strips that provide electricity to servers. There are different families of PDUs and each has a different level of intelligence. The most popular variety is a switched PDU, which allows users to control individual power outlets (turn on, off, reboot). This control is desired for convenience, such as rebooting an unresponsive device that may be hundreds of miles away or enforcing deployment rules (getting approval from an administrator before plugging in a server). However, without proper authorization and control of switched PDUs, there is a tangible risk to operations. For an enterprise, the interruption of transactions or client-facing applications is often mentioned in thousands of dollars per minute. Should a criminal achieve this access on a PDU, their leverage would be considerable.
How can users balance the functional convenience of a switched PDU with the risk of unauthorized use?
Here are some actionable steps:
The Critical Role of AAA Security Framework
Authentication, Authorization, and Accounting (AAA Security Framework): While this framework is long established, it can occasionally fail to trickle down to operational hardware like rack PDUs. While organizations must push adoption to these devices, the rack PDU supplier must support the popular AAA protocols, including LDAP and Radius. Both LDAP and RADIUS can facilitate Role-Based Access Control (RBAC).
Calls and interactions with the PDUs API, if deployed, should be equally authenticated and secure.
Ensuring Security and Code Integrity for Rack PDUs
Code Integrity: Users should require PDU vendors to demonstrate firmware integrity. Code signing is one such process that uses cryptography to verify the authenticity of firmware before it's installed, ensuring that it hasn't been tampered with.
Importance of Third-Party Cybersecurity Certifications
Third-Party Certifications: Using words like "secure" in marketing material is one thing. It's another to have this claim vetted by a neutral third party. Potential accreditations for cybersecurity review include USGv6 (for IPV6 networks), UL2900-1, and IEC 62443-4-2. This way, users can verify that the sales pitch has been independently verified.
Implementing Robust Encryption for Secure Data Transmission in Rack PDUs
Robust Encryption: Protocols like HTTPS, SSH, SNMPv3 and TLS 1.3 should be the default practice for data transmission. Users should verify that the PDU supplier supports 802.1x MIL-grade security and 256 AES Encryption.
Utilize Firmware Maintenance for Enhanced PDU Security
Ongoing Firmware Maintenance: Outdated firmware is an easy target. Updates frequently include fixes for security vulnerabilities, but firmware maintenance can be cumbersome. A given data center may have devices from dozens of manufacturers, each with its own release schedule and update nuances. While the PDU manufacturer can't do anything about the other vendors, they should recognize this challenge and make their update process as frictionless as possible. One such example is a secure, automated process in which a trusted source on the customer's network recognizes a new firmware file is available and pushes that code to all PDUs upon receiving proper approval from an administrator.
Elevating Physical Security for Rack PDUs
Physical Security: While network security is the emphasis of this piece, safeguarding individual racks shouldn't be overlooked, especially in multi-tenant environments. Rack PDUs can come with an ecosystem of sensors, including intelligent rack handles to prohibit unauthorized cabinet access and can include dual authentication protocols.
Secure Rack PDUs for Optimal Data Center Security
Without IT and servers doing the useful "work" of the data center, the millions of dollars spent on the upstream infrastructure are for naught. Millions of additional dollars could be lost if rack PDU control gets into the wrong hands. Nothing is closer to the IT infrastructure than a rack PDU. For this reason, users and their PDU suppliers must collaborate closely, with users demanding the most robust security possible, while vendors continually invest in technology and expertise to stay ahead of threats.