In addition to security at the information technology level, many IT managers underestimate the physical dangers that can paralyse the technical infrastructure in server and technical rooms and data centres.
These include, for example, smouldering fires from faulty insulation, water ingress, excessive temperature, humidity or unauthorised access to non-public areas. Often, a lack of physical protection leads to problems during the ISO 27001 audit.
We have compiled a checklist of 10 questions that IT systems in mission critical infrastructure should fulfil.
Self-test: How secure is my critical infrastructure? – 10 simple questions:
1. Is IT housed in a specially prepared server room or data centre?
Risk: Rooms for IT use should be made or adapted for the special requirements and have the following features: Fire doors and appropriate fire protection measures, secure windows, adapted electrical circuits, no water-carrying pipes, no extraneous additional uses.
2. Is the occurrence of fires reported at an early stage and can measures be taken immediately?
Risk: A large proportion of fires occur in electrical systems and equipment. These usually develop slowly through smouldering fires. Electrical distribution systems, UPS systems, air conditioning systems and power supplies are potential fire hazards.
3. If the room temperature rises, is the relevant department informed at an early stage so that countermeasures can be taken? Does the department receive real-time information about the room climate?
Risk : If the air conditioning system fails, the servers may overheat. This usually leads to a total IT failure within a short time. Other critical conditions are too high humidity or condensation after air conditioning failures.
4. Are water leaks caused by burst pipes or a defective air conditioning system automatically reported before damage occurs?
Risk: The ingress of water into server rooms due to flooding or defects in heating systems and air-conditioning units etc. can lead to a total IT failure within a very short period of time.
5. In the event of a power failure, is it known how long it will last and whether the UPS is working correctly?
Risk: In the event of a voltage failure, the UPS may unexpectedly malfunction, leading to a total IT failure. Voltage fluctuations are often also caused by industrial equipment and can lead to UPS or power supply failures. 6.
6. Have active measures been taken against break-ins and is it still possible to react immediately in the event of an incident?
Risk: Burglary or theft are the most obvious threats. Here, in addition to the physical theft of hardware, logical access and attacks can also occur. Accessible consoles represent critical points of attack here.
7. Can it be traced who was in the room, when and for how long?
Risk: IT rooms must be adequately secured against unauthorised access and this must be documented wherever possible. Very often, attacks on IT take place from within the companies themselves. 8.
8. Do those responsible receive real-time notifications at all times in the event of failures of active components or network connections?
Risk: The failure of active or passive components such as routers, switches and telephone systems can lead to massive disruptions in the IT infrastructure. System failures of several hours to days can quickly cause very large damages here. 9.
9. Are effects of human error reported automatically at an early stage and can these messages also be transmitted independently of your IT?
Risk: Incorrect operation, open windows, disregard of technical instructions, clumsy behaviour – all this regularly leads to expensive IT failures. Organisational measures help to avoid this, supported by fast and redundant notification of irregularities to several people.
10. Can events be traced and reconstructed at any time (even over several months) in order to avoid future errors?
Risk: Documentation and recording of normal and critical system states over months or years are often basic requirements of QA and certification systems. Complete documentation may relieve you of liability risks.
Dangers are underestimated, holistic solutions are easy to implement
Many municipal utilities, suppliers and CRITIS operators underestimate the physical hazards to which their critical infrastructures are exposed. In order to ensure the necessary security, scalable “all-in-one systems” are needed that can grow with the increasing requirements. However, sufficient basic protection is already possible with manageable investment and installation costs. This includes an integrated system of holistic monitoring of environmental parameters such as temperature, humidity, dew point, voltage, fire and intrusion, as well as access management with permanent video surveillance. If the components are IP-capable, those responsible can access the various areas such as access, alarm, climate, energy and video via an online dashboard and control them conveniently and remotely in real time. This means that even decentralised systems can be managed centrally with little personnel effort.