In addition to security at the information technology level, many IT managers underestimate the physical hazards that can paralyze the technical infrastructure in server and equipment rooms.

These include, for example, smoldering fires from faulty insulation that can lead to a fire, water intrusion, excessive temperature and humidity, or unauthorized access to non-public areas. The lack of physical security is also the part of the ISO 27001 audit for implementing a required information security management system (ISMS) where auditors most often find the greatest deficiencies. According to a study by Hewlett-Packard, about 77% of all companies experience system failures each year, and there are a number of reasons for them. In addition to software failures and human error, physical hazards in particular are among the most well-known causes.

We have compiled a checklist of 10 simple points that IT systems in server rooms of municipal utilities, utilities and CRITIS operators should meet.

Self-test: How secure is my critical infrastructure? – 10 simple questions:

1. Is the IT located in a specially prepared server room or a data center?
Risk: Rooms for IT should be manufactured or adapted for the special requirements and have the following features: Fire doors and appropriate fire protection measures, secure windows, adapted electrical circuits, no water-carrying pipes, no additional uses of a different nature.

2. Is the development of fires reported at an early stage and can measures be initiated immediately?

Risk: A large proportion of fires occur in electrical systems and equipment. These usually develop slowly through smoldering fires. Electrical distribution systems, UPS systems, air conditioning systems and power supplies are potential hazards for fires.

3. If the room temperature rises, is the responsible department informed at an early stage so that countermeasures can be initiated? Does this department receive information about the room climate in real time?

Risk : If the air conditioning system fails, the servers may overheat. This usually leads to a total IT failure within a short time. Other critical conditions are excessive humidity or condensation after air conditioning failures.

4. Are water leaks caused by burst pipes or a defective air conditioning system automatically reported before damage occurs?

Risk: The ingress of water into server rooms due to flooding or defects in heating systems and air conditioning units, etc. can lead to a total IT failure within a very short time.

5. In the event of a power failure, is it known how long it will last and whether the UPS is operating correctly?
Risk
: In the event of a voltage failure, the UPS may unexpectedly malfunction, resulting in a total IT failure. Voltage fluctuations are often also caused by industrial equipment and can lead to UPS or power supply failures.

6. Have active measures been taken against burglaries and can they still be responded to promptly in the event of an incident?

Risk: Burglary or theft are the most obvious threats. In addition to the physical theft of hardware, logical access and attacks can also occur here. Accessible consoles represent critical points of attack here.

7. Can it be traced who was in the room when and for how long?

Risk: IT rooms must be adequately secured against unauthorized access and this must be documented wherever possible. Very often, attacks on IT take place from within the companies themselves.

8. Do responsible parties receive real-time notifications at all times in the event of failures of active components or network connections?

Risk: The failure of active or passive components such as routers, switches and telephone systems can cause massive disruptions to the IT infrastructure. System failures of several hours to days can quickly cause very large damages here.

9. Are effects of human error automatically reported at an early stage and can these messages also be transmitted independently of your IT?

Risk: Incorrect operation, open windows, disregard of technical instructions, clumsy behavior – all this regularly leads to expensive IT failures. Organizational measures help to prevent this, supported by fast and redundant notification of irregularities to several people.

10. Can events be traced and reconstructed at any point in time (even over several months) to avoid future failures?

Risk: Documentation and recording of normal and critical system conditions over months or years are often basic requirements of QA and certification systems. Complete documentation potentially relieves you of liability risks.

Threats are underestimated, holistic solutions are easy to implement
Many municipal utilities, providers and CRITIS operators underestimate the physical threats to which their critical infrastructures are exposed. To ensure the necessary security, scalable “all-in-one systems” are needed that can grow with the increasing requirements. However, sufficient basic protection is already possible with manageable investment and installation costs. This includes an integrated system consisting of holistic monitoring of environmental parameters such as temperature, humidity, dew point, voltage, fire and intrusion as well as access management with permanent video surveillance. If the components are IP-based, those responsible can access the various areas such as access, alarm, climate, energy and video via an online dashboard and control them conveniently and remotely in real time. This means that even decentralized systems can be managed centrally with little personnel effort.