Tuesday, January 24, 2017

Internet of Things, and the CISO

With IoT Proliferation, Does Corporate Security and the CISO Need to Adapt?

By Ed Higgins


The answer to the question above in one word is: Yes.

With the many clever innovations introduced by IoT comes the need for copious amounts of creative thinking about information security strategy, in order to effectively embrace IoT while simultaneously ensuring information confidentiality, integrity, and availability.

The Internet of Things is not going away. It's much too ubiquitous and presents a great opportunity for innovation and benefits for us all (for home, for work, and for industry). I believe most Chief Information Security Officers (CISOs) clearly understand this and want to support IoT. But doing so will require clearly defined rules, appropriate controls and countermeasures, and a certain amount of legitimate paranoia.

I believe CISOs are (or should be) working actively with stakeholders within their respective organizations to fully understand the business's long-term strategy surrounding IoT, in order to adapt their policies, practices, and guidelines to embrace the benefits of IoT advancement while continuing to protect sensitive data, ensure secure operations of the business, comply with regulations, and meet the security standards and business vision already established in their companies.

In many cases, existing security policies and guidelines, at least those which are fairly modern to begin with, can be leveraged and adapted to address IoT, much the same as when the topic of "visitor wireless area networks" was among our list of challenges. But topics involving classification, data integrity, detection controls, risk profiling, impact breadth, and incident response mechanisms all have to be reworked to address the deeper and widening threat landscape. This includes addressing broader security implications now introduced by the IoT product manufacturer. Some security pros argue, and I tend to agree with them, that the number and placement of security intrusion detection and data leakage prevention systems could double or triple in complexity and volume-handling requirements due to the impact of IoT.


In a previous article entitled "IoT, When My Thermostat Becomes a Weapon", I wrote about the potential security concern when insecure IoT devices enter a home network where there also exists a VPN connection to the workplace. This could directly impact the business's security posture, since a compromised home LAN could become an attack surface through the business VPN. In talking with many CISOs during the RSA Conference 2017 (week of Feb 13 - 17), not many had even yet considered this potential risk. I believe CISOs should review their detective controls and security policy regarding VPN and home-office workers in order to ensure that adequate security controls such as strong authentication, complex passwords, and inactivity logout, as well as VPN and anti-malware tools, are functioning on the home user's PC.

Additionally, many IoT devices are created by new startup product businesses, or even by crowd-funded operations whose primary objective is to produce very cool stuff fast. It is crucial, I believe, that we evaluate and scrutinize the security postures and data management practices of the IoT product companies, since they essentially become a potentially risky extension of our corporate security landscape.

I hope you enjoyed this article.

Stay tuned, and stay safe,

Ed

Monday, January 23, 2017

IoT: When my Home's Thermostat Becomes a Weapon



By Ed Higgins
January 23, 2017
As I consider the Internet of Things (IoT), I think of things like smart-watches, internet baby cameras, home thermostats, and other neat technologies. I recently pondered a broad range of security concerns and thought it might be fun to explore these questions a bit further and share some thoughts and suggestions. 

What's the security situation with all my cool gadgets? 
My home's thermostat is smart and connected to the Internet. This gadget is a wonderful innovation and part of the virally expanding portfolio of Internet of Things (or IoT) devices. You all know about these, and likely have one or many in your own home or apartment. In fact, industry studies suggest that each person on the planet will own at least five IoT gadgets by 2020. 
My thermostat allows me to alter my home's temperature and check the current settings from the convenience of my cell phone. All cool (pun intended), right? Well, this convenience raises some important secondary concerns and a completely new set of questions. But hold these particular thoughts for a minute. A smart thermostat is technically a system, complete with an operating system, a wireless network interface, and the ability to control another system, and it offers configurable settings (schedule, override, notifications, etc.).
With an operating system, one must safeguard the OS against unauthorized access, rootkits, and malware infiltration, which can infect the system and alter its intended behavior.
With a wireless network interface, one must deny access to outsiders or bad actors. In the case of a wireless network, let us not forget that a bad actor could hijack your thermostat from the seat of their car parked outside your house. However, a bad actor would more likely gain access via the internet, either through a poorly configured firewall (or no firewall), or via open insecure ports on an internet router. Quick question: when was the last time you logged into your Internet router and checked its settings? Thought so. Regardless of the method a bad guy may use to get into your local area network (LAN), he or she being there is not good. Once on your LAN, the bad actor can and will discover every vulnerable device and shared file on the LAN, including any VPN connections to your employer, the latter of which raises some distinct problems and liabilities for both the employee and the employer.
With a device that can control another device, one must understand the downstream devices that can be controlled by the IoT device (aka, the furnace/AC controlled by the thermostat) and that compromising the controlling device (aka, the thermostat) gains immediate access to control any downstream controlled device (aka, the furnace/AC system).
With a device that has alterable settings (a configuration table, so to speak), one must safeguard the table from unauthorized alteration. But there's one challenge with safeguarding these settings on many IoT devices. The last time I checked my thermostat there was no password protection. Thus once I connect to the thermostat, I can change any setting without challenge.
Now, let's come back to the point I asked you to hold onto: the cell phone app that allows me to control my thermostat from afar. Yes, there is a third-party involved between me (my cellphone) and my thermostat. It's the thermostat manufacturer's service that connects us. In principle, my thermostat connects to the manufacturer, and my cell phone app connects to the same place, and we're matched by a lookup code that associates us.

What about the thermostat manufacturer?
The manufacturer's security infrastructure surrounding this "meeting place" becomes one of the most critical components in the mix. I guess I really need to trust my thermostat manufacturer, right? Have they designed reasonable security into the product? Do they have security personnel dedicated to the job and constantly monitoring and testing the environment? Have they secured their product development networks and customer-portal networks? Lots of questions, few answers come to mind.
A commercial product manufacturer's network will likely be more secure than most home wireless networks. But it's important to know that we as consumers become completely and immediately reliant upon the security that the manufacturer has designed into their products, and upon the layers of security they have implemented within their networks to protect their thermostat (or whatever product) from being infiltrated by an outsider.
I don't think very many consumers pay much attention to this aspect of certain IoT devices, likely because coolness sometimes overrides the messy topic of security. If you think about how rapidly brand new IoT technologies and start-ups come onto the scene, you have to wonder: have they really implemented a secure infrastructure and hardened their products and services to adequately protect your data and your network? I don't know about you, but this makes me wonder.

So What Could a Hacked Thermostat Do Anyway?

What if my thermostat manufacturer's system or network is hacked? Millions of subscribers' thermostats (or worse, the downstream controlled furnace) could all be compromised as a result. What if a bad actor were to alter the temperature in every smart thermostat to the maximum possible setting (say, 99 degrees) and leave it there until you pay the ransom? A team at DEF CON demonstrated this very scenario just this past summer. Or, what if a bad actor compromised all thermostats to initiate a massive distributed denial of service attack on another victim, perhaps a targeted business, or Internet DNS servers (which actually occurred very recently)?
If this attack was for the purpose of a ransomware scenario, then the sure-fire home solution is to simply shut off the thermostat and replace it with a different device or a non-tech variant. This eliminates the problem entirely. But this fix is not as easily accomplished in commercial businesses or hospitals, where the complexity and impact is far greater.
What if all the smart thermostats turned on all furnaces at the same time? Could this cause a significant measurable drain on our electrical power grids? Perhaps not so much at the present time, because not every home has a smart thermostat, nor are they all the same brand of smart thermostat. But given the time and the motive, the capability definitely exists for a bad actor to infiltrate a broad range of smart thermostat brands, business HVAC systems, and other targets, and create a coordinated attack through exploitation of many brands of thermostats and smart devices. This would become a new type of attack, and certainly one that could be categorized as being among the aspirations of nation state bad actors rather than being attributed to an individual bad actor.
There are things about things that we just don't yet know.
All these "what-ifs" could actually occur. And, over time, they will in one form or another.  

So, Could My Thermostat Steal My Data? Actually, yes.
There are additional concerns besides using thermostats as ransomware devices, or as "mules" in a distributed denial of service botnet attack against a 3rd party. What if a bad actor hacked the thermostat manufacturer's network and introduced a malicious thermostat OS update with the ability to steal data from devices on your LAN, or the ability to spread malware to them?
Perhaps a bad actor configures the hacked thermostat to function normally but with an additional malicious feature. What if a hacked thermostat were to become a data leakage device sitting inside your LAN with the sustained ability to forward every piece of electronic data from every device on your LAN (your PCs, your file shares, your media devices, etc.), sending it all to a malicious site somewhere in the ether? This type of attack may not need to steal data very quickly, but could go undetected for weeks or perhaps months or years as it siphons data in bits and pieces in a sustained attack. While the latter type of attack is a bit more sophisticated in its approach, the operating system and technology present in many small micro-controlled systems (e.g. Linux and Java) could make the smart thermostat a formidable place for such an attack to begin.
In a similar manner to the hacked thermostat, what if the bad actor replaced the respective cell phone app with a malicious version, with the ability to harvest all your contacts, credit card info, and other sensitive data stored in your cell phone?
When you think about this, and use your imagination, the possibilities along with the potential nightmares are endless.

My Home's LAN is not that interesting to a "bad actor", Right? Wrong.
Actually, your home network is pretty interesting to bad actors. Home local area networks are changing in many ways. With more connected devices such as IoT devices, increased data storage devices (local and cloud connected), and media sharing devices, your network is a very interesting place. Home network Internet connection speeds have dramatically increased to impressive levels, thanks to powerful fiber optics and advanced consumer bandwidth plans that rival many commercial business networks. Most home networks today boast extremely fast download connection speeds (in many cases greater than 100Mb). More importantly for data theft, they boast the same high-capacity bandwidth for uploads as well. Thus, the home owner's local area network may have 100Mb or greater down/up with very little security beyond the Internet router. Unlike commercial business networks, the home network typically does not employ advanced security perimeter controls such as intrusion detection systems, data leakage prevention, and enforced access control policy mechanisms. This is why it is an attractive place for bad actors. In other words, once a bad actor gets access past your cable router, they would potentially have access to a wide open network, complete with an extremely fast Internet connection, which they could establish as a beachhead to launch other attacks, and attack you.
Think of the many hundreds of millions of home networks out there for a bad actor to choose from, most of which are wide open territory. Now think of the volume of IoT gadgets out there. Early predictions regarding IoT growth reveal that the number of IoT gadgets will reach 20.8 billion devices by 2020 (reference: Gartner, 2015). Intel Security predicted the number to be in the range of 20 to 30 billion devices by 2020. That's a lot of IoT devices spanning perhaps billions of relatively insecure home networks across the globe. Most recently, security firms have adjusted their predictions to nearly 50 billion IoT devices by 2020. This leads me to wonder: do we really know the prolific potential of global IoT sprawl?

A Few Good Steps You Can Take...

Using just the above examples we could fill many whiteboards with attack profiles and scenarios, line diagrams, and pathways to potentially catastrophic damage. And we need to conduct this type of out-of-box thinking to get inside the heads of bad-actors to anticipate what they are thinking, in order to understand how they operate and adapt. While it is unreasonable to think that home users will implement advanced security technology found in commercial business networks, there are some very good basic steps that everyone can and should consider to ensure their security. 
A good first step that home users should consider is locking down your internet gateway (the router) by restricting access with a complex password, disabling external remote management ports, disabling the DMZ function if you don't need one, applying the latest security firmware updates, and restricting inbound ports to only those that you really need. Also, disable inbound ICMP requests (we call these ping requests) so that your router doesn't respond to pings from the outside. This will provide a level of stealth since your router won't answer to pings. Incidentally, a ping request is among the first steps a bad actor takes to determine which IP addresses are responsive or not. You should also buy and install good anti-virus/anti-malware software for all of your PCs, and keep it enabled and always up to date. You should also consider configuring a password on your devices that share files (e.g. media, file servers, home PCs, etc.).
Lastly, it is important to try to maintain a current and reasonable awareness about emerging potential security threats and what you can do to minimize them. For example, news of recent examples of phishing attacks have been shared on the internet, local news and mainstream media. Remember to not click on links contained in messages from people you don't know. Even when someone you know sends an obscure message containing a link or attachment, think twice about clicking it since their PC could be compromised and potentially trying to spread malware to you and others. 
With respect to security and the Internet of Things, I consider myself a "cautious IoT embracer" which means, I try to understand and answer as many of the questions presented here to understand the risks, and adapt my security countermeasures to manage them. Good security and IoT can and will coexist. We just need to think creatively and thoroughly as we embrace both.
I hope you enjoyed this article and hope it was helpful.
Stay tuned, and stay safe.
Ed

Tuesday, January 17, 2017

Obama's Legacy in Internet Security: The Good, Bad, and Ugly

I just read NextGov's new article summarizing President Obama's accomplishments in Internet security.  What he did, what he didn't do, and how it all turned out.  The good, the bad, and the ugly.

Below is an excerpt from the article, centered around the following question, which sums it up well.

Are We Better Off Than We Were Eight Years Ago?

"That question—are we better off in cyberspace now than we were eight years ago?—was a particularly troubling one for cyber experts consulted by Nextgov."

Their answer, by and large, was a qualified........ No.


“We’re better off in terms of policies and institutions to deal with cybersecurity, but worse off with regard to the threat landscape and the actual security environment,” said Tim Maurer, co-lead of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
“There’ve been improvements on protecting us from attacks on critical infrastructure,” said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. “I think those are much less likely than before. But, overall, the progress has not kept up with the pace of the threat.”
Even Michael Daniel, the president’s cybersecurity coordinator, whom many experts credited with shepherding major advances during four-and-a-half years in the post, was not entirely sanguine.
“I think we’re clearly more capable and I think in many ways, we’re more aware and we are safer in many ways,” Daniel told Nextgov. “But our vulnerability has continued to expand as well … The landscape is more serious and more dangerous.”
Source: Nextgov

Stay tuned, and stay safe

Ed

Wednesday, December 28, 2016

Are passwords DEAD?

Many compromises, well all of them, are caused by exploiting a weakness.  And, passwords are by far the most common weakness.


By Ed Higgins

When will the problem of password compromises be solved?


Perhaps never. But, come on people! We mustn't make it so easy for a novice bad-hacker to steal your personal data, identity, credit and bank card accounts, email accounts, Facebook and Twitter accounts, PCs, and other stuff by neglecting your duty to use complex pass-phrases instead of passwords like: password, or password123.  Did you know that these example simple passwords can be guessed by brute force in a matter of .0001 seconds? And using the same password for every account is bad, because once a hacker gains control of one account, their primary objective in most cases is to gain access to as much as possible with certain focus on tangible things like credit and bank accounts. Hence once the bad actor accesses, say for example, your email account, they will determine all of your other accounts associated with that email address in just a matter of minutes (most cases, this process is automated).

They say, "Security Problems Exist When the Human Touches the Computer". This is not entirely true, since modern IT and Security groups work together to harden systems by closing default ports, implementing security controls and policies on the systems, and testing them periodically for existing and new vulnerabilities. By installing anti-virus software on your personal computer, you are essentially improving its security beyond its default settings. But any mistake such as an open port, an open shared service, or a weak password on an administrative user account can create a tiny chink in the armor, which a bad actor will quickly detect and exploit.

We need to get past simple passwords, and think of pass-phrases and use of special characters. Take the following sentence for example, or make use of a sentence that you can remember and recall readily.

"Today was the best day of my month, because it is sunny outside!"

Now take the first character of every word in the sentence and splice them together to produce a pass-phrase as follows. Yes, it would be cool to include the quotation marks, comma, and exclamation point.

"Twtbdomm,biiso!"

The above pass-phrase would be considered a "strong password" and could literally take a hacker a thousand years attempting to crack using automated brute force methods. If everyone would employ password creation practices such as the above, then we'd likely cut down the number of individual attacks, perhaps by as much as 80%. There are other methods for cracking user accounts, but the above is a great start and a strong pass-phrase is the only defense against sophisticated password cracking mechanisms.
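The first-letter method described above, as an added example that is not part of the original post: it derives the pass-phrase from the sentence and compares its brute-force search space with a dictionary password such as password123. The function names, the guess rate, and the tiny dictionary are assumptions constructed for illustration.

```python
import math
import string

# Assumed offline guessing speed (guesses per second). A constructed figure
# for illustration only, not a measurement from the article.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Tiny constructed stand-in for the word lists that cracking tools try first.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

# Sample sentence taken from the post, quotation marks included.
SENTENCE = '"Today was the best day of my month, because it is sunny outside!"'


def passphrase_from_sentence(sentence: str) -> str:
    """First character of every word, keeping punctuation around the words."""
    pieces = []
    for token in sentence.split():
        core = token.strip(string.punctuation)
        if not core:
            # Token is pure punctuation (for example a lone dash): keep it.
            pieces.append(token)
            continue
        start = token.index(core)
        lead, trail = token[:start], token[start + len(core):]
        pieces.append(lead + core[0] + trail)
    return "".join(pieces)


def alphabet_size(password: str) -> int:
    """Sum the sizes of the ASCII character classes the password draws on."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def assess(password: str) -> dict:
    """Estimate exhaustive-search cost, unless a dictionary finds it first.

    The bit count treats every character as random, so it is an upper bound
    on attacker effort: structure in the source sentence lowers it.
    """
    size = alphabet_size(password)
    bits = len(password) * math.log2(size) if size > 1 else 0.0
    in_dictionary = password.lower() in COMMON_PASSWORDS
    if in_dictionary:
        years = 0.0  # found by a word-list attack before any brute force
    else:
        # On average half the search space is tried before a hit.
        years = (2 ** bits / 2) / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR
    return {"password": password, "alphabet": size, "bits": bits,
            "in_dictionary": in_dictionary, "years": years}


if __name__ == "__main__":
    for candidate in ("password123", passphrase_from_sentence(SENTENCE)):
        r = assess(candidate)
        print(f"{r['password']!r}: alphabet={r['alphabet']} "
              f"bits={r['bits']:.1f} dictionary={r['in_dictionary']} "
              f"years={r['years']:.3g}")
```

The dictionary check matters more than the arithmetic for weak passwords: password123 has a nominal search space of about 57 bits, yet a word-list attack finds it immediately.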

Since 1996, I have repeated the mantra, sometimes on deaf ears: "Security is Everyone's Responsibility". It's not the responsibility of the sys admin, not the help desk, not the CISO, not the email system manager, but YOU. Sadly, your negligence in heeding the warnings of the aforementioned people is often the reason good IT and Security personnel get fired, because of a larger incident that you likely caused.

Think about the recent security breach during a political campaign where one or two weak passwords were compromised, allowing thousands of sensitive data and emails to be leaked to the public. One simple password caused an embarrassing flood of private conversations, political strategies, and potentially nefarious campaign activities to be revealed, thereby contributing to a political candidate losing an election.

People can be a tremendous asset or they can be a tremendous liability. Admittedly, many systems today do not allow the user to create a simple password. And these systems also require password changes at frequent but reasonable intervals, denying use of previous passwords, etc. But, there remain some systems that allow simple passwords. Your own PC is such an example.

There will come a day when ALL systems have more advanced controls such that there will be no such thing as a password, or even pass-phrases. These will be replaced by technologies that you carry with you. Examples of these, called multi-factor (or 2 factor), have you provide a hardware token (a USB device or a card) and also a PIN. Another example of multi-factor includes fingerprint or retina scan technology, which uses a part of your body as the second factor. 2 factor can be described as "bring something (your device, or your person), know something (your PIN)". Each of these separately doesn't offer much security, but together they create a more powerful combination. Critical systems within corporate environments and governments have employed multi-factor authentication for many years.

As long as passwords are used as a security measure between the world and your information, you owe it to yourself, your employer, and your family to at least use a strong pass-phrase.

I hope you enjoyed this article, and hope it was helpful. 

Stay tuned, and stay safe

Ed


Wednesday, August 17, 2016

Predicted Solar Flares a Security Risk? Really?

Lions and Tigers and Solar Flares, Oh My!


By Ed Higgins


This post may seem a little off-topic, science fictitious, or perhaps it might read a bit like a joke, but nonetheless, I wonder, in our assessment of IT security planning have we seriously considered natural disaster risks such as solar flares?

As a kid of the 70's, I remember that at certain times my CB Radio (remember those?) could receive signals from locations a few thousand miles away, which was well beyond the capability of my radio and antenna. Or, I remember those times when the television reception was just not that good at all, terrible in fact. These things were all directly related to solar activity, sun spots, and solar flares.

So, now, we fast forward to current time, a time in which we are heavily dependent on electricity, computers, cellular, digital telecommunications, wireless, satellite communications, radio frequency and infrared devices, and anything pretty much magnetic.

In the past 10 years, we've seen our list of technology requirements grow as has our dependence on these and the resources that support them. Think for a minute... What would your life, right now, be like without a computer, network or cell phone for a week or perhaps several months?  How about no television or satellite communications?  What about our business transactions, electronic commerce, banking and trading? What if there were no electricity for several weeks or perhaps months because our energy grid management systems were broken, not able to automatically open and close the power switches along the grid that deliver electricity to our homes and businesses?  What if energy produced by hydro, wind, nuclear, coal-fired generators were all halted because the microcomputers that control them were all fried and disconnected.  Alarmist? Perhaps a bit. Thought-Provoking? Definitely. At least, I Think So!

Our Nation's energy businesses have all been diligently implementing controls and plans to protect us from the infamous "cyber attack" on our electrical grid systems. But what if this particular threat was the least of our worries? Driven by NERC CIP, regulators mandate that energy producers improve Critical Infrastructure Protection, or the cyber-security controls that surround critical infrastructure systems that control things such as the energy grid, water treatment facilities, air filtration fans, and toxic materials disposal. These regulations greatly address the security risks of outages caused by terrorist act, accident, malicious hacker, and other cyber-villains.

While cyber attack is a very legitimate potential threat to our infrastructures, what if the bigger threat was the "11-year cycle of predictably repeated and historically accurate events relating to solar flares and sun spots that goes back millions of years"?

In these most recent of years, and at no other time in history have we all grown to be so very very dependent on microcomputer systems, cellular, and networks which are all most fragile to mass effects of solar flare activity.

In 1859, a solar eruption occurred that was so powerful it set fire to hundreds of telegraph offices... people got nasty electric shocks simply because they were working with metal objects. In 1859, however, we had no televisions, cell phones, power grid management systems, smart-meters, etc., so arguably the impact was less visible.

Now continue these 11-year recurring events forward to modern times.....

In 2003, and the most recent peak in solar events, we experienced outages that included computer system failures, magnetic data backup tape failures, electricity outages to homes and businesses, disrupted television and satellite operations, and greatly disrupted radio signals.

NASA and the scientific community accurately predicted the solar events; however, the only means of reducing the risks was to simply shut off high-risk devices. NASA temporarily shut down certain radar and satellite tracking antennae to avoid their destruction. NASA even grounded space shuttle programs to protect astronauts from the severe threat of deadly radiation exposure, as space is not protected by the magnetic field that protects the Earth.

Check out these interesting and informative videos on the solar flare phenomena:
  1. Attack of the Sun
  2. NASA Warns Of Super Solar Storm

As we explore and deploy all of the new methods for acquiring and producing energy... thus expanding our power grid to accommodate wind farms... solar arrays... new nuclear plants... and other renewable energy sources. This grid will get larger... and smarter... With microprocessors inside almost every device... communicating and negotiating with one another... running everything from air conditioners to power plants.

A sudden surge of solar activity could strike the grid directly... inflicting substantial damage on our "smart power economy".

A similar storm today, or in 2013 when peak solar flare events are predicted, could easily cause several trillion dollars in damage to our sensitive high-tech infrastructure, potentially thousands of times greater than hurricane Katrina.

Modern information security strategies are focused on physically and logically protecting data, keeping systems up during brief outages, recovering a destroyed data center to another with waiting equipment, preventing intruders or insiders from stealing company secrets or sensitive information such as customer credit cards, health records, et cetera ad nauseam ad infinitum.

Our Disaster Recovery Plans and Business Continuity Plans tend to focus on events with which we have some prior experience, like the horrible tragedies of September 11th, hurricane Katrina, and even the threat of widespread pandemic influenza. But what about the global impact of a modern-day solar flare event? How will we respond? What will we do when these naturally occurring solar flares generate similar interference as they have over previous 11-year cycles for the past millions of years, but this time they cripple the computerized devices that we have become so dependent upon?

Thoughts?  Provocative? Alarming?  Ho-hum?  Let me know...

I hope you enjoyed this article, and hope it was helpful.

Until next time,

Ed

Friday, November 6, 2015

You Have to Measure Before You Can Improve

Power In The Data Center



By Ed Higgins

Power Monitoring is the first step to savings in your Data Center.

As global competition intensifies, companies are increasingly turning to technology to help turn mountains of data into a competitive edge. With soaring energy prices and the need for round-the-clock data center services, enterprises must find ways to increase energy efficiency and reduce costs. In addition, escalating power consumption by large data centers and the population in general means additional power is not always available to expand computing services. Although power is becoming the most significant cost in running a data center, most data center managers lack the tools to accurately measure power consumption. All of these factors, along with a growing concern for environmental stewardship, are forcing the need for better power-monitoring technologies.

The cost of power is increasing. Power is now the single largest operating cost in the data center. The impending carbon tax is forcing companies to truly understand their energy use patterns and reduce power usage because of the increased costs associated with energy consumption. With today’s limited IT budgets, any energy savings means more money for revenue generating activities that can help bolster the bottom line.

Power failures are expensive and detrimental to business. The high cost of data center downtime due to power failure is another threat that plagues data center managers. Any downtime of the equipment in data centers supporting today’s global companies and organizations can mean millions of dollars in lost revenue, as well as withering customer confidence. Data loss or corruption resulting from power-related issues is equally damaging to a company’s revenue and reputation.

Why It’s Important to Monitor Power

You need to measure it before you can fix it. Analysts continue to rank energy efficiency as the number one concern of data center owners and operators. The truth is, however, you simply can’t improve something, especially energy efficiency, if you’re not measuring it. Energy efficiency projects often pay for themselves in energy savings, but if you don’t know how much energy you’re using and how much it costs, it is very difficult to justify new technologies and best practices or to assess the savings of those new methods. Without a baseline and then continued measurements, it is impossible to determine where to optimize, to evaluate the results of the optimizations, or to show the improvements to management, government agencies, or customers. In addition, you need to be able to identify energy consumption peaks and lows and determine how they relate to operations and key internal and external events (such as marketing campaigns, accounting cycles, and changing weather patterns) to enable you to adequately plan for these events.

A number of organizations, including The Green Grid and the Uptime Institute, are working to develop standards to help companies become more energy efficient. The Green Grid’s Power Usage Effectiveness (PUE) metric is becoming a standard for data center energy efficiency, but PUE cannot be reasonably determined if energy consumption cannot be measured. Measuring at the device plug (after all of the power conversion, switching, and conditioning is performed) is the best way to calculate PUE. Finally, measuring at the device plug is sometimes the only way to accurately measure power usage in a data center—particularly if the data center shares power with other areas in the building.

By measuring power usage you can:

• Identify potential cost savings and set goals
• Identify current power costs and set a baseline
• Implement efficiency improvement projects
• Continuously measure to determine success
• Accurately bill departments and tenants
• Balance 3-phase power systems

Data center managers need to understand it to work with it. In most data centers today, data center management and facilities management are still handled by two different departments, which means data center managers operate without fully understanding the ramifications of infrastructure changes.

Another reason to monitor power is to avoid costly downtime and loss of data. Systems consuming an inordinate amount of energy might be signalling a performance problem. On the other hand, inadequate power can cause stability problems. The ability to monitor power usage provides yet another tool to help data center staff actively solve potential problems, thereby possibly saving millions of dollars in losses.

The Benefits of Power Monitoring and Management

Increase profitability with lowered energy and operating costs. Even a small drop in energy consumption can deliver substantial cost savings over time.

Ensure accurate chargeback. Colocation providers charge tenants for energy usage. Monitoring power provides accurate data on usage, making it easier to compute charges. Clients are more likely to accept these charges if they are provided with accurate statements. A full accounting of energy usage can also help departments understand how effectively they are using the compute resources they purchase. Power usage data is also enabling service providers to implement a different pricing model determined by such categories as power factor. Tenants with legacy equipment having a bad power factor are charged at a higher rate for excess power usage. This will increase the colocation provider’s green credentials.

When you understand power usage in the data center, you can also begin to intelligently balance phases on your 3-phase power system to optimize energy use and reduce costs. There are a number of benefits that make efficient load phase balancing a worthwhile objective. One such benefit is increased feeder capacity. The loading on a feeder section is synonymous with the most heavily loaded phase and, in the case of significant imbalance, feeder capacity is used inefficiently. Balancing between phases tends to equalize the phase loading by reducing the largest phase peak while increasing the load on the other phases. This equates to releasing feeder capacity that can be used for future load increases without reinforcing feeder conductors.

Additionally, phase balancing reduces feeder losses because any phase peak reduction affects the losses for the phases as the square of the current magnitude. A feeder section with 1-ohm resistance that has phase currents of 50A/100A/150A will have 35kW in losses. When balanced at 100A/100A/100A, the loss reduces down to 30kW. The same effect is even more evident in the reduction of reactive power losses because the X/R ratio of most feeder sections is greater than 1.

Phase balancing also improves the voltage on a feeder by equalizing the voltage drops in each phase along the feeder. This released feeder capacity provides more reserve loading capacity for emergency loading conditions. It is realistic to assume that the benefits in improved use of feeder capacity and improved voltage quality are of more significance than the value of loss reduction except when loading is already high.

Typically, balancing is accomplished by selecting the phase of the supply for each load so that the total load is distributed as evenly as possible between the phases for each section of feeder.
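The loss figures and the balancing approach described above, worked through as an added example (not code from the original article). The rack names and per-load currents are constructed, the greedy largest-first placement is one simple heuristic chosen for illustration, and currents are added as scalars on the assumption that all loads share the same power factor.

```python
"""Added illustration: I^2*R feeder loss and a greedy phase-balancing pass."""

PHASES = ("A", "B", "C")

# Constructed sample data: (load name, phase as wired today, current in amps).
# Totals are 50 A / 100 A / 150 A, the unbalanced case from the article.
SAMPLE_LOADS = [
    ("rack-01", "A", 30), ("rack-02", "A", 20),
    ("rack-03", "B", 40), ("rack-04", "B", 35), ("rack-05", "B", 25),
    ("rack-06", "C", 50), ("rack-07", "C", 45), ("rack-08", "C", 30),
    ("rack-09", "C", 25),
]


def phase_totals(loads):
    """Sum current per phase. Assumes equal power factor, so amps add as scalars."""
    totals = dict.fromkeys(PHASES, 0.0)
    for _name, phase, amps in loads:
        totals[phase] += amps
    return totals


def feeder_loss_kw(totals, resistance_ohm=1.0):
    """Resistive loss summed over the three phase conductors, in kW."""
    return sum(i * i * resistance_ohm for i in totals.values()) / 1000.0


def rebalance(loads):
    """Greedy heuristic: place the largest remaining load on the least-loaded phase."""
    totals = dict.fromkeys(PHASES, 0.0)
    plan = []
    for name, _old_phase, amps in sorted(loads, key=lambda l: l[2], reverse=True):
        target = min(PHASES, key=lambda p: totals[p])  # ties go to the first phase
        totals[target] += amps
        plan.append((name, target, amps))
    return plan


def imbalance_pct(totals):
    """Largest deviation from the mean phase current, as a percentage."""
    mean = sum(totals.values()) / len(totals)
    return max(abs(i - mean) for i in totals.values()) / mean * 100.0


if __name__ == "__main__":
    for label, loads in (("as wired", SAMPLE_LOADS), ("rebalanced", rebalance(SAMPLE_LOADS))):
        t = phase_totals(loads)
        print(f"{label:>10}: {t} loss={feeder_loss_kw(t):.1f} kW "
              f"imbalance={imbalance_pct(t):.0f}%")
```

The greedy pass is not guaranteed to find the best split for every set of loads; for this sample it reaches an even 100 A per phase.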

In summary, the only way to achieve power savings in the data center is to first actively measure current and power at as many granular points as is reasonably possible. From there, you will begin to see the areas of low-hanging fruit (typically the fruits represent 20%) for which you can implement strategies for cost reduction, whether this be consolidation, virtualization, elimination, or advanced tactics such as integral power-capping vehicles which instruct systems to "slow down" when the right conditions are met. Only the best DCIM solutions can provide the real-time monitoring capability to give you this insight.

I hope you enjoyed this article, and hope it was helpful.

Until next time,
Ed



Wednesday, September 3, 2014

Will You Throw Up When Your Security Incident Hits The Evening News?

Reporting Security Breaches: Back in 2003 and Now. What's changed?


By Ed Higgins

In 2003, an article was posted that presented a hypothetical university security incident in which hundreds of thousands of historic student records and payment card information were compromised. The systems were in place (although nothing is 100%), the personnel were trained, but the study suggested that the university was not prepared to address the public when the story broke on the 6pm Evening News.

So, what has changed? Have laws and regulations been prescriptive enough to educate businesses, universities, and other establishments on their requirements to disclose the incident to the public?

Do entities know what to do when "it" happens? How to notify the victims? Do you notify the victims? You can't really hide it from the public and keep it private, can you? Did you know that for several years United States laws, such as California SB-1386, have mandated disclosure of a security breach to potentially affected victims? No more head in the sand....


The depth and speed at which cyber crimes occur have significantly changed. Formerly a form of crash-and-dash, today's cyber criminals operate more stealthily, with better tools, performing significant reconnaissance before they strike. No longer about fame [the notoriety of spray-painting a web page], these criminals carry out well-planned, focused, and financially motivated attacks, striking at the perfect moment.


The key to adequate incident response today is speed to identify, stop, and address the situation often using outside private investigators for independence as well as competence in the subject matter. This all has to happen much much much much faster than in the past. Bureaucratic organizations move aside!

Based on studying the incident response processes and situations during real-life actual incident investigations with hundreds of clients, I would suggest that we have a lot of work to do. We kinda need to reinvent our incident detection and response processes.


I hope you enjoyed this article, and I hope it was helpful.  


Until next time, "Watch Out For Yourself".

Ed