HVAC Security Controls

HVAC Security Controls

I have received a few responses from my haiku idea. One came from a fellow, whose poetic skills I admire, and poked a little fun at me. He offered the following as an example:

The servers are hot!
The data center is warm!
What will happen now?

It made me smile and, actually, was rather timely. As data centers in the northern hemisphere move into the summer months, our attention turns towards air conditioning. HVAC (Heating, Ventilation, and Air-conditioning) falls under physical security. Returning to the haiku, the servers are hot. What will happen now? A denial of service.

Some┬ábasic controls can be built around HVAC systems to prevent a DoS. The first few revolve around redundancy. HVAC systems should be dedicated and spec’d with ample capacity to cool the room in question. Internal redundancy can be achieved by dual compressors and controllers. External redundancy can be achieved by dedicate n+1 power lines and dual intake vents. Speaking of intakes, these should be in a protected space to prevent tampering or build up of debris. The HVAC itself should be in a physically secure location.

In summary, here is a checklist of items for an InfoSec pro to audit with his facilities personnel:

  • Dedicated HVAC
  • n+1 tonnage capacity
  • Internal redundancy
  • External redundancy (power/air feeds)
  • Positive pressurization (vent the area of dust, debris, and possible smoke)
  • Physical security of the HVAC unit
  • Physical security of the HVAC intake vents
  • Clear supply and return vents

Regards and keep cool,

J Wolfgang Goerlich

Posted by