Claroty, the cyber-physical systems (CPS) protection company, today published new research from its award-winning threat research team, Team82 that reveals vulnerabilities in two different types of equipment used primarily in data centres–power supply devices and HVAC controllers. The research finds that if the vulnerabilities were to be successfully exploited to their fullest potential, attackers could cause costly downtime and devastating impacts on the operations that power modern society. Team82’s research was originally presented at SANS ICS Security Summit in Orlando, FL in the session, “New Kind of Critical Infrastructure—Uncovering Vulnerabilities in AI Data Centre Equipment.”

The High Stakes of Securing Data Centres

Outages are an intolerable risk for data centre technology leaders, driving security teams’ need to ensure their infrastructure is resilient to attacks, because protecting the data centre means keeping digital business running continuously. Should data centres experience any downtime, costs could exceed hundreds of thousands of dollars per hour. Adding even greater criticality to the operational uptime of data centres, the world is becoming more reliant on AI powering daily lives—a massive workload that is powered by data centres. This makes data centres an increasingly lucrative target to threat actors who, at the same time, are leveraging AI-enabled threats as they seek to cause disruption, making data centres increasingly considered as critical infrastructure by industry and government.

Vulnerabilities in Data Centre Equipment Present a Critical Uptime Threat

The first set of findings shows two critical vulnerabilities in Vertiv’s uninterruptible power supply (UPS) network cards—devices that keep critical equipment running in the event of a power outage. Data centres rely on them to keep servers, routers, and control systems stable and protected from power spikes or drops, allowing devices to stay online or shut down safely. If successfully exploited, since virtually all computing equipment relies on UPS devices to stay online during power issues, any compromise could mean complete operational disruption.

Read the full research in “Attacking UPS Network Cards to Take Down Data Centres.”

The second part of the research involves a chain of severe, highly exploitable vulnerabilities in the widely deployed Trane Tracer SC+–an automated HVAC controller. The vulnerabilities discovered by Team82 were buried deep within the device’s architecture and, if weaponised, could allow unauthenticated remote code execution (RCE), potentially giving an attacker complete control over a critical building management system from the outside.

Read the full research in “Turning Up the Heat: Hacking Trane HVAC Controllers.”

“The types of vulnerabilities found in Team82’s research represent why data centres must make a fundamental shift in how they redefine their cyber and operational resilience goals, given that a single cyber incident can lead to physical disruption, create safety hazards, or cause catastrophic downtime,” said Amir Preminger, CTO of Claroty and head of Team82. “Our research shows that the risk to data centre stability is very real and very present. Data centre operators must move quickly to treat CPS protection as a business imperative to drive risk reduction and maintain operational uptime.”

All findings were responsibly disclosed to Trane and Vertiv, which worked with Team82 on remediation to address all issues prior to publication.