<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);">Hi Chris,</span></div><div style="direction: inherit;"><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);">I think anybody who's been closely following "mr robot" is now aware that explosive/combustible material is already inside Datacentres without having to smuggle it in.</span></div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);">Also note that volatile materials are going to decompose with trace amounts of gas that may register on the VESDA systems in most DC's.. assuming someone is paying attention and has the means and motivation to look for it.</span></div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="direction: inherit;">I suspect that for would-be attackers exerting the same effort into digital attacks has a higher return on investment with a lower chance of detection.</div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="direction: inherit;"><span style="background-color: rgba(255, 255, 255, 0);">John</span></div><div style="direction: inherit;"><br></div></div></div><div><br>On 25 Sep. 2016, at 8:18 pm, chrismacko80 <<a href="mailto:chrismacko80@gmail.com">chrismacko80@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>Dear Industry Colleagues,</span><br><span></span><br><span>In the last week, in reflection of previous data centre tours I have</span><br><span>undertaken across the country and the risks that face us all within</span><br><span>the IT industry, a concern came to mind in our physical security layer</span><br><span>in relation to data centre facilities. It is my understanding</span><br><span>currently in Australia (and for other countries as per discussions</span><br><span>with colleagues), colocated computer equipment provided by customers</span><br><span>is not inspected nor scanned for any potentially damaging substances</span><br><span>before being installed within data centres, by organisations providing</span><br><span>these services. At times, singular servers may be extremely bulky, and</span><br><span>there may also be occasions when customers provide multiple racks</span><br><span>fully equipped that is positioned within the data centre without any</span><br><span>closer inspection apart from basic identification checks, as per</span><br><span>understanding of information provided from some of our largest data</span><br><span>centres. Considering this, I feel it's a risk that we don't scan</span><br><span>equipment as it is being delivered/installed, similar to airports, in</span><br><span>particular when it has been delivered locally.</span><br><span></span><br><span>It's my understanding as an industry we spend billions each year</span><br><span>securing our data security layer within data centres, however it</span><br><span>appears that even with the strictest data centre audits (including by</span><br><span>government risk assessors), these have not scrutinised this risk to</span><br><span>any degree. I'm not aware if the Attorney General's department nor our</span><br><span>federal or state governments perform any such checks when equipment is</span><br><span>being installed into their own data centre facilities. I also don't</span><br><span>believe I ever saw any such risk considered under any data centre</span><br><span>rating specification. As a point, what good is bullet-proof glass</span><br><span>within the foyer of a data centre and specific outline of the</span><br><span>construction of a goods lift, when there is a greater threat for</span><br><span>potentially damaging substances to be wheeled into a data centre</span><br><span>within equipment without scrutiny.</span><br><span></span><br><span>I would also ask the question whether our financial market is exposed</span><br><span>in any way to this risk, and whether the Australian Stock Exchange</span><br><span>sufficiently scans computer equipment delivered for installation into</span><br><span>its' data centre facilities in particular by third party customers. I</span><br><span>don't know the answer. I hope they do, if not, the question really</span><br><span>needs to be asked, why not?</span><br><span></span><br><span>Quoting from ASX document</span><br><span>(<a href="http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf">http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf</a>)</span><br><span>which is available on their website currently;</span><br><span></span><br><span>"The Australian Liquidity Centre (ALC) is a state-of-the-art data</span><br><span>centre and financial markets community located just outside Sydney’s</span><br><span>CBD. It enables ASX customers to connect with each other and the</span><br><span>Australian and global financial markets like never before.</span><br><span></span><br><span>Offering one central location for fast, simple connection to the</span><br><span>financial markets community, the ALC provides low latency connectivity</span><br><span>options to domestic and global liquidity sources, ASX market data and</span><br><span>all ASX markets.</span><br><span></span><br><span>The ALC is designed to maximise the potential of its community. It</span><br><span>houses all of ASX’s primary trading, clearing and settlement systems</span><br><span>as well as providing hosting facilities for its customers which</span><br><span>include buy and sell-side firms, market infrastructure and liquidity</span><br><span>venues, information and technology vendors, and infrastructure and</span><br><span>network service providers."</span><br><span></span><br><span>I've reached out to several colleagues within the industry, who also</span><br><span>agree the lack of scanning of potentially damaging substances is a</span><br><span>serious concern, I'd ask that you consider your thoughts on this risk</span><br><span>in regards to safeguarding our technology and investments made by all</span><br><span>involved, and what you believe should be done to address this risk</span><br><span>moving forward.</span><br><span></span><br><span>Kind regards,</span><br><span></span><br><span>Chris Macko</span><br><span>_______________________________________________</span><br><span>AusNOG mailing list</span><br><span><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a></span><br><span><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></span><br></div></blockquote></body></html>