I would also point out that Cessna airplanes and hot air balloons rigged with Go-Pros are also flying over your data center almost every day. In addition to just regular citizens flying recreationally, taking photos and video for their families, there are also professional photography companies taking high resolution photos for the likes of Bing’s “Bird’s Eye View” in its mapping product. And don’t even get me started about these new high resolution LEO photography satellites that our government and private agencies are flying.
So if all of that is happening already why should we protect our data centers from drones? And for that matter is it eve possible for data centers to be protected from drones?
Protecting your Data Center from Drones
I recently flew my own Phantom 3 Professional drone over Facebook’s Fort Worth Data Center. The aerial footage from the Phantom turned out great. The sun was in the right position and there was little wind. I couldn’t have been happier with how it turned out. So I whipped together a little video for The Geek Pub thinking some of my audience might enjoy it and posted it to The Geek Pub channel on YouTube. You can see a freeze frame from that video below.
To my surprise, a few days later I got an inbox message on Facebook from Facebook asking me to come onsite to take a tour of the facility by one of their employees. Long story short, I ended up on the phone with this guy a few days later and the topic eventually turned to drones, and how it related to data center security.
Drones and Data Center Security
Now before we go any further, Facebook was very cool headed about this situation. They were nothing but over the top friendly. That’s not to say that they were 100% happy about a drone flying over their facility taking video. They did have some concerns with security and proprietary information possibly getting into the hands of their competitors.
Let’s start first with where this stands legally, based on FAA regulations and state and local laws. Since I am not into breaking the law, or even being into grey areas of the law, the first thing I did when I bought my drone was register it with the FAA and read the Texas laws on flying drones. The law here in Texas is pretty simple:
- Follow the FAA regulations: Fly at or below 400 ft, keep the drone within visual line of sight, stay 5 miles away from airports
- Fly the drone at 400 ft over gas & oil refineries and power plants, and do not interfere with their operation
- Do not fly the drone over public stadiums or other large crowds of people
That’s pretty much it in Texas. You own the land that you live on or do business on, but you do not own the airspace above it. Imagine if a fleet of hot air balloons flew over your home at 200 ft. It wouldn’t even cross your mind to call the police. You can be certain there are GoPro cameras attached to the balloons, and you can be sure at least some of the pilots are taking pictures with zoom lenses attached to DSLR cameras!
So why is it that the thought of a drone scares us so much? Two reasons! First, blame the media. They have spent the last year vilifying drones. It makes for a great news story. And they don’t care about anything else. Second, because they are getting extremely popular and affordable. Almost anyone can own and operate a drone. Not just anyone can fly a Cessna airplane or hot air balloon over your home (or business). This means the flights were far and few between and generally flying over your home was a coincidence, or just random luck of the draw. With drones, it is likely the structure, or home it flew over was targeted as a point of interest. That’s not always true, because they may be simply flying over your home or data center to get to another point of interest, but its much more likely.
That being said, many in the legal profession are advising drone operators to maintain an altitude of at least 200 feet when flying over property they don’t own. There is going to be a big difference if you wind up in court and you were flying your drone up to someone’s bedroom window, or flying 200 foot over the top of their house. Also, please keep in mind that I am only working with Texas law in this article, and I am not a lawyer. You should consult one in your state for legal advice.
Data Center Drone Risks
So at this point you’re probably saying “Well if most states are like Texas (and they are) then there’s not a whole lot we can do? So exactly what is the point?”
Let’s start by determining what our risks are. It’s not as simple as ignoring the problem. I also doubt the laws are going to change much to protect your data center either. And you might be surprised when you hear me say “I don’t want stricter laws on drones.” What? That’s right. Benjamin Franklin said “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” and he is absolutely right. It’s on us as operators of data centers to make sure that they are secure and that confidential things stay confidential. We don’t leave the IP address of our data center’s management console(s) on the home page of our website do we?
The Risks of Drone Flyovers on Data Centers
Step 1 is that we need to make sure that there is no information on the outside of our data center that could be used by a competitor or an attacker:
- Do not have IP address labels on any equipment on the roof, sides, or anywhere exterior of the building. That sounds simple, but I can’t tell you how many times I have seen vendors install a modem, switch, router, DSLAM, satellite dish, IP camera, access point, or other network device outdoors only to have a label with the management IP address right on the side of it.
- Do not place any confidential information in sight of windows or sky lights. Not everyone is going to be ethical about their flyover and maintain 200 ft.
- Security vehicles (or at least some portion of them) should be unmarked.
- Some security patrols should be plain clothed.
Step 2 is to protect what enters and exits the building:
- Deliveries should be covered to keep its contents secure. Even better would be box truck only deliveries with a secure loading dock and sealed delivery door and cover. The kind where the box truck connects to your loading dock preventing anyone from seeing what comes off of the truck.
- Deliveries from UPS/Fedex/USPS/etc. should be delivered to a secure loading dock, rather than carried across a parking lot to the front lobby.
- Technicians entering and exiting the building should use unmarked vehicles and have the parts delivered separately to the loading dock.
Step 3 is to protect information from competitors:
- Do not display brand names and logos on the outside of the building. If you don’t want your competitor (or a hacker) to know what generator, chiller, air handler, or antenna arrays you’re using, make sure they are covered or at least have the logos removed.
- Do not provide visibility to sensitive items from windows or sky lights (in fact just don’t have windows or sky lights in your data center at all!)!
Step 4 is to assume your data center has a drone flying over it 100 times a day:
- You should already have security practices in place, both physical and virtual, that are designed to stop hackers and keep corporate espionage at bay. These same practices should assume that a drone is just part of the mix that will be used. You shouldn’t have your security guards leave and arrive at the same time every day, or on an easily discoverable shift pattern. Assume that drones will be used to help discover that pattern or schedule.
- Everything in your data center should be securely encrypted using the latest encryption standards. Assume that a drone will flyover the top of your building carrying a modified HAM or 802.11a/c/b/g/n receiver listening for your proprietary and confidential data.
- Make sure that radios used to communicate internally and externally are encrypted so that drones (or someone standing across the street) can’t listen in using a HAM radio or other listening device. In the same vein do not use a PA system that broadcasts audio messages externally to the facility grounds (or at least make sure those messages are vague enough to not give away your secrets).
Step 5 is to assume at some point a hacker will land a drone on top of your data center, or use it to drop hacking equipment on the roof or grounds of the facility:
- Do regular sweeps of the grounds and roof to make sure no unauthorized equipment has appeared or been installed.
- Make sure there are no open electrical outlets, network jacks, or cable connections exposed outside of the building for a hacker to connect to. Make sure that all equipment in in a protective housing to prevent it from being unplugged, or allowing a “man-in-the-middle” device to be installed.
- Make sure all wiring, both electrical and low voltage/data are inside the building, or secured inside protective conduits.
You Won’t Stop the Drone Flyovers of your Data Center
The bottom line is that unless you are the government with sweeping authority you won’t be able to stop the drone flyovers of your data center. You should instead not even try. You should assume it is happening every day, and make sure that your facility and grounds are hardened against such threats. Disruptive technologies come along quite often. Drones are just the latest. As operators of data centers we should be forever vigilant in the protections we put in place to maintain them, and keep them secure. We should assume the worst will happen, and always be prepared for it.
One Last Thought
I suspect some of you are asking why I would be against making it illegal to fly a drone over a data center (or whatever other structure you are trying to protect). I look at this as very similar to the gun debate. We are never going to take guns away from criminals. It just won’t happen. Do you think for one minute if we make data centers no fly zones that criminals will obey that law? Of course they won’t. Which means legal or illegal we have to be prepared to address the threat to our facilities. If they outlawed drone flyovers tomorrow, nothing should change with how you operate and secure your facility from drones. In fact, maybe you should consider flying your own security drones over your data center!
I think you’re right. There’s no reason to expect that criminals are going to follow the law. There’s also zero reason to expect the government will do the right thing. They’ll make some knee jerk reaction law that helps no one. Great read!
Maggie – you’re right. The last thing we need is a government response to drones. We need business to take reasonable precautions. You wouldn’t leave the front doors to your jewelry store unlocked at night would you? 🙂
I don’t want to come across as an asshat, I really don’t but if Facebook is dumb enough to have not already protected themselves against drone threats then I don’t want my data on their servers. I suspect they are smarter than that.
Yes. Such great insight! And I agree, the government and the FAA need to leave the drones be. The hot air balloon analogy is perfect!