Beyond Cyber: Tackling Physical Threats to Data Centres

As more systems and applications are run in the cloud, many people might imagine data to be suspended somewhere in the ether, unbound by physical constraints. However, the name ‘cloud’, which comes from what a cluster of servers look like when drawn on a system diagram, is not a reference to location. These systems are very much located in the physical world, running on hardware housed in huge data centres which face all the physical threats typically associated with valuable assets.

Globally, the number of data centres continues to increase and the UK alone recently announced ￡6.3bn of investment by US companies into UK data centre technology. Fuelled by breakthroughs in AI models and a data-hungry economy, these facilities now play a central role in national infrastructure. The UK’s recent designation of data centres as critical national infrastructure (CNI) underscores just how vital these sites have become and why they require the highest levels of protection.

While almost all data centre attacks to date have been cyber in nature, physical threats remain a significant risk. Although it was triggered by an internal network failure, the 2021 Facebook outage illustrated the critical nature of physical access, as employees were locked out of data centres at a critical time, unable to enter and fix the issue, prolonging the impact to their business and customers. We also note an increase in Russia’s targeting of data centres in Ukraine as their cyberattacks fail to be effective. As cybersecurity software improves it is not unreasonable to forecast a similar shift in attack nature in other geographies. The current figures on physical threats are to be applauded as signs of success, but the risk is very much still there.

Not only is the attack surface increasing as data centre numbers grow, but so too are the attack vectors. With drones now easily adapted for nefarious purposes and Open Source Intelligence (OSINT) tools making data centres easier to locate for anyone with an internet connection, physical threats are no longer the preserve of large and well equipped state actors. Beyond traditional measures like fencing and access management, organisations now require robust, tech-enabled defences to secure both the perimeter and the interior.

We should remind ourselves that software runs on hardware anchored firmly in the physical realm. Proactive, layered security planning from access control to technical surveillance and penetration testing is essential. Technical and physical mitigation must also be combined with education and staff training to ensure all employees are aware of the threat. Working with experts who understand both the digital and physical dimensions of security is the best step forward in safeguarding these indispensable assets.