Data Center Infrastructure: The Overlooked Cyber-physical Attack Surface Beneath the Cloud  

Data center construction is booming, driven by cloud migration and a surge in AI workloads that demand enormous compute, storage and network bandwidth, along with the precise environmental control that keeps it all running without interruption.

That business criticality has made data centers high-value targets for sophisticated attackers. Yet security attention tends to concentrate on two things: the cloud environments where AI workloads run, and the rows of always-on servers (often tenant-owned, but under the operator’s watch). Meanwhile, the building management, physical security and OT systems that deliver power and cooling, the systems that keep a data center alive, remain a blind spot.

Data center owners and operators face three primary challenges tied to that blind spot:

  • Limited insight into a vast, largely unprotected OT and IoT attack surface, and how to defend it
  • Dependence on a stable energy supply, which is governed by separate cybersecurity regulations for utilities
  • Designation as critical infrastructure, which carries strict cyber-physical security requirements

Here’s how to work through each one so you can reduce cyber risk, maintain operational resilience, and actually deliver on your uptime guarantees.

Cybersecurity for the Systems Behind the Servers

A large data center runs on hundreds of cyber-physical systems governing everything from heating and ventilation to cooling to the uninterruptible power supply. From there, layer on the CCTV, badge access, fire suppression and other IoT devices scattered across the campus. These systems are more connected than ever, to IT networks and frequently to the internet, often without anyone realizing it and with default credentials still in place. Many are managed remotely by third-party vendors with around-the-clock access. Others are barely maintained at all.

“Cybersecurity requires visibility across the system of systems. The power plant, backup power, cooling and physical access systems each have potential for misuse that could affect data center and grid stability,” — World Economic Forum.

When these systems are left to run as separate, loosely monitored silos rather than as one interdependent infrastructure, attackers are more likely to find exactly the leverage they need to reach their objectives. Compromise the cooling facilities, for instance, and you can overload circuits and force a shutdown that takes the racks down with it.

Top Cyber-physical Risks for Data Centers

Data centers have the potential to draw attackers of every kind, from financially motivated ransomware crews to state-aligned groups intent on disrupting the services that depend on them. What leaves them so exposed is the OT and IoT layer beneath the servers: increasingly connected, serviced remotely and in some cases even reachable from the internet, these assets open access paths that quietly sidestep IT controls and can escalate into serious disruption or widespread outages.

Internet-exposed DCIMs at the Core of Operations

The data center infrastructure management (DCIM) system ties together IT and facility systems to monitor power, cooling, server racks and environmental sensors. Because it sits in a gray zone between IT and facilities, it is easy to overlook, and in some cases it is even exposed to the internet. Research by Cyble in 2022 found 20,000 DCIM tools and applications reachable from the open internet, many still guarded only by default factory passwords.

Cooling Systems that Maintain Precise Conditions

Whether the cause is a cyberattack or a simple malfunction, a cooling outage triggers a rapid temperature climb. Operators may have only 15 to 20 minutes to shut servers down before the heat damages them beyond repair.

Exploitable OT/IoT Devices

Assets like CCTV cameras and temperature sensors run stripped-down operating systems with minimal encryption or authentication, which lets attackers slip past perimeter controls, gain an initial foothold and pivot toward critical systems. We have already seen where that leads. In the 2021 Verkada breach, attackers reached the live feeds of roughly 150,000 internet-connected cameras across businesses, hospitals and other facilities. A camera is rarely the ultimate target, but it is very often the way in.

Remote Maintenance by Third-party Vendors

Dozens of vendors hold remote access to OT and IoT systems across the data center. On any given day, a steady stream of technicians logs in for maintenance, frequently with minimal security between them and the systems they service.

Securing the Substation that Powers AI

Data centers need a continuous, stable energy supply, and AI workloads make that need acute, because they are extraordinarily power hungry. To keep up, larger facilities increasingly want a dedicated supply they can control for redundancy, uptime and cost. Even smaller sites keep backup generators. Hyperscale campuses almost always build their own purpose-built substation, and a single campus can draw city-scale power. Colocation providers may also build and operate substations of their own.

That appetite is now large enough to reshape the grid itself. Data centers have become one of the fastest growing and most complex sources of electricity demand. The International Energy Agency estimates they consumed about 1.5% of global electricity in 2024, with consumption up roughly 12% in a single year. The World Economic Forum describes data centers as large-scale “prosumers” that both draw power and, through on-site generation, produce it, with complex implications for grid resilience. The specific danger is abruptness: large loads that suddenly join or drop off the grid can create instability that traditional planning never had to anticipate.

It has already happened once. On July 10, 2024, a transmission-line fault in Northern Virginia, the densest data center market on earth, caused roughly 1,500 MW of data center load to drop to backup power almost simultaneously. According to NERC’s incident review, the sudden loss pushed grid frequency and voltage upward and forced operators to act to keep the system stable. The grid, NERC noted, has not historically had to plan for losing that much load in an instant.

Data Center Operators as Regulated Utilities

Given the amount of energy data centers consume and their impact on the grid, regulators are no longer standing by. On May 4, 2026, NERC issued a rare Level 3 “Essential Action” alert after observing customer-initiated large load reductions and significant oscillations that play out in seconds, leaving operators little or no room to respond and threatening the reliability of the bulk power system. The alert lays out seven actions that registered entities must implement, with responses due by August 3, 2026. It’s paired with a new voluntary guideline, Risk Mitigation for Emerging Large Loads, that NERC frames as a reliability bridge while it updates its formal standards.

For data center providers, this is where physical scale becomes a compliance question. When an operator builds and runs its own substation or on-site generation that interconnects with the bulk power system, it can cross the line from “large customer” into NERC-registered-entity territory, inheriting NERC Critical Infrastructure Protection (CIP) obligations and the ongoing, defensible proof of compliance they require. In other words, the substation that guarantees your uptime can put your OT under the same cybersecurity regime as a utility. Either way, the controls behind that power, the relays, the generation and the building systems, are now part of both your reliability story and your regulatory one.

Cybersecurity Regulatory Compliance for Critical Infrastructure

Data centers are now formally classified or regulated as critical infrastructure, or critical national infrastructure (CNI), across most major economies. Wherever data centers cluster, cybersecurity oversight follows.

A Holistic Approach to Data Center Cybersecurity  

For owners and operators, the implication is hard to miss: a cybersecurity strategy aimed only at IT and the cloud is not enough. Many of the most consequential risks live in the cyber-physical systems that keep a data center running, not in the servers it houses. The fix is to treat IT, OT and IoT as a single connected risk surface, and to extend the same monitoring depth you already apply to the cloud down to the physical plant beneath it.

This is where the Nozomi Networks platform earns its place. It maps every OT and IoT asset in the facility; ranks vulnerabilities by genuine operational risk; watches power, cooling and physical security systems continuously for threats and anomalies; and adds AI-driven SOC assistance so analysts can spend their time where it counts, helping operators hold the line on both SLAs and compliance.

To learn how we can help you secure the infrastructure that powers AI, contact us today.