Ben Harris, Partner at Avella Security and former UK Special Forces and Royal Marine Commando, says the UK’s regulatory shift is a wake-up call to test fences, doors and OT systems as hard as we test networks.
The UK’s data centres are the backbone of our digital economy and national resilience. They host the systems that run everything from military operations and emergency services to AI platforms, NHS records, and the banks we depend on daily. But with that importance comes risk, and today, that risk is no longer just digital.
Driven by geopolitical tension, grey-zone warfare, and activist disruption, a new kind of threat is emerging: hybrid sabotage. It’s the combination of cyber intrusion and physical attack. Strategically planned, often state-aligned, and increasingly aimed at our critical infrastructure.
The fact is that data centres should now be considered as part of our critical infrastructure. The Government’s recent decision to include data centres in the Cyber Security and Resilience Bill is more than symbolic. It’s an overdue recognition that these sites are part of our Critical National Infrastructure (CNI). But it should also be seen as a major red flag, and a wake-up call for operators to realise that cyber protection alone is no longer enough.
If operators continue to treat physical and cyber security as parallel but separate domains, we risk leaving the door wide open, sometimes literally, for attackers who know how to exploit both.
The rise in cyber-physical sabotage is real
Around the world, hybrid attacks are becoming more precise and more frequent. In Ukraine, coordinated drone strikes have targeted infrastructure sites. In the Middle East, low-tech incursions are paired with digital surveillance to locate vulnerabilities.
Real-world examples show how determined individuals with minimal tools and some insider knowledge can compromise a facility faster than most cyber adversaries, with a far longer-lasting impact. In the breach at RAF Brize Norton, two individuals using basic tools and repurposed fire extinguishers accessed an active runway, disabled aircraft engines with paint, and left undetected. It had a real tactical impact.
Modern adversaries don’t think in silos. They use physical access to exploit digital systems and digital tools to plan and enable real-world attacks. Yet many UK data centres still rely on outdated assumptions: that perimeter fencing, keycard access, or an onsite guard is enough to deter today’s attackers.
Five steps every data centre operator must take
To meet the hybrid threat, operators need to test their physical defences as rigorously as they test their firewalls. That begins with rethinking resilience not just as a compliance task, but as an adversarial challenge, because the adversaries are already adapting.
Here’s what that means in practice:
1. Unify physical and cyber security governance
In most data centres, cybersecurity and physical security are managed by separate teams. That siloed model no longer works. Operators must transition to a unified security framework, incorporating integrated threat detection, shared risk models, joint incident response, and centralised accountability.
2. Design infrastructure for containment, not just prevention
Resilient data centres should be designed to contain threats through strict segmentation, isolated backups, and regularly tested recovery drills.
3. Secure building management and facility OT systems
Today’s data centres rely on IP-connected Operational Technology. These systems often sit outside core cyber monitoring, making them low-hanging fruit for attackers. Treat your critical building management and infrastructure OT with the same protection as your production environments: monitor them, patch them, and isolate them.
4. Test your physical security like you test your networks
Cyber red teaming is standard. Physical red teaming is less so. But it only takes one person slipping through a gate, using a copied ID badge, or following someone inside without being checked to undo millions spent on cybersecurity. Operators should routinely test physical access controls, conduct realistic covert intrusion simulations, and ensure frontline staff are trained to recognise suspicious behaviour, not just digital anomalies.
5. Train for real-world hybrid scenarios
Run training that reflects real-world situations, such as a cyberattack occurring during a protest or the spread of false information while an alarm is sounding. These types of mixed threats are becoming increasingly common, so your teams need to be prepared for them.
Remember: regulation isn’t everything
Being added to the UK’s Cyber Security and Resilience Bill is a positive step, but waiting for compliance deadlines is not a measure of resilience. The most secure operators are already moving faster: fusing physical and cyber posture, running red teams across both domains, and embedding security into every layer of infrastructure design.
Security is no longer about systems – it’s about strategy
The reality is this: data centres are not just digital infrastructure, they are strategic assets, and increasingly, strategic targets. The organisations that run them must evolve accordingly.
As someone who’s operated in environments where threats are asymmetric, unexpected, and deeply strategic, I’ve seen how attackers exploit the gaps between protocols. They don’t care about your audit report. They care about access, impact, and optics.
So, if your cyber team is hardened but your back gate is unsecured… they’ll find it.
If your SOC can detect a DNS anomaly in milliseconds, but your staff miss a suspicious van parked near a power supply… they’ll exploit it.
And if your incident response plan assumes a digital-only breach, you’ll be caught flat-footed when the real threat enters through a fire exit.
Take action and unify defences
The UK’s regulatory shift is a start. But the risk is evolving faster than the policy. Every data centre operator now has a short window to get ahead of the threat. To break down silos, test their resilience under real-world conditions, and unify their defences before attackers do it for them.
This isn’t about paranoia. It’s about preparation. Because in a world where data is power, the facilities that house it will always attract those who seek to undermine it: digitally, physically, and often both at once.