Increased Threats Against Data Centers From Terrorists, Thieves Have Developers Prioritizing Security

Data centers are becoming high-profile targets, making physical security a priority for data center developers. 

Physical security has always been a consideration for data center operators, but these facilities are facing a wider range of threats than ever before. While the industry used to tout its “security through obscurity,” the rapid digital transformation of the past three years has raised the sector’s profile in the public’s consciousness and made data centers and their high-tech tenants appealing targets to an array of politically and ideologically motivated actors.

In this environment, developers are making sure they have the ability to incorporate the specific security demands of the largest hyperscalers in their designs, a must if they want any chance of landing them as tenants. At the same time, data center builders have seen an increase in security incidents, as long lead times on equipment mean more valuable machinery sitting at construction sites for longer periods of time.

Beyond the loss of material, these incidents can delay projects by months and lead to hundreds of thousands of dollars in lost revenue, according to experts speaking at Bisnow's DICE South event Oct. 20 at The Westin Dallas Downtown.  

“Data centers have this really unique spot where they represent something that domestic terrorists and criminals both want, but for different reasons,” said David Grantham, chief deputy intelligence and technology officer for Tarrant County, Texas. “One wants material. To the other, data centers represent storage of personal information, privacy violation, government intrusion … you name it.”

Security professionals say physical threats against data centers are growing in number and severity, with some of the more high-profile incidents making headlines.

In 2021, the FBI arrested a man they say purchased C4 explosives with the intent of destroying an Amazon Web Services data center in Loudoun County, Virginia, after the company refused to host a website favored by far-right extremist groups. In March, Swiss police began providing extra security at a data center hosting the SWIFT financial system after the service dropped Russian banks following the invasion of Ukraine. 

Data center tenants are acutely aware of the problem. Strengthening security was the top concern of 700 IT professionals surveyed by data center maintenance provider Service Express.

There may be more threats than ever, but concerns around physical security are nothing new for data center operators, designers and builders. The industry has long been secretive about the location of facilities and the identity of the tenants whose servers are housed within.

Measures like security fencing, sophisticated access and surveillance systems — even robotic guard dogs, in the case of one Utah data center — have been standard for years. But as the profile of the industry has grown, so has the sophistication of potential attackers.

“You can go on Reddit or any of the other alternative messaging websites and you've got details of our buildings: If you want to target a data center, here's how the cooling system works, if you want to take that part down, or the power systems or the water supply for the cooling plant,” said Tim Atchison, NTT Global Data Centers’ regional security manager for the Western U.S. “It's becoming a much more dynamic threat environment.”

In response to these threats, the hyperscale cloud and social media companies driving the industry’s record leasing numbers — mainly AWS, Google, Microsoft and Meta — have developed increasingly complex and customized security specifications and protocols for data centers that house their IT infrastructure.

For major data center providers, which increasingly live and die with their ability to develop facilities for these hyperscalers faster than their competitors, this means incorporating these shifting specs and standards into their designs and prioritizing favored security systems in their procurement processes. 

“We have to meet the expectations of the hyperscale clients, or we don't even get a seat at the table,” Atchison said. “So it's important for us to update our standards, keep them current and move with the trends in the industry, or we're at a significant disadvantage.”

Atchison said that in order to win hyperscale bids, adhering to the tenant’s specific security standards, from specific biometric scanners to design elements that discourage would-be attackers, now needs to be treated with the same importance as any of the data center’s critical systems. This adds yet another layer of complexity to a design and build process that has already become significantly more convoluted in recent months due to supply chain constraints and labor shortages.

“We'll go through plans one page at a time and ensure that everything is exactly where it should be to meet the client requirement,” Atchison said. “We have to essentially visualize the facility from every pathway in to make sure we're meeting the compliance that our clients are expecting.”

Panelists at DICE South said they are also seeing an uptick in security incidents during the construction process itself, although in this case, the threats aren't from politically or ideologically motivated attackers but from thieves.

As data center build-outs become ever more common, criminal syndicates are increasingly aware of what kinds of equipment and building materials may be left on job sites unsecured. And long lead times are forcing builders to order equipment further in advance, meaning expensive gear can sit on build sites — tempting targets — for much longer than in the past. 

“Because we have long lead times on certain items, it's important that we secure those items,” Atchison said. “When we're bringing in transformers and just leaving them in a lot, that's a lot of copper that's sitting right there.”

The financial impact of these security breaches extends well beyond the cost of the lost items, experts say. Supply chain constraints mean replacing stolen items can cause significant delays. In the midst of a severe labor shortage, even small delays due to theft can throw carefully orchestrated construction logistics into chaos. 

“It’s causing shutdowns of anywhere from a day to a couple of weeks, and that really does have an impact on the schedule and the cost of your projects and when you're able to go live and turn over a site to a customer,” said Amy Dunton, a business development manager with security barrier provider Ameristar. “If you have to shut down, there's not only added cost to that, but also, where does that leave you with the GC or contractors that you have scheduled that might now have to go somewhere else?”

According to Dunton, avoiding this kind of theft is generally a matter of common-sense solutions, such as ensuring that valuable equipment and other potential targets of theft are secured or kept out of sight. But when it comes to implementing more effective security measures in completed facilities, experts say the data center industry does itself a disservice through a culture of secrecy.

Operators are hesitant to share insights into the specifics of their security practices for fear of revealing proprietary designs or systems. Similarly, security incidents are often kept quiet out of embarrassment or fear of reputational damage. 

“If you're sharing information, we can tell you the trends we’re seeing, such as that they are targeting cooling systems,” Tarrant County’s Grantham said. “But they don’t want to share information because it's either embarrassing or it could hurt the value of the company if it became known.”