Why Physical Security is Not Enough to Protect UK Data Centres

With data centres now deemed critical infrastructure, organisations must evolve beyond traditional security to combat sophisticated cyber threats. By Jon Mort, CTO, The Adaptavist Group.

Tuesday, 19th November 2024. Posted by Phil Alsop.

The UK government recently granted data centres Critical National Infrastructure (CNI) status, recognising their vital role in powering the British economy and underpinning other essential public services such as healthcare and finance. Data centres join the CNI lineup alongside industries like energy, water, transport, and health, and are now entitled to financial support from the government in the event of critical incidents.

Although all industries with CNI status share common characteristics, data centres face unique, compounded security challenges. Traditional CNI industries like water or transport mainly focus on physical risks, such as infrastructure damage, but data centres are uniquely susceptible to both physical threats and severe cyber-attacks.

What separates data centres is that, while they still face physical security challenges (equipment failure, flooding or fires can lead to significant outages and millions in losses), they are also highly susceptible to cyber-attacks. Unlike industries where physical risks dominate, data centres are critical digital hubs, amplifying the damage potential of cyber-attacks across multiple sectors.

Physical security measures, though necessary, are only the first line of defence in what should be a multi-layered digital defence system. Think of a data centre like a modern bank. While vault doors and security cameras are essential, the greatest threats are not limited to physical break-ins; they wield code.

Taking a cyber-first approach to security

Recent incidents like the NHS ransomware attack have shown how quickly cyber threats can spread throughout highly interconnected systems, highlighting the need for cyber resilience among services powered by data centres. However, achieving this requires new approaches.

Ransomware, malware, DDoS, and other attacks add layers of complexity to the risk landscape in CNI industries. For data centres, which underpin many of these critical services, the increased use of AI, intricate software ecosystems, and cloud infrastructure further compound this risk, making advanced, multi-layered defences essential.

Protecting data centres from these new and evolving cyber risks requires a shift from reactive defence to proactive, preventative action. As the UK government promotes economic growth and the proliferation of data centres, developing guidelines to meet the expanding complexity of digital infrastructure and the greater risk of cyberattacks is critical.

Security must be integrated from start to finish, from design and development to deployment and operation. This is the only way to ensure risks are identified and reduced before they become breaches, guaranteeing a more secure and resilient digital ecosystem.

Meeting the challenges of complexity

The growth of AI-driven software and cloud-based infrastructure has exposed the UK's businesses and national infrastructure to a wider array of vulnerabilities. Cybercriminals increasingly exploit weaknesses in software, networks, and human behaviour to penetrate systems and disrupt critical services, making these interconnected systems increasingly challenging to secure.

This makes regular vulnerability assessments essential for uncovering and preventing attacks. Assessing both hardware and software configurations in addition to third-party dependencies can help organisations pinpoint potential weaknesses before they can be exploited.

With human error becoming a common factor in cybersecurity breaches, prioritising employee training and strengthening internal procedures is also essential. Organisations must equip their staff with the skills to recognise threats like phishing attacks; doing so can significantly improve the overall security of data centres. Given that many breaches are linked to preventable mistakes in processes, a strong focus on education can help avoid similar issues.

Moreover, encouraging a culture where employees feel empowered to report concerns and take initiative, regardless of their role in the company, fosters a more secure and comfortable environment. This kind of open communication enhances not only security but also the organisation's ability to address problems swiftly and effectively.

Next Steps for Essential Data Protection

Security certifications play a pivotal role in establishing trust and maintaining high security standards. Obtaining these certifications forces organisations to implement rigorous procedures, ensuring adherence to best practices that strengthen data centre security.

Documentation is a key aspect of this process, ensuring policies, protocols, and incident responses are well-documented and accessible. Such thorough documentation not only standardises operations but also serves as a critical tool during post-incident analysis, helping to minimise damage and speed up recovery efforts in the event of a breach.

Cross-sector collaboration between governments and industries is essential for developing robust practices that safeguard both physical assets and the digital services supported by data centres. Governmental regulatory guidance should emphasise improving operational resilience, ensuring IT systems are well-prepared to withstand cyber threats.

Future-Focused Cybersecurity

As cyber threats become increasingly sophisticated, organisations must take a future-focused approach to securing data centres. Moving beyond the physical realm, there needs to be increased focus on securing interconnected systems, including cloud platforms, software, and AI applications. This can only be achieved through a holistic cybersecurity framework that considers regular assessments, comprehensive training, and collaboration with both private and public sectors. To ensure resilience in the digital age, data centres must adapt to evolving threats and continuously improve their cybersecurity stance and strategy.