As data centers continue to grow in popularity, they also become susceptible to more attacks, both physical and cyber in nature. In this Q&A article, former law enforcement officer Brian Higgins of Group77 discusses some of the concerns that facility managers of data centers must worry about.
FN: With so many different variations of attacks, it might be difficult to focus on what to adjust or prioritize. What are some of the most prominent vulnerabilities with these facilities? What are common targets?
Higgins: Data centers tend to have a consistent set of physical vulnerabilities. These weaknesses are not usually found at the front door, but at the edges of operations.
Perimeter gaps and stand-off distance: The outer perimeter is often the first and sometimes weakest layer of defense. Inadequate fencing, poor lighting or limited stand-off distance can allow intruders to approach buildings undetected. Facilities built on constrained sites may lack sufficient buffer zones, making them vulnerable to vehicle incursions or ramming attacks.
Loading docks and service entrances: Loading docks are among the most common targets. They are designed for throughput, not confrontation, and typically see frequent contractor traffic. Tailgating, unsecured roll-up doors and inconsistent guard coverage create opportunities for unauthorized access or reconnaissance.
Power infrastructure: Electrical substations, transformers and generator yards are prime targets because they offer impact with relatively low effort. Disabling external power feeds or backup systems can take a data center offline without ever breaching the main structure. These assets are often outside hardened envelopes and protected by minimal barriers.
Other common vulnerabilities, include fiber and communications pathways, rooftop and mechanical systems, insider and credential abuse and security technology blind spots.
The reality is that most data center incidents do not involve dramatic break-ins or armed assaults. They hinge on overlooked details — an unlocked gate, an unmonitored transformer, a contractor entrance assumed to be low risk. Those small vulnerabilities can have very large consequences.
FN: Should businesses bridge the gap between physical and cyber awareness, and how can this be managed?
Higgins: For years, physical security and cybersecurity have operated in parallel universes — separate teams, separate tools and separate conversations. That separation is becoming increasingly untenable.
Attackers already understand the convergence. They know that a stolen badge can be as valuable as stolen credentials, and that disabling a camera system may be easier through a network than with a bolt cutter. Meanwhile, organizations that treat physical and cyber threats as distinct, separate problems often miss early warning signs.
Bridging physical and cyber awareness does not mean merging teams overnight. It means creating shared visibility and responsibility. There are two effective approaches for this:
Integrated monitoring: Physical access events, video alerts and environmental alarms are visible alongside cyber logs and network alerts. This allows analysts to correlate events instead of investigating in isolation.
Joint threat modeling: Physical and cyber teams should assess facilities together, identifying where a physical breach could enable a digital one or where a cyber compromise could disable physical safeguards.
Businesses that bridge physical and cyber awareness move from defending assets to managing risk holistically. They spot patterns earlier, respond faster, and recover more effectively.
As data centers grow more complex, the question is no longer whether businesses should bridge the gap between physical and cyber awareness, but how quickly they can do it.
FN: What are some preparations that data centers and other institutional and commercial facilities can take to negate these attacks? What steps can be followed to prevent any of these attacks in the future?
Higgins: As threats against data centers become more deliberate and more sophisticated, preparation has shifted from a defensive afterthought to a strategic priority. The most resilient businesses are no longer asking how to respond to an attack, but how to prevent one.
Start with layered defense: Effective protection begins with depth. No single barrier, guard or system is sufficient on its own. Facilities that perform best under stress rely on multiple, reinforcing layers: perimeter fencing with stand-off distance, controlled vehicle access, monitored entry points and hardened building envelopes. Each layer is designed to delay, detect and deter — buying time for response.
Harden the “soft” assets: The most critical preparation often involves assets outside the main data hall. Electrical substations, generators, fuel tanks, cooling plants and fiber entry points should receive the same attention as the primary facility. This includes physical barriers, tamper detection, lighting and surveillance.
Control access: Access management remains one of the most effective preventive measures. Strict badge controls, anti-tailgating technology, escort requirements for vendors and regular credential audits reduce the risk of insider misuse and credential abuse.
Design for vehicle threats: Facilities can reduce risk through traffic calming measures, reinforced gates, crash-rated barriers, and thoughtful site layout that separates public roads from critical infrastructure.
Invest in detection, not just deterrence: Cameras, sensors, and alarms are only effective if they are actively monitored and tied to clear response protocols. Overlapping camera coverage, intrusion detection on fences and gates and monitoring of utility spaces help ensure that suspicious activity is identified early.
Train for reality, not theory: Preparedness lives or dies with people. Regular drills, tabletop exercises and joint scenarios involving security, facilities, IT and leadership build muscle memory. These exercises should reflect realistic threats, not just fire alarms or power failures.
Integrate planning: Many preventive steps sit at the intersection of physical and cyber domains. Shared situational awareness between teams helps spot early indicators that might otherwise be dismissed.
Plan for recovery, not just prevention: No preparation eliminates risk entirely. Smart facilities plan for rapid recovery by pre-staging replacement parts, maintaining vendor agreements and rehearsing restoration procedures.
Preventing future attacks is less about predicting the next tactic and more about closing known gaps. Organizations that continuously assess, test and adapt their defenses reduce not only the likelihood of attack, but the consequences when something goes wrong.
In a world where uptime equals trust, preparation is no longer a security function alone. It is a core business imperative.
Alexis Sheprak is a freelance writer based in Royal Oak, Michigan.
The Looming Threat Landscape for Data Centers
Vulnerabilities Loom for Data Center Security
