Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Data Centre Solutions is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Data Centre Solutions Video magazine contains the latest Zoom interviews with experts in the industry.
Artificial intelligence is reshaping the data centre industry. From consumer chatbots to business-spanning agentic systems, the skyrocketing use of AI is creating ever-greater infrastructure requirements. Morgan Stanley estimates that around £2.2tn will be spent on data centres supporting AI between 2025 and 2029. The demands of AI are at the forefront of the exponential data centre growth forecast for the next few years.
But alongside the increasing footprint, the growth of AI also risks making data centres a more viable target for cyber threat actors. The more we rely on AI, the greater the impact of a disruptive attack on data centres hosting critical AI capabilities. Data centres have already been recognised as critical national infrastructure, and they must be ready to face the same threats as critical sectors like energy, water and healthcare.
Why AI data centres are attractive targets – and why availability is the real risk
AI has become an essential strategic asset, going beyond individual organisations to shape economic competitiveness, industrial innovation and national capability. As a result, the infrastructure that enables AI carries significance well beyond the data centre perimeter.
Disrupting a facility that concentrates enormous compute power, energy consumption and economic value can ripple through dependent services, markets and entire sectors. Taking out the centres supporting major AI providers like Google and OpenAI would be just as disruptive as hitting traditional critical CNI like a power grid.
When AI platforms that organisations depend on suddenly become unavailable, the disruption is immediate and highly visible. Development pipelines stall, analytics platforms go dark, and downstream services are affected at scale. In an AI-driven economy, even temporary outages can translate into significant financial loss, reputational damage and loss of confidence.
That makes AI data centres attractive not only to financially motivated attackers seeking to disrupt for ransom payments, but also to more advanced groups working on behalf of nation states to undermine a rival’s technological and economic advantage.
Power, cooling, water, and automation are the cyber-physical backbone of AI data centres
Safe data centre operation depends on a tightly coupled web of automation systems. HVAC, building management systems, power controls, environmental monitoring and a variety of smart management systems, continuously assess conditions and make real-time decisions to keep temperatures and loads within safe limits. A data centre can have hundreds of such devices, from controllers via redundant communication networks to SCADA (Supervisory Control And Data Acquisition) platforms, their relative data bases, backups systems, electricity generation / distribution equipment and much more.
AI workloads place unprecedented strain on the physical infrastructure that keeps data centres operational. High-density compute demands enormous amounts of electricity and generates extreme heat, pushing facilities far beyond the operating profile of traditional enterprise environments.
While the industry is adapting to these increased demands, the long lead time for new centres means that most facilities will always be slightly beyond the curve. Building a data centre is one thing, but building a power station to feed it if the local grid is insufficient is another, with different time, complexity, and vulnerability factors.
These complex environments are also heavily reliant on third-party suppliers for maintenance, both on-site and through remote access. Each access point adds another attack path that can be exploited by cyber threat actors.
Sites can also be disrupted by targeting the surrounding infrastructure supporting power and water needs. Disrupting any part of this cyber-physical backbone need not cause physical destruction to have consequences. Even subtle interference can degrade cooling efficiency or trigger precautionary shutdowns, directly affecting availability. As AI data centres grow in scale and complexity, these physical dependencies become inseparable from cybersecurity risk.
Regulation is catching up – but clarity is still emerging
Governments and regulators have very much recognised the growing importance of data centres, particularly those supporting AI. There is an understanding that they are strategic assets rather than neutral infrastructure, and must be protected as such.
Across Europe and the UK, frameworks such as NIS2, the Critical Entities Resilience Directive (CER) and proposals to designate certain data centres as critical national infrastructure all point in the same direction. Expectations around resilience, governance and incident preparedness are rising.
At the same time, there is still uncertainty about how these facilities will be classified and regulated in practice. Data centres are economically critical, but they do not always fit neatly into existing categories designed for energy or water utilities. Questions remain over whether they will be treated as essential or important entities, and what that means for operators and their suppliers.
What is clear is that regulatory scrutiny is increasing faster than detailed technical guidance. Operators must take the initiative to secure their sites, rather than waiting for formal guidance.
What securing AI data centres really requires
Securing the CPS (Cyber Physical Systems) aspects of AI data centres requires a shift away from IT-only security models towards an approach that reflects their hybrid nature, and that will surely also include OT/ICS cybersecurity expert systems and capabilities. If automated systems that manage power, cooling or environmental controls are compromised by a cyber-attack, the issue stops being a conventional cyber incident and quickly becomes an operational one. Availability, safety and continuity take precedence over data confidentiality.
This means treating AI data centres as integrated IT and OT estates in the same way as other critical cyber-physical fields like energy.
Ultimately, resilience depends on understanding the environment first and securing what matters most.
Specific cyber and operational risk management and risk reduction programs must be adopted and must prioritise deep visibility into the operational assets that keep facilities running, including how systems interact and which components are truly critical to uptime. Tightly controlled and auditable vendor remote access is also important.
This visibility should be achieved through specialised security capabilities designed for managing cyber-physical systems. Data centres have the advantage of being relatively new builds compared to many ageing sites in other fields, but compatibility with standard domain tools remains an issue. IT tools can’t be used in industrial automation environments.
Security efforts should prioritise impact, focusing on the assets and processes whose failure would force shutdowns or disrupt dependent services. Strong segmentation between IT & OT and external access paths is essential. Monitoring, alerting and blocking the ability for threat actors to travel from one environment to another are means of risk reduction alongside exposure management and progressive vulnerabilities management. All can reduce the blast radius of a breach.
AI data centres must be treated as critical infrastructure
AI data centres now sit at the centre of economic growth, innovation and digital transformation.
As a result, the consequences of disruption extend far beyond the data centre perimeter, and operators must be prepared for the same level of threat facing other critical national infrastructure.
