War in Middle East raises concerns about physical data center security

The war with Iran has added a new dimension to data center security: aerial attack. AWS data centers in Dubai and Bahrain were targeted in drone attacks by Iran earlier this month. The chance of a drone attack on an AWS facility, or any other, for that matter, inside the United States is extremely low but not impossible. So, do data center operators need to start putting surface-to-air missile batteries around their facilities? First of all, they can’t by law. And second, that’s not the real threat, says John Bekisz, vice president of the data center and critical infrastructure practice at Guidepost Solutions, which works directly with operators on physical security strategy. However, there is the potential for physical attacks by other means, such as car bombs and smuggled explosives. Data centers have been a target long before Iran directed drones at them. “Data centers are high-value assets, and our clients see them as targeted facilities. We do consider them critical infrastructure, and we protect them as such, right? And that includes not just physical deterrence, physical protection, but also data protection, right? Redundancies, failovers, things like that,” Bekisz said. Bekisz said that there have been incidences where data centers have been breached by intruders, but they were quietly kept out of the media so as to not raise alarm, because these are the exception rather than the rule and no real harm was done. The most common issue that Guidepost talks about with its clients is insider threats, which can be anyone that is rightfully permitted into your data center. Data centers have very strict rules regarding movement of visitors, but employees pretty much have free rule of the place. “Insider threat could be someone simply putting a USB stick in a server or having access to a data device that they’re not supposed to,” he said. “A threat actor could potentially cause harm within the facility, whether that’s mechanical, electrical, plumbing spaces or the data halls themselves is our number one preventative item that we’re trying to thwart.” When it comes to external threats, Guidepost looks after vehicle-borne IEDs and vehicle ramming, even if it’s accidental. That’s why data centers have high, anti-climb perimeter fences, multi-layered gates. and vehicle barriers that are put in place help to prevent any unwanted vehicles outside of the facility. “It’s a lot of what we call Crime Prevention Through Environmental Design,” said Bekisz. “It’s a theory that we utilize in our industry for ensuring that we are detecting and thwarting individuals before they are willing to commit some type of offensive action or some type of unwanted behavior.” That includes simple things like lighting right or reducing the visibility of the data center through shrubs and trees and berms and using that in consortium with physical preventative devices. Drones are a growing problem, even if they are not being used in kamikaze attacks. Bekisz said the only thing you can do is put in drone detection, so you have some type of device in the air in the area of your facility, and then you call for support from local emergency services. AI can also help by offering video surveillance that’s far more involved than passive CCTV systems or video surveillance. Modern security is leveraging artificial intelligence to identify patterns and abnormalities within that data so facilities can now bring to the attention of a security officer something that’s an abnormality or not normally supposed to occur. “We want the officer to spend more time responding to and dealing with incidents, not necessarily just sitting there and waiting for something to happen,” said Bekisz. Data center operators need to ensure that they are performing regular threat assessments on their facilities, risk assessments on their facilities, so that they are aware every single day, said Bekisz. “Threat vectors change. When something new occurs, they need to make sure that if they need to modify or update their security posture, that they’re aware of what’s happening in the industry and in the globe, performing those risk assessments,” he said.