Article

Why data centers are high-value targets for cyber attacks

Why data centers are high-value targets for cyber attacks

Ask a room of data center operators about cybersecurity and you will hear a dozen answers, many circling one theme: tenant responsibility. But that’s only half the story. As data centers surge in size, density, and interconnection, they have become part of our critical infrastructure, making the facilities themselves high-value targets.

In brief

Data centers have become high-value cyber targets as AI-driven demand increases their scale, density and interconnection, widening the attack surface across facilities, systems, suppliers and control planes.

Operators cannot rely solely on tenants to manage cyber risk: the resilience of the physical plant, including power, cooling, backups and building management systems, remains a core operator responsibility.

Attacks on operational technology could cause serious disruption, from missed SLAs and tenant outages to physical damage such as overheating GPU clusters if cooling systems are compromised.

Strong cyber defence requires tested incident response plans, clear recovery time objectives, validated backups, IT/OT segregation, continuous monitoring and the ability to sustain minimum viable operations during an attack.

Regulatory and contractual expectations are rising, particularly around incident reporting, resilience and accountability, making cyber preparedness central to maintaining trust in data centers as critical digital infrastructure.

By the end of 2025, the U.S. was host to between 4,000 and 5,000 data centers, and the EU to more than 2,000, with capacity accelerating to feed AI compute. Scale breeds complexity, complexity widens the attack surface, and adversaries notice. Cybercriminals, nation-state actors, and financially motivated threat actors follow opportunity; they don’t stop at the cage door. A resilient posture demands a broader view of shared responsibility, one that spans the physical plant, control planes, supply chains, and the operational technology that keeps the lights on.

Why are data centers an ideal target for cyber criminals?

Data centers are attractive targets precisely because scale multiplies exposure. As facilities expand in footprint, density, and interconnection, every additional rack, application programming interface (API), contractor badge, and control interface compounds the attack surface a threat actor can probe. That exposure is intensified by dependency on tightly integrated operational technology: power distribution, cooling systems, building management, and backups. While each subsystem is engineered for reliability, in combination they can create cascading single points of failure if compromised in a coordinated campaign.

The stakes are high. Even brief disruptions can trigger missed service level agreements, contractual non-performance, and downstream harm to tenants who cannot deliver their own services. More severe intrusions risk physical damage: tampering with cooling controls, for example, could disrupt airflow or disable chillers, forcing shutdowns or causing graphics processing unit (GPU) clusters to overheat. 

Critically, these core-facility risks cannot be papered over through lease terms or pushed onto tenants. The resilience of the plant itself, from its control planes to redundancies and its ability to respond to an incident, remains the operator’s burden and a central pillar of sector-wide cyber readiness.

Additionally, this allocation of responsibility is increasingly reflected in regulations. In the EU, for example, data center operators, and cloud computing and managed service providers, may each be subject to cybersecurity risks management and incident reporting obligations under the NIS2 framework.

The keys to good diligence and cyber defense

Foundational cyber hygiene still matters and can stop many attacks; preparedness begins well before an incident. Operators can develop, test, and regularly revise an incident response plan with scenario-specific playbooks (e.g., for ransomware, control failures, and distributed denial of service (DdoS) attacks that overwhelm networks with fake traffic, etc.). 

Moreover, operators should understand system interdependencies and failure modes across both information technology and operational technology so teams understand what breaks together, what can be isolated, and how to maintain minimum viable operations.

Knowing what your minimum viable operation is remains critical to determining recovery time objectives or recovery time objectives (RTOs). And RTO is more than just a buzzword, it is top of mind for regulators in this space, especially for those investigating after attacks. Regulators are expecting defined RTOs for critical services. These can only be approximated when operators measure and rehearse failovers to backups. In addition, operators need to regularly validate backup integrity, immutability, and restoration time rather than discovering them mid-incident!

It is important to seriously consider how containment between IT and operational technology (OT) systems will look. How effectively and quickly can these systems be segregated in an attack situation? What workarounds are in place in the event of an IT shutdown? For more sophisticated operations, consider moving to a Zero Trust strategy, especially for OT. Also on this point, think about how systems will be recovered. Can an investigation be run remotely? 

Another key practice is continuous monitoring and logging across both IT and OT assets. Logs should be kept and centrally tracked; mid-incident is not the time to pull local logs off numerous systems. 

Operators should plan for their legal and tenant obligations. Contracts and SLAs should anticipate incident realities, including coordinated security responsibilities (i.e., between tenants and critical suppliers), notifications, and regulatory reporting. The latter, in particular, is becoming increasingly legalized with numerous incident-reporting obligations coming online globally. In the EU, for example, the NIS2 framework requires operators to make an initial notification shortly after becoming aware of a significant incident, followed by more detailed reporting on its severity, impact, root causes and any remediation measures taken.

Relatedly, operators must understand how any existing insurance products, including cyber coverages, will defray the costs associated with a cyberattack and whether any gaps exist. 

What do operators need to look out for?

The lesson for operators is straightforward: treat the facility itself as an asset with cyber vulnerabilities. Scale, interdependence, and the convergence of IT and OT make modern data centers uniquely exposed, and no amount of lease language will shift all that risk. What does move the needle is disciplined execution of the basics applied with the specificity that critical infrastructure demands. 

As AI accelerates compute growth and adversaries spot the opportunity, resilience becomes less about perfect prevention, which is impossible, and more about rapid containment and secure recovery. Operators who can demonstrate how they will isolate an attack, sustain minimum viable operations, and hit defined RTOs will not only satisfy regulators and tenants, they will preserve trust in the digital backbone those tenants rely on. 

A version of this article was originally published by Dow Jones Risk Journal

Related capabilities