Physical security and cybersecurity have historically been managed as distinct disciplines in data center operations — separate teams, separate budgets, separate incident response plans. For mission-critical AI infrastructure, this separation is increasingly a liability, as the systems that control physical access, cooling, and power are themselves networked, software-driven, and therefore exposed to cyber risk in ways earlier generations of purely mechanical or analogue building systems were not.
Where Physical and Cyber Risk Now Genuinely Converge
Modern building management systems, cooling control platforms, and physical access control systems are built on networked software architectures, often incorporating remote monitoring and management capability for operational convenience. This convenience comes with a corresponding expansion of the facility's cyber attack surface — a successful intrusion into a building management system could, in principle, affect cooling performance, power distribution, or physical access control, with consequences that are physical, not merely informational.
This convergence means a comprehensive security strategy for a mission-critical facility has to treat physical and cyber risk as a single, integrated discipline, rather than two parallel programmes that happen to share a building.
Practical Elements of an Integrated Approach
- Building management and cooling control systems should be held to the same cybersecurity hygiene standards — patching, network segmentation, access control — historically reserved for core IT systems
- Physical access control should be integrated with broader identity and access management practices, ensuring consistent policy enforcement across both physical and digital access pathways
- Incident response planning should explicitly address scenarios where a cyber intrusion has physical consequences, or where a physical security breach is used as a vector for a subsequent cyber intrusion
- Vendor and third-party access — for maintenance, monitoring, or support — needs governance that treats these external parties as a genuine attack surface, not an exception to normal security policy
A facility with excellent perimeter fencing and an unpatched, internet-connected cooling control system has not solved its security problem — it has simply moved the vulnerability somewhere less visible.
Critical Infrastructure Designations Are Raising the Bar
As more jurisdictions extend critical infrastructure designations to large data center facilities, specific regulatory security and resilience obligations increasingly apply — obligations that typically assume, correctly, that physical and cyber risk cannot be addressed in isolation from one another. Facilities anticipating or already subject to these designations should expect compliance requirements that explicitly demand integrated, rather than siloed, security governance.
Building Converged Security Into Facility Design
Designing for converged cyber-physical security from the outset — rather than bolting cybersecurity controls onto a physical security system designed without that consideration — is considerably more effective and less costly than retrofitting integration after a facility is already operational. DATAPERT incorporates this integrated security perspective into the advisory work we conduct as part of broader data center development programmes. Start a project to discuss a cyber-physical security strategy for a mission-critical facility.
