This relatively chaotic period has made data center operators increasingly worried about their facilities’ physical security. This had been true even before FBI announced the AWS data center bombing plot it foiled by arresting the alleged bomber-to-be.
Whether their current sense of unease is leading operators to action of some sort is unclear. Most of the ones we’ve talked to are, understandably, tight-lipped about any specific precautions they may have been taking beyond the standard security best practices.
"Data centers were always something out of sight and out of mind, but that’s not the case today," Fred Burton, formerly a State Department counter-terrorism deputy chief and US Diplomatic Security Service special agent, said. "You can do some tremendous cyber-stalking."
Burton is now executive director of the Ontic Center for Protective Intelligence, which provides a software platform that feeds physical-threat intelligence to organizations’ security teams.
A data center operations executive with one of the largest colocation providers in the US, who spoke with DCK on condition of anonymity, said customer inquiries about the company’s security processes in the wake of the pandemic and following the AWS incident have risen.
“Any time you have some of these national press events it causes a heightened state of review with our customers,” he said. “It’s a significant concern for our customer base.”
But the company hasn’t made any changes in response. “It just reinforces the practices we have and the work we’ve already done on design and operations, on continual drilling, and on the relationships we maintain with local and national law enforcement,” he said.
A senior engineering executive with the same colocation provider, who also spoke on condition of anonymity, said site security has always been a factor in selecting locations for new data centers.
“It’s been that way for decades now,” he said. “It’s one of the things we look at when picking a site,” in addition to business needs, networking, and power infrastructure.
Pandemic, Social Unrest, Economy Drive Up Threat Levels
More than 70 percent of chief security officers and physical security decision makers Ontic recently surveyed (sample size: 300) said physical-threat activity has "dramatically increased" since the beginning of 2020. More than one-third of respondents said physically protecting corporate data was their biggest security challenge and about the same percentage said they were worried about reduced security headcoun due to the economy.
Still, 80 percent said they expect their physical security budget to increase this year, most of them attributing the increase at least partially to the pandemic. On top of the pandemic, there were concerns related to political unrest, both due to racial-justice activism and far-right protests and attacks.
Just under one-third said a growing amount of physical threats and company backlash spurred by political unrest kept them up at night – before news of the AWS data center bombing plot broke.
Even if a data center isn’t a political target, the current economic disruption can exacerbate regular physical-security threats, Burton told DCK.
Earlier this month, a fired security employee at a Microsoft data center in Cheyenne, Wyoming, returned to the facility with a gun. Employees were told to hide and eventually evacuated the building. The gunman was arrested.
Burton’s advice to data center security managers is to use this moment of heightened anxiety as an opportunity to review physical security at their facilities. "You want to make sure that you have a good physical security footprint and that you are actively looking for threats that may affect your facilities," he said.
Even those who are already following best practices could look at ways to become more efficient and to liaison with groups like the FBI's InfraGard. It’s also prudent to reach out to local law enforcement.
"You can ask them for enhanced patrols around your facilities," Burton said. "Depending on the [police] workload, in some cities it may be impossible, but in my experience, if you go to them and ask for help, you tend to get that help. And make sure you’re taking advantage of localized reporting about general crime and mayhem."
The AWS data center bombing plot is a reminder of the vulnerabilities in the data center sector, he said.
"In my career I've unfortunately experienced the carnage that can be caused, and this was the kind of incident you want to be on the forward leaning end of," he said. "Ferreting out threat information is hard work, and neutralizing plots before they develop is one of the biggest challenges in this space. So, job well done by the FBI."
A Teachable Moment
The story’s high profile could open a window of opportunity for security managers to convince senior management to “fund security properly,” Leo Taddeo, CISO at colocation provider Cyxtera Technologies, suggested.
"You want to make sure you have as much physical security as possible, a larger guard force, having the facility further away from areas that can be used to launch attacks," Taddeo told DCK.
"The data center industry can take lessons from other sectors, like the oil industry. Oil drilling and exploration takes place in some unstable areas of the world."
The politically motivated AWS data center bombing plot represents a new threat escalation, he said. "The domestic-terrorism aspect is clear in this case. I think this is new. I have not heard of something like this before."
Other types of critical infrastructure have previously been targeted domestic terrorists, he said. "Data centers being more and more closely aligned with infrastructure [today] brings them into the target set for a domestic terrorist," he said.
Physical Security Is Part of Being in the Data Center Business
All the existing basic principles of physical security still apply.
"You should have proper procedures and make sure that procedures are followed," Taddeo said. "You should have connections with law enforcement." Data center operators should be prepared for protests, active shooters, and run-of-the-mill criminals as a matter of standard practice.
He declined to say whether Cyxtera has been making any changes to its data center physical security practices. "That would be something we’d rather not talk about," he said. "We take it seriously; we’re committed to it. But specifics is something we’d rather not [discuss].”
At least in the US, physical attacks on data centers by either foreign powers or domestic terrorists haven’t been common. "A nation-state isn’t going to risk having a physical presence in the US to conduct a physical attack, so those attacks have thankfully been limited to cyberattacks," he said.
Flexential, a major US data center provider, constantly evaluates threats and adapts as needed, all part of its regular risk-management program, David Kidd, its senior VP of governance, risk, and compliance, told DCK.
"As a part of our risk management program, we are constantly evaluating potential threats to our operations and adapting as needed," he said. "We have an excellent team of professionals focused to secure our operations and protect our customers IT infrastructure."
Incidents like the AWS bombing plot, as well as last year’s vehicle-bomb explosion in downtown Nashville (FBI released a report on the incident two months ago), are the types of threat intelligence Flexential considers when responding to ongoing changes in the security landscape, he said.
"Flexential data centers are designed, built, and operated to be highly available and highly secure," Kidd added. "Data center access is carefully controlled in coordination with our customers to provide vetted access to customer information systems. Access to critical infrastructure space is further limited to support our commitment to uptime. To respond to potential threats, Flexential has implemented a risk-based, layered security program from the site perimeter inward to individual IT systems."
Other major data center providers DCK contacted for this story, including Equinix, Digital Realty, CyrusOne, Switch, Iron Mountain, and TierPoint, among others, either declined to comment or did not respond.