Recent Research Findings on OT Cybersecurity for Data Centers

Leveraging OpenAI’s Deep Research, we explored what the data center industry has experienced and learned about cybersecurity threats and solutions for its Operational Technologies (OT), especially power and cooling.

1 Overview: OT Cybersecurity in Modern Data Centers

Data centers rely on a range of operational technology (OT) systems – including building management systems (BMS) that control HVAC and cooling, uninterruptible power supplies (UPS) and power distribution, fire suppression, and physical security systems like cameras and access controls. These OT components are critical to keeping servers running safely, yet historically they were isolated (“air-gapped”) and not designed with robust security in mind. In recent years, however, the convergence of IT and OT networks and the push for remote monitoring have eroded that isolation, expanding the cyber attack surface inside data centers. Threat actors – from cybercriminal gangs to state-sponsored groups – have increasingly shifted focus beyond traditional IT targets to data center OT infrastructure such as cooling and power systems.

Several research and consulting organizations have recognized this trend and published comprehensive analyses of data center OT cybersecurity in the past two years. These reports provide a global (excluding China/Africa) view of the risks, technical security measures, and emerging procurement trends among data center operators – especially those beyond the hyperscalers (i.e. cloud giants like AWS, Google, Microsoft, Meta). Below, we summarize key findings from these sources and how large colocation and enterprise data center operators (e.g. Equinix, Digital Realty, CoreSite, Iron Mountain, etc.) are approaching OT security.
2 Key Industry Research & Reports (2023–2025) on Data Center OT Security

Uptime Institute “Data Center Security” Research (2023–2025): The Uptime Institute – known for its global data center surveys – has devoted multiple recent reports to cyber risks in data centers. An April 2024 briefing noted that cyberattacks were responsible for up to 20% of data center outages caused by IT/network issues, and that such incidents are on the rise. Notably, Uptime warns that attackers are expanding beyond IT systems to “include critical operational technology infrastructure, such as power and cooling systems,” making OT security essential for preventing outages. Uptime’s 2023 Data Center Security Survey found nearly 50% of operators have enabled remote monitoring on key OT systems (UPS, generators, cooling controls, fire systems, physical security), though only ~12% allow any remote control of those systems. This indicates that while data centers are connecting OT devices to gather telemetry (for efficiency and predictive maintenance), most are still cautious about permitting remote commands, in order to reduce risk. Uptime’s analysts have stressed that OT outages are far harder to recover from than IT outages – you can’t simply restore a chiller or generator “from backup” – so a successful cyberattack on OT could cause catastrophic, long-term facility downtime. In a June 2025 report, Uptime dispelled the “seven fallacies” that give operators a false sense of security, warning that legacy unpatched devices and converged IT/OT networks leave many data centers more exposed than management realizes. Uptime also notes that regulatory pressure is mounting: new rules like the EU’s NIS2 directive and DORA require improved cyber controls and incident reporting for critical digital infrastructure.
Yet as of late 2024, only 12% of data center operators reported being in compliance with NIS2 requirements – highlighting a gap that is now driving increased investment in security and alignment between IT and facility teams.

Dragos “Threat Perspective: Data Center Operations” (2024): Dragos, an OT cybersecurity firm, released threat intelligence focused on data center OT in 2024. A Dragos analysis pointed out that data center cooling systems (HVAC/chillers) and power infrastructure are plausible targets for adversaries aiming to disrupt operations. They cite leaked Iranian documents and known malware (the PIPEDREAM toolkit’s OPC-UA modules) as evidence that advanced threat groups have researched or developed tactics against building management systems used in data centers. Real-world incidents in 2023 underscore the risk: for example, a lightning-induced power sag in August 2023 knocked out chiller systems at Microsoft Azure data centers in Australia, forcing a 12-hour shutdown of servers. And in October 2023, a cooling system failure at an Equinix facility in Singapore overheated parts of the site, knocking critical banking services offline for hours (2.5 million ATM and payment transactions failed during the outage). While those particular outages were not known to be cyberattacks, Dragos emphasizes that a skilled attacker could intentionally trigger similar outcomes. They warn that some threat groups have the capability to manipulate common data center OT protocols, and a successful attack on cooling or power could “cripple an entire facility” and cascade to many businesses reliant on that data center. Dragos’s report (available to their Intel customers) provides actionable recommendations for protecting essential OT – including adopting “5 Critical Controls for World-Class OT Cybersecurity” covering ICS incident response plans, defensible network architecture (segmentation), OT network monitoring, secure remote access, and risk-based vulnerability management.
In summary, the Dragos research delivers a comprehensive threat review for data center owners, highlighting both recent incidents and the tactics attackers might use against facilities.

Data Center Industry Analyses (Datacenter Knowledge, etc.): Trade publications have also addressed this topic. In a Sept 2024 DataCenter Knowledge article, Jose Seara (an OT risk expert) writes that “any digital device inside a data center that’s connected to a network could become a pathway for cyber-attacks” – not just the servers, but also “smart HVAC systems, fire suppression controls, electrical devices, and even security cameras.” The piece cites research by Cyble Labs finding 20,000+ data center OT systems (DCIM software, cooling controllers, power monitors, etc.) exposed online in 2022 – illustrating how many facilities had internet-facing controls vulnerable to attack. The author notes attackers might attempt to disrupt cooling systems (to overheat servers) or tamper with internet-connected UPS units – a known risk that led CISA to warn in 2022 about default passwords on UPS devices being exploited. In fact, unsecured UPS units have been an Achilles heel; the U.S. CISA reported that malicious actors were actively scanning for and accessing UPS control interfaces via unchanged default credentials. Such incidents have pushed operators to harden these systems (e.g. isolating or password-protecting UPS/IP-PDU management ports). DataCenter Knowledge and others also mention that over 55% of data center operators experienced some kind of outage in the past three years – and while not all are cyber-related, the high rate of outages keeps resilience top-of-mind. Notably, in Uptime’s 2023 survey about 75% of operators reported cybersecurity incidents over three years, with stolen credentials being the most common attack vector.
Together, these industry analyses reinforce that OT cybersecurity is now seen as integral to data center uptime and resilience – a shift from years past when physical infrastructure was often considered separately from “cyber” concerns.

Global OT Security Surveys (Fortinet, SANS, etc.): Broad operational technology security surveys also offer insight into trends relevant to data centers. Fortinet’s 2023 State of OT and Cybersecurity report (a global survey of 500+ OT-heavy organizations) found that 75% had at least one intrusion in the past year. Alarmingly, nearly one-third of respondents said a cyberattack had impacted both their IT and OT systems – a sign that attackers are pivoting through IT/OT converged environments. This echoes the data center context, where the IT/OT boundary is a new frontline for attack if not properly segmented. Fortinet notes the proliferation of IP-connected OT devices (almost 80% reported 100+ IP-enabled OT assets) is making security more complex, often resulting in a sprawl of tools that are hard to manage consistently. However, most organizations are now actively investing in solutions: 76% of OT teams said security technologies have improved their efficiency and visibility. One clear trend is organizational alignment – 95% of companies plan to put OT security under the CISO’s responsibility (rather than siloed under operations) within a year. We see this in practice as well: for instance, Equinix (a global colo provider) recently created dedicated ICS/OT Security Manager roles to oversee facility control systems security across their data centers. Analysts view this shift positively, as it brings OT into the fold of enterprise cybersecurity governance. Likewise, a SANS 2023 OT/ICS survey (Dean Parsons) reported growing adoption of OT-specific monitoring and incident response practices, though many sites still overestimate their network segregation.
In summary, the consensus of these surveys is that OT cyber risk is universally high, and organizations (hyperscaler or not) are responding by upskilling, consolidating security oversight, and deploying more specialized OT security tools.

3 Risks and Threats to Data Center OT

Physical Disruptions: The primary risk of OT-focused cyberattacks is causing physical infrastructure failure – for example, cutting off power or shutting down cooling, which can lead to overheating and equipment damage. Research highlights that a successful attack on cooling systems could force a data hall to shut down within minutes (studies show server rooms overheat in ~5 minutes without cooling). Attackers might achieve this by manipulating BMS controls or malware targeting industrial control protocols. Dragos notes that malware frameworks like PIPEDREAM have modules (e.g. “MOUSEHOLE” for OPC-UA manipulation) that could potentially be used to maliciously change data center PLC setpoints or turn off chillers/generators. Even inadvertent incidents demonstrate the impact: when cooling failed at an Equinix Singapore site in 2023, banking systems lost access to data center services and millions of transactions failed until cooling was restored. Similarly, tampering with UPS or power distribution could trigger outages. Data centers depend on UPS units for uninterrupted power, and if an attacker remotely deactivates or overloads them, it can drop critical loads. The U.S. government explicitly warned that internet-connected UPS systems were being targeted via manufacturer default logins, underscoring how seemingly mundane facility devices are avenues for attack.

Supply Chain and Third-Party Risks: Another risk factor is the supply chain for OT components. A January 2025 DataCenterDynamics piece (by Schneider Electric’s cybersecurity lead) points out that attackers might compromise equipment before it’s even installed – e.g. inserting malicious firmware or counterfeit parts into power meters, breakers, or security cameras destined for data centers. Gartner predicts that by 2025, nearly 45% of organizations will have experienced a software supply-chain attack. In response, some vendors now embed hardware encryption chips in devices (like smart power meters) to ensure they can’t be tampered with during manufacturing. Data center operators are urged to vet suppliers and demand such protections to mitigate the threat of compromised OT gear. Additionally, third-party remote access is a concern: many facilities allow vendors to remotely support BMS, cooling, or security systems. If those connections are not secured (e.g. VPN with MFA, jump hosts, or unidirectional links), they could serve as a beachhead for attackers. Uptime Institute observes that managers often assume their OT is “air-gapped,” but in reality true air gaps are rare – data from OT does flow out for monitoring and maintenance, which can create a pathway back in for intruders if not properly controlled. In fact, Uptime’s survey found that nearly half of data centers now stream OT sensor data to IT systems or cloud apps for analytics. This one-way flow is usually intended to be outbound-only, but any misconfiguration or bi-directional link could let attackers “pivot” from an IT breach into OT networks. Thus, IT/OT convergence – while beneficial for smart operations – introduces new risks if not accompanied by strong security at the interface.

Target Profile (Hyperscalers vs. Others): Hyperscale cloud operators (e.g. Google, Amazon, Microsoft) have massive campuses that make enticing targets (their sheer scale and the critical data they host raise the stakes). These firms generally invest heavily in bespoke security engineering for both IT and OT. Non-hyperscalers (colocation and enterprise data centers) may not have the same in-house engineering resources, but they are by no means safe from attack.
In fact, a “second tier” of large operators (Equinix, Digital Realty, CyrusOne, Iron Mountain, etc.) has become very cognizant of OT risks in the last two years. Many have not publicly detailed their security measures, but job postings and partnership news give clues. For example, Equinix’s listing for an OT Infosecurity Manager described responsibilities like designing secure ICS network configurations, overseeing OT incident response, and implementing new security technologies across its global sites. Digital Realty’s blogs have discussed zero-trust for OT/IIoT and converged security monitoring – indicating they counsel clients to treat facility systems with the same rigor as IT systems. In short, colocation providers are ramping up OT security to meet enterprise customer demands and regulatory expectations, aiming to close any gap between their practices and hyperscalers’ best-in-class approaches. An analyst insight captured this well: despite rapid growth in cloud/IT security spending, “the cybersecurity of facilities and related systems hosting these gigantic computing centers still needs to be developed.” There is now a concerted effort industry-wide to develop that facet.

4 Technical Security Measures and Best Practices

Across these reports, a consistent theme is that data center operators must implement layered, defense-in-depth protections for OT – adapting traditional ICS security frameworks to the data center context. Key technical measures highlighted include:

Network Segmentation and the Purdue Model: Practitioners are revisiting the classic Purdue Model of ICS network architecture to separate OT devices from general IT networks. At minimum, facilities are advised to keep building control networks (for cooling, power, security systems) on isolated VLANs or physical networks, with strict firewall rules and no direct internet access.
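The segmentation guidance above (isolated OT segments, no direct internet access, no inbound path from IT except through a controlled DMZ/jump host) can be checked mechanically against a firewall ruleset. The following is an added illustration, not code from any report or vendor cited here; it assumes a simplified zone model (IT, INTERNET, DMZ, and separate OT segments for cooling, power and physical security) and a constructed ruleset with three deliberate violations.

```python
"""Policy-as-code check for a segmented data center OT network.

Added illustration (not code from any of the reports cited on this page).
Assumes a simplified zone model loosely following the Purdue levels:
IT (enterprise), DMZ (jump hosts and historians), and three OT segments
for cooling, power and physical security. Firewall rules are expressed as
(src_zone, dst_zone, port, action); the checker flags rules that violate
the segmentation guidance in the text.
"""
from dataclasses import dataclass

IT_ZONES = {"IT", "INTERNET"}
OT_ZONES = {"OT_COOLING", "OT_POWER", "OT_PHYSSEC"}
DMZ = "DMZ"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


# Constructed ruleset: a mostly sound policy with three deliberate mistakes.
SAMPLE_RULES = [
    Rule("OT_COOLING", "DMZ", 4840, "allow"),      # OPC UA telemetry out to historian
    Rule("OT_POWER", "DMZ", 502, "allow"),         # Modbus/TCP poll results out
    Rule("DMZ", "IT", 443, "allow"),               # historian -> IT dashboards
    Rule("IT", "DMZ", 22, "allow"),                # admins reach the jump host (MFA assumed)
    Rule("DMZ", "OT_COOLING", 22, "allow"),        # jump host -> chiller controllers
    Rule("IT", "OT_POWER", 502, "allow"),          # VIOLATION: IT reaches OT directly
    Rule("OT_PHYSSEC", "INTERNET", 443, "allow"),  # VIOLATION: camera NVR cloud egress
    Rule("OT_COOLING", "OT_POWER", 502, "allow"),  # VIOLATION: cross-OT lateral path
]


def check_segmentation(rules):
    """Return a list of (rule, reason) tuples for allow-rules breaking the policy.

    Policy encoded here:
      1. Nothing in IT/INTERNET may initiate into an OT zone; only the DMZ may.
      2. OT zones may never reach INTERNET.
      3. OT zones may not talk to each other directly (limits lateral movement).
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src in IT_ZONES and r.dst in OT_ZONES:
            findings.append((r, "IT-to-OT inbound path bypasses the DMZ/jump host"))
        elif r.src in OT_ZONES and r.dst == "INTERNET":
            findings.append((r, "OT device has direct internet access"))
        elif r.src in OT_ZONES and r.dst in OT_ZONES and r.src != r.dst:
            findings.append((r, "cross-segment OT path enables lateral movement"))
    return findings


def ot_flows_are_outbound_only(rules):
    """True when every allowed flow crossing the OT boundary either leaves OT
    toward the DMZ or enters OT from the DMZ (the interactive-access exception).
    Cross-OT traffic is not judged here; check_segmentation covers it."""
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst in OT_ZONES and r.src != DMZ and r.src not in OT_ZONES:
            return False
        if r.src in OT_ZONES and r.dst not in OT_ZONES and r.dst != DMZ:
            return False
    return True


if __name__ == "__main__":
    for rule, reason in check_segmentation(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.port}  {reason}")
    print("OT boundary outbound-only:", ot_flows_are_outbound_only(SAMPLE_RULES))
```

The check is deliberately one-directional: a data-diode deployment would remove even the DMZ-to-OT exception, so in that case `ot_flows_are_outbound_only` should be tightened to reject any rule whose destination is an OT zone.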
Uptime Institute notes that many operators claim their OT is “air-gapped” when in reality it’s only separated by a firewall – which still needs proper configuration to block any inbound traffic from IT levels. Data center OT networks should employ unidirectional gateways or data diodes where possible – these hardware devices allow telemetry data to flow out to IT monitoring systems, but physically prevent any command traffic from flowing back into the OT side. Industry reports indicate that many colocation and enterprise data centers are adopting unidirectional gateway technology for exactly this reason. This ensures that even if an IT network is compromised, attackers cannot reach into the OT environment through the monitoring link. When interactive remote access is needed for OT (e.g. vendor support), best practice is to use jump hosts in a DMZ, multi-factor authentication, and strict time-limited access approvals – or avoid remote control entirely unless absolutely necessary. In 2023, only about 1 in 8 data centers permitted any form of remote control over OT, reflecting a cautious stance in the industry. Segmentation also means internal separation: power systems, cooling systems, and security systems ideally should be on different network segments, limiting lateral movement even within OT. As one data center CEO quipped, “we treat the BMS network like it’s an Internet of its own – zero trust between every controller” (illustrating the growing adoption of zero-trust principles for OT). This aligns with guidance from OT security surveys: implement robust asset inventory and network access control (NAC) so that only authenticated devices and users can communicate in OT environments.

Monitoring, Detection, and Incident Response: Given that no defense is foolproof, data center operators are also investing in detecting intrusions and having response plans. OT-specific threat detection tools (offered by firms like Nozomi Networks, Dragos, Armis, etc.) are being deployed to passively monitor traffic on BMS/SCADA networks and alert on anomalies. A SANS 2023 study found a significant increase in ICS network monitoring adoption, though many organizations still lacked full visibility. The Uptime Institute recommends that data center OT security strategy include “detect, respond, recover” capabilities analogous to IT SOC practices. However, because an OT incident can have immediate physical consequences, there is extra emphasis on prevention and engineering safeguards: for example, mechanical safety controls (like pressure relief valves or generator governors) should be in place so that even if an attacker issues a malicious command, physical fail-safes limit the damage. Data centers are updating their incident response plans to incorporate scenarios like “ICS malware causes cooling outage” or “remote compromise of security camera system” – something that historically might not have been in the playbook. Dragos urges all industrial operators, including data centers, to practice tabletop exercises for OT incidents and ensure their IR teams have ICS expertise. Indeed, one of Dragos’s critical controls is having an ICS-specific incident response plan that coordinates IT and facilities teams. On the detection side, even simple measures are making a difference: some operators now log and review physical sensor data for signs of sabotage (e.g. unexplained temperature spikes might indicate a rogue command to a cooling unit). Others are integrating OT alerts into their Security Information and Event Management (SIEM) systems alongside IT logs, so that suspicious patterns (like a surge in BMS network traffic or a door control system going offline unexpectedly) are noticed in context. In summary, data centers are moving toward a more proactive stance – not assuming an air-gap will save them, but actively hunting for threats in the OT environment and drilling on how to contain an incident to avoid a full-blown outage.
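The three “simple measures” named above (an unexplained temperature spike, a door controller going silent, a surge in BMS network traffic) are easy to express as detectors over telemetry and flow logs. The block below is an added example, not code from any vendor or report on this page; it assumes a constructed key=value log format with three record types (sensor, heartbeat, netflow), and emits alert dicts in a shape that could be forwarded to a SIEM.

```python
"""Anomaly checks over constructed OT telemetry and BMS network logs.

Added example, not code from any vendor or report named on this page. It
assumes three constructed record types on a simple 'TIMESTAMP TYPE k=v ...'
line format:
  sensor    - data hall temperature readings
  heartbeat - periodic check-ins from door controllers
  netflow   - per-minute packet counts on the BMS segment
The detectors turn the heuristics described in the text (unexplained
temperature spike, a door system going silent, a BMS traffic surge) into
alerts shaped for forwarding to a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log; the hall warms abruptly, the door controller stops
# checking in after 10:01, and BMS traffic jumps an order of magnitude at 10:04.
SAMPLE_LOG = """\
2025-03-04T10:00:00Z sensor hall=A temp_c=22.1
2025-03-04T10:00:00Z heartbeat device=door-ctl-01
2025-03-04T10:00:00Z netflow segment=bms pkts=130
2025-03-04T10:01:00Z sensor hall=A temp_c=22.2
2025-03-04T10:01:00Z heartbeat device=door-ctl-01
2025-03-04T10:01:00Z netflow segment=bms pkts=125
2025-03-04T10:02:00Z sensor hall=A temp_c=22.4
2025-03-04T10:02:00Z netflow segment=bms pkts=140
2025-03-04T10:03:00Z sensor hall=A temp_c=26.9
2025-03-04T10:03:00Z netflow segment=bms pkts=135
2025-03-04T10:04:00Z sensor hall=A temp_c=30.2
2025-03-04T10:04:00Z netflow segment=bms pkts=2100
"""
# "Now" for the constructed scenario (evaluation time of the detectors).
SAMPLE_NOW = datetime(2025, 3, 4, 10, 5, tzinfo=timezone.utc)


def parse_line(line):
    """Parse 'TIMESTAMP TYPE k=v k=v' into a dict; returns None for junk lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts, "type": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_temperature_spikes(records, max_rise_c_per_min=2.0):
    """Flag a hall whose temperature rises faster than plausible thermal drift.
    A jump this steep between consecutive readings is what a rogue setpoint
    change or chiller shutdown looks like before the hall trips on high temp."""
    alerts, last = [], {}
    for r in records:
        if r["type"] != "sensor":
            continue
        hall, temp = r["hall"], float(r["temp_c"])
        if hall in last:
            prev_ts, prev_temp = last[hall]
            minutes = (r["ts"] - prev_ts).total_seconds() / 60
            if minutes > 0 and (temp - prev_temp) / minutes > max_rise_c_per_min:
                alerts.append({"type": "temp_spike", "asset": f"hall-{hall}",
                               "ts": r["ts"].isoformat(),
                               "detail": f"{prev_temp}->{temp} C in {minutes:g} min"})
        last[hall] = (r["ts"], temp)
    return alerts


def detect_silent_heartbeats(records, now, timeout_s=120):
    """Flag devices whose most recent heartbeat is older than the timeout."""
    last_seen = {}
    for r in records:
        if r["type"] == "heartbeat":
            last_seen[r["device"]] = max(last_seen.get(r["device"], r["ts"]), r["ts"])
    return [{"type": "device_silent", "asset": dev, "ts": now.isoformat(),
             "detail": f"no heartbeat for {int((now - ts).total_seconds())} s"}
            for dev, ts in last_seen.items()
            if (now - ts).total_seconds() > timeout_s]


def detect_traffic_surge(records, factor=5.0, min_history=3):
    """Flag a per-minute packet count above factor x the median of earlier
    samples on the same segment (a crude but outlier-resistant baseline)."""
    history, alerts = defaultdict(list), []
    for r in records:
        if r["type"] != "netflow":
            continue
        seg, pkts = r["segment"], int(r["pkts"])
        past = history[seg]
        if len(past) >= min_history and pkts > factor * median(past):
            alerts.append({"type": "traffic_surge", "asset": f"segment-{seg}",
                           "ts": r["ts"].isoformat(),
                           "detail": f"{pkts} pkts/min vs median {median(past):g}"})
        past.append(pkts)
    return alerts


def analyze(log_text, now):
    """Run all detectors over a log and return SIEM-ready alert dicts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    return (detect_temperature_spikes(records)
            + detect_silent_heartbeats(records, now)
            + detect_traffic_surge(records))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, SAMPLE_NOW):
        print(alert)
```

Thresholds are placeholders: a real deployment would derive the rise rate from the hall’s thermal mass and the heartbeat timeout from the controller’s configured interval, and the value of forwarding these alerts into the SIEM is that the temperature spike and the traffic surge on the same segment can be correlated with IT-side events rather than reviewed in isolation.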
Patching and Hardening OT Assets: Another technical focus is closing the easy exploits in OT equipment. Many building automation devices (PLC controllers, HVAC control panels, camera DVRs, etc.) historically have weak default credentials or outdated firmware. The baseline cyber hygiene for OT is improving: data center operators report more regular vulnerability scanning of their facility networks and applying firmware updates during maintenance windows whenever feasible. Uptime’s experts encourage treating “OT environments around data centers… with the same patching cadence as IT systems”. In practice, patching PLCs or BMS software can be challenging (due to uptime requirements), but operators are increasingly conducting risk assessments to identify which OT assets must be updated vs. which can be isolated/monitored if they can’t be patched immediately. Strong authentication and device configuration hardening are also being enforced: for example, data center facility teams are disabling unused services on BMS servers, changing all default passwords on embedded devices (as the UPS case taught), and enabling encryption on OT communications where supported. Some sites are even implementing MFA for BMS logins and ensuring that vendors do the same for any remote connections. Another best practice is conducting periodic security assessments of OT systems – either hiring ICS security consultants or using frameworks like IEC 62443 to evaluate control system maturity. In the past two years, there’s been growth in third-party audits focusing on data center critical environments. For instance, some insurance underwriters now ask large data centers about their OT security measures (similar to how cyber insurers assess IT security), prompting operators to shore up gaps in exchange for better coverage terms. 
Protecting Physical Access and Integrating with Cyber: Lastly, securing the physical layer continues to be important, with a twist: modern physical security systems themselves are networked and vulnerable. Reports call for a unified strategy so that physical security controls (badges, biometrics, CCTV) are protected from cyber tampering. An attacker who can disable cameras or door locks via the network could facilitate a physical intrusion. Therefore, data centers are segmenting security management systems on the OT network and monitoring them for anomalies (e.g. a camera going offline unexpectedly might be a sign of malware). Convergence of physical and cyber security teams is a notable trend – some organizations have merged these functions or at least established clear communication channels, recognizing that a breach could span both domains. Digital Realty, for example, wrote about ensuring “physical and cyber systems are protected in a unified way” so that convergence doesn’t create new risks. This includes measures like alarm systems to alert the cyber team if someone is tampering with cable racks or sensors, and vice versa, alerting security guards if a cyber alarm indicates potential sabotage of safety systems.

5 Procurement Trends and Solution Adoption

To address the above risks, data center operators (especially non-hyperscalers) have been investing in new solutions and services over the last two years. Noteworthy procurement and strategy trends include:

Dedicated OT Security Solutions: Organizations are evaluating and buying products specifically designed for ICS/OT cybersecurity. This includes network monitoring tools (passive intrusion detection for OT networks), asset discovery solutions that map out all OT devices, and anomaly detection systems using AI to flag unusual control signals. According to Fortinet’s 2023 survey, nearly 80% of OT teams already use over 100 IP-enabled devices and are looking to consolidate their toolsets for managing them.
A recommended approach is to work with vendors that offer an integrated platform covering asset management, segmentation enforcement, and even OT-specific Security Operations Center support. We are seeing vendors like Fortinet, Cisco, Tenable (with OT-specific modules), Dragos, Nozomi, and others being considered in data center RFPs. Vendor consolidation is a goal – rather than a patchwork of one-off solutions, data centers want a platform that can tie into their existing IT security operations. For example, some have procured add-ons to their DCIM (Data Center Infrastructure Management) software that enhance security monitoring, while others deployed standalone OT SOC services. The trend is also toward solutions that can enforce segmentation (e.g. policy gateways between IT and OT, or NAC appliances that control device connections) as part of a zero-trust posture.

Cyber Risk Quantification and Insurance: Interestingly, a new category of service has emerged: cyber risk quantification for physical infrastructure. Companies like DeNexus have built platforms to model the financial impact of OT cyber scenarios in data centers. In 2023, DeNexus worked with a “tier-one hyperscale data center operator” to uncover “hidden risks” and assign dollar values to different OT failure events. The idea is that by quantifying risk (in terms of potential outage costs, equipment damage, safety liabilities, etc.), data center operators can prioritize investments and justify budgets for security upgrades. This has procurement implications: boards are more willing to fund, say, a new OT monitoring system or a retrofit of secure controls when they see how it reduces a modeled risk of a $10M outage. Likewise, the insurance industry is beginning to ask data centers for evidence of OT cyber controls. We have heard of some colocation providers engaging consultants to perform cyber audits of their facilities to both improve security and demonstrate due diligence to customers/regulators.
All of this signals a more mature, quantified approach to managing OT risks – moving it from an obscure facilities issue to a board-level discussion with dollars attached.

Organizational and Outsourcing Moves: Another trend is in how companies source the expertise needed for OT security. Many data center firms that lack large internal security teams are turning to consulting and managed services. For instance, some have contracted OT cybersecurity specialists to assess their HVAC and power systems, or to provide continuous threat monitoring as a service. Consulting firms (the big ones like Deloitte, IBM, as well as niche OT security boutiques) have in the last two years published white papers and offered services geared at data center and critical facility security. One example: Deloitte in 2023 ran seminars on “cyber physical convergence in data centers,” advising operators on governance and technical controls (though specifics are often behind closed doors). On the hiring front, as noted earlier, companies like Equinix have created internal roles for ICS security, and others have upskilled their facility engineers with cybersecurity training (SANS’s GICSP certification – Global Industrial Cyber Security Professional – is now a desired qualification for data center operations staff). The Fortinet report’s finding that 95% of organizations will shift OT security responsibility under CISOs means we’re seeing more cross-pollination: IT security leaders getting involved in procurement decisions for generators and cooling systems, ensuring those come with cybersecurity features (like encrypted control interfaces or support for modern authentication). In short, data center operators are investing not just in products but in people and processes – whether via hiring, training, or partnering with consultants – to cover the OT security gap.

Compliance-Driven Investments: As mentioned, new regulations and standards are forcing hands.
In the EU, NIS2 (effective 2024) classifies many data center and cloud infrastructure providers as essential services that must implement state-of-the-art cybersecurity and report incidents. Faced with the possibility of hefty fines, European and multinational data center firms have allocated budget to bolster OT protections. This includes procurement of threat intelligence services (to stay ahead of OT threat actors) and incident response retainers specializing in ICS. Even outside explicit laws, customer requirements act as a driver: enterprise clients (especially in regulated industries like finance or healthcare) now often ask their colocation or cloud providers about facility cybersecurity measures. To remain competitive, data center operators are acquiring certifications or attestation reports for cybersecurity. For example, some pursue ISO/IEC 27001 with extensions for ICS, and Uptime Institute’s own “Management & Operations Stamp” now includes security criteria. All these factors have led to a notable uptick in OT security spending since 2022, with analysts estimating double-digit growth in the market for data center facility security solutions. As Gartner observed, the overall cybersecurity market (~$200B globally) is expanding to cover cyber-physical systems, an area which previously lagged but is now catching up out of necessity.

6 Takeaways

Operational Technology cybersecurity has become a front-and-center issue for data center operators in the past two years. Research from Uptime Institute, Dragos, industry analysts and others paints a clear picture: threats to data center OT – from HVAC and chillers to power and security systems – are real and growing. Unlike the hyperscale cloud giants (who have huge resources to throw at the problem), many colocation and enterprise data centers historically underinvested in this area, but that is rapidly changing.
Today, non-hyperscalers are elevating their OT security posture through dedicated roles, new technologies, and revamped policies, recognizing that a cyber-induced outage of a chiller plant or power chain can be just as damaging as a traditional data breach. The technical measures being implemented (segmented networks, one-way gateways, monitoring platforms, strict remote access controls, regular patching, etc.) directly address the pathways attackers might use to infiltrate or disrupt facility systems. Meanwhile, procurement trends show data centers embracing integrated OT security solutions and expert services – whether via purchasing ICS detection tools, engaging consultants, or adopting risk quantification platforms – to mitigate these risks in a systematic, budget-backed way.

In summary, several comprehensive reports (many accessible with subscription or via industry publications) underscore a few key takeaways:

(1) Data center OT systems are not invulnerable “behind air-gaps” as once assumed – they are increasingly connected and thus vulnerable.

(2) Cyber attacks on OT can lead to severe physical and financial consequences (prolonged outages, equipment damage, downstream service failures) that most organizations are not willing to tolerate.

(3) Therefore, operators globally (excepting regions like China/Africa not covered in these reports) are investing in closing the OT security gap through a combination of modern tech and best practices – essentially applying the same rigor to the “critical environment” as has long been applied to IT systems.

This alignment of facility and cybersecurity not only protects against emerging threats, but also improves overall resilience and trust in the digital infrastructure. As the Uptime Institute succinctly put it, a successful attack on data center OT could be catastrophic – so preventive security and robust incident preparedness are now viewed as core to data center operations.

Charles Stucki