How vulnerable are data centres to physical attacks?
Three facilities struck so far. The cost of a kamikaze drone is less than 1% of a rack of GPUs.
As AWS data centres in the UAE and Bahrain are damaged by drone strikes, how are data centres in Singapore protected against physical threats?
With three data centres hit so far, it is reasonable to conclude that the facilities were not struck by chance. Consider this: a US$20,000 drone costs less than 1% of a rack of GPUs.
Physical protection
Modern data centres come with multiple levels of physical security.
Singapore's MAS TRM Guidelines (pdf) call for an assessment of vehicular ramming risk, which has led some data centres to install anti-ram bollards or crash-rated barriers. Mantraps, designed to prevent tailgating, use two interlocking doors that trap a person in a small entryway so only one verified individual can pass through at a time.
Networked cameras running 24/7 are the norm in protected facilities, with AI-powered people tracking and facial recognition for additional protection. I was stunned when I first learned that some Google data centres are even protected by underfloor laser intrusion detection systems.
Defending against drone attacks
In Singapore, data centres are multi-storey buildings ringed by high fences. With cameras manned around the clock and other security features, intruders are unlikely to get in.
Less so for aerial drones, especially if they are weaponised for kamikaze attacks. Several components that are especially vulnerable are typically left exposed, including chillers and cooling towers on rooftops, backup generators along building floors, and battery rooms on the ground floor or basement in newer facilities.
Even assuming data halls are not breached, taking out any of these systems would result in an eventual data centre shutdown.
Closing thoughts
As a thought experiment, it quickly becomes evident that data centres are extraordinarily vulnerable to military-grade drones. I doubt such attacks would culminate in data loss, however.
Given the vulnerable systems mentioned, I don't see how downtime and shutdowns are preventable against a determined and well-resourced adversary. Will what happened this week change how data centres are designed?
