Data centres are the beating heart of the digital economy. They host the information that powers AI models, financial transactions, cloud platforms, and critical national infrastructure. Operators are rightly investing heavily in sustainability and efficiency, from closed-loop and waterless cooling to AI-driven thermal management. Yet while the industry debates water use and energy consumption, a more immediate risk often goes unnoticed: the cybersecurity of the very systems that keep data centres cool and operational.

Modern cooling systems are not standalone units. They are tightly integrated into building management systems (BMS) and data centre infrastructure management (DCIM) platforms that manage temperature, humidity, and airflow across racks. These systems rely on industrial protocols such as BACnet, which were designed for connectivity and efficiency rather than security.

If compromised, an attacker does not need to exfiltrate data to cause damage. A simple manipulation of set points, fan speeds, or humidity levels could degrade performance or even trigger fire suppression systems. In environments where uptime is everything, the ability to disrupt cooling can be as impactful as cutting power.

Evidence of adversary interest in data centre cooling systems

There is growing evidence that cybercriminals and state-backed groups recognise the leverage cooling systems provide. Communications between DCIM devices and known extortion groups in Europe have been observed, while malware associated with the WASSONITE threat group has included functionality targeting configuration management databases, often linked to cooling and building automation.

The path in is often mundane. Campaigns have already been observed where stolen data centre IT staff credentials were used to enable unauthorised access to management devices with OT capability. Elsewhere, adversaries have exploited known Microsoft Exchange vulnerabilities to compromise building automation systems. The lesson is clear: attackers understand how to pivot from IT into OT environments, and cooling is an attractive lever.

Why this matters now

Data centre operations are critically dependent on a complex ecosystem of OT equipment, including HVAC and building management systems. As operators adopt closed-loop and waterless cooling to improve efficiency, these systems are increasingly tied into BMS and DCIM platforms. This expands the attack surface of networks that were once more segmented. A compromise of these systems could directly affect temperature, humidity or airflow, with clear implications for the availability of services that critical infrastructure asset owners rely on.

The good news is that the steps required to defend cooling systems are well understood and achievable. Companies should align to the ‘Five Critical Controls for World-Class OT Cybersecurity’ identified by the SANS Institute.

That means developing incident response plans tailored for OT environments, which address the engineering systems at the heart of a data centre. It requires a defensible architecture, with segmentation between IT and OT, the use of industrial DMZs, and the removal of unnecessary access points. Operators should also invest in continuous ICS network monitoring, with visibility into industrial protocols such as BACnet and OPC UA to detect suspicious activity.

Resilience also depends on secure remote access, including multi-factor authentication and controlled jump-host environments for vendors and third parties. Finally, risk-based vulnerability management ensures that critical assets are either patched, mitigated, or closely monitored for exploitation, even where systems cannot easily be taken offline.

Taken together, these controls provide a framework for protecting data centre cooling and building systems without slowing the drive for efficiency and innovation.
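The BACnet monitoring control described above, as an added example that is not from the original article or from Dragos: a minimal BACnet/IP decoder that flags state-changing requests, such as the set-point writes mentioned earlier, when they come from hosts not approved to issue them. The allowlisted address, the sample payloads and the function names are constructed for illustration.

```python
import ipaddress

# Confirmed-service choices that change controller state (numbers from ASHRAE 135).
STATE_CHANGING = {15: "WriteProperty", 16: "WritePropertyMultiple",
                  17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
# Assumption: the only host approved to write to controllers (constructed address).
ALLOWED_WRITERS = {ipaddress.ip_address("10.20.0.5")}
# Constructed BACnet/IP payloads: a WriteProperty to present-value of analog-value 1
# and a ReadProperty of the same property.
WRITE = bytes.fromhex("810a001801040005010f0c0080000119553e44419000003f")
READ = bytes.fromhex("810a001101040005020c0c008000011955")


def confirmed_service(payload):
    """Return the confirmed-service choice of a BACnet/IP UDP payload, else None.

    Handles Original-Unicast/Broadcast-NPDU only; other BVLL functions are skipped.
    """
    if len(payload) < 6 or payload[0] != 0x81 or payload[1] not in (0x0A, 0x0B):
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):  # BVLL length field
        return None
    try:
        if payload[4] != 0x01:              # NPDU protocol version
            return None
        control, offset = payload[5], 6
        if control & 0x80:                  # network-layer message, carries no APDU
            return None
        if control & 0x20:                  # DNET(2) DLEN(1) DADR(DLEN)
            offset += 3 + payload[offset + 2]
        if control & 0x08:                  # SNET(2) SLEN(1) SADR(SLEN)
            offset += 3 + payload[offset + 2]
        if control & 0x20:                  # hop count follows when DNET is present
            offset += 1
        apdu = payload[offset]
        if apdu >> 4 != 0:                  # PDU type 0 = Confirmed-Request
            return None
        # Skip type/flags, max-segments/max-APDU, invoke ID (+ sequence, window if segmented).
        return payload[offset + (5 if apdu & 0x08 else 3)]
    except IndexError:                      # truncated frame
        return None


def alerts(packets):
    """Yield (source IP, service) for state-changing requests from unapproved hosts."""
    for src, payload in packets:
        name = STATE_CHANGING.get(confirmed_service(payload))
        if name and ipaddress.ip_address(src) not in ALLOWED_WRITERS:
            yield src, name
```

Feed `alerts` with (source address, UDP payload) pairs taken from a passive capture of port 47808 traffic on the OT network. Frames relayed as Forwarded-NPDU are not decoded here and need separate handling.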

Looking ahead

The conversation around data centres often focuses on power usage and water consumption. Both matter. But resilience is about more than efficiency metrics. A hacked cooling system can cause as much disruption as a regional power outage.

As the UK expands its data centre capacity to fuel AI ambitions and digital transformation, cybersecurity must be designed into the physical systems that keep those facilities stable. Cooling is not just an operational detail. It is a potential target — and protecting it is essential to ensuring the sector’s growth is sustainable, resilient, and secure.

Conor McLaren is a senior threat intelligence analyst at Dragos
