UII UPDATE 317 | JANUARY 2025

Intelligence Update

Are data centers on top of NIS 2 cyber compliance?

IT and facility teams are often misaligned when it comes to cybersecurity. Managers may think their facility is secure if operational technology (OT) systems are patched and “air-gapped”, but risks from remote access and third-party attacks are often overlooked. Higher levels of OT security may help but may also restrict essential access to equipment.

European regulators are now enforcing better cybersecurity. The Digital Operational Resilience Act (DORA) and Network and Information Security 2 (NIS 2) require organizations to implement best practices and report on incidents and threats. DORA relates to financial services resiliency (see Will legislation change how finance uses public cloud?); NIS 2 relates to cybersecurity specifically. Both regulations require management of third-party risk — and both bear the threat of severe fines and management penalties. However, currently, only 12% of operators utilize or conform to NIS 2 (Uptime Institute Data Center Security Survey 2024).

Most EU member states should have transposed NIS 2 into national law by October 17, 2024. This year (2025) will be a critical year for compliance, and organizations must have implemented the 10 essential security measures in NIS 2 Article 21, including:

  1. Policies on risk analysis and information system security.
  2. Incident handling.
  3. Business continuity and crisis management.
  4. Supply chain security, including direct suppliers or service providers.
  5. Security in network and information systems, including vulnerability handling and disclosure.
  6. Cyber risk management policies and procedures.
  7. Basic cyber hygiene practices and cybersecurity training.
  8. Cryptography and encryption policies.
  9. Human resource security, access control and asset management.
  10. Multi-factor authentication and secure voice, video, text and emergency communications.

Data center attack vectors

Attacks on critical infrastructures are estimated to account for 70% of all cyber incidents today (IBM X-Force Threat Intelligence Index 2024). The most common critical infrastructure attacks are on public-facing applications (29%) and phishing into valid accounts (25%). Many of these attacks install malware or ransomware. One-third of critical infrastructure attacks exploit authorized tools to capture user credentials, gain remote access and steal data.

The Uptime Institute Data Center Security Survey 2024 found that IT systems and IT partner-related attacks account for nearly two-thirds of the most impactful cybersecurity incidents for operators. OT and operational procedures account for a third of incidents but are rising due to a growing number of attacks on third-party vendors and suppliers.

Figure 1 shows how cyberattack vectors can compromise third parties, infiltrate the data center and then move laterally between IT and OT systems.

Figure 1 Cyberattack vectors and how they infiltrate the data center


IT operations threats

Cyberattacks can compromise software as a service, edge and colocation sites, private and public cloud services, and endpoint devices used by data center IT.

  • Novel “zero day” attacks can result in unidentified malware being installed on partner software systems, which then circumvents the data center firewall.
  • Endpoint devices and other IT infrastructure running unsupported or legacy software can be easily compromised. They may be completely unprotected against novel attacks.
  • IT misconfigurations and authentication vulnerabilities within legacy IT infrastructure can be exploited when migrating applications and workloads to the cloud.
  • Connected IT and OT devices can allow malware to move laterally through the data center, particularly if vulnerabilities have not been discovered or isolated.

OT operations threats

Cyberattacks can also compromise OT equipment of critical third-party suppliers (such as equipment vendors), and services (such as water and power providers). Vulnerabilities include:

  • OT networks that are not secure by design. Many OT networks rely on insecure protocols, leaving them open to attack from malicious actors or human error.
  • Air gaps provide security by physically separating OT networks from IT. However, they are increasingly bypassed for remote access support. Attacks can then exploit vulnerabilities in either OT or IT networks.
  • Remote management of OT equipment relies on connecting to an insecure OT network over the internet. In June 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) advised against using virtual private networks (VPNs), having discovered 22 known exploited vulnerabilities.

Attacks can include:

  • State-sponsored denial of service (DoS) attacks on critical power and water utilities. IT that is cut off from power or cooling (water) will quickly overheat, increasing risk to equipment and data.
  • Infiltrating third-party vendor supply chains could compromise equipment, introducing malicious components, while creating a backdoor for attackers.
  • Attacks on third-party equipment vendors could compromise embedded software. OT systems relying on this software, such as building management systems and supervisory control and data acquisition (SCADA), could become disabled or experience a data breach.

This update addressed key points presented at the LEET Security CISO conference in December 2024. Further research on cybersecurity and NIS 2 will be produced shortly.

Other related reports published by Uptime Institute include:

  • Will legislation change how finance uses public cloud?
  • Critical national infrastructure status: what does it mean?

Note: The regulatory analysis provided in this Update is the opinion of Uptime Intelligence. Data center operators should validate the interpretations with their legal staff and any relevant regulatory authorities.


About the Author

John O'Brien

John is Uptime Institute’s Senior Research Analyst for Cloud and Software Automation. As a technology industry analyst for over two decades, John has been analyzing the impact of cloud migration, modernization and optimization for the past decade. John covers hybrid and multi-cloud infrastructure, sustainability, and emerging AIOps, DataOps and FinOps practices.