Safeguarding the digital world starts with physical protection

Published: Thursday, 10 March 2022 09:22

Tiago Dias looks at the importance of data centres / centers, arguing that many should now be seen as critical infrastructure, given the impacts that lack of availability can have. In this piece Tiago looks at the key risks impacting data centres and how these can be mitigated against.

The COVID-19 pandemic has accelerated the transition from the physical to the digital world; both in our work and leisure we are spending an increasing amount of time operating online. This trend is massively increasing the demand for, and investments in, digital infrastructure such as data centres.

Statistics from the most recent Jones Lang LaSalle’s Data Centres Report highlight the surge in these investments, as across Europe they have risen by around a third last year alone. TechUK, a UK-based industry body, has also reported record levels of construction in this space currently happening in the UK.

Arguably, data centres could potentially now be considered as an essential part of a country’s critical infrastructure; they are critical to the function of advanced globalised economies and as such, they need to stay continuously operational, well protected, and secure.

If the risks that data centres face are not managed effectively, the disruption can be severe. This was evident after a fire at a large data centre in France last year, which forced millions of websites offline – including government agencies, banks, and retailers. Similar incidents in the UK, US, or other developed economies could have an equally significant impact.

Fortunately, there are several key lessons that organizations managing or operating data centres could take on, to help protect their facilities and reduce the likelihood of widescale disruption.

Start from a good base with security by design

It is vital that data centres are developed with resilience in mind and dealing with climate risk is an integral aspect of this. Data centres are certainly not immune from the impact of a changing climate, as they can be affected in various ways. For example, if a data centre is located in an area often impacted by flooding, windstorms, or wildfires – risks which can cause significant property damage for unprotected facilities – such events may become more destructive as the result of a changing climate. Numerous scientific projections indicate extreme rainfall (and associated flooding) is going to become more likely in some regions, whereas other areas are becoming drier and more susceptible to wildfires.

To mitigate these climate risks, it’s critical to understand the exposure level of different regions – selecting a low-risk location is a good first step to becoming more climate resilient. If this isn’t possible, businesses should make sure they have the right physical protective measures in place to defend data centres from climate risk (e.g., flood barriers, which can provide a cost-effective solution to stop and reduce any potential water damage).

The design and construction materials used when building data centres also plays a role in producing a resilient facility. The use of non-combustible materials is of course essential but should be complemented by suitable compartmentalisation of rooms and floors within the data centre. There is also a benefit in sealing off a penetration in walls and ceilings, such as that caused by cable passages, as these can create a break in the fire shield. Finally, any facility should be equipped with an adequate fire detection system and properly designed and installed automated fire protection solution.

Cooling management, is the number one issue for data centre providers

As data centres consume a high amount of power, they generate a lot of heat, which in turn increases the risk of a fire. Efficient cooling systems are therefore essential in reducing fire risk. These systems need to be constantly maintained to provide uninterrupted cooling and protection – without this system in place temperatures can quickly rise, damaging the operational capacity of the computers.

Building management systems are usually identified as critical assets and must be protected from tampering. Researchers at Cycle have found over 20,000 Data Centre Infrastructure Management (DCIM) tools are ‘public facing’ including heating ventilation and cooling systems (HVAC), and Uninterruptible power supply (UPS) systems. As a result, hackers and malicious threat groups can quickly access cooling units of the data centre and overheat the data units.

Seek to reduce the fuel load

Equipment within a data centre should always be designed with fire risk in mind. This is particularly crucial when computers are housed with more combustible versions of cables, insulation and air filters than would normally be recommended. The presence of batteries should also be accounted for, as these can increase the fuel load at a facility and the associated fire risk. At FM Global, we recommend avoiding the use of plastic in this context, and instead favouring products with low combustibility and low smoke production in the event of a fire.

What about water?

Water and highly sophisticated IT equipment together are not exactly the best combination. Which is why data centres should ideally be designed and built to ensure they provide protection from wind, rain, and flood – features such as well-fastened roofs as well as walls and doors designed to keep the elements out can all provide a benefit.

Additionally, a gas-based extinguishing system may also be preferable to conventional sprinkler systems in the event of a fire. However, they are only appropriate if a fire can be detected very quickly. In situations where a fire is already significant, a conventional sprinkler system is necessary (despite the use of water), as the priority should be to suppress the fire as effectively as possible.

Holding up-to-date contingency and business continuity plans is key

In addition to the above lessons, it is crucial to have practised contingency and business continuity plans, as even the best protected buildings may face a risk event.

These plans should provide instructions to help employees understand how to de-energise each area or piece of equipment at the data centre. This step may be necessary to prevent overheating due to a cooling problem or an electrical fire from restarting after it has been initially extinguished. Business continuity plans should therefore, account for the possibility of essential equipment shutting down, anticipating a worst-case scenario and establishing steps to limit disruption. Training staff properly is also a key aspect of this, as the human element can always play a role in the event of a major risk.

Initiating these simple lessons can be the difference between a data centre experiencing a minor risk event and a fire taking a facility entirely offline. The growing importance of data centres should be accompanied by businesses initiating the right risk management solutions, which can in turn reduce the risk of these critical pieces of infrastructure being taken offline and causing widespread disruption.

For more information: See FM Global Property Loss Prevention Data Sheet 532 - Data Centres and Related Facilities, which provides engineering guidelines to help data centre operators reduce the chance of property loss due to fire, weather conditions, and equipment failure.

The author

Tiago Dias, EMEA Cyber Consultant, FM Global.