Why Australia's data-centre growth must be matched by cybersecurity investment
In Australia, the national conversation around data centres is dominated by a question of ‘speeds and feeds’ — that is, how many megawatts are coming online and which hyperscalers are investing and building in our region. But that’s not the only important discussion we should be having about data centres.
The rapid growth in the industry is creating very real cybersecurity risks, especially when it comes to foreign-owned facilities. Together, the public and private sectors need to change the collective narrative and increase awareness of these risks, because data centres are not simply ‘digital sheds’ that store our information — they form the cyber-physical backbone of our nation. If that backbone is brittle, the entire digital economy — from telehealth in rural areas to high-frequency trading in the CBD — is at risk.
The underestimated security risks in data centres
When it comes to data centres, we often forget about the ‘invisible’ attack surface. Most people imagine that cybercriminals attacking a data centre would go straight for the sensitive files. But frequently, hackers look for non-traditional pathways to gain entry into these networks. For example, the building management systems (BMS) and electrical power monitoring systems (EPMS) responsible for powering and cooling chips in data centres are increasingly being targeted. These systems provide attackers with alternative entry points to the network and then allow them to move laterally to other, more critical systems.
Essentially, in the race to keep up with AI-driven demand, the BMS and EPMS have become the industry’s ‘soft underbelly’. Research shows that 75% of BMS devices have known exploitable vulnerabilities. In this instance, an attacker doesn’t need to go straight for the crown jewels (the data); they simply need to turn off the HVAC systems or chillers, or trip the main circuit breakers. In a high-density AI environment, a total cooling failure can lead to hardware damage in minutes.
Real-world scenarios: what’s at stake?
Let’s consider the impacts of an attack on a major data centre in Australia using a ‘cascading failure’ scenario.
In the first instance, an attacker uses a compromised credential from a third-party vendor (such as an elevator maintenance provider) to access the BMS of a major Sydney data centre. Instead of a ‘smash and grab’ for data, the attackers subtly manipulate the chilled water setpoints that regulate the building’s temperature. The servers begin to throttle due to heat, which causes a massive spike in latency for a major Australian bank’s real-time payment gateway. Simultaneously, the cooling pumps are forced into a cycling loop that causes a surge in local power draw, tripping a nearby power substation.
The result? It’s not just a cyber outage: it’s a local blackout, a financial system freeze, and physical damage to millions of dollars of GPU infrastructure. This example perfectly illustrates why digital risk is now physical risk as well.
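The scenario above turns on three observable signals: a third-party account writing a cooling tag it should never touch, a chilled-water setpoint drifting out of its operating envelope, and pumps flapping on and off. The monitor below, an added example that is not from the article or any vendor product, runs those three checks over a constructed BMS event log; the tag names, account names, safe range and thresholds are all assumed for illustration.

```python
from collections import defaultdict, deque

# Constructed policy (not from the article): operating envelope per setpoint tag and
# the tags each account may write; a lift vendor has no business touching cooling.
SAFE_RANGE = {"CHW_SETPOINT_C": (5.0, 10.0)}
WRITE_SCOPE = {"ops_engineer": {"CHW_SETPOINT_C", "PUMP1_CMD"},
               "vendor_elevator": {"LIFT_MODE"}}
CYCLE_WINDOW_S = 60  # look-back window for pump-state flapping
CYCLE_LIMIT = 4      # more state changes than this in the window = cycling loop

# Constructed event log: (t_seconds, op, account, tag, value); op is "write" for a
# control write and "report" for telemetry reported by a cooling PLC.
EVENTS = [
    (0,   "write",  "ops_engineer",    "CHW_SETPOINT_C", 7.0),
    (60,  "write",  "vendor_elevator", "CHW_SETPOINT_C", 9.5),   # in range, wrong account
    (120, "write",  "vendor_elevator", "CHW_SETPOINT_C", 12.0),
    (180, "write",  "vendor_elevator", "CHW_SETPOINT_C", 15.0),
    (200, "report", "plc_cooling", "PUMP1_STATE", 1),
    (205, "report", "plc_cooling", "PUMP1_STATE", 0),
    (210, "report", "plc_cooling", "PUMP1_STATE", 1),
    (215, "report", "plc_cooling", "PUMP1_STATE", 0),
    (220, "report", "plc_cooling", "PUMP1_STATE", 1),
    (225, "report", "plc_cooling", "PUMP1_STATE", 0),
]
def analyse(events):
    # Returns (t, kind, tag, detail) tuples for the three conditions below.
    alerts, last_state = [], {}
    transitions = defaultdict(deque)  # tag -> timestamps of recent state changes
    for t, op, account, tag, value in sorted(events):
        if op == "write":
            # Rule 1: write outside the account's authorised tag set. This is what
            # catches the 'subtle' in-range change that the envelope check cannot.
            if tag not in WRITE_SCOPE.get(account, set()):
                alerts.append((t, "unauthorised_write", tag, account))
            # Rule 2: setpoint pushed outside the operating envelope.
            lo_hi = SAFE_RANGE.get(tag)
            if lo_hi and not lo_hi[0] <= value <= lo_hi[1]:
                alerts.append((t, "setpoint_out_of_range", tag, value))
        elif op == "report" and tag.endswith("_STATE"):
            # Rule 3: rapid on/off cycling, the power-surge pattern in the scenario.
            if tag in last_state and last_state[tag] != value:
                recent = transitions[tag]
                recent.append(t)
                while t - recent[0] > CYCLE_WINDOW_S:
                    recent.popleft()
                if len(recent) > CYCLE_LIMIT:
                    alerts.append((t, "pump_cycling", tag, len(recent)))
            last_state[tag] = value
    return alerts
```

The in-range write at t=60 is only caught by the scope rule, which is why write authorisation per account matters as much as range checking on a BMS.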
The resource–resilience nexus
It’s not only the obvious risks, like cyber attacks and outages, that organisations should be concerned about. In major capital cities like Sydney and Melbourne, data centres are projected to triple their share of the energy grid by the end of the decade. This introduces broader risks in the form of:
- Operational disruption: If a data centre can’t actively manage its energy use, especially during high-demand periods such as heatwaves, it can put the wider community’s power supply at risk, rather than helping keep it stable.
- Supply chain dependencies: Australia is overly reliant on a handful of global vendors for specialised OT components (like massive industrial UPS systems or AI-optimised cooling units). A delay in a single proprietary component can stall a $500 million expansion or, worse, leave a facility unable to recover from a hardware failure.
- Physical risk: As facilities get larger, they become more attractive targets for physical sabotage or hybrid threats, whereby a cyber attack is combined with a physical attack on a local substation, for example.
The convergence of IT and OT technology
Data centres rely on a complex web of technology to operate. At the facility level, you have power systems, back-up generators, cooling systems and other electrical equipment that support the physical building. At the IT level, you have the servers, storage and equipment that handle data, plus systems that keep them powered and cool. Lastly, you have distributed energy resources (DER), which consist of extra power sources like generators and batteries that operate independently from the main grid.
As data centres have grown larger and more capable, this technology has become increasingly connected — exposing the facilities to greater cyber risk. Systems that used to be isolated, such as power, cooling and generators, are now connected to the internet, which has created more entry points for attackers.
The problem is, common security tools are not equipped to handle these complex cyber-physical networks. They leave blind spots, which are vulnerable to attack. Furthermore, a lack of understanding and collaboration between internal teams is exacerbating this issue. Facility managers are purely focused on maintaining power and cooling, often without regard for cyber threats, while security teams are purely focused on protecting the data itself, and often lack visibility into the physical equipment powering the data centre. This lack of visibility can significantly increase the level of cyber risk. After all, you cannot secure what you cannot see.
For example, if the IT team has zero visibility into the programmable logic controllers (PLCs) managing the back-up generators, this creates a massive security blind spot. Attackers could subsequently target the PLCs as a way to get into the network undetected.
Securing data centres against increasing cyber risk
Introducing a cyber-physical systems (CPS) protection program is essential to bridge the gap between different teams (and priorities) within organisations. An effective CPS protection program should bring facility managers, electrical engineers and C-suite leaders into the same room as the CISO to build a unified strategy for protecting their cyber-physical systems.
By aligning these teams under a shared mission of exposure management, organisations can move beyond a reactive patching approach, towards a more proactive, ‘whole-of-facility’ view. When IT and OT teams speak the same language and share the same visibility, you transform security from a friction point into a foundational pillar of national infrastructure reliability.