Too Big to Fail – Hyperscale Data Centres Bring New Infrastructure Security Imperatives to Australia

By Mike Fisher*

The security implications of huge data centres as an integral component of national infrastructure have moved to centre stage with the wave of investment announcements arriving on our shores.

Among the latest news was the announcement that CDC Data Centres has signed the biggest data centre deal in Australian history, a 555 MW contract equivalent to 40 per cent of all existing data centre capacity in the nation. The new capacity, to be delivered from 2028, will form part of CDC’s projected capacity pipelines exceeding 2.6 GW.

Landmark announcements such as this – and the recent news that NSW is positioning itself to become a world-leading data centre – are a result of the boom in Australia’s Artificial Intelligence sector, which is driven by demand from local and international companies for secure, high-density AI infrastructure.

Understandably, the expanded needs have caught the attention of the entire development community involved in the planning, construction, and management of such facilities. This community extends from architects and designers, systems engineers, builders and developers, and facility managers through to – importantly – CEOs, MDs, Risk Managers, Security Managers and the host of individuals and groups concerned with delivering a cyber-secure and physically protected facility.

Why is this important?

High security portals, such as the Circlelock, pictured, are ideal for high-security biometric integration to provide top levels of protection against unauthorised access to a data centre’s most sensitive areas as part of layered physical security protection. In other applications requiring higher throughput, but still high levels of security, high security revolving doors such as the Tourlock are better suited.

These facilities house massive amounts of data for governments, financial institutions, and global tech companies. Because of this concentration of essential personal, corporate, and State data, a single successful security breach can have catastrophic, widespread impact. Failure could disrupt digital banking, logistics, and communication services essential to society.

In fact, hyperscale data facilities are no longer standalone data centre businesses – they have become critical components of our national infrastructure.

In the same way that our financial institutions have become too large and too important to our society to fail, so the cyber and physical security of data centres is now a matter of Government regulation and compliance. These statutory responsibilities to protect big data fall under the Security of Critical Infrastructure Act (SOCI Act), which all providers to the industry have a legal Duty of Care to understand and act upon.

The Boon Edam Group, of which I am part, has particular expertise in physical security priorities that must be addressed in compliance with such codes, nationally and internationally. Our experience is earned as a provider of security entrance systems to several of the world’s largest and most influential “Big Tech” companies, dominating different sectors of the digital economy. This experience in physical security – the other side of the coin from cybersecurity – addresses physical data security in facilities ranging from in-house and dispersed networks, through to the needs of the very largest mega facilities of the types arriving here.

Components of “mega-scale” security

  • High-Value Target for Cyber Attacks: Data centres are prime targets for ransomware, Distributed Denial of Service (DDoS) attacks, and Advanced Persistent Threats (APTs) aimed at stealing data or computing resources.
  • Physical Security Risks and Sabotage: Because they are centralised nodes, physical damage – whether from sabotage, vandalism, or environmental factors – can disrupt services for thousands of clients.
  • Insider Threats: With massive infrastructures, insider threats (disgruntled employees or contractors abusing access privileges) pose a significant danger, requiring tight control over employee vetting and access.
  • Sophisticated Threat Landscape: Operators face daily threats, from advanced cyberattacks on AI-managed systems, through to potential physical sabotage of cooling systems or power infrastructure.
  • Grid Stability Risks: Large data centres are becoming so large that they can behave as “digital mega-loads” on the power grid. Security lapses can lead to unexpected shutdowns that cause significant grid instability, potential blackouts, and financial loss.
  • Dependency Risks: Data centres are increasingly dependent on interconnected network services, meaning a breach in one segment can quickly spread throughout the entire enterprise or supply chain. Thus, layered protection, extending beyond just one part of a facility, must also cover multiple and sometimes dispersed choke points.
  • Defence-in-Depth: Security models are employed not just at the entrance but in layers throughout the facility, providing protection at appropriate levels covering everything from lobby and general-area access through to critical server cabinets, the power substations that drive these energy-hungry facilities, and the large and essential HVAC plants that cool them.

    A layered approach to physical security includes perimeter security, revolving doors at the front door, speed gates in a lobby or reception area, and high security revolving doors or portals to protect data rooms, server rooms, and high value areas

  • Stringent Access Controls: Government and high-risk data centres often employ biometric authentication and prohibit devices with wireless functionality. Stronger access security manages selective entry for employees, contractors, and visitors with biometrics, two-factor authentication (2FA), and mobile credentials. Access security is validated through regular, rigorous penetration testing and audit procedures. Cyber-physical integration combines layered physical security measures with cybersecurity solutions to prevent both internal and external threats.
  • Complete Physical Protection: Security includes layers extending inwards from perimeter entry, through security entrances and electronically authorised speed lane access to higher-volume traffic areas, through to revolving security entrances and the ultimate mantrap entry systems for critical areas complementing trained security personnel, often using AI-enhanced video surveillance.

Layered security is now a keynote of physical access, ranging from regulated higher-volume speed lanes (above) through to more exclusive access security revolving doors and mantraps for areas such as servers. Speed lanes are among the first lines of selective access, suited to lobbies and reception areas as part of a data centre’s layered security solutions.

Such need for strong physical protection of data centres is validated both by the data industry’s own peak body, Data Centres Australia, and by the Federal Government’s Home Affairs Critical Infrastructure Security Centre’s recently published Risk Advisory for Critical Infrastructure.

Data Centres Australia welcomed the Australian Government’s release of national expectations for data centres and AI infrastructure developers. It notes that data centres are already subject to robust security obligations under the Security of Critical Infrastructure (SOCI) Act, which imposes mandatory reporting, risk management and compliance requirements on operators of critical data infrastructure.

This is important, given that the recent Risk Advisory from the Government’s Critical Infrastructure Security Centre notes infrastructure networks continue to be targeted globally by a widening array of threat actors.

In the Advisory’s timely statutory guidance, “The Data Storage or Processing Sector is a vulnerable target in many ways. For example, even in a high security environment like that of data centres, malicious insiders have a level of access that could enable significant disruption. As a result, stakeholders within the Sector must adapt their risk management strategies to ensure risks to the operation of assets critical to the nation’s economic and social wellbeing are being appropriately captured.”

In support of these objectives, our global experience demonstrates how intelligently applied layered entrance security can complement and enhance manned security, while reducing costs by using technology for continuous monitoring and control, allowing security personnel to focus on higher-value tasks and response activities.

Because of the critical nature of the data stored, and the vast number of users they serve, these facilities are high-value targets requiring advanced, proactive security measures that go far beyond traditional data centre safeguards.

Download Boon Edam’s white paper, “Best practices for data centre security and efficiency”, for more insights into data centre security. Contact the Author for personal attention to your needs.

Layered physical security of data centre hubs complements cybersecurity – each type of centre security is not complete without the other

About the Author

*Mike Fisher is Managing Director of Boon Edam Australia, which is part of the privately owned international Royal Boon Edam group, which provides architectural revolving door and layered security solutions to some of the world’s largest companies, Fortune 500 companies, and companies in Australia, New Zealand, and Papua New Guinea including financial, data and telecommunications, Federal and State Government, hospitality, health and age care, logistics, retail, and distribution facilities. Boon Edam Australia operates under Master security licence number: 000104487.

About Royal Boon Edam

With work environments becoming increasingly global and dynamic, smart, safe entry has become the centre of activity in and around many buildings. Royal Boon Edam is a global market leader in reliable entry solutions. Headquartered in the Netherlands, with 150 years of experience in engineering quality, we have gained extensive expertise in managing the transit of people through office buildings, airports, healthcare facilities, hotels, and many other types of buildings. We are focussed on providing an optimal, sustainable experience for our clients and their clients. By working together with you, our client, we help determine the exact requirements for the entry point in and around your building.

You can find more news about Boon Edam on www.boonedam.com.au/news
