
Securing the UK’s Data Centres Against Escalating Hybrid Sabotage

November 2025, Ben Harris, Partner
Published on: Intelligent Data Centres




Data centres are the backbone of the UK’s digital economy, and as such, they are prime targets for a new breed of threat: hybrid sabotage, where physical intrusion and cyber exploitation are combined to cause real operational disruption. Hybrid sabotage, driven by geopolitical tension, grey-zone warfare and activist disruption, is a growing threat that is strategically planned, often state-aligned, and increasingly aimed at critical infrastructure.

It is not surprising, therefore, that data centres are now part of the UK’s critical infrastructure.


The UK government is preparing to introduce the Cyber Security and Resilience Bill (CSRB), a landmark piece of legislation that will, for the first time, bring data centres formally into scope of the UK’s cyber-regulatory regime. For industries that rely on data centres, such as finance, healthcare, utilities, government and cloud services, this legislation introduces stronger resilience standards, faster incident reporting and greater supply chain accountability.


Ben Harris, Partner at Avella Security and a former UK Special Forces and Royal Marine Commando, shares his insights on how data centre operators must rethink their security strategy to meet the emerging hybrid sabotage threat and build stronger resilience.


What do you mean by hybrid sabotage, and why is it such a concern for data centres?

Hybrid sabotage combines physical and digital attack methods. It’s not just about hacking a server or breaching a gate; it’s when attackers use one domain to exploit vulnerabilities in the other.


Data centres are increasingly strategic assets, so adversaries are targeting them in ways that exploit both physical access and digital systems. Most security teams still treat cyber and physical security as separate entities, which leaves exploitable gaps.


Can you give examples of the types of attacks operators should be worried about?

Around the world, hybrid attacks are becoming more precise and more frequent. In Ukraine, co-ordinated drone strikes have targeted infrastructure sites. In the Middle East, low-tech incursions are paired with digital surveillance to locate vulnerabilities.


Real-world examples show how determined individuals with minimal tools and some insider knowledge can compromise a facility faster than most cyber adversaries, with a far longer-lasting impact. For instance, the breach at RAF Brize Norton, where two individuals, using basic tools and repurposed fire extinguishers, accessed an active runway, disabled aircraft engines with paint and left undetected, had a real tactical impact.


Another example is the cutting of Microsoft’s undersea cables in the Red Sea. These are the digital arteries of the global economy, funnelling much of the world’s traffic through a narrow, unstable stretch of ocean. The disruption caused cloud slowdowns for services like Microsoft Azure and showed just how fragile our connectivity really is.


This incident is part of a broader rise in ‘sub-war’ hybrid tactics – sabotage that falls short of open conflict but causes strategic damage. It highlights two truths: global chokepoints are highly exposed, and our economies are so dependent on seamless connectivity that even a temporary break can have cascading consequences.


Modern adversaries don’t think in silos. They use physical access to exploit digital systems and digital tools to plan and enable real-world attacks. Yet many UK data centres still rely on outdated assumptions: that perimeter fencing, keycard access or an on-site guard is enough to deter today’s attackers.


How should data centre operators adapt to this evolving threat?

Operators need a strategic, integrated approach. Here are five key steps they must take:


  1. Unify physical and cybersecurity governance

    In most data centres, cybersecurity and physical security are managed by separate teams. That siloed model no longer works. Operators must transition to a unified security framework, incorporating integrated threat detection, shared risk models, joint incident response and centralised accountability.


  2. Design infrastructure for containment, not just prevention

    Resilient data centres should be designed to contain threats through strict segmentation, isolated backups and regularly tested recovery drills.


  3. Secure building management and facility OT systems

    Today’s data centres rely on IP-connected Operational Technology. These systems often sit outside core cyber monitoring, making them low-hanging fruit for attackers. Treat your critical building management and infrastructure OT with the same protection as your production environments: monitor them, patch them and isolate them.


  4. Test your physical security like you test your networks

    Cyber red teaming is standard. Physical red teaming is less so. But it only takes one person slipping through a gate, using a copied ID badge, or following someone inside without being checked to undo millions spent on cybersecurity. Operators should routinely test physical access controls, conduct realistic covert intrusion simulations and ensure frontline staff are trained to recognise suspicious behaviour, not just digital anomalies.


  5. Train for real-world hybrid scenarios

    Run training that reflects real-world situations, such as a cyberattack occurring during a protest or the spread of false information while an alarm is sounding. These types of mixed threats are becoming increasingly common, so your teams need to be prepared for them.


What role does regulation play in improving security?

Regulation sets a baseline, but proactive preparation is critical.


The CSRB encompasses both cyber and physical resilience, holding the entire supply chain ecosystem accountable from IT vendors to contractors with site access.


It’s essential because the two are completely intertwined. For years, organisations have focused on cyberdefences – firewalls, patching and monitoring – while treating physical security as a separate discipline. The CSRB makes clear that you cannot have one without the other: resilience means securing both the racks and the roof.


The UK’s regulatory shift is a start. But the risk is evolving faster than policy. Waiting for compliance deadlines is not a measure of resilience. The most secure operators are already moving faster: fusing physical and cyber posture, running red teams across both domains and embedding security into every layer of infrastructure design.


How does thinking of data centres as strategic assets change security priorities?

It shifts security from a technical checklist to a strategic function. Data centres are not just digital infrastructure; they are strategic assets and increasingly, strategic targets.


From my experience operating in environments where threats are asymmetric, unexpected and deeply strategic, I’ve seen how attackers exploit gaps between protocols. They don’t care about your audit report. They care about access, impact and optics.


So, if your cyber team is hardened but your back gate is unsecured… they’ll find it.


If your SOC can detect a DNS anomaly in milliseconds, but your staff misses a suspicious van parked near a power supply… they’ll exploit it.


And if your incident response plan assumes a digital-only breach, you’ll be caught flat-footed when the real threat enters through a fire exit.


Strategic thinking involves planning for how adversaries might combine digital and physical tactics and designing defences to anticipate those scenarios.


What’s the most common mistake operators make in preparing for hybrid threats?

Underestimating the interplay between cyber and physical security. Many assume that protecting networks alone is enough or that gates and guards suffice. Hybrid threats exploit whichever domain is weaker. Security must be holistic, covering both digital and physical dimensions seamlessly.


What’s your advice for operators today?

Don’t wait. Break down silos, test defences in realistic scenarios, unify teams and embed security into every layer of infrastructure.


Data centre operators must be prepared and get real about a world where data is power, and attackers will test every vulnerability – digitally, physically or both at once.
