国产视频

Close

GettyImages-143135053 (1)

Securing the Backbone of Artificial Intelligence: Protecting Data Centers

Table of Contents

Cyber Threats

The different pieces of a data center鈥攖he purposes or types, the five key components, and additional considerations鈥攊nfluence a data center鈥檚 vulnerabilities and risks, and all need to be secured for a cyber-secure AI data center. This includes the requirements of AI workloads: the models, weights, and training data.

Additionally, while not a foundational requirement, increasingly complex and large data centers utilize data center infrastructure management (DCIM) software to efficiently maintain and manage the facilities. DCIMs will be useful for AI data centers in the following capacities:1

  • Intelligent capacity search enables quickly finding which device or rack has the capacity for additional AI deployment.
  • Predictive analysis predicts the impact of AI workloads on rack capacity and power usage.
  • Automatic server power budgeting calculates the required power for servers.
  • Dynamic single-line power diagrams depict power capacity and load to support redundancy planning and protect against break trips.

There is also newer software designed specifically for certain hardware mostly found in AI data centers, such as Trend Vision One鈥擲overeign and Private Cloud (SPC) for GPUs and TensorFlow for TPUs, further emphasizing the importance of cyber-secure software and applications deployed in AI data centers.2

A Security Framework for AI Data Centers

In considering all the pieces inside an AI data center, this report proposes the following framework with six layers of security: (1) hardware & compute, (2) network & storage, (3) model & data, (4) software & application, (5) physical access, and (6) geopolitical.

Some elements may require cybersecurity considerations at multiple layers depending on the threats they face. For example, training data in AI data centers requires security at the model & data layer from cyberattacks, at the physical access layer from infiltrators who physically enter the facilities to steal the data, and at the geopolitical layer from state-sponsored actors who are targeting AI training data for their own AI sovereignty. Figure 3A below maps the data center pieces at risk at each of the security layers.

Figure 3A_Lee
Graphic by Alex Bri帽as/国产视频.

This section of the report will dive into the different threats faced by both traditional and AI data centers and map them to the six-layer framework.

Traditional Data Center Threats

Data centers are high-value targets because they can store important data, provide critical services, and run networks, applications, security, and virtual machines. As previously mentioned in Table 1, data centers support mission-critical applications at banks and health care systems, allow cloud-based services to be scalable, process data for autonomous vehicles and the Internet of Things, and enable communication services. It is not an understatement to say that data centers are the backbone of all online services. Thus, a disruption or outage at data centers鈥攚hether caused intentionally by threat actors or unintentionally by human error or process failures鈥攃an be costly for data center operators, risking financial loss, reputation damage, regulatory penalties, and loss of customers.3 For example, in 2021, when data center outages cost companies an average of $100,000 per incident, Amazon Web Services experienced a five-hour data center outage due to a failure in network devices in the US-EAST-1 Region, costing the company $34 million in revenue.4

Both sophisticated nation-state actors and financially motivated cyber criminals target data centers with disruption attacks, ransomware incidents, and data breaches.5 Four common cyberattacks on data centers are listed in Table 2 along with examples of incidents.6

Distributed denial of service (DDoS) attacks rely on network connectivity to be able to target and overload a system or service, making defense at the network & storage layer critical.7 A ransomware attack targets and encrypts data, highlighting the importance of cybersecurity at the model & data layer.8 A supply chain attack can make both hardware and software inside a data center vulnerable, proving hardware and software layers to be crucial.9 Social engineering attacks depend on threat actors gaining a form of access into the data center whether through calling and deceiving the target鈥檚 customer support or manipulating employees to install remote access Trojans (RAT)鈥攎alware that gives hackers remote access into and control of a targeted system鈥攐r through backdoors into data center components.10 Social engineering attacks necessitate model & data as well as physical access layers of security. Furthermore, the 2017 DDoS campaign against Google and the 2018 Supermicro supply chain attack referenced in Table 2 involved actors in China, requiring consideration of the geopolitical layer that will be further detailed in the Changing World Threats section.

Threat actors can also combine these types of attacks in one operation. For example, in 2024, the German data center power supply company Bender experienced a ransomware attack in which hackers infiltrated its operating systems and gained unauthorized access to account, financial, and banking data.11 This incident, which affected the power and operations of a data center, was a combination of ransomware and supply chain attacks.

Beyond the four common types of cyberattack, there is another type of attack that data centers are particularly vulnerable to: side-channel attacks, a cybersecurity attack that collects information from a system鈥檚 process and execution or attempts to influence a system鈥檚 program.12 In data centers, side-channel attacks include measuring or surveilling fan power or the sounds a CPU makes, or using sensors that measure the electromagnetic field. These attacks can show threat actors CPU-level activity, the data architecture, and data usage, requiring security at the hardware & compute layer. In July 2025, global semiconductor company Advanced Micro Devices reported that four new processor vulnerabilities could allow hackers to conduct timing-based side-channel attacks, and cybersecurity company CrowdStrike labeled these weaknesses as critical threats.13

Finally, there are two specific types of risks also critical to data center security. The first is insider risk, defined by the Cybersecurity and Infrastructure Security Agency as 鈥渢he potential for an insider to use their authorized access or understanding of an organization to harm that organization,鈥 whether intentional or unintentional.14 Insider risk can be mitigated by limiting access to trusted people, and it requires cyber defense at the physical access layer. The second is supply chain risk. Beyond supply chain attacks described earlier in this section, there is an added risk because a majority of the components in a data center are developed by third-party suppliers. At the hardware layer, data centers rely on a global network of hardware suppliers, which creates risks of counterfeit and flawed hardware even without a threat actor鈥檚 interception or attack.15 At the software layer, third-party tools and applications hosted on data centers can have vulnerable code, making the selection of third-party suppliers as well as secure design of applications and code critical.16 Figure 3B below maps traditional data center cyberattacks and risks to the proposed six layers of security.

Figure 3B_Lee
Graphic by Alex Bri帽as/国产视频.

AI Data Center Threats

In addition to all the threats that traditional data centers face, AI data centers face unique threats. Specifically: (1) The hardware & compute layer needs to consider ASIC and AI-specific hardware-level attacks, such as memory-level and TPU-specific attacks, and (2) the data layer needs to expand to include model security since AI model weights and training data are in AI data centers.

At the hardware & compute layer, defending against supply chain attacks and vulnerabilities, as well as side-channel attacks, are still critical. AI data centers need trusted and secured GPUs and ASICs, which, like CPUs, rely on a global supply chain.17

Once the hardware is inside the AI data center, the sounds from GPUs can reveal information to threat actors about those GPUs, model architecture, and architecture weights.18 A common GPU side-channel attack is keystroke inference, through which hackers monitor GPU-based rendering workloads to get access to keystrokes and user inputs.19 Tim Fist, director of emerging technology at the Institute for Progress, highlighted that 鈥淕PUs are more vulnerable than CPUs to memory-level attacks.鈥20 GPUs do not always have sufficient memory isolation, which means that memory can be carried from one process to another and allow threat actors to get access to model weights and training data.21 There is also GPU-specific malware that can execute malicious code on a GPU鈥檚 memory and could bypass traditional CPU security tools. Notably, in January 2025, Nvidia announced that seven new vulnerabilities were found in its GPUs, with three of them being of high severity.22

GPU vulnerabilities can be found in traditional data centers because large-scale centers deploy GPUs. On the other hand, TPUs鈥攚hich are also subject to the side-channel and memory-level attacks mentioned above鈥攁re uniquely designed for AI and were first deployed internally by Google in 2015.23 In early 2025, a TPU-specific side-channel attack, TPUXtract, was discovered. TPUXtract exploits unintentional TPU data leaks to enable a threat actor to infer an AI model鈥檚 parameters, essentially allowing AI model exfiltration and intellectual property (IP) theft.24

Given that the hardware & compute layer threats enable hackers to extract information about the AI model and weights deployed in the AI data center, the threats at the data layer can extend to the model layer. When data is exfiltrated from a traditional data center, the impacts can include the loss of sensitive data, regulatory issues, and reputational damage.25 When AI model information and IP are accessed and stolen, the impacts expand to include risking the integrity and confidentiality of the AI model. Threat actors can manipulate exfiltrated models to create vulnerabilities and bias decision-making.26 Additionally, as it becomes increasingly evident that AI will influence geopolitics, the global economy, national security, and human lives, the importance of protecting models becomes critical.27 This point will be further described in the Changing World Threats section.

Model threats include AI training and model weight exfiltration through traditional ransomware and social engineering attacks. Furthermore, AI models face specific model-level threats:28

  • Data poisoning attacks: accidentally or purposefully including incorrect data in the AI training dataset, leading to erroneously trained AI models
  • Model inversion attacks: recovering training data from AI models by querying models, examining the outputs, and extracting information
  • Model stealing attacks: querying AI models and using the outputs to train a replacement model trained like the original model
  • Model poisoning attacks: modifying model parameters or architecture to create a backdoor or change the model鈥檚 behavior29

At a high level, AI hardware-specific cyber threats and model threats expand cyber threats to AI data centers. Figure 3C below maps cyberattacks specific to AI data centers to the proposed six layers of security.

Figure 3C_Lee
Graphic by Alex Bri帽as/国产视频.

Changing World Threats

As data centers and their components change to meet the requirements of AI data centers, the world continues to transform as well, introducing new or enhanced threats for emerging AI data centers.

The first type of change is in volatile geopolitics. While traditional data centers also face geopolitical threats and are targeted by nation-state actors, these threats are heightened for AI data centers due to AI鈥檚 significance for national security and economic competitiveness. With the advent of the AI race, the concept of sovereign AI鈥攖he ability of a nation to develop, use, and govern its own AI models and related infrastructure鈥攊s on the rise, and many believe that sovereign AI is crucial for national security and economic competitiveness.30

In April 2025, the U.S. Department of Defense highlighted that the Joint Staff is implementing AI to improve military operations, to improve a commander鈥檚 decision-making and responsiveness, and to streamline processes.31 The potential for AI technologies to help counter threats across all sectors, including critical energy infrastructure, will only embed AI deeper into critical infrastructure.32 In terms of economic competitiveness, technological innovation results in high-level economic improvement, and with AI specifically, automation of routine tasks and AI-supported creative and technical work are predicted to further innovation, allow for strategic tasks, and improve a nation鈥檚 economy.33

These uses for AI indicate that if actors stole AI models, weights, or training data, sensitive data related to the military, economy, critical infrastructure, and more would be leaked. Additionally, stolen AI models can help hackers create deepfakes or convincing phishing emails for enhanced psychological warfare and disinformation campaigns, election interference, cybercrime and financial fraud, and critical infrastructure attacks.34

As AI becomes a key component of national security and economic competitiveness, AI data centers become key assets to protect from foreign adversaries, especially from sophisticated cyber threat actors sponsored by Russia, China, Iran, and North Korea. Nation-state threat actors are well resourced and sophisticated, posing a serious threat to even the biggest U.S. companies and critical industries, as CrowdStrike鈥檚 chief security officer Shawn Henry stated in 2023.35 For example, the Chinese state-sponsored hacking group Salt Typhoon successfully gained access to an unprecedented amount of information from the largest U.S. telecommunications companies and accessed information on high-value targets like Donald Trump and JD Vance.36

Unfortunately, like most businesses and companies, AI data centers鈥 commercial operators are typically not equipped to defend against such sophisticated operations. In 2024, OpenAI emphasized the importance of increasing AI data center and infrastructure security.37

Even before an AI data center is operational, there is potential for sabotage attempts, given that Chinese companies exclusively manufacture many AI data center components, such as most transformer substations critical for power systems. This means that Chinese companies could install backdoors into the hardware components. In addition, most AI-specific GPUs are made in Taiwan, which is threatened by China as part of a larger national sovereignty debate. Historically, Taiwan Semiconductor Manufacturing Company (TSMC) technologies and products have been unlawfully transferred to mainland China. There are also concerns and a strong suspicion that the Chinese Communist Party (CCP) has infiltrated TSMC and U.S. labs with spies.38

Once an AI data center is operational, geopolitical threats continue as AI data centers are vulnerable to state-sponsored disruption and exfiltration attacks due to an insufficient level of cybersecurity.39 For example, Russia has sophisticated cyber capabilities to infiltrate AI data centers, steal models, and potentially run a model in its own infrastructure.40

Despite the potential state-sponsored targeting of AI data centers, companies and nations are risking increased threats by building AI data centers abroad and joint centers shared with other countries. Figure 4 below shows the number of AI data centers in different countries, and also reveals that Asia has the most.41 In January 2025, the United States and the United Arab Emirates (UAE) announced a partnership to build a data center in Abu Dhabi, which will be the largest AI data center outside the United States.42 Concerningly, the Persian Gulf is a part of China鈥檚 Digital Silk Road 2.0, and the UAE has adopted Chinese 5G technology and city-wide surveillance programs, potentially giving the CCP access to the AI data center. Companies also choose to build AI data centers abroad in locations that have cheap energy and land, such as Malaysia.43

The second type of change is evolving technologies. As previously mentioned, the capabilities of AI data centers have conversely enabled an increasingly robust system, which wielded by U.S. competitors, increases risks to critical data center infrastructures. Threat actors are using AI tools to enhance phishing campaigns, research target networks, conduct post-compromise activities, and support coding tasks.44 They are also using AI-generated deepfakes to bypass multifactor authentication.45

AI models themselves can also pose a threat to data centers through AI self-exfiltration. Traditional data centers face threats from backdoors installed into data center components, allowing a threat actor to exfiltrate or access sensitive information. AI data centers face an additional threat of backdoors installed into AI models through model poisoning, which could enable threat actors to steal the model weights and information. In addition, model self-exfiltration is a novel threat that refers to AI models deceiving the user and cybersecurity measures in place in order to self-leak its model weight and sensitive data.46 Typical methods to protect model weights鈥攕uch as air gaps鈥攎ay not stop model self-exfiltration because the model may take over the system.47 This new threat鈥攁 novel form of data exfiltration and leakage鈥攆urther necessitates enhanced model security.

Besides AI, there are other technological evolutions in the works that will enhance threats to AI data centers, such as quantum computing, which will soon require next-generation cryptography.48 Figure 3D below maps changing world threats to the proposed six layers of security, and Figure 3E compiles Figures 3B鈥3D to map the different types of threats across the layers.

Figure 3D_Lee
Graphic by Alex Bri帽as/国产视频.
Figure 3E_Lee
Graphic by Alex Bri帽as/国产视频.
Citations
  1. 鈥淒ata Center Infrastructure Management,鈥 Sunbird, accessed June 16, 2025, .
  2. Agam Shah, 鈥淭rend Micro, Nvidia Partner to Secure AI Data Centers,鈥 DarkReading, June 6, 2024, .
  3. 鈥淒ata Center Threats and Vulnerabilities,鈥 Check Point Software Technologies, accessed June 18, 2025, .
  4. Rich Miller, 鈥淧roblems With AWS Network Devices Caused Widespread Cloud Outage,鈥 Data Center Frontier, December 8, 2021, ; Bill鈥疜leyman, 鈥淭he Data Center Ransomware Attack That Costs You Everything,鈥 Data Center Knowledge, September鈥1,鈥2023, .
  5. Beth Maundrill, 鈥淐ybersecurity Implications of Data Centres as Critical National Infrastructure,鈥 Infosecurity Europe, October 28, 2024, .
  6. 鈥淒atacenter Vulnerabilities:鈥7 Life鈥慍hanging Attacks You Must Know,鈥 Enterprise Engineering Solutions Corporation, accessed July鈥15,鈥2025, ; Catalin鈥疌impanu, 鈥淕oogle Says It Mitigated a 2.54鈥疶bps DDoS Attack in 2017, Largest Known to Date,鈥 ZDNet, October鈥16,鈥2020, ; Daryna Antoniuk, 鈥淚ndonesia鈥檚 National Data Centre Encrypted鈥疻ith鈥疞ockBit Ransomware Variant,鈥 The Record, June鈥24,鈥2024, ; Curtis鈥疐ranklin, 鈥淩eport: In Huge Hack, Chinese Manufacturer Sneaks Backdoors Onto Motherboards,鈥 DarkReading, October鈥5,鈥2018, ; 鈥淎pplication Attacks,鈥 Contrast Security, accessed July 15, 2025, ; Abdelrahman Esmail, 鈥淐ryptojacking via CVE鈥2023鈥22527: Dissecting a Full鈥慡cale Cryptomining Ecosystem,鈥 Trend Micro, August 28, 2024, ; 鈥淐yber Attacks on Data Center Organizations,鈥 Resecurity, February鈥20,鈥2023, .
  7. Josh Fruhlinger and Lucian Constantin, 鈥淒DoS Attacks: Definition, Examples and Techniques,鈥 CSO, May 17, 2024, .
  8. Kurt鈥疊aker, 鈥淚ntroduction to Ransomware,鈥 CrowdStrike, March 4, 2025, .
  9. 鈥淭hird鈥慞arty Data Breaches: What You Need to Know,鈥 Mitratech, January 7, 2025, .
  10. Computer Security Resource Center, 鈥淪ocial Engineering,鈥 National Institute of Standards and Technology, accessed July 15, 2025, ; 鈥淲hat Is a Remote Access Trojan?,鈥 Fortinet, accessed July鈥15,鈥2025, ; 鈥淒ata Center Threats and Vulnerabilities,鈥 Check Point Software Technologies, accessed June 18, 2025, .
  11. Sebastian Moss, 鈥淒ata Center Power Supply Business Bender Hit by Ransomware Attack,鈥 Data Center Dynamics, December 3, 2024, .
  12. Scott Robinson, Gavin Wright, and Alexander S. Gillis, 鈥淲hat Is a Side-Channel Attack?,鈥 TechTarget, April 8, 2025, .
  13. Gyana Swain, 鈥淎MD Discloses New CPU Flaws That Can Enable Data Leaks via Timing Attacks,鈥 CSO, July 10, 2025, .
  14. Maundrill, 鈥淐ybersecurity Implications of Data Centres,鈥 ; 鈥淒efining Insider Threats,鈥 Cybersecurity and Infrastructure Security Agency, accessed June 18, 2025, .
  15. Matt Vincent, 鈥淗ow Tariffs Could Impact Data Centers, AI, and Energy amid Supply Chain Shifts,鈥 Data Center Frontier, April 3, 2025, ; 鈥淪ecuring the Hardware Supply Chain,鈥 OPSWAT, accessed June 18, 2025, .
  16. 鈥淒ata Center Threats and Vulnerabilities,鈥 Check Point Software Technologies, .
  17. 鈥淩eimagining Secure Infrastructure for Advanced AI,鈥 OpenAI, May 3, 2024, .
  18. Tim Fist, interview by Seungmin Lee, April 24, 2025.
  19. 鈥淕PU Vulnerability: Side-Channel Attacks,鈥 Liquid Web, accessed July 15, 2025, .
  20. Tim Fist, interview by Seungmin Lee, April 24, 2025.
  21. 鈥淕PU Vulnerability: Side-Channel Attacks,鈥 Liquid Web, .
  22. Davey鈥疻inder, 鈥淣vidia Security Warning鈥擜ct Now as 7 New GPU Vulnerabilities Confirmed,鈥 Forbes, January鈥28,鈥2025, .
  23. Chaim Gartenberg, 鈥淭PU Transformation: A Look Back at 10 Years of Our AI-Specialized Chips,鈥 Google Cloud, July 31, 2024, .
  24. Nate Nelson, 鈥淲ith 鈥楾PUXtract,鈥 Attackers Can Steal Orgs鈥 AI Models,鈥 DarkReading, December 13, 2024, .
  25. 鈥淩isks of Data Exfiltration,鈥 SentinelOne, .
  26. 鈥淐ase Study: How TPUXtract Leveraged Keysight Tools for AI Model Extraction,鈥 .
  27. Satariano and Mozur, 鈥淭he Global AI Divide,鈥 .
  28. 鈥淭op 14 AI Security Risks in 2024,鈥 SentinelOne, accessed June 18, 2025, .
  29. 鈥淭op 14 AI Security Risks in 2024,鈥 .
  30. Muath鈥疉lduhishy, 鈥淪overeign鈥疉I: What鈥疘t鈥疘s, and 6 Strategic Pillars for Achieving It,鈥 World Economic Forum, April鈥25,鈥2024, .
  31. Wes Shinego, 鈥淒efense Officials Outline鈥疉I鈥檚 Strategic Role in National Security,鈥 U.S. Department of Defense, April 23, 2025, .
  32. Shingeo, 鈥淒efense Officials Outline鈥疉I鈥檚 Strategic Role in National Security,鈥 .
  33. Alduhishy, 鈥淪overeign鈥疉I,鈥 .
  34. Shlomit鈥疻agman, 鈥淲eaponized AI: A New Era of Threats and How We Can Counter It,鈥 Harvard Kennedy School Ash Center, April鈥8,鈥2025, .
  35. Carrie Pallardy, 鈥淲hat CISOs Need to Know 国产视频 Nation-State Actors,鈥 InformationWeek, December 12, 2023, .
  36. Erica鈥疍.鈥疞onergan and Michael鈥疨oznansky, 鈥淎 Tale of Two Typhoons: Properly Diagnosing Chinese Cyber Threats,鈥 War on the Rocks, February 25, 2025, .
  37. 鈥淩eimagining Secure Infrastructure for Advanced AI,鈥 .
  38. Jeremie Harris and Edouard Harris, America鈥檚 Superintelligence Project (Gladstone AI, April 2025), .
  39. Billy Perrigo, 鈥淓xclusive: Every AI Datacenter Is Vulnerable to Chinese Espionage, Report Says,鈥 Time, April 22, 2025, .
  40. Harris and Harris, America鈥檚 Superintelligence Project, .
  41. Satariano and Mozur, 鈥淭he Global AI Divide,鈥 ; Zoe Hawkins, Vili Lehdonvirta, and Boxi Wu, 鈥淎I Compute Sovereignty: Infrastructure Control Across Territories, Cloud Providers, and Accelerators,鈥 SSRN, June 24, 2025, .
  42. Amy鈥疓unia, 鈥淲ill 鈥楳assive鈥 Gulf Deals Cement the U.S. Lead in the Race for Global AI Dominance?,鈥 CNN, May鈥22,鈥2025, .
  43. Tye鈥疓raham and Peter鈥疻.鈥疭inger, 鈥淗ow China鈥檚 Tech Giants Wired the Gulf,鈥 Defense One, May 13, 2025, ; Butts, 鈥淢alaysia Is Emerging as a Data Center Powerhouse,鈥 .
  44. Google Threat Intelligence Group, 鈥淎dversarial Misuse of Generative AI,鈥 Google Cloud, January鈥29,鈥2025, .
  45. Andersen Cheng, 鈥淭he Race to Build Data Centers Is On鈥揌ere鈥檚 How We Keep Them Secure,鈥 TechRadar Pro, December 4, 2024, .
  46. Marius Hobbhahn, 鈥淪cheming Reasoning Evaluations,鈥 Apollo鈥疪esearch, January 23, 2025, .
  47. Austin Carson, interview by Seungmin Lee, April 17, 2025.
  48. Cheng, 鈥淭he Race to Build Data Centers Is On,鈥 .

Close

Cyber Threats

View as PDF

Table of Contents

Close

Securing the Backbone of Artificial Intelligence: Protecting Data Centers