
The Converged Playbook: Corporate Security for India’s Next-Gen Data-Centers

Sreekumar Narayanan
Chief Growth Officer,
BNB Security & Automation solutions

The ‘data center’ is no longer just rows of servers. It’s a system of systems – power, cooling, networks and rising rack densities – under growing environmental and regulatory pressure. For Corporate Security, that means your risk surface is both digital (IT – Information Technology) and physical/ industrial (OT – Operational Technology). The job is to keep computing safe and available while proving you are doing it responsibly.

Below is a pragmatic guide to what’s changing, the risks to own and how to govern them in India – grounded in current standards and data.

Density & liquids: AI (Artificial Intelligence) workloads push racks beyond 100 kW (kilowatts) per rack in cutting-edge deployments. Cooling is increasingly hydronic (liquid based), using CDUs (Coolant Distribution Units), pumps, valves and leak detectors, all of which live on your OT (Operational Technology) network and require security, logging and response just like servers do.

Power remains the #1 root cause of major incidents: Uptime Institute’s 2024 analysis finds on-site power distribution faults account for ~54% of impactful outages, ahead of cooling and cyber causes; most serious events still start as physical failures that cascade into IT impact.

Standards assume IT+OT convergence: NIST (National Institute of Standards and Technology) SP 800-82 Rev.3 is the reference guide for OT security; ISA/ IEC 62443 formalizes ‘zones & conduits’ segmentation for industrial networks; CISA (Cybersecurity and Infrastructure Security Agency) CPGs – Cross-Sector Cybersecurity Performance Goals prioritize high-impact controls for mixed estates.

Telemetry is getting standardized: Redfish 2024.4 (DMTF – Distributed Management Task Force) added leak detectors, liquid-cooling events and CDU controls to its schemas so plants can send consistent, machine-readable alarms. That’s a big win for SOC (Security Operations Center) automation.

India-specific levers matter: The DPDP Act (Digital Personal Data Protection Act, 2023) raises the bar for governance and logging; the Green Energy Open Access Rules, 2022 allow eligible consumers (now ≥100 kW, not 1 MW) to procure renewable power directly, which is relevant to ESG (Environmental, Social & Governance) targets and incident communications. The CEA (Central Electricity Authority) CO₂ Baseline Database lets you compute emissions (for CUE – Carbon Usage Effectiveness) with India-specific factors.

Bottom line: Security can’t be ‘IT only.’ You must own converged risk across IT, OT and physical security and prove it with metrics.

Power-chain fragility: Grid instability, switchgear and busway failures, UPS (Uninterruptible Power Supply) misconfigurations, selective-coordination mistakes – these remain the leading triggers of high-impact outages. Plan for electrical reality first.

OT ransomware & remote-access abuse: Attackers increasingly target BMS (Building Management System), PLCs (Programmable Logic Controllers), drives and vendor remote portals to cause availability events. NIST SP 800-82r3 profiles these exposures and countermeasures.

Cooling manipulation: Changing setpoints, disabling pumps/ fans or spoofing sensors can throttle AI halls quickly; leaks or over-pressure can create safety issues.

Supply-chain risk: Firmware for drives and CDUs, cloud portals, spare seals and fluids – trust is often implicit but exploitable.

Insiders & physical bypass: Tailgating, cage intrusion, under-floor tampering, badge misuse – still common in busy Colo (colocation) environments.

Data-in-use risk: Sensitive model weights and PII processed on shared accelerators without confidential computing; poor evidence trails impede investigations.

● Loss of cooling or power – from cyber or physical causes – can escalate to thermal runaway and outage.
● Compromise of OT networks (BMS/ CDU/ PLC) enables adversaries to affect safety, availability and integrity.
● Third-party dependencies (Colo landlords, OEM cloud portals, remote support) create implicit trust paths.
● Telemetry blind spots across IT/ OT/ physical domains delay detection and impede forensics.
● Regulatory & ESG exposure (DPDP obligations, carbon/ water reporting) threatens licenses, customers and reputation.

Architecture & Segmentation

● Implement ISA/ IEC 62443 ‘zones & conduits’ that separate Corporate IT, OT-Core (BMS, CDUs, chillers, drives, PLCs), Security Systems (PACS – Physical Access Control System, VSS – Video Surveillance System), tenants/ guests. Only allow explicit, documented conduits; inspect protocols where practical.

● Terminate all vendor remote access in a DMZ (Demilitarized Zone) you control; require MFA (Multi-Factor Authentication), just-in-time tokens, session recording and time-boxed access windows.

Identity & Least Privilege

● PAM (Privileged Access Management) for BMS/ PLC/ CDU/ HMI (Human-Machine Interface) accounts; absolutely no shared logins.
● Badge + biometric + escort policy for white space; tool control & change tickets for hands-on work.

Secure Configuration & Patch

● Maintain golden configs and approved firmware lists for OT devices; test in a lab twin before production.
● Quarterly vulnerability review; hot-patch only with risk-of-change sign-off and a rollback plan (OT changes can be safety-critical). NIST SP 800-82r3 is explicit on operational constraints – follow it.

Monitoring & Detection

● OT visibility: passive network monitoring (no intrusive scans), protocol-aware sensors; alert on setpoint changes outside SOP (Standard Operating Procedure) bands.
● Unified telemetry: stream Redfish 2024.4 liquid-cooling events (e.g., LeakDetectors, flow/ ΔP anomalies, CDU controls), BMS alarms, PACS/ VSS and server logs into the SOC/ SIEM (Security Information and Event Management). Redfish gives you vendor-agnostic messages; insist on it in RFPs.
● CPGs (CISA Performance Goals): prioritize asset inventory, immutable logging, backup/ restore drills, phishing resistance.
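The SOC-side logic this section calls for, as an added example that is not code from the original article or from any vendor: normalized OT events (a leak-detector state, a BMS setpoint change) are run through three checks, a setpoint outside its SOP band, a step change larger than the SOP allows, and a change made outside an open change window. The event field names, SOP bands, assets, actors and change windows are constructed assumptions, only loosely modelled on Redfish-style messages, not a real schema.

```python
"""SOC-side detection over normalized OT telemetry (added example, not from the article).
Event shapes, field names, SOP bands and change windows below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime

# SOP (Standard Operating Procedure) bands per parameter: (low, high). Assumed values.
SOP_BANDS = {
    "supply_water_temp_setpoint_c": (27.0, 32.0),   # warm-water loop
    "cdu_pump_speed_pct": (40.0, 100.0),
}
# Largest single step an operator may apply without a separate approval. Assumed values.
MAX_STEP = {"supply_water_temp_setpoint_c": 1.0, "cdu_pump_speed_pct": 20.0}

# Open change windows from the ticketing system: asset -> (start, end). Constructed.
CHANGE_WINDOWS = {
    "CDU-01": (datetime(2025, 1, 10, 9, 0), datetime(2025, 1, 10, 11, 0)),
}


@dataclass
class Alert:
    severity: str
    asset: str
    reason: str


def detect(events):
    """Return alerts for leak-detector trips, setpoints outside SOP bands,
    oversized step changes, and changes made with no open change window."""
    alerts = []
    last_value = {}  # (asset, param) -> last accepted value, for step-size checks
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        asset = ev["asset"]
        if ev["type"] == "LeakDetector":
            if ev["state"] in ("Warning", "Critical"):
                alerts.append(Alert(ev["state"].upper(), asset,
                                    f"leak detector {ev['detector']} reports {ev['state']}"))
            continue
        if ev["type"] == "SetpointChange":
            param, new = ev["param"], ev["value"]
            lo, hi = SOP_BANDS[param]
            if not lo <= new <= hi:
                alerts.append(Alert("CRITICAL", asset, f"{param}={new} outside SOP band {lo}-{hi}"))
            prev = last_value.get((asset, param))
            if prev is not None and abs(new - prev) > MAX_STEP[param]:
                alerts.append(Alert("HIGH", asset,
                                    f"{param} step {prev}->{new} exceeds {MAX_STEP[param]}"))
            window = CHANGE_WINDOWS.get(asset)
            if window is None or not (window[0] <= ts <= window[1]):
                alerts.append(Alert("HIGH", asset,
                                    f"{param} changed by {ev['actor']} with no open change window"))
            last_value[(asset, param)] = new
    return alerts


# Constructed sample stream: one approved in-window change, then an unapproved
# out-of-band change, a large pump-speed step and a leak trip on a second CDU.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:15:00", "asset": "CDU-01", "type": "SetpointChange",
     "param": "supply_water_temp_setpoint_c", "value": 30.0, "actor": "ot-admin"},
    {"ts": "2025-01-10T09:20:00", "asset": "CDU-01", "type": "LeakDetector",
     "detector": "LD-Row3", "state": "OK"},
    {"ts": "2025-01-10T14:05:00", "asset": "CDU-02", "type": "SetpointChange",
     "param": "supply_water_temp_setpoint_c", "value": 36.0, "actor": "vendor-portal"},
    {"ts": "2025-01-10T14:06:00", "asset": "CDU-02", "type": "SetpointChange",
     "param": "cdu_pump_speed_pct", "value": 45.0, "actor": "vendor-portal"},
    {"ts": "2025-01-10T14:07:00", "asset": "CDU-02", "type": "SetpointChange",
     "param": "cdu_pump_speed_pct", "value": 95.0, "actor": "vendor-portal"},
    {"ts": "2025-01-10T14:09:30", "asset": "CDU-02", "type": "LeakDetector",
     "detector": "LD-Manifold7", "state": "Critical"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.asset}: {a.reason}")
```

The change-window check is what turns a plant alarm into a security signal: a setpoint move that is inside its band but outside any ticket is the pattern a remote-access abuse or a sensor-spoofing attempt would leave behind, and it deserves a ticket-reconciliation step rather than an operator shrug.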

Safety & Reliability Interlocks

● Leak → isolate the affected segment automatically (target ≤60 s); over-temp → rollback setpoints; pump/ VFD (Variable-Frequency Drive) fault → auto-start standby. These should be hard-wired or controller-local where possible.
● Power path: selective coordination verified; IR (infrared) scans; breaker maintenance; align with Uptime’s outage findings.
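A controller-local interlock of the kind described above, simulated tick by tick, as an added example that is not code from the original article or from any controller vendor. It implements the three reflexes named in the bullet (leak → isolate segment, over-temp → rollback setpoint, pump/ VFD fault → start standby) and measures time-to-isolate against the ≤60 s target, including the valve travel time. Segment layout, scan interval, valve travel time, thresholds and the drill scenario are constructed assumptions.

```python
"""Controller-local safety interlocks, simulated (added example, not from the article).
Segment names, scan interval, valve travel time and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

TICK_S = 5            # controller scan interval, seconds (assumed)
VALVE_TRAVEL_S = 25   # time for a segment isolation valve to close fully (assumed)
OVERTEMP_C = 34.0     # supply-temperature ceiling that triggers rollback (assumed)
SAFE_SETPOINT_C = 28.0  # rollback setpoint (assumed)


@dataclass
class Plant:
    setpoint_c: float = 30.0
    valves_open: dict = field(default_factory=lambda: {"SEG-A": True, "SEG-B": True})
    valve_close_started: dict = field(default_factory=dict)  # segment -> time close began
    # N+1 pumps: P1 duty, P2 standby.
    pumps_running: dict = field(default_factory=lambda: {"P1": True, "P2": False})
    log: list = field(default_factory=list)  # (time, action) pairs, the evidence trail


def step(plant, t, leak, supply_temp_c, pump_fault):
    """One controller scan at time t (seconds). Inputs are this tick's sensor states.
    Returns the actions taken during this scan."""
    actions = []
    # Leak: start closing the affected segment's valve; mark it isolated once travel completes.
    for seg, leaking in leak.items():
        if leaking and plant.valves_open[seg] and seg not in plant.valve_close_started:
            plant.valve_close_started[seg] = t
            actions.append(f"close {seg}")
    for seg, t0 in list(plant.valve_close_started.items()):
        if plant.valves_open[seg] and t - t0 >= VALVE_TRAVEL_S:
            plant.valves_open[seg] = False
            actions.append(f"{seg} isolated")
    # Over-temp: roll the loop setpoint back to the safe value, once.
    if supply_temp_c > OVERTEMP_C and plant.setpoint_c != SAFE_SETPOINT_C:
        plant.setpoint_c = SAFE_SETPOINT_C
        actions.append("rollback setpoint")
    # Pump fault: stop the faulted duty pump and auto-start an idle standby if one exists.
    for pump, faulted in pump_fault.items():
        if faulted and plant.pumps_running.get(pump):
            plant.pumps_running[pump] = False
            standby = next((p for p, on in plant.pumps_running.items() if not on and p != pump), None)
            if standby is not None:
                plant.pumps_running[standby] = True
                actions.append(f"{pump} fault -> start {standby}")
    plant.log.extend((t, a) for a in actions)
    return actions


def run_drill(scenario):
    """Play a scenario of (t, leak_states, supply_temp_c, pump_faults) ticks.
    Returns the final plant state and time-to-isolate (seconds) per leaking segment."""
    plant = Plant()
    detected_at, isolated_at = {}, {}
    for t, leak, temp, fault in scenario:
        for seg, leaking in leak.items():
            if leaking and seg not in detected_at:
                detected_at[seg] = t
        for action in step(plant, t, leak, temp, fault):
            if action.endswith("isolated"):
                isolated_at[action.split()[0]] = t
    return plant, {seg: isolated_at[seg] - detected_at[seg] for seg in isolated_at}


# Constructed drill: leak in SEG-A from t=10 s, supply temperature climbing from t=30 s,
# duty pump P1 faulting at t=40 s. 13 scans cover 0..60 s.
DRILL = [
    (t,
     {"SEG-A": t >= 10, "SEG-B": False},
     30.0 + (t - 30) * 0.5 if t >= 30 else 30.0,
     {"P1": t >= 40})
    for t in range(0, 65, TICK_S)
]

if __name__ == "__main__":
    plant, tti = run_drill(DRILL)
    for t, action in plant.log:
        print(f"t={t:>3}s  {action}")
    print("time-to-isolate:", tti, "target met:", all(v <= 60 for v in tti.values()))
```

The point of keeping this logic controller-local is that it must work when the SOC, the SIEM and the vendor portal are all unavailable; the log the simulation keeps is the same evidence trail the SIEM should later ingest so the RFO deck can show the valve closed within target.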

Privacy & Compliance (India)

● Map data flows to DPDP Act (2023) duties (notice/ consent, children’s data, significant data fiduciary obligations, logging/ retention). Security incidents may carry privacy impact; coordinate Legal + SOC.

Cooling anomaly (OT): Verify via TT (Temperature Transmitters)/ DP (Differential-Pressure)/ FT (Flow Transmitters). Lock setpoints; start standby pumps; isolate suspect conduit. Notify tenants; begin forensic capture (Redfish/ BMS/ PACS logs). If leak → trigger segment isolation; if trend persists → staged compute load-shed.

Power irregularity (Electrical): Follow switchgear alarm path; confirm with metering; failover checklist (UPS/ gensets); capture BMS/ relay logs; freeze change windows.

Ransomware in OT/ IT: Isolate at zone boundary; fallback to local/ manual control (paper SOPs at panels); restore from immutable backups; involve OEMs only through bastion with recording.

Physical intrusion: PACS/ VSS alerts → lockdown affected cage/ row; reconcile badge trails with network changes; collect work permits/ tool logs.

Command & control: Use a single Incident Commander with Safety, Facilities/ OT, IT, Physical Security, Legal/ Comms; first duty is safety & availability. Keep NTP (Network Time Protocol) sync to preserve evidence timelines.

● Colo & Cloud Landlords: publish xUE (PUE – Power Usage Effectiveness, WUE – Water Usage Effectiveness, CUE – Carbon Usage Effectiveness) monthly and disclose your renewable share; in India, state CEA (Central Electricity Authority)-aligned carbon factors and GEOA (Green Energy Open Access) usage if applicable.
● OEMs/ integrators: Remote access only via your bastion; quarterly SBOM (Software Bill of Materials) and firmware attestations; clear end-of-life plans for fluids/ seals (PFAS-free trajectories if relevant).
● Telemetry clause: All CDUs, pumps and leak sensors expose events via Redfish 2024.4 (or open equivalent), real-time stream + 400-day retention.

Availability: MTTD/ MTTR (Mean Time to Detect / Recover) by domain; number of avoided trips (cooling / power) attributed to interlocks.
Security posture: % OT assets with named owner / patch level; % vendor sessions recorded; phishing rate and time-to-revoke creds.
xUE & energy: monthly PUE / WUE / CUE; emissions computed with CEA factors; progress toward 24/7 CFE (Carbon-Free Energy) using GEOA PPAs / RECs (Renewable Energy Certificates).
Exercises: two cross-domain drills per year; track response times and fixes closed.
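The xUE and 24/7 CFE metrics above, worked through in code as an added example that is not from the original article or from the CEA, Green Grid or any reporting tool. It computes PUE, WUE and CUE from metered monthly inputs with an emission factor applied only to the grid-supplied share, and contrasts a volumetric renewable share with the hourly-matched share that 24/7 CFE reporting uses. The metered values and the emission factor are constructed placeholders; the real factor must come from the CEA CO₂ Baseline Database version you report against.

```python
"""Monthly xUE and hourly-matched CFE (added example, not from the article).
All inputs below are constructed; GRID_FACTOR_PLACEHOLDER is NOT a CEA database value."""

# PLACEHOLDER emission factor in kg CO2 per grid kWh; replace with the CEA CO2 Baseline
# Database factor for the version cited in your report.
GRID_FACTOR_PLACEHOLDER = 0.7


def xue_report(facility_kwh, it_kwh, water_litres, renewable_kwh, grid_factor_kg_per_kwh):
    """PUE = facility energy / IT energy; WUE = water / IT energy (L/kWh);
    CUE = CO2 emissions / IT energy (kg/kWh), emissions counted on grid kWh only."""
    if it_kwh <= 0 or facility_kwh < it_kwh:
        raise ValueError("IT energy must be positive and not exceed facility energy")
    if not 0 <= renewable_kwh <= facility_kwh:
        raise ValueError("renewable kWh must lie between 0 and facility energy")
    grid_kwh = facility_kwh - renewable_kwh
    emissions_kg = grid_kwh * grid_factor_kg_per_kwh
    return {
        "PUE": round(facility_kwh / it_kwh, 3),
        "WUE_l_per_kwh": round(water_litres / it_kwh, 3),
        "CUE_kg_per_kwh": round(emissions_kg / it_kwh, 3),
        "renewable_share": round(renewable_kwh / facility_kwh, 3),
        "emissions_tco2": round(emissions_kg / 1000, 1),
    }


def hourly_cfe(load_kwh, cfe_kwh):
    """Hourly-matched carbon-free share: surplus in one hour cannot cover a deficit
    in another, so each hour contributes min(load, carbon-free supply)."""
    if len(load_kwh) != len(cfe_kwh) or not load_kwh:
        raise ValueError("need one carbon-free supply reading per load reading")
    matched = sum(min(l, c) for l, c in zip(load_kwh, cfe_kwh))
    volumetric = min(sum(cfe_kwh) / sum(load_kwh), 1.0)
    return {"hourly_matched": round(matched / sum(load_kwh), 3),
            "volumetric": round(volumetric, 3)}


# Constructed monthly meter readings for one site.
MONTH = dict(facility_kwh=1_200_000, it_kwh=1_000_000, water_litres=1_500_000,
             renewable_kwh=600_000, grid_factor_kg_per_kwh=GRID_FACTOR_PLACEHOLDER)
# Constructed four-hour slice: flat load, solar-shaped carbon-free supply.
LOAD = [100, 100, 100, 100]
CFE = [200, 0, 150, 50]

if __name__ == "__main__":
    print(xue_report(**MONTH))
    print(hourly_cfe(LOAD, CFE))
```

The two CFE numbers differ on purpose: the constructed slice buys exactly as many carbon-free kWh as it consumes (volumetric 100%) yet covers only 62.5% of hours, which is the gap a 24/7 CFE target is meant to close and the one a reviewer of your ESG report will ask about.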

DPDP Act (2023): Make SOC playbooks privacy-aware (breach thresholds, notices, cross-border transfer records).
CEA CO₂ Baseline Database: Use the latest version (v19 / v20) to compute CUE; publish in customer reports.
Green Energy Open Access: If you (or your landlord) are eligible, point to GEOA PPAs in ESG reporting; it shows credible progress toward lower CUE.

Cross-training: IT learns OT basics (setpoints / alarms / interlocks); OT learns incident handling and evidence.
Table-tops to live drills: simulate ‘cooling manipulation + power anomaly;’ capture how quickly teams lock setpoints, start standby and isolate segments.
Contractor onboarding: badge ethics, no USBs, supervised work on critical paths, tool counts and immediate log review after work windows.

Thermal & hydraulic: stable supply within ±0.5 °C; ΔT ≥ 8 K; rack flow within ±5%; differential pressure stable under transients.
Safety interlocks: leak isolation under ≤ 60 s in test; over-temp rollback observed; standby pumps auto-start proven.
Telemetry: Redfish / BMS / OT events visible in SIEM; time-synced logs retained ≥ 12–24 months.
Security: zones & conduits diagrammed; PAM / MFA live; vendor DMZ enforced; immutable backups tested quarterly.
Reporting: xUE and GEOA / CEA references present in the executive dashboard.

NIST SP 800-82 Rev. 3: Comprehensive OT security guidance for ICS / OT environments and countermeasures; maps threats and mitigations and stresses safety / availability.
ISA / IEC 62443: The architecture language for OT (zones, conduits, SLs – security levels).
CISA CPGs: Prioritized controls for quick posture wins and board-level transparency.
Uptime Institute 2024: Power is still the leading cause of impactful outages (useful when prioritizing budget to electrical reliability).
Redfish 2024.4: Now includes liquid-cooling events, LeakDetectors and CDU controls; insist on it in RFPs to reduce telemetry blind spots.
DPDP Act 2023 / CEA CO₂ Baseline / GEOA: India’s governance and energy levers that connect risk to ESG.

The ‘one-degree’ lift: An Indian site installed missing FT / TT / DP sensors, then raised warm-water setpoints by 1 °C per week within vendor envelopes. Over 90 days, chiller hours fell; pumps ran slower and steadier. After two drills, the team’s confidence – not just the PUE – was the big win.

The leak that stayed small: During maintenance, a quick-disconnect seal failed at a rack manifold. Rope LD (Leak Detection) tripped; the segment valve auto-closed under 60 s; N+1 pumps kept flows within tolerance. Two servers were swapped, zero tenant impact, clean evidence in SIEM for the RFO (reason for outage) deck.

Treat your data center as a cyber-physical organism. The most expensive incidents still start in the power room, but the most preventable ones start with segmentation, interlocks, telemetry you can trust and drills that build muscle memory. If you measure it, drill it and report it, you can control it and prove to your board, customers and regulators that India’s AI-era infrastructure is fast, resilient and responsible.

References (selected)

● NIST SP 800-82 Rev. 3 (Guide to OT Security). Core guidance for ICS / OT environments and countermeasures. NIST Publications.
● ISA / IEC 62443 (Zones & Conduits). Foundation for OT segmentation architectures. gca.isa.org.
● CISA Cross-Sector Cybersecurity Performance Goals. High-impact baseline practices for all sectors. CISA.
● Uptime Institute, 2024 Global Data Center Survey / Outage Analysis. On-site power distribution is the leading cause of impactful outages (~54%). Uptime Institute.
● DMTF Redfish 2024.4. Added liquid-cooling events, LeakDetectors and CDU controls; standardizes DC telemetry. dmtf.org.
● DPDP Act, 2023. India’s digital personal data protection law; obligations and governance. MeitY.
● CEA CO₂ Baseline Database (v19 / v20). Emission factors for India’s grid (use in CUE). Central Electricity Authority.
● Green Energy Open Access Rules, 2022. Open-access threshold reduced to 100 kW; pathway for renewable procurement. Press Information Bureau.
