The rapid adoption of generative AI has fueled the rise of larger and more sophisticated data centers running on unified IT/OT infrastructure. This level of integration has been a boon for malicious actors, who are increasingly exploiting vulnerabilities in less secure OT protocols to target critical systems in the facility[1]. A renewed focus on cybersecurity has led operators to consider robust network protection as a foundational requirement for survival.
Deploying secure-by-design hardware and incorporating zero-trust architecture into the power chain and cooling loops is the cornerstone of a robust cybersecurity framework for AI data center networks. Every power meter, gateway, and switch should be treated as a potential entry point that requires hardware-level defense.
Navigating a New Threat Landscape
In the past, facilities operated as a collection of isolated systems, which provided sufficient network protection against most threats. In today’s AI facilities, the demand for real-time telemetry has introduced an array of legacy assets into the network to optimize cooling and power efficiency. This interconnectivity of IT and OT systems exposes legacy industrial protocols like Modbus and BACnet to a whole new generation of AI-enhanced malware[2].
The behavior and execution of these autonomous threats have also evolved from simply crashing a system to slowly wearing down defenses and carrying out targeted sabotage. For example, by subtly altering the setpoints of a liquid cooling distribution unit (CDU) or spoofing the telemetry of a backup generator, an attacker can trigger a compute crash during a critical AI training run. The pain point for operators is clear: how do they secure infrastructure filled with legacy devices that were never built with modern cybersecurity in mind?
Enforcing Zero Trust in the Power Chain
With the rise of more sophisticated threats, zero trust has become the leading security principle. No device is trustworthy by default and all access must be authorized. Applying zero trust to the facility’s power chain means that every communication between a PDU and the DCIM, or a UPS and the EPMS, must be encrypted and authenticated. However, putting this into practice poses major challenges when dealing with serial-based legacy hardware.
Secure-by-design hardware eliminates this hurdle by layering built-in security measures on top of its intended function. Secure terminal servers allow operators to safely incorporate legacy assets into a zero-trust framework by encrypting vulnerable serial data streams with secure protocols such as TLS 1.2. Enforcing strict access control at the serial port level adds another layer of security to ensure that only authorized management systems can issue commands to critical power infrastructure.
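The port-level access control described above can be pictured as a policy check that a gateway runs on every request before it reaches the serial side. This is an added example, not vendor code: it assumes Modbus/TCP framing inside the TLS session, and the port names, identities and policy table are hypothetical.

```python
import struct

# Modbus function codes that change device state versus read-only ones.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}

# Hypothetical policy: which authenticated identities (for example TLS
# client-certificate names) may read or write on each serial port.
PORT_POLICY = {
    "port1-ups": {"read": {"epms.example.internal", "dcim.example.internal"},
                  "write": {"epms.example.internal"}},
    "port2-cdu": {"read": {"dcim.example.internal"}, "write": set()},
}

# Constructed sample frames: read holding registers / write single register.
READ_REGS = bytes.fromhex("000100000006010300000002")
WRITE_REG = bytes.fromhex("00020000000601060010002a")

def parse_mbap(frame):
    """Return (unit_id, function_code) or raise ValueError on a bad frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7]

def authorize(port, identity, frame):
    """Default-deny decision: returns (allowed, reason)."""
    policy = PORT_POLICY.get(port)
    if policy is None:
        return False, "unknown port"
    try:
        _unit, fc = parse_mbap(frame)
    except ValueError as exc:
        return False, f"malformed frame: {exc}"
    if fc in READ_FUNCTIONS:
        kind = "read"
    elif fc in WRITE_FUNCTIONS:
        kind = "write"
    else:
        return False, f"function 0x{fc:02x} not allowed"
    if identity in policy[kind]:
        return True, kind
    return False, f"{identity} not authorized to {kind}"
```

Denied and malformed requests are worth logging with the identity and port, since a monitoring identity that starts sending write function codes is a useful detection signal.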
Hardening Security at the Edge
Locally tailored security measures are no longer enough to handle the complex threats aimed at modern data centers. The industry is instead gravitating towards internationally recognized security standards. Specifically, the IEC 62443 framework is considered the global benchmark for cybersecurity in industrial automation and control systems[3].
For data center operators, choosing IEC 62443-4-2 certified hardware is a guarantee that devices meet strict security requirements, including:
- Secure Boot: Ensures only authorized firmware runs on the device.
- User Authentication: Robust password management and multi-factor authentication (MFA) support.
- Network Access Control: The ability to disable unused ports and services to minimize the attack surface.
With IEC 62443 certified hardware, operators can establish a robust, standardized security environment that can be further broken down into individual defense zones to protect mission-critical subsystems. This segmented architecture prevents network breaches from affecting vital components, such as cooling and power systems.
Secure Edge Telemetry for a Data-driven Defense
While AI is being used to design more sophisticated attacks, it is also the greatest tool for defense. However, an AI-driven security platform is only as effective as the data it receives from the edge. To effectively detect and respond to an attack, the security system needs access to high-fidelity, accurate telemetry in real time.
An elaborate connectivity fabric serves as the neural network, connecting sensors at the edge and sending aggregated telemetry data to the defense platform. To ensure the integrity of collected data, it’s important that telemetry from edge devices is encrypted so response mechanisms are always acting on authentic input. If a sensor reports a temperature spike, the system must be 100% certain that the data hasn't been spoofed to mask an attack elsewhere.
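To show what acting only on authentic input can look like at the receiving end, the added example below (not vendor code) verifies each reading with a per-sensor HMAC-SHA256 tag, a freshness window and a monotonic counter. The message layout, sensor name and key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment provisions one secret per sensor.
SENSOR_KEYS = {"cdu-07-temp": b"constructed-demo-key"}

def sign(sensor_id, counter, ts, value, key):
    """Sensor side: serialize the reading and attach an HMAC tag."""
    body = json.dumps({"id": sensor_id, "ctr": counter, "ts": ts, "val": value},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class TelemetryVerifier:
    """Collector side: accept a reading only if it is authentic and fresh."""

    def __init__(self, keys, max_skew_s=30):
        self.keys = keys
        self.max_skew_s = max_skew_s
        self.last_counter = {}  # highest counter accepted per sensor

    def verify(self, msg, now):
        try:
            body = msg["body"].encode()
            tag = msg["tag"].encode()
            fields = json.loads(body)
            sensor = fields["id"]
            ctr, ts = int(fields["ctr"]), float(fields["ts"])
            key = self.keys.get(sensor)
        except (KeyError, ValueError, TypeError, AttributeError):
            return False, "malformed"
        if key is None:
            return False, "unknown sensor"
        # Nothing parsed above is trusted until the tag checks out.
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if abs(now - ts) > self.max_skew_s:
            return False, "stale"
        if ctr <= self.last_counter.get(sensor, -1):
            return False, "replay"
        self.last_counter[sensor] = ctr
        return True, "ok"
```

Rejected readings should raise an alert rather than be silently dropped, because a burst of bad tags or replays from one sensor is itself evidence of tampering on that segment.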
Resilience Through Security
In the generative era, a data center’s value is measured by its uptime. As threats against AI infrastructure target interconnected physical components, defense strategies must evolve accordingly. Building a resilient DCI backbone requires protecting every system, from the smallest sensor to the largest switchgear, using secure-by-design hardware and robust authentication mechanisms.
For more information on how Moxa can help you secure your data center backbone, check out our brochure.