Critical National Infrastructure (CNI) was once protected by redundancy, such as dual power feeds, backup generators, mirrored systems and contingency plans. However, today’s threat landscape has outgrown yesterday’s engineering assumptions.
Modern CNI, including data centres, utilities, distribution networks, transport systems and the digital ecosystems that bind them, is now a strategic target for state actors deploying military‑grade technologies. The UK’s recent exposure of a covert Russian submarine operation in and around British waters highlights how CNI can be targeted and the importance of resilience by design, not just physical protection. To survive this evolving threat environment, we need a new mindset: we need to start thinking like the adversary.
Interconnected smart ecosystems
Smart cities and smart ecosystems have brought extraordinary benefits, but they have also introduced deeply interconnected vulnerabilities. A failure in one smart ecosystem node can cascade across utilities, mobility, communications and data services, creating ecosystem‑level disruption.
These interdependencies have created a target‑rich environment for sophisticated attackers, who exploit weak seams between information technology (IT), Operational Technology (OT), Internet of Things (IoT) and cloud infrastructure. Our latest guidance on smart ecosystems (Smart Ecosystems: Designing Resilience in an AI‑Enabled, Data‑Centric World) delves into these vulnerabilities in greater detail.
Data centres as strategic targets
Nowhere is this more acute than in data centres, the digital backbone through which government, defence, commerce and society now operate.
As AI becomes the brain of national ecosystems and data centres grow in scale and concentration, they have become critical dependencies with strategic exposure. To a hostile actor, these are no longer industrially neutral facilities; they are high‑value, high‑impact choke points. The Control Risks Data Centre Resilience Framework outlines the five key risk areas to focus on for building true data-centre resilience.
Beyond redundancy, towards true resilience
Traditional resilience has focused on maintaining uptime through backup systems, failover paths and mirrored environments. However, this model assumes disruptions are technical, accidental or isolated. It does not anticipate coordinated hybrid attacks that combine cyber intrusion, physical disruption, supply-chain compromise and geopolitically driven threats.
Resilience today means operational survivability is under intelligent attack. It requires understanding not only how systems work, but how they fail. This involves identifying the components, dependencies or interfaces, such as power feeds, cooling nodes, switching fabric, identity systems and remote management ports, whose compromise would cause catastrophic, rather than manageable, disruption.
Resilience means designing for more than just redundancy, it requires hardening, sometimes using military‑style measures such as buried cable routes, blast‑resistant switching rooms, bunker‑style Meet-Me-Rooms (MMRs) and physically segmented power and cooling zones.
Get upstream, stay left of bang
Too often, resilience is only considered once systems are already in place.
In smart ecosystems, it is during the design stage where vulnerabilities and dependencies are baked in. Planners and developers must get upstream by:
- Tracing dependencies
- Modelling failure cascades
- Determining cyber‑physical security long before the first cable is laid
Ecosystem‑level interdependence means a data centre failure is not simply a technical event, it can ripple across cities, industries and national platforms. Attackers already understand this dynamic. They pull at various threads to see which unravels. Planners, developers and operators must be just as deliberate in their thinking.
A call to action
CNI operators, data centre developers and national planners must adopt a new posture: think like the adversary, protect like the military and build like the future depends on it, because it does. The winners of the next decade will be those who move beyond a redundancy approach toward true resilience that is adaptive and intelligent, ecosystem‑aware and designed from the first concept sketch to withstand coordinated, state‑level attacks. It is time to pull at the threads, before someone else does.