Chapter 11.2
Physical Security: Siting, Zones & Kinetic/Drone Threats
Physical security is a siting decision before it is a fence decision: where you put the slab, how you stack the concentric zones, and whether you can legally shoot down a drone are choices made years before the first attack — and in 2026 they are no longer hypothetical, because hyperscale AI facilities have been hit by drones in combat.
What you'll decide here
- Where on the threat spectrum your facility actually sits — opportunistic theft and vandalism, organized sabotage of single-points-of-failure, or nation-state kinetic/aerial attack — and therefore which zones and counter-measures are justified versus wasted.
- The concentric-zone model you commission to: how many layers, where the access-control and biometric chokepoints fall, and which assets (weights storage, OT cores, the utility tie) sit in the innermost zone.
- Whether the aerial threat is in scope — and if so, that you can only legally *detect* and not *defeat* a drone unless you are a narrow set of federal (and, post-2026-NDAA, certified state/local) actors, which forces a detect-and-respond posture and a relationship with law enforcement rather than a kinetic one.
- How much kinetic and sabotage resilience to design into the single-points-of-failure outside the fence — the substation, the gas tie, the fiber entrances, the water make-up — where a $500 angle grinder or a cheap quadcopter can strand hundreds of megawatts.
- That access control, cameras, and the building-management/EPMS plane are now treated as operational technology (OT) on a segmented network — because the physical-security system is itself a cyber attack surface into the facility.
Physical security for an AI data center used to be a checklist item: a fence, a guard, a badge reader, some cameras, and a SOC 2 line item that said "controlled access". That framing is obsolete. The reason is partly value-density — a single hall now concentrates billions of dollars of accelerators and, more importantly, model weights whose theft is a strategic, not a financial, event (the asset taxonomy and adversary tiers are set in Chapter 11.1). But the sharper reason is that the threat became kinetic. In March 2026, during the escalation following Operation Epic Fury, Iranian one-way attack drones struck commercial cloud infrastructure in the Gulf — two AWS facilities in the UAE took direct hits and a Bahrain site took blast damage, with AWS reporting structural damage, disrupted power delivery, and fire-suppression water damage (DefenseScoop, Mar 2026). Analysts called it the first publicly confirmed combat strike on a hyperscale data center run by a US company. The lesson generalized fast: civilian compute now sits at the intersection of economic and political pressure, which makes it a target.
This chapter walks physical security outward-to-inward and then upward into the air. We start with siting — the most irreversible physical-security decision, made before any zone exists. We build the concentric-zone model and place access control, biometrics, and surveillance within it. We then take the two threats that the perimeter model handles badly — aerial (drones) and kinetic/sabotage against single-points-of-failure outside the fence — and close on the physical-cyber convergence that turns the security system itself into an OT attack surface.
Siting as a physical-security decision
The earliest physical-security choice is where the slab goes, and it is made for power and latency reasons (the reordered siting hierarchy is in Chapter 3.1) long before a security engineer is in the room. That is the problem: by the time security is consulted, the standoff distance, the airspace overhead, the proximity to a hostile border, and the routing of the utility tie are already fixed in concrete. Standoff — the distance from the public road or fence line to the critical building — is the cheapest blast and small-arms mitigation that exists, and it is free at scoping time and ruinously expensive to retrofit. A rural power-first campus on cheap stranded megawatts often gets generous standoff for free; an urban latency-first inference site on expensive real estate frequently has none, with the loading dock opening onto a public street.
Siting also sets the threat tier you must design against, and this is where the global, vendor-neutral view matters. A facility in a politically stable interior region defends mostly against opportunistic theft, insider misuse, and protest activity. A facility within drone or missile range of an active or latent conflict — the Gulf, parts of Eastern Europe, contested maritime regions — must design against a kinetic adversary, which changes everything from glazing to dispersal architecture. The 2026 Gulf strikes are the proof: the same hyperscaler's facility is a fence-and-badge problem in one region and a war-infrastructure problem in another. The siting decision pre-selects which of those two buildings you are operating, and you cannot move a slab.
The concentric-zone model
The organizing pattern for everything inside the fence is concentric zones — nested rings, each crossing requiring stronger authentication and granting access to higher-value assets, so a single credential never reaches the crown jewels and a breach of one ring buys the adversary only the next ring, not the core. This is defense-in-depth expressed physically. The number of zones is the design variable: a Tier-2 inference colo might run three; a facility holding frontier weights at a high Weights Security Level (the RAND framework in Chapter 11.1) will run five or more, with a two-person rule and a mantrap on the innermost door. The principle is that asset value sets ring depth — you push the highest-value assets (weights storage, the OT/control core, the key-management hardware) to the center and make the path to them long, observed, and authenticated at every step.
| Zone | Boundary | Primary controls | Assets protected | What a thin layer costs you |
|---|---|---|---|---|
| 0 — Approach | Public road to fence line | Standoff, berms, vehicle barriers, lighting, ANPR cameras | Standoff distance itself | Vehicle-borne blast reaches the building; no warning time |
| 1 — Perimeter | Fence / wall line | Anti-climb fence, intrusion detection (PIDS), CCTV with analytics, patrols | The campus envelope | Cut-and-climb intrusion undetected; trespass to inner zones |
| 2 — Site / yard | Inside the fence | Gatehouse, badge + vehicle inspection, mantrap at building face | Substation, generators, fuel, fiber vaults | Sabotage of un-fenced single-points-of-failure (see below) |
| 3 — Building | Building shell | Badge + biometric, anti-tailgating, visitor escort, no public lobby | Office, NOC, staging, loading dock | Tailgating and social-engineering reach the white space |
| 4 — Data hall | White space door | Two-factor (badge + biometric) mantrap, anti-passback, escorted vendors | Racks, cages, network core | An insider or escorted vendor reaches racks unobserved |
| 5 — Cage / core | Cage, weights store, OT room | Two-person rule, dedicated biometric, tamper-evident cabinets, full audit | Model weights, HSM/KMS, OT/EPMS controllers | Theft of weights or OT compromise — a strategic loss |
Read the table as a depth budget. Every ring you add buys detection time and forces the adversary to defeat another distinct control type — which is why the value is in heterogeneity, not just count: a badge reader on every door is one control defeated five times; a badge plus biometric plus a two-person rule plus tamper-evident hardware is four different defeats. The economic tie-back is direct: zones are cheap to specify at design time and expensive to retrofit, so the depth budget is a density-ramp decision — a hall scoped today for three zones cannot easily grow a weights-bearing fifth zone later without re-planning circulation, doors, and the OT room. If there is any chance the facility hosts frontier weights, reserve the innermost-zone footprint now, the same way you reserve floor loading and water for a cooling ramp.
Access control, biometrics, and surveillance
The zone model is only as good as the chokepoints that enforce it. Three control families do the work, and each carries a decision with a downstream cost. Access control — badges, PINs, and increasingly mobile credentials — is the backbone, but its failure modes are tailgating and credential sharing, which is why the meaningful controls are anti-tailgating mantraps, anti-passback (you cannot badge in twice without badging out), and turnstiles rather than swing doors at the high-value boundaries. Biometrics — fingerprint, facial, iris, vein — raise the bar from something you have (a clonable badge) to something you are, and biometrics is the fastest-growing segment of the physical-security spend precisely because credential theft is the cheap attack. But biometrics imports its own decisions: a privacy/data-residency obligation on the biometric template (which is personal data under GDPR and equivalents — see governance in Chapter 11.1), a false-reject rate that throttles legitimate throughput, and a spoofing surface that demands liveness detection.
Surveillance is the third leg, and 2026 changed its economics: AI video analytics turn cameras from a forensic record (useful only after the fact) into a real-time detector — loitering, line-crossing, abandoned-object, and crowd analytics that alert before the breach completes. The fork here is record-and-review versus detect-and-respond. A passive CCTV estate is cheap and exonerates you in the post-mortem; an analytics-driven estate is more expensive, generates false positives that must be staffed, but compresses the detection-to-response time that is the whole point of the concentric model. For a high-value facility the answer is detect-and-respond, because the depth budget you bought in the zone model is wasted if nobody is watching the rings in real time.
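The anti-passback rule from the access-control paragraph above, as an added example (not from the original chapter): a soft anti-passback audit that replays badge reads against the nested zones and flags the sequences that indicate a shared badge or a tailgated door. The event format, badge IDs, zone numbering of readers and the sample log are all constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts badge zone direction")
Finding = namedtuple("Finding", "ts badge kind detail")

# Assumption: a holder with no history is outside the first badge-controlled
# ring (the Zone 2 gatehouse in the table above), i.e. recorded in zone 1.
UNBADGED = 1

def audit_badge_events(events):
    """Replay reads in time order and flag sequences a strict reader chain forbids.

    Soft (audit) mode: nothing is denied, and after every read the holder's
    recorded position is resynchronised to what the reader just saw.
    """
    position = {}   # badge -> innermost zone the holder is recorded in
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        here = position.get(ev.badge, UNBADGED)
        if ev.direction == "in":
            if here >= ev.zone:
                # Already recorded inside: shared or cloned badge, or an unread exit.
                findings.append(Finding(ev.ts, ev.badge, "passback",
                                        f"entry to zone {ev.zone} while in zone {here}"))
            elif here < ev.zone - 1:
                # An outer ring was crossed without a read: tailgated on the way in.
                findings.append(Finding(ev.ts, ev.badge, "skipped_ring",
                                        f"entry to zone {ev.zone} from zone {here}"))
            position[ev.badge] = ev.zone
        elif ev.direction == "out":
            if here < ev.zone:
                # Leaving a ring never entered on record: tailgated in earlier.
                findings.append(Finding(ev.ts, ev.badge, "exit_without_entry",
                                        f"exit from zone {ev.zone} while in zone {here}"))
            elif here > ev.zone:
                # Recorded deeper than the ring being left: an inner exit was not read.
                findings.append(Finding(ev.ts, ev.badge, "inner_exit_missing",
                                        f"exit from zone {ev.zone} while in zone {here}"))
            position[ev.badge] = ev.zone - 1
        else:
            raise ValueError(f"unknown direction {ev.direction!r}")
    return findings

# Constructed sample log (ISO timestamps sort lexicographically).
SAMPLE_EVENTS = [
    Event("2026-01-15T08:00:00", "B-1001", 2, "in"),   # clean walk in and out
    Event("2026-01-15T08:02:00", "B-1001", 3, "in"),
    Event("2026-01-15T08:05:00", "B-1001", 4, "in"),
    Event("2026-01-15T09:00:00", "B-1001", 4, "out"),
    Event("2026-01-15T09:02:00", "B-1001", 3, "out"),
    Event("2026-01-15T09:05:00", "B-1001", 2, "out"),
    Event("2026-01-15T08:10:00", "B-2002", 2, "in"),
    Event("2026-01-15T08:12:00", "B-2002", 3, "in"),
    Event("2026-01-15T08:40:00", "B-2002", 3, "in"),   # second entry, no exit
    Event("2026-01-15T08:20:00", "B-3003", 2, "in"),
    Event("2026-01-15T08:30:00", "B-3003", 4, "in"),   # no zone 3 read
    Event("2026-01-15T10:00:00", "B-4004", 4, "out"),  # exit with no entry on record
]

if __name__ == "__main__":
    for f in audit_badge_events(SAMPLE_EVENTS):
        print(f.ts, f.badge, f.kind, "-", f.detail)
```

A hard anti-passback reader would deny the read instead of logging it; the audit form is shown because it also surfaces tailgating, which a denial-only reader never sees.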
Aerial threats and counter-UAS
The perimeter model assumes the threat arrives along the ground. Drones break that assumption: they ignore standoff, fence, and mantrap entirely and arrive over the top, on the one axis the concentric zones do not cover. The 2026 Gulf strikes are the proof-of-concept at the nation-state end of the spectrum, but the more pervasive risk is cheaper — a commercial FPV quadcopter or a fixed-wing one-way drone costing a few hundred dollars can carry a small charge to a rooftop chiller, a transformer yard, or a CDU plant, or simply hover with a camera over a yard the fence was supposed to protect. The asymmetry is the entire story: a sub-$1,000 airframe against a facility worth hundreds of millions, attacking exactly the un-hardened single-points-of-failure (cooling, power tie, fuel) that the ground perimeter leaves exposed.
Here the decision is sharply constrained by law, and this is the single most important thing an operator must internalize: in the United States you may legally detect a drone, but you may not defeat one. Defeating a UAS — jamming, spoofing, capturing, or downing it — collides with federal statutes (the Wiretap Act, 18 U.S.C. §32 on aircraft sabotage, and FAA airspace rules), and the authority to do so has historically been reserved to a narrow set of federal agencies. The FY2026 NDAA opened the first crack in that wall, creating a statutory path for certified state, local, and tribal law enforcement to deploy counter-UAS after DOJ training — but a private data center operator still has no legal authority to take a drone down. The consequence is decisive for design: your counter-UAS program is a detect-classify-alert-and-coordinate program, not a kinetic one. You build airspace awareness and a fast line to the agencies who can act; you do not build a jammer you are not allowed to switch on.
| Capability | Function | Legal status for a private US operator (2026) | Design implication |
|---|---|---|---|
| RF / radar / acoustic detection | Detect & track approaching UAS | Permitted (passive detection) | Build airspace awareness into the SOC; integrate with CCTV |
| Optical / EO-IR classification | Identify payload, intent, model | Permitted | Cue response and evidence; feed law-enforcement handoff |
| RF jamming / spoofing | Sever the control link, force land | Prohibited — federal authority only (NDAA opened narrow LE path) | Cannot deploy; rely on coordinated LE / federal response |
| Kinetic / capture / net | Physically down or capture | Prohibited for private operators | Out of scope; harden the targets instead |
| Hardening & dispersal | Reduce consequence of a hit | Fully permitted | The operator's real lever: rooftop hardening, geo-dispersal, redundancy |
Because mitigation is mostly off the table for the operator, the engineering response shifts from stopping the drone to surviving the hit, and that is a resilience decision, not a security-guard decision. Two levers dominate. Hardening the exposed single-points-of-failure: protective screens or cages over rooftop chillers and CDUs, blast-resistant transformer enclosures, and structural separation so a rooftop strike does not propagate into the white space. Dispersal and redundancy: the West Point analysis of the 2026 strikes argued the durable defense is architectural — spread critical capacity across multiple sites and power/cooling trains so no single drone-deliverable charge takes down the workload. This is the same logic the reliability chapters apply to random failures (goodput-over-availability in Chapter 12.2), now applied to a deliberate adversary: the cheapest way to beat a $500 drone is to make sure hitting any one target does not matter.
Kinetic and sabotage resilience: the targets outside the fence
The most under-defended attack surface is not the data hall — it is the cluster of overlooked single-points-of-failure that sit outside the building and often outside the fence: the substation and the utility tie, the on-site generators and their fuel, the behind-the-meter gas connection, the fiber entrance vaults, and the make-up water supply. A saboteur does not need to reach a rack to take the facility down; an angle grinder on a substation, a rifle round through a transformer radiator, or a few minutes with the fiber vault strands the entire load. The grid data makes the prize concrete: a single substation fault has dropped roughly 1,500 MW of data-center load, and 1.5 GW fell off the system in 82 seconds in a 2024 Virginia event (NERC). That is the consequence of a successful hit on the tie — and because a large-load interconnection takes three to seven-plus years to replace (Chapter 4.3), the substation is not just a single-point-of-failure, it is an irreplaceable one on any useful timescale.
The decision fork is how far to extend the concentric-zone model and the hardening budget to these external assets. The cheap, often-skipped controls are: pulling the substation and fuel inside the fenced and monitored Zone 2 rather than leaving them on a public easement; ballistic-rated or screened transformer enclosures; diverse, physically-separated fiber entrances (so cutting one vault does not isolate the site); and intrusion detection on the yard, not just the building. The consequence of skipping them is that you have built five concentric zones around the racks and left the thing that powers them sitting on the roadside. The physics of these failure modes — the synchronized load step, the thermal runaway from a disabled CDU — are dual-use: the same events appear as random faults in the reliability chapters and as deliberate weapons in the OT-attack chapter. Transient physics is in Chapter 4.5; the destructive-attack treatment of OT systems is in Chapter 11.10.
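The single-point-of-failure reasoning above, as an added example (not from the original chapter): each service the site needs is modelled as a list of independent supply paths, each path being the set of physical assets it depends on, and the check reports every asset whose loss removes all paths for some service. The asset names and both site layouts are constructed.

```python
def stranding_assets(services):
    """services: {service: [set of assets per independent path]}.

    Returns {asset: [services lost]} for every asset that appears in *all*
    paths of at least one service, i.e. whose loss alone strands that service.
    """
    assets = set().union(*(path for paths in services.values() for path in paths))
    result = {}
    for asset in sorted(assets):
        lost = [svc for svc, paths in services.items()
                if all(asset in path for path in paths)]
        if lost:
            result[asset] = lost
    return result

def hardening_priority(services, outside_zone2):
    """Stranding assets that also sit outside the fenced, monitored Zone 2."""
    return sorted(set(stranding_assets(services)) & set(outside_zone2))

# Constructed baseline: two carriers look diverse on paper but share one
# entrance vault, both cooling plants draw on one make-up line, and power
# arrives over a single tie and substation.
BASELINE = {
    "power":   [{"utility_tie", "substation"}],
    "network": [{"carrier_1", "fiber_vault_N"}, {"carrier_2", "fiber_vault_N"}],
    "cooling": [{"makeup_water", "cdu_plant_1"}, {"makeup_water", "cdu_plant_2"}],
}

# Constructed revision: physically separate second path for every service.
REVISED = {
    "power":   [{"utility_tie", "substation"}, {"gas_tie", "onsite_generation"}],
    "network": [{"carrier_1", "fiber_vault_N"}, {"carrier_2", "fiber_vault_S"}],
    "cooling": [{"makeup_water", "cdu_plant_1"}, {"storage_tank", "cdu_plant_2"}],
}

# Constructed: assets currently on a public easement rather than inside Zone 2.
OUTSIDE_ZONE2 = {"substation", "fiber_vault_N", "carrier_1", "carrier_2"}

if __name__ == "__main__":
    print("baseline:", stranding_assets(BASELINE))
    print("revised: ", stranding_assets(REVISED))
    print("harden first:", hardening_priority(BASELINE, OUTSIDE_ZONE2))
```

The shared vault is the case worth noticing: two carriers count as one path for this purpose as long as they enter through the same physical asset.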
Deep dive: cage and rack controls — the last meter, and the insider problem
Inside the data hall, the concentric model gets granular, and the threat profile shifts from outsider to insider and escorted-vendor — which is the dominant unaddressed vector treated fully in Chapter 11.1 and the human-layer chapter. At the cage and rack level the controls are: lockable cages and cabinets with electronic access logging (who opened which cabinet, when, mapped to a ticket); tamper-evident seals on the cabinets holding weights-bearing storage and the HSM/KMS hardware; a two-person rule on the innermost cabinets so no single credential — even a privileged one — opens the crown jewels alone; and full audit of every cage entry, retained and reviewed, not just recorded. The point of cage controls is that the perimeter and zone model assume the adversary is outside; cage controls assume the adversary already has legitimate access to the hall and is trying to reach a specific cabinet.
The decision here is granularity-versus-friction. Per-cabinet electronic locks and two-person rules slow legitimate maintenance and add cost, so a low-value colo cage runs a simple lock and a camera. A weights-bearing cage at a high Weights Security Level runs per-cabinet logging, tamper-evidence, and a two-person rule, accepting the operational friction because the asset is a strategic one whose theft cannot be undone. This is where physical security and the weight-protection discipline meet: the at-rest protection of weights in Chapter 11.8 assumes the physical cabinet they live in is itself a controlled, audited, tamper-evident boundary — the cage control is the physical floor under the cryptographic ceiling.
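A review pass over cabinet access logs that applies the cage controls described above, as an added example (not from the original chapter): every open must map to a ticket that covers that cabinet and time, and a two-person cabinet needs two distinct people, not two badges, at the reader just before it opens. The record layouts, the 30-second window, the cabinet and ticket IDs and the sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

AUTH_WINDOW = timedelta(seconds=30)  # assumption: reads must fall within 30 s before the open

def t(hms):
    """Timestamp on a constructed sample day."""
    return datetime.fromisoformat("2026-01-15T" + hms)

def review_cabinet_opens(opens, auths, tickets, badge_owner, two_person_cabinets):
    """Return {index of open: [reasons]} for every cabinet open that fails review."""
    failures = {}
    for i, (ts, cabinet, ticket_id) in enumerate(opens):
        reasons = []
        ticket = tickets.get(ticket_id)
        if ticket is None:
            reasons.append("no_ticket")
        elif ticket["cabinet"] != cabinet:
            reasons.append("ticket_wrong_cabinet")
        elif not ticket["start"] <= ts <= ticket["end"]:
            reasons.append("outside_ticket_window")
        # Badges read at this cabinet shortly before it opened.
        badges = {b for (ats, acab, b) in auths
                  if acab == cabinet and timedelta(0) <= ts - ats <= AUTH_WINDOW}
        if any(b not in badge_owner for b in badges):
            reasons.append("unregistered_badge")
        # Count people, not badges: two credentials held by one person are one person.
        people = {badge_owner[b] for b in badges if b in badge_owner}
        if cabinet in two_person_cabinets and len(people) < 2:
            reasons.append("two_person_rule")
        if ticket is not None and not people <= ticket["people"]:
            reasons.append("person_not_on_ticket")
        if reasons:
            failures[i] = reasons
    return failures

# Constructed sample data. B-9 is a second (privileged) badge issued to alice.
BADGE_OWNER = {"B-1": "alice", "B-2": "bob", "B-3": "carol", "B-9": "alice"}
TWO_PERSON = {"W-01"}   # weights-bearing cabinet
TICKETS = {
    "CHG-100": {"cabinet": "W-01", "start": t("10:00:00"), "end": t("11:00:00"),
                "people": {"alice", "bob"}},
    "CHG-101": {"cabinet": "R-17", "start": t("12:00:00"), "end": t("13:00:00"),
                "people": {"carol"}},
    "CHG-102": {"cabinet": "W-01", "start": t("14:00:00"), "end": t("15:00:00"),
                "people": {"alice", "bob"}},
}
AUTHS = [
    (t("10:15:00"), "W-01", "B-1"), (t("10:15:10"), "W-01", "B-2"),
    (t("12:30:00"), "R-17", "B-3"),
    (t("14:20:00"), "W-01", "B-1"), (t("14:20:05"), "W-01", "B-9"),
    (t("16:00:00"), "W-01", "B-1"), (t("16:00:05"), "W-01", "B-2"),
    (t("17:00:00"), "R-17", "B-3"),
]
OPENS = [
    (t("10:15:20"), "W-01", "CHG-100"),   # two people, valid ticket
    (t("12:30:05"), "R-17", "CHG-101"),   # single-person cabinet, valid ticket
    (t("14:20:10"), "W-01", "CHG-102"),   # two badges, one person
    (t("16:00:10"), "W-01", "CHG-100"),   # ticket window closed at 11:00
    (t("17:00:05"), "R-17", None),        # no ticket referenced
]

if __name__ == "__main__":
    print(review_cabinet_opens(OPENS, AUTHS, TICKETS, BADGE_OWNER, TWO_PERSON))
```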
Physical-cyber convergence: the security system as OT
The final decision is the one most likely to be missed, because it inverts the chapter: the physical-security system is itself a cyber attack surface. Access-control panels, biometric readers, the CCTV/VMS estate, and — most dangerously — the building-management system (BMS) and electrical-power-management system (EPMS) that the security team often co-owns are all networked devices running embedded firmware, frequently on flat networks with default credentials and vendor remote-access tunnels. They are operational technology, and they must be treated as OT: segmented off the corporate and production networks, patched, monitored, and access-controlled the same way any other control plane is. The convergence cuts both ways. An attacker who compromises the access-control system can unlock the doors the concentric model relies on; an attacker who reaches the BMS/EPMS can manipulate cooling and power directly — turning a cyber intrusion into a physical, destructive event (the forced load step, the disabled CDU, the BESS runaway).
The fork is organizational as much as technical: who owns the security/BMS network, and is it on the OT-segmentation program or orphaned as facilities IT? The 2026 best practice — and the convergence that the industry guidance now emphasizes — is a single converged security function where physical and cyber are not separate fiefdoms, the cameras and door controllers live behind the same microsegmentation as any other OT, and the BMS/EPMS sits inside the OT zones of the Purdue model rather than on a flat facilities VLAN. The downstream cost of the un-converged organization is the seam: a physical team that owns the cameras but not their network security, and a cyber team that does not know the door controllers exist, leave exactly the gap a converged adversary walks through. Network segmentation and the zero-trust treatment of these planes are in Chapter 11.7; the destructive OT-attack physics and the safety-instrumented-system independence that a compromised control plane cannot override are in Chapter 11.10; the cooling-controls plane specifically is in Chapter 5.12.
Deep dive: cameras and door controllers are OT, not appliances
It is tempting to treat IP cameras, NVRs, and badge panels as plug-and-play appliances — they ship working, they are bought by facilities, and they are rarely on the CISO's asset inventory. That is precisely why they are a favored foothold. They run embedded Linux or RTOS firmware that is patched late or never; they ship with documented default credentials; many phone home to vendor clouds over outbound tunnels that bypass perimeter controls; and they are often dual-homed between the security VLAN and something more sensitive. A compromised camera is a quiet pivot point inside the building network; a compromised door controller can unlock the mantrap that the entire concentric-zone model depends on; a compromised VMS can blind the SOC during a physical intrusion.
The control set is ordinary OT hygiene applied to gear nobody thought of as OT: inventory every device and put it on the asset register; segment the physical-security and BMS/EPMS networks away from corporate and production (microsegmentation per Chapter 11.7); kill default credentials and disable or proxy vendor remote-access tunnels; patch firmware on a managed cadence with provenance checks (the firmware-integrity discipline of Chapter 11.4 applies to a door controller as much as to a BMC); and monitor east-west traffic so a camera that suddenly talks to a domain controller raises an alarm. The unifying idea: the device that enforces your physical security is also a host on your network, and an adversary who owns it owns both planes at once.
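The inventory and east-west monitoring controls above, as an added example (not from the original chapter): flows that originate on the physical-security VLAN are judged against the asset register and a role-to-role allow-list, so a device missing from the register, a direct outbound connection that bypasses the vendor proxy, and a camera reaching a domain controller each raise a distinct alert. All addresses, roles, ports and flow records are constructed.

```python
import ipaddress

# Everything below is constructed for illustration: addresses, roles and ports.
SECURITY_NET = ipaddress.ip_network("10.50.0.0/24")    # physical-security VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # all internal address space

ASSETS = {   # asset register: IP -> role
    "10.50.0.5": "vendor_proxy",
    "10.50.0.11": "camera",
    "10.50.0.12": "camera",
    "10.50.0.20": "nvr",
    "10.50.0.30": "door_controller",
    "10.50.0.40": "acs_server",
    "10.10.0.10": "domain_controller",
}

ALLOWED = {   # (source role, destination role, destination port)
    ("camera", "nvr", 554),                  # RTSP video to the recorder
    ("door_controller", "acs_server", 443),  # controller to access-control server
    ("nvr", "vendor_proxy", 3128),           # vendor access only through the proxy
}

def evaluate_flows(flows, assets=ASSETS, allowed=ALLOWED):
    """Return [(src, dst, port, reason)] for flows that break the baseline."""
    alerts = []
    for src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in SECURITY_NET:
            continue   # only traffic originating on the security VLAN is judged here
        src_role = assets.get(src)
        if src_role is None:
            reason = "uninventoried_device"      # on the VLAN but not on the register
        elif not any(dst_ip in net for net in INTERNAL_NETS):
            reason = "direct_external"           # outbound tunnel bypassing the proxy
        elif (src_role, assets.get(dst), port) not in allowed:
            reason = "unexpected_east_west"      # e.g. camera -> domain controller
        else:
            continue
        alerts.append((src, dst, port, reason))
    return alerts

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.50.0.11", "10.50.0.20", 554),    # camera -> NVR, allowed
    ("10.50.0.30", "10.50.0.40", 443),    # door controller -> ACS server, allowed
    ("10.50.0.12", "10.10.0.10", 445),    # camera -> domain controller
    ("10.50.0.20", "203.0.113.7", 443),   # NVR -> external host (documentation range)
    ("10.50.0.99", "10.50.0.20", 554),    # unknown device on the security VLAN
    ("10.50.0.20", "10.50.0.5", 3128),    # NVR -> vendor proxy, allowed
]

if __name__ == "__main__":
    for alert in evaluate_flows(SAMPLE_FLOWS):
        print(alert)
```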
Anti-patterns
The same physical-security mistakes recur, each from reasoning about one layer in isolation:
- Hardening the core, ignoring the tie. A flawless five-zone interior wrapped around a substation, fuel farm, and fiber vault sitting un-fenced on a public easement. The adversary strands hundreds of megawatts without ever touching a rack — and the transformer is a multi-year, sometimes irreplaceable loss.
- Buying a counter-UAS weapon you cannot legally fire. Procuring jammers or kinetic interceptors that a private US operator has no authority to deploy, instead of investing the budget in detection, law-enforcement coordination, rooftop hardening, and dispersal — the things that are both legal and effective.
- Orphaning the security network. Treating cameras, door controllers, and the BMS/EPMS as facilities appliances outside the OT-segmentation program, leaving default credentials and vendor tunnels as the seam between the physical and cyber teams that a converged adversary walks through.
- Designing zones for today's facility. Scoping three zones for a current-generation inference hall, then being unable to grow a weights-bearing fifth zone when the workload moves up the value chain — the physical-security equivalent of the density-ramp trap, where the irreversible substrate (circulation, doors, OT room) was never reserved.