By Nate Ernst, Autonomy Global Ambassador – Energy
On March 1, 2026, Iranian Shahid drones struck data centers in Bahrain. The attack targeted cooling infrastructure, power systems and rooftop equipment directly. Amazon Web Services flagged operational issues across its Bahrain and UAE regions in the aftermath. The drones used were militarily derived. The tactics they demonstrated are commercially reproducible.
That is not a distant problem. It is a preview.
U.S. data center operators are watching the same threat mature domestically, and most have no program to address it. The hardware required to execute a comparable attack is available on Amazon. Preliminary targeting data is publicly accessible through satellite imagery. And the legal framework that would permit a private operator to defeat a drone in U.S. airspace does not yet exist. What does exist is a narrow but meaningful window to get ahead of this. Here is what data center security teams need to understand.
Why Data Centers Rank as High-Value C-UAS Targets
The drone threat to critical infrastructure has grown faster than most organizations’ awareness of it. Power generation facilities reported more than 13,000 unauthorized incursions in 2024, a 45 percent increase from the prior year. NFL game incidents climbed from 67 in 2018 to 2,845 in 2023. Airport control towers file more than 100 reports monthly. These numbers reflect a threat that has moved well past edge-case nuisance into routine operational concern.
Data centers occupy a specific position on the target spectrum. Unlike substations or pipeline compressor stations, they combine multiple characteristics that make them uniquely attractive to threat actors.
Cooling units, HVAC systems, generators, and antennas sit exposed on rooftops, unprotected from above. A small drone carrying a modest payload does not need to breach a perimeter fence. It needs to drop something on a chiller. A single point of failure at a hyperscale facility can cascade quickly. Downtime at a large facility can exceed one million dollars per hour, a fact that nation-state actors and domestic extremists understand well. For many threat actors, disruption is the mission and destruction is a bonus.
No physical reconnaissance is required to plan an attack. Facility footprints, power infrastructure layouts and approach corridors are documented online. An adversary can plan an operation from a hotel room using satellite imagery and publicly available engineering data. Domestic actors opposing data center construction and expansion are already flagged in threat reporting as a specific attack vector. This means the ideological motivation exists entirely independent of foreign state actors.
The Bahrain attack removed any remaining theoretical dimension from this conversation. Consumer off-the-shelf equipment combined with freely available information can equal weaponized unmanned aircraft systems. That equation does not change based on which country the facility is in.
U.S. Law Permits Detection, Not Defeat, A Distinction That Defines Your Program
The first thing data center security teams must accept is that as a private entity in the United States, you cannot legally defeat a drone in U.S. airspace. Kinetic countermeasures, jamming, spoofing, and directed-energy systems are currently reserved for DHS, DOD, DOJ, and other designated entities only. The FCC prohibition on non-federal use of jammers and spoofers is not an administrative technicality. Violating it carries serious legal exposure.
This is not a permanent limitation. Policy is moving. But today, every program must be built around detection and coordinated response.
Detection is still worth doing, and worth doing rigorously. A well-run detection program accomplishes things that matter operationally. Advanced warning changes what a security team can do. A drone that appears on a sensor feed before it reaches the rooftop is a fundamentally different situation from discovering one after the fact. Pattern-of-life data collected over months establishes what normal looks like over a facility. It makes anomalies identifiable and incidents defensible in court or in front of federal partners.
Detection also demonstrates due diligence. If something happens, the question that insurers, lawyers, and regulators will ask is whether a program was in place. A sensor log is evidence that it was. Operators who build a detection program now, run it consistently, and develop institutional knowledge around it also position themselves to add defeat capability the moment regulations permit. The detect-only posture today becomes detect-and-defeat tomorrow, provided the groundwork is there.
Detection is not a reason to feel secure. It is a reason to act. What a team does with detection data, how it responds, who gets notified, and how fast, determines whether awareness translates into protection.
Target Hardening for Data Centers: Steps That Require No Regulatory Approval
Alongside detection, physical hardening represents the most actionable near-term investment for data center operators. Most of it requires no regulatory approval whatsoever.
Hardening means placing physical barriers around the most vulnerable rooftop assets. Tensioned cables over cooling equipment, mesh caging over generators, and concrete enclosures around critical power infrastructure all raise the difficulty of a precision strike. These measures do not require defeating the drone. They require making the target harder to hit accurately. A drone that detonates or impacts twenty feet from a cooling unit instead of directly on it produces a materially different outcome.
Obscuration means making critical subsystems harder to locate and identify from above. Physical camouflage, decoys, screening vegetation, and concealment of rooftop markings complicate an adversary’s ability to navigate to a specific target. Perimeter extension means pushing the detection envelope outward so that any threat must travel farther through observable airspace before reaching anything critical. More distance means more time. More time means more options.
None of these efforts require special authority. They require a site assessment and a program budget conversation. The physical measures are low in cost relative to the consequences they are designed to reduce.
Sensor Technology and Fusion: Building a Reliable Drone Detection Program
No single detection technology will detect and track all drone activity. That is the structural reality of how these systems work. Any program design that ignores it will underperform.
Remote ID sensors deploy quickly and identify aircraft that broadcast compliant remote ID signals. They struggle against non-broadcasting drones and custom-built platforms, which are precisely the higher-threat category. Radar detects non-emitting targets and operates across most weather conditions, but it requires line of sight, needs tuning for site-specific clutter, and can perform poorly in the wrong environmental context. Micro-Doppler analysis improves target discrimination but adds cost and complexity.
Electro-optical and infrared sensors provide visual confirmation and payload cueing, though they are weather-limited and require line of sight. Acoustic sensors are low-cost and capable of detecting audible aircraft signatures, but they can be unreliable in noisy urban or industrial environments. Multi-sensor fusion platforms integrate data from multiple sensor types, reduce false alarms through corroboration, and give operators a single operational picture. They add cost and integration complexity, but they transform a collection of individual sensors into a coherent program.
The practical implication for most data center operators is a layered architecture with Remote ID as the baseline. Depending on total asset footprint and site-specific threat analysis, lower-risk locations may function adequately with a single sensor while others require a multi-sensor approach. The optimal configuration depends on each site, the surrounding airspace, environmental factors, and the threat profile that an honest assessment produces.
Section 2209 and the FAA Rulemaking Window Data Centers Cannot Afford to Miss
Section 2209 of the FAA Reauthorization Act is the most consequential near-term development in the C-UAS regulatory space. It directs DHS to establish a process through which non-federal entities operating critical infrastructure can apply for specific airspace restrictions over their assets, designated as Unmanned Aircraft Flight Restrictions (UAFR) and Special Unmanned Aircraft Flight Restrictions (SUAFR). While this is not an authority for private asset owners to use defeat technologies, it marks a significant step toward that authority in future rulemakings.
The comment deadline for this Notice of Proposed Rulemaking is July 6, 2026, and data center operators should be in that docket. Comments can be filed at regulations.gov.
The comment period is the practical window to make the case that data centers constitute critical infrastructure warranting protection under this framework. A well-argued comment does not need to be long. It needs to establish the economic consequence of a successful UAS attack on a facility of scale. Operators who coordinate a collective comment with industry peers carry more weight in the docket than individual filings making the same argument in isolation.
How to Build a Data Center C-UAS Program: The Sequence That Determines Success
Program stand-up is a process, not a purchase. The single most common mistake is organizations skipping directly to procurement without first defining what they are trying to detect, in what environment, and against what threat profile. That sequence produces expensive sensors without programs behind them.
Education comes first. Security teams need to understand the threat landscape, the technology options, and the regulatory framework before any technology purchase. Solicitation follows. Issue an RFI or RFP to qualified vendors, require actual performance data from comparable facilities, demand FCC and FAA compliance documentation, and treat this like any other critical procurement. Shortlisted systems should be validated in the specific operating environment against the specific threat scenarios the site faces, not in a vendor-controlled demonstration.
Response policy gets built in parallel with technology selection. Detection without a response protocol is operationally useless. The program must define who gets notified, in what order, what those people are authorized to do, and how the response connects to local law enforcement and federal partners. Standard operating procedures need to exist before an incident occurs, not after one forces the conversation.
Commissioning and sustained maintenance complete the cycle. Systems require ongoing maintenance. Operators require recurrent training. Pattern-of-life runs and red-team exercises need to happen on a defined schedule. A commissioned system running unattended for eighteen months is not a C-UAS program. It is an expensive sensor with degrading effectiveness.
Data Center Operators Who Wait Will Build Their Programs Under Pressure
The trajectory is clear. Drone incursions will continue to increase. Threat actors are diversifying, from hobbyists and corporate espionage operators to organized domestic extremists and state-affiliated actors. The hardware available to execute an attack grows more capable and less expensive every year.
Regulatory authority for private operators is moving in the right direction, but slowly. State and local law enforcement capabilities are maturing unevenly. Major cities that hosted events like the FIFA World Cup accelerated their capability, but most jurisdictions have not. Broad local C-UAS defeat capability, realistically, remains years away.
In that gap, data center operators are not defenseless. Detection is legal and available now. Physical hardening is legal and available now. Building institutional knowledge, vendor relationships, and interagency connections that will enable defeat capability when regulations permit is work that can begin today.
The Bahrain attack demonstrated that the threat is not theoretical, that the tactics are reproducible, and that the hardware is accessible. It also demonstrated that detection and hardening have value. The attack succeeded, but a more mature program could have shortened the response time, limited the impact, and built the forensic record needed to support federal action.
Operators who treat the drone threat to data centers as a future problem will find themselves building programs reactively, under pressure, after something has already happened. That is a worse outcome in every dimension. The tools to start are available. The regulatory window is open. The time to act is now.