
AI cybersecurity from the ground up - Part 3 'America's Superintelligence Project' gladstone.ai

  • brencronin
  • May 12

Gladstone AI, an organization focused on mitigating national security threats from advanced AI systems, including weaponization and loss of control, recently released a report titled America’s Superintelligence Project. The report highlights a range of risks associated with AI development, particularly the strategic implications of AI dominance by authoritarian regimes such as China.


The first section of the report focuses on AI data center vulnerabilities, emphasizing both environmental and physical security concerns. The report identified several risks specific to AI data centers and provided deeper insight into some of them. Two notable examples of these data center risks include:


  • Supply Chain Risks: Among the examples cited, critical components such as power transformers and the chips used in server Baseboard Management Controllers (BMCs) pose supply chain vulnerabilities. These components are often sourced internationally and may be susceptible to compromise or disruption.

  • Physical Security Gaps: Data centers located in dense urban environments may lack the physical standoff distance needed to mitigate threats. This makes them more vulnerable to:

    • Kinetic attacks (e.g., physical sabotage or targeting)

    • TEMPEST-style attacks, which involve intercepting and analyzing electromagnetic emissions from electronic devices to extract sensitive data.


Gladstone AI argues that without proper safeguards, such vulnerabilities could be exploited, either directly or indirectly, to compromise national security and erode trust in critical AI infrastructure.


Understanding BMC Security Risks and Supply Chain Concerns


A BMC is essentially a micro-server embedded within a larger server. Its primary function is to monitor and control system environmentals such as power supplies, fans, temperature sensors, and BIOS settings. BMC attacks are not new; they have previously been linked to state-level interference, including reports of Chinese involvement in hardware supply chain compromises.

To understand its importance, it helps to consider the "crash cart" analogy. In traditional data centers, crash carts (mobile units with a keyboard, mouse, and monitor) were wheeled to servers for direct interaction during outages or maintenance. BMCs remove the need for physical presence by enabling remote server access over IP, offering keyboard, video, and mouse (KVM) functionality.

Modern BMCs also support web interfaces and SSH access, allowing administrators or systems to poll data, monitor temperatures, detect hardware failures, and remotely manage systems, even when the main server is down. A networked BMC is essential for large-scale server deployments, where managing each server with a crash cart becomes impractical. Moreover, crash carts lack support for remote monitoring and automation.

Common server vendors brand their BMC implementations as follows:


  • Dell – iDRAC (Integrated Dell Remote Access Controller)

  • HP – iLO (Integrated Lights-Out)

  • Supermicro – IPMI (Intelligent Platform Management Interface)


Data center Supply Chain and Firmware Vulnerabilities


According to the Gladstone report, over 70% of BMC components, typically Arm-based system-on-chip (SoC) devices with embedded control logic, are manufactured in China. This raises legitimate concerns about hardware-level tampering or supply chain compromise. A high-profile example is Bloomberg’s 2018 article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” which alleged that the PLA inserted malicious chips into Supermicro server motherboards. These chips reportedly enabled unauthorized remote access, and the compromise was detected only through analysis of anomalous network traffic traced back to BMC interfaces. While the report remains controversial, because some sources at the tech companies allegedly affected did not corroborate the story, the risk is real.



Having worked extensively with Supermicro servers during that era, we disabled the switch ports connected to BMC interfaces, which was a little annoying and was part of the reason why we eventually switched server hardware to Dell.


The BMC Attack Surface


BMCs are a reliable foothold for both red teamers and real adversaries because of several persistent weaknesses. The BMC attack surface also underscores the value of Network Detection and Response (NDR), which provides visibility where host-based telemetry is missing, as it is on BMCs, which generally cannot run Endpoint Detection and Response (EDR) agents. Some of the most common weaknesses in the BMC attack surface are:


  • Separate firmware from the main OS, often left unpatched

  • Weak authentication, including default or easily guessable credentials

  • Lack of built-in support for Endpoint Detection and Response (EDR) agents


While BMC access typically doesn’t lead to direct data exfiltration, since the BMC itself stores no business data, it can still enable attackers to:


  • Disrupt availability, e.g., by turning off power supplies or manipulating fans

  • Pivot into internal systems if the management network isn’t properly isolated


BMCs offer powerful management capabilities, but they should have rigorous access control, patching, and network segmentation to remain secure.
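As an added example (not from the original post or the Gladstone report), the following NDR-style check flags BMC traffic that crosses the management-network boundary: hosts outside the management subnet reaching BMC service ports, and BMCs initiating connections elsewhere, which is the kind of anomalous traffic that exposed the alleged Supermicro implants. The subnets, port list and flow records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: BMCs sit on 10.99.0.0/24 and only jump hosts on
# 10.10.5.0/24 may reach them. Legitimate BMC dependencies (NTP, syslog,
# LDAP) are assumed to live inside MGMT_NET as well.
BMC_NET = ipaddress.ip_network("10.99.0.0/24")
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")
# Common BMC services named in the text (IPMI over RMCP+, web UI, SSH)
# plus a typical remote-KVM port; tune to the vendor in use.
BMC_PORTS = {623, 443, 22, 5900}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow: Flow):
    """Return a finding for one flow record, or None if it looks expected."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    tail = f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"
    if dst in BMC_NET and flow.dport in BMC_PORTS and src not in MGMT_NET:
        # Segmentation failure: something outside the management subnet is
        # talking to a BMC service (the pivot path the text warns about).
        return "bmc-access-outside-mgmt: " + tail
    if src in BMC_NET and dst not in MGMT_NET and dst not in BMC_NET:
        # A BMC opening connections to arbitrary hosts is the tell-tale of a
        # compromised or implanted controller; BMCs should only be polled.
        return "bmc-initiated-egress: " + tail
    return None


def scan(flows):
    """Run classify() over a batch of flows and keep only the findings."""
    return [finding for finding in map(classify, flows) if finding]


# Constructed sample flow records (no real hosts).
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.99.0.15", 443, "tcp"),   # jump host -> BMC web UI: expected
    Flow("10.20.7.31", "10.99.0.15", 623, "udp"),   # office workstation -> IPMI: finding
    Flow("10.99.0.42", "203.0.113.9", 443, "tcp"),  # BMC -> external host: finding
    Flow("10.99.0.15", "10.10.5.20", 443, "tcp"),   # BMC -> jump host (reply half): expected
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding)
```

In practice the same two rules can be fed from NetFlow/IPFIX or Zeek conn logs; the point is that the BMC subnet needs its own baseline, since no agent on the BMC will raise the alarm.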


"Ripping the Transformers"


The original article emphasizes the sabotage of critical electrical components, particularly those with long lead times, such as power transformers. This form of attack falls into the category of Denial-of-Service (DoS) availability attacks, aiming to disrupt a data center's ability to power its servers. The end goal? Impair and delay AI system operations by cutting off the essential power supply.


While attacking a transformer would be a significant disruption, imposing high costs and downtime on the operator, most modern data centers are built with redundancy. A single transformer failure would not necessarily cause complete power loss, because facilities are typically configured with N+1 (a set of components shares one common backup), 2N (every component has a paired backup), or 2N+1 redundancy (every component has a paired backup plus a shared spare). To be fair, sophisticated attackers would target the backup components as well.


For example, if utility-delivered power is disrupted due to transformer sabotage, the facility would likely failover to diesel backup generators. These are designed to maintain operations during utility outages. Additionally, utility companies maintain emergency transformer reserves to respond to disasters such as hurricanes, floods, or wildfires, which means recovery from transformer failure, while slow, is possible.


However, to meaningfully compromise operations, multiple power infrastructure components would need to be taken offline at once: in this example, the transformers together with the diesel generators or the power switches.

Targeting Data Center Operating Conditions


A more sophisticated and insidious form of attack could involve manipulating the operating conditions of critical components, for example gradually altering cooling systems so that chips experience temperature swings that induce early failure or reduced reliability. This method is harder to detect and mimics natural wear and tear, making it well suited to covert sabotage.


A historic example of this type of attack is the Stuxnet worm, which targeted Iran’s nuclear centrifuges. Stuxnet manipulated the rotation speeds of centrifuges in a precise sequence (speeding up and slowing down) that caused them to fail prematurely. Importantly, the attackers also compromised the supervisory control systems, ensuring the altered operational conditions were not visible to plant operators, masking the damage.


Hardware + Monitoring System Compromise


As we explore deeper into data center supply chain attacks, a clear pattern emerges: attacks that succeed at scale often involve both the physical components and the systems used to monitor them. Whether it's a transformer, generator, or temperature control sensor, the true risk lies in coordinated compromise, disrupting not just the infrastructure itself, but the visibility and telemetry used to manage it.

Data Center Locations, TEMPEST, and Wireless Security


The Gladstone paper also underscores the importance of physical and wireless security for AI data centers, citing TEMPEST as a critical but often overlooked concern. TEMPEST is a name used by the U.S. National Security Agency (NSA) and recognized by NATO, referring to the threat of compromising sensitive information through unintentional electromagnetic emissions, such as radio signals, electrical noise, acoustic vibrations, or subtle power fluctuations.


These emanations can be intercepted and exploited to eavesdrop on secure systems.

To mitigate TEMPEST threats, highly secure facilities are often built with specialized shielding for walls, windows, and infrastructure to contain any leaking signals. However, the Gladstone paper notes that AI frontier data centers typically lack these protections, largely due to the high cost and time of TEMPEST-compliant construction.


A recent example of a sophisticated wireless intrusion, dubbed the “Nearest Neighbor Attack,” was detailed by the cybersecurity firm Volexity. In this case, Russian state-aligned Advanced Persistent Threat (APT) actors breached their ultimate target by first compromising a nearby organization in an adjacent building and then using its systems to reach the target's wireless network, without ever needing to be in direct radio range themselves, thereby bypassing traditional techniques like war driving.


This incident raises a critical question: How secure are the small businesses or "mom-and-pop" shops operating near major data centers in rural areas? These types of businesses often lack robust cybersecurity defenses and can become weak entry points for adversaries targeting high-value infrastructure nearby.

One critical factor is stand-off distance, the physical buffer between a facility and any external observer. Greater stand-off distances reduce the feasibility of signal interception. The report recommends building AI data centers in rural, inland areas where land is more available, allowing for larger perimeters and increased physical isolation. Interestingly, this trend is already occurring, but primarily for economic reasons rather than security. Many frontier AI data centers are being developed in low-cost, energy-efficient rural areas, including:


  • OpenAI's StarGate – Abilene, Texas

  • xAI's Colossus – Rural Memphis, Tennessee

  • Meta's facility – Richland Parish, Louisiana

  • New builds – Nebraska, Iowa, and rural areas near Columbus, Ohio


Offense Informs Defense


A central theme in the report is the critical importance of regular red team assessments for AI frontier data centers and labs. Red teams emulate real-world adversaries, often discovering novel and unforeseen attack vectors that challenge assumptions and expose hidden vulnerabilities.


These exercises are not just simulations; they are learning tools. Every successful exploit uncovered by a red team offers direct insight into how an actual attacker might operate. This feedback loop embodies a foundational cybersecurity principle: “Offense informs Defense.” By understanding how systems are broken, defenders can build stronger, more resilient protections.



References


  • America’s Superintelligence Project
  • Bloomberg Reports China Infiltrated the Supermicro Supply Chain We Investigate
  • Explaining the BMC
  • What is a Baseboard Management Controller? (BMC)
  • Old But Gold: The Underestimated Potency of Decades-Old Attacks on BMC Security
  • Firmware Supply-Chain Security is Broken: Can we Fix it?
  • What is Data Center Redundancy? N, N+1, 2N, 2N+1?
  • Temperature: A Growing Concern For Chip Security Experts
  • An Overview of ICD 705 Wall Requirements
  • The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

 
 
 
