Friday evening in midsummer: the air conditioning in a server room fails. Over the weekend no one notices. On Monday morning the monitoring dashboard shows dozens of alerts: three of eight servers have shut down automatically after thermal overload, and two hard drives are permanently damaged. Restoring the affected databases takes four days.
Unfavourable climatic conditions are among the most frequently underestimated threats to IT infrastructure. The BSI lists them as elementary threat G 0.2. Heat, cold, humidity and rapid temperature swings act gradually — the damage is often noticed only once systems have already failed.
What’s behind it?
Every electronic device has a specified temperature range within which it operates reliably. As soon as the ambient temperature exceeds or falls below those limits, malfunctions, performance drops or irreversible hardware damage become likely.
Heat is the most common trigger. Modern processors and memory modules generate considerable waste heat. Without adequate cooling the temperature in server rooms rises to critical levels within hours. Thermal throttling first reduces performance; if the temperature continues to rise, systems shut down automatically. Hard drives are particularly sensitive: elevated temperatures accelerate the wear of mechanical components and measurably increase the error rate.
Risk factors
- Frost and cold — Below-freezing temperatures can stress solder joints, damage LCD displays and cause condensation when cold devices are suddenly moved into warm environments.
- High humidity — From around 80% relative humidity, condensation forms on circuit boards and contacts. Short circuits and accelerated corrosion follow.
- Low humidity — Below 30% relative humidity, the risk of electrostatic discharge rises. A single spark can destroy sensitive semiconductor components.
- Rapid temperature swings — In spring and autumn, opened windows in server rooms cause sharp temperature jumps. The resulting condensation can lead to failures within minutes.
Dust deposits on cooling fins and in fans gradually reduce cooling performance (interaction with G 0.4). A fouled air-conditioning unit may fall 30–40% short of its rated capacity. Equally problematic: server rooms originally designed for a lower heat load that have been filled over the years with ever more hardware.
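The risk factors above translate into alerting rules for a room sensor. The following Python code is an added example, not part of the original article: the 80% and 30% humidity limits come from the text, while the temperature limit, the swing limit, the staleness timeout, the sample readings and the dew-point heuristic (Magnus approximation) are assumptions for illustration.

```python
import math

# Humidity limits are the figures given in the text; every other limit is an
# assumed value and must be set from the hardware specifications.
RH_HIGH = 80.0        # % relative humidity: condensation risk (from the text)
RH_LOW = 30.0         # % relative humidity: ESD risk (from the text)
TEMP_MAX_C = 27.0     # assumed upper limit for room air temperature
SWING_C = 5.0         # assumed maximum temperature spread within the window
STALE_AFTER_S = 600   # assumed: no reading for 10 minutes is itself an alert
WINDOW_S = 3600       # look-back window for swing and condensation checks

def dew_point_c(temp_c, rh):
    """Dew point via the Magnus approximation (a=17.62, b=243.12 degC)."""
    a, b = 17.62, 243.12
    gamma = math.log(max(rh, 0.1) / 100.0) + a * temp_c / (b + temp_c)
    return b * gamma / (a - gamma)

def evaluate(readings, now):
    """readings: list of (unix_time, temp_c, rh_percent), oldest first.
    Returns the sorted list of alert codes that apply at time `now`."""
    if not readings or now - readings[-1][0] > STALE_AFTER_S:
        return ["SENSOR_STALE"]   # silence must never read as "healthy"
    t_now, temp, rh = readings[-1]
    alerts = set()
    if temp > TEMP_MAX_C:
        alerts.add("TEMP_HIGH")
    if rh >= RH_HIGH:
        alerts.add("HUMIDITY_HIGH")
    if rh < RH_LOW:
        alerts.add("HUMIDITY_LOW")
    temps = [r[1] for r in readings if t_now - r[0] <= WINDOW_S]
    if max(temps) - min(temps) > SWING_C:
        alerts.add("TEMP_SWING")
    # Heuristic (assumption): equipment surfaces lag the air, so the coldest
    # air temperature in the window stands in for the surface temperature.
    if min(temps) <= dew_point_c(temp, rh):
        alerts.add("CONDENSATION_RISK")
    return sorted(alerts)

# Constructed sample readings, not measurements from the article.
NOW = 1_000_000
OPEN_WINDOW = [(NOW - 3000, 6.0, 70.0), (NOW - 1500, 12.0, 72.0), (NOW - 60, 18.0, 75.0)]
AC_FAILURE = [(NOW - 3000, 44.0, 22.0), (NOW - 1500, 45.0, 21.0), (NOW - 60, 46.0, 20.0)]
print(evaluate(OPEN_WINDOW, NOW))         # cold room refilled with warm, moist air
print(evaluate(AC_FAILURE, NOW))          # hot, dry room after a cooling failure
print(evaluate(AC_FAILURE, NOW + 7200))   # sensor silent for two hours
```

The stale-sensor rule matters as much as the thresholds: a monitoring path that stops reporting should page someone rather than show the last good value.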
Practical examples
Air conditioning fails on the weekend. The sole air-conditioning unit in a server room has a compressor defect. Because no temperature monitoring with alerting exists, no one notices the failure until Monday morning. Room temperature has risen above 45 °C. Several hard drives and a storage controller are permanently damaged. The redundant air-conditioning unit that was supposed to step in according to the plan was never installed for cost reasons.
Condensation from open windows. In a small company the server sits on the attic floor. On a warm autumn day an employee ventilates the room through wide-open windows. At night the temperature falls below 5 °C. The next morning the circuit boards of the switch are wet with condensation. The switch fails intermittently and causes network problems whose cause is only found after days.
Heat build-up from dust accumulation. In a server room the dust filters of the air conditioning have not been changed in two years. Effective cooling capacity gradually declines. On a hot summer day the remaining capacity is no longer sufficient. The servers throttle their performance, and business-critical applications respond extremely slowly. The connection between dirty filters and performance problems is recognised only after a week.
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 12 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)
Prevention:
- A.7.5 — Protecting against physical and environmental threats: Climate control, cooling and environmental protection for IT infrastructure.
- A.7.11 — Supporting utilities: Monitoring and redundancy of building utilities, including air conditioning.
- A.7.13 — Equipment maintenance: Regular servicing of air-conditioning and ventilation systems.
- A.7.8 — Equipment siting and protection: Consider placement and environmental conditions when siting IT hardware.
Detection:
- A.7.7 — Clear desk and clear screen: Tidy IT rooms make it easier to spot environmental problems (dust accumulation, blocked ventilation).
- A.8.10 — Information deletion: Controlled decommissioning of heat-damaged media prevents uncontrolled data loss.
Response:
- A.8.13 — Information backup: Backups enable recovery when media are damaged by climatic influences.
- A.8.14 — Redundancy of information processing facilities: Geo-redundant systems secure availability despite site-specific climate problems.
BSI IT-Grundschutz
G 0.2 is linked in the BSI IT-Grundschutz catalogue to the following modules:
- INF.2 (Data centre and server room) — Requirements for climate control, temperature monitoring and redundant cooling.
- CON.6 (Deletion and destruction) — Correct disposal of heat-damaged storage media.
- SYS.4.5 (Removable media) — Storage conditions for media (temperature, humidity).
- INF.5 (Room and cabinet for technical infrastructure) — Climatic requirements for technical rooms and distribution cabinets.
Sources
- BSI: The State of IT Security in Germany — Annual report with current threat statistics
- BSI IT-Grundschutz: Elementary Threats, G 0.2 — Original description of the elementary threat
- ISO/IEC 27002:2022 Section 7.5 — Implementation guidance on protection against physical and environmental threats