Leo Simonovich is vice president and global head of industrial cyber and digital security at Siemens Energy.
In the past year and a half, the business world has repeatedly seen cyber services become sudden showstoppers.
A Crowdstrike update paralyzed air and rail travel around the world. Hospital billing ransomware held U.S. healthcare systems hostage. Even Downdetector.com went down in the face of Cloudflare interruptions.
These critical technology stacks supporting the global economy are invisible to the end customer — until something breaks.
The current business super-cycle centered on energy and data centers offers an all-too-rare opportunity to reduce risks to critical infrastructure. Nearly all the technology stacks that enable — and sometimes suddenly disable — business are built atop data centers and their need for constant, reliable electricity. Decisions made today will affect the reliability of that power and the cost of providing that reliability for decades to come.
Companies and countries are racing to build out data center and energy infrastructure to support AI innovation. This race rightly emphasizes speed and scale, but data center developers and their energy partners would be wise to ramp up cybersecurity efforts to match the pace of development.
Designing cybersecurity controls during a new build process almost always gives better results than retrofits.
Retrofitting existing sites for better cybersecurity remains a long-running headache in the energy sector. These sites often feature decades-old machines built when air gapping made sense, remote logins were science fiction and devices rarely shared data with each other. The technical barriers to securing such sites are so high that many customers cannot make meaningful progress without outside help.
Many companies struggle even to maintain a current and accurate inventory of the devices legitimately allowed to exchange data over their industrial network. Using the same build-first, secure-later approach in our next round of infrastructure development sets up future leaders for another decade of expensive retrofits or unexpected outages.
For energy businesses focused on delivering power to data centers, cybersecurity will make or break the business plan.
U.S. electricity customers experienced an average of 11 hours of power outages in 2024, nearly twice as many as the annual average across the previous decade, according to the Energy Information Administration. For a level 4 data center the availability standard is 99.995%, allowing roughly 8 minutes of outages per year for any reason. Capturing premiums and avoiding penalties built into data center contracts will depend on meeting high reliability standards. Power providers will need confidence that their cybersecurity controls will block all but the most sophisticated attacks.
Cybersecurity providers will need to ensure updates match the pace of attacker innovation — and avoid compatibility issues.
The need for continuous electricity supply already drives design choices for data centers. Many data centers plan to produce power on site, instead of sourcing it from the grid. Others are building battery backups and generators to cover unavoidable outages. Compared to these investments, the cost of strong cybersecurity is trivial.
To be sure, even the strongest cybersecurity measures cannot guarantee a perfect power delivery record.
Malicious use of AI is already reducing the skill level required to launch sophisticated attacks, and attacker innovation will continue into the future. Designing cybersecurity architecture into new infrastructure can mitigate these risks by ensuring the strongest protections surround the most critical systems, planning for future maintenance and updates, and segmenting networks to limit the extent of damage when any given device or user account becomes compromised.
We can and should build the next generation of infrastructure better. But we have to hurry. Data center demand for electricity is growing four times as fast as demand from all other industries. Progress will not wait — cybersecurity must be planned and deployed at the same breakneck pace as new electricity infrastructure.
