As data centres become increasingly embedded in the critical infrastructure backbone supporting economies, energy systems and AI-driven digital services, they are introducing cybersecurity and resilience risks that extend far beyond traditional IT threats. The analysis noted that tighter integration with OT (operational technology) and power infrastructure is forcing operators to move beyond perimeter-based security models and adopt continuous monitoring, cyber-physical resilience planning and coordinated protection of energy systems to reduce the risk of cascading disruption across essential services.
“The interdependence between data centres and energy systems makes it important to understand and manage cyber risks to energy infrastructure, including on-site power production at data centre facilities,” Leo Simonovich, vice president and global head for industrial cyber and digital security at Siemens Energy, and Filipe Beato, manager for technology and innovation at the World Economic Forum, wrote in a post this week. “Understanding what resilience looks like for data centres, their on-site energy systems and their interactions with regional electricity grids will bolster the resilience of current and future critical infrastructure.”
The analysis also highlighted that surging electricity demand from AI workloads is reshaping how governments and industry view data centres, with growing recognition that they should be treated as strategic national infrastructure rather than conventional real estate assets. The post added that cyber resilience is becoming inseparable from energy resilience, particularly as geopolitical tensions, AI-driven threats and attacks targeting critical infrastructure continue to intensify globally.
They observed that data centre resilience underpins availability of data services, covering everything from online advertising to business logistics, invoicing, digital banking, and more.
“Data centres must be able to repel, detect and clear cyber threats without interrupting these services. Designing or operating data centre energy systems without considering cybersecurity can introduce or overlook vulnerabilities,” the post detailed. “To provide data services, some portion of the data centre facility must be connected to external networks. This continuous exposure to the internet requires security architecture that protects on-site energy systems.”
Simonovich and Beato identified that power plant systems and their backups must also be monitored because these systems will be digitally managed. “Monitoring sensor and production data together with security event data can help discover threats and vulnerabilities before damage can occur. Even hardened systems should be monitored.”
They added that cybersecurity requires visibility across the system of systems. “The power plant, backup power, cooling and physical access systems each have potential for misuse that could affect data centre and grid stability. Visibility across these systems can help to quickly identify and address high-consequence anomalies better than if each system is monitored separately.”
The post also accounted for the rapid pace of data centre deployment in highly-regulated regions like the U.S., which tends to incentivize on-site power generation. Guiding new power production and transmission lines through the necessary regulatory hurdles takes time, but investors in AI (artificial intelligence) innovation call for speed. At the same time, supply chain constraints can delay the purchase and deployment of heavy equipment like gas turbines.
They also noted that developers can transition from small, immediately available generators to sources like wind, solar or nuclear power as these slower-to-construct systems come online. Integrating multiple energy sources has the advantage of diversifying risk, but requires careful attention to ensure visibility across the system of systems for cybersecurity monitoring.
Highlighting that data center and electricity sector resilience are interconnected, the analysis recognizes that data centres must operate backup power systems during grid outages, and grid operators must build systems capable of handling data centre load variability. Both sectors benefit when the electric grid delivers uninterrupted, low-cost power. This mutual benefit should drive cooperation on resilience.
Power outages and cyber incidents could potentially occur simultaneously. But building resilience into the relationship between data centres and the electricity sector and continuing to engage across sectors as each sector’s requirements evolve can help address the solvable engineering challenges that will transform these events from major emergencies into minor incidents.
The House Homeland Security Committee’s Subcommittee on Cybersecurity and Infrastructure Protection also examined in a recent hearing whether data centres should be designated as a standalone critical infrastructure sector amid rising concern over their growing strategic importance and exposure to cyber and physical threats.
During the hearing, lawmakers and industry experts argued that the rapid expansion of AI-driven cloud infrastructure, combined with increasing dependence on hyperscale providers such as Amazon Web Services, Microsoft Azure and Google Cloud, has exposed gaps in the current federal framework for protecting data centres. Witnesses warned that disruptions to major facilities could have cascading consequences across national security, energy, communications and economic systems, while some experts called for a dedicated coordinating structure and clearer federal oversight similar to the U.K’s approach to data centre protection.
Earlier this week, the WEF, in collaboration with KPMG, published a report examining how AI is reshaping cyber defence while warning that its effectiveness depends on strategic deployment, strong governance and sustained human oversight. The report outlines key questions facing executives and chief information security officers while assessing the opportunities and risks tied to agentic AI. It argues that organisations must align AI adoption with enterprise strategy, strengthen operational readiness, rigorously test deployments and continuously refine and scale systems as they mature.
