Introduction
The critical role of data centers in sustaining global economic health and societal function has been widely acknowledged and scrutinized. Increasingly recognized as critical infrastructure, data centers operate around the clock to support global digital commerce and information systems, including financial markets, healthcare networks, and essential government services. As digital infrastructure continues to advance, data centers are entering a new era shaped by artificial intelligence (AI) and high-performance computing. These facilities require uninterrupted, stable electricity from their serving utilities to maintain operational efficiency. This dependency creates a reciprocal relationship in which the reliability and security of the utility directly impact the reliability and security of the data center, and vice versa.
The Threat Landscape
Cybersecurity threats affecting both utilities and data centers—vulnerabilities that can result in significant downtime and service disruptions—are well documented and remain a critical concern for infrastructure resilience (North American Electric Reliability Corporation [NERC], 2025). The inherent relationship between data centers and electric utilities includes shared connections that could introduce cybersecurity vulnerabilities. Conversely, physical security threats are often overlooked as a significant threat but can lead to similar, yet arguably more prolonged and devastating outages, simply because of the actual physical damage or destruction to equipment and facilities. Once an adversary physically destroys a transformer or turbine, they worsen existing supply chain disruptions for critical electric equipment, which can take months or even years to replace (Wood Mackenzie, 2024). Utilities are effective at restoring power, often planning for and recovering from major weather events within days or weeks. However, the damage is primarily focused on downed lines and pole-mounted transformer infrastructure, not high-voltage transformers and turbines. Datacenters depend on stable, reliable power. Utilities rely on a stable, forecastable load. Increasingly, the health of the grid, financial stability, global medical diagnosis and delivery systems, and critical emergency services depend upon both. When current production and delivery timelines for high-voltage transformers and gas turbines, which can stretch up to 2–5 years (Wood Mackenzie, 2025), are considered, the vulnerability of the interdependent relationship between data centers and electric utilities becomes increasingly clear.
Grid Specific Physical Attacks
Perhaps no single event highlights the escalating threat posed to the electric sector more than the sophisticated armed attack on an important substation in Metcalf, California in 2013 that led to the damage of 17 high voltage transformers, as well as an AT&T communications vault that included supervisory control and data acquisition fiber (Public Utility Commission of California, 2008). Had it not been for backup systems, the consequences could have been significantly more severe. After the attack, investigators drew inferences that multiple attackers were involved because of the scope and scale of the attack (to date, no charges have been filed) (Smith, 2014). Moreover, forensic evidence identified that the rounds that were used were 7.62x39mm cartridges commonly associated with Kalashnikov-pattern assault rifles, such as the AK-47. This documented attack indicates that adversaries targeting the electric sector may operate as coordinated groups, equipped with high-power weapons and possessing communications expertise. This attack then became a reference point for the highest-level threat the sector faced, though understanding of the attacker’s motivation was absent.
An Evolving Threat
The following events help clarify the evolution and sophistication of attackers and their methods against the bulk power system (BPS). In December of 2022, attackers damaged two separate substations in Moore County, North Carolina, in a coordinated firearms attack, causing a power outage for approximately 45,000 residents lasting nearly five days. The attack also resulted in a death, which has since been ruled a homicide (to date, no charges have been filed) (Byrn, 2023). In February of 2023, two individuals with white nationalist beliefs researched and planned a firearms attack against up to five substations in the Baltimore, Maryland, area with the intent to cripple Baltimore, but were ultimately arrested before they could execute their plan (U.S. Department of Justice, 2023).
Additionally, in November 2024, a Tennessee man with white supremacist affiliations was arrested and convicted of planning and attempting to use a drone to deliver explosive devices to blow up substations to inflict more damage to the system compared to a firearm attack (U.S. Department of Justice, 2025).
Datacenters and Utilities: Critical Interdependencies
Interdependency is the state of being mutually dependent upon the other (Merriam-Webster, n.d.). In the current environment, datacenter load requests are surging nationwide, leading to critical resource adequacy and capacity concerns for utilities and grid operators due to the energy they need to operate. When coupled with extreme weather-related events, the stress on the BPS is real. And that is just from operational concerns. National energy leaders have also highlighted the “escalating toxic soup” of cyber and physical attacks to the grid (Howland, 2025). A cyber or physical attack on a load-serving entity, typically an electric utility, can be devastating to a data center’s operations and finances due to lost compute time, as well as downstream societal impacts from lost access to critical services. Conversely, an attack against a datacenter—an end-use customer reliant on the electric grid—that induces voltage and frequency fluctuations can have equally disruptive effects on a utility’s grid responsibilities at the local, regional, and potentially national levels. This is not abstract thinking; operational anomalies have already occurred that strained these dependencies, although they were not actual attacks (NERC, 2025). The impacts of even minor interruptions can often be measured in millions of dollars. The life, health, and safety implications of prolonged grid or information system outages are significant and warrant continued attention in infrastructure planning and risk mitigation. Previous incidents have demonstrated that voltage irregularities in the system can cause data centers to disconnect, which can introduce instability into the electric grid. While these types of incidents are being heavily studied operationally, this also highlights a bidirectional security risk dynamic where threats can emerge from both the grid and its end-use customers.
Interdependency Must Lead to Coordination
The connection between data centers and utilities continues to evolve, as both sectors work to align operational priorities and deepen their understanding of each other’s constraints. From a business and planning perspective, data centers seek access to stable, reliable power at predictable prices, and utilities want assurance that data centers will follow through on planned build-outs and that their load requests are accurate. While meaningful coordination between the two industries is materializing to balance these operational concerns, it is now time for joint security coordination to be part of a holistic security mindset.
Potential Pathways to Shared Security
Electric utilities embrace some of the most robust cyber and physical security requirements of any regulated industry, particularly for designated critical infrastructure facilities. Many large investor-owned utilities that will be servicing data centers have mature security operations. This includes centralized security operations centers (SOCs) staffed around the clock, responsible for improving an organization’s cyber and physical security posture by preventing, detecting, and responding to threats.
Many of these utilities have adopted commonly used threat identification and training tools to support risk assessment and preparedness. These tools help identify their critical facilities, define unacceptable consequences associated with those assets, and analyze potential adversaries, including their capabilities and tactics. The first step in this process is critical facility identification. Though the critical facility identification process is commonly employed across industries, utilities are learning to implement it in a more detailed and nuanced way that protects not just the facility, but also the return on investment (ROI) for security dollars spent. To do this, they utilize the Design Basis Threat (DBT) process or other assessment tool to identify the facilities that need the highest level of protection—diamonds—versus the facilities that are not as critical to protect—pencils. Diamonds are those facilities, or specific pieces of equipment within a facility, that are so critical they cannot be lost or interrupted and require the highest level of protection. It is important to note that the key to protecting diamonds is to understand what you are protecting them against.
Design Basis Threat (DBT)
DBT is a concept and tool that evolved from the nuclear security function. DBT is defined by the International Atomic Energy Agency (IAEA) (International Atomic Energy Agency [IAEA], 2016) as:
“…a comprehensive description of the motivation, intentions and capabilities of potential adversaries against which protection systems are designed and evaluated. A DBT is derived from credible intelligence information and other data concerning threats but is not intended to be a statement about actual, prevailing threats. Historically, States have used DBTs in their regulatory system to achieve appropriate allocations of resources to the protection of nuclear material and nuclear facilities against malicious acts by potential adversaries that could result in high consequences, particularly radiological consequences or consequences of proliferation; however, a DBT can also be used to protect any asset with associated high potential consequences (e.g., other radioactive material of high activity).”
The key statement is “a DBT can also be used to protect any asset with associated high potential consequences” (i.e., it is not just applicable to nuclear facilities).
The electric sector views things in terms of unacceptable consequences for a particularly important asset, down to a specific piece of equipment in a specific location.
Once a critical facility or piece of equipment has been identified, the next step is to define the relevant adversary and what their motivations and capabilities are. This definition informs protection strategies by clarifying what requires safeguarding and at what level, or by acknowledging the risks of not doing so. The process must be guided by reasonable, credible, and documentable sources of information and intelligence about adversary capabilities. It also must be iterative. It needs to be reevaluated on a regularly scheduled basis to ascertain and evaluate new adversarial tactics, techniques, and procedures (TTPs). As previously noted, TTPs change and evolve over time, and so should your DBT.
Once a utility has identified its critical facility or piece of equipment, along with the motivation, sophistication, and TTPs of credible adversaries, it can begin designing a physical protection system aimed at deterring, detecting, delaying, and ideally preventing a successful attack on what is truly important—diamonds. This approach reflects a structured process within the electric sector, one that has evolved over time and is now codified through mandatory reliability & security standards for utilities.
A Model for Improved Collaboration & Security
In addition to threat and vulnerability tools and processes to maintain their security, utilities adhere to Critical Infrastructure Protection (CIP) Standards. CIP Standards are mandatory and enforceable electric Reliability Standards issued by the North American Electric Reliability Corporation, a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid (NERC, 2025). CIP standards are a subset of Reliability Standards that encompass cyber and physical security. NERC specifically defines and enforces these standards to assure the reliability and security of the bulk power system (NERC, n.d.). They create a baseline of security requirements and measures that utilities follow, and that are evolutionary rather than static. The standards contain specific requirements coupled with best practices that inform cyber and physical security efforts across all levels of the electric sector, whether applicable or not. Alternatively, parts of the standards could be useful for datacenters to understand how their interdependent utility partner conducts the cyber and physical security process that helps to assure their reliable power delivery—the lifeblood of their operations. The suite of standards is public and addresses the following areas:
- CIP-002 – Bulk Electric System Categorization
- CIP-003 – Security Management Controls
- CIP-004 – Personnel & Training
- CIP-005 – Electronic Security Perimeters
- CIP-006 – Physical Security of BES Cyber Systems
- CIP-007 – System Security Management
- CIP-008 – Incident Reporting & Response Planning
- CIP-009 – Recovery Plans for BES Cyber Systems
- CIP-010 – Configuration Change Management and Vulnerability Assessments
- CIP-011 – Information Protection
- CIP-012 – Communications between Control Centers
- CIP-013 – Supply Chain Risk Management
- CIP-014 – Physical Security
- CIP-015 – Internal Network Security Monitoring
NERC’s standard development processes emphasize engagement with its registered entities, which are the utilities that serve the electric load. When new standards are proposed or considered for revision, experts from across the NERC community, including Regional Entities and utilities, collaborate through technical working groups to assess and develop best practices. These efforts support both the implementation of specific standards and the broader evaluation of emerging technologies and methodologies to enhance BPS reliability and security.
Best Practices for Best Protection
From the utility construct, teaching datacenter security practitioners how the industry implements measures to protect the electricity supply is an important step toward understanding the techniques and methodologies that utilities use to enhance BPS reliability and security. Sharing information about threats, coordinating Design Basis Threat understanding, integrating tabletop exercises, and developing pick-up-the-phone, real-time relationships is necessary for real-world, severe-event understanding and mitigation. For electric utility security practitioners, gaining insight into how data centers implement their protection strategies and technologies could equally yield valuable information for enhancing security operations for BPS reliability and security. In the absence of such collaboration, missed opportunities for alignment may increase the risk of service interruptions. While protecting business practices and proprietary information remains essential, both sectors have historically operated within such constraints, and these considerations need not hinder effective coordination. A central challenge is that neither sector fully understands the operational or security complexities and vulnerabilities of the other. As their interdependence grows, collaboration offers a pathway to strengthening both grid reliability and data-processing continuity, outcomes that serve the broader interests of global society.
Risk Registries Highlight Areas for Collaboration
A risk register illustrates how datacenter and utility security are interconnected and how much more they potentially could be. Risk registers are a well-established security methodology that ties identified vulnerabilities to specific controlling rules and regulations, as well as identifies and enumerates mitigations. Areas of similarity abound between the datacenter and utility security architectures. Using a low, medium, and high likelihood and consequence matrix, the following risk registry example offers observations that may be informative for future collaboration and development between datacenter and utility security staffs:
| Severity | Risk Type | Likelihood | Consequence | Risk Owner | Mitigation(s) |
|---|---|---|---|---|---|
| High | Physical Attack on utility facilities or equipment that can affect datacenter operations | Medium | High/Extreme – loss of revenue operations, accessibility of critical operational systems, downstream data outages | Utilities | CIP-014 techniques applied to all identified critical facilities that interconnect to datacenters. Joint training. |
| High | Physical Attack on datacenter systems, facilities, or equipment that can affect utility operations leading to system instability | Low (no referenceable data points currently) | High – outages, instability, cascading within an interconnection | Datacenters | Collaboration & coordination between datacenter and utility security personnel pre-event. Joint training. |
| High | Cyberattack on utility systems affecting datacenter operations | High | High – loss of revenue operations, accessibility of critical operational systems, downstream outages | Utilities | Robust implementation and management of CIP cyber standards. Cyber team collaboration with datacenter customers. Develop robust notification protocols for real-time incident collaboration. Joint training. |
| High | Cyberattack on datacenter systems affecting utility operations | Medium | High – outages, instability, cascading within an interconnection | Datacenters | Collaboration with utilities to see if CIP Standards can assist with security. Develop robust notification protocols for real-time incident collaboration. Joint training. |
This risk registry example, while limited, highlights that impacts need to be assessed and studied. Cyberattacks, while highly impactful, may be faster to recover from. However, physical attacks can result in permanent damage to critical equipment, potentially triggering additional vulnerability risks such as supply chain constraints for essential assets like high voltage transformers and gas turbines.
Shared Telemetry Data to Inform Security Awareness
Source-based telemetry data could be shared between utility providers and datacenters in several diverse ways to improve security before, during, and after a critical event. Both industries are deeply aware of and monitor their respective telemetry streams to identify threats before they manifest, triage them as they occur, and analyze them to prevent additional events. Examples of the value of shared telemetry data between datacenters and utilities include:
Security
- Cybersecurity – network traffic for real-time anomaly detection between security staffs.
- Physical security – access control alerts for mutually critical areas for security and system operator team verification, clearance, or alert.
Operational
- Electrical Power – voltage and frequency to detect anomalies on either side and communicate quickly and effectively.
- Load and demand – real-time load information visibility to supplement 15-minute forecasts.
- Ramp Rate Monitoring – particularly during shared load times (utilities’ normal commercial residential operations, datacenters’ high compute times).
- Power Quality – Harmonics – to detect nonlinear anomalies.
These are just a few examples of how telemetry collaboration, sharing, and integration have the potential to increase security for both industries.
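The operational items above can be screened together on one shared stream. The following is an added example, not code from the article or from any utility or datacenter: it checks voltage, frequency, ramp rate, and deviation from the forecast, and correlates a voltage sag with a subsequent load loss, the sequence the article describes. All thresholds, field names, and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds, for illustration only. Real limits come from the
# interconnection agreement and the utility's operating procedures.
NOMINAL_HZ = 60.0
FREQ_BAND_HZ = 0.05          # alert when |f - nominal| exceeds this
VOLT_BAND_PU = 0.05          # alert outside 0.95 to 1.05 per unit
MAX_RAMP_MW_PER_MIN = 20.0   # alert on faster load swings, up or down
FORECAST_TOLERANCE = 0.10    # alert when load departs >10% from forecast
SAG_WINDOW_S = 30            # a load drop this soon after a sag is correlated


@dataclass
class Sample:
    t: int            # seconds since the start of the window
    volts_pu: float   # voltage at the point of interconnection, per unit
    freq_hz: float
    load_mw: float    # datacenter load as seen by the utility


def screen(samples, forecast_mw):
    """Return (t, kind) alerts for delivery to both parties' operations teams."""
    alerts = []
    prev = None
    last_sag_t = None
    for s in samples:
        if abs(s.volts_pu - 1.0) > VOLT_BAND_PU:
            alerts.append((s.t, "voltage"))
            if s.volts_pu < 1.0:
                last_sag_t = s.t
        if abs(s.freq_hz - NOMINAL_HZ) > FREQ_BAND_HZ:
            alerts.append((s.t, "frequency"))
        if prev is not None and s.t > prev.t:
            ramp = (s.load_mw - prev.load_mw) / ((s.t - prev.t) / 60.0)
            if abs(ramp) > MAX_RAMP_MW_PER_MIN:
                alerts.append((s.t, "ramp"))
                # The sequence the article describes: a voltage irregularity
                # followed by the datacenter dropping off the grid.
                if (ramp < 0 and last_sag_t is not None
                        and s.t - last_sag_t <= SAG_WINDOW_S):
                    alerts.append((s.t, "sag_then_load_loss"))
        if abs(s.load_mw - forecast_mw) > FORECAST_TOLERANCE * forecast_mw:
            alerts.append((s.t, "forecast_deviation"))
        prev = s
    return alerts


# Constructed 10-second samples, not measurements from any real site.
CONSTRUCTED = [
    Sample(0, 1.00, 60.00, 300.0),
    Sample(10, 1.00, 60.00, 301.0),
    Sample(20, 0.91, 59.98, 300.0),   # voltage sag
    Sample(30, 0.99, 60.07, 120.0),   # load trips offline, frequency rises
    Sample(40, 1.00, 60.01, 118.0),
]

if __name__ == "__main__":
    for t, kind in screen(CONSTRUCTED, forecast_mw=300.0):
        print(f"t={t:>3}s  {kind}")
```

The correlated `sag_then_load_loss` alert is the one worth routing to both organizations at once, since neither side can confirm the cause from its own telemetry alone.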
Interdependency, Collaboration, & Conclusions
This article outlines the evolving interdependency between data centers and utilities, two sectors whose operational needs, responsibilities, and security are increasingly intertwined. Datacenters need steady power, and lots of it, while utilities depend on accurate load data to deliver that power reliably. Both industries share a public duty to support life, health, and safety through secure, reliable, and resilient infrastructure. The pursuit of modern life without reliable and secure power to enable the continuous operation of these critical systems is not only unimaginable, but it must also be prevented. To strengthen the safety and security of not just datacenters and utilities, but global society, the following recommendations should be viewed as a set of best practice collaborations:
- Relationships. Utilities and datacenters should have designated roles to develop and maintain security relationships and identify and magnify best security practices, as well as identify vulnerabilities.
- Put it in writing. Clearly define and document roles and responsibilities so organizational commitment is maintained over time.
- Organize. Create joint committees and/or working groups among key roles and subject matter experts that meet at a regular cadence to share threat, vulnerability, and mitigation information.
- Share. Develop and routinize methods and procedures to share critical threat, vulnerability, and system anomaly information as close to real-time as possible.
- Practice. Collectively train on, document, and maintain integrated tabletop exercises to establish responsible, always-available “person-to-person” contacts for actual events and to establish joint incident management protocols.
- Compare and contrast. Datacenters and utilities should learn each other’s security protocols such as ISO/IEC 27001 and CIP Standards for understanding and identification of best practices that can be mutually beneficial.
Asset owners and operators of critical infrastructure have a shared responsibility in maintaining modern life. Utilities have long recognized this responsibility and operate in a regulatory framework that enforces it. As data centers continue to mature and become increasingly vital across key sectors such as finance, healthcare, and governmental operations, their security posture also increasingly impacts broader segments of modern life, including the reliability and security of the electric grid. Given this deepening interdependency, security coordination should move beyond conceptual dialogue and become a national imperative.