
Siemens Energy VP on the Core Role of Infrastructure Visibility for AI Testing and Validation in Data Centers

The Security Digest - News Team
Published
January 7, 2026

Leo Simonovich, a VP of Industrial Cyber and Digital Security at Siemens Energy, explains why AI data centers need grid-critical protections.

Credit: Outlever

Key Points

  • As the energy sector adds new infrastructure to keep up with AI data center expansion, security and reliability expectations are drifting out of sync.

  • Leo Simonovich, Vice President and Global Head of Industrial Cyber and Digital Security at Siemens Energy, explains why the industry should treat data centers as critical infrastructure and design security into projects from the start.

  • The approach Simonovich recommends involves improving end-to-end visibility, validating protections through safe testing, and strengthening recovery so cyber incidents do not cascade into operational disruption.

We must think of data centers as critical infrastructure.

Leo Simonovich

VP & Global Head of Industrial Cyber and Digital Security

Siemens Energy

The energy sector is in the midst of a massive "supercycle," driven by a single, voracious consumer: the AI-driven data center. Beyond increasing demand, expansion is reshaping power systems. But it's also exposing a fundamental mismatch between the grid's current design and the unique, rigid demands of new infrastructure.

For an expert's take, we spoke with Leo Simonovich, the Vice President and Global Head of Industrial Cyber and Digital Security at Siemens Energy. Responsible for setting the strategic direction for the company’s industrial security business, Simonovich has a unique vantage point on these growing risks. From his perspective, the industry must fundamentally re-evaluate how it classifies these assets before insecure practices become entrenched.

"We must think of data centers as critical infrastructure," Simonovich says. "In just a few years, they will make up between 10 and 15 percent of the grid. And yet they're not being treated that way today." For many across the industry, the push toward greater connectivity stems from core business objectives: "operational efficiencies, new revenue models, and decarbonization."

  • The squirrel incident: But that pursuit of progress also contributes to an expanded attack surface. In the electric grid, "a single point of failure can have cascading effects," Simonovich notes, "as we've seen with past blackouts caused by a squirrel eating a line."

  • A tale of two grids: Now, that fragility is compounded by a misalignment between what data centers demand and what the grid can deliver, he explains. "An average U.S. customer sees about five hours of blackouts or outages a year. But a data center at level 4 reliability at 99.995% can only tolerate 5 to 8 minutes of outages a year."

But the dissolution of traditional silos between IT and OT creates a two-front war. On one side, a "brownfield" of legacy infrastructure running unpatchable systems like Windows 95 is being accessed by remote teams and third-party supply chains. On the other side is a "greenfield" of rapid expansion where security is often neglected.

  • A fundamental oversight: "With the speed at which big turbines are being purchased, and projects get underway, what is shocking is that security is an afterthought," Simonovich explains. The result is an industry that is effectively operating in the dark—the specific failure that led to the shutdown of the Colonial Pipeline.

To address this visibility gap, Simonovich advocates a "single pane of glass" that holistically monitors IT, OT, and building automation. AI adds to the cyber threat: by lowering the barrier to entry for attackers, it makes these complex environments easier for them to exploit. In response, Simonovich proposes a three-part framework.

  • Physics-aware monitoring: Also called "process security analytics," this approach combines physical asset data with network logs to provide context. It allows operators to distinguish between a true anomaly and a false alarm—knowing "what is truly anomalous and impactful to operations, and what is frankly noise because somebody forgot to turn on the VPN tunnel."

  • Simulation over discovery: Traditional "pen testing" (poking around to see what breaks) is impossible in a live data center environment, Simonovich says. "You need a different technique. Use a digital twin to replicate the infrastructure and then simulate attacks in that environment." This enables simulation-based threat modeling without risking downtime.

  • Systemic resilience: With more than half of operators experiencing at least one major cyber attack a year, the "CD in a vault" backup method is obsolete. The industry requires real-time backup and restore capabilities, supported by a "dedicated cloud environment specific to energy, with unique, DoD-like requirements."
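The physics-aware monitoring idea in the first point above, sketched as an added example that is not from the article or from Siemens Energy: each network alert is checked against the affected asset's process readings, and only alerts followed by a physical deviation are escalated. The asset names, readings, alert texts, window sizes and threshold are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed sample data (not from the article): process readings per asset
# as (minute, value), and network alerts as (minute, asset, description).
TELEMETRY = {
    # Chilled-water supply temperature, steady around 7.1 degrees C.
    "chiller-1": [(t, 7.0 + 0.1 * (t % 3)) for t in range(60)],
    # Turbine speed in rpm: steady until minute 41, then ramping away.
    "turbine-2": [(t, 3000 + (t % 2)) for t in range(42)]
                 + [(t, 3000 + 40 * (t - 41)) for t in range(42, 60)],
}
ALERTS = [
    (30, "chiller-1", "engineering login from outside the VPN range"),
    (40, "turbine-2", "controller write from a previously unseen host"),
    (45, "bms-gw-3", "new outbound connection"),  # asset with no process data
]

def process_deviation(series, at, baseline=30, window=10):
    """Largest z-score in the window after `at`, against the baseline before it."""
    before = [v for t, v in series if at - baseline <= t < at]
    after = [v for t, v in series if at <= t < at + window]
    if len(before) < 2 or not after:
        return None  # not enough physical data to judge this alert
    mu, sigma = mean(before), stdev(before)
    # Floor sigma so a perfectly flat baseline does not divide by zero.
    sigma = max(sigma, 1e-6 * max(abs(mu), 1.0))
    return max(abs(v - mu) / sigma for v in after)

def triage(alerts, telemetry, threshold=4.0):
    """Label each network alert using the physical behaviour of its asset."""
    results = []
    for minute, asset, desc in alerts:
        z = process_deviation(telemetry.get(asset, []), minute)
        if z is None:
            verdict = "no-process-data"   # visibility gap: review manually
        elif z >= threshold:
            verdict = "impactful"         # network event plus physical change
        else:
            verdict = "likely-noise"      # process unaffected, lower priority
        results.append((asset, desc, verdict))
    return results

if __name__ == "__main__":
    for row in triage(ALERTS, TELEMETRY):
        print(row)
```
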

Ultimately, with the physical infrastructure of the AI boom being poured today, the window to build that security in is closing fast. "It's much easier to build security in than to bolt it on," Simonovich concludes, "and it never works as well when it's bolted on."