In a recently published report, credit rating agency Moody’s said that global investment in data centers will surpass $3 trillion over the next five years, driven by AI capacity growth and hyperscaler demand. But as big tech companies, banks, and institutional investors pour capital into these infrastructure projects, data center developers and their financial sponsors cannot afford to underinvest in cybersecurity.
Summary
In a recently published report, credit rating agency Moody’s said that global investment in data centers will surpass $3 trillion over the next five years, driven by AI capacity growth and hyperscaler demand. But as big tech companies, banks, and institutional investors pour capital into these infrastructure projects, data center developers and their financial sponsors cannot afford to underinvest in cybersecurity. Data centers are no longer isolated real estate or IT assets; they are strategic, interconnected infrastructure supporting our manufacturing, national security, and communication systems. A disruption at the cyber layer, whether through ransomware, supply-chain compromise, or a targeted attack on operational technology (OT), can cascade well beyond a single facility.
Moody’s said that data center investments made by the six largest U.S. hyperscalers (cloud computing providers) — Microsoft Corp., Amazon.com Inc., Alphabet Inc., Oracle Corp., Meta Platforms Inc. and CoreWeave Inc. — approached $400 billion last year. The credit ratings firm anticipates that annual global investment into these infrastructure projects will grow by $200 billion over the next two years.
In a separate report published earlier this year, global real estate conglomerate Jones Lang LaSalle forecasted similar investment flows into data centers worldwide, projecting that “nearly 100 GW of new data centers will be added between 2026 and 2030, doubling global capacity.” JLL also said that this infrastructure investment “supercycle,” one of the largest in the modern era, will result in $1.2 trillion in real estate asset value creation and the need for roughly $870 billion of new debt financing.
Moreover, JLL forecasts that data center tenants will spend an additional $1 trillion-$2 trillion to upgrade GPUs and networking infrastructure. Fueling this infrastructure boom are the surging computing demands of the AI race. While AI only represented a quarter of data center workloads last year, JLL projects that figure will double to 50% of all data center workloads by 2030. On this note, the JLL report said “the interconnected nature of data centers means the AI-fueled expansion is reshaping a number of sectors including power, technology and real estate.”
Additionally, the “transition from AI training to inference will redistribute workloads from centralized clusters to distributed regional hubs, fundamentally altering capacity planning and geographic deployment strategies,” according to the JLL report. Amidst this data center boom, “energy infrastructure has emerged as the critical bottleneck constraining expansion,” JLL said.
The report also noted that “grid limitations now threaten to curtail growth trajectories, making behind-the-meter generation and integrated battery storage solutions essential pathways for sustainable scaling.” Taken in aggregate, these projections reveal that data centers now sit in the middle of institutional-scale capital outlays, mission-critical enterprise cloud and AI computing workloads, energy grid functionality, water consumption, and consumer power affordability. What is often underappreciated in this convergence is how fragile the operational balance has become.
Data centers are no longer isolated real estate or IT assets; they are strategic, interconnected infrastructure supporting our manufacturing, national security, and communication systems. A disruption at the cyber layer, whether through ransomware, supply-chain compromise, or a targeted attack on operational technology (OT), can cascade well beyond a single facility, rippling into grid stability, cloud service availability, downstream economic activity, and public safety.
As data centers become focal points of energy demand and digital dependency, their cybersecurity posture becomes inseparable from the resilience of the broader industrial and energy ecosystem that sustains them. For investors and stakeholders, this reality reframes cybersecurity from a discretionary operating cost into a foundational component of asset durability and risk management. Cybersecurity maturity now directly influences uptime guarantees, regulatory exposure, insurability, financing terms, and long-term valuation.
With that context established, the following sections will explore where the most significant cybersecurity risks are emerging, and how data center operators and their financial backers should be responding. Specifically, we will elaborate on data center-grid convergence hazards, the criticality of supply-chain risk management, and secure-by-design architecture considerations that engineering stakeholders should take into account.
The Data Center-Grid Convergence
The cybersecurity challenge facing the data center supercycle stems from the way these campuses are becoming tightly coupled with both the public power grid and their own industrial control systems. This dynamic threatens to transform what used to be isolated IT outages into events that can ripple across multiple organizations and infrastructures to devastating effect. As hyperscale and AI-optimized facilities proliferate, their need for constant, high-quality electricity increasingly shapes grid planning and reliability, and large campuses start to function less like traditional real estate and more like critical energy infrastructure nodes.
This shift is happening just as grid headroom is tightening. The North American Electric Reliability Corporation (NERC) has warned that the outlook for electric grid reliability is worsening, with demand from new data centers and other large loads expected to outpace energy supply growth in the years ahead. In other words, a cyber incident that trips a major data center, disrupts its behind-the-meter generation, or degrades its industrial control systems is no longer just a facility-level problem; it can propagate into regional reliability, contract penalties, and even broader economic disruption.
At the same time, the OT fabric that keeps these sites running (e.g. building and energy management systems, cooling and environmental controls, and battery and generator management) creates a dense layer of cyber-physical exposure that adversaries can exploit or that system errors can aggravate. Global insurer Marsh notes that data centers depend on OT systems such as energy management and building management systems to regulate power, temperature, and access, and that events in these systems, whether from human error or cyberattack, can cause physical damage and significant business interruption.
Despite no evidence of adversarial cyber interference, the 2021 OVHcloud data center fire in Strasbourg, France destroyed an entire facility and disrupted services for thousands of customers across Europe. This incident illustrated how failures in fire protection and related cooling systems can rapidly escalate into catastrophic loss. In modern campuses, those safety functions are orchestrated through interconnected and increasingly remote-access-enabled OT systems that must be engineered, monitored, and secured with the same rigor as the servers they protect.
The modern convergence of IT, OT, remote access, automated systems and grid-facing assets means data centers are now embedded in a wider net where cyber risk can metastasize into outages and real-world asset damage, with cascading impacts on critical services that rely on their uptime. Therefore, secure-by-design architectures for both the grid-side interface and on-site OT are not optional hardening measures but prerequisites for keeping a rapidly expanding and increasingly fragile energy–data infrastructure from becoming a converged point of failure.
Supply-Chain Integrity First
Underpinning this convergence is the less visible but equally critical foundation of hardware and supply-chain integrity. AI-optimized campuses will depend on massive volumes of GPUs, high-density servers, network appliances, OT controllers, and edge devices, many of which are designed, manufactured, or assembled in jurisdictions that sit at the center of great-power competition.
Reports have warned that critical data center components are often mostly or exclusively built in China, raising the risk that state-aligned actors could introduce backdoors, malicious firmware, or simply weaponize delivery timelines to create strategic outages. For developers and operators, secure-by-design now has to start at procurement. Overall, security-conscious procurement entails the enforcement of stringent vendor due diligence, diversifying away from single-country choke points, validating hardware and firmware before deployment, and aligning sourcing strategies with evolving export controls and national-security guidance on high-risk equipment.
At scale, this means treating the bill of materials (BoM) for a modern data center like a living threat surface, not a static spreadsheet. Builders need traceability from chip and board manufacture through integration, shipping, and installation, with controls such as approved vendor lists, tamper-evident logistics, and mandatory firmware attestation before devices are allowed onto sensitive OT or AI clusters.
Procurement teams should have escalation paths when they encounter opaque supply chains, unexplained cost deltas, or “gray-market” alternatives for constrained components, and they need playbooks for rapidly substituting vendors when geopolitical shocks, sanctions, or export controls suddenly make a product line unacceptable.
Just as importantly, governance around supply-chain risk must be elevated to the same level as power, cooling, and uptime guarantees in contracts with hyperscalers and large tenants. Secure-by-design campuses will embed requirements for hardware provenance, firmware update hygiene, and ongoing vulnerability disclosure into master service agreements and construction/operations contracts, with clear accountability for remediation when a supplier is implicated in espionage or sabotage activity.
In a world where nation-state rivalries can play out through subtle manipulations of hardware, code, or timing rather than overt attacks, data center sponsors who cannot prove supply-chain integrity will face growing pressure from regulators, insurers, and investors who increasingly see hardware trust as a prerequisite for the resilience of AI and cloud infrastructure.
Engineering Campuses that Are Secure by Design
Once component hardware has been vetted, engineering campuses that are secure by design begins with assuming adversaries will first target internet-exposed and OT edge devices. From there, security architects must design an environment that makes it difficult for any foothold at the edge to be leveraged by attackers to effect a grid-scale disruption or safety-critical failure.
As geopolitically motivated campaigns against energy infrastructure accelerate, including recent Russia-nexus attacks on the Polish power system and Romania’s national oil pipeline operator, it is increasingly clear that both state-linked and criminal groups see energy and digital infrastructure as leverage points in a wider contest. In Poland last December, actors linked to the Russia-sponsored Sandworm advanced persistent threat group (APT) focused on the distributed edge of the grid, compromising remote terminal units (RTUs), firewalls, and communications gateways at substations and distributed energy facilities.
This precedent-setting cyberattack—the first to directly target distributed energy resources in a NATO member’s power system—is indicative of the current threat landscape for Western critical infrastructure. For defenders, Sandworm’s campaign underscores how fragile edge devices are and how vital it is to harden the gateways that sit at the OT boundary. From an engineering standpoint, the first pillar of secure by design in data center campuses is disciplined network segmentation that treats OT as a distinct, high-consequence domain rather than an extension of corporate IT.
OT networks should be carved into functional and geographic zones. In practice, these zones should separate, for example, building management from generator controls, from battery systems, from grid-interconnection protection, with tightly controlled conduits between them. These zones should also be enforced by OT-aware firewalls and protocol-constrained paths that allow only the specific traffic required for operations.
Within this model, hardware-enforced unidirectional gateways and data diodes offer uniquely risk-adjusted protection at key boundaries. By allowing telemetry and process data to flow outward from OT to IT and monitoring systems while physically blocking any return path, data diodes, in particular, sharply reduce the chances that a web-based intrusion or enterprise IT admin compromise can be leveraged to effect an OT cyber disaster.
In practice, this means placing data diodes at the key demarcation points—between the data center’s OT and corporate IT, between on-site generation controls and the broader campus, and at interfaces with utility systems—so operators preserve visibility into power, cooling, and safety systems without exposing those domains to bidirectional network risk.
A second foundational element of secure-by-design campuses is a clear, continuously maintained OT asset inventory that captures every PLC, RTU, relay, drive, building controller, gateway, sensor, and engineering workstation, along with its network location, firmware version, vendor, and criticality. Effective segmentation and defensible architecture depend on knowing what you have and how it communicates.
Data center operators cannot isolate critical power and cooling functions, or confidently place diodes and firewalls, if they do not understand which devices participate in those functions and which paths they rely on. For data centers that increasingly blend traditional industrial equipment with dense building-automation and smart-edge devices, this inventory must fully cover the same class of gateways and field devices that were abused in the Polish grid attack, because those are often the first points adversaries probe.
When asset inventories are linked to configuration and vulnerability management, operators can quickly identify exposed OT devices when new flaws are disclosed, locate high-risk remote access paths, and prioritize segments for additional hardening, monitoring, or unidirectional enforcement.
Beyond segmentation and inventory, secure-by-design engineering must also account for the increasing implementation of remote access gateways and the mass-automation of industrial functions within data centers. In practice, this requires treating every orchestration platform, management API, and remote session as a potential high-impact control path. Furthermore, this approach entails consolidating OT access through hardened jump hosts with strong authentication and just-in-time privileges; sharply limiting what automation tools and bots are allowed to change on OT networks.
This framework also demands the enforcement of strict segregation between automation platforms and safety-critical or protection functions. Operationally, it means continuously monitoring automated and remote actions (with human-in-the-loop checks for high-risk operations) and hardening configuration-management workflows so that ‘infrastructure as code’ for OT cannot be silently tampered with or abused at scale.
Lastly, secure-by-design systems architecture demands OT-aware visibility that can actually see and understand what is happening on control networks, rather than treating them as opaque black boxes. That means instrumenting OT segments with monitoring tuned to industrial protocols and behaviors, correlating alerts with asset context, and wiring those insights into playbooks that can quickly isolate, triage, and, when needed, physically replace compromised edge devices before an intrusion escalates into an operational incident.
Safeguarding the Supercycle
Taken together, the threat modeling, procurement, and design best practices detailed in this blog do more than reduce cyber risk in the abstract: they directly constrain the blast radius of the kinds of geopolitically charged campaigns that increasingly threaten data center reliability and campus safety.
This guidance arms data center developers, operators, and investors with a concrete, systems-level blueprint for building AI-era campuses that remain resilient even as the surrounding energy and threat landscape becomes more contested and unforgiving.
For banks and institutional sponsors, the numbers behind the data center supercycle are both compelling and uncompromising: trillions of dollars in construction, fit-out, and power capacity are being deployed on the assumption that AI demand will translate into durable, high-availability cash flows.
Through this lens, underinvesting in cybersecurity is not a marginal operational risk but a direct threat to covenants, refinancing options, insurance coverage, and ultimately asset valuation when outages, safety incidents, or regulatory findings undermine the investment thesis. Given the inevitability of refinancing initiatives that will be needed to support these projects, the campuses that will command the lowest cost of capital over the next decade will be those that can credibly demonstrate secure-by-design architectures.
The most bankable data center developments will be those that can prove campus-wide OT governance, and defensible supply-chain practices, not just impressive power usage efficiency (PUE) metrics and fast build schedules. The next phase of this supercycle will only raise the stakes. As developers and utilities explore pairing energy-hungry data centers with small modular reactors (SMRs) and other non-traditional generation, the security and risk profile of these campuses will begin to converge with that of nuclear and high-hazard industrial facilities, bringing new regulatory expectations and adversary interest.
In InfraShield’s next blog, we will examine how SMR–data center co-location changes the threat model, how the definition of “secure by design” shifts when nuclear systems sit alongside AI clusters, and how operators, investors, and regulators should rethink resilience when compute and generation become an integrated asset.
About the Author: Jeffrey Knight is Director of Global Critical Infrastructure Services at InfraShield. Jeff brings more than 35 years of experience in nuclear engineering and cybersecurity across the Department of Defense (DoD), SWIFT, the NRC, and the Department of Energy (DOE) National Laboratory complex.
Follow us on LinkedIn:
An alternative version of this blog was recently published in CyberScoop:
