The Hidden Risk for Data Centers That No One is Talking About
September 01, 2025
The AI revolution has triggered a global rush to build new data centers. With power demands expected to double by 2030, meeting this surge will require an additional 945 terawatt-hours of capacity—roughly equal to Japan’s electricity use today.[1] This unprecedented demand is fueling what could be a $1 trillion-a-year infrastructure boom before the decade is out, and investors are rushing to stake their claim.
The opportunity is undeniable. Data centers have become the backbone of the digital economy, supporting everything from cloud storage to AI training. In prime markets, data center vacancy rates are below 2%, and wholesale rents have climbed more than 50% since 2021.[2,3] But the same pressures driving this growth—infrastructure constraints and technical complexities, both of which are compounded by the race to scale—also magnify the risks.
Investors face five-to-seven-year timelines to realize returns, yet securing adequate power connections can take three years and construction another 18 to 24 months before the first switch is flipped. In that compressed timeframe, a single disruption—whether from a power shortage, cybersecurity incident, or supply chain delay—can derail the investment case.
This is the first article in a series on the major risks facing large-scale data center developments. Power constraints, supply chain pressures, and shortages of skilled workers all merit attention. But one threat, sometimes underestimated until it’s too late, cuts across all the others: the threat of cyber attacks.
Cybersecurity as the New Reliability
In the data center sector, reliability has always been viewed as an engineering issue, solved through redundant power feeds, backup generators, and cooling systems. But as operational technology becomes increasingly network-connected, reliability depends as much on cybersecurity as on mechanical design. The difference between delivering the 99.9995% uptime that customers demand from Tier 4 centers and suffering a catastrophic outage may come down to how well a facility defends the systems that keep it running.
The stakes are even higher for AI workloads, which require 100% uptime. The chipsets, or GPUs, that drive AI’s massive calculations can overheat and fail within seconds if cooling is interrupted. A cyber attack on supervisory controls could trigger such a failure in an instant—overriding safety protocols, cutting generators, or manipulating chiller setpoints to induce overheating. In healthcare, the result could be surgeries disrupted mid-procedure by the loss of real-time imaging; in finance, trades frozen mid-session; in defense, mission-critical communications disabled.
The complexity that enables uptime can also be its weak point. Liquid cooling—essential in dense AI clusters because air systems can’t dissipate the heat of tightly packed GPUs—solves the thermal problem but introduces new risks. AI-driven facility management can improve efficiency but, if corrupted, could be turned against the very systems it oversees. In the end, automation is a double-edged sword that can deliver reliability—or weaponize it.
Investors’ due diligence must now consider cyber resilience as part of reliability. It’s no longer enough to verify Tier 4 certification or inspect redundancy diagrams. Assessments must examine whether—and how—control systems are separated from outside networks, how often they are tested against modern attack scenarios, and how quickly operators can detect and respond to an incident.
The best-run facilities are moving from annual, compliance-focused security testing to continuous, adaptive stress testing—often using multiple independent providers to prevent threat actors from spotting predictable patterns. These facilities integrate operating teams and IT security teams so a breach in one domain cannot cascade into the other. They design human-machine workbenches that give operators real-time insight into both operating status and cybersecurity posture. These facilities don’t just promise more uptime—they build resilience against the full spectrum of threats that can take a modern data center down.
The Cybersecurity Blind Spot
The most insidious dangers are those that strike remotely, exploiting the systems that control power, temperature, and access. In a world where data centers support critical infrastructure, an incident could affect everything from defense networks to consumer banking and many other critical applications we take for granted.
Modern data centers are marvels of automation, often run from remote control centers linked by complex networks. The classic line about future factories being staffed by a man and a dog—the man to feed the dog, the dog to keep the man from tinkering—has come true. Walk through a 4-megawatt section of a larger complex, and you might find it almost deserted. Power distribution, cooling, and security are all managed through interconnected systems. This is operational technology today, where supervisory controls run massive industrial processes. They’re also prime targets for adversaries.
History is replete with worst-case scenarios. The Stuxnet attack on Iranian nuclear facilities, the Ukrainian power grid breach, and the Triton malware incident at a Saudi petrochemical plant all targeted operational technology with devastating effects.[4,5,6] Although there are no reported cases of such an event at a data center, a similar incident could be used to create power surges or overheating that fry GPUs—components so sensitive that they tolerate no downtime.
The threats are changing, too. As AI takes on more facility management, its algorithms become another entry point for threat actors to exploit. If corrupted, the same AI that optimizes performance could just as easily sabotage it.
While major cybersecurity incidents at data centers are still rare—and even then, underreported—the risk is growing as operators expand into new geographies. Current safeguards like stress tests are essential but insufficient. A single, predictable test from the same vendor each year can give a false sense of security in a threat environment that changes daily.
What’s more, not all stress tests are equal. Some focus on compliance—verifying uptime or bandwidth guarantees—while others push systems to failure to find hidden flaws. Leading operators rotate test providers, simulate hybrid physical-cyber attacks, and train staff to treat anomalies as potential intrusions, not glitches.
What Investors Should Require
For investors, conducting due diligence on a data center’s cybersecurity profile is no longer a compliance checklist. The right questions go beyond uptime guarantees and certifications to include:
- How frequently are cybersecurity assessments performed? And are they conducted by multiple providers? With global tensions heightening cyber risks, facilities in emerging regions like the Middle East or smaller U.S. states may require more frequent, rotating evaluations from diverse experts.
- Are the operational systems physically (“air-gapped”) and digitally sealed off from the internet? This would make remote hacking much harder.
- What is the response plan for a suspected cyber intrusion? A fast, disciplined response can be the difference between a blip and a multimillion-dollar outage.
- How is AI managed, and what safeguards protect it from manipulation? Without guardrails, the same AI that optimizes efficiency could be weaponized to take a facility down.
Facilities that can answer these questions aren’t just promising uptime—they’re promising resilience. Those that can’t are betting on hope, not on defense.
More than Real Estate with Servers
The data center investment boom is real, driven by the insatiable demand for AI computing power and digital-led transformations. But beneath the surface lie risks that can upend the best-laid plans. The winners will be those who recognize that data centers are not just real estate with servers, but complex operational systems requiring sophisticated protection. By factoring cyber threats into their due diligence, investors can share in the upside of the AI era while potentially avoiding many pitfalls that can turn opportunity into regret.
Footnotes:
1: Franke, Andreas, “Global data center power demand to double by 2030 on AI surge: IEA,” S&P Global, (April 10, 2025).
2: “North America Data Center Trends H1 2025: AI & Hyperscaler Demand Lead to Record-Low Vacancy,” CBRE, (August 19, 2025).
3: “Data Center Asking Rents Surged as Much as 54% Over Eight Months,” CBRE, (March 28, 2024).
4: Kushner, David, “The Real Story of Stuxnet,” IEEE Spectrum, (February 26, 2013).
5: Bock, Patrice, et al., “Ukrainian power grids cyberattack,” International Society of Automation, (March/April 2017).
6: Perlroth, Nicole, and Clifford Krauss, “A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try,” New York Times, (March 15, 2018).