"It's not enough to secure the cooling infrastructure, the building automation system, or the networks. You also have to secure the operational technology that's right next door, because many of these assets are connected to one another and could potentially be the jumping-off point to cause disruption."
Leo Simonovich
VP & Global Head of Industrial Cyber and Digital Security
Siemens Energy

Data centers are the engine of today's digital economy, and their power consumption is climbing sharply as compute demands associated with artificial intelligence accelerate. Global data center electricity consumption soared by 17% in 2025 alone and is projected to roughly double to 950 terawatt-hours by 2030, according to the IEA. That growth is creating a parallel construction boom in energy infrastructure, carrying with it a set of cybersecurity risks the industry has been slow to address.

Leo Simonovich, Vice President and Global Head of Industrial Cyber and Digital Security at Siemens Energy, has spent nearly two decades working at the intersection of operational technology and cybersecurity. He leads the company’s efforts on industrial cybersecurity, including energy infrastructure and its recent AI-driven boom. To Simonovich, the AI boom is accelerating the convergence between the IT world of corporate networks and the OT world of physical equipment, and the security conversation has not kept up.

Much of the current buildout is happening behind the meter, with facilities generating their own power on-site rather than drawing from the traditional grid. In these settings, no existing regulatory regime mandates a cybersecurity baseline. "When you talk to folks that are the offtakers and consumers of artificial intelligence and cloud, they think that data centers are, frankly, building envelopes that look like warehouses," Simonovich said. "They often don't think of them as having a power plant right next door."

  • The warehouse illusion: The disconnect between how data centers are perceived and how they actually function is at the heart of the security gap. Frontier AI labs and hyperscalers talk in megawatts. They understand the energy dependency. Power outages remain the leading cause of impactful data center downtime, accounting for 45% of incidents. But the fragmented ecosystem of construction firms, equipment suppliers, project owners, and operators means no single party sees the full picture. "They each think about their own piece of the puzzle," Simonovich said. "And we need to think of security more holistically, because connectivity is a lot more holistic in nature as well."

  • The ownership vacuum: Without a single party responsible for end-to-end security, hybrid data center and energy environments become difficult to defend. "Is it the folks that are doing the project to build the data center? Is it the folks that are going to operate it? Is it ultimately the offtaker? Is it all three?" Simonovich asked. "And how do we recognize that risk?" The answer, in most cases, is that no one has full visibility into how the system behaves as a whole.

The physical exposure is compounded by the convergence of IT and OT environments. As these worlds come together, a cyberattack against one part of the system can cascade into the other. "It's not enough to secure the cooling infrastructure, the building automation system, or the networks. You also have to secure the operational technology that's right next door, because many of these assets are connected to one another and could potentially be the jumping-off point to cause disruption," Simonovich said.

  • Start with risk, not compliance: For organizations, the instinct is often to anchor security planning in whatever regulatory requirements apply. Simonovich argues that's the wrong starting point. "Our experience has been that compliance and risk are often not the same thing," he said. "You have to start with a risk-based approach no matter what you do." That approach needs to account for the systemic nature of what is being built, the downstream effects of an incident, and the long tail of maintaining these assets over time. In an environment where the regulatory picture remains fragmented and behind-the-meter facilities sit outside traditional grid-level oversight, waiting for mandates means accepting exposure by default.

  • Visibility before everything else: Traditional network monitoring in OT environments often functions as a lagging indicator, alerting defenders only after an attacker has already reached the physical equipment. "By the time you see the anomalies in the network, it's oftentimes too late because somebody's already inside your production environment," Simonovich said. His team at Siemens Energy uses an approach he calls "process security analytics," which combines visibility into how control systems and physical assets behave with how network traffic and commands flow. The goal is to correlate activity across both layers so that threats surface before they manifest as production failures, rather than after.

Simonovich's framework for closing these gaps runs across the full lifecycle of a data center, from initial design through construction and into ongoing operations. A core principle is that security posture will degrade over time, and any approach that treats go-live as the finish line will fall short.

  • Design for the whole campus: Before construction begins, project stakeholders need to align on a unified security blueprint that spans both the data center and the adjacent power infrastructure. "In the design phase, it's important for whoever is doing the building to take a step back," Simonovich said. "Let's build the security blueprint that looks across the building side and the power plant side." That means defining the level of protection across building systems and energy generation assets together, not planning them in parallel. Defense in depth starts here, with strict network segmentation to prevent lateral movement. Simonovich pointed to real-world attacks where an intruder gained access through an HVAC system or smart meter and ultimately obtained credentials for IT infrastructure. Flat networks make that progression trivial.

  • Assume the build phase will erode your baseline: Construction timelines for major data center projects run one to three years. "There's a recognition that it takes one to three years and lots of things can happen around that time," Simonovich said. "Security posture is going to degrade over time." New vulnerabilities surface, novel attack methods emerge, and manufacturers find weaknesses in equipment that may already be installed. Gap assessments and penetration testing during the build phase are essential to catch the drift.

  • Monitor what matters in operations: Once a facility goes live, continuous monitoring becomes the primary mechanism for understanding how risk evolves. But Simonovich argues that conventional network monitoring alone leaves defenders a step behind. "It's not enough to look at network data or traditional IT data flows. You actually have to look at the impacts on production of energy," he said. "We have to look at two sides of the equation. One is how assets and control systems behave. On the other hand, how networks behave and how commands on one lead to impact on the other." His team's process security analytics methodology builds on that correlation, allowing defenders to identify the alerts that demand immediate action and filter out the noise.
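The two-layer correlation described above, shown as an added example (this is not Siemens Energy's methodology or code): process deviations are joined to preceding control writes on the same asset, and each writer is checked against an allowlist. Host names, asset names, the 120-second window and the priority labels are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed look-back from a process deviation to a command

# Constructed sample data; hosts, assets and signals are hypothetical.
AUTHORISED_WRITERS = {"turbine-ctl-1": {"eng-ws-01"}, "chiller-plc-2": {"bms-srv-01"}}
NETWORK_EVENTS = [  # control-protocol operations as seen by a passive network sensor
    {"ts": "2025-03-01T10:00:05", "src": "eng-ws-01", "asset": "turbine-ctl-1", "op": "write"},
    {"ts": "2025-03-01T10:14:40", "src": "hvac-gw-07", "asset": "chiller-plc-2", "op": "write"},
    {"ts": "2025-03-01T10:30:00", "src": "hvac-gw-07", "asset": "turbine-ctl-1", "op": "write"},
]
PROCESS_ANOMALIES = [  # deviations reported by the process/asset layer
    {"ts": "2025-03-01T10:01:00", "asset": "turbine-ctl-1", "signal": "speed_setpoint"},
    {"ts": "2025-03-01T10:15:30", "asset": "chiller-plc-2", "signal": "supply_temp"},
    {"ts": "2025-03-01T10:45:00", "asset": "chiller-plc-2", "signal": "flow_rate"},
]

def _t(s):
    return datetime.fromisoformat(s)

def correlate(network_events, anomalies, authorised, window=WINDOW):
    """Join both layers and return (priority, asset, reason) findings."""
    writes = [e for e in network_events if e["op"] == "write"]
    findings, explained = [], set()
    for a in anomalies:
        # Writes to the same asset that landed inside the look-back window.
        prior = [i for i, w in enumerate(writes) if w["asset"] == a["asset"]
                 and timedelta(0) <= _t(a["ts"]) - _t(w["ts"]) <= window]
        explained.update(prior)
        rogue = [writes[i]["src"] for i in prior
                 if writes[i]["src"] not in authorised.get(a["asset"], set())]
        if rogue:
            findings.append(("act-now", a["asset"], f"{a['signal']} deviated after write from {rogue[0]}"))
        elif prior:
            findings.append(("review", a["asset"], f"{a['signal']} deviated after authorised write"))
        else:
            findings.append(("process-only", a["asset"], f"{a['signal']} deviated with no preceding write"))
    # Unauthorised writes with no process effect yet: the early-warning case.
    for i, w in enumerate(writes):
        if i not in explained and w["src"] not in authorised.get(w["asset"], set()):
            findings.append(("investigate", w["asset"], f"unauthorised write from {w['src']}, no deviation yet"))
    return findings

if __name__ == "__main__":
    for f in correlate(NETWORK_EVENTS, PROCESS_ANOMALIES, AUTHORISED_WRITERS):
        print(*f, sep=" | ")
```

Network data alone would raise both `hvac-gw-07` writes equally, and process data alone would raise all three deviations equally; the join is what separates the single act-now finding from the rest.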

Much of the data center buildout is being driven by AI demand, but Simonovich believes the same technology is becoming a meaningful part of the defensive toolkit, particularly in operational technology environments where adoption has lagged behind IT. The conversation about AI-powered security has mostly taken place in the IT space. In OT, where the stakes involve physical equipment and energy production, defenders have been slower to adopt.

"A good first step in the visibility equation is to actually make better sense of the anomalies and the threats, contextualize those using artificial intelligence," Simonovich said. "What AI is really good at is being able to connect the pieces of the puzzle between what happens around the turbine or the asset, what happens around the process, and what happens around the network." For CISOs managing expanding hybrid perimeters, the challenge is operating across regulatory uncertainty, rapid technology change, and threats that grow more sophisticated by the quarter. Getting a unified view across those fronts is what separates reactive security from the kind that can actually get ahead. "What I want CISOs to recognize is that there's a set of tools available today in the OT space to help the defenders get the advantage," he said.