AI demand and net-zero ambitions are combining to fuel increased interest in new nuclear and other forms of low-carbon electricity generation. Big tech companies are investing in small modular reactors (SMRs) and even exploring recommissioning old nuclear power stations. Large new nuclear power stations continue to be constructed.
At the same time, energy networks are being targeted by state actors as part of hybrid warfare and sub-threshold disruption campaigns that are below the threshold for an active state of war to exist, also known as “grey zone” activities. Data centres supporting AI are normally highly resilient, designed to operate for extended periods without power from the grid. However, targeted physical and cyber-physical attacks on energy infrastructure could challenge this resilience. Assessment of the most serious national-level risks offers interesting context but is limited as a reference point for private sector operators. Systemic risks are not fully understood. Innovation that produces efficiencies may also offer attractive new targets for adversaries. Resilience regulation has evolved to acknowledge not just the physical aspects of cybersecurity but also direct sabotage, requiring operators to better understand physical risks to their assets and develop mitigation plans. Whatever national or regional rules apply, private sector organisations need a coherent approach.
How should we think about high-impact, low-probability risks from targeted threats affecting critical infrastructure services? How can we better understand systemic risk across cyber and physical domains? How do we convert postulated strategic risk into prioritised actions?
Going beyond compliance
Interpretation and compliance with regulations like the EU’s Network and Information Systems Directive (NIS2) and Critical Entities Resilience Directive (due to come into effect for designated critical entities, including the energy and digital infrastructure sectors, in July 2026) is a start, but operators need to plan beyond mere compliance. Because impacts go beyond individual enterprises, public and private sectors must enhance their coordination to coherently knit together national-level strategic risks and operational-level risks. Over the last 20 years, security cooperation between asset operators and national technical authorities and regulators has evolved – this must now include co-operation between subject matter experts and the military. Using high-level risk registers as a starting point, then drilling down to plausible scenarios applicable to operators, can flush out actionable decisions that address risk. Modern data science can be used to elucidate complex systemic risks at scale. At an operational level, cyber risk quantification and physical risk quantification can be used to measure risk, including financial impacts, with more confidence, enabling better mitigation options.
Power hungry data centres
The UN’s International Energy Agency (IEA) stated in its 2024 World Energy Outlook that “a substantial increase in electricity consumption from data centres appears inevitable.” In the UK, around 500 data centres currently consume 2.5% of all electricity. In Ireland, the figure is 21%. Those figures are projected to reach 6% and 30% respectively by 2030. In the US, the figures are estimated to grow from 4% in 2024 to between 4.6% and 9.1%. High loads are required for both cooling and computation, for example generative AI searches use 10 times more power than normal Google searches. Despite gains in efficiency over the last decade, these more active servers demand substantial cooling. And, of course, more people and technologies are using AI, so we need more data centre capacity. The IEA reported the average increase in installed servers was 4% per year from 2010 to 2020, but since 2020 this could be up to around 15% per year. However, from a security and resilience perspective, the concentration of data centres within national electricity grids poses a more relevant challenge. US data centres are highly concentrated regionally, for example in Virginia.
Low-carbon needs
Data centres are under pressure to reduce carbon footprints by using low-carbon sources. Every big tech company has made a commitment to net zero ambitions. Nuclear continues to provide low-carbon “firm” load to the grid, with new nuclear projects backfilling nuclear plants that are nearing their end-of-life. In the UK nuclear new builds include Hinkley Point C and Sizewell C. Globally, there is increasing interest in SMRs to provide reliable low-carbon generation for data centre hubs. Nuclear is a good option for data centres because it supplies reliable baseload and is highly resilient and secure by design, due to stringent nuclear safety and security requirements. Amazon Web Services chief executive Matt Garman recently cited nuclear power as a “great solution” to data centre needs and “an excellent source of zero-carbon, 24/7 power.” This seems like a sensible partnership for data centres, which are also designed to be extremely resilient (driven by high availability requirements). However, nuclear power stations take time to build, partly because of those same stringent safety and security requirements.
Data and electricity interconnectors can increase overall resilience and help keep up with demand. For offshore generation, offshore hybrid assets (OHAs) can provide more efficient connections from multiple sources. However, the benefit of connecting energy networks is balanced by the potential vulnerabilities of single-node targets for adversaries.
National-level risks, the UK example
The UK government publishes a National Risk Register (NRR), which is a public-facing version of a non-public National Security Risk Assessment. Like all risk registers, especially ones that translate to a 5×5 matrix, it needs to be understood in context. As a strategic overview with very broad scope, it is not a detailed decision support tool, and – unlike its classified cousin, which is continuously updated – it has only been published publicly twice: once in 2023 and again in January 2025. Out of the 89 risks it describes, only a very few moved at all from 2023 to 2025. But it’s still good to know what types of risk government worries about and that may be a starting point for scenario planning. The register identifies a selection of big-ticket items that should at least give pause for thought. Examples of these risk’s include:
- Failure of National Electricity Transmission System (NETS) (any cause)
- Regional Failure of Electricity Network (any cause)
- Conventional or Cyber attacks on infrastructure (including electricity, gas, civil nuclear or fuel supply)
Systemic risk and sabotage
While there is a danger of assigning too much precision to strategic risks, there is also peril in not being precise enough about operational risks that can contribute to systemic failure. Low-carbon energy sources and increased interconnection are valuable ways of meeting AI power needs with net-zero ambitions. However, these approaches may inadvertently create vulnerabilities and offer attractive opportunities for adversaries who may be willing to use physical and cyber means to disrupt essential services. The interconnected nature of these risks is recognised by governments, exemplified by resilience-focused legislation. The private sector’s control of most aspects of critical national infrastructure in the face of state-sponsored sabotage techniques means that private-public collaboration efforts must operate on all levels, from the strategic to the tactical. Users and typical low-carbon generation components include:
- Data Centres: Data centres are generally both highly secure and highly resilient by design. A core design principle is that grid power should not be relied upon; therefore, in theory AI applications can continue to be powered continuously if an uninterruptible power supply is in place and there is fuel and oil for the generators. And even then, multiple data connections mean that critical applications don’t rely on a single data centre. This generally makes for a low return on risk investment for adversaries for a single act of physical sabotage.
- Large new nuclear or recommissioned nuclear: From a security and resilience perspective, civil nuclear power is very mature. State-agreed design basis threat (DBT) assessments express government risk appetite and drive physical protective security measures. Security planning and operations are well resourced, normally including on-site armed response capabilities. Security and safety work hand-in-hand, and both are highly regulated. However, recommissioned nuclear power stations like Three Mile Island may have legacy issues where protective security addressing modern threats must be layered onto older infrastructure.
- Small Modular Reactors: SMRs are advanced nuclear reactors that have a power-generating capacity of up to 300 MWe per unit, about one-third of traditional nuclear power reactors. SMRs co-located within large data centre complexes are being considered for future on-site, reliable generation capability. Like their larger cousins, SMRs are also subject to national nuclear security regulations, which set a very high bar. SMR engineering advances in passive safety could reduce the potential for unacceptable radiological consequences to occur, no matter what the initiating event, whether fault or malicious action. The size and other design aspects of SMRs – for example, if they are underground or even underwater, with limited access – may also require fewer on-site security resources, easing cost burden. However, if the adversary aim is to curtail electricity generation, rather than cause a nuclear safety issue, SMRs may offer different opportunities for sabotage. The fear and anxiety in the general population associated with any attack on a civil nuclear site, and the potential curtailing of SMR programmes, could be just as damaging as actual loss of generation.
- Renewables (wind and solar): The wide area characteristic and multiplicity of individual units may seem to spread the risk of sabotage. However, many renewable units are centrally controlled by operational technology, which is vulnerable to sabotage, especially if access control to physical components is poor. Another issue is supply chain vulnerabilities. Some components of turbines are only produced by a handful of suppliers. Photovoltaic solar panels rely on inverters, the loss or malfunction of which can result in sudden loss of supply. In May 2025, Chinese-made “kill switches” were found in US solar farms, prompting immediate government response. This was not long after a massive countrywide electricity outage in Spain, likely caused by a sudden loss of solar-generated power.
- Offshore Hybrid Assets (OHAs): Efficiencies can be derived from connecting multiple offshore assets to one node (an OHA), effectively creating a network that can also act as an interconnector. However, mastering complexity and cost by creating nodes can also concentrate risk. Again, this may be controllable when faults and hazards are assessed as part of safety and reliability design, but targeted kinetic or cyberattack may result in different and unexpected outcomes.
- Battery storage: These assets are increasingly important for grid frequency stability, as fewer generation assets with rotational parts, and therefore inertia, are available. On the downside, new BESS are being built quickly and are arguably more vulnerable to sabotage than big traditional power stations.
- Transmission and Distribution: The fire at the North Hyde substation in March 2025 proved two things. First, critical national infrastructure hubs (in this case, Heathrow Airport) could be vulnerable to rare but essentially single-point failures of this scale. Second, data centres connected to the same hub managed to operate as if nothing had happened, due to their built-in power resilience. In May 2025 fires at electricity substations in Nice and Cannes, France, were understood to be started deliberately by single-issue groups, causing significant disruption. Arson is known to be a favoured tactic for hybrid warfare operators, and electricity substations are an obvious target.
- Electricity interconnectors: A more integrated energy system and less reliance on Russian gas in Europe mean that the number of electricity interconnectors is increasing, and these interconnectors are required for data centre operations and planning. They also represent targets for both maritime and land-based sabotage – all interconnectors require a converter station at each end, also controlling flow via operational technology. Redundancy and separation help, but some countries rely more on imported electricity than others, and some geographies have less concentrated undersea cables than others.
- Data interconnectors: Like their electricity cousins, data interconnectors are increasingly at risk from sabotage when run along the seabed. Separation and redundancy help, of course, but this works better as an engineering risk response than as a security strategy.
Government responses
- Defence and National Security: In the maritime environment, there is a clear need for state intervention to protect critical infrastructure. For example, NATO’s Baltic Sentry operation was in direct response to multiple instances of subsea infrastructure damage, likely part of state-sponsored sub-threshold disruption campaigns. NATO doctrine highlights the need for increased cooperation between infrastructure operators and the military. The UK’s June 2025 Strategic Defence Review (SDR) calls this need out and signposts the need for further work in this area. This will require a new mindset across governments, militaries, private sector operators and regulators. Accompanying the SDR, the UK’s National Security Strategy 2025 also highlights a connection between hostile state activities and critical national infrastructure.
- Regulation: In the US, the Federal Energy Regulation Commission has ordered a refinement of the Critical Infrastructure Protection standard for physical security of the bulk power system, due to evolution of threat. In the EU, the overall regulatory approach is chiefly described in the Critical Entities Resilience Directive (CER), which adopts an “any cause” approach but specifically calls out sabotage and hybrid warfare as threats, acknowledging that physical threats require risk assessment and mitigation alongside approaches for resilience against cyberattack, like NIS2 and the Digital Operational Resilience Act. Since 2018 the UK has had its own version of NIS to improve resilience for essential services. In 2023, regulators for the downstream gas and electricity sector added additional requirements for “Protecting Against Non-Cyber Risks” to the existing Cyber Assessment Framework. The UK’s Cybersecurity Resilience Bill, due to be enacted in 2025, will expand the scope of the NIS, and it is likely that a UK form of the CER will follow. Essentially, energy infrastructure is raising its security game to have a more similar approach to that in place across most civil nuclear security regimes, even if “appropriate and proportionate” security design is different due to non-radioactive outcomes. But the need to assess risk and then produce a plan and maintain it is common to all regulatory approaches.
Assessing threat and risk
Resilience plans need to be based on a clear understanding of both threat and risk. They are not the same thing. A design basis threat, reflective of government agencies’ advice as well as overall government risk appetite, is used by some sectors to determine what a security design should reasonably protect against, in terms of adversary intent, capability, and tactics, techniques and procedures. This approach would be beneficial for all critical sectors, if appropriate expertise is available.
At a strategic level, when making the decision to put effort into resilience planning, likelihood matters less than whether a scenario is applicable and plausible. If the reasonable worst-case impact is high enough to an organisation or country, a resilience plan is required.
Risk assessment and the likelihood of accidents and hazards can be calculated using techniques such as probabilistic safety assessment, essentially an actuarial approach. Cyber risk quantification techniques exist for attacks targeting digital assets. Assessing the likelihood of sabotage by intelligent threat actors targeting tangible assets directly, potentially more than one of them simultaneously, is more problematic. To date this has required an essentially deterministic approach, in other words once a design basis threat is agreed, protective security planning is based a probability factor of the threat materialising of 1.0 (100%). This approach is necessary because an assumed capability side of the threat equation can be countered by engineered resistance and planned responses, and because the intent side is volatile and binary (i.e. an attack will occur or it won’t, so it’s sensible to assume it will). Investment decisions in hardened infrastructure and protective security also need a stable design to enable cost-effective construction and operation.
Risk assessment of impact and vulnerability is where operators of energy infrastructure can make the most valuable headway toward resilience. Impacts can be postulated using digital models and a deep well of engineering knowledge that can simulate systemic risk. The same is true for vulnerabilities. An engineer is less likely to be concerned about whether it’s arson or not, just that there is the potential for fire. Equally, in the cyber domain, a technical vulnerability can be discovered and addressed, whatever the likelihood that any threat actor may choose to exploit it – someone probably will, after all.
Research conducted in 2012 by the US Nuclear Regulatory Commission into SMR security highlights how a “Probabilistic Risk Assessment” approach could dovetail with the traditionally deterministic method to inform SMR security design. Since 2012, protective security has become a component of a wider resilience approach, in which the ability to be more agile in the face of a developing threat landscape has become increasingly important. Advances in open-source intelligence, enhanced by AI, create the possibility of understanding and measuring a changing threat landscape, which can complement the initial and then periodic assessment which influences physical security design. Identifying and measuring potential vulnerabilities and impacts means that this can be translated into a risk assessment. This is especially relevant to private sector operators who will need to provide early warning of specific threats to infrastructure which may require state-level assistance for enhanced deterrence, detection, and response. The combination of continuous threat and risk assessment with cyber risk quantification for operational technology can result in a form of physical risk quantification.
The most effective security and resilience plans will use threat and risk assessments to be clear about the security effects they wish to achieve and will acknowledge interdependencies, trade-offs, and opportunities across safety, security, and operational efficiency, and across the physical and cyber domains. The need to understand both cyber and physical threats in resilience plans is by now very clear. Many operators of critical infrastructure will now also need to plan for how they will interact with public sector civilian and even military response assets, potentially in a multinational environment. They will also have to be clear about how coordinated efforts between different operators and potentially across sectors can address systemic risks.
