

Data centers are critical infrastructure, and need to be regulated as such

Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

  • Oct 22, 2021

Nextgov ran an excellent article last week, pointing out that data centers are very dependent on OT (especially power and cooling systems), even though the systems running in those data centers are all IT systems. The lesson I drew from the article (although it wasn’t stated like this) was that, not only are data centers critical infrastructure, but their OT side should be regulated as critical infrastructure. In other words, while I don’t think critical infrastructure regulations should be applied to the IT systems in the data centers, they should be applied to the OT systems that keep the IT systems running.

There’s another relevant lesson that the US learned the hard way this summer: OT systems aren’t limited to a bunch of strange-looking devices that don’t run an OS you’ve ever heard of (or in some cases, don’t run any OS at all), and that don’t normally run a networking protocol you’ve ever heard of. As the Colonial Pipeline attack showed, and as a 2018 ransomware attack on a large US electric utility also showed, a serious attack on IT can shut down systems that are critical to operations, forcing the OT network to be shut down as well.

So any systems that support the operations of a critical infrastructure provider – whether it be a pipeline, a utility, a key software supplier like SolarWinds, a cloud services provider, a data center provider…and other industries, I’m sure – should be in scope for critical infrastructure regulation. And this applies to systems that aren’t actually OT systems, like the Intel-type servers running Windows and Linux in the electric utility’s control centers discussed in the link above. These all had to shut down in 2018 due to a devastating ransomware attack on the utility’s IT network, even though they weren’t infected by the ransomware. (Of course, control centers in electric utilities are already subject to NERC CIP compliance, and it could certainly be argued that the CIP requirements are aimed much more directly at IT-type systems in control centers than they are at OT-type systems in substations and generating stations.)

I define critical infrastructure systems as those that are necessary for the smooth and continuous operation of critical processes – large scale data processing, production and delivery of electric power, etc. Both IT and OT systems can be critical infrastructure systems. In my opinion, all critical infrastructure systems should be regulated.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at


