Electricity Is a Growing Area of Cyber Risk

CYBER RISK Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. Electricity Is a Growing Area of Cyber Risk IT has long been concerned about ensuring systems receive the right amount of electricity. Cyberattackers are realizing they can manipulate voltage fluctuations for their purposes, too. Arielle Waldman,Features Writer,Dark Reading April 22, 2026 5 Min Read SOURCE: ZOONAR GMBH VIA ALAMY STOCK PHOTO Organizations secure work phones and company laptops, but attackers could be lurking, targeting the electric current running those devices.  Direct current (DC) power regulation helps to stabilize the energy powering electronics people use daily, from solar panels and connected cars to smartphones and essential computer parts. It's also vital across critical infrastructures like telecommunications, industrial automation, and data centers.  DC regulators provide stable voltage to prevent damage or more concerningly, outages that stem from power surges. However, the power ecosystem is becoming more complex as technology advances -- opening a potential new attack vector. There are many famous attacks against DC power infrastructure, but they're often viewed as unexplained physical damage, safety failure systems, and mysterious outages, which may not be the case, explains Andy Davis, global research director at NCC Group.  Related:Lies, Damned Lies, and Cybersecurity Metrics Additionally, software vulnerabilities that could potentially be exploited have been found in some of the newer, more sophisticated DC regulator models.  Early in the industrial age, when systems required electrical power, it didn’t need to be well regulated. Electricity just needed to power systems adequately enough to complete simple tasks, adds Davis, global research director at NCC Group.  But IT systems have grown immensely more complicated over the years, requiring more power, with greater voltage fluctuations. Rising technologies such as artificial intelligence and quantum computing are big electricity hogs.  "The technology associated with making sure that the power is consistent, managed, and efficiently delivered has become more complex," Davis tells Dark Reading. "As a result, it's become part of the attack surface."  'Overlooked Security Dependencies'  While power regulations have grown more important to manage increasingly complex ecosystems, they are "often overlooked security dependencies," adds Davis. Potential concerns have crept up on the IT industry, but awareness needs to expand because the layer can be attacked just like the systems its powering, he warns. Compromising a system’s power flow can cause the same disruption as breaching the network.  Regulators sit underneath the operating system (OS). Attackers could easily hide there, outside the layer organizations monitor with antimalware or antivirus-type systems, reveals Davis.  "There's the potential to silently hide within infrastructure," Davis says. "[Threat actors] could create backdoors into the power-controlling infrastructure, rather than the infrastructure itself." Related:Shadow AI in Healthcare Is Here to Stay One of the biggest concerns is that people often view power issues – such as unexplained physical damage, safety system failures, and mysterious outages – as glitches, but not necessarily a potential cyberattack.  That mindset could put organizations in jeopardy. Because regulators operate below the OS level, threat actors who successfully exploit and compromise devices can impact performance, trigger shutdowns, or even damage hardware without being seen, adds ExtraHop CISO Chad LeMaire. "These factors are making DC power regulators a more frequent and lucrative target for attackers looking to undermine an organization or create a window of downtime for other nefarious purposes," LeMaire tells Dark Reading. Regulators: The New Jackpot for Hackers Organizations can no longer consider regulators as passive components. Rather than simply delivering voltage, many are now programmable, firmware-driven systems that control how devices physically operate, explains NetRise SVP Gary Schwartz, adding how the shift is reflected in real products. He used semiconductor manufacturer STMicroelectronics as one example. The vendor ships programable power devices with configurable behavior, and their ecosystem already shows up in the National Vulnerability Database with dozens of CVEs tied to firmware and supporting software, warns Schwartz.  Related:Manufacturing & Healthcare Share Struggles with Passwords "That's a reminder that once power regulation becomes software-driven, it inherits the same supply chain risk as any other code," Schwartz says. "The concern isn’t just the presence of vulnerabilities; it’s how quickly they can be exploited."  Potential fallout breaks down into two categories. On the smaller side, attackers could take advantage of a single power regulator affecting multiple servers. Rather than attacking a server, if a threat actor attacks the power regulator that's supplying those servers, they could create denial-of-service (DoS) attacks, warns Davis.  "If you ramp it up to a data center, it has greater impact without having to attack multiple servers," he says. "There's a potential for a large denial-of-service scenario." Larger scale issues – where people are potentially harmed – could occur if threat actors target operational technology (OT) safety-critical systems. A connected car with a power system that's controlling embedded computers within the vehicle is one example where attacks could compromise driver or passenger safety, explains Davis.       Treat Power as a Security Issue  As Schwartz pointed out, unprotected power regulators could lead to supply chain risks. The components that make up complex power architecture may have third-party software or firmware embedded, leaving security questions around how it was developed.   To get ahead of potential threats, organizations should essentially treat power regulation as part of their security architecture, recommends Davis. Regulators are often considered part of the background and therefore taken for granted. Many times, power is monitored from a usage perspective but not a security perspective, and that needs to change, he urges.  Organizations are already familiar with ways to improve DC power regulator security because they have standard protocols they'd apply to enterprise networks, like segmentation and monitoring. Enforcing cryptographic signing and secure boot mechanisms for power management software is another key element to defend against threats that manipulate DC power regulators and other hardware increasingly connected to the network, advises LeMaire.  It may seem like devices are just powering equipment, but that equipment has become more power-hungry. Complexity grew out of a drive for efficient power distribution. People are concerned about green energy, and how efficiently it can be produced, adds Davis.    "People need to be aware that the complexity brings additional threats and needs to be considered as part of the threat model," he says. "The overarching statement is around the risk of attackers using this potential vulnerability to hide in."  Awareness needs to increase because the matter is only going to grow more complicated.  "We're already seeing things like AI being used as part of power regulation," Davis says. "It's going to get more complex for sure. People need to grapple with it right now." Read more about: CISO Corner About the Author Arielle Waldman Features Writer, Dark Reading Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.     Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The Agentic SOC: Exploring the Practitioner Mindset as AI Permeates SecOps The Total Economic Impact™ Of Google SecOps The Business Value of Google Threat Intelligence The Total Economic Impact™ Of Google SecOps AI-driven SecOps: Transforming Financial Services Security Access More Research Webinars From AI Hype to Trusted Outcomes: Wolf's New Aurora® Superintelligence Platform and Turnkey Agentic SOC Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge VULNERABILITIES & THREATS NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities APR 16, 2026 СLOUD SECURITY Why Orgs Need to Test Networks to Withstand DDoS Attacks During Peak Loads APR 13, 2026 CYBERSECURITY OPERATIONS RSAC 2026: How AI Is Reshaping Cybersecurity Faster Than Ever APR 7, 2026 CYBERSECURITY OPERATIONS Human vs. AI: Debates Shape RSAC 2026 Cybersecurity Trends APR 7, 2026 Read More The Edge Want more Dark Reading stories in your Google search results? BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS