Power Supplies and Cybersecurity Risks: An Often-Neglected Concern

Network-connected power supplies (PSUs) deliver many system management benefits. They also introduce a set of cyberattack vulnerabilities. Careful attention to cybersecurity is a must for today’s system designers.

Network-Connected PSUs: Value and Vulnerability

In many respects, our world functions as one globally interconnected digital system. Massive data centers and individual remote sensing devices alike are key elements of the Internet of Things (IoT) and Industrial Internet of Things (IIoT). Modern power supplies (PSUs) hold a unique place in infrastructure – they not only power the IoT but are themselves part of it.

Commercial and industrial power supplies are complex systems in their own right. Grid AC is stepped down with high-voltage PSUs to AC or DC at 120 to 480 volts. Equipment racks often use 48-volt rack-bus power supplies, with in-rack units converting to 12, 5, or 3.3 volts for individual components. Uninterruptible power supplies (UPSs) and backup generators may operate at multiple points in the system, and any of these PSUs or UPSs can be connected to the Internet. New PSUs come with Internet-based remote management, monitoring, and lifecycle data collection. The most advanced models also capture detailed telemetry and enable tuning and optimization through remote power monitoring over the Internet.

PSUs connected to the Internet enable maintenance teams to:

  • Track actual vs. budgeted power usage and power down unnecessary units
  • Monitor circuit breakers and limit conditions
  • Track and compare individual loads
  • Tune power levels to compensate for heavier loads

Remote access enables more efficient centralized control but also introduces cybersecurity vulnerabilities from both centralized network attack vectors and individual node attack vectors.

Cybersecurity in the Connected World

Much has been written about electrical infrastructure-level cybersecurity risks, but internal power systems also present significant danger. A connected PSU is essentially an IoT node, and commercial or industrial models increasingly integrate network-connected PLCs (programmable logic controllers) and advanced sensors to boost operational efficiency. If not properly secured, PSUs are vulnerable to exploitation like any other connected device. They can be direct targets of infrastructure cyberattacks, while an unsecured sensor or PLC can serve as an entry point that exposes the entire installation. Once inside, an attacker can disrupt power control systems or pivot into broader company networks.

Three Common Cyberattack Objectives

Company Network Attack Vector

An open node at any point in the network creates a potential attack vector. For example, a remote load sensor connected as an IIoT node can be a serious vulnerability. Engineers may focus on protecting the larger system components while glossing over cybersecurity on microcontroller-based telemetry sensors.

Ransomware and Espionage

Once inside, attackers may move laterally into highly sensitive business network segments, installing ransomware or stealing trade secrets and financial credentials. For example, in 2013, hackers breached retail operator Target’s HVAC system and gained access to the main network, ultimately stealing the credit card data of millions of customers.

System Vandalism

Vandals can send invalid instructions to intelligent PSUs. Commands to adjust voltage levels and current supply may damage or destroy equipment elsewhere in the installation or even shut down critical systems.

Sönke Rogalla, head of the Power Electronics and Grid Integration department at the Fraunhofer Institute for Solar Energy Systems (ISE) in Germany, has raised concerns about millions of active software-controlled solar power inverters installed nationwide. Many have minimal security yet remain connected to the national grid, creating a scenario where a coordinated cyberattack could threaten the country’s power system.

Minimizing the Risk of Cyberattacks

Government and regulatory cybersecurity policy tends to focus on infrastructure and grid-level cybersecurity, placing the responsibility for PSU-level protection on power supply designers, embedded engineers, and system architects. Critical infrastructure cybersecurity must be a top-level concern for system designers and operators. Security must be designed into every layer of the system, from the microcontroller to the master server power control systems.
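
An added example, not from the original article or any vendor's firmware: one way a PSU controller could refuse the invalid voltage commands described under System Vandalism, by requiring each remote setpoint to be authenticated, fresh, and inside the rail's safe envelope. The rail table, tolerance, step limit, message layout and shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed limits (assumptions): nominal rail voltage and fractional tolerance.
RAILS = {"48V": (48.0, 0.05), "12V": (12.0, 0.05), "5V": (5.0, 0.05), "3V3": (3.3, 0.05)}
MAX_STEP_V = 0.25  # assumed largest change accepted from a single command


def encode(rail: str, volts: float, counter: int) -> bytes:
    """Fixed-layout message: 8-byte rail name, float64 setpoint, uint64 counter."""
    return struct.pack(">8sdQ", rail.encode(), volts, counter)


def sign(key: bytes, rail: str, volts: float, counter: int) -> bytes:
    """Management-station side: HMAC-SHA256 tag over the encoded command."""
    return hmac.new(key, encode(rail, volts, counter), hashlib.sha256).digest()


class SetpointGate:
    """PSU-controller side: accept a setpoint only if authentic, fresh and safe."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.setpoint = {rail: nominal for rail, (nominal, _) in RAILS.items()}

    def apply(self, rail: str, volts: float, counter: int, tag: bytes) -> str:
        if rail not in RAILS:
            return "reject: unknown rail"
        if not hmac.compare_digest(sign(self.key, rail, volts, counter), tag):
            return "reject: bad tag"
        if counter <= self.last_counter:
            return "reject: replayed counter"
        self.last_counter = counter  # an authentic message is never accepted twice
        nominal, tol = RAILS[rail]
        # Written as a positive range test so NaN fails it and is rejected.
        if not (nominal * (1 - tol) <= volts <= nominal * (1 + tol)):
            return "reject: outside rail envelope"
        if abs(volts - self.setpoint[rail]) > MAX_STEP_V:
            return "reject: step too large"
        self.setpoint[rail] = volts
        return "accept"
```

The envelope and step checks run even for correctly signed commands, so a compromised management station still cannot push a rail outside its tolerance in one message.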

Every subsystem should be examined for potential vulnerability. Cybersecurity experts must be involved in the design or auditing of all connected device security. Whenever possible, devices should be hard-wired, as wireless connections carry greater risk. Physical security also plays a role—identifying details such as MAC addresses and IP addresses should never appear in public materials or be exposed to unvetted personnel or site visitors.

Parting Thoughts on Power Supply Security

PSU Internet connectivity delivers benefits such as increased efficiency, improved management, and operational flexibility. As connectivity expands, the risk of cyberattacks increases. If not properly secured, this connectivity poses significant power supply security risks at both the individual system level and across critical infrastructure.

Power supply security is now a first-order design factor for both the intelligence within PSUs and for the overall system architecture. With a system cybersecurity plan that addresses security at both the installation and PSU levels, operators can take advantage of remote power monitoring and optimization while preventing the power system from becoming a potential network attack vector.