
AI cybersecurity from the ground up - Data Centers - Part 6 'Gas Turbines'

  • brencronin
  • Apr 21
  • 8 min read

Updated: Jul 25

Powering AI - The Role of Gas Turbines in the Energy Supply Chain


In the previous post, we explored the explosive growth of data centers driven by the rise of AI, and the corresponding surge in energy demands. Operators and stakeholders across the AI ecosystem recognize the urgency of scaling power infrastructure, not just to meet current needs, but to do so in a cost-effective and sustainable way.


Three key areas of innovation are being explored:


  • Nuclear Energy – especially the use of Small Modular Reactors (SMRs).

  • Renewables – like solar and wind, paired with long-duration thermal energy storage.

  • Gas Power – currently the most viable bridge solution.


While SMRs and thermal battery systems show great promise, they are still maturing and unlikely to become primary power sources for hyperscale data centers in the immediate future. In the near term, natural gas power is poised to fill the gap.


Natural gas is generally considered a cleaner alternative to coal. It produces significantly less CO₂ and other pollutants, offers higher fuel-to-electricity efficiency, and emits fewer harmful byproducts. The U.S. is well-positioned to benefit from this shift thanks to its extensive natural gas infrastructure, making it a cost-effective choice.


As data centers increasingly deploy gas-powered turbines to meet the high energy demands of AI operations, they are evolving into on-site power producers. This shift introduces additional power generation infrastructure and, with it, new industrial control system (ICS) environments that are not standard in data centers. These environments expand the cyber-attack surface and require dedicated security measures.


China’s Carbon Dependency and Geopolitical Energy Strategy


However, the global landscape is more nuanced. Countries like China, rapidly expanding their AI capabilities, continue to rely heavily on coal, which accounts for over 55% of their energy mix.




China is expected to remain one of the largest contributors to global carbon emissions in the near term, primarily due to its continued reliance on coal-fired power generation. Several factors contribute to this dependence:


  • Long lead times for nuclear energy expansion, similar to challenges faced in the West.

  • Delays in large-scale energy storage solutions, which limit the scalability of renewable energy.

  • Decentralized energy governance, with provinces making autonomous decisions that often prioritize local economic growth over national sustainability goals.

  • Strategic energy security concerns, including the well-known “Malacca Dilemma”: China's vulnerability due to heavy reliance on foreign oil imports transiting through the Strait of Malacca.


Beyond its environmental impact, China’s energy strategy intersects with broader geopolitical objectives. Significant financial investments in countries like Iran, notably in oil infrastructure, serve multiple strategic purposes. These deals:


  • Support authoritarian regimes, enabling them to maintain power.

  • Provide financial resources that may be used to fund proxy conflicts or extremist organizations.

  • Allow China to deepen alliances with resource-rich but politically isolated states, expanding its global influence.


At the same time, China employs information operations and influence campaigns aimed at sowing division within Western democracies, undermining their ability to form coordinated responses to these actions. In essence, China's energy policy is not just about securing fuel; it is about securing leverage, influence, and uninterrupted economic expansion, often at the expense of other peoples of the world, global stability, and environmental progress.


Immediate Energy Focus - Gas Turbines in the Power Supply Chain


This article now shifts focus to a critical component of the gas-powered data center AI supply chain: the turbine.


Gas turbines are the equipment that convert natural gas into usable electricity. Many hyperscale data center operators are now investing in on-site gas power plants, installing dedicated turbines directly adjacent to their facilities. This not only ensures reliable energy supply but also allows for closer control over energy efficiency and resilience.


In the next section, we’ll break down how turbine technology works, explore leading manufacturers, and examine how this trend is shaping the future of AI infrastructure.


How a Gas Turbine Works


A gas turbine is a type of internal combustion engine that converts the chemical energy in fuel into mechanical energy, which can then be converted into electricity. It operates in three main stages:

  1. Air Intake and Compression - Ambient air is drawn into the turbine and compressed by a series of rotating blades. This compression significantly increases the air pressure, which is critical for efficient combustion.

  2. Combustion

    1. The compressed air is mixed with natural gas (or another fuel as an emergency backup) and ignited in the combustion chamber.

    2. This process produces a high-temperature, high-pressure stream of expanding gases.

  3. Power Generation (Expansion and Turbine Rotation) - The expanding gases rush through a turbine section, causing it to spin. This mechanical energy drives a generator to produce electricity.


The Combined-Cycle Power Plant


Combined-cycle plants maximize efficiency by capturing and reusing waste heat. After a gas turbine generates electricity, its hot exhaust is directed to a Heat Recovery Steam Generator (HRSG). The HRSG uses this exhaust heat to produce steam, which then powers a secondary steam turbine, generating additional electricity that would otherwise be lost through the exhaust stack.


Leading Gas Turbine Vendors Powering Data Centers


Three dominant manufacturers lead the global gas turbine market, known for producing high-quality, high-efficiency turbines that serve both industrial and data center-scale power needs:


GE Vernova (Greenville, SC)


GE Vernova is a global leader in gas turbine technology, offering a wide range of turbines that scale from mobile and modular units like the TM2500 to high-performance industrial giants like the 7HA and 9HA series. These larger models deliver output in the hundreds of megawatts, making them suitable for utility-scale and hyperscaler data center campuses.


Mitsubishi Heavy Industries (MHI)


Through its energy-focused subsidiary Mitsubishi Power, MHI offers a comprehensive lineup of gas turbines, including the compact M25 series and the powerful M701 series. Like GE’s HA models, these turbines can produce hundreds of megawatts and are frequently deployed in combined-cycle configurations for maximum efficiency.


Siemens Energy


Siemens Energy is another global powerhouse in the gas turbine industry. Its portfolio spans from the compact A05 series to the large-scale, high-efficiency 9000HL series, capable of supporting extensive industrial and power grid demands.


Notable Emerging Players: China


In addition to these global leaders, several Chinese companies are gaining momentum in the gas turbine market, particularly for domestic infrastructure:


  • Nanjing Turbine & Electric Machinery (Group) Co., Ltd.

  • Shanghai Electric Group Co., Ltd.

  • Dongfang Electric Corporation Limited


Gas Turbine Manufacturers: Fiscal Discipline and Supply Chain Challenges


In response to the sharp rise in demand for gas turbines, top manufacturers have announced that they will scale production only to a certain limit and avoid expanding beyond that threshold. This is dragging gas turbine lead times out to 7 to 8 years. This deliberate production cap reflects fiscal discipline, allowing turbine manufacturers to avoid overcommitting as disruptive energy alternatives, such as nuclear power, renewables paired with thermal batteries, and energy-efficient AI models like China’s DeepSeek, begin to challenge the long-term dominance of gas-powered solutions.


A critical supply chain constraint lies in the production of compressor and turbine blades, which require precision manufacturing using specialized metals such as nickel-based superalloys. This underscores the strategic importance of rare earth elements and industrial metals. Although the U.S. holds significant nickel reserves, domestic mining remains underutilized due to regulatory and environmental challenges.


This deliberate production cap not only manages long-term risk but also creates scarcity, enabling turbine vendors to charge a premium and prioritize preferred buyers. Despite the gas turbine delivery delays, many data centers will continue to rely on gas turbines as their primary energy supply over the next few years. Utilities supporting these facilities are also expected to maintain and expand their gas turbine capacity to meet growing demand. A recent example: a joint venture between Engine No. 1, Chevron, and Crusoe AI successfully jumped to the top of GE Vernova’s turbine procurement queue. They secured multiple gas turbines to power dedicated data center infrastructure across the U.S., illustrating how strategic alignment and capital investment can influence access to limited turbine supply.


Cyber Risks to Turbine-Based Power Generation


One of the earliest and most dramatic demonstrations of cyber risk to power generation systems was the 2007 Aurora Generator Test, conducted by Idaho National Laboratory. The test showed how a cyberattack could manipulate generator synchronization, forcing it out of phase with the grid. This led to catastrophic physical failure, documented on video, underscoring that cyber vulnerabilities can result in real-world, kinetic damage.



Today, similar attack pathways still exist, particularly through industrial control systems (ICS) responsible for safeguarding turbine operation. These systems are designed to prevent destructive conditions such as overspeed, overtemperature, or load imbalance. However, if compromised, the very protections designed to shut down unsafe conditions can be bypassed or disabled.


For example, the Industroyer malware (also known as CrashOverride) included a module that exploited a vulnerability in Siemens SIPROTEC relays (CVE-2015-5374). These relays are widely used in motor and generator protection systems, and the exploit allowed attackers to disable critical safety functions.


Likewise, GE Speedtronic turbine control systems, used to manage turbine start/stop sequencing, monitor performance parameters, and execute fault handling, have also been found vulnerable. Older deployments of GE’s Mark VIe controllers have been observed with default credentials and insecure services like Telnet, offering attackers easy entry points if proper hardening measures aren't in place.


Increasing Complexity in Generator Security: Remote Access, Cloud Integration & Supply Chain Risk


Securing industrial generator systems is already a challenge due to the need for hardened configurations and patching known vulnerabilities. However, this complexity is increasing as these systems are now frequently being interconnected with the Internet to enable cloud-based telemetry, remote diagnostics, and vendor support.


Through Network Detection and Response (NDR) tools such as Zeek and Corelight, I’ve observed generator vendors implementing remote access capabilities that create additional exposure. [See example here: Zeek & Corelight – Encrypted Traffic Collection | LinkedIn].


A common remote access method involves ICS control software tunneling SSH sessions from an external system into internal environments. While this can be used maliciously by attackers, vendors themselves often rely on SSH tunneling to securely manage, patch, and troubleshoot systems behind organizational firewalls. A specific variant of this risk is the use of SSH over port 443, a technique also seen in Ransomware-as-a-Service (RaaS) campaigns, where threat actors install OpenSSH on compromised Windows machines and exfiltrate connections via port 443, blending in with normal HTTPS traffic.


Several factors make this type of remote access riskier:


  1. Default Installations by Contractors: SSH tunneling features are often enabled by default in vendor-provided images or contractor-installed systems, frequently without full awareness of the operational or security implications.

  2. Vendor-Owned Cloud Infrastructure: Vendors increasingly build their own cloud-based management platforms using public cloud providers, including smaller or less mature providers. Even when hosted on major platforms like AWS or Azure, the services are typically customer-managed, meaning the cloud provider does not enforce or assume responsibility for security.

  3. Limited Cloud Security Expertise: Generator vendors, often rooted in hardware or mechanical engineering, are now required to secure complex cloud-to-device architectures. This shift introduces supply chain risk, as vendors must implement cloud security practices that may fall outside their traditional domain of expertise.
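
To make the SSH-over-443 tunnels described above, and the Telnet exposure noted earlier for older controller deployments, visible in NDR data, the following added example (not code from the original post or from any vendor) scans a Zeek `conn.log` in TSV form. The sample log lines, the `10.20.0.0/16` internal range and all function names are constructed assumptions for illustration.

```python
import ipaddress

# Assumption: the site's ICS/management range; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample in Zeek's TSV conn.log layout (documentation-range addresses).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1700000000.1\tCaaa1\t10.20.0.15\t49812\t203.0.113.40\t443\ttcp\tssl",
    "1700000001.2\tCbbb2\t10.20.0.31\t50233\t198.51.100.7\t443\ttcp\tssh",
    "1700000002.3\tCccc3\t10.20.0.9\t51001\t10.20.0.50\t23\ttcp\t-",
    "1700000003.4\tCddd4\t10.20.0.9\t51002\t10.20.0.60\t22\ttcp\tssh",
])

def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_risky_sessions(text):
    """Return (uid, finding, direction) for SSH on 443 and for Telnet-port sessions."""
    hits = []
    for rec in parse_conn_log(text):
        services = set(rec.get("service", "-").split(","))
        port = int(rec["id.resp_p"])
        leaving = is_internal(rec["id.orig_h"]) and not is_internal(rec["id.resp_h"])
        direction = "outbound" if leaving else "internal-or-inbound"
        # Zeek labels service from the payload, so "ssh" on the HTTPS port stands out.
        if "ssh" in services and port == 443:
            hits.append((rec["uid"], "ssh-over-443", direction))
        # Telnet is matched by port here, since the service column may be empty.
        elif port == 23:
            hits.append((rec["uid"], "telnet-port-23", direction))
    return hits

if __name__ == "__main__":
    for hit in find_risky_sessions(SAMPLE_CONN_LOG):
        print(hit)
```

Each hit is a starting point for asking the vendor or contractor whether the tunnel is a sanctioned support channel, and for recording the approved destinations so that anything else can be alerted on.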


New Power Generation and New Cyber Targets


As AI data centers scale in power consumption, many operators are turning to gas turbines for on-site generation to ensure performance, autonomy, and uptime. But this transformation shifts them into a new category, not just as data stewards, but as critical infrastructure operators.


Gas turbines bring high energy efficiency and responsiveness, but also introduce complex ICS environments with distinct cyber risks. Failing to secure turbine control systems leaves operators vulnerable to the very kinds of attacks demonstrated in Aurora and used in malware like Industroyer.


To protect the future of AI operations, organizations must treat gas turbine cybersecurity with the same rigor they apply to digital workloads by:


  • Hardening control system interfaces

  • Enforcing strong authentication

  • Monitoring ICS network traffic for anomalies

  • Eliminating legacy protocols and default configurations


In this evolving landscape, the convergence of high-performance computing and industrial power systems demands a unified approach to cybersecurity, because the next big breach could come not from the cloud, but from the combustion chamber.







