NCC Group warns DC power regulation is a cyber risk

NCC Group has warned that DC power regulation is becoming a cybersecurity risk. Andy Davis, the cybersecurity company's global research director, said it now sits at the intersection of hardware, firmware and networked control, placing it within the broader cyber-physical attack surface.

The warning reflects a shift in how security teams view a long-overlooked part of electronics. DC power regulation keeps voltage stable in devices and systems, supporting everything from smartphones and servers to industrial machinery and communications equipment. Increasingly, it depends on digital controls, embedded firmware and connected management interfaces.

As a result, failures can no longer be treated as purely mechanical or localised problems. In older systems, a faulty regulator might damage equipment or interrupt service, but it was not generally seen as a route for deliberate attack.

Modern designs have changed that assumption. Regulators are often integrated into system management buses and monitoring networks, and some can receive firmware updates or report telemetry on voltage, current and temperature.

Below Software

One of the main concerns is where these components sit in the technology stack. Because power regulation operates below operating systems and applications, a compromise at that layer could affect systems that otherwise appear secure.

NCC Group identified embedded firmware as a particular weakness. If the code controlling a regulator lacks secure boot, signed updates or other integrity checks, an attacker could alter voltage levels, disable protections or falsify telemetry without relying on more familiar software exploits.

A successful attack at that level could have wide-ranging effects. Manipulated power delivery could degrade performance, corrupt data, trigger fail-safe shutdowns or damage hardware across an environment.

Those risks are likely to draw scrutiny in sectors where uptime and safety are critical. Data centres, industrial control systems, telecommunications networks and other critical infrastructure depend on precise, stable power delivery to keep systems operating within safe limits.

Supply Chain Risk

NCC Group also highlighted supply chain exposure. Power regulation components are often sourced through complex global manufacturing and distribution chains, making it harder for buyers to verify the integrity of hardware and pre-installed firmware.

A compromised regulator introduced before deployment could provide persistent, low-level access that bypasses conventional network defences. Such compromises may be harder to detect than software flaws and could remain in place for the life of the equipment.

Connectivity creates another route for attackers. Where power management functions are reachable from broader IT or operational technology networks, an intruder who gains a foothold elsewhere may be able to move laterally into components that directly influence physical behaviour.

That creates a bridge between cyber intrusion and operational disruption. In industrial settings, the consequences could extend beyond service interruption to safety hazards affecting plant and equipment.

Physical Manipulation

Davis also pointed to attacks that exploit the physical properties of power systems. Voltage glitching, for example, involves manipulating power delivery to induce faults in processors or controllers, potentially helping an attacker bypass authentication or interfere with software execution.

Such methods are not new to specialist hardware security researchers, but NCC Group's warning suggests they should now be considered more broadly in operational risk planning. As electronics become more precise and tightly tuned, susceptibility to abnormal power conditions can increase.

The company said organisations should adopt a defence-in-depth approach that treats power regulation as part of the security architecture rather than passive infrastructure. Recommended measures include securing firmware, enforcing trust at boot, isolating power management networks, monitoring power behaviour for anomalies, reducing physical tampering risks and improving supplier verification.

It also argued that security and infrastructure teams should treat power management devices as attackable endpoints. That would mean documenting dependencies, defining trust boundaries and including failures at the power layer in resilience and recovery plans.

For operators of critical systems, the message is that the electrical layer can no longer be assumed safe by default. "Without securing how systems are powered, even the most advanced digital defences rest on unstable ground," Davis said.