Expanding Cybersecurity Threats: The regulatory and guidance landscape

29 October, 2025

Repeated federal alerts urge immediate basics in water and smaller utilities: asset inventories, password hygiene and policy compliance, network isolation, and monitoring, even as policy debates continue over mandates.

Several organizations aim to develop regulation to help guide the sector through the challenges of securing OT assets that can now be harmed not only physically but also digitally.

  • NERC CIP (power sector): The CIP family (e.g., CIP-002 through CIP-013) establishes a risk-based baseline for asset identification, access control, incident response, and supply-chain oversight for BES cyber systems. It is not a panacea, since distribution networks and municipal utilities may fall outside some scopes, but CIP drives governance and audit discipline for high-impact assets.
  • NIST SP 800-82 Rev. 3 (OT Security): A widely adopted reference that adapts security architecture, controls, and lifecycle practices to industrial environments where safety and availability trump raw confidentiality. It emphasizes segmentation, least privilege, robust and secure remote access, and continuous monitoring tailored to OT environments.

What ‘good’ looks like today

Defending modern energy infrastructure and smart grids requires raising the floor while planning for high-end adversaries. Prioritize the following:

  1. Map and minimize the attack surfaces. Build a current, queryable inventory of OT/edge assets, firmware, and exposed services. Remove internet exposure for PLCs/HMIs; where remote access is essential, require multi-factor authentication (MFA), brokered jump hosts, and just-in-time credentials.
  2. Design for containment. Treat distribution substations, DER aggregations, AMI head-ends, and control centers as separate security zones with tightly controlled conduits. Use unidirectional gateways or data diodes where appropriate. Apply allow-listing on HMIs/PLCs and disable any and all unused protocols.
  3. Harden the edge. Enforce signed updates, secure boot, and measured attestation for field devices and gateways. Protect model pipelines (for edge AI) with provenance checks and canary deployments. Rotate keys and segregate secrets for device management APIs.
  4. Detect LOTL and slow, quiet intrusions. Baseline administrative activity and Windows/Linux telemetry; alert on anomalous use of native tools, credential dumping, and scheduled task abuse. Tune detections with Cybersecurity and Infrastructure Security Agency (CISA) LOTL guidance and MITRE ATT&CK for industrial control systems (ICS).
  5. Exercise and practice manual modes. Run cross-functional tabletop and live-fire exercises that assume partial loss of EMS/DMS visibility and require fallbacks to local control. Ukraine’s experience shows recovery depends on tested manual procedures as much as forensics.
  6. Constrain the supply chain. Implement vendor risk tiering, software bill of materials (SBOM) collection, and tamper-resistant update channels. Align procurement with CIP-013-2 controls and demand secure-by-default configurations for fielded equipment.
  7. Measure what matters. Track time to detect and contain, percent of assets with known good firmware, remote-access session approvals, and patch/compensating-control coverage for safety-critical devices.
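Item 4 above calls for baselining administrative activity and alerting on anomalous native-tool use. The following is an added illustration, not code from the original article: it builds a (host, user, process) baseline from a known-good period of constructed telemetry, then flags new events either for high-risk command-line fragments (credential dumping, scheduled task creation) or for a living-off-the-land tool appearing outside its baseline. The pipe-separated log format, tool list and sample hosts are assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts host user process cmdline")

# Native tools commonly abused for living off the land. Their use is normal
# for some admins, so the rule alerts on deviation from baseline, not presence.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "schtasks.exe", "certutil.exe",
              "rundll32.exe", "ntdsutil.exe", "vssadmin.exe"}

# Command-line fragments that warrant an alert regardless of baseline.
HIGH_RISK = {
    "credential dumping": ("ntds.dit", "sekurlsa", "lsass"),
    "scheduled task abuse": ("schtasks /create", "/ru system"),
}

def parse(line):
    """Parse one 'ts|host|user|process|cmdline' record (assumed, constructed format)."""
    ts, host, user, process, cmdline = line.strip().split("|", 4)
    return Event(ts, host, user, process.lower(), cmdline.lower())

def build_baseline(lines):
    """(host, user, process) triples observed during a known-good period."""
    return {(e.host, e.user, e.process) for e in map(parse, lines)}

def detect(baseline, lines):
    """Return (ts, host, reason) tuples for events worth an analyst's time."""
    alerts = []
    for e in map(parse, lines):
        hit = next((label for label, needles in HIGH_RISK.items()
                    if any(n in e.cmdline for n in needles)), None)
        if hit:
            alerts.append((e.ts, e.host, hit))
        elif e.process in LOTL_TOOLS and (e.host, e.user, e.process) not in baseline:
            alerts.append((e.ts, e.host, "unbaselined native tool: " + e.process))
    return alerts

# Constructed sample telemetry (not real data).
BASELINE_LOGS = [
    "2025-10-01T08:00:00|hmi-sub7|opsadmin|powershell.exe|get-service",
    "2025-10-01T09:15:00|hmi-sub7|opsadmin|schtasks.exe|schtasks /query",
    "2025-10-02T08:05:00|eng-ws2|engineer1|powershell.exe|get-childitem c:\\projects",
]
NEW_LOGS = [
    "2025-10-20T02:13:00|hmi-sub7|opsadmin|powershell.exe|get-service",
    "2025-10-20T02:14:00|hmi-sub7|svc_backup|wmic.exe|wmic process call create cmd.exe",
    "2025-10-20T02:16:00|hmi-sub7|svc_backup|schtasks.exe|schtasks /create /tn upd /ru system /tr c:\\temp\\u.exe",
    "2025-10-20T02:20:00|dc1|svc_backup|rundll32.exe|rundll32 minidump 624 c:\\temp\\lsass.dmp",
    "2025-10-20T02:25:00|eng-ws2|engineer1|notepad.exe|notepad c:\\projects\\notes.txt",
]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```

Only the three events that deviate from baseline or match a high-risk fragment are reported; the routine PowerShell use on hmi-sub7 and the non-LOTL notepad.exe are not.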

The road ahead

Electrification (EVs, heat pumps), high DER penetration, and increasingly autonomous grid operations will continue to push intelligence to the edge, while more complex systems run in datacenters or in the cloud. Edge computing is good for resilience, as local decisions can keep pockets of the grid stable, but it also creates more software supply chain, credential, and configuration risk at the periphery.

At the same time, well-funded actors are iterating on stealthy persistence and topology mapping inside U.S. critical infrastructure, aiming to hold latent options during geopolitical crises. Utilities should plan on the assumption that motivated adversaries have time and patience, and design architectures that force them to make noise in order to move laterally or to touch safety-critical functions.

The fundamentals still matter most: reduce exposed services, segment ruthlessly, verify software and models at the edge, monitor for LOTL behaviors, and practice operating safely with degraded visibility.

Given the growing complexity of utility systems, not only in hardware but in firmware, software and communications, security is no longer a simple compliance check at the individual component level. Each piece is part of a larger system. Working with vendors should include a ‘component level’ security conversation that goes beyond specific policy compliance to cover design and implementation practices, security audit results, and how issues are communicated (and resolved) with customers, while also considering the myriad other components and systems that interoperate and communicate with each other.

As a simple example, even if a smart meter and its network are secure, a compromised head-end system may not only expose personally identifiable information (PII), it may also allow unwanted operations across production meters, or even serve as the basis of a DoS attack by overloading the AMI communication network.

Conclusion

The sector’s increasing digital sophistication, while offering better telemetry, automation, and control than ever, makes true ‘set and forget’ security impossible. The winners will be operators who turn the visibility into disciplined engineering, treating cybersecurity as integral grid hygiene rather than an add-on project.

Working closely with security-conscious vendors, beyond the single component or device level and through implementation, can help reduce the challenges of today and those of tomorrow.
