Nation-state actors are exploiting the organizational gap between IT and OT security teams. For CISOs at energy, water, gas, and communications utilities, closing this gap has shifted from theoretical concern to urgent operational imperative.
In November 2023, residents of two Pennsylvania townships lost water pressure monitoring when Iranian state-sponsored hackers compromised a Unitronics PLC at the Aliquippa Municipal Water Authority’s booster station. The attack vector was remarkably straightforward: a PLC exposed to the internet with the default password “1111” on an unsecured port. The device shared a network with security cameras, a common cost-saving measure that enabled lateral movement once the PLC was compromised.
Within 60 days, three Texas water facilities suffered similar attacks, with one causing a storage tank to overflow for more than 30 minutes. The attacks required no advanced zero-day exploits. They succeeded because of fundamental IT/OT boundary failures: internet-exposed OT devices, default credentials, and inadequate network segmentation.
Matthew Mottes, chairman of the Aliquippa water authority that serves more than 20,000 suburban Pittsburgh residents, captured the organizational blind spot perfectly: “If you told me to list 10 things that would go wrong with our water authority, this would not be on the list.”
For CISOs at energy, water, gas, and communications utilities, Aliquippa represents a moment of clarity: The attack succeeded because it targeted the nebulous, unsupervised space between IT and OT. IT teams secured the enterprise network. OT teams maintained operational systems. The attackers cleverly exploited the opportunity in the overlapping gray zone.
The U.S. Regulatory Mosaic
The regulatory landscape for IT/OT security varies across utility sectors, which complicates standardized governance approaches. For the sake of brevity, we are going to focus on energy, gas, water and communications. The different commodities they produce and the differences in how they produce them mean different vulnerabilities and different approaches, but some common regulatory themes and compliance obligations emerge.
Energy utilities face the most mature regulatory environment through NERC CIP standards, which comprise 14 mandatory requirements governing the Bulk Electric System. Recent updates are significant: CIP-015-1, approved June 2025 by FERC Order No. 907, mandates Internal Network Security Monitoring with compliance deadlines of October 2028 for medium-impact systems and October 2030 for control centers. NERC can impose fines up to $1.29 million per violation per day: Duke Energy paid $10 million in 2019 for 127 CIP violations, setting a cautionary enforcement precedent.
Natural gas pipelines underwent regulatory transformation following Colonial Pipeline. TSA Security Directives (Pipeline-2021-02E, effective July 2024) now mandate TSA-approved Cybersecurity Implementation Plans, incident reporting to CISA within 24 hours, network segmentation between IT and OT, multi-factor authentication, and annual vulnerability assessments. A November 2024 Notice of Proposed Rulemaking would codify these directives as permanent regulations.
Water utilities represent the most significant regulatory gap. EPA withdrew its March 2023 attempt to establish mandatory cybersecurity requirements in October 2023. Current requirements under Safe Drinking Water Act Section 1433 mandate Risk and Resilience Assessments and Emergency Response Plans for systems serving more than 3,300 people, but they lack specific cybersecurity prescriptions. An August 2024 GAO report found EPA urgently needs a strategy to address cybersecurity risks. The sector serves 300+ million Americans through 52,000+ utilities, most lacking dedicated cybersecurity staff. More than 70% of water systems inspected since September 2023 failed basic cybersecurity compliance.
Communications infrastructure faces regulatory uncertainty. The FCC proposed mandatory cybersecurity requirements in December 2024, but voted 2-1 in November 2025 to eliminate these proposed requirements, with FCC leadership citing the need for a collaborative rather than prescriptive approach. Currently, no mandatory minimum cybersecurity standards exist for telecom carriers. This is striking given Salt Typhoon’s compromise of nine major U.S. providers, which congressional cybersecurity leadership has characterized as the most serious telecommunications compromise in U.S. history. As of January 2026, officials confirm Salt Typhoon remains active in U.S. networks, with only a 25% reduction in exposed targeted devices since the October 2024 disclosure.
| Sector | Mandatory Requirements | Enforcement Maturity | Primary Regulator |
|---|---|---|---|
| Electric (Bulk Power) | NERC CIP Standards | High (significant fines) | NERC/FERC |
| Natural Gas Pipelines | TSA Security Directives | High (active oversight) | TSA |
| Water/Wastewater | SDWA Section 1433 (limited) | Low (increasing focus) | EPA |
| Communications | None currently | Minimal | FCC |
Cross-sector requirements are evolving through CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act), with a final rule expected May 2026. This will require 72-hour incident reporting and 24-hour ransom payment notification across all 16 critical infrastructure sectors. National Security Memorandum 22 (April 2024) marked a policy shift toward mandatory minimum resilience requirements, designating CISA as the National Coordinator for critical infrastructure security.
The Great Divide: IT Security Meets OT Operations
The technical challenge of IT/OT convergence is compounded by the fundamentally different value IT and OT leaders assign to security. These differences create political and organizational deadlocks that medium-sized utilities find difficult to overcome.
Governance failures stem from misaligned security priorities. IT security follows the CIA triad (Confidentiality, Integrity, Availability), prioritizing data protection from unauthorized access. OT inverts this to AIC, where availability is paramount because downtime means service disruptions to customers. A water treatment plant that goes offline to patch vulnerabilities isn’t delivering safe drinking water. An electric grid that segments networks too restrictively can’t maintain power distribution. This creates friction when IT security approaches conflict with OT operational requirements.
The organizational question of “who owns OT security?” remains unresolved at many utilities. Should OT security report to the enterprise CISO, or should there be a dedicated OT security program lead within the OT team? Recent findings show shared domain architecture between IT and OT networks in nearly one in five organizations, a configuration that enables attackers to move laterally once they compromise initial access points. Siloed operations with isolated data, systems, and processes across departments continue to hinder unified approaches.
Cultural resistance represents an underestimated barrier. Successful convergence requires cultural change, not just technical capability. OT personnel understand the physics of their systems in ways IT teams may not. Organizations consistently find it easier to teach security concepts to OT staff than to teach OT operational realities to IT security teams. IT and OT teams have rarely worked together historically, leading to security oversights, complexity, duplication of efforts, and exposure to security flaws.
Technical integration faces constraints unique to utility environments. Legacy equipment with multi-decade lifecycles (sometimes so outdated that replacement parts aren’t available) often lacks built-in monitoring and logging capabilities. Protocol incompatibilities exist between IT security tools designed for TCP/IP and industrial protocols like Modbus, DNP3, and IEC 61850. Patching in OT environments where downtime costs are prohibitive and maintenance windows are months apart creates impossible trade-offs. Asset visibility gaps persist where passive scanning tools capture only 50-60% of the environment, while 45% of OT environments have limited or missing visibility.
Remote Access Has Become the Primary Attack Surface
Insecure remote access conditions exist in 65% of assessed OT environments, including misconfigurations, outdated systems, and weak segmentation. Compromised remote access services accounted for 50% of ransomware incidents, making this the single most critical area for medium-sized utilities to address.
Traditional VPNs are failing for OT environments. Experts describe VPNs as always-on solutions with all-or-nothing access to OT assets. Restricting access requires additional tools and IT skills, creating frustration for OT teams who need quick access modifications. CISA and authorities have requested high-consequence sites stop using VPNs for remote access, recognizing that VPNs provide more connectivity than needed. Jump servers have similarly collapsed under their own weight with no granular session control and reliance on shared credentials that obscure accountability.
Zero Trust Network Access (ZTNA) is emerging as the replacement technology, offering granular identity-based access, MFA, session recording, and just-in-time access. However, implementation challenges persist: ZTNA gateways centralized in the industrial DMZ may be too far from OT assets with IP address reuse and NAT boundaries creating complexity. A growing number of vendors (Cisco, Xage, Cyolo, Dispel, Netskope) offer credible solutions but whatever is selected must account for unique OT-specific requirements. Expecting operations to adapt to the limitations of products built for IT security is a non-starter for OT leaders.
The cost and performance trade-offs are more nuanced than they appear. Modern ZTNA solutions designed for OT can authenticate and verify access with latency measured in milliseconds rather than seconds, an acceptable speed for most utility applications. The real constraint isn’t technology: it’s the human capital required to implement and maintain the technology. Medium-sized utilities often lack dedicated OT security teams large enough to manage enterprise-grade ZTNA deployments. The practical middle ground: targeted ZTNA implementation at critical IT/OT boundary points addresses the highest-risk attack surface while remaining feasible for constrained teams.
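To make concrete what “granular identity-based access, MFA, session recording, and just-in-time access” means in contrast to an all-or-nothing VPN, here is an added example of the decision logic a ZTNA broker applies per request. It is illustrative code written for this page, not from the article or from any vendor it names; the grant records, user and asset names, ticket ids and timestamps are constructed sample data, and the four-hour maximum grant window is an assumed policy value.

```python
"""Just-in-time, per-asset access decisions of the kind a ZTNA broker makes.

Added example, not from the article or any vendor named in it. Grants,
users, assets, ticket ids and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str          # one OT asset, not a whole network
    protocol: str       # e.g. "ssh", "rdp", "modbus"
    start: datetime
    end: datetime
    ticket: str         # maintenance/change ticket that justified the grant


@dataclass(frozen=True)
class Request:
    user: str
    asset: str
    protocol: str
    mfa_verified: bool
    at: datetime


MAX_GRANT = timedelta(hours=4)   # assumed policy: grants longer than this are rejected


def vpn_decide(req):
    """The all-or-nothing model: once authenticated to the VPN, every OT asset
    behind it is reachable regardless of asset, protocol or time."""
    return req.mfa_verified


def ztna_decide(req, grants):
    """Return (allowed, reason). Access is allowed only for an MFA-verified user,
    for the specific asset and protocol, inside an open, bounded grant window."""
    if not req.mfa_verified:
        return False, "mfa not verified"
    matching = [g for g in grants
                if (g.user, g.asset, g.protocol) == (req.user, req.asset, req.protocol)]
    if not matching:
        return False, "no grant for this user/asset/protocol"
    for g in matching:
        if g.end - g.start > MAX_GRANT:
            return False, f"grant {g.ticket} exceeds {MAX_GRANT} window"
        if g.start <= req.at < g.end:
            return True, f"grant {g.ticket} active"
    return False, "grant exists but is not active at request time"


def session_record(req, decision):
    """Audit record written for every decision, so each session is attributable
    to a named identity and ticket rather than a shared jump-host credential."""
    allowed, reason = decision
    return {"time": req.at.isoformat(), "user": req.user, "asset": req.asset,
            "protocol": req.protocol, "allowed": allowed, "reason": reason}


T0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed sample time
SAMPLE_GRANTS = [
    Grant("jdoe", "booster-plc-01", "modbus", T0, T0 + timedelta(hours=2), "CHG-1001"),
    Grant("vendor1", "hmi-02", "rdp", T0, T0 + timedelta(days=30), "CHG-1002"),  # over-broad
]

if __name__ == "__main__":
    r = Request("jdoe", "booster-plc-01", "modbus", True, T0 + timedelta(minutes=30))
    print(session_record(r, ztna_decide(r, SAMPLE_GRANTS)))
```

The over-broad thirty-day vendor grant is rejected outright rather than honoured, which is the policy behaviour that replaces a standing VPN account; the same request evaluated by `vpn_decide` would be allowed for any asset.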
A Risk-Based Approach to Vulnerability Management
The traditional patch-everything mentality doesn’t work for OT environments. A risk-based approach that addresses the following is essential:
- Critical risks requiring immediate remediation due to active exploitation
- High-priority risks that are less urgent than critical ones but need to be addressed within a planned timeframe
- Low-risk items that can be deferred indefinitely because patching may introduce its own risks without meaningfully improving security
This risk-based approach acknowledges that many OT devices are insecure by design, with forever-day vulnerabilities where patching does nothing to improve security due to underlying design flaws. The emphasis shifts to compensating controls: network segmentation, monitoring, and access restrictions that reduce exposure regardless of patch status.
Asset inventory has become the foundational capability for implementing this approach. CISA guidance released August 2025 emphasizes defining scope and governance, developing OT taxonomy by function and criticality, and treating inventory as lifecycle management rather than one-time discovery. Effective inventories must include hardware, firmware, software, users/accounts, vulnerabilities, configuration settings, and network connectivity. Key OT visibility vendors being adopted include Dragos, Claroty, Tenable OT Security, Armis, Nozomi Networks, and Verve Industrial (now part of Rockwell Automation).
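The risk-based tiering described above and the inventory fields the CISA guidance calls for can be combined into one small, defensible triage routine. The following is an added example written for this page, not code from the article, CISA or any vendor named; the inventory record carries the function/criticality taxonomy and connectivity attributes the text mentions, the triage rules are this example’s own reading of “immediate, planned, deferred”, and all asset names, firmware strings and vulnerability ids are constructed placeholders rather than real identifiers.

```python
"""Now / Next / Never triage over an OT asset inventory.

Added example, not from the article or from CISA. Asset names, firmware
strings and vulnerability ids are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OTAsset:
    name: str
    function: str          # taxonomy by function (pumping, metering, ...)
    criticality: str       # "high" | "medium" | "low"
    firmware: str
    internet_exposed: bool
    segmented: bool        # reachable from IT only via the industrial DMZ
    monitored: bool        # covered by network security monitoring


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str
    actively_exploited: bool
    patch_available: bool
    forever_day: bool      # design flaw: a patch would not remove it


def triage(asset, vuln):
    """Return (tier, rationale) where tier is 'now', 'next' or 'never'."""
    reachable = asset.internet_exposed or not asset.segmented
    compensating = asset.segmented and asset.monitored
    # Now: something is being exploited in the wild and the asset is either
    # reachable or too important to leave alone.
    if vuln.actively_exploited and (reachable or asset.criticality == "high"):
        return "now", "active exploitation against a reachable or high-criticality asset"
    # Patching cannot help: the work item is compensating controls, not a patch.
    if vuln.forever_day or not vuln.patch_available:
        if compensating:
            return "never", "no effective patch; segmentation and monitoring already limit exposure"
        return "next", "no effective patch; schedule compensating controls (segment, monitor, restrict access)"
    # A patch exists and nothing is exploiting it yet.
    if reachable or asset.criticality == "high":
        return "next", "patch in the next planned maintenance window"
    return "never", "low exposure and criticality; patch risk outweighs the benefit"


def plan(assets, vulns):
    """Group every (asset, vulnerability) pair by tier."""
    index = {a.name: a for a in assets}
    out = {"now": [], "next": [], "never": []}
    for v in vulns:
        tier, why = triage(index[v.asset], v)
        out[tier].append((v.asset, v.vuln_id, why))
    return out


# Constructed sample inventory and findings.
SAMPLE_ASSETS = [
    OTAsset("booster-plc-01", "pumping", "high", "fw-1.0-sample", True, False, False),
    OTAsset("hmi-02", "supervisory", "high", "fw-2.3-sample", False, True, True),
    OTAsset("flow-gw-03", "metering", "medium", "fw-0.9-sample", False, False, False),
    OTAsset("vfd-04", "pumping", "low", "fw-4.1-sample", False, True, False),
]
SAMPLE_VULNS = [
    Vuln("booster-plc-01", "VULN-SAMPLE-1", True, True, False),
    Vuln("hmi-02", "VULN-SAMPLE-2", False, False, True),
    Vuln("flow-gw-03", "VULN-SAMPLE-3", False, True, False),
    Vuln("vfd-04", "VULN-SAMPLE-4", False, True, False),
    Vuln("vfd-04", "VULN-SAMPLE-5", False, False, True),
]

if __name__ == "__main__":
    for tier, items in plan(SAMPLE_ASSETS, SAMPLE_VULNS).items():
        print(tier.upper(), items)
```

Note how the same forever-day vulnerability lands in “never” on the segmented, monitored HMI but in “next” on the unmonitored drive: the tier is driven by the asset’s compensating controls, which is exactly the shift the paragraph above describes.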
Mind the Gap: Building an Effective Convergence Program
The DOE Cybersecurity Capability Maturity Model (C2M2) offers a free, sector-specific framework for utilities to assess and improve their programs. Used by U.S. energy organizations for over a decade with 2,400+ requests since 2012, Version 2.1 includes 356 practices across 10 domains. The assessment can be completed in one day and is descriptive, not prescriptive, with practices abstracted for interpretation by facilities of different sizes. Sector-specific versions exist: ES-C2M2 (Electricity), ONG-C2M2 (Oil/Gas), and Dams-C2M2.
Implementing a crawl, walk, run approach requires resisting the urge to boil the ocean. The model emphasizes that organizations should target maturity levels aligned with business objectives and risk tolerance rather than pursuing maximum maturity across all domains.
Practitioners recommend this prioritization sequence:
- Establish asset visibility for IT/OT boundary assets (you cannot secure what you cannot see)
- Implement network segmentation at the IT/OT boundary first, using the Purdue Model to create an industrial DMZ
- Address remote access by replacing VPNs with ZTNA solutions appropriate for OT requirements
- Develop OT-specific incident response plans; most organizations use IT-focused procedures that don’t address OT safety and operational continuity requirements
- Build cross-functional teams with executive sponsorship, recognizing that the cultural/political element is just as important as the technical element
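The first two steps above (boundary asset visibility, then segmentation at the IT/OT boundary using the Purdue Model) can be checked mechanically, and the two Aliquippa conditions described earlier, an internet-reachable PLC and a PLC sharing a network with security cameras, are exactly what such a check should surface. The following is an added example written for this page, not code from the article or from any vendor it names: it assumes a simple zone-to-Purdue-level mapping in which the industrial DMZ is the only sanctioned crossing point, and all zone names, asset names and firewall rules are constructed sample data.

```python
"""Audit firewall rules and asset placement against a Purdue-model zoning.

Added example, not from the article. Zone names, assets and rules are
constructed sample data; the level mapping is an assumed site layout.
"""
from dataclasses import dataclass

# Lower level = closer to the physical process. The industrial DMZ (3.5) is the
# only zone from which traffic may legitimately enter the OT levels (<= 3).
PURDUE_LEVEL = {
    "internet": 99,
    "enterprise": 4,
    "idmz": 3.5,
    "site_ops": 3,
    "supervisory": 2,
    "control": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # "plc", "hmi", "camera", "workstation", ...
    zone: str
    is_ot: bool


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str      # "allow" | "deny"


def crosses_without_dmz(rule):
    """True when an allow rule lets a higher-level zone reach an OT zone
    (level <= 3) without originating in the industrial DMZ."""
    if rule.action != "allow":
        return False
    src, dst = PURDUE_LEVEL[rule.src_zone], PURDUE_LEVEL[rule.dst_zone]
    return dst <= 3 and src > 3 and rule.src_zone != "idmz"


def audit_rules(rules):
    """Return (severity, message) findings for rules that bypass the iDMZ."""
    findings = []
    for r in rules:
        if crosses_without_dmz(r):
            sev = "critical" if r.src_zone == "internet" else "high"
            findings.append((sev, f"{r.src_zone}->{r.dst_zone}:{r.dst_port} bypasses the iDMZ"))
    return findings


def audit_shared_zones(assets):
    """Flag OT assets that share a zone with non-OT devices such as cameras,
    which gives an attacker on the non-OT device a direct path to the PLC."""
    by_zone = {}
    for a in assets:
        by_zone.setdefault(a.zone, []).append(a)
    findings = []
    for zone, members in by_zone.items():
        ot = [a.name for a in members if a.is_ot]
        non_ot = [a.name for a in members if not a.is_ot]
        if ot and non_ot:
            findings.append(("high", f"zone {zone}: OT {ot} shares a network with non-OT {non_ot}"))
    return findings


# Constructed sample data (port 502 is Modbus/TCP, named in the article).
SAMPLE_RULES = [
    Rule("internet", "control", 502, "allow"),      # internet-exposed PLC
    Rule("enterprise", "supervisory", 3389, "allow"),  # IT straight into OT
    Rule("enterprise", "idmz", 443, "allow"),       # sanctioned: IT to iDMZ
    Rule("idmz", "supervisory", 502, "allow"),      # sanctioned: iDMZ to OT
    Rule("internet", "control", 502, "deny"),
]
SAMPLE_ASSETS = [
    Asset("booster-plc-01", "plc", "control", True),
    Asset("lobby-cam-01", "camera", "control", False),   # camera on the PLC network
    Asset("hmi-02", "hmi", "supervisory", True),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES) + audit_shared_zones(SAMPLE_ASSETS):
        print(*f)
```

Run against a real export, the rule audit is the "you cannot secure what you cannot see" step applied to the boundary itself; the shared-zone audit catches the cost-saving co-location that turned a camera compromise into PLC access.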
One industry source reports a 350% increase in executive/board-level tabletop exercises. This demand surge reflects growing recognition that IT/OT convergence is more than a technical problem for the IT team: it’s an executive-level governance imperative.
Close the Gap: Three Priorities for Immediate Action
The evidence from 2023-2025 shows that treating IT and OT as separate security domains creates exploitable gaps. Attackers have demonstrated they can cross IT/OT boundaries at organizations of every size (from small municipal utilities like Aliquippa to major telecommunications providers compromised in Salt Typhoon).
For CISOs at medium-sized utilities, three priorities offer the most effective path forward.
First, understand your sector’s regulatory position. Energy and pipeline operators already face mandatory requirements with meaningful enforcement, while water and communications utilities can build capability ahead of coming mandates.
Second, address remote access first. With 65% insecure remote access rates and 50% of ransomware incidents entering through this vector, fixing remote access delivers the highest security return.
Third, adopt risk-based vulnerability management using the Now, Next, Never method, which acknowledges OT operational realities while enabling defensible prioritization.
The regulatory trajectory across sectors suggests baseline IT/OT convergence requirements will become mandatory, with energy’s NERC CIP framework providing the template. Medium-sized utilities that build convergence programs now gain dual benefits: improved security posture and readiness for compliance requirements as they arrive.
RM Cyber’s Cybersecurity Advisory Services help utilities navigate IT/OT convergence through gap assessments, roadmap development, and implementation support tailored to your operational constraints and regulatory requirements. Ready to assess your organization’s IT/OT security readiness? Contact RM Cyber to schedule a consultation.