Interview: practitioners on critical infrastructure cybersecurity — what they wish they knew earlier
A practitioner conversation: what surprised them, what failed, and what they'd do differently. Focus on attack paths, detection/response, and how to harden real-world systems.
In 2024 alone, North American critical infrastructure operators reported a 67% increase in sophisticated cyberattacks targeting operational technology (OT) systems, with the average cost of a successful breach reaching $4.7 million according to IBM's Cost of a Data Breach Report. These aren't abstract statistics—they represent water treatment facilities compromised, power grids destabilized, and transportation networks disrupted. We sat down with five practitioners who have spent decades on the front lines of critical infrastructure defense to understand what they wish they had known earlier about attack paths, detection and response capabilities, and the practical realities of hardening systems that were never designed to face today's threat landscape.
"The Colonial Pipeline attack in 2021 was a wake-up call, but what people don't realize is that we've been fighting this battle in obscurity for years," explains one senior OT security architect at a major U.S. utility company. "The attacks are getting more sophisticated, the adversaries are better funded, and the gap between IT security maturity and OT security maturity remains dangerously wide."
Why It Matters
Critical infrastructure cybersecurity sits at the intersection of national security, public safety, and sustainable operations. In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) documented over 2,300 incidents affecting critical infrastructure sectors across North America, representing a 41% year-over-year increase. The energy sector alone experienced 847 confirmed intrusion attempts, with 23% resulting in some degree of operational disruption.
The stakes extend far beyond financial losses. When a water treatment facility in Oldsmar, Florida was compromised in 2021, attackers attempted to raise sodium hydroxide levels to dangerous concentrations—a scenario that could have poisoned thousands of residents. More recently, in January 2025, a coordinated attack on three natural gas pipeline operators in the Gulf Coast region resulted in a 72-hour supply disruption affecting industrial operations across Texas and Louisiana.
For sustainability practitioners, the connection is direct: renewable energy infrastructure, smart grid systems, and electric vehicle charging networks all represent expanded attack surfaces. The U.S. Department of Energy estimates that by 2030, smart grid technologies will manage over 80% of electricity distribution—creating unprecedented efficiency gains but also unprecedented vulnerability. "Every connected sensor, every automated control system, every remote access point is a potential entry vector," notes a former CISA advisor. "Sustainable infrastructure must be secure infrastructure, or it becomes a liability rather than an asset."
The North American context presents unique challenges. The interconnected nature of the U.S.-Canada electrical grid, spanning over 360,000 miles of transmission lines managed by hundreds of utilities, creates cascading risk scenarios that practitioners describe as their "nightmare fuel." A single successful intrusion at a strategically positioned node can propagate effects across state and international boundaries within minutes.
Key Concepts
Critical Infrastructure: The 16 sectors designated by the U.S. Department of Homeland Security as essential to national security, economic stability, and public health. These include energy, water systems, transportation, communications, healthcare, and financial services. In practice, practitioners emphasize that these sectors are deeply interdependent—a power grid failure cascades to water pumping stations, hospitals, and communication networks within hours.
Transition Plan: A documented strategy for migrating legacy OT systems to more secure architectures while maintaining operational continuity. Practitioners universally cite transition planning as their greatest challenge, with one industrial control systems (ICS) specialist noting: "You can't just patch a 20-year-old SCADA system the way you update Windows. Every change requires extensive testing, often in environments that can't afford downtime."
Additionality: In the cybersecurity context, additionality refers to security investments that provide measurable protection beyond baseline compliance requirements. Practitioners emphasize that regulatory compliance—meeting NERC CIP standards or NIST frameworks—represents a floor, not a ceiling. "Additionality is what separates organizations that survive sophisticated attacks from those that don't," explains a chief information security officer (CISO) at a regional power cooperative.
OT Security: The protection of operational technology systems that monitor and control physical processes. Unlike IT systems, OT environments prioritize availability and safety over confidentiality, creating fundamentally different security paradigms. Equipment lifecycles of 20-40 years, proprietary protocols, and real-time operational requirements demand specialized approaches that IT security teams often struggle to adapt.
Incident Response: The structured methodology for detecting, containing, eradicating, and recovering from cybersecurity events. In critical infrastructure contexts, incident response must balance cybersecurity imperatives with operational safety, sometimes requiring a decision to keep a potentially compromised system running rather than risk an abrupt shutdown that could cause physical harm.
CAPEX (Capital Expenditure): Large-scale investments in security infrastructure, including network segmentation hardware, monitoring platforms, and system replacements. Practitioners consistently identify CAPEX justification as a major barrier, with one noting: "I can show the board a $15 million investment proposal, but until they've lived through an incident, the risk feels theoretical."
What's Working and What Isn't
What's Working
Network Segmentation and Zero Trust Architecture: Organizations that have invested in proper network segmentation between IT and OT environments report significantly better incident containment. A major Canadian pipeline operator implemented micro-segmentation across their SCADA networks in 2023 and subsequently contained a ransomware intrusion within 47 minutes—limiting impact to a single control room rather than their entire 2,400-mile system. "Zero trust isn't just a buzzword anymore," the operator's security director explains. "It's the difference between losing one segment and losing everything."
Threat Intelligence Sharing Through ISACs: The Information Sharing and Analysis Centers (ISACs) for energy, water, and other sectors have matured significantly. The Electricity ISAC (E-ISAC) now processes over 50,000 threat indicators monthly, providing member utilities with actionable intelligence about emerging attack vectors. Practitioners credit ISAC participation with enabling proactive defense. "We blocked a sophisticated phishing campaign targeting our engineering team 48 hours before it launched, purely based on E-ISAC intelligence," reports an OT security manager at a Midwest utility.
Operational Technology Detection and Response (OT-DR) Platforms: Purpose-built monitoring solutions from vendors like Dragos, Claroty, and Nozomi Networks have given practitioners visibility into OT networks that was previously impossible. One water utility CISO describes deploying OT-DR as "turning on the lights in a room we'd been fumbling through for decades." These platforms now detect anomalous behavior patterns specific to industrial protocols—identifying reconnaissance activities that traditional security tools miss entirely.
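To make concrete what "protocol-aware" detection means in the paragraph above, here is an added example (not code from the page or from any of the vendors it names). It decodes Modbus/TCP request frames and raises an alert when a write function code arrives from a host that is not the allowlisted engineering workstation, the kind of reconnaissance-or-tampering signal a generic IDS has no notion of. All hosts, unit ids and frames are constructed for the example; the assumed policy is that only one engineering workstation may write to PLCs.

```python
"""Protocol-aware detection of unexpected Modbus/TCP write commands.

Added illustration, not code from the page or from any vendor named in it.
It assumes a plain Modbus/TCP deployment in which only a known engineering
workstation is allowed to issue write function codes to the PLCs; every
host address, unit id and frame below is constructed for the example.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (writes).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumed policy (constructed address): only the engineering workstation writes.
WRITE_ALLOWED_SOURCES = {"10.20.1.10"}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: int  # first coil/register addressed (0-based)


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and the leading bytes of the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    PDU = function code (1) followed by function-specific data; for the
    read/write functions handled here the data begins with a 16-bit address.
    Data beyond the address is not decoded.
    """
    if len(payload) < 10:
        raise ValueError("frame too short for MBAP header + function code + address")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    address = struct.unpack(">H", payload[8:10])[0]
    return ModbusRequest(src, dst, tid, unit, fc, address)


def detect_unexpected_writes(frames):
    """Return one alert dict per write issued by a host outside the allowlist."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req.function_code in WRITE_FUNCTION_CODES and req.src not in WRITE_ALLOWED_SOURCES:
            alerts.append({
                "src": req.src,
                "dst": req.dst,
                "unit_id": req.unit_id,
                "function": WRITE_FUNCTION_CODES[req.function_code],
                "address": req.address,
            })
    return alerts


def build_frame(tid: int, unit: int, fc: int, address: int, value: int) -> bytes:
    """Build a minimal request frame (constructed test traffic, not a capture)."""
    pdu = struct.pack(">BHH", fc, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: an HMI polling registers (normal), the
# engineering workstation writing a setpoint (allowed), and a host from the
# IT address range writing a coil (should alert).
SAMPLE_FRAMES = [
    ("10.20.1.20", "10.20.5.3", build_frame(1, 1, 3, 0, 10)),      # HMI: read holding registers
    ("10.20.1.10", "10.20.5.3", build_frame(2, 1, 6, 40, 750)),    # eng. workstation: write register
    ("10.1.7.55", "10.20.5.3", build_frame(3, 1, 5, 12, 0xFF00)),  # IT host: write single coil
]

if __name__ == "__main__":
    for alert in detect_unexpected_writes(SAMPLE_FRAMES):
        print("ALERT", alert)
```

The design choice worth noting is that the allowlist is keyed on who may *write*, not on who may talk Modbus at all: HMIs legitimately poll registers all day, so alerting on every Modbus session would bury the one event that matters.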
What Isn't Working
Regulatory Fragmentation: Practitioners consistently cite the patchwork of compliance requirements across sectors and jurisdictions as a major impediment. A single utility may face NERC CIP requirements for bulk power systems, TSA security directives for pipeline operations, and state-level mandates for customer data protection. "We spend more time on compliance documentation than actual security improvement," laments one compliance officer. "And the frameworks don't talk to each other."
Vendor Ecosystem Vulnerabilities: The supply chain remains a critical weak point. Industrial control system vendors often require remote access for maintenance, creating persistent entry points. The SolarWinds and MOVEit compromises demonstrated how software supply chain attacks can bypass perimeter defenses entirely. Practitioners describe feeling trapped between vendors who resist security requirements and operational dependencies that make replacement infeasible. "We've identified 47 vendors with standing remote access to our control systems," admits one operations manager. "Securing every one of them is essentially impossible."
Workforce Gaps: The shortage of personnel with combined OT domain expertise and cybersecurity skills remains acute. A 2024 SANS Institute survey found that 68% of critical infrastructure organizations have unfilled OT security positions, with average time-to-hire exceeding 9 months. "We're competing with tech companies for talent, and we can't match their salaries," explains a human resources director at a regional utility. "The people who understand both industrial processes and adversary techniques are unicorns."
Key Players
Established Leaders
Dragos, Inc.: Founded by former NSA and ICS-CERT specialists, Dragos provides the OT threat intelligence and detection platform used by over 500 critical infrastructure operators across North America. Their threat intelligence team tracks activity groups specifically targeting industrial environments.
Claroty: Specializing in cyber-physical systems security, Claroty offers comprehensive asset discovery and threat detection for industrial, healthcare, and commercial environments. Their platform provides visibility into proprietary industrial protocols that generic security tools cannot parse.
Fortinet: Their industrial security solutions integrate IT and OT security under unified management, addressing the convergence challenge that practitioners identify as critical. Their OT-aware firewalls and segmentation capabilities are widely deployed in energy and manufacturing sectors.
Honeywell Forge Cybersecurity: Leveraging decades of industrial automation expertise, Honeywell provides managed security services specifically designed for OT environments. Their approach emphasizes operational continuity alongside security enhancement.
Siemens Industrial Cybersecurity: As a major OT vendor, Siemens has invested heavily in securing their own product lines and offering cybersecurity consulting services. Their defense-in-depth architecture has become a reference model for industrial security design.
Emerging Startups
Xage Security: Pioneering zero trust approaches specifically engineered for industrial environments, Xage provides identity and access management for OT systems that legacy solutions cannot support. Their blockchain-based architecture eliminates single points of failure.
Phosphorus Cybersecurity: Focused on IoT and OT device security, Phosphorus automates the discovery, assessment, and remediation of vulnerabilities in connected devices—addressing the shadow IT problem that plagues industrial environments.
Shift5: Targeting transportation and defense sectors, Shift5 provides observability and cybersecurity for data buses in aircraft, rail, and military systems—addressing a gap that traditional OT security vendors don't cover.
Network Perception: Their platform provides automated verification that network segmentation and firewall configurations match intended security policies—catching configuration drift that creates vulnerabilities over time.
SynSaber: Offering OT network monitoring designed for bandwidth-constrained industrial environments, SynSaber enables visibility in remote and distributed infrastructure where traditional solutions struggle.
Key Investors & Funders
U.S. Department of Energy (DOE): Through the Cybersecurity, Energy Security, and Emergency Response (CESER) office, DOE has allocated over $250 million annually for critical infrastructure security research and deployment support.
Energy Impact Partners (EIP): This utility-backed venture fund has invested over $150 million in grid cybersecurity startups, providing both capital and pilot opportunities with member utilities.
Andreessen Horowitz (a16z): Their American Dynamism practice has made significant investments in critical infrastructure security, including Shift5 and other defense-focused cybersecurity companies.
National Science Foundation (NSF): Through the Secure and Trustworthy Cyberspace program, NSF funds fundamental research on OT security challenges, with grants exceeding $80 million annually.
In-Q-Tel: The CIA-backed venture firm has invested in multiple OT security startups, accelerating technology development for government and critical infrastructure applications.
Examples
Duke Energy's OT Security Transformation: Between 2022 and 2024, Duke Energy invested $127 million in modernizing OT security across a service territory of 7.9 million customers. The program included network segmentation of 340 substations, deployment of OT-specific threat detection, and establishment of a dedicated OT Security Operations Center (SOC). Results: Mean time to detect anomalies decreased from 72 hours to 23 minutes, and the utility successfully contained three intrusion attempts that would have previously gone undetected for weeks.
New York City Water Supply Protection Program: Following a 2023 security assessment that identified critical vulnerabilities in SCADA systems managing the city's 6.8 billion gallon daily water supply, NYC invested $89 million in comprehensive OT security upgrades. The program implemented multi-factor authentication for all remote access, deployed continuous monitoring across 19 treatment facilities, and established air-gapped backup control capabilities. The utility now conducts quarterly red team exercises, identifying and remediating an average of 14 vulnerabilities per assessment.
Enbridge Pipeline Cybersecurity Enhancement: Canada's largest pipeline operator completed a three-year security modernization program in 2024, investing CAD $215 million across their 17,127-mile liquids pipeline network. The program included deployment of OT-specific intrusion detection across all compressor stations, implementation of zero trust network architecture, and establishment of a 24/7 OT SOC staffed by 35 dedicated analysts. Following implementation, Enbridge reduced their mean time to respond from 4 hours to 18 minutes and achieved 100% visibility into all connected OT assets.
Action Checklist
- Conduct comprehensive OT asset inventory, identifying all connected devices, their firmware versions, and network connectivity
- Implement network segmentation between IT and OT environments with properly configured firewall rules and data diodes where appropriate
- Deploy OT-specific threat detection and monitoring platforms that understand industrial protocols
- Establish or join the relevant Information Sharing and Analysis Center (ISAC) for your sector
- Develop and regularly test OT-specific incident response playbooks that address operational safety requirements
- Assess and document all vendor remote access connections, implementing session recording and just-in-time access controls
- Create transition plans for legacy systems with known vulnerabilities, prioritizing by criticality and exposure
- Conduct tabletop exercises with both cybersecurity and operations teams at least quarterly
- Establish relationships with CISA, FBI, and sector-specific agencies before incidents occur
- Allocate dedicated CAPEX budget for OT security improvements separate from IT security spending
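Two of the checklist items above, verifying IT/OT segmentation rules against the intended policy and keeping vendor remote access time-bounded rather than standing, can be checked by the same script. The following is an added example, not the page's code and not any product named on the page (Network Perception sells a commercial version of this idea). It assumes a three-zone model (IT, DMZ, OT), a firewall ruleset exported as dictionaries, and a policy that only the DMZ may reach OT; every address range, rule and vendor name is constructed.

```python
"""Audit a firewall ruleset against an intended IT/OT segmentation policy.

Added example; not code from the page or from any vendor it mentions.
Zones, permitted flows, rules and vendor names are constructed.
"""
import ipaddress
from datetime import date

# Constructed zone map (Purdue levels collapsed into three zones).
ZONES = {
    "IT": [ipaddress.ip_network("10.1.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.10.0.0/24")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
}

# Intended policy: zone pairs that may carry traffic, and on which TCP ports.
# IT may only reach the DMZ (historian / jump host); only the DMZ may reach OT.
ALLOWED_FLOWS = {
    ("IT", "DMZ"): {443, 3389},
    ("DMZ", "OT"): {502, 44818},  # Modbus/TCP, EtherNet/IP
    ("OT", "DMZ"): {443},
}


def zone_of(cidr: str) -> str:
    """Map a rule's address range to a zone; 'ANY' for 0.0.0.0/0, 'UNKNOWN' otherwise."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "ANY"
    for name, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return name
    return "UNKNOWN"  # e.g. an internet address


def check_rules(rules, today: date):
    """Return (rule_id, message) findings for every allow rule that drifts from policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot open a path
        rid = rule["id"]
        flow = (zone_of(rule["src"]), zone_of(rule["dst"]))
        allowed_ports = ALLOWED_FLOWS.get(flow)
        if allowed_ports is None:
            findings.append((rid, f"flow {flow[0]}->{flow[1]} is not in the segmentation policy"))
        else:
            extra = set(rule["ports"]) - allowed_ports
            if extra:
                findings.append((rid, f"ports {sorted(extra)} not permitted for {flow[0]}->{flow[1]}"))
        # Vendor remote access must be just-in-time: an expiry is mandatory and must be in the future.
        if "vendor" in rule:
            expires = rule.get("expires")
            if expires is None:
                findings.append((rid, f"standing vendor access for {rule['vendor']} has no expiry"))
            elif date.fromisoformat(expires) < today:
                findings.append((rid, f"vendor access for {rule['vendor']} expired on {expires}"))
    return findings


# Constructed ruleset: two compliant rules, then several kinds of drift.
SAMPLE_RULES = [
    {"id": "R1", "action": "allow", "src": "10.1.0.0/16", "dst": "10.10.0.0/24", "ports": [443]},
    {"id": "R2", "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/16", "ports": [502]},
    {"id": "R3", "action": "allow", "src": "10.1.5.0/24", "dst": "10.20.0.0/16", "ports": [502]},   # IT straight into OT
    {"id": "R4", "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "ports": [22]},      # any-source rule
    {"id": "R5", "action": "allow", "src": "10.10.0.0/24", "dst": "10.20.0.0/16", "ports": [22]},   # SSH into OT
    {"id": "R6", "action": "allow", "src": "10.10.0.5/32", "dst": "10.20.5.3/32", "ports": [44818],
     "vendor": "PumpCo (constructed)", "expires": "2024-12-31"},                                    # expired
    {"id": "R7", "action": "allow", "src": "10.10.0.6/32", "dst": "10.20.5.4/32", "ports": [502],
     "vendor": "ValveCo (constructed)"},                                                            # no expiry
    {"id": "R8", "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/16", "ports": [0]},
]

if __name__ == "__main__":
    for rid, msg in check_rules(SAMPLE_RULES, date(2025, 3, 1)):
        print(f"{rid}: {msg}")
```

Run against a real export, the useful output is the diff over time: a rule that was absent last quarter and is present now is exactly the configuration drift the checklist warns about, and the vendor-expiry check turns the "47 vendors with standing remote access" problem quoted earlier into a list of rules with a date on each.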
FAQ
Q: How do we convince leadership to invest in OT security when we haven't experienced a breach? A: Practitioners recommend quantifying risk in operational terms that resonate with executive priorities. Calculate the hourly cost of unplanned downtime, estimate recovery timelines from comparable incidents in your sector, and present insurance premium implications. Several CISOs report success with facilitated tabletop exercises that give executives firsthand experience of decision-making during incidents. "Once our CEO had to decide whether to shut down a simulated refinery or risk explosion, the budget conversation became much easier," one practitioner notes.
Q: What's the right approach when legacy OT systems cannot be patched or replaced? A: Compensating controls become essential. Network segmentation limits exposure, continuous monitoring detects anomalous behavior, and application whitelisting prevents unauthorized code execution. Several practitioners implement "virtual patching" through properly configured intrusion prevention systems. The key is documenting the risk, implementing multiple layers of mitigation, and maintaining upgrade paths for eventual replacement. One utility maintains a prioritized backlog of legacy system replacements, addressing the highest-risk systems first while applying compensating controls to others.
Q: How do we address the IT/OT culture clash that impedes security improvements? A: Successful organizations invest in cross-training and establish joint governance structures. Several practitioners describe embedding IT security staff in operational facilities for extended periods to build understanding. Others create integrated teams with shared metrics and accountability. "We stopped talking about 'our' systems versus 'their' systems and started talking about 'our' infrastructure," explains one CISO. Regular joint exercises and shared incident response responsibility accelerate cultural integration.
Q: What should we prioritize if we have limited budget and resources? A: Practitioners consistently recommend starting with visibility—you cannot protect what you cannot see. Basic network monitoring and asset discovery should precede more sophisticated controls. Next, focus on network segmentation to limit blast radius. Remote access controls typically offer high impact relative to cost. Finally, establish relationships with sector ISACs to leverage shared threat intelligence rather than building capabilities independently.
Q: How do we balance security requirements with operational availability demands? A: This tension is fundamental to OT security. Practitioners recommend developing security architectures that fail safe—meaning security control failures should not interrupt operations. Testing security changes extensively in lab environments before production deployment is essential. Several organizations maintain operations-led security governance that ensures operational concerns are heard but balanced against risk. "Security can never override safety, but security failures are increasingly becoming safety failures," one practitioner observes.
Sources
- IBM Security. "Cost of a Data Breach Report 2024." IBM Corporation, 2024.
- Cybersecurity and Infrastructure Security Agency. "Annual Threat Assessment: Critical Infrastructure Sectors." CISA, January 2025.
- SANS Institute. "2024 OT/ICS Cybersecurity Survey: State of the Industry." SANS Institute, 2024.
- U.S. Department of Energy. "Smart Grid Cybersecurity Strategy and Requirements." DOE CESER, 2024.
- Dragos, Inc. "Year in Review: OT Cybersecurity 2024." Dragos Intelligence, February 2025.
- North American Electric Reliability Corporation. "Grid Security Emergency Orders and Lessons Learned 2024." NERC, December 2024.
- Government Accountability Office. "Critical Infrastructure Protection: Actions Needed to Address Cybersecurity Workforce Challenges." GAO-24-106296, 2024.