
At our recent User Conference, we did something a little different. I was fortunate to lead a thoughtful conversation with three leading authorities on OT cybersecurity in the critical infrastructure industry.
Before diving into the nitty-gritty of the Industrial Defender platform, we brought together experts who see operational technology security through very different lenses:
The result was a candid, wide-ranging conversation about how OT security is changing and what practitioners should do about it.
James Brosnan is a managing consultant with roughly twenty years in the industry. He spent years as a field technician before finding his calling in compliance and auditing, where he ran an IT compliance team, led risk management, and served as a CIP auditor. Today, he advises operators on building mature compliance and risk management programs, bringing the practitioner's view of what actually happens when policy meets the plant floor.
Brian Scott is a strategic adviser at Imperium Global Advisors, an advocacy firm in Washington. His path to OT policy is unique: twenty-eight years in the Navy flying from aircraft carriers, followed by sixteen years in critical infrastructure, twelve at the Department of Homeland Security, and six at the White House across three administrations. He worked directly on industrial control system cybersecurity initiatives and brings a rare understanding of how cyber policy is actually written and contested.
Frank Honkus is director of intelligence at the E-ISAC, the Electricity Information Sharing and Analysis Center. His background is OT cyber threat intelligence, with earlier roles at Cyber Command and the Department of Energy's Office of Intelligence and Counterintelligence. He was watching nation-state actors probe control system environments more than a decade ago, when much of this work was still in its infancy, and he now leads the intelligence function for the electricity sector's primary information-sharing body.
We opened with a deliberately broad question:
What is the single biggest change in OT security over the last twelve to twenty-four months?
The panel converged quickly.
The center of gravity has moved away from checklist compliance and toward risk management. Brosnan described it as a choose-your-own-adventure shift, where the question is no longer "did you complete these prescribed steps" but rather "tell us what matters to you and how you intend to protect it."
That is a fundamentally different posture, one that is risk-informed, performance-based, and outcome-focused rather than rooted in static checkpoints.
From the intelligence side, Honkus pointed to a parallel shift in the messaging from the Five Eyes partners.
The guidance increasingly emphasizes the need to fight through an attack and isolate critical control system environments internally, rather than relying on building ever-stronger external walls. The strategic advice itself now assumes that defenders must maintain function and resilience even when the perimeter has been breached, which places a profound reorientation of what good defense looks like.
Scott reinforced that this risk orientation is also showing up in policy. The current administration is looking to reduce regulatory burden and redirect attention from compliance mandates toward the actual work of security. The hard part, he noted, is balancing partnership with a private sector that understands its own infrastructure risks against the need to raise everyone to a baseline that addresses systemic risk at scale.
A recurring topic, and one near to our evangelizing, was the insistence that operational technology is not simply IT pushed down to the plant floor.
Scott described real fights while drafting national policy, where colleagues argued that OT was adequately covered under IT. His firm response was that the distinct attributes and functions of operational technology demand a separate, nuanced treatment.
Brosnan echoed this from the field, observing that the encouraging trend is OT teams beginning to acquire their own dedicated cybersecurity personnel and tools, because a high-level IT policy simply does not map cleanly onto an operational environment.
One panelist offered a useful framing borrowed from prior experience at a large manufacturer: rather than IT versus OT, they used the terms business technology and operational technology.
The change in language helped non-technical stakeholders at the director level finally grasp the distinction, instead of assuming that IT controls could be applied wholesale downward, they needed to be looked at as processes. A small vocabulary shift, but several in the room recognized the underlying problem immediately.
The conversation turned to CIP-015, a topic generating real energy among practitioners. Brosnan framed it as a continuation of the risk management trend already visible in supply chain standards.
The mindset change it demands centers on a word everyone in OT loves and dreads in equal measure: baseline.
Under earlier standards, a baseline meant a small, well-defined set of elements with little room for interpretation. Under CIP-015, the term reappears in the context of network monitoring, where it becomes far more open-ended, with limited definitions.
What a network baseline looks like is highly specific to each entity, and the burden falls on the organization to determine its own risk elements and document them, a more mature undertaking than ticking predetermined boxes.
Several OT operators from the power generation community in the audience were generous enough to share where they stand.
One had deployed passive monitoring across several generation plants and an energy management system and was tuning rules, while also training a corporate security operations center to understand OT environments, findings, and escalation paths.
The ownership model, they noted, is genuinely shared between IT and OT.
Importantly, this operator described feeding Industrial Defender's deep asset data into the SOC alongside passive tooling, arguing that the key baseline configuration information is something we do far better than network-centric tools alone, and that the right answer is a partnership between the two rather than one or the other.
Another operator, running both a passive detection tool and Industrial Defender in tandem, captured the core tension precisely. Passive monitoring does an excellent job of baselining network traffic and showing what is talking to what.
The harder question is whether a given device should be communicating with another, and why?
They described using Industrial Defender to back-fill that picture: when a packet travels to a relay, they want the make, model, configuration, ports, and firmware of the device on the other end, and our platform is where that detail comes from.
There is an abundance of network data; the difficulty is narrowing it to what genuinely matters for a standard like CIP-015, especially while the definition of internal network security monitoring is still settling.
Industrial Defender integrates and enhances well with the major passive detection platforms, and the combination of network visibility and deep device-level asset data is exactly the pairing these operators are gravitating toward.
Honkus offered a sobering tour of the current threat environment.
Through the E-ISAC's information-sharing programs, the organization was reporting Chinese-attributable nation-state activity well before it was publicly named, with reports circulating months ahead of the broader disclosure.
The techniques in question, living off the land and exploiting IP space in the geographic vicinity of a target, are precisely the kind of quiet, blended activity that evades traditional detection.
He flagged the particular exposure of members who also operate their own broadband networks.
A utility that is simultaneously the internet service provider, the electric power provider, and sometimes the water provider for its area is an especially attractive target, because compromising the telecommunications layer can give an adversary leverage over energy and water as well.
In response, the E-ISAC was tasked with developing a preparedness guide for a Taiwan Strait scenario, complete with an escalation ladder members can use to calibrate their posture before and during such an event.
Two more shifts rounded out the picture.
The first is the explosion of edge device exploitation, spanning firewalls, VPNs, servers, and routers regardless of vendor, which the E-ISAC's free scanning program helps members track as new vulnerabilities emerge.
The second, and perhaps most unsettling, is insider risk. As organizations have stood up more serious insider threat programs in response to fraudulent remote IT worker schemes, what they are discovering is genuinely disturbing.
The uncomfortable reality, as Honkus put it, is that you may not know whether the person you are sharing information with is acting, knowingly or not, on behalf of a foreign adversary.
Scott walked through the state of regulatory harmonization, a goal that has appeared in the national cyber strategy across multiple administrations.
The work began with a set of principles:
Harmonization, he stressed, is ultimately about reciprocity, the idea that satisfying the requirements of one regulation should count toward satisfying another.
Getting there has proven difficult.
A forum of more than thirty independent and executive-branch regulators reached real agreement on common elements drawn from frameworks like the NIST Cybersecurity Framework and the CIS controls.
The agreement held in concept right up until the point of actual reciprocity, where it stalled. The forum was, in his words, a coalition of the willing, with no authority to compel participation, and a legislative mandate may ultimately be required to force the synchronization.
Crucially, Scott argued that policy people cannot do this alone. They need engineers, industry, and operators to help build it, because the people running these systems understand realities that policy professionals do not.
This is precisely why we are working with Imperium Global Advisors to create a channel for our user community to get direct feedback to the right people on the Hill.
With dozens of organizations represented and triple-digit numbers using Industrial Defender, there is a real opportunity to give operators face time with legislators on CIP-015, harmonization, and the policies that shape critical infrastructure.
Honkus described the E-ISAC's new OT mitigation and recommendation pilot, a two-year effort to conduct on-site assessments of specific high-value facilities, from substations to generation sites, across municipal utilities, cooperatives, registered entities, and Canadian sites.
What distinguishes the program is its adversary’s perspective. Rather than simply validating a baseline, it begins from the assumption that an attacker may already be present and asks what steps would raise the cost to that adversary, drawing on the site's logical and physical layout to generate recommendations.
The discussion also surfaced the strain created by reduced federal funding.
With gaps emerging in the capacity of agencies that utilities have historically leaned on, the E-ISAC is being called upon to do more, and there is growing recognition that the private sector must step up and lead rather than wait for government leadership.
The electricity sector, several panelists noted, is comparatively well organized, with security taken seriously even at the smallest cooperatives, which positions it to help guide cross-sector efforts.
The final topic was AI.
On the constructive side, Brosnan highlighted AI's promise for identifying gaps in compliance documentation and frameworks, with appropriate safeguards.
Scott and Honkus both pointed to the dramatic acceleration in vulnerability discovery, where work that once took an engineer weeks can now happen in hours, while cautioning that the same capability is available to adversaries who face fewer restrictions.
Honkus described feeding OT data to a language model to test anomaly detection, and even noted AI's emerging role in physical design efficiency for power generation equipment.
Operators in the audience were cautious.
One recounted a recent incident in which an attacker used agentic AI to conduct reconnaissance and ultimately compromise a water utility through a single weak authentication point, prompting them to pause their own automation plans.
Another described a deliberate partnership-only approach, running human-in-the-loop pilots focused on control loop optimization and alarm management rather than attempting anything alone. The shared sentiment was clear: AI is powerful, the threat and the defense are two sides of one coin, and the wise path forward is measured, collaborative, and grounded in the operational realities that define this industry.
If there is a single thread running through each of these conversations, it is that OT security has become a discipline of judgment rather than only compliance. The checklist is giving way to harder questions of what actually matters here, what an adversary already inside the fence would reach for, and how an operator keeps generating power if the perimeter has failed.
None of those questions ship with a single prescribed answer, and none can be answered impactfully by policy, intelligence, or operators working in isolation.
The path forward runs through partnerships between IT and OT, between passive network visibility and deep asset intelligence, between the people writing the standards and the people living with them every day.
That is the work ahead, and it is work Industrial Defender intends to keep doing alongside this community, on the plant floor, at the threat desk, and on the Hill.