Cybersecurity policy is in flux—regulations are shifting, agencies are being restructured, and expectations are increasingly fragmented across federal, state, and industry lines. To shed light on what these changes mean for OT security in critical infrastructure, Industrial Defender hosted a panel discussion with experts who have spent decades shaping and navigating cybersecurity policy. Their insights offer a practical look at what’s happening now (as of June 2025) and what to prepare for.
Moderated by Industrial Defender CEO Jay Williams, the panel brought together a powerhouse of perspective:
Collectively, they offered a well-rounded view of how cybersecurity policy is being shaped and where it is heading, with a focus on the changes that could affect utilities, oil and gas operators, and other critical infrastructure owners.
One major theme from the panel was the growing expectation that states and private operators will bear more responsibility for cybersecurity in the absence of strong federal direction. Some federal regulatory structures and information-sharing platforms are changing or going away, including the recent closure of the Emergency Response ISAC, with no clear plan to replace them. For now, the expectation appears to be that states and/or the private sector will pick up more of the responsibility for running such platforms.
Pushing responsibilities down to the states raises alignment concerns, however. Coordinating across six NERC regions is already complex; navigating regulations that vary state by state (and then by region within a state) would be far harder. Panelists noted that states like Texas, New York, and California may never align on approach, and that the resulting patchwork could create confusion across regulatory, quasi-regulatory, and market constructs.
With federal pullback, some cybersecurity expectations are falling not only to the states but to private parties such as insurers and business partners (e.g., cybersecurity providers). Despite uncertainty about whom you will have to demonstrate cybersecurity adherence to, the guidance is to stay focused on operating to a security standard or framework (pick one), because at some point you are going to be asked to show what you have been doing, whether by customers, governing boards, shareholders, and/or regulators.
At the federal level, the panel described a moment of significant uncertainty and organizational flux. Many senior leadership positions at agencies such as DOE and DHS were, at the time of writing, still awaiting Senate confirmation, making it difficult for stakeholders to engage meaningfully. Feedback channels remain in limbo, and decisions are being delayed or pushed down the stack. This happens during the first months of every new administration, especially after a change of party, but the significant layoffs of federal career staff under this administration have made the handoff more dependent on political appointees who, in many cases, are still awaiting confirmation.
There is also speculation about restructuring. DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), for example, may be folded into another part of the department despite having been created during the first Trump administration. Budget cuts are putting pressure on cybersecurity programs and personnel across the federal layer.
While the FERC and NERC structure for reliability, cybersecurity, and physical security under Section 215 of the Federal Power Act is expected to remain, the relationship between FERC and NERC is evolving. Panelists observed that FERC may increasingly seek to direct NERC’s actions more assertively, despite a general trend away from regulation at the federal level under this administration. The concern is that FERC’s policy direction may not always reflect the on-the-ground realities that NERC and industry experts understand well. The change in FERC chairmanship is also something to watch.
Panelists also highlighted a broader shift in the electric sector’s structure—from centralized bulk power to decentralized, edge-of-grid systems. As more activity and risk migrate to the edge, the regulatory divide between distribution and transmission may be reviewed.
Recent budget proposals from CISA include notable cuts to programs that support regional collaboration—like the Integrated Operations Division. These proposals are early-stage and not yet final, but they suggest diminished federal support at a time when state and local operators are being asked to do more.
In parallel, cybersecurity policy leadership is becoming more centralized in the White House, particularly through the Office of the National Cyber Director (ONCD) and National Security Council (NSC). Rather than focusing only on perimeter defense, ONCD is expected to emphasize cyber resilience engineering: how quickly a system can mitigate, recover, and prevent cascading failure, especially when compromise is assumed.
The Infrastructure Investment and Jobs Act of 2021 also provided cybersecurity grant funding, but only about 60% of the four-year allocation has been used. Many local governments have been hesitant to accept these grants, unsure they can sustain the programs once the grant money ends. The funds remain underutilized, but still available for now, for those with actionable projects and a clear plan for future support.
The panel emphasized that many policymakers genuinely want to understand the complexity of OT security, but often lack the background. This isn’t a matter of apathy, it’s a matter of education and communication.
OT professionals must develop the ability to communicate risk in ways that resonate with non-technical audiences—whether that’s a government staffer, board member, customer group, or regulator. Business impact, audit readiness, and operational continuity often speak louder than CVE charts.
Most workforce development and certification programs remain heavily IT-focused. This leaves a representation gap in policymaking and education that OT professionals must help fill.
Insider language and acronyms serve internal teams well—but they’re a barrier to engaging others. Panelists encouraged OT professionals to stop “talking only to the club” and instead translate needs for executives, regulators, and allies in other sectors.
Every organization should have someone who can bridge the technical and policy worlds. Whether that’s a user group lead, government affairs partner, or trade association, these voices can shape outcomes—if they’re supported with clear, field-informed input. The key isn’t knowing every agency—it’s knowing your champions. Who can advocate on your behalf? What message can they carry forward?
Getting Involved: Practical Steps
It was suggested on the panel that “you can’t complain about the rules if you didn’t help shape them.”
The panel’s closing message was simple and pragmatic: we can’t just wait for perfect guidance. Build your program based on what’s credible, defensible, and actionable today.
Pick a standard and just operate to it—because at some point, you're going to need to show that you did something. Maybe it’s a regulator. Maybe it’s your insurer, a state official, a business partner, or even your creditor. Somewhere, somehow, you're going to have to prove that you did the right thing.
Whether it’s NERC CIP, NIST CSF, or ISA/IEC 62443, the standard matters less than the ability to show progress, effort, and alignment.
The convergence of threats across critical infrastructure sectors means lessons learned in one domain increasingly apply to others. From energy to water to healthcare, risk management strategies such as SBOMs, Zero Trust, and supply chain assurance get stronger when lessons learned and best practices are shared across sectors, which accelerates progress, prevents repeated mistakes, and improves preparedness.
Across federal policy and operational guidance, there’s a clear shift toward resilience: assuming compromise and investing in rapid detection, response, and recovery. That’s reflected in emerging frameworks like Cyber-Informed Engineering (CIE) and reinforced by Zero Trust architecture efforts.
Resilience thinking is especially important as risk shifts to the edge. The rise of AI workloads, distributed energy, and data center demand means more risk is introduced at the distribution level—often by non-traditional actors like hyperscalers.
Supply chain security is under increasing scrutiny. There are calls to change supply chain requirements, such as CIP-013. But asset owners will be expected to show due diligence—not just vendor checklists, but resilient design.
For now, it looks like more liability will be pushed onto operators. There are efforts to rebalance that responsibility, but in the meantime it means owning your risk posture, documenting decisions, and investing in systems that can withstand compromise, not just avoid it.
Finally, the idea of IT/OT convergence was reframed: increasingly, it’s not “IT and OT”—it’s just technology.
From Windows-based engineering workstations to Raspberry Pi devices in the field, OT environments are more software-driven and interconnected than ever before. That means the traditional boundaries are dissolving, and defenders must expand their mental model of what qualifies as OT—and how to secure it.
Whether it’s an Active Directory server running HMI software or a firmware-compromised firewall, the job now is to understand how all this technology connects, communicates, and impacts operations. With that complexity comes a need for stronger collaboration, better tools, and more rigorous sharing of practical solutions.
Throughout the discussion, one truth kept surfacing: the people in the room, those managing OT risk every day, have insight that policymakers, regulators, and even cybersecurity executives need.
If you’re an OT security professional, don’t wait for someone else to speak for you. Whether you share a case study in a user group, submit a public comment on a proposed standard, or educate non-technical teams inside and outside your organization, you’re contributing to a more resilient, better-informed future for critical infrastructure.