
Beyond the Meter: Cyber Mandates Reshape the Future of Utility Security
Utility Cybersecurity Expert Stacy Mill Explains Why Cybersecurity Goes Beyond the CISO — and How New Standards Will Drive Success
Let’s just call it what it is—cybersecurity is no longer the awkward sidekick in the corner of the boardroom whispering about “threat surfaces” and “zero trust.” Regulators have officially given it a bullhorn, a front-row seat and a stack of expectations tall enough to block the view of your latest digital transformation project.
Federal regulators, including the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), the U.S. Department of Energy (DOE) and the U.S. Environmental Protection Agency (EPA), are sending an unmistakable signal: the era of voluntary or loosely enforced cybersecurity frameworks for critical infrastructure is over. What’s emerging is a new paradigm—one that demands real-time visibility, enterprise-wide governance and unprecedented coordination across industries.
This shift is not theoretical or down the road. It’s here, reshaping how organizations manage cyber risk across the grid edge—from distributed energy resources (DERs) and water treatment facilities to the smart meters on our homes and businesses.
A Wake-Up Call From All Sides
Historically, utility cybersecurity was centered on perimeter defense—defending the corporate network and supervisory control and data acquisition (SCADA) systems. Now, thanks to a cocktail of digital transformation, climate goals and increasingly sophisticated adversaries, we’ve got attack surfaces so wide even your grandma’s solar panels are a potential threat vector. As infrastructure decentralizes and digital systems connect everything from rooftop solar to AI-enhanced water treatment sensors, the threat surface has exploded. Regulators have responded accordingly.
NIST continues to evolve its Cybersecurity Framework (CSF), now pushing organizations toward continuous improvement, risk-based prioritization and better mapping to real-world operational technologies. Meanwhile, NERC has sharpened its Critical Infrastructure Protection (CIP) standards to include supply chain risk, incident response and asset inventory management for low-impact bulk electric system (BES) cyber systems—long considered the weakest links.
But it’s the newer players in the regulatory space that have accelerated momentum. The DOE—through its Office of Cybersecurity, Energy Security, and Emergency Response (CESER)—has funded public-private partnerships and pilot programs to test next-generation monitoring tools for DERs and microgrids. And notably, the EPA recently reasserted its authority to enforce cyber hygiene in public water systems—a move that has sparked both debate and transformation across the sector.
Visibility Is No Longer Optional
One common denominator in these mandates is the demand for deeper visibility into operational environments. In many of the network operations centers (NOCs) and security operations centers (SOCs) I’ve built—from Humana’s first on-premises SOC to modern hybrid models supporting energy clients—visibility has been the cornerstone of resilience. You can’t protect what you can’t see.
Today’s regulators are asking operators of critical infrastructure to know more:
- What assets are connected?
- How are they configured and maintained?
- What threats are targeting them in real time?
This isn’t just about adding another security information and event management (SIEM) tool or endpoint agent. It requires layered telemetry, integration between IT and operational technology (OT) environments, and a security architecture that accommodates both centralized utilities and decentralized DER networks.
Take smart meters, for example. Once treated as customer-end devices with little risk potential, they now represent millions of endpoints that can be leveraged for data exfiltration, manipulation of demand signals or even coordinated attacks. A simple meter firmware vulnerability—left unpatched across thousands of units—can quickly escalate into a systemic risk.
Organizations must track and log activity at the device level, enforce patch cycles and monitor for anomalous behavior, such as unauthorized access attempts or unusual data transfers, across systems that were once considered peripheral.
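As an added illustration (not code from the column or from any utility's tooling), the Python below runs the three device-level checks the paragraph calls for over a smart-meter fleet: firmware behind an approved baseline, bursts of failed access attempts, and reads that transfer far more data than the fleet norm. The inventory, the baseline version and the head-end event records are all constructed sample data.

```python
"""Added example: device-level monitoring checks for a smart-meter fleet.

Everything below (meter ids, firmware versions, events) is constructed
sample data; the baseline version 2.4.1 is an assumed value, not a real release.
"""
from collections import defaultdict
from statistics import median

# Constructed asset inventory: meter id -> reported firmware version.
BASELINE_FIRMWARE = (2, 4, 1)
INVENTORY = {"MTR-001": "2.4.1", "MTR-002": "2.3.9", "MTR-003": "2.4.1"}

# Constructed head-end events: (meter id, event type, bytes transferred).
EVENTS = [
    ("MTR-001", "auth_ok", 1200), ("MTR-001", "auth_ok", 1180), ("MTR-001", "auth_ok", 1210),
    ("MTR-002", "auth_fail", 0), ("MTR-002", "auth_fail", 0), ("MTR-002", "auth_fail", 0),
    ("MTR-002", "auth_fail", 0), ("MTR-002", "auth_ok", 1150),
    ("MTR-003", "auth_ok", 1190), ("MTR-003", "auth_ok", 1205), ("MTR-003", "auth_ok", 48000),
]

def parse_version(version):
    """Turn '2.3.9' into (2, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def unpatched_meters(inventory, baseline=BASELINE_FIRMWARE):
    """Meters whose firmware is older than the approved baseline (patch-cycle check)."""
    return sorted(m for m, v in inventory.items() if parse_version(v) < baseline)

def failed_auth_bursts(events, threshold=3):
    """Meters with at least `threshold` failed access attempts (unauthorized-access check)."""
    failures = defaultdict(int)
    for meter, kind, _ in events:
        if kind == "auth_fail":
            failures[meter] += 1
    return sorted(m for m, n in failures.items() if n >= threshold)

def unusual_transfers(events, factor=5):
    """Meters with a successful read moving more than `factor` x the fleet median bytes.
    The median is used so a single large outlier cannot mask itself."""
    sizes = [b for _, kind, b in events if kind == "auth_ok"]
    limit = factor * median(sizes)
    return sorted({m for m, kind, b in events if kind == "auth_ok" and b > limit})

def findings(inventory=INVENTORY, events=EVENTS):
    """Run all three checks and return the flagged meter ids per check."""
    return {"unpatched": unpatched_meters(inventory),
            "auth_bursts": failed_auth_bursts(events),
            "unusual_transfers": unusual_transfers(events)}

if __name__ == "__main__":
    print(findings())
```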
Cybersecurity: No Longer Just the CISO’s Problem (Sorry, Not Sorry)
What has to happen is a cultural change as much as a technical one. Cybersecurity can no longer be the responsibility of just the chief information security officer (CISO) or a siloed security team. It must be embedded in enterprise risk management, board governance and procurement.
NIST’s updated CSF 2.0 reflects this shift clearly, with new emphasis on governance, supply chain integration and the business impact of cyber incidents. Similarly, NERC’s guidance increasingly ties compliance to not just the presence of policies, but the maturity of processes and organizational alignment behind them.
For energy and utility leaders, this means aligning cybersecurity priorities with grid modernization, environmental, social and governance (ESG) initiatives and customer trust. It means reevaluating vendor risk, enforcing security-by-design in new tech deployments and empowering local operators with the tools and training to respond quickly.
Perhaps the most transformative element of this regulatory wave is the expectation of cross-sector collaboration. DERs illustrate this beautifully. A solar installation on a commercial facility may be managed by a third-party aggregator, financed by a private equity firm and digitally connected to a municipal utility’s demand response system. Who owns the cyber risk in that scenario? All of them do.
The EPA’s renewed enforcement in the water sector also reflects this interdependence. A cyberattack on a rural water plant doesn’t just affect one town—it can cascade into public health concerns, regional infrastructure overloads and erosion of public trust in critical services.
Compliance is the Floor, Not the Ceiling
What I’ve learned across six industries outside of the utility world is why I write this column. Many industries, like finance and healthcare, learned decades ago that maintaining, managing and monitoring systems is not enough. You have to predict the future by analyzing trends while addressing internal and external risks to have well-performing, resilient and recoverable systems.
For instance, in the finance industry, having a well-practiced incident response plan allowed a major bank to quickly contain a data breach and minimize damage. Similarly, in healthcare, regular drills and validation of response plans have proven effective in mitigating ransomware attacks.
The mandates coming from NIST, NERC, DOE and EPA are not simply bureaucratic hurdles. They are blueprints for a more resilient future. Meeting these mandates will require investment, alignment and a willingness to change.