
Securing Utility OT Networks: Best Practices and Strategies
Stacy Mill’s First Utility Security Magazine Contribution Provides a Roadmap to Better OT Security
Welcome to my first article in Utility Security magazine! It’s an honor to contribute to this community of professionals working to protect critical infrastructure. In this space, I’ll offer insights into the current threat landscape facing utilities, share practical advice on securing operational technology (OT) networks and—most importantly—provoke a chuckle or two. Or at least a polite smirk.
Now, you might be wondering why you should read what I have to say. Fair question. I’ve been in IT since I was 19, starting with mainframes and evolving through global networks, data centers and the cloud (which, spoiler alert, is just someone else’s data center and not magic). I’m not a journalist. I’m a CIO, CTO and CISO with more than 25 years of experience across six industries: Fortune 50 healthcare, global manufacturing, top-secret aerospace contracts, state government, a SaaS startup and yes, even public utilities.
Throughout my career, I can say that my experience in the utility sector truly blew my mind. Here’s what shocked me: utility systems are ancient. I’m talking more than 30 years old. It was so bad, I would not have been surprised if I discovered a 1980s PC running MS-DOS.
Even more surprising, utilities are still installing SaaS applications in their own data centers because they think it’s “safer” there. Trust me, it’s not. That mindset—and the challenges that come with it—is why I’m writing this article.
We’ll explore how technology strategy, governance structures and business culture come together to secure OT networks. There’s no one-size-fits-all solution. Nothing is ever 100 percent secure. And despite what some vendors claim, no magical off-the-shelf system exists that will fix all your problems. Securing OT networks requires strategic thinking, courageous collaboration and enterprise-wide planning. With that said, let’s dive in!
OT networks aren’t like IT networks, but once you connect them, they start behaving like one big dysfunctional family. OT and IT protocols now share an Ethernet backbone. Walk into a substation and you’ll find routers, switches and a mix of IT and OT devices trying to live together in harmony (or at least tolerate each other).
Here’s the hidden potential: these IT devices can provide situational awareness that OT traditionally lacks. Devices using Simple Network Management Protocol (SNMP) can report things like temperature and network speed. A sudden temperature spike? That could be a fire. A low-speed reading? Might be a fiber issue. Historically, SCADA systems were binary—on/off, up/down. By integrating IT insights, we can make OT smarter and more responsive.
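The kind of check this paragraph describes, as an added example rather than code from the article: it reviews polled SNMP readings for a sudden temperature rise against each device's recent baseline and for a link reporting less than its expected speed. The device names, thresholds, inventory and sample polls are constructed assumptions.

```python
from statistics import mean

# Constructed sample polls: (device, poll_number, temp_c, speed_mbps).
# temp_c stands in for a vendor-specific temperature sensor reading and
# speed_mbps for the interface speed the device reports (for example
# IF-MIB ifHighSpeed). All values are made up for illustration.
POLLS = [
    ("sub12-sw1", 0, 31.0, 1000), ("sub12-sw1", 1, 30.5, 1000),
    ("sub12-sw1", 2, 31.5, 1000), ("sub12-sw1", 3, 47.0, 1000),
    ("sub12-sw1", 4, 49.0, 1000),
    ("sub12-rtr1", 0, 28.0, 1000), ("sub12-rtr1", 1, 28.5, 1000),
    ("sub12-rtr1", 2, 28.0, 1000), ("sub12-rtr1", 3, 28.2, 100),
    ("sub12-ap9", 3, 25.0, 100),
]

# Hypothetical asset inventory: the link speed each known device should report.
EXPECTED_SPEED_MBPS = {"sub12-sw1": 1000, "sub12-rtr1": 1000}


def evaluate(polls, expected_speed, window=3, spike_c=10.0):
    """Return (poll_number, device, alert_kind) tuples in poll order."""
    history = {}  # device -> recent normal temperatures
    alerts = []
    for device, t, temp_c, speed in sorted(polls, key=lambda p: p[1]):
        past = history.setdefault(device, [])
        spike = False
        if len(past) >= window:
            baseline = mean(past[-window:])
            spike = temp_c - baseline >= spike_c
        if spike:
            alerts.append((t, device, "TEMP_SPIKE"))
        else:
            # Spike readings stay out of the baseline, so sustained heat
            # keeps alerting instead of becoming the new normal.
            past.append(temp_c)
        want = expected_speed.get(device)
        if want is None:
            # A device answering polls that is not in the inventory.
            alerts.append((t, device, "UNKNOWN_DEVICE"))
        elif speed < want:
            alerts.append((t, device, "LINK_DEGRADED"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(POLLS, EXPECTED_SPEED_MBPS):
        print(alert)
```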
Let’s be honest, implementing technology is the easy part. Changing the culture? That’s the real challenge. Take two-factor authentication (2FA), for example. It’s easy to set up but nearly impossible to get people to embrace.
In one instance, utility employees resisted 2FA because they thought we’d track their location through their phones. I had to convince them (and even add a policy to the employee handbook) that we weren’t spying on anyone. What finally got them on board? Explaining that 2FA would let them enter their time from home without having to come into the office. Suddenly, 2FA wasn’t so bad.
Another cultural challenge in utilities is the “don’t touch the internet” mentality. Honestly, I get it. Most critical infrastructure has no business being connected to the open internet. But here’s the kicker: the 2021 Colonial Pipeline incident wasn’t about the pipeline itself. The pipeline kept flowing just fine. The problem was with IT systems that handled billing and compliance. No IT, no automated billing, no business. You can’t bill what you can’t measure.
It’s not a matter of if your utility will be hit by a cyber event—it’s when. How you respond will determine your fate (and maybe your career). Managing, maintaining and monitoring your IT and OT systems is critical. If you don’t maintain them, they won’t be reliable. If you don’t monitor them, you can’t secure or optimize them.
Where to Start: Securing Utility OT Networks
1. Conduct Comprehensive Risk Assessments
Map your assets, identify vulnerabilities and assess the potential impact of various threats. Think of it like spring cleaning for your network—you can’t secure what you don’t know exists.
2. Network Segmentation
Isolate OT systems from IT networks. Secure zones with strict access controls will help keep bad actors from roaming freely across your infrastructure.
3. Implement Robust Access Controls
Adopt a least-privilege approach and enforce role-based access. And if you’re still using single-factor authentication in 2025, you’re basically leaving your front door wide open. Attackers love that. Don’t make it easy for them.
4. Real-Time Monitoring and Incident Detection
Deploy Security Information and Event Management (SIEM) systems and Intrusion Detection Systems (IDS) designed for OT. Real-time monitoring is your eyes and ears—don’t fly blind.
5. Secure Remote Access
As remote work has become the norm, securing remote access is more crucial than ever. Use Virtual Private Networks (VPNs), zero-trust architectures and secure gateways to keep things locked down.
6. Patching and Updating Systems
Patching OT systems is like playing the game Operation—one wrong move and you could disrupt critical services. Develop a patch management strategy that minimizes downtime while maximizing security.
7. Employee Training and Awareness
The best tools in the world won’t help if your team doesn’t know how to use them—or worse, accidentally invites threats in. Invest in OT-specific security training for employees and contractors.
Securing utility OT networks is a continuous journey. The evolving threat landscape demands constant vigilance, ongoing training and a willingness to adapt. So, evaluate your security posture annually, adopt best practices carefully and invest in technologies that will protect our most critical infrastructure. Remember: in the battle for OT security, a proactive strategy is your best defense.
About Stacy Mill:
Stacy Mill is a visionary cybersecurity leader with success developing talent, securing engineering solutions and driving value for organizations across a variety of industries. At Nashville Electric Service, as CIO and CISO, she transformed their legacy mainframe, multiple data center environment into an efficient hybrid cloud model which empowered their customers and workforce, providing increased security and reliability. Stacy serves as President of the Board of Directors for ISACA Middle Tennessee, Music City Cloud Security Alliance Board of Directors, ISSA Middle Tennessee CISO Board of Advisors, and is a founding board member of SIM Nashville.