Public power utilities are entering a new phase of cybersecurity accountability that directly links cyber risk to operational reliability. Meeting that expectation will require more than incremental updates. It will demand new strategies, deeper collaboration among cybersecurity, engineering and operational teams, and a more proactive approach to managing cyber risk across connected systems.
In September 2025, the Federal Energy Regulatory Commission (FERC) issued Order 912, directing the North American Electric Reliability Corporation (NERC) to strengthen supply-chain cybersecurity oversight, expand protections to operational assets connected to digital or networked systems that were previously outside mandatory requirements and deliver updated reliability standards within 18 months. Once the standards are finalized, which is expected by March 2027, utilities will be required to comply according to the implementation schedule set by FERC and NERC.
The broader rulemaking package also addresses virtualization, new security expectations for low-impact systems — smaller operational assets that individually pose limited reliability risk but collectively expand the attack surface — and enhanced resilience planning as digital technologies across the grid continue to converge.
Public power utilities are navigating an increasingly complex operating environment. Digital systems now support everything from substation automation and generation controls to remote field operations, and the connectivity that enables operational efficiency also expands pathways for cyber adversaries.
A New Cyber Reality for Public Power
Public power’s mission makes it an attractive target for cyberthreat actors. Public utilities often operate on leaner budgets than large, investor-owned ones, and the systems they maintain often are distributed across rural, aging or lightly staffed facilities where recruiting cybersecurity talent is a challenge.
The shift toward digital controls accelerates these challenges. Nearly every modern operational system in power increasingly includes networked interfaces, vendor managed software and components built on familiar information technology (IT) operating systems. A decade ago, IT and operational technology (OT) could function in parallel. Today, they are intertwined in ways that make isolated risk management impossible. The result is a shared exposure requiring coordinated defense.
All of these systemic issues are amplified for utilities operating Defense Critical Energy Infrastructure (DCEI) assets. These assets supply power to military operations and critical government functions essential to national security. For utilities operating these assets, weak security controls and insufficient response preparedness could enable nation-state adversaries to cause far-reaching consequences beyond local customer disruptions.
Culture Change Matters as Much as Technology
The most persistent barrier to improving cybersecurity is cultural rather than technical. OT teams have long prioritized safety, reliability and operational continuity. IT teams operate under principles of patching, access management and data protection. These differing mindsets create friction, particularly when cybersecurity measures are perceived as intrusive or disconnected from daily operational realities.
Utilities making progress are reframing cybersecurity as an institutional responsibility. Incident response plans, shared across IT and OT, along with cross-functional exercises and collaborative system reviews, help build trust and familiarity. When OT personnel begin asking questions about unusual device behavior or IT staff proactively assist with control-system hardening, it shows that cybersecurity is becoming embedded in the organizational mindset rather than in disjointed silos.
Such cultural alignment does not occur through policy alone. It starts with leadership involvement and grows through repeated, shared experiences, such as responding to simulated events, working through configuration decisions and connecting safety principles to cybersecurity outcomes. In environments where isolated pockets of knowledge once existed, integration begins with communication and continues through shared accountability.
Developing Talent Where It Lives
Workforce constraints remain a defining challenge for public power. Competition for cybersecurity talent is intense, and salaries offered by the private sector can outpace public budgets. In many rural areas, a utility’s IT and OT teams may consist of only a few people who already manage system operations, maintenance or user support.
The most effective utilities are shifting from talent acquisition to talent development. Partnerships with local universities and community colleges, internships built around hands-on experience, and internal learning programs create pathways for individuals who want to stay in the region and contribute to their communities. Many of the strongest cyber professionals at public power utilities entered the field from nontraditional backgrounds, including operations, engineering, or military service.
Remote work options have also broadened the talent pool. Roles involving monitoring, analytics or investigative work can often be performed from larger metro areas within the state, allowing utilities to retain employees who seek both professional opportunity and community connection. These strategies help utilities build resilience into their staffing model, not just the systems they maintain.
Outsourcing Strategically While Building Internal Capability
Once utilities understand their risk landscape and operational needs, they must determine which cybersecurity functions should be built internally and which should be outsourced. The answer is rarely absolute. The most successful programs combine internal operational awareness with external surge capacity, monitoring support or specialized capability.
Many utilities outsource managed detection services and 24/7 security monitoring because staffing a round-the-clock team is costly and complex.
Incident response, forensics and OT system remediation often remain in-house because they require deep familiarity with plant operations and equipment. Consultants can also support major transformation efforts by helping utilities design integrated IT/OT programs without pulling staff away from essential day-to-day responsibilities.
What matters most is clarity. Utilities that write specific scopes of work, verify vendor performance and maintain internal ownership of risk see the strongest results. Outsourcing is most valuable when it augments capability rather than replaces it.
Why IT/OT Integration Is an Operational Imperative
The themes emerging across public power make it clear that cybersecurity and operational reliability can no longer be treated as separate disciplines. Digital systems have become core infrastructure, and securing these systems is as essential as maintaining physical assets.
FERC Order 912 reinforces what many utilities already recognize, that managing cyber risk now requires the same rigor, planning and coordination historically applied to system protection and operational safety. For public power utilities, this means treating cybersecurity as a shared operational responsibility rather than an IT function. It means unifying technology teams, developing local talent, strengthening vendor oversight and leveraging external partners where needed.
The path forward is demanding, but it aligns with public power’s long-standing strengths, including collaboration, problem-solving and a deep commitment to community service. Cyber resilience is the next step in that mission.
