Energy / Utilities Compliance

Regulations That Apply

Regulation	What It Covers
NERC CIP	Critical Infrastructure Protection — bulk electric system
TSA SD 02 Series	Pipeline cybersecurity directives (post-Colonial Pipeline)
AWWA Cybersecurity	American Water Works guidance for water utilities
DOE C2M2	Cybersecurity Capability Maturity Model
CIRCIA	Critical infrastructure incident reporting — final rule expected May 2026

What You Need In Place

• Strict IT / OT network segmentation
• Cyber asset inventory for the bulk electric system
• Personnel risk assessment and background checks
• Physical security perimeter for OT
• Configuration change management for OT
• Carefully scoped vulnerability assessments of OT
• Incident reporting capability (E-ISAC / CISA)
• Supply chain risk management

Common Threats In This Sector

Energy and water utilities are designated critical infrastructure for a reason — both have seen direct attacks on operational technology in recent years (Colonial Pipeline 2021, Oldsmar water 2021, multiple municipal water systems 2023–2024). The threat actors range from criminal ransomware operators to nation-state groups.

• Ransomware targeting OT and ICS systems controlling generation, distribution, or treatment
• Phishing for SCADA, HMI, and engineering workstation credentials
• Internet-exposed industrial protocols (Modbus, DNP3, OPC UA) discoverable via Shodan
• Foreign nation-state reconnaissance and pre-positioning activity (CISA and DOE alerts)
• Small-utility water and wastewater attacks — consistently the easiest critical-infrastructure targets
• Smart meter and IoT compromise reaching the AMI head-end or DER management systems

Documentation You’ll Be Asked For

Regulatory requirements vary by sub-sector and asset criticality. NERC CIP applies to the bulk electric system. TSA Security Directives apply to pipelines. EPA cybersecurity expectations apply to water utilities under AWIA. Smaller cooperatives and municipals still need to demonstrate something defensible to insurers, customers, and state PUCs.

• NERC CIP standards compliance (CIP-002 through CIP-014) for in-scope BES assets
• TSA Pipeline Security Directives compliance for pipeline operators
• DOE Cybersecurity Capability Maturity Model (C2M2) self-assessment
• EPA Cybersecurity for water utilities — risk and resilience assessment per AWIA Section 2013
• State Public Utility Commission cybersecurity filings as required
• CISA incident reporting workflow (CIRCIA reporting once final rules are effective)
• OT and IT network segmentation documentation with documented data flows

Where Most Small Utilities Fall Short

The Government Accountability Office, CISA, and EPA Office of Inspector General consistently flag the same gaps in small-utility cybersecurity. The C2M2 framework is free and self-administered, which makes it the cheapest credible starting point.

• No C2M2 or equivalent self-assessment despite free availability
• Water utilities without a formal cybersecurity plan even where AWIA requires one
• OT and IT networks not segmented — engineering and corporate share the same fabric
• SCADA or HMI systems reachable from the public internet
• Default credentials on PLCs, RTUs, and other industrial equipment
• No incident-reporting workflow to CISA or the relevant ISAC