
Oct 30 2025
Security

Critical Infrastructure Security: What State and Local Leaders Need to Know

Here’s how utilities and their public sector partners can strengthen electric grid security.

Leaders across government and industry are confronting a hard truth: The attack surface of critical infrastructure has expanded as aging systems have been retrofitted with networked computing power.

Retrofitting “old” grid technology with “new” connectivity creates gaps — especially once systems touch the internet — and inconsistent governance across federal, state and local jurisdictions lets issues fall through the cracks. Many utilities historically haven’t employed deep cybersecurity teams, which complicates everything from risk assessments to remediation. Meanwhile, nation-state attackers are increasingly targeting U.S. state and local entities and their partner utilities — a reality security teams must anticipate.

“It is the nature of the contest that we’re in that often nation-state level conflict is expressed in attacks against state and local government entities and critical infrastructure entities,” says Rob Sheldon, senior director of public policy and strategy at CrowdStrike. The sector’s problem is largely no longer a lack of awareness but a lack of resources: Building and sustaining a sophisticated cybersecurity program takes people, tooling and funding, he says.


At the same time, critical infrastructure security is complicated by aging systems that were connected to networks long after they were designed. Those retrofits can open gaps and create uneven implementations across a patchwork of federal, state and local oversight.

“When you’re trying to retrofit older technology with newer computing elements, there are always going to be gaps. And when you consider the patchwork of regulations, things fall through the cracks,” says Dr. Sibin Mohan, associate professor of computer science at George Washington University.

What Is Critical Infrastructure Protection?

The Cybersecurity and Infrastructure Security Agency defines critical infrastructure as “assets, systems, and networks that provide functions necessary for our way of life.” This includes healthcare, emergency services, water infrastructure and electrical infrastructure.

Critical infrastructure protection today means managing geopolitically driven risk targeting those systems, while modernizing legacy environments that weren’t built with those risks in mind. This is especially true of the power grid, which underpins so much about our way of life.

What Are Physical Security Risks to the Power Grid?

While cyberattacks draw headlines, physical threats to electrical substations and other assets remain part of the risk calculus for electric grid security.

Jim Richberg, Fortinet’s head of cyber policy and global field CISO, calls the energy sector “the base of the pyramid,” noting that adversaries understand its leverage over every other sector.

“Domestic violent extremists have really figured out that if they want to hurt government, taking out the power is critical. Nation-states have been targeting, and Russia and China each target a different part of the energy ecosystem,” he says.

For public sector utilities, cost can slow physical upgrades such as hardened perimeters and access control, so mitigations must be prioritized by their reliability impact and the regulatory support behind them. In practice, power grid security teams should align physical hardening, incident playbooks and recovery procedures with their cyber contingencies so that a single event cannot cascade.


What Are Cyberthreats to Operational Technology?

Attackers can exploit vulnerabilities related to the networks hosting the operational technology systems of electric plants and other utilities.

“OT systems are not like traditional computers. They have highly custom-designed hardware and software. You can’t attack them with a random anti-virus,” Mohan says.

But attackers increasingly exploit the enterprise side of the house to reach OT. Sheldon warns that defenders sometimes overindex on esoteric OT controls and underinvest in enterprise hygiene: “It’s extremely useful to defend those enterprises with best practices like threat hunting and threat intelligence, so that if a bad actor breaches an enterprise, you can spot that and stop it before there is any lateral movement onto OT networks.”

Artificial intelligence has accelerated the cybersecurity arms race. Richberg describes generative AI as a “dual-use tool” that can help small utilities but also lets low-skill adversaries develop threats, increasing the “volume, variety and velocity” of attacks hitting critical infrastructure.

AI tools can compress discovery and exploitation timelines from months to days or hours, even if specialized OT still imposes some “inertia” before an attack can have effect, Mohan adds.


What Are the IT Security Challenges in the Field?

The energy sector is heterogeneous: from large investor-owned utilities to rural co-ops and municipal providers.

“You’ve got rural electric co-ops that don’t even have an IT guy. We all live on the same power grid; the problems of the little guys can bleed over,” Richberg says. That interdependence raises the stakes for shared standards and baseline controls that scale.

For many operators, power grid security starts with doing IT well — identity protections, multifactor authentication (MFA), endpoint detection and response (EDR) and up-to-date configurations — to stop lateral movement early. The same can be said of water utilities and other critical infrastructure.

“All the controls for defending your networks are extremely important,” says Sheldon. But because nation-state actors target this space, “patching alone is not enough”; defenders also need to consume threat intelligence and conduct threat hunting.

When resources are thin, managed security services can be the fastest route to mature capabilities.

“It can be more straightforward to just consume that sort of assistance as a service. It’s a good idea to consider if you’re not going to be able to have a security program where you can handle threat intel, threat hunting and so on,” Sheldon says.


What Are Best Practices for Securing Critical Infrastructure?

State and local officials have playbooks for what can be done to secure electric grids.

“There are good things that can be done,” Richberg says, provided segmentation, identity management and access control are enforced and scaled. And while AI will raise the tempo of attacks, Mohan points out that the specialized nature of OT gives defenders a little time to detect, contain and recover if they are prepared.

Here are some best practices recommended by these experts:

Design for Security; Retrofit With Care

For new deployments, build critical infrastructure protection into requirements: restrict connectivity, separate critical control systems from general IT and apply least privilege access.

“When you’re designing new elements of the grid, think about cybersecurity. Do I connect it to the internet? Make sure those critical systems are separated,” Mohan says. For legacy equipment, create lightweight controls that won’t break real-time operations.

Push Secure-by-Design in the Supply Chain

Richberg points to a growing government-backed push for vendors to prove they’re baking in safer defaults, an approach that could extend from IT to OT with sector-specific tailoring. That market signal helps buyers distinguish who is serious about critical infrastructure security.


Segment and Defend Endpoints

Richberg urges defenders to build on the way OT already separates production lines and plants, then layer IT controls that limit blast radius.

“Don’t have a flat network. Use segmentation and access control,” he says.

Authorized users are usually easy to identify in industrial environments. “You know what good settings and bad settings are. You can white-list known processes,” Richberg adds.
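The segmentation and allowlisting advice in this section and under “Design for Security” (restrict connectivity, separate control systems from general IT, avoid flat networks, allowlist known processes) can be made concrete as a deny-by-default policy check. The following Python is an added example written for this page, not code from the article or from any vendor quoted in it. The three-zone enterprise/DMZ/control layout is an assumption borrowed from the Purdue-style reference architecture, and the address ranges, allowed flows, process names and digests are all constructed placeholders.

```python
"""Deny-by-default IT/OT boundary check: an added example, not the article's code.

Zones follow an assumed three-tier layout (enterprise IT, a DMZ, and the OT
control zone). Traffic inside a zone is allowed; traffic crossing a zone
boundary is allowed only if it matches ALLOWED_FLOWS exactly. Everything else
is reported so it can be blocked or investigated.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan; a real utility maps these from its own IP scheme.
ZONES = {
    "ENTERPRISE": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "CONTROL": [ip_network("192.168.100.0/24")],
}

# (src_zone, dst_zone, dst_port, proto) tuples allowed to cross a boundary.
# Anything not listed is denied by default. Constructed for illustration.
ALLOWED_FLOWS = {
    ("ENTERPRISE", "DMZ", 443, "tcp"),  # users reach the historian web UI in the DMZ
    ("DMZ", "CONTROL", 502, "tcp"),  # only the DMZ data collector polls Modbus/TCP
    ("CONTROL", "DMZ", 514, "udp"),  # syslog leaves the control zone, nothing comes back
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is not in the plan."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "UNKNOWN"


def evaluate_flow(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the deny-by-default policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        return "DENY", f"unmapped address in {flow.src} -> {flow.dst}"
    if src_zone == dst_zone:
        return "ALLOW", f"intra-zone {src_zone}"
    key = (src_zone, dst_zone, flow.dst_port, flow.proto.lower())
    if key in ALLOWED_FLOWS:
        return "ALLOW", f"listed {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"
    return "DENY", f"unlisted {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"


def audit_flows(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every flow the policy denies, with the reason. On a segmented
    network these are firewall gaps; on a flat one they are the lateral-movement
    paths an intruder on the IT side would use to reach OT."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate_flow(flow)
        if verdict == "DENY":
            violations.append((flow, reason))
    return violations


# Known-good executables for an HMI workstation. The digests are placeholder
# strings, not real SHA-256 values.
PROCESS_ALLOWLIST = {
    "hmi_runtime.exe": "sha256:aaa111",
    "historian_agent.exe": "sha256:bbb222",
}


def unexpected_processes(running: dict[str, str]) -> list[str]:
    """Return processes that are not allowlisted or whose digest differs from the
    known-good one, so a renamed or tampered binary is caught, not just a new one."""
    return sorted(name for name, digest in running.items()
                  if PROCESS_ALLOWLIST.get(name) != digest)


# Constructed flow records, e.g. parsed from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", 443, "tcp"),  # workstation -> DMZ historian
    Flow("10.20.0.5", "192.168.100.10", 502, "tcp"),  # DMZ collector -> PLC
    Flow("192.168.100.10", "192.168.100.20", 502, "tcp"),  # PLC -> PLC, same zone
    Flow("10.10.4.7", "192.168.100.10", 502, "tcp"),  # workstation straight to PLC
    Flow("10.10.4.7", "192.168.100.10", 3389, "tcp"),  # RDP into the control zone
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dst_port}: {reason}")
    running = {"hmi_runtime.exe": "sha256:aaa111", "historian_agent.exe": "sha256:zzz999",
               "remote_tool.exe": "sha256:ccc333"}
    print("unexpected processes:", unexpected_processes(running))
```

Run against real flow logs, the DENY list is both a firewall backlog and a hunting lead: an enterprise-zone workstation speaking Modbus or RDP directly into the control zone is exactly the IT-to-OT lateral movement the experts warn about. The process check fails closed, so a binary whose name matches the allowlist but whose digest does not is reported, not silently accepted.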

Harden IT to Protect OT

As Sheldon emphasizes, electric grid security depends on strong enterprise defenses — MFA, EDR, identity protections, threat intel and threat hunting — to detect intrusions and stop lateral movement toward OT.

Assess Continuously and Monitor for Anomalies

Mohan recommends multiple methods: penetration testing with vendors, formal risk assessments and automated checks that trigger alarms or safe modes if “something untoward” occurs. There’s “no silver bullet,” he says, so pair analytic rigor with pragmatic device-level monitoring.
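The “automated checks that trigger alarms or safe modes” Mohan describes can be as simple as plausibility checks on telemetry. The following Python is an added example for this page, not the article’s or the researcher’s code: the tag names, limits and readings are constructed, and the policy that any alarm on a safety-relevant tag (or a reading from an unconfigured tag) recommends safe mode is an assumption, not a standard.

```python
"""Plausibility checks on OT telemetry with a safe-mode recommendation.

Added example, not the article's code. Each tag has an assumed physical
envelope, a maximum credible rate of change and a maximum reporting gap.
A value outside the envelope, a jump the process could not physically
produce, or a silent sensor raises an alarm; any alarm on a safety-relevant
tag (or a reading from an unconfigured tag) recommends SAFE MODE, meaning
hold the last known-good state rather than act on the suspect value.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TagLimits:
    low: float
    high: float
    max_rate_per_s: float  # largest physically plausible change per second
    max_gap_s: float  # alarm if no reading arrives within this many seconds
    safety_relevant: bool


# Hypothetical tags and limits; real values come from equipment specs.
LIMITS = {
    "xfmr1.oil_temp_c": TagLimits(-20.0, 110.0, 0.5, 30.0, True),
    "bus1.voltage_kv": TagLimits(120.0, 145.0, 5.0, 5.0, True),
    "feeder3.load_mw": TagLimits(0.0, 60.0, 10.0, 60.0, False),
}


@dataclass(frozen=True)
class Reading:
    tag: str
    t: float  # seconds on a common clock
    value: float


@dataclass(frozen=True)
class Alarm:
    tag: str
    kind: str  # RANGE, RATE, STALE or UNKNOWN_TAG
    detail: str


def check_stream(readings: list[Reading], now: float) -> tuple[list[Alarm], bool]:
    """Evaluate a batch of readings as of time `now`.
    Returns (alarms, safe_mode_recommended)."""
    by_tag: dict[str, list[Reading]] = defaultdict(list)
    for r in readings:
        by_tag[r.tag].append(r)

    alarms: list[Alarm] = []
    safe_mode = False
    for tag, series in by_tag.items():
        limits = LIMITS.get(tag)
        if limits is None:
            # Data from a tag nobody configured is itself suspicious: fail closed.
            alarms.append(Alarm(tag, "UNKNOWN_TAG", "reading from an unconfigured tag"))
            safe_mode = True
            continue
        series.sort(key=lambda r: r.t)
        prev = None
        for cur in series:
            if not limits.low <= cur.value <= limits.high:
                alarms.append(Alarm(tag, "RANGE",
                                    f"{cur.value} outside [{limits.low}, {limits.high}] at t={cur.t}"))
            if prev is not None and cur.t > prev.t:
                rate = abs(cur.value - prev.value) / (cur.t - prev.t)
                if rate > limits.max_rate_per_s:
                    alarms.append(Alarm(tag, "RATE",
                                        f"{rate:.2f}/s exceeds {limits.max_rate_per_s}/s at t={cur.t}"))
            prev = cur
        gap = now - series[-1].t
        if gap > limits.max_gap_s:
            alarms.append(Alarm(tag, "STALE", f"no reading for {gap:.0f}s (limit {limits.max_gap_s}s)"))

    if any(LIMITS[a.tag].safety_relevant for a in alarms if a.tag in LIMITS):
        safe_mode = True
    return alarms, safe_mode


# Constructed telemetry: the transformer and feeder behave; the bus voltage
# jumps to an impossible value and then the sensor goes quiet.
SAMPLE_READINGS = [
    Reading("xfmr1.oil_temp_c", 0.0, 61.0),
    Reading("xfmr1.oil_temp_c", 10.0, 61.3),
    Reading("xfmr1.oil_temp_c", 20.0, 61.5),
    Reading("bus1.voltage_kv", 0.0, 138.0),
    Reading("bus1.voltage_kv", 2.0, 138.1),
    Reading("bus1.voltage_kv", 4.0, 160.0),
    Reading("feeder3.load_mw", 0.0, 22.0),
    Reading("feeder3.load_mw", 30.0, 23.5),
]

if __name__ == "__main__":
    alarms, safe_mode = check_stream(SAMPLE_READINGS, now=35.0)
    for a in alarms:
        print(f"ALARM {a.kind:<11} {a.tag}: {a.detail}")
    print("recommend safe mode:", safe_mode)
```

The three checks are deliberately device-level and cheap: the envelope check catches a spoofed or faulted value, the rate check catches a jump the physical process could not produce, and the staleness check catches a lost link or a suppressed sensor. The safe-mode recommendation means hold the last known-good state rather than act on the suspect reading; mapping that to a concrete controller action is site-specific and belongs in the risk assessment, not in this script.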

Scale With Services and State Support

Where staffing is limited, managed providers and state-level shared services can deliver essentials quickly. Information Sharing and Analysis Centers (ISACs) offer sector-specific guidance for organizations of all sizes.
