ISC East Utility Panel Exposes Governance Gaps and Rising Infrastructure Complexity
Key Highlights
- Mark Hatcher urged utilities to adopt a “never events” framework to clearly define critical risks and align security priorities across operations, IT, and OT teams.
- Panelists emphasized that convergence is often misunderstood, stressing the need for segmentation, governance, and shared planning between physical security, IT, and OT.
- Infrastructure projects are growing in scale and complexity, with data management, fiber ownership, and regulatory constraints creating new challenges for utilities.
The Security Industry Association’s (SIA) Protecting Utilities roundtable at ISC East featured a keynote from Mark Hatcher, Head of Physical Security at San Jose Water, followed by a panel discussion on the infrastructure challenges facing the utility sector.
The conversation focused on translating security needs into business outcomes and navigating the complex relationship between physical security, IT and operational technology (OT) teams.
Hope for the best, plan for the worst
Hatcher introduced a framework borrowed from the healthcare industry — called “never events” — that he has adapted for utility security operations. The concept originated in 2002 when a medical doctor examining quality of care decided that amputating the wrong leg or leaving surgical clamps inside of a patient should “simply never happen.”
“In a security context, the idea is to hyper-focus on the things that should never happen,” Hatcher explained. For water utilities, a “never event” might include a threat actor contaminating the water supply, or an unescorted, unauthorized person breaking in and wandering around a facility.
The framework requires gathering input from multiple departments, with operations, SCADA teams, IT departments and more offering perspectives on “never events” within their own domains. The challenge, Hatcher said, is getting disparate groups to agree on these priorities. His methodology involves comparing suggested “never events” to publicly disclosed risks in SEC filings and annual reports, as well as a method he calls “confidence in prevention.”
“If one of these scenarios is really critical and there is a low level of confidence in dealing with it, we need to focus on that,” he explained.
His framework addresses what he calls a fundamental problem in utility security. “Utilities, by and large, don’t make money by preventing things. Energy utilities don’t make a lot of money from the energy they sell,” Hatcher said. “We make money by building things. This creates friction when requesting security investments that don’t directly generate revenue.”
According to Hatcher, the solution is to create a business continuity and governance role that elevates security’s role in enterprise risk management. The board will certify the prioritized list of “never events,” reinforcing the idea that these issues concern the organization as a whole — not just the security department.
To this end, Hatcher emphasized the importance of tracking both obstacles and progress, providing real-time visibility into risk and resiliency reporting.
“Albert Einstein once said that if you can’t say it simply, you don’t know it well enough,” he concluded. “This is a way we can describe things very simply that are at the heart of what we’re trying to accomplish anyway.”
Securing a converged world
The panel discussion, featuring DirectDefense CSO Christopher Walcutt, Wasabi Technology Alliances Manager Vince Ricco, Corning Optical Communications Enterprise Value Creation Director Gayla Arrindell, and Convergint Founder and CEO Pierre Bourgeix, shifted toward infrastructure and convergence challenges.
Multi-sensor environments, began Walcutt, are becoming the new normal when it comes to utility protection. Facilities are now deploying gunshot detection, drone monitoring and environmental sensors for flooding and humidity, among others.
“When it comes to critical infrastructure, we need to be aware of events as they’re taking place, not after,” he said, citing examples ranging from devastating forest fires to a sniper shooting at Bay Area substations.
One of the largest challenges in these multi-sensor environments is securing and managing the data they produce. Data lakes, Walcutt noted, have become crucial for consolidating information and building readable dashboards. However, regulatory constraints present a regular challenge for utilities, making network segmentation essential for separating physical security data from operational data.
“You also need to think about the physical infrastructure that will transfer and protect that data,” said Arrindell. She noted that fiber networks provide resilience but remain unfamiliar to a large number of people in the utility security market.
Bourgeix addressed this misunderstanding: “Part of the challenge we have in the physical security space has always been a misunderstanding of what a converged environment is,” he said. “Just because you’re a connected system doesn’t mean you’re converged.”
As infrastructure has grown increasingly connected, its attack surface has grown with it. “We are all more connected — and more vulnerable,” Bourgeix explained. “That means that the segmentation of our physical, controlled world and our data is critical.”
The scale of most infrastructure projects adds another layer of complexity. Ricco described one security architecture project to connect over 5,000 substations that required over 6,000 miles of fiber over ten years, to the tune of billions of dollars: a gargantuan project that becomes even more difficult when permissions are involved.
“You have to get permission from everyone who owns a pole every time you touch one,” Ricco said. High-tension power lines often have fiber optic cables running along them that are available for rent to water utilities and local governments, but projects are frequently cost prohibitive.
The ownership question around fiber purchases muddles things as well. “Who buys fiber? IT,” Bourgeix added. “Guess who should be purchasing fiber soon? OT.”
This requires bringing stakeholders together through governance programs, which Bourgeix said “opens up both the budget and the conversation.” According to Bourgeix, all relevant parties should participate in planning discussions.
“If you’re in physical security, make sure you’ve got cyber. Make sure you have IT. Make sure you have operations,” he said. “Otherwise, you end up having the same conversations multiple times.”
Bourgeix also recommended studying NIST frameworks, particularly NIST 800-82, 800-53 and 800-171. “If you crack the book, you begin to understand segmentation, security by design and building organizational infrastructure.”
While every utility faces unique challenges, the panel concluded, all parties must be educated and included to ensure a working approach customized to their needs. Only through clear communication can the industry drive standardization and compliance forward.