Utilities companies are dealing with fragmentation and silos, preventing a streamlined approach to compliance. A more solid foundation is needed, but how can this be done?
By Kate O’Flaherty
Utilities companies operate numerous disparate systems, many of which were never meant to be connected to the internet. It’s therefore no surprise that cybersecurity — and compliance with the regulations covering it — remains one of the sector’s greatest challenges.
In 2010, the Stuxnet worm demonstrated the real-life threat posed by a cyber-attack on the sector, after centrifuges used in the Iranian nuclear programme were obliterated. More recently, the Russia-Ukraine war has seen several state-sponsored cyber-attempts on Ukraine’s electricity grid. Meanwhile, in the US, the water sector has also been under attack.
The growing risk of attacks such as these, and their devastating consequences, have led to a number of regulations intended to shore up utilities security, including the EU Network and Information Systems Directive 2 (NIS2) and the UK Cyber Security and Resilience Bill.
As utilities strive to comply with these multiple rules, some have criticised the industry for being slow to adapt. Indeed, a recent blog by Ernst & Young highlights a need for artificial intelligence (AI) technology to manage complex risk management strategies and ensure compliance.
But in an industry already dealing with fragmentation and silos, is adding more tools really the answer?
Keeping Pace With Regulation
Many experts say no. Instead, utilities need a unified, engineered compliance backbone that matches the complexity of the physical systems they run. This starts with fixing the foundations, rather than layering new technologies on top of old fragmentation.
Recent cyber incidents affecting utilities highlight a challenge that goes beyond keeping pace with regulation. The pressure utilities face is real, but it’s not because rules are moving faster than organisations can respond.
It’s because the cost of fragmented, disconnected compliance and risk ownership is “rising faster than utilities can absorb”, Darren Guccione, CEO and co-founder at Keeper Security, tells IO.
Utilities operate some of the most interconnected physical systems in the world. Yet the processes governing cybersecurity, operational resilience, privacy, third-party access and regulatory compliance are often disconnected from one another.
“Cybersecurity, operational technology (OT) security, privacy, audit and regulatory teams are often organised as parallel functions, each with their own controls, tools and reporting lines, but limited shared visibility or coordination,” Guccione points out. “That fragmentation creates real exposure.”
These silos lead to “poor communication, duplication of effort, misunderstanding, and slow decision-making”, says Tracey Hannan-Jones, information security consulting director, UBDS Digital. “So, when new regulations arrive, each department interprets then implements changes differently — or not at all — leading to inconsistencies, inefficiencies, and poorly designed compliance frameworks to address requirements.”
The concept of “technical debt” in software — shortcuts that create compounding future costs — “maps perfectly to compliance”, says Rayna Stamboliyska, CEO at RS Consulting. “Every time a utility bolts a new regulatory requirement onto fragmented existing systems, rather than refactoring the foundation, the organisation accumulates ‘compliance debt’. The ‘cost of fragmented compliance’ is actually interest payments on ‘compliance debt’ — and UK utilities are paying compound interest without reducing principal.”
Under-Tooled
No amount of new technology can solve the issue — especially if it’s simply bolted on top of fragmented systems.
In 2024, large enterprises were using an average of 45 cybersecurity tools, according to Gartner. This indicates that being “under-tooled” isn’t the core problem, says Rik Ferguson, VP of security intelligence at Forescout. “On paper, that tool depth can look reassuring. In practice, it often creates a different problem: A security environment that’s busy, noisy and difficult to operate as a coherent whole.”
Boards often see extensive tooling and assume coverage is comprehensive, says Ferguson. “Security teams, meanwhile, spend huge amounts of time stitching together information, validating alerts and chasing activity that doesn’t always translate into measurable risk reduction.”
Amid this complex environment, organisations may look to AI as the “saviour”. However, this is never going to work because AI thrives on “high-quality, integrated data”, says UBDS Digital’s Hannan-Jones. “In fragmented utilities, data is often poor-quality, scattered, inconsistent or inaccessible. Without unified data, AI models can only produce limited or unreliable insights.”
Another factor to consider is that AI cannot fix organisational silos, Hannan-Jones says. “AI can automate tasks or generate recommendations, but it cannot force departments to collaborate, or share information.”
Streamlined Approach
Rather than simply adding new tools, utilities firms should work on a streamlined approach to compliance. This can help facilitate central orchestration, local accountability, consistent controls, continuous monitoring and an integrated view of risk.
As part of this, standardisation provides “a unified vocabulary and set of procedures” for risk, security, privacy and AI, says Hannan-Jones. Examples include ISO 27001, covering information security; ISO 22701, on privacy; and ISO 42001, governing AI management.
These frameworks require clear assignment of roles and responsibilities through a centralised approach. This ensures everyone knows who is accountable for what, which will improve coordination and communication, and reduce gaps, says Hannan-Jones. “Organisations can then enforce documented, repeatable processes for risk assessment, incident response and drive continuous improvement,” she explains.
At the same time, since ISO standards are risk-based, they require organisations to consider risks holistically, rather than as a silo. The alignment of risk management with business objectives ensures that all departments are “working towards the same goals with a consistent approach”, says Hannan-Jones.
When looking to streamline your organisation, the first step is to map and standardise your core processes, Hannan-Jones advises. “Document all key workflows across the organisation, including asset management, maintenance, incident response and risk management. This will create clarity, expose duplications, identify gaps and provide a strong baseline for standardisation.”
It’s important to ensure everyone, including leadership, is on board, says Hannan-Jones. “Senior leaders must champion the unified compliance approach, communicate its value, and allocate resources. Sustained change requires visible support from the top, with clear messaging across the whole organisation.”
Benefits of Compliance
While challenges remain, regulation is not getting more complex. Instead, it is exposing how messy and fragile internal structures have become. Risk in utilities only becomes an asset when it’s treated like the grid itself: A functioning system that’s connected, continuously monitored and engineered for resilience.
The benefits are clear: When compliance becomes coordinated and integrated, utilities gain faster regulatory response, a stronger cyber posture, more trustworthy AI models, better board assurance, and reduced duplication and cost.
Coordinated, integrated compliance allows firms to “reclaim operational capacity”, so they can redirect their energy towards improving security outcomes, says Conor Sherman, CISO in residence at Sysdig. “You can then spend your time improving the grid’s resilience, rather than arguing over the provenance of a screenshot for an auditor.”