What I Keep Seeing in the Field
As I outlined in the first two articles in this series, the CESER FY2026-2030 Strategic Plan frames a broad and serious threat environment for U.S. energy infrastructure. But when I look at where federal agency cybersecurity programs are most exposed, operational technology security comes up every time.
The gap between how well federal teams understand IT environments and how well they understand OT environments is still significant. And in energy-adjacent federal operations, that gap is not a minor oversight. It is a principal risk.
Why OT Security is Different
Operational technology covers the industrial control systems (ICS), supervisory control and data acquisition (SCADA) platforms, and embedded devices that run physical infrastructure. These are the systems that open valves, control turbines, manage grid switching, and regulate pipelines. Unlike enterprise IT, many of these systems were designed for reliability over security, were never intended to be networked, and run software that is difficult or impossible to patch without disrupting operations.
When these systems are compromised, the consequences are not data breaches. They are physical. That distinction changes everything about how you approach security.
What CESER is Doing About It
The CESER plan identifies three programs that directly address OT and ICS security.
CyTRICS (Cyber Testing for Resilient Industrial Control Systems) is a supply chain-focused program that identifies vulnerabilities in the common components used across energy systems. The goal is to surface problems before the affected components are deployed in the field, not after an incident exposes them.
CRISP (Cybersecurity Risk Information Sharing Program) deploys sensors and monitoring solutions within energy sector networks to identify and understand threats in near real time. Visibility is the foundation of any OT security program. Without it, you are operating blind.
Cyber-Informed Engineering is an approach, not just a tool. It applies advanced design practices to incorporate cybersecurity into physical operating systems that have digital connectivity, sensors, monitoring, and control built in. The principle is that security should be engineered into infrastructure, not retrofitted onto it after the fact.
The Supply Chain Problem Underneath All of This
One thing the CyTRICS program makes clear is that OT vulnerability is not just an operational issue. It is a supply chain issue. Components manufactured without security requirements baked in become embedded risks at scale across the energy sector. Federal agencies that procure or rely on OT equipment should be asking hard questions about what is in the stack before it reaches their environment.
Project Armor and the Hardening Mandate
The plan also establishes Project Armor as a five-year initiative to harden critical energy infrastructure through assessments, technical guidance, and cyber and physical security upgrades. This program directly addresses the infrastructure side of OT security by treating hardening as an ongoing operational discipline, not a one-time project.
Federal Zero Trust mandates have done a great deal to advance IT security posture across agencies. OT security needs the same level of strategic attention. The CESER plan signals that DOE is treating it that way.
The next article in this series looks at how CESER is approaching artificial intelligence as both a threat vector and a defensive capability through the AI-FORTS program and the Genesis Mission.