Regulations and Standardization Trends

OT systems, particularly those used in manufacturing, transportation, energy, and healthcare industries, are vital to the economic stability of modern society.

As cybersecurity threats continue to escalate, nations worldwide have adopted diverse cybersecurity standards and policies across various industrial sectors to protect these critical systems. The scope of these standards is expanding, making the protection of critical infrastructure an indispensable aspect of OT security.


As cyber threats intensify and global regulatory environments become increasingly stringent, organizations must embed cybersecurity compliance into their core business strategies. Our 2024 survey report indicates that data breaches (55%) and compliance failures (51%) are the two primary drivers of corporate investment in OT cybersecurity. Beyond data breaches, 51% of respondents identified compliance failures as a critical business risk, as non-compliance not only incurs fines but also damages a company’s reputation and erodes customer trust. In the years ahead, developments in the following areas are expected to further increase the importance of cybersecurity compliance:

QF3: What are the top business risks that would drive your organization to invest in increased OT security protection? (Rank Top 3)

Figure 3.1. Business Risks Driving Investment in OT Security Protection

Dynamic Standards for Protecting Critical Infrastructure

Mitigate Risk and Enhance Resilience

As the threat landscape grows increasingly complex, traditional static standards are no longer sufficient to meet the needs of modern OT systems. Nations are now adopting risk-based dynamic standards, focusing on high-risk critical infrastructure sectors and creating more targeted regulations. Emerging fields such as energy, medical device manufacturing, food safety, and transportation are gradually being incorporated into the definition of critical infrastructure. Given the varying risk levels and characteristics across industries, these standards must be adjusted to address actual risks effectively.

Timeline of initiatives (period and region; each entry gives month | responsible agency | initiative title, followed by a description where the source provides one):

2019 Q2, Europe
  • June | European Commission | Cybersecurity Act. Empowers ENISA and establishes an EU-wide cybersecurity certification framework.

2021 Q2, Japan
  • May | National center of Incident readiness and Strategy for Cybersecurity (NISC) | Next-Generation Cybersecurity Strategy Outline. Released by the NISC, introducing measures to secure critical infrastructure and industrial control systems.

2021 Q3, Japan
  • September | National center of Incident readiness and Strategy for Cybersecurity (NISC) | Cybersecurity Strategy. A three-year Cybersecurity Strategy focusing on critical infrastructure protection and OT security, approved by the Japanese Cabinet.

2023, United States
  • Ongoing | Cybersecurity and Infrastructure Security Agency (CISA) | Open-Source Software Security Roadmap. Develops security guidelines and strategies for open-source software to reduce vulnerabilities.
  • Ongoing | Cybersecurity and Infrastructure Security Agency (CISA) | Advance software bill of materials (SBOM) and mitigate the risk of unsupported software. The Administration will promote the development of SBOMs and establish a process to identify and mitigate risks from unsupported software that is either widely used in or supports critical infrastructure.

2024 Q3, United States
  • Ongoing | Federal Communications Commission (FCC) | U.S. Cyber Trust Mark
  • July | North American Electric Reliability Corporation (NERC) | NERC CIP-015-1 Internal Network Security Monitoring (INSM)

2024 Q3, Europe
  • July | European Commission | Radio Equipment Directive
  • August | European Commission | Resilience of Critical Entities Directive

2024 Q4, Europe
  • October | European Commission | Network and Information Security Directive (NIS2)
  • August | European Union Agency for Cybersecurity (ENISA) | Cybersecurity Certification Schemes (EUCC, EU5G, EUCS)
  • December | European Commission | Cyber Solidarity Act
  • December | European Commission | Artificial Intelligence Act

2024 Q4, United Arab Emirates
  • October | Cybersecurity Council | New Cybersecurity Policies

2025 Q1, United States
  • Ongoing | Department of Health and Human Services (HHS) | Cybersecurity Best Practices
  • Ongoing | Department of Energy (DoE) | National Cyber-Informed Engineering (CIE) Strategy
  • Ongoing | Department of Energy (DoE) | Research and develop cybersecurity labeling criteria to develop the smart grid of the future

2025 Q1, Europe
  • January | European Commission | Digital Operational Resilience Act (DORA)

2027 Q4, United States
  • December | Department of Defense (DoD) | Cybersecurity Maturity Model Certification (CMMC) 2.0. Executes the 2023 DoD Cyber Strategy to enhance defense network capabilities.

2027 Q4, Europe
  • December | European Commission | Cyber Resilience Act. Sets cybersecurity requirements for digital products to ensure their security throughout their lifecycle.

Ongoing Updates, Saudi Arabia
  • Ongoing | National Cybersecurity Authority (NCA) | Essential Cybersecurity Controls (ECC). The ECC is a framework to enhance cybersecurity in critical infrastructure and OT, focusing on protecting industrial control systems and implementing robust security controls.

Cyber-Informed Engineering

From Defense to Design Upgrades

New regulations urge businesses to enhance the protection of critical assets, with notable initiatives like the U.S. Department of Energy’s National Cyber-Informed Engineering (CIE) Strategy. This approach emphasizes reducing or eliminating cyberattack pathways—or mitigating their consequences—through design decisions and engineering controls. By integrating cybersecurity from the earliest design stages, organizations can implement cost-effective and robust security measures, directly addressing the historical over-reliance on applying external security controls late in a system’s lifecycle.

Key Survey Insights

Balancing compliance, innovation, and economic value is crucial for organizations. While innovation introduces tools like artificial intelligence and machine learning, which enhance efficiency and enable breakthroughs, these must deliver tangible returns on investment (ROI). This balance ensures that organizations operate within regulatory frameworks while pursuing excellence in innovation and profitability.

[percentage not captured] of respondents identified compliance as the most critical factor for OT security. This highlights the importance of vendors providing up-to-date regulatory knowledge and support to help organizations keep pace with evolving standards. In highly regulated industries like pharmaceuticals and oil and gas, compliance is not just a priority—it is critical for business survival.

[percentage not captured] of respondents emphasized cost-effectiveness and advanced features as significant considerations, reflecting the dual importance of compliance as a foundation and innovation as a driver of progress.

The CIE Framework

Secure by Design

Shifts the focus of software development from discovering and patching vulnerabilities to eliminating design flaws within the software system architecture. CIE extends this concept to physical infrastructure systems with digital access or control features, embedding security at the architectural level.

Zero Trust Architecture

Rejects implicit trust in devices or user accounts, moving beyond traditional perimeter-based security models. Instead, this approach assumes that systems will inevitably be compromised and deploys resilient, layered defenses to minimize the impact of breaches.

Alignment with Industry Standards and Guidelines

CIE aligns with leading standards and guidelines such as IEC 62443, NIST SP 800-160, and the SAE International G32 Cyber-Physical Systems Security Committee to ensure consistency and interoperability.

QD6: Which of the following factors do you consider key indicators for evaluating the effectiveness of OT security products? (Rank Top 3)

Figure 3.2. Key Factors for Evaluating the Effectiveness of OT Security Products

Supply Chain Security Management as a Primary Focus for the Future

The complexity of supply chains has made them a primary target for cyberattacks. According to the TXOne CISOs Survey, 46% of companies identified “supply chain security management” as the top priority for cybersecurity investment over the next two years. This highlights the critical importance of supply chain transparency and security for regulatory compliance.

Recognizing the risks associated with supply chains, the U.S. government has long prioritized addressing these challenges. One notable initiative is MITRE’s System of Trust, which defines, aligns, and addresses specific concerns and risks in trusting suppliers, supplies, and service providers. TXOne Networks has actively participated in discussions and research surrounding this framework.

Enhancing Supply Chain Transparency: The Foundation of Compliance

60% of oil and gas companies rank supply chain security management as their top priority. Since they are classified as critical infrastructure, this industry must comply with strict regulations, such as NERC CIP standards. Regulatory agencies, including the TSA for pipeline operators, require companies to conduct security capability assessments when selecting suppliers in an effort to prevent supply chain vulnerabilities from becoming entry points for attacks. Companies and vendors must collaborate to create security agreements, ensuring data transfers and equipment access meet the highest standards.

Similarly, the complexity of supply chains in chip fabrication (47%) and food manufacturing (47%) has pushed companies in these industries to strengthen compliance capabilities.

Other examples include:

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) 2.0

Finalized in 2024, this mandates that all participants in the defense supply chain meet specific standards.

The Department of Energy’s (DOE) supply chain security principles

These ensure security across the lifecycle—from design and engineering to product disposal—while promoting international collaboration on collective cybersecurity frameworks.

QF5: What emerging cybersecurity technologies or trends does your organization plan to adopt in the next 12-24 months?

Figure 3.3. Emerging Cybersecurity Technologies/Trends to be Adopted in the Next 2 Years

Core Elements of Supply Chain Security

1. Software Bill of Materials (SBOM)

SBOMs are central to many regulations, as they track the origin, versions, and potential vulnerabilities of every component in the supply chain.


2. Third-Party Risk Assessments

Compliance frameworks require organizations to conduct regular audits of suppliers’ cybersecurity capabilities, ensuring alignment with industry standards such as SEMI.

QA9: How often does your organization perform cybersecurity assessments of vendors before OT procurement?

Figure 3.4. Cybersecurity Assessments for OT Vendor Procurement

Vulnerability Assessment and Patch Management

Meeting Shifting Compliance Demands

The EU Cyber Resilience Act (CRA) mandates transparency and security throughout the supply chain, strengthening resilience and reflecting the EU’s acknowledgement of cybersecurity’s critical importance through decisive action. According to the survey, 41% of companies plan to adopt regular vulnerability assessment and patch management technologies in response to the CRA’s principles for OT environments:

1. Patch Management Compliance Challenges:

Many ICS systems cannot undergo frequent downtime for patch updates, necessitating alternative compliance measures such as configuration management or network segmentation.


2. Vulnerability Prioritization Management:

Compliance requires organizations to prioritize the remediation of high-risk vulnerabilities while maintaining detailed documentation of the patching process for audits.
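The SBOM passage above says an SBOM tracks the origin, versions and potential vulnerabilities of every component, and the two items just listed say that ICS hosts often cannot be patched on demand and that remediation must be prioritized and documented for audit. The following script is an added example (not TXOne's, a regulator's, or any product's code) that ties those three points together: it reads a simplified CycloneDX-style SBOM, cross-references each component against an advisory feed, ranks the matches by CVSS score, and records for each one either a patch action or a compensating control (segmentation, configuration hardening) when the host cannot take downtime. The SBOM, the advisory identifiers (`ADV-EXAMPLE-*`, not real CVE numbers), the scores, and the hostnames are all constructed for the example.

```python
"""SBOM-driven vulnerability prioritization with an audit record.

Added example, not code from the report or any regulator. The SBOM follows a
simplified CycloneDX JSON shape; advisories, scores and hosts are constructed.
"""
import json
import re
from datetime import date

# Constructed SBOM fragment (simplified CycloneDX-style JSON, not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl",    "version": "1.1.1k", "type": "library"},
    {"name": "modbus-lib", "version": "2.3.0",  "type": "library"},
    {"name": "webui",      "version": "4.0.2",  "type": "application"},
    {"name": "zlib",       "version": "1.2.13", "type": "library"}
  ]
}
"""

# Constructed advisory feed; "fixed_in" is the first version that is not affected.
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl",    "fixed_in": "1.1.1l", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-0002", "component": "modbus-lib", "fixed_in": "2.4.0",  "cvss": 9.8},
    {"id": "ADV-EXAMPLE-0003", "component": "webui",      "fixed_in": "4.0.1",  "cvss": 5.3},
]

# Constructed asset context: where each component runs and whether that host
# can be taken down for patching (many ICS hosts cannot).
ASSET_CONTEXT = {
    "openssl":    {"host": "hist-srv-02", "downtime_allowed": True},
    "modbus-lib": {"host": "plc-gw-01",   "downtime_allowed": False},
    "webui":      {"host": "hist-srv-02", "downtime_allowed": True},
    "zlib":       {"host": "plc-gw-01",   "downtime_allowed": False},
}


def version_key(version):
    """Split '1.1.1k' into comparable tokens: digit runs as ints, letter runs as
    strings. Each token is tagged so ints are never compared with strs."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def is_affected(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def load_components(sbom_json):
    """Return (name, version) pairs from the SBOM's component list."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom["components"]]


def match_advisories(components, advisories):
    """Cross-reference every SBOM component against the advisory feed."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "component": name,
                                 "installed": version, "fixed_in": adv["fixed_in"],
                                 "cvss": adv["cvss"]})
    return findings


def severity(cvss):
    """Map a CVSS base score to the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, asset_context, today=None):
    """Rank findings by score and record the chosen action per finding so the
    patching decision is documented for audit. A host that cannot take
    downtime gets a compensating control until the next planned outage."""
    today = today or date.today().isoformat()
    records = []
    for f in sorted(findings, key=lambda x: x["cvss"], reverse=True):
        ctx = asset_context.get(f["component"], {"host": "unknown", "downtime_allowed": False})
        if ctx["downtime_allowed"]:
            action = f"patch to {f['fixed_in']} in next maintenance window"
        else:
            action = ("apply compensating control (network segmentation, configuration "
                      f"hardening); patch to {f['fixed_in']} at next planned outage")
        records.append({**f, "severity": severity(f["cvss"]), "host": ctx["host"],
                        "action": action, "recorded_on": today})
    return records


if __name__ == "__main__":
    for record in prioritize(match_advisories(load_components(SBOM_JSON), ADVISORIES), ASSET_CONTEXT):
        print(json.dumps(record))
```

Running it lists two findings (the `webui` component is already above its fix version and is skipped): the Modbus library on the gateway that cannot be rebooted is ranked first as critical with a compensating-control action, and the OpenSSL finding on the historian is ranked second with a straightforward patch action. Each record carries the advisory, installed and fixed versions, host, action and date, which is the documentation an auditor asks for.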

Key Provisions of the EU Cyber Resilience Act (CRA)

The CRA affects OT systems in two major areas: product design and security, and supply chain safety. For products sold in the EU, the CRA imposes the following requirements:

1. Product Security Validation

Manufacturers must demonstrate the security of their products throughout their entire lifecycle, including design, manufacturing, and deployment by end users.

2. Vulnerability Reporting and Response

Companies must provide mechanisms for reporting vulnerabilities and timely remediation of identified security issues.

3. Security Updates

Products must receive necessary security updates for a reasonable period after sale to protect consumers and industrial users from emerging threats.

4. Accountability and Compliance

Manufacturers are responsible for their products’ security and are liable to face fines or market access restrictions for non-compliance.

Regulatory Requirements for Dynamic Risk and Response Management

New regulations mandate that organizations, particularly those involved in critical infrastructure sectors, develop comprehensive cybersecurity plans. These plans must include risk assessments, preventive measures, and post-incident response mechanisms. The dynamic and forward-looking nature of risk management is more critical now than ever.

According to our 2024 survey, 74% of companies prioritize regularly updating risk assessments to address emerging threat intelligence, highlighting the urgent need for dynamic risk management. Furthermore, 57% of companies incorporate OT cybersecurity best practices into daily operations, a strategy that enhances employee security awareness, optimizes business processes, and reduces human error.

The U.S. Transportation Security Administration (TSA) has issued a Notice of Proposed Rulemaking focused on enhancing cybersecurity risk management within the surface transportation sector. This rule was developed in response to the 2021 attack on the largest refined products pipeline in the U.S., Colonial Pipeline. Organizations potentially subject to these regulations must submit their comments by February 5, 2025. The TSA aims to mitigate the risks and potential impacts of successful attacks or cybersecurity incidents on pipelines, railroads, or OTRB (Over-the-Road Bus) systems.

Under this proposed rule, affected entities would be required to establish a Cybersecurity Risk Management (CRM) program that includes:

  • Conducting annual enterprise-wide cybersecurity assessments to evaluate current cybersecurity posture against target profiles.
  • Developing a Cybersecurity Operational Implementation Plan detailing the roles responsible for executing the cyber response management program and outlining measures for identifying, monitoring, and safeguarding critical systems.
  • Creating a Cybersecurity Assessment Plan to identify unaddressed vulnerabilities, with schedules for assessments and annual reporting of assessment outcomes.

QF4: How does your organization continuously improve its risk management processes in industrial cybersecurity?

Figure 3.5. Methods for Improving Risk Management Processes

Organizations must establish clear response plans for scenarios such as cyberattacks, data breaches, and system outages, ensuring these plans are regularly updated and rehearsed.

For example, the Transportation Security Administration (TSA) requires companies to conduct regular cybersecurity audits to ensure that measures align with current standards. It also mandates the annual completion of risk assessment reports, emphasizing the importance of continuous progress in cybersecurity management.

[percentage not captured] of companies conduct drills of their OT incident response plan, the highest rate among all types of simulations.

This underscores the widespread recognition of the importance of rapid response in mitigating the impact of cyberattacks.

QB6: Did your company conduct any drills related to OT security response processes within your organization in the last 12 months?

Figure 3.6. Drills Conducted for OT Security Response in the Past 12 Months

Enhancing Incident Reporting and Information Sharing

The U.S. has bolstered its cybersecurity posture with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), mandating real-time incident reporting. However, the rollout faces hurdles because balancing privacy with information sharing remains a significant challenge. Moreover, some organizations under Sector Risk Management Agencies (SRMAs) may lack the tech or manpower to fully comply, particularly smaller or resource-limited entities.

Looking ahead, CISA will collaborate with SRMAs to pinpoint gaps in information exchange and ensure system interoperability. Where SRMAs are weak on information sharing, CISA will step in to enhance capabilities. This involves coordinating with SRMAs, the Department of Justice (DOJ), and other federal bodies to implement CIRCIA effectively, including publishing notices and rules, and streamlining incident report processing and sharing.

Encouraging Information Flow

The TSA actively encourages inter-organizational information exchange to improve responses to emerging threats. By collaborating with agencies like the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), the TSA ensures seamless communication between stakeholders. This rapid and transparent information exchange mechanism facilitates swift responses and effective mitigation of cybersecurity incidents. It demonstrates and upholds the importance of collaboration and intelligence sharing in enhancing OT cybersecurity.

Copyright © 2025 TXOne Networks. All rights reserved.