Cyber-Resilient Energy & Utilities

A research brief for the campaign website (with references) and a direct map back to voter-facing issues

Abstract

U.S. utilities—electric power, drinking water, wastewater, and natural gas—have become high-value targets for ransomware and disruptive cyber operations. Modern utility operations depend on interconnected IT/OT (information technology / operational technology) systems, remote access, and distributed assets that expand the attack surface. The strategic risk is no longer limited to data theft: cyber incidents can disrupt service, damage physical equipment, and trigger cascading failures across regions. This paper outlines a pragmatic, security-first modernization approach anchored in zero-trust architectures, AI-assisted anomaly detection, and decentralized / segmented control nodes designed to contain intrusions and keep essential services running safely. The policy goal is resilience—utilities that can degrade gracefully, isolate compromised components, and restore operations quickly without paying ransoms or endangering the public.

1) The threat: utilities are “critical infrastructure” and attackers know it

Utilities sit at the intersection of public safety and national security. Ransomware crews and state-aligned actors target organizations where downtime is intolerable and public pressure can force rapid concessions. The FBI has described ransomware as a leading cyber threat to U.S. critical infrastructure, with complaints tied to critical infrastructure sectors rising in 2024.

What’s changed over the last decade:

  • IT/OT convergence: business networks increasingly connect to industrial control systems (ICS) for monitoring, analytics, maintenance, and remote operations—creating pathways for lateral movement if identity and segmentation are weak.

  • Remote access reality: contractors, vendors, and operators often connect from outside the plant or substation; those “edges” become the new perimeter.

  • Distributed assets: microgrids, DERs (distributed energy resources), and networked sensors improve efficiency but also expand the set of devices that must be secured, monitored, and updated.

The core voter point: blackouts and contaminated water aren’t inconveniences—these are safety failures with real economic and human costs.


2) Why traditional “perimeter security” fails in utility environments

Classic security assumed a trusted internal network protected by a firewall “moat.” Zero-trust reverses that assumption: assume breach, verify continuously, and grant the least privilege required. NIST’s Zero Trust Architecture (SP 800-207) formalizes these principles and the architectural components needed to enforce them at scale.

CISA reinforces the same direction with federal guidance and a maturity model focused on identity, devices, networks, applications, and data.

For utilities, the complication is that OT environments often require:

  • high availability,

  • deterministic timing,

  • legacy devices with limited security controls,

  • safety constraints that make “patch immediately” unrealistic.

So the correct approach is not copy-pasting enterprise IT controls into OT—it’s engineering resilience around them.


3) A practical technology solution stack

A. Zero-trust for utility operations (IT and OT)

Target outcome: an intruder cannot move freely just because they got inside one network segment.

Key controls:

  • Strong identity with phishing-resistant MFA for staff and vendors (especially remote access)

  • Micro-segmentation between enterprise IT, OT supervisory networks, and safety-critical zones

  • Continuous policy enforcement (device health, user context, workload identity)

  • Explicit authorization per request, not “trusted once, trusted forever”
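As an added illustration (not code from the brief, NIST, or CISA), the following shows what “explicit authorization per request” looks like when the request context includes MFA type, device health, role, and target zone; the zone names, role table, and MFA list are assumptions chosen for a utility setting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative policy tables (assumptions, not a standard): MFA methods counted as
# phishing-resistant, and which roles may issue control ("write") actions per zone.
PHISHING_RESISTANT_MFA = {"fido2", "piv_smartcard"}
WRITE_ROLES = {
    "enterprise_it": {"it_admin"},
    "ot_supervisory": {"operator", "ot_engineer"},
    "safety_critical": {"ot_engineer"},
}

@dataclass
class Request:
    user: str
    role: str
    mfa: str                    # MFA method bound to this session
    device_healthy: bool        # posture reported by the endpoint agent right now
    zone: str                   # segment the request targets
    action: str                 # "read" or "write"
    now: datetime
    expires: Optional[datetime] = None   # set for vendor / time-bound accounts

def authorize(req: Request):
    """Decide one request from its current context only; nothing from earlier calls is reused."""
    reasons = []
    if req.zone not in WRITE_ROLES:
        reasons.append(f"unknown zone {req.zone!r}")
    elif req.zone != "enterprise_it" and req.mfa not in PHISHING_RESISTANT_MFA:
        reasons.append("OT zones require phishing-resistant MFA")
    if not req.device_healthy:
        reasons.append("device failed health check")
    if req.expires is not None and req.now >= req.expires:
        reasons.append("time-bound access window has ended")
    if req.action == "write" and req.role not in WRITE_ROLES.get(req.zone, set()):
        reasons.append(f"role {req.role!r} may not write to {req.zone}")
    return (not reasons, reasons)

def demo():
    """Constructed scenarios: the same operator is re-evaluated, not remembered as trusted."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    op = dict(user="op1", role="operator", mfa="fido2", device_healthy=True,
              zone="ot_supervisory", action="write")
    return {
        "operator_ok": authorize(Request(**op, now=t0)),
        "operator_unhealthy": authorize(Request(**{**op, "device_healthy": False}, now=t0 + timedelta(minutes=1))),
        "operator_safety_write": authorize(Request(**{**op, "zone": "safety_critical"}, now=t0)),
        "vendor_expired": authorize(Request("vendor7", "ot_engineer", "fido2", True, "ot_supervisory", "read", now=t0, expires=t0 - timedelta(hours=1))),
        "vendor_totp": authorize(Request("vendor8", "ot_engineer", "totp", True, "safety_critical", "read", now=t0, expires=t0 + timedelta(hours=4))),
    }
```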

B. AI-assisted anomaly detection for early warning (with guardrails)

Target outcome: detect abnormal behavior (credential misuse, unusual control commands, unexpected data flows) fast enough to isolate before disruption.

In OT, “AI” should be used conservatively:

  • baseline normal operational telemetry,

  • flag deviations for human review,

  • prioritize high-confidence indicators,

  • avoid autonomous control actions that could create safety risk.

This is best paired with strong asset inventory and visibility—knowing what exists and what it’s doing.
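An added example (not code from the brief or DOE) of the conservative pattern above: a detector that learns a baseline from constructed pump telemetry, flags only persistent, high-confidence deviations, and can do nothing except queue an advisory for a human; the asset name and readings are constructed.

```python
import statistics
from collections import deque

# Constructed baseline telemetry: 24 hourly discharge-pressure readings (psi) from one
# pump during normal operation. A real baseline would come from the asset inventory's
# telemetry history, not a hard-coded list.
BASELINE_PSI = [61.2, 60.8, 61.5, 61.0, 60.9, 61.3, 61.1, 60.7, 61.4, 61.0, 60.6, 61.2,
                61.1, 60.9, 61.3, 61.0, 60.8, 61.2, 61.4, 60.9, 61.1, 61.0, 60.7, 61.3]

class AdvisoryDetector:
    """Scores live readings against a learned baseline and emits advisories only.
    It has no path to actuators or control commands: each advisory is a queue entry
    for an operator to review, which is the conservative OT posture described above."""

    def __init__(self, asset, baseline, z_threshold=4.0, persist=3):
        self.asset = asset
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.z_threshold = z_threshold       # how far outside normal counts as abnormal
        self.recent = deque(maxlen=persist)  # require `persist` consecutive outliers
        self.advisories = []

    def observe(self, value):
        """Score one reading; return (z-score, whether an advisory was raised)."""
        z = (value - self.mean) / self.stdev
        self.recent.append(z)
        raised = False
        if len(self.recent) == self.recent.maxlen and all(abs(r) >= self.z_threshold for r in self.recent):
            # score = weakest reading in the run; a single spike never gets this far
            score = round(min(abs(r) for r in self.recent), 1)
            self.advisories.append({"asset": self.asset, "score": score,
                                    "readings": list(self.recent), "action": "REVIEW"})
            self.recent.clear()   # do not re-raise for the same excursion every sample
            raised = True
        return z, raised

    def review_queue(self):
        """Advisories ordered so the highest-confidence indicators are reviewed first."""
        return sorted(self.advisories, key=lambda a: a["score"], reverse=True)
```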

C. Decentralized / segmented control nodes to prevent cascading failures

Target outcome: if one area is compromised, it can be islanded (logically and operationally) so the rest continues safely.

Design principles:

  • “blast-radius reduction” via segmentation and fail-safe modes

  • local control capability when central systems are degraded

  • pre-planned isolation procedures, tested like fire drills

DOE’s Cyber-Informed Engineering (CIE) explicitly argues for designing physical systems so that cyber compromise cannot easily translate into catastrophic physical consequences.


4) Standards and sector expectations already point this way

This platform is not speculative—it aligns with existing national and sector guidance:

  • NIST SP 800-207 provides the canonical definition and roadmap for zero-trust architecture.

  • CISA publishes zero-trust resources and a maturity model widely used in critical infrastructure programs.

  • CISA #StopRansomware provides cross-sector practices to prevent, respond to, and recover from ransomware.

  • DOE CESER advances energy-sector cyber resilience, including Cyber-Informed Engineering and distributed energy cybersecurity considerations.

  • NERC CIP standards govern cybersecurity requirements for the North American Bulk Electric System (e.g., identifying and categorizing critical cyber systems).

  • EPA water-sector cybersecurity resources reflect the increasing cyber risk to drinking water and wastewater systems and provide baseline hygiene and planning guidance.


5) Policy actions that translate into real resilience (not buzzwords)

1) Minimum cyber-resilience benchmarks for utilities (outcome-based)

Tie expectations to outcomes utilities can demonstrate:

  • segmentation/islanding capability,

  • tested incident response & recovery,

  • strong identity controls for remote access,

  • offline backups and restore drills.

This complements, rather than replaces, existing frameworks like CISA guidance and sector standards.

2) Fund “CIE-style” upgrades for high-impact nodes

Prioritize grants/financing for engineering controls that reduce worst-case consequences:

3) Require secure vendor access and supply-chain hygiene

Many utility intrusions begin with vendors, remote tools, and third-party software. Establish enforceable requirements for:

  • least-privilege vendor accounts,

  • time-bound access,

  • audited sessions,

  • software and firmware lifecycle commitments.

4) Create fast lanes for mutual aid + real-time cyber sharing

Utilities already share physical crews during storms. Extend this model to cyber:


6) Map back to the campaign’s core “issues voters feel”

Here’s how Cyber-Resilient Energy & Utilities connects directly to the broader platform planks you’re building:

  1. Cybersecurity for Government That Matches the Threat
    Utilities are the front line of national resilience. Zero-trust + ransomware readiness is the same modernization principle applied to the most essential services.

  2. Decentralized Energy Resilience
    Microgrids and local resilience are powerful—but only if they’re engineered to isolate, fail safely, and resist compromise. Decentralized control nodes are both a reliability and a security strategy.

  3. Resilient Infrastructure Monitoring (AI + Sensors)
    Sensors are only useful if their data can be trusted and disruptions are detected early. AI anomaly detection supports maintenance and security simultaneously—when designed with OT safety constraints.

  4. Modern Emergency Response Coordination
    When utilities fail, emergency services feel it immediately. Cyber incident playbooks and mutual-aid cyber coordination reduce chaos during storms and attacks alike.

  5. Disaster Response & Aid Distribution That Can’t Be Gamed
    Power outages and water disruptions create secondary disasters (housing displacement, supply shortages, medical risk). Resilient utilities reduce the scale and duration of disaster declarations in the first place.

  6. Digital Identity Privacy & Verification (your identity plank)
    Zero-trust relies on strong authentication, but it can be implemented with privacy-preserving principles: verify access without turning utilities into surveillance systems. (Identity is a security control—not a data-collection excuse.)


Conclusion

Cyber-resilient utilities are a national security imperative. The realistic path forward is not flashy: it’s disciplined architecture (zero-trust), disciplined engineering (cyber-informed design that limits consequences), and disciplined operations (monitoring, drills, recovery planning). The payoff is simple and voter-clear: fewer blackouts, safer water, more reliable heat and fuel, and less leverage for criminals and hostile states.
