Utilities security shifts from locks to cyber-physical defense

The complexity gap

The sharpest lesson from the Protecting Utilities session at ISC West in Las Vegas is that utility security is no longer something you solve with better hardware alone. Electric, water, and public utilities are facing rising cyber and physical pressure at the same time, which turns a simple lock-and-door mindset into a layered access problem where compliance, continuity, and attack response all have to line up.

That shift matters to the physical security trade because utilities sit at the point where hardware selection, key control, electronic access, and regulatory obligations all collide. The session, hosted by the Security Industry Association’s Utilities Advisory Board, brought that collision into focus by treating utility protection as a convergence problem, not a siloed installation job.

What the ISC West panel actually surfaced

The discussion brought together experts from Wasabi, Siemens, HID, and Hanwha, with Frank Dawson of Southern Company delivering the keynote perspective. That mix mattered because it mirrored the reality utilities live with: one team may own identity systems, another manages operational technology, another handles field access, and another is accountable for compliance. None of those lanes is enough on its own.

The broader takeaway was not that one product category failed or succeeded. It was that security in this environment has to deter, detect, and defeat bad actors while still meeting the rules that govern critical infrastructure. In a utility context, a lock is never just a lock, because it is tied to who can enter, who can audit, who can respond, and who can prove the system held up under scrutiny.

Why Dawson’s security mindset lands so hard

Dawson’s keynote centered on a mindset shift that every security team can feel in practice. He drew a line between policing and security: policing is reactive, while security has to be proactive and focused on protecting assets before an incident occurs. That is a useful distinction in any building, but in utility work it becomes a operational philosophy.

Southern Company’s internal Physical Security Technology Team shows how that philosophy gets translated into practice. Dawson described a model built around subject matter experts from IT, NERC-CIP, and operating-company representatives. That kind of team structure sends a clear signal to the physical security side of the trade: critical-infrastructure protection is a collaborative discipline, not a one-person review of hardware on a spec sheet.

Why the standards environment raises the bar

The regulatory backdrop explains why the bar keeps moving upward. North American Electric Reliability Corporation CIP-014-3 is the physical security reliability standard designed to identify and protect transmission stations, transmission substations, and associated primary control centers that could trigger instability, uncontrolled separation, or cascading within an interconnection if they are physically attacked. That is not a routine facility standard; it is a reliability safeguard tied directly to grid stability.

Federal Energy Regulatory Commission action sharpened that focus. In December 2022, in Docket No. RD23-2-000, FERC directed NERC to evaluate CIP-014-3 after an increase in reports of physical attacks on electric substations. In other words, the standard was not being discussed in a vacuum. The pressure came from a real rise in threat activity, and the rulemaking response made clear that physical security failures could not be treated as isolated events.

NERC’s January 2026 Critical Infrastructure Protection Roadmap pushes that same logic forward. Its goal is to keep the CIP standards as an effective baseline for cyber and physical security risk management for the bulk power system. That matters for lock and access professionals because the baseline is no longer just about keeping a door closed. It is about proving the whole access chain, from credentials to response plans, can hold under stress.

Compliance helps, but it does not close the gap

FERC’s fiscal year 2025 lessons-learned report reinforces the same point from another angle. During those non-public Critical Infrastructure Protection audits of U.S.-based NERC-registered entities, most audited organizations met the mandatory cybersecurity requirements. But the report also identified remaining gaps and security risks, which is the kind of language that should make every security team pay attention.

That combination, broad compliance with still-open risk, is exactly why utility work cannot be reduced to a pass-fail checklist. Meeting the rule is necessary, but it does not mean the site is resilient. For locksmiths, integrators, and vendors, the practical lesson is that critical-infrastructure projects require layered planning, regulatory awareness, and technical coordination across teams that do not always speak the same language.

Why CISA’s framing matters to the trade

The Cybersecurity and Infrastructure Security Agency adds the bigger national picture. CISA says the energy sector is uniquely critical, and it notes that threats to critical infrastructure can have consequences for national security, the economy, and public health or safety. It also identifies 16 critical infrastructure sectors in the United States, which is a reminder that utility security sits inside a much larger system of dependencies.

That scale changes how you think about hardware selection and failure planning. A weak key-control process, a poorly coordinated access policy, or a missed link between physical and cyber teams is not just a local problem when the asset supports power delivery or other essential services. The consequences can ripple outward in ways that ordinary commercial security never has to absorb.

What this means on the ground

For the physical security side of the trade, the guide is straightforward even if the execution is not. Utility protection now demands more than sturdy cylinders, controlled key systems, and solid installs. It requires:

• layered physical and digital access decisions
• clear ownership between IT, operations, and compliance teams
• standards literacy, especially around CIP-014-3 and related CIP expectations
• a failure plan that assumes bad actors will probe for weak seams, not just weak doors

That is why utility security sessions like the one at ISC West matter so much. They show a sector that has already moved past the idea that one lock, one badge reader, or one policy can carry the load. The real job is building a system where the physical and the cyber pieces reinforce each other before an incident tests the gaps.

At the end of the day, the complexity gap is the story: securing utilities is no longer about making the door harder to open. It is about making the entire access chain harder to break, harder to misuse, and faster to recover when someone tries.