Designing OT Security for Utility Leaders and Infrastructure Investors
By Victor Atkins
The traditional model for securing operational technology in the energy sector is breaking down amid accelerated project timelines and more capable cyberthreats. To maintain grid reliability and protect asset value, energy companies and private capital must shift their approach, building cybersecurity into the design phase rather than treating it as a downstream add-on.
For decades, the North American electricity sector has operated under steady load growth and relatively forgiving capital market conditions that supported long planning horizons and predictable timelines to deliver infrastructure projects. In that context, regulated electric utilities designed and ran operational technology (OT) for availability, safety and long asset life under cost-of-service regulatory frameworks. OT security controls were added later in the asset life cycle, layered onto in-service systems and funded as an operating expense rather than being treated as capital design requirements.
As such, OT security controls have not been required during design and build phases. They are usually treated as a downstream responsibility handled by operations and maintenance (O&M) after a site is commissioned and in service. These controls have been incorporated gradually, approved only if they did not compromise reliability or materially increase customer costs. That approach has made sense under traditional market conditions because it matched expectations for long asset lives, slower delivery tempo, and a regulatory model built around prudent, stepwise improvement that clearly demonstrates benefits to customers.
Those assumptions are quickly breaking down. Delivery timelines for infrastructure projects are compressing, and stakeholders increasingly expect evidence that sites will operate safely and reliably from day one. At the same time, cyberthreats are more persistent and more capable of causing real harm to the power grid, including downtime and damage to equipment that is not easily replaced. Yet many OT security decisions are still made piecemeal after commissioning, once sites are in operational mode, when changes are harder and more costly to integrate.
Today’s electricity market conditions raise the stakes further. After nearly two decades of flat demand, load growth is projected to accelerate — roughly 5%-6% annually through the end of the decade — driven largely by AI and data centers. Large U.S. utility holding companies forecast capital spend rising from about $190 billion in 2026 to more than $220 billion by 2030. The result is more electricity infrastructure delivered faster, with investors, regulators and customers each demanding dependable operational performance and showing less tolerance for uncertainty and risks to performance. Under the standard approach of treating OT security as a downstream add-on, these infrastructure assets are increasingly exposed to disruptive cyberthreats that can harm the public and negatively impact national security.
To meet this moment, energy companies and investors should work together to require that OT security is adequately engineered into infrastructure designs and validated through delivery and turnover so assets enter service with greater resilience against threats that can cause downtime and disruption.
A core reason OT security has remained a downstream issue is that engineering requirements are still anchored in standards of care established before digital connectivity, remote access and software-defined control systems became foundational to how the power grid operates. Engineering disciplines manage failure modes using deterministic assumptions and relatively static threat models. Those assumptions do not hold for cyber risk, which is inherently adaptive and adversarial, and historically outside what a “reasonably prudent engineer” has been expected to consider.
Meanwhile, cybersecurity matured as an IT and compliance function, typically applied after key architecture decisions were locked in. That has created a structural gap in which engineers are rarely trained, incentivized or authorized to account for cyber consequences during design. In addition, existing codes, professional licensure, liability precedent and procurement practices have collectively kept cybersecurity from penetrating core engineering considerations in ways that would meaningfully reduce the operational impacts of a cyber incident.
In a digitally operated grid, that legacy division is no longer defensible. Cyber failure is operational failure, and a compromise is now a credible driver of safety, reliability, resilience and national security outcomes.
Utility leaders can respond by pulling OT security into the capital delivery life cycle: making Cyber-Informed Engineering boundary conditions explicit; requiring security architecture decisions during design phases; and holding engineer-procure-construct (EPC) contractors, original equipment manufacturers (OEMs), integrators and internal teams accountable to testable resilience outcomes before turnover. If utilities do not lead this shift, they will continue to inherit risks that compound long after the asset is energized.
The capital model for new energy infrastructure is changing. More projects now bring private capital into ownership or minority stakes while operational control stays with the asset owner. In that structure, the operators are responsible for managing cyber risks, and yet an OT security failure caused by a cyber incident (e.g., forced outages, equipment impact, prolonged recovery, safety exposure, reputational harm) would still destroy value for investors. That mismatch is exactly why OT security cannot remain exclusively a downstream O&M concern.
In practice, market pressure to deliver electricity infrastructure quickly can preserve the old habit: energize first, harden later. But threats and economics have changed, and OT security cannot be treated as optional based on whether a project happens to trigger a particular compliance obligation. If the traditional utility life cycle is not keeping pace with systemic OT risk, investors should use their leverage while it still exists, during design and delivery. To protect their investment, they must treat OT security as a capital delivery requirement by driving architecture and engineering decisions before turnover and by defining measures to verify that security is folded into long-term O&M governance.
Investors do not need to specify every OT security control or become engineers. They need to require clear, testable acceptance outcomes, just as they do for schedule readiness, performance guarantees and quality assurance. In resilience terms, those outcomes should demonstrate the ability to anticipate, withstand, recover and adapt after a cyber event. Those expectations can be set through governance and contracting mechanisms that drive upstream execution, such as:
When investors set OT security expectations early and require evidence before turnover, they reduce the odds that cyber risk becomes operational disruption and prevent “temporary” delivery exceptions from hardening into operating debt that erodes availability and long-term value.