I came into operational-technology security at a moment when the field was still figuring out what it wanted to be. NERC CIP v3 was the working regime; v5 was on its way; and the first generation of Smart Grid pilots was starting to land at utilities across North America. That stretch — roughly 2012 to 2018 — is where most of modern ICS security's practitioner vocabulary got fixed. Walking the floor at DistribuTECH 2025 in Dallas this past March was a useful prompt to look back at that window from where the industry sits today — and to write down which lessons still hold up.

The NERC CIP v5 transition

NERC CIP v5 was a serious regulatory shift, and not for the reasons most people remember. The headline change — moving from "critical assets" to "BES Cyber Systems" — was real, but the deeper change was that v5 required organizations to think about their OT environments as systems with documented boundaries, identified asset relationships, and specific operational processes around access, change, and incident response. v3 had encouraged that posture. v5 mandated it.

I was the lead security architect on a v5 transition program through the mid-decade window. The work itself was less about new technology and more about applying engineering rigor to environments that had been treated as "components" rather than "systems" for a long time. Network diagrams that lived in someone's head got drawn. Access procedures that had been informal got formalized. Patch and change processes got real cadences. The transition itself was painful — it always is — but the discipline it baked in is still what most utilities lean on for their OT security posture today.

The Smart Grid pilots that actually moved the architecture

Parallel to the regulatory transition, the first wave of Smart Grid pilots was running. FLISR — Fault Location, Isolation, and Service Restoration — was the highest-profile of them. The premise is straightforward: when a fault occurs on a distribution feeder, the protection system locates the fault, isolates the affected segment, and restores service to as many customers as possible without dispatching a crew. Done well, FLISR turns 90-minute outages into 90-second outages.

What FLISR required architecturally was significant: distribution automation devices (reclosers, switches, sectionalizers) that could be operated remotely, with bidirectional communication back to a control center on a tight latency budget. Volt-VAR Optimization (VVO) was the analogous program for voltage and reactive-power management — monitored line sensors plus remotely-controlled capacitor banks coordinating across the distribution feeder. Line sensors were themselves a generational leap: continuous, high-resolution monitoring of distribution-system state, where most utilities had previously had visibility only at substations.

All three — FLISR, VVO, line sensors — pushed the operational-technology stack into territory it hadn't lived in before. They needed reliable communications with field devices on a schedule and at a scale that legacy OT communications couldn't meet. So the protocols moved.

When the protocols moved

The protocol evolution is the part of this story that's easiest to underestimate. In 2010, most distribution OT communications were Modbus or DNP3 running over serial — RS-485 or low-bandwidth radio. By 2015, the same protocols were running encapsulated over IP networks: cellular, fiber, IP-mesh radio. The semantic content of DNP3 didn't really change. What changed was the transport.

That sounds incremental. It wasn't. Encapsulating an OT protocol over IP makes a number of things newly available: routability, multiple endpoints, observable network traffic, standard troubleshooting tooling, and — critically for security — the entire IT-side toolkit of network monitoring, segmentation, and intrusion detection. It also makes a number of things newly threatening: the same routability means the attack surface is no longer bounded by a copper cable, and the same observable traffic means you now have a responsibility to monitor it.
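An added example, not part of the original post: a minimal passive check for DNP3-over-TCP traffic, the kind of monitoring that only becomes possible (and necessary) once the link is IP-encapsulated. It parses the link-layer header, which is the same bytes on a serial line and inside a TCP segment, validates the header CRC, and flags frames that claim to come from a master outside a documented allowlist. The IP addresses, DNP3 addresses and `ALLOWED_MASTERS` table are hypothetical, and the sample frames are constructed.

```python
import struct

# Hypothetical documented boundary: (peer IP, DNP3 source address) pairs
# that are allowed to speak as a master on this segment.
ALLOWED_MASTERS = {("10.20.0.5", 1)}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_header(ctrl: int, dest: int, src: int) -> bytes:
    """Constructed sample input: header-only link frame (LEN=5, no user data)."""
    hdr = struct.pack("<BBBBHH", 0x05, 0x64, 5, ctrl, dest, src)
    return hdr + struct.pack("<H", crc16_dnp(hdr))

def parse_header(frame: bytes) -> dict:
    """Parse the 10-byte link header: 0x05 0x64, LEN, CTRL, DEST, SRC, CRC."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("no DNP3 start bytes")
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if length < 5:
        raise ValueError("LEN below minimum of 5")
    if crc != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    return {"from_master": bool(ctrl & 0x80), "func": ctrl & 0x0F,
            "dest": dest, "src": src}

def check_frame(peer_ip: str, frame: bytes) -> str:
    """Return 'ok' or an alert string for one observed frame."""
    try:
        hdr = parse_header(frame)
    except ValueError as exc:
        return f"ALERT malformed frame from {peer_ip}: {exc}"
    if hdr["from_master"] and (peer_ip, hdr["src"]) not in ALLOWED_MASTERS:
        return f"ALERT undocumented master {peer_ip} (DNP3 src {hdr['src']})"
    return "ok"

if __name__ == "__main__":
    reset_link = build_header(0xC0, dest=1024, src=1)  # DIR=1, PRM=1, func 0
    print(check_frame("10.20.0.5", reset_link))
    print(check_frame("10.20.9.9", reset_link))
    print(check_frame("10.20.0.5", reset_link[:9] + bytes([reset_link[9] ^ 0xFF])))
```

On a serial link the allowlist would have nothing but the DNP3 address to key on; the peer IP is the extra signal the new transport provides.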

In parallel, IEC 61850 was starting to land in substations as the modern replacement for the protocol soup of substation automation. ICCP (TASE.2) was already established for inter-control-center communications. The pattern across all three is the same: OT systems began speaking IT-shaped protocols, moving onto IT-shaped networks, and inheriting both the capabilities and the responsibilities of IT systems. In some cases the transition was honest — IEC 61850 is a thoroughly modern protocol that happens to do OT-shaped things. In other cases it was a wrapper — DNP3 or Modbus encapsulated over IP, where the protocol itself didn't change but its delivery context did completely.

OT/IT convergence as a long arc

What "OT/IT convergence" means has shifted across the decade. In 2015, it mostly meant OT systems are now reachable on IP networks, so figure out how to secure them. Today it means something more like OT systems and IT systems share infrastructure, monitoring, identity, and lifecycle expectations — sometimes by design, often by accident, always with friction. The convergence is real. It just isn't clean.

The persistent friction comes from a small number of structural mismatches: OT device lifecycles measured in decades versus IT device lifecycles measured in years; OT operational tempo (you cannot interrupt a process for a re-auth challenge) versus IT security paradigms (continuous re-authentication, rotation, aggressive patch cadences); OT vendor stacks that are slow to change versus IT vendor stacks that turn over constantly. Convergence doesn't make these mismatches go away. It makes them more visible — and forces every utility to develop a posture for managing the seams rather than pretending the boundary still holds.

What I take from the decade

The lessons that most reliably hold up, looking back from 2025:

  • Document your boundaries before you secure them. v5 forced this discipline; it's why utilities that came through that transition are in better shape than ones that didn't.
  • Treat protocol transport as a first-class architectural concern, not an implementation detail. The day a serial DNP3 link becomes IP-encapsulated DNP3 is the day your security model has to change.
  • Expect IT speed to outrun OT lifecycle by an order of magnitude, and design for the gap rather than against it. Patches will arrive faster than your fleet can absorb them; identity standards will rotate faster than your devices can speak them. That gap is a fault line — two systems moving at different velocities, with friction that sometimes ruptures into incident. It needs explicit owners and explicit expectations.
  • Convergence is a process, not a state. Every year I've worked in this domain has been another increment of the same long arc — a few new threats, a few more capabilities, the same underlying tension being managed slightly better than the year before.

The pilots and programs of the mid-decade window are mostly mature now. FLISR is broadly deployed. NERC CIP v5 has been superseded. The protocols still wrap legacy semantics in modern transport. And the OT/IT rift is still where the most interesting and consequential work in this domain lives.

DistribuTECH 2025 in Dallas made the next chapter visible — modern OT platforms like GE Vernova's GridOS landing on top of Kubernetes, with all the friction that implies — and that's the next post in this section.