Policy Pulse: Regulatory Roundable is a new monthly feature of the Critical Assets Podcast. Join Patrick Miller, Joy Ditto, and Earl Shockley as they break down the latest policy, regulatory, and legislative changes impacting critical infrastructure, OT, and cybersecurity. If it affects your assets, audits, or authority, we’re covering it, straight from the policy frontlines.

Policy Pulse: Regulatory Roundable is a new monthly feature of the Critical Assets Podcast. Join Patrick Miller, Joy Ditto, and Earl Shockley as they break down the latest policy, regulatory, and legislative changes impacting critical infrastructure, OT, and cybersecurity. If it affects your assets, audits, or authority, we’re covering it, straight from the policy frontlines.

Patrick Miller talks with Kylie McLanahan about the messy reality of vulnerability management in OT environments. They dig into the pressure to patch, standardization benefits of machine readability and the CSAF, the limits of CVSS, and how CISA’s KEV list fits into prioritization efforts. Kylie brings insight from across the ecosystem (vendors, regulators, and asset owners), offering strategies to cut through the noise and focus on what matters most. From patch fatigue to risk-based triage, this episode is packed with practical advice for managing cyber risk when time, tools, and resources are limited.

In this episode, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.

In this episode, we sit down with Lesley Carhart (@hacks4pancakes), a renowned expert in OT/ICS incident response and forensics, to explore the unique challenges of defending critical infrastructure against cyber threats. Lesley shares insights into how internal OT teams can better support external IR teams, evaluates global and sector-specific preparedness, and discusses the impact of regulations on effective incident response. We delve into the complexities of defining and reporting incidents, the potential for improved approaches, and actionable advice for those looking to enhance their IR and forensics skills.

Join us for a discussion on Energizing Cybersecurity Careers: Workforce Development in the OT/ICS Community. Guests Cynthia Hsu and Erin Owens dive into the cybersecurity challenges facing Industrial Control Systems and Operational Technology asset owners. Through open conversations, we explore everything from skill gaps and career pathways to diversity, continuous learning, and the impact of new technologies. This session aims to provide insights into developing a skilled, diverse cybersecurity workforce – starting from the ground up – with a focus on practical strategies for professionals, educators, and anyone interested in the future of ICS/OT security.

In this episode, we take a deep dive into the world of Cyber Informed Engineering (CIE), joined by Ginger Wright, the Program Manager at Idaho National Laboratory. This episode unpacks CIE's strategic efforts in integrating cybersecurity into the very fabric of engineering critical infrastructure. We discuss the evolution of CIE and how it's transforming the approach to system design. We cover the synergy between engineers and cybersecurity experts and the implementation of engineering-based mitigations. Get insights on building resilience into critical systems from the ground up.

Join Patrick Miller, CEO of Ampere Industrial Security and his guest Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks as they continue their debate on the topic: "If you could have only one cybersecurity regulation, what should that be?" They cover everything from threat hunting, vulnerability management, attack surface management, incident response, breach notification, risk quantification, cybersecurity insurance, NIS2, NERC CIP, and what's best for corporate vs. public good.

Join Patrick Miller, CEO of Ampere Industrial Security and his guest Amanda Freick, CRO of Altruistic as they discuss the need for collaboration and breaking down cultural barriers to effectively utilize data and drive innovation in the energy sector with AI/ML. We also touch upon the importance of approaching generative AI and language models like GPT with a strategic mindset, understanding the specific needs and goals of the organization before implementation.

Hear from an experienced ICS/OT Security Manager, Gabe Agboruche, on how to enter or upskill into the ICS/OT cybersecurity field. He answers questions such as… What training is available? What are the biggest obstacles? What are some common job roles? What are the best paying job roles? We also cover the asset owner’s perspective on how they can obtain and retain new cybersecurity professionals.

Getting started with ICS and OT security metrics can be hard. What do you measure? How do you represent it? Do you even have the data? In this podcast, we talk with Erin Torruella to share her experience from building and managing metrics for multiple different sectors.

FERC has issued Order 887, directing NERC to create new Critical Infrastructure Protection (CIP) cybersecurity standards for Internal Network Monitoring Systems (INSM). Hear from a real electric utility asset owner, on what this Order means for the industry and what you should do next.