The Clock Is Ticking: CS4CA 2026’s Biggest Signals for Critical Infrastructure Defenders


Nation-state threats, IT/OT convergence, and the limits of traditional defenses took center stage in Houston — here’s what decision-makers need to know. 

Houston, We Have a Cybersecurity Moment 

For two days in March, more than 250 senior cybersecurity leaders from across the energy, water, oil & gas, and industrial sectors gathered in Houston for the 14th edition of CS4CA USA — the nation’s leading summit for critical infrastructure security. The event was a frank and at times sobering examination of where the sector stands: underprepared, outpaced, and facing adversaries who are increasingly sophisticated, patient, and targeted. 

Daryl Haegley, Technical Director for Control Systems Cyber Resiliency at the United States Department of the Air Force, opened and chaired the summit — a signal in itself. When military leadership frames the conversation, the room listens. His presence reinforced what attendees already knew: protecting OT environments is no longer just an industry problem. It’s a national security imperative. 

CS4CA’s own pre-event research captured the stakes plainly: despite 87% of organizations increasing their cybersecurity spending, only 41% feel adequately equipped to manage future attacks. The message was clear — spending more isn’t the same as defending better. 

Here are the five trends that rose to the top across sessions, panels, and roundtables.

#1. Nation-State and Hybrid Threats Are the Operating Assumption

The opening discussion on securing critical infrastructure in the era of nation-state and hybrid threats made clear that sophisticated, well-resourced adversaries are now the default planning scenario, not the outlier. Leaders from utilities and industrial firms described attackers blending cyber operations with physical disruption and information campaigns, often probing OT environments for leverage that can degrade service or erode public trust. 

Instead of relying solely on detection, many organizations are shifting toward architectures that inherently constrain what an intruder can do—through tighter segmentation, more disciplined remote access, and in some cases hardware-enforced one-way paths from OT to IT. The goal is to reduce an attacker’s room to maneuver, even if they gain initial access. 

Take the next step with Owl: Discover how hardware-enforced protocol filtering diodes (PFDs) can help turn nation-state threat assumptions into concrete architectural safeguards for your most critical OT networks in our recent blog.

#2. The IT/OT Convergence Gap Is Now a Frontline Vulnerability

Across multiple sessions, speakers highlighted persistent misalignment between IT and OT teams: different risk tolerances, operational rhythms, and definitions of “secure”. In his case study, “One Enterprise, One Risk: Building a Strong IT-OT Security Culture,” Jim Betzhold, CISO at the South Florida Water Management District, emphasized that security programs only succeed when they reflect how the business actually runs, not when IT and OT operate as separate worlds. 

The conversations in Houston underscored that IT/OT convergence is now a live vulnerability, not a future-state aspiration. Every new connection that brings operational data to enterprise systems can also create a new path into control networks if not carefully engineered. To manage that risk, organizations are looking harder at where they truly need bidirectional connectivity, where they can rely on one-way transfer mechanisms such as data diodes, and how cross-domain architectures can provide visibility without exposing critical control segments. 

Take the next step with Owl: See how Owl’s PFDs help operators draw cleaner, more defensible lines between IT and OT while preserving the data flows operations teams depend on.

#3. Zero Trust Is a Design Constraint, Not a Slogan

Zero Trust appeared throughout the agenda as both a strategic mandate and a practical challenge. In sessions focused on protecting critical assets, speakers walked through how “assume breach” and “verify explicitly” principles are being applied to industrial networks, including remote engineering access, vendor connectivity, and cross-site communications. The consensus: Zero Trust is no longer optional for high-consequence environments, but implementing it in brownfield OT settings is complex.

Rather than trying to retrofit every legacy device, many organizations are prioritizing Zero Trust at key boundaries—between corporate IT and OT, between different trust zones, and across domain or site interfaces. That often means reducing “big pipe” connections, enforcing least-privilege access to specific services, and inserting controls that can strongly govern what crosses—down to protocol and content. 

Take the next step with Owl: Learn how Owl’s boundary-enforced Cross Domain Solutions can act as Zero Trust “choke points” between networks, tightly inspecting and controlling flows so that even legacy OT can benefit from a modern Zero Trust strategy.

#4. OT Risk Quantification Is Getting Real

CS4CA sessions also highlighted the growing push to quantify OT cyber risk in terms that resonate with executives and regulators. Industrial leaders and service providers shared approaches for combining vulnerability data with business impact metrics—safety implications, production loss, environmental impact, and regulatory exposure—to prioritize where limited resources should go first. 

This shift is changing the conversation from “How many vulnerabilities do we have?” to “Which failure scenarios matter most, and how do we reduce their likelihood or impact?” Architectures that can demonstrably limit lateral movement, simplify trust boundaries, or provide deterministic one-way flows increasingly feature as high-value investments in those discussions. 

Take the next step with Owl: Explore how Owl’s full suite of rigorously tested & globally trusted PFDs can support your OT risk reduction roadmap by shrinking attack paths and simplifying what you have to defend.

#5. Resilience Demands Deterministic, Not Just Reactive, Defenses

Finally, multiple speakers stressed that resilience in OT cannot rest solely on more monitoring, more alerts, or more tools. In talks on “reasonable responses to credible threats” and operational data strategies, presenters argued for designs where behavior remains predictable under stress and where the blast radius of inevitable incidents is tightly contained. 

For critical infrastructure operators, that translates into clearer segmentation, fewer shared failure points, and greater use of controls that are difficult to bypass through misconfiguration or credential theft. Hardware-enforced one-way flows, simplified trust zones, and well-understood cross-domain paths make it easier to reason about how systems will behave during an attack—and to restore operations safely afterward. 

Take the next step with Owl: Discover how to gain IT/OT visibility and protect uptime with Owl Talon™ PFDs in our upcoming webinar. 

Where CS4CA 2026 Points Next 

CS4CA 2026 captured a sector under pressure: facing nation-state-level threats, wrestling with IT/OT convergence, and trying to turn Zero Trust and resilience from buzzwords into daily practice. For energy and infrastructure organizations, the common thread is architecture—how data moves, where trust is granted, and how failures are contained when (not if) something goes wrong. 

Owl Cyber Defense has long worked with defense, government, and critical infrastructure operators on exactly these problems, from securing data flows out of high-consequence OT to enabling trusted cross-domain collaboration without opening dangerous backchannels. 

Ready to take the next step: If you are ready to translate the lessons from CS4CA 2026 into concrete design changes—whether that means hardening OT boundaries, rethinking IT/OT connectivity, or aligning with Zero Trust and regulatory expectations—connect with the Owl team to schedule a design session or technical workshop tailored to your environment. 

Contact Owl Cyber Defense 

 
