When the Grid Gets Hit: Inside OT Incident Response in Energy & Renewables

July 10, 2026

When a cyber incident impacts operational technology, every decision matters. Unlike traditional IT environments, energy operators must protect reliability, safety, and critical infrastructure while responding to targeted cyber threats.

In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joseph M. Saunders and Derrick Bethea, NERC Compliance Manager and OT Cybersecurity Leader at Cypress Creek Energy, to discuss how utilities and renewable energy operators prepare for, respond to, and recover from cyber incidents.

The conversation explores:

  • Why OT incident response differs from IT
  • Navigating NERC CIP and regulatory reporting
  • How AI is changing cyber defense and vulnerability discovery
  • Why incident response plans must be tested, not just documented
  • The value of security-by-design and cross-functional collaboration

Whether you’re securing power generation, renewable energy assets, or industrial control systems, this episode offers practical lessons for building more resilient critical infrastructure.

Speakers: 

Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.

His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and  helping all of us to raise the bar collectively against cyberattackers.

LinkedIn

 

Joseph M. Saunders: Joseph M. Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.

LinkedIn

 

Guest Speaker – Derrick Bethea, NERC Compliance Manager and OT Cybersecurity Leader at Cypress Creek Energy

Derrick Bethea is a strategic NERC Compliance and OT Cybersecurity leader, currently serving as NERC Compliance Manager / OT Cybersecurity SME at Cypress Creek Energy. He brings deep expertise in NERC CIP compliance, regulatory and OT risk management, and enterprise governance. Derrick has led CIP Low and Medium Impact programs from the ground up.

A trusted advisor to executive leadership, Derrick is known for translating complex regulatory and cybersecurity expectations into practical, business-aligned actions — strengthening compliance posture, operational resilience, and risk reduction across critical infrastructure. His work sits at the intersection of grid reliability, regulatory strategy, and OT cybersecurity, making him a sought-after voice on what it takes to secure and comply within today’s evolving renewable energy landscape.

LinkedIn

 

Watch the Full Episode

Episode Transcript

Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

Paul Ducklin (00:03)

Exploited: The Cyber Truth, a podcast by RunSafe Security. Hello everybody, welcome back to Exploited: The Cyber Truth. I am Paul Ducklin, joined as usual by Joe Saunders, CEO and founder of RunSafe Security. Hello Joe.

Joe Saunders (00:20)

Greetings, Paul. Great to be here and very much looking forward to this conversation.

Paul Ducklin (00:24)

Yes, what a fascinating field we will be digging into today. Quite literally talking about keeping the lights on. Our guest is Derrick Bethea. Derrick, welcome.

Derrick Bethea (00:37)

Thank you, Paul, Joe. Thank you, guys, for having me on today.

Paul Ducklin (00:40)

Derrick, I’m just looking down at my notes here. Your job title is NERC Compliance Lead at Cypress Creek Renewables. For non-American listeners, NERC is the North American Electric Reliability Corporation.

Derrick Bethea (00:58)

Yes.

Paul Ducklin (01:00)

So before we get into questions about electricity reliability, Derrick, why don’t you tell us your backstory? How did you get into engineering? How did you get into energy, in particular, renewable energy? And most importantly, how did you come to that nexus of energy delivery and cybersecurity?

Derrick Bethea (01:21)

Used to be a firefighter in the law enforcement. And I used to work at a federal building where I met some guys that were doing cyber intelligence. And it was so fascinating. I used to see these guys and I used to talk to them. I asked, what do you guys do? He’s like, man, we do cyber. We sit behind a computer. I’m like, it seems cool, but what else do you guys do? That kind of interested me to get into cybersecurity. So I graduated my undergrad in criminal justice and went to my master’s in 2017. 

Completed my master’s program, and I was like, I just want to get a cybersecurity job. I want to get a cybersecurity job. I got my first job, fast forward to Burns and McDonough. And before the interview, I wanted to be proactive. Hey guys, is there anything you guys can send me? My manager was like, sure, I’ve sent you the NERC CIP framework.

And I started reading them like, what is this stuff?

Paul Ducklin (02:27)

So you thought it was gonna be coding and scripting and basically super hacking?

Derrick Bethea (02:32)

Yes, hacking and penetrating networks and all of those technical things. And my manager at the time was like, you said you want to do cybersecurity. Was like, yes, you are doing cybersecurity. And I was like, no, this is not cybersecurity. I don’t understand all of this stuff. Fast forward two years into the job, I started understanding, going on different projects, learning the utility, learning the market, and understanding why it was important that these NERC controls was implemented and utilities in the generation plants, because when you look at your general IT cybersecurity, they are focusing more on personal data, keeping the infrastructure running on the OT side. We are making sure that there’s no changes, no impact to the operations. The energy sector is so critical to us as human beings.

If we go too long without energy, they can cause mass casualties. You can’t get that life back. However, I can get my Zoom back.

Paul Ducklin (03:41)

Yeah, exactly yeah.

Derrick Bethea (03:43)

There went to Duke Energy with several projects around the network. The Purdue model of how we zone and secure the OT network and assets to where I’m at today, leading audits and understanding the deep framework of the why behind the NERC CIP framework, and from there to DG sites where NERC CIP control doesn’t apply. How do we protect those assets at those sites?

Paul Ducklin (04:11)

Now, Derrick, it seems that one important thing in the energy sector right now is a thrust towards renewable energy, which also means energy storage, which is all quite new. So how do you balance regulating and securing OT stuff that’s brand new with keeping the legacy equipment safe and secure at the same time?

Derrick Bethea (04:36)

New technology is great. The digital, this AI to the OT environment, to the digital footprint, it is great. It can help with performance. It can dictate to you before a human knows when the error or miss ops is going to happen and alert you so you can get ahead of that issue before it happens and cause an outage. What is my risk if I implement this new technology into the OT environment?

So I had to look at what the regulators say around it, where they put all of these requirements around, hey, you can have it, however, you have to adhere to X, Y, and Z to almost, I’m going to spend more money to maintain this tool than the tool actually costs to my environment. So why would I implement this new tool?

Paul Ducklin (05:28)

Joe, do you want to see something say something about how you see that AI balance? Because I’m delighted that Derrick led off by saying one of the great things about AI is that it can help you process data faster, so you can look for anomalies and react to them faster. But there is a flip side to that. The bad guys can do what you might call vulnerability investigations much more easily if they treat AI as a super-powerful search engine that lets them find out things that were generally considered hard to find in the past because they were buried in thousands of pages of pseudo-confidential or complicated documentation that only the Derricks of the world understood until recently. How do you manage that balance so that you get AI working to help you but stop it doing you down at the same time?

Joe Saunders (06:21)

Well, first of all, we may need to launch a new AI chat program called Derrick GPT if we really want to account for all this. Just kidding, of course. To your point directly, Paul, I think AI can be as much a disruptor as it is an opportunity. And I believe it’s both. Yeah. And on the disruption side, certainly, AI is finding vulnerabilities in these systems. 

And when we think about the energy infrastructure, there are systems that are out there for a long, long time. So five, 10, 15, 20 years is not uncommon. And part of the problem is that there may have been latent vulnerabilities that no one really knew about, nor has anybody been able to patch. And yet AI could be discovering them perhaps for the first time, or certainly bringing them to the forefront. In that regard, AI is finding vulnerabilities at a faster rate and is finding vulnerabilities that humans didn’t find in the past.

Paul Ducklin (07:17)

Joe, would you agree that particularly in the OT and embedded space, there’s a surprising amount of what you might call security by obscurity simply because these devices are so specialized that an AI kind of helps attackers who might otherwise take years to go digging through all the documents to go to places where they would never even known to start before?

Joe Saunders (07:41)

Exactly. And I think if you get exposed to the OT environment and especially in the energy infrastructure, there is a kind of aa lot of deep holes you can go into and a lot of old systems you can uncover. And yeah, I think part of it then is the potential to patch these systems is also tricky because, as Derrick alluded to in the energy infrastructure in general, there’s high consequence if something goes wrong.

This software requires a fair amount of real testing and ensuring that any software updates that are pushed out are reliable and meet standards for both cybersecurity but also for safety in general. We have legacy code, we have lots of testing, we have a safety expectation, and that just means that touching these systems can be delicate and it’s not always done immediately. It’s much different than say a web-based application in a cloud environment, where you can push updates almost instantly and multiple times a day. It’s not necessarily true in a physical environment in a power grid that in some cases can be very brittle with old code. I agree with Derrick that AI can be also very, very helpful. I don’t want to just dwell on the negative. I think AI can be extremely helpful in these cases as well. And to the point that we can leverage and find those vulnerabilities ourselves gives the cyber defense a really strong chance to stay ahead of the threat.

Paul Ducklin (09:05)

Derrick, do you want to say something about how an operator in the energy space might typically respond immediately if a cybersecurity incident is suspected or discovered and reported, and how that differs from how an IT team might respond if they find, God forbid, that Zoom has stopped working for five minutes.

Derrick Bethea (09:28)

The foundation is there, right? If you use your essence response.

Paul Ducklin (09:33)

So you’re not making it up as you’re going along, you’re following policies and procedures that have been honed and learned over very many years.

Derrick Bethea (09:41)

If you have an incident response plan, follow your incident response plan. Make sure it works. Not just check in the box and say, hey, I have an incident response plan to say, I need to meet the cyber insurance to get this insurance. Check the box. I need to comply with this regulation. Check the box. Make sure this cybersecurity incident response plan actually work and is tuned to your environment. Anyone should be able to take lead and go follow the steps.

Get the right parties involved, which pretty much would be the teams that handle the security, make sure you’re roles and responsibilities of the day. Because these individuals should be trained to know what to do when the emergency happens. When the emergency is happening, it’s not time to be training and trying to figure out what’s going on.

Paul Ducklin (10:30)

I guess you, coming from a background of being a first responder, a fireman, if you don’t mind. Yes. Train hard, fight easy, right?

Derrick Bethea (10:38)

Yes, each incident doesn’t require the same team to review the incident. It might be a different product, might be a different asset manager, in my case, might be a different utility that runs a different system that I need to get involved. So we have to be trained on our incidents and know how to respond to your vendors as well and have access to these systems.

Paul Ducklin (11:00)

Now Derrick, it seems that in the IT world at least, there’s much more of what you might call checkbox compliance than we might like, of people who just figure, you know what, to go into business I’m going to need this certificate, I’m going to put in a little frame, I’ll put it on the wall, but I don’t really care about whether I can fulfil what I’m supposed to. Now it sounds as though the cultural attitudes in the energy sector are a little bit different from that.

And that checkbox compliance is rather less of a problem. Would you agree with that? Yes. Good.

Derrick Bethea (11:35)

We have frameworks that we have to adhere to that NERC set by the guidance of FERC.

Paul Ducklin (11:41)

Now FERC, that’s the federal energy regulator that deals with the fact that while there isn’t a national grid in the US like there is some smaller countries, there are guidelines that make sure that all the different parts of the grid can actually work together when necessary.

Derrick Bethea (11:59)

Yes, and no regulations get pushed down to all the, to the utilities companies that we have to adhere to. However, you have utilities that doesn’t understand these regulations, that don’t know how to implement these regulations. Because of how complex the landscape is to adhere to the NERC CIP compliance in all these frameworks and the complexity of running and operating. A lot of these companies doesn’t understand until they get hit with that cyber-screening stick.

Paul Ducklin (12:31)

Is that because they’re small and underfunded and working on very thin margins?

Derrick Bethea (12:36)

I just don’t understand the penalties that come behind not adhering to the regulatory requirements or that cyber incident when you are compromised and you are shut down and you’re missing contractual agreements or you are not able to get that power to the grid. The organization just sometimes doesn’t understand the complexity of it. So yes, NERC provides the guidelines. 

However, sometimes it’s hard to apply those guidelines, implement them into an already complex environment. And if people are constantly changing and moving and roles expanding, leaving, parting the companies, that knowledge is leaving with that individual. That’s another thing that I see in the organization struggle with is that knowledge is just leaving and not being documented and processed.

Paul Ducklin (13:32)

Is it fair to say that with increased reliance on an interest in renewable energy, where you might have a very a much larger number of sites generating much smaller amounts of power, presumably that means that the need to throw everything onto the internet so you can manage it remotely is that much more important, and yet you have a lot of much smaller operators suddenly entering this tightly regulated market.

How do you embrace the future without falling into the holes that we are still living with from the past?

Derrick Bethea (14:08)

Couldn’t put security at the table. For so long, OT security and OT wasn’t a discussion when these deals or these contracts are being put together. Now, security and everything is heightened, right? Within the last two to three years, a tax on utility infrastructure has gone up. We need to put security up front and understand as we’re making these business decisions, looking at every risk, doing an actual risk assessment on this tool. Have you really looked at what risks that you’re going to inherit when I bring this tool, integrate this new tool into my environment? What is this tool doing? What is the capabilities of this tool? So you paying for the talent, the engineers to help build these systems and maintain them and understand it and teach others and not gatekeep the knowledge and leave and go somewhere else and not document all the work you have put into tool to make it work. 

Security upfront. We need to get security upfront and get more individuals like myself that knows and understands the complexity and understands that I cannot just take a traditional IT scanning system.

Paul Ducklin (15:24)

Joe, this is essentially in three words, security by design, isn’t it? Where the vendor decides that they’re going to bake security in right from the very beginning and not try and fit it afterwards. But there’s an important flip side to that, isn’t there, which is secure by demand. Well, obviously there’s the demand of the regulators. Thou shalt do this, thou shalt do that. But there’s also a sense of the purchasers, the people who are building new power supply facilities actually saying to their suppliers, if you don’t have secure by design, then you are not going to get the business. And that leads to the question, well, who pays? Does the secure by demand demander have to say we’re prepared to pay extra? Do the secure by design providers need to say we consider this a minimum standard, or is the truth somewhere in between?

Joe Saunders (16:20)

I think the truth is somewhere in between. And as Derrick was alluding to, it’s folks like Derrick and others that really understand the domain in which this technology is deployed. And understands the threat environment. And so as a result of that, there’s a really good opportunity for a two-way dialogue. You have domain expertise coming from Derrick and you have product knowledge coming from the technology providers that are shipping OT technology to these environments.

The secure by demand side is very, very powerful because it’s really grounded in the requirements that are needed to secure the domain itself. By asking for certain types of security features, that creates the impetus then for the product manufacturers to build security into their products and do secure by design. The burden falls on both sides, actually, and it’s really the communication between the two.

And ultimately, if it’s a competitive environment where there could be multiple technology solution providers, I believe that operators will choose those that have security, all else being equal. I think security is a key discriminator. I think it’s important. And I also think it’s a differentiator for the solution providers ultimately. And they ultimately want to listen to their customers who are demanding more security to be incorporated into the product.

Paul Ducklin (17:40)

Yes. Because if they don’t listen to their customers, eventually they’re going to have to listen to the regulators, aren’t they? Like in the European Union, the Cyber Resilience Act, coming at this from the here’s the stick to go with the carrot. We want you to embrace security. If you don’t, then there may be liabilities that you did not suffer in the past. Right. Exciting times, aren’t they?

Joe Saunders (18:04)

Yeah, I think CRA in particular is very interesting to create both that carrot and that stick. And they both are needed. So if you’ve got operators demanding security and you’ve got solution providers or product manufacturers doing secure by design, the great news is everybody wins, including the consumer and the ultimate users of energy, because we’ve got safer, more secure, more resilient infrastructure that is less likely to go down in a crisis.

Derrick Bethea (18:36)

So screening and demand upfront and bringing people like myself and other practitioners to those tables, to the C-suite tables that’s making these business deals to understand from our standpoint, these are the risks that come with this deal right now.

Paul Ducklin (18:55)

Derrick, shock and horror. It sounds as though you are suggesting that we should bring science and engineering, not merely art, into the sales process. I really like the sound of that.

Derrick Bethea (19:08)

Yes, I mean, it will save you so much money and time as you scale up. I’m not going to gatekeep on any mistakes or anything that I’ve seen that helped in environment.

Paul Ducklin (19:20)

Now, Derrick, given that you are in, as we said, the renewables and energy storage sector, which is what we might call the next gen of electrical energy infrastructure. It’s all new and exciting, and we’re getting new technology, new types of batteries, new smaller devices, more operators. In amongst all of that, what are the cybersecurity risks you foresee that will keep you awake most at night.

Derrick Bethea (19:50)

Someone getting in and manipulating the data that we are using with this new technology. Someone getting into manipulating the data to throw the numbers off. How is being protected going through the different clouds, different SaaS programs? What is this vendor doing with my data once it leaves my environment? How are you keeping my data protected as it’s being transmitted?

Paul Ducklin (20:15)

So it sounds as though what you’re saying is that we need to be at least as concerned about what you might call the typical IT cloud data processing side of the stuff that reads information out of, say, stored energy plants as we need to be about people hacking into those plants and fiddling with the actual batteries themselves. So it sounds as though there’s a whole extra area here that it’s not just about protecting the OT devices themselves. It’s about protecting the automated decision making based on the data that comes out of those devices.

Derrick Bethea (20:55)

Making sure that this new technology integrates in your system, that you have every aspect of it checked. Before I integrate this new technology into my whole environment, I’m going to just pick a region. Out of 10 sites, I’m gonna pick three sites where I’m gonna run this new technology so I can get an understanding. Or a sandbox, being able to that vendors now are offering sandbox.

Paul Ducklin (21:23)

Is that what the military guys call a digital twin?

Derrick Bethea (21:26)

Yes. So similar to they build a lab environment, I get to use this environment for so many days and they will implement different things into the environment that the tool should be catching. So I’m being able to see when I get an alert, what is alert, what is going on, what is it saying, making sure that this tool integrates it. I’m getting the best bang for my buck looking at what can this tool do.

Can it send a command over to another system and cause it to trip it offline?

Paul Ducklin (22:00)

So that’s a sort of safe way, if you like, of making sure that the secure by demand demands meet the secure by design provisions.

Derrick Bethea (22:10)

Yes, we need to design this out together, see how we can make each other happy at the business table. So once I get this product, I am not fighting with the engineers to get credentials to firewall, to make changes wires in their possession.

Paul Ducklin (22:27)

Now gentlemen, I’d like to finish up by asking either or both of you one last question. For the C suite leaders of today in critical infrastructure in general and in electricity supply in particular, what’s the one thing they should start doing today if they’re not doing it already when it comes to cybersecurity?

Derrick Bethea (22:49)

Making sure that you have a subject matter expert accountable for making, keeping you from having cyber attacks. Understanding your operational technology environment, understanding your risk, understanding tools, technology, the resource and people and training. How does AI help you? How can AI hurt you? And most of all, make sure you have a governance plan of how operating out in the OT environment for all the assets that you are in scope to protect.

Paul Ducklin (23:26)

I love to hear you talking about investing in people. You often hear these days, forget the people the machines can do all of the work. I’m delighted to hear that. Joe, do you have anything to add before we finish up?

Joe Saunders (23:40)

Yeah, just say I agree the OT environment’s a huge area for investment, ensuring there’s a dialogue between suppliers and operators and in fact sharing data, sharing information, whether it’s with the Software Bill and Materials or similar, so that both sides have a transparent round of communication and understand all the risk inherent in the technology deployed in this infrastructure. I think if we do that, great things will happen in terms of elevating security, you know, across the board in OT.

Paul Ducklin (24:11)

Yes. Very simply put, supply and demand are not at each end of a one-way street. They need to work together hand in hand. Gentlemen, thank you so much for your lively discussion, for some very interesting insights into a very new, exciting but super important field. So that is a wrap for this episode of Exploited: The Cyber Truth

If you like this podcast, please don’t forget to like and share us on social media. And don’t forget, stay ahead of the threat. See you next time.