OT cyber regulation in 2025: expectations vs. reality

13 Aug 2025

With a new Administration that issued a government-wide regulatory freeze on Jan. 20 and launched a deregulatory executive order eleven days later, many in industry expected rollbacks or lighter enforcement this year.

In OT, that did not materialize.

TSA renewed and updated its pipeline cybersecurity directive effective May 3, 2025, and CISA’s CIRCIA rulemaking continues on a path toward a late-2025 final rule and 2026 effective date.

Why it matters

Critical infrastructure cybersecurity is being treated as a national resilience priority, not a partisan debate. Despite broader deregulatory signals in 2025, mandatory OT cybersecurity requirements remain in place and CIRCIA reporting is still expected once the final rule takes effect. That keeps pressure on operators to deliver timely, defensible incident evidence.

State of play

• Pipelines: TSA’s SD Pipeline-2021-02F remains in force through May 2026, keeping required mitigation, testing, contingency planning, and annual assessment reporting in place.

• Cross-sector baseline: CIRCIA reporting is not required until the Final Rule takes effect, but the NPRM and federal schedules point to late 2025 publication and 2026 applicability, with the 72-hour incident and 24-hour ransom-payment clocks unchanged in the proposal.

• Water utilities: Rather than new rules, EPA emphasized grants, free cybersecurity assessments, and incident-response training in 2025. The emphasis on readiness signals higher expectations for utilities.

Between the lines

In 2025, lawmakers and industry groups pushed agencies to align definitions and cut duplicate reporting, not to roll back incident rules.

Zoom in: why SIGA matters now

SIGA supplies the process evidence that is critical for incident reports.

• Level 0 record: SigaGuard reads raw I/O signals out of band, creating a tamper-resistant, time-stamped view of what the process actually did.
• Faster, cleaner reporting: Level 0 timelines help verify impact, cut false positives, and back up incident reports under cross-sector and sector rules.
• Decision and readiness: SigaGuardX distinguishes operational events from cyber breaches and flags false-data injection. Siga-PAS simulates process attacks so teams can test detection and reporting without disrupting operations.

The bottom line

No rollback in 2025. Pipelines stay under TSA, CIRCIA is next. Regulators want process proof, not just logs. SIGA delivers Level 0 evidence, detection, and rehearsal.
