Having worked with the energy industry since 1990, including 14 years working for an electric grid operator, I can state that this "patchwork of cybersecurity regulations" is indeed an issue that need not exist.
Baseline Cybersecurity Performance Goals (CPG) produced by CISA provide a practical and effective set of cybersecurity practices that could be the basis for harmonized cybersecurity practices across all critical infrastructure sectors. Then we could stop trying to satisfy some truly unrealistic cybersecurity requirements like the NERC CIP virtualization cybersecurity standards effort that has been going on since 2016, which remains an open item in 2024.
The critical infrastructure sectors need one set of baseline cybersecurity practices, like the CISA CPG, to streamline regulatory compliance and provide effective, consistent cybersecurity protections that work.
And, while we're pursuing harmonization, can we also give consumers the visibility they need to make risk-based buying decisions and choose trustworthy products, like Anne Neuberger of ONCD suggested in this interview?
I concur, Brandon:
"It is hard to dispute that there is a need for cyber regulatory harmonization, and it is time to make it happen. This is an area for the incoming administration and Congress to push this commonsense, bipartisan idea across the finish line as a way to improve the cybersecurity ecosystem, while simultaneously making it more efficient for industry and government.
Brandon Pugh, Esq. is the director of the R Street Institute’s cybersecurity and emerging threats team. He previously served in elected office and was Republican counsel covering cyber issues for a state legislature."