Security leaders cannot stray from strategizing toward resilient cyber-physical systems (CPS): the rising tide of threats to these critical systems is introducing unprecedented risk. At the state, local, tribal, and territorial (SLTT) level, resilience takes on even greater importance because the essential functions at risk underpin the safety, stability, and continuity of communities.
We present a four-step guide to achieving resilience within SLTT government missions; our guide includes strategies for identifying threats to those missions, enhancing multi-sector collaboration, embedding security and resilience strategies, and delivering cyber operational resilience.
Mission integrity and continuity can be threatened by a variety of factors. The scope of a threat assessment must span technology, people, and processes. Organizations must identify the cyber risks targeting their domains, and leverage threat intelligence and other sources of information to understand the motivations and tactics of threat actors.
There are also organizational constraints that may limit the ability to maintain essential operations. Threats to missions may take less obvious forms, such as the loss of institutional knowledge or the departure of a critical person from an agency or organization. Retirements, furloughs, and separations due to new opportunities are inevitable, and transitions or departures can significantly affect mission-critical operations.
It’s also advisable to analyze a single critical process and map it manually before investing in tools or platforms. Agencies acquiring cybersecurity tools or cyber resilience platforms without first understanding critical process domains at a high level risk selecting solutions that do not fully align to mission requirements. This could contribute to:
Procurement inefficiencies
Integration, deployment, and operational problems
Unnecessary tool sprawl
Including weighted criteria in RFP templates is great, but adopting a risk-informed process for developing the document itself results in a powerful risk control for public sector organizations.
Another primary risk to missions, however, is lack of collaboration and understanding.
For the sake of resilience, inter-departmental relationship development is a must, and so are public-private partnerships. These collaborations are critical because they enable information sharing, coordinated responses, and a unified approach to protecting essential functions. Collaboration continues the journey toward resilience, so this should be the next step beyond identifying threats to missions.
Resilience may require organizational transformation considerations. While change should begin at the top and trickle throughout ranks, it’s important to obtain lower-level buy-in that makes transformation approachable, sustainable, and successful.
With successful collaboration, cyber-operational risks become more evident across the organization. With reliable risk information, well-informed security and resilience designs naturally lead to effective continuity and disaster recovery plans.
Cyber-operational design considerations are the next step toward resilience. These include network segmentation, exposure management, secure access controls, system redundancy, incident response protocols, and continuous monitoring strategies.
Designing a security and resilience strategy is the work of reconciling current capabilities, facilities, and people with mission-critical obligations and must result in executable tasks.
Across critical sectors and for critical infrastructure operators, this requires looking beyond the confines of IT security and into the operational realities of facilities, automation systems, and the people who run them.
In the water community, the American Water Infrastructure Act (AWIA) mandates that certain water systems complete what is called a Risk & Resilience Assessment (RRA) every five years. The RRA is a framework that can be adopted regardless of sector and demonstrates that risk and resilience guidance from one sector is likely beneficial and applicable across many others. The result might also provide the beginning of an organizational policy establishing an internal risk and resilience management strategy for your organization.
A strong strategy begins with identifying what must never fail, what is allowed to degrade, and what recovery realistically looks like. Assessments should account for:
Aging infrastructure
Staffing constraints and institutional knowledge gaps
Operational technology (OT) dependencies
Internet of Things (IoT) interdependencies
Data flows (or command flows)
Civic or regulatory obligations
Environmental and facility-specific considerations
Structured methods like NIST CSF 2.0, SP 800-82, SP 1500-201, AWIA, and J100, with its focus on developing threat-asset pairings, help agencies uncover prioritized gaps in security architectures.
All investor-owned utilities (IOUs) and some publicly owned electric utilities face mandatory NERC CIP standards, but the underlying disciplines—including controlled change management, asset identification, configuration governance, and defensible access—are universally beneficial. Other sectors will find that CIP-like rigor elevates their readiness even when no such mandate exists for them.
Zero trust in cyber-physical environments is about more than identity; it’s about operational assurance:
Concrete, organization-wide definitions of mission-critical systems (assets)
Identification and continuous verification of subjects (users) and objects (assets)
Deterministic access to critical systems
Real-time exposure visibility
Logical and physical segmentation aligned to mission outcomes
Reflexive access control
Strong governance around configuration drift and change management
The goal is not to create more alerts, which can overwhelm teams and obscure real risks. The goal is to ensure that critical systems operate as intended and remain within defined risk tolerances, even under stress. By applying zero trust principles, including verifying every access request, continuously monitoring behavior, and enforcing strict least-privilege policies, organizations can maintain resilient operations without creating unnecessary noise.
Cyber-operational resilience happens when an agency can continue delivering essential services despite disruption. Achieving that requires merging cybersecurity, operations, and governance into a unified discipline.
Most agencies discover gaps immediately once continuous asset discovery begins.
Water systems, power substations, building automation, access control, and environmental controls have interdependencies that standard IT inventories rarely capture due to the specialized and often legacy protocols they operate on. You cannot defend what you do not know exists, and you cannot recover what you don’t yet understand.
Traditional IT vulnerability models often fail in CPS environments. Exposure management is a more comprehensive approach to risk reduction that focuses on not only known exploited vulnerabilities, but also insecure configurations, remote access shortcomings, and other exploitable weaknesses. In strategizing for SLTT, it’s critical to understand whether an exposure intersects with:
Public safety (i.e. public safety answering points and computer aided dispatch)
Service continuity
Regulatory obligations
Environmental impact
Mission-critical processes
Revenue generation (i.e. rate payer services)
Exposure-based prioritization ensures a community’s limited resources are applied where the risk to outcomes is highest.
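An added illustration of exposure-based prioritization, not taken from the original article or from any vendor product: it ranks exposures by the outcome categories listed above rather than by vulnerability severity alone. The weights, likelihood factors, baseline of 1, and asset names are all assumptions constructed for the example; an agency would set them with its mission owners.

```python
from dataclasses import dataclass, field

# Assumed weights for the outcome categories listed in the article.
OUTCOME_WEIGHTS = {
    "public_safety": 5,
    "mission_critical_process": 4,
    "service_continuity": 4,
    "environmental_impact": 3,
    "regulatory_obligation": 2,
    "revenue_generation": 2,
}

# Assumed likelihood factor (0 to 1) per exposure type.
EXPOSURE_LIKELIHOOD = {
    "known_exploited_vulnerability": 1.0,
    "remote_access_weakness": 0.8,
    "insecure_configuration": 0.6,
    "unexploited_vulnerability": 0.3,
}

@dataclass
class Exposure:
    asset: str
    kind: str
    outcomes: set = field(default_factory=set)  # outcome categories it intersects
    internet_reachable: bool = False

def score(e: Exposure) -> float:
    """Impact (baseline 1 plus intersected outcome weights) times likelihood."""
    impact = 1 + sum(OUTCOME_WEIGHTS[o] for o in e.outcomes)
    likelihood = EXPOSURE_LIKELIHOOD[e.kind]
    if e.internet_reachable:  # assumed bump for reachable assets, capped at 1.0
        likelihood = min(1.0, likelihood + 0.2)
    return round(impact * likelihood, 2)

def prioritize(exposures):
    """Highest risk to outcomes first."""
    return sorted(exposures, key=score, reverse=True)

# Constructed sample inventory (hypothetical assets).
SAMPLE = [
    Exposure("office-print-server", "known_exploited_vulnerability"),
    Exposure("cad-dispatch-gateway", "remote_access_weakness",
             {"public_safety", "service_continuity", "mission_critical_process"}, True),
    Exposure("lift-station-plc", "insecure_configuration",
             {"service_continuity", "environmental_impact", "regulatory_obligation"}),
    Exposure("utility-billing-portal", "unexploited_vulnerability",
             {"revenue_generation"}, True),
]
```

In this sample the remote access weakness on the dispatch gateway and the insecure PLC configuration both outrank the known exploited vulnerability on the print server, because the print server intersects none of the listed outcomes.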
CPS and OT systems operate on predictability. Even slight deviations in normal behavior often indicate the earliest stages of cyber compromise or system degradation. Resilient organizations rely on:
Passive monitoring
Continuous anomaly and threat detection
Integrated alerting for cyber and operational staff
Identity governance administration (IGA)
Stringent change management processes
Behavioral monitoring is where cyber meets operations, and where early detection prevents community-level impact. All of these improve a continuous monitoring program and lead to better cyber hygiene.
When cyber and operations rely on separate playbooks, gaps emerge and even widen precisely when clarity is expected. Joint playbooks must reflect:
Organizational lexicon
Shared escalation paths and decision trees
Clear decision authority
Facility-level and regional-level contingency steps
Community-facing communication dependencies
Resilience requires rehearsed, cross-functional muscle memory, not ad-hoc response.
Turnover is inevitable in public-sector institutions, and this is where succession planning—historically a domain reserved for C-suite continuity discussions—provides useful lessons.
Resilient agencies embed their processes, including change control, configuration governance, incident management, and knowledge capture, so that continuity is preserved even when people rotate or retire.
For state and local governments across the country, resilience grows when agencies can begin to see their full range of people, processes, technologies, and interdependencies as risk surfaces. Resilience blossoms when collaboration across teams becomes routine rather than exceptional, and when risk is measured through the lens of community impact. It blooms further when leaders commit to visibility, disciplined governance, and zero trust principles that protect cyber-operational outcomes.
Threats evolve. Budgets fluctuate. Staff changes. Mission continuity must remain non-negotiable. The time to strengthen the systems and missions that uphold communities—quietly, daily, and without interruption—is now.
Take the next step in protecting your critical systems and ensuring uninterrupted mission continuity by seeing resilience in action with the Claroty Platform.