Metal Working Insider

Regulators Move to Unify SBOM, Segmentation, and Telemetry in OT Incident Response

Regulators align SBOM mandates, network segmentation rules, and real-time OT telemetry into a unified incident response framework for critical manufacturing.


Regulatory bodies in the United States and Europe are converging on a consolidated operating model for industrial control systems (ICS) that binds software bill of materials (SBOM) transparency, network segmentation requirements, and real-time telemetry sharing into a single incident response framework - a shift with direct implications for metals, glass, and allied process manufacturers operating critical infrastructure.

Background

The regulatory push follows years of escalating threat activity in OT environments. Recent analyses show a 40% rise in internet-exposed ICS devices between 2024 and 2025, reflecting how attackers now view industrial environments as high-impact, high-value targets. CISA published more than 450 ICS advisories in 2025, with critical manufacturing accounting for 45.8% of affected technologies - the largest share of any sector.

The fragmented nature of existing frameworks has complicated facility-level response. Four primary frameworks - IEC 62443, NIST SP 800-82, the EU's NIS2 Directive, and TSA security directives - currently guide ICS cybersecurity strategy. Organizations have been migrating from ad-hoc security toward these structured guidelines to mandate auditable baselines across operations. However, fragmentation across formats, standards, and compliance frameworks remains the chief obstacle preventing SBOMs from reaching their full potential as scalable cybersecurity tools.

Details

The most concrete regulatory step came on December 11, 2025, when CISA released its Cybersecurity Performance Goals 2.0 (CPG 2.0) - an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, established under the 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

A key structural change in CPG 2.0 directly affects OT operators in heavy industry. OT-only goals from the prior version have been folded into new "universal goals" addressing both IT and OT holistically, enabling small- and medium-sized entities to apply one framework and reduce confusion over domain-specific goals. The update also introduces four new goals targeting emerging threats and gaps, including risks from third-party providers with deep system access and zero-trust principles to mitigate lateral movement.

On SBOM adoption, the regulatory trajectory is hardening globally. U.S. Executive Order 14028 in 2021 decisively accelerated global adoption by mandating SBOMs for all federal agencies and their software vendors, establishing the SBOM as a cybersecurity and procurement baseline. CISA subsequently updated its minimum SBOM elements, significantly expanding required metadata to include fields essential for provenance, authenticity, and deeper cybersecurity integration. In parallel, the EU Cyber Resilience Act (CRA) is driving similar mandates for market access.

For ICS-specific procurement, a vulnerability in a component supplied by a third-tier vendor can propagate through the supply chain undetected. Asset owners are responding by demanding full visibility into SBOMs, transparent vulnerability disclosure policies, and defined patch management responsibilities from vendors. An SBOM provides a complete inventory of every software component, library, and dependency within a product, enabling asset owners to assess exposure when a new vulnerability is disclosed.

The telemetry gap in OT environments remains a central compliance challenge. The SANS Institute 2025 survey found that over one in five organizations (22%) reported a cybersecurity incident in the past year, with 40% causing operational disruption and nearly 20% taking more than a month to remediate. ICS-specific protocol or device awareness, session recording and replay, and real-time session approvals were each reported as fully implemented by only 13% or fewer respondents. "This year's findings show that while progress is being made, the industry still faces significant challenges in securing converged environments," said Jason D. Christopher of the SANS Institute. "Organizations must prioritize visibility and segmentation to mitigate these risks effectively."

Network segmentation, a foundational control in both NIST SP 800-82 and IEC 62443, remains inconsistently deployed. Industry observers advise that the most realistic approach is a "risk-based, phased integration of key principles from standards like NIST 800-82 and IEC 62443," prioritizing critical assets and applying controls where they deliver the highest impact - including strong network segmentation and identity management, even where internal legacy systems remain.[1]

[1] CISA Industrial Control Systems (ICS) Advisories Recap for 2025

To address the SBOM and IR toolchain integration challenge, industry practitioners have proposed embedding SBOM data directly into incident response workflows. Under this model, the IR plan uses the SBOM to instantly correlate a new zero-day or CVE with every affected device in the control network, shifting response from a manual audit to an automated, risk-weighted defense deployment that prioritizes operational stability.
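The SBOM-to-IR correlation just described (and the exposure assessment the SBOM inventory enables, discussed above) can be sketched as follows. This is an added example, not code from the article or from any regulator or vendor; the per-device SBOMs, the asset inventory with IEC 62443 zones, the zone weights and the advisory with its placeholder CVE identifier are all constructed here.

```python
# Constructed per-device SBOMs in a minimal CycloneDX-like shape (real ones
# would be CycloneDX/SPDX exports from the vendor or an SBOM generator).
SBOMS = {
    "plc-furnace-01": {"components": [{"name": "libmodbus", "version": "3.1.4"},
                                      {"name": "zlib", "version": "1.2.13"}]},
    "hmi-line-02": {"components": [{"name": "libmodbus", "version": "3.1.10"}]},
    "hist-server-03": {"components": [{"name": "libmodbus", "version": "3.1.2"}]},
    "eng-ws-04": {"components": [{"name": "zlib", "version": "1.2.11"}]},
}

# Constructed asset inventory: IEC 62443 zone plus operator-assigned criticality (1-5).
INVENTORY = {
    "plc-furnace-01": {"zone": "level1-control", "criticality": 5},
    "hmi-line-02": {"zone": "level2-supervisory", "criticality": 3},
    "hist-server-03": {"zone": "dmz", "criticality": 2},
    "eng-ws-04": {"zone": "level3-operations", "criticality": 3},
}

# Zones closer to the physical process weigh more in the response ordering (assumed weights).
ZONE_WEIGHT = {"level1-control": 4, "level2-supervisory": 3, "level3-operations": 2, "dmz": 1}

# Constructed advisory with a placeholder identifier: every libmodbus build
# below the fixed version is treated as affected.
ADVISORY = {"id": "CVE-XXXX-XXXXX", "component": "libmodbus", "fixed_in": "3.1.6"}


def version_key(version):
    """Numeric tuple so that 3.1.10 sorts after 3.1.6 (plain string compare gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def affected_assets(advisory, sboms=SBOMS, inventory=INVENTORY):
    """Return (asset, version, risk) tuples for every asset whose SBOM lists a
    vulnerable build, ordered by risk = criticality * zone weight, highest first."""
    fixed = version_key(advisory["fixed_in"])
    hits = []
    for asset, sbom in sboms.items():
        for comp in sbom["components"]:
            if comp["name"] == advisory["component"] and version_key(comp["version"]) < fixed:
                meta = inventory[asset]
                risk = meta["criticality"] * ZONE_WEIGHT[meta["zone"]]
                hits.append((asset, comp["version"], risk))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    for asset, version, risk in affected_assets(ADVISORY):
        print(f"{ADVISORY['id']}: {asset} runs {ADVISORY['component']} {version}, risk={risk}")
```

The ordered list is what a risk-weighted response would act on first: the Level 1 controller outranks the DMZ historian even though both carry the same vulnerable library.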

Outlook

The EU Cyber Resilience Act, which entered into force in late 2024, reached its most critical implementation milestones in 2025, including the European Commission officially accepting standardisation requests from CEN and CENELEC. These requests set the technical standards every connected product must meet to enter the European market. The CRA's reporting requirements mandate that manufacturers report actively exploited vulnerabilities within 24 hours.

For metalworking and process manufacturing facilities subject to cross-border supply chains, compliance with both the U.S. CPG 2.0 framework and CRA reporting timelines is expected to require coordinated investment in OT telemetry infrastructure, SBOM tooling, and segmented network architecture before the CRA's full enforcement window opens.