October 5, 2025
After 9/11 there was recognition that critical infrastructure needed better protection, yet 24 years later many of the same weaknesses in control system cybersecurity remain. In 2001 most engineers and operators had little awareness of cyber threats to industrial systems, and many of the recommendations that emerged—such as connecting the dots between intelligence sources, using imagination to anticipate non-traditional attacks, and involving multidisciplinary expertise—have still not been fully adopted. Control systems continue to be treated separately from IT security, leaving significant blind spots in risk management.
Despite the availability of more advanced tools, greater awareness, and regulatory frameworks, cultural and organizational barriers persist. Engineers and plant personnel are often left out of cybersecurity decision-making, and many organizations remain reactive instead of proactive in addressing risks. The failure to fully integrate cybersecurity into operational practices means that critical infrastructure is still vulnerable, and the lessons from 9/11 about anticipation, coordination, and holistic defense have not been consistently applied.