2025 RISC Report: Cybersecurity at the Center of Grid Reliability
By Patrick Miller
The 2025 NERC RISC Report elevates cybersecurity to the core of grid reliability, alongside grid transformation, extreme events, interdependencies, and volatile energy policy. Unlike past reviews, this report is a forward-looking roadmap, urging modernization, cross-sector coordination, and resilience in a digitized, high-risk energy landscape.
Overview
When the NERC Board of Trustees accepted the 2025 ERO Reliability Risk Priorities Report earlier this month, they put a spotlight on the risks reshaping the North American bulk power system (BPS). Unlike retrospective reports such as the State of Reliability or incident-driven event analyses, the RISC Report is forward-looking, capturing emerging risks, interdependencies, and recommended mitigation strategies. Think of it as a strategic compass for both industry leaders and regulators: a way to anticipate what’s next, not just reflect on what already happened.
What’s in the 2025 RISC Report?
The Reliability Issues Steering Committee (RISC) identified five critical risk profiles:
Grid Transformation – Rapid deployment of large digital loads (AI data centers, crypto mining, hyperscalers) combined with an accelerated retirement of synchronous generation, uneven replacement with inverter-based resources (IBRs), and supply chain bottlenecks.
Resilience to Extreme Events – Expands beyond natural disasters to include all-hazard scenarios, from polar vortices to cyberattacks timed with extreme weather.
Critical Infrastructure Interdependencies – Growing reliance on natural gas, telecom, and water systems, plus the rise of DERs and distribution-connected resources that blur the traditional BPS boundaries.
Security – Cyber and physical threats intensifying as grid digitization creates a larger attack surface, compounded by supply chain exposure and geopolitical tensions.
Energy Policy – Volatile, fragmented policy landscapes that complicate planning and investment in reliability.
What ties these risk profiles together is interconnection and amplification. Grid transformation multiplies resilience challenges. Interdependencies expand cyber risk vectors. Policy volatility makes technical fixes harder to implement. Security risk, meanwhile, is a standalone issue, an interwoven challenge, and a multiplier across every other category.
Cybersecurity: No Longer a Parallel Risk
In the previous RISC Report from 2023, cybersecurity was acknowledged as an expanding reliability concern, but often discussed in the context of resilience or technology transformation. In the 2025 report, cybersecurity takes on a more centralized role. It’s listed explicitly as a top risk profile, and the language reflects the reality that cyber is not separate from grid reliability. It is central to grid reliability.
Expanded attack surface – As more inverter-based resources, hybrid plants, and digital large loads connect, control systems multiply. Each connection represents a new potential vector.
Supply chain risk – High-voltage transformers, advanced inverters, and control system components often originate from complex, geopolitically sensitive supply chains.
Cross-sector dependencies – The bulk power system, natural gas delivery, telecom, and water systems are deeply intertwined. An attack on any one can cascade into the others.
Policy drag – While FERC has directed new standards development (e.g., Order 901 on IBR modeling and performance), the pace of standards often lags behind adversarial innovation.
This connects directly to the existing NERC CIP standards, which were designed around a more static, generation-centric grid. The report makes it clear that the traditional scope of CIP, focused on BES Cyber Systems behind the Electronic Security Perimeter, will need to evolve. Inverter-based resources, large flexible digital loads, DER aggregation, and complex interdependencies with gas and telecom are not fully captured in today’s CIP framework. While new efforts like CIP-015 on Internal Network Security Monitoring are important steps, the sector needs faster adaptation: lifecycle security for IBR plants, performance verification of digital controls, visibility into DER/VPP operations, and expanded supply chain assurance. In short, CIP must mature from a compliance baseline into a dynamic, reliability-driven framework if it is to mitigate the risks highlighted in this report.
Comparing 2023 vs. 2025 Priorities
The 2023 RISC Report highlighted grid transformation, extreme events, resource adequacy, and cyber/physical security as major risks. By 2025, the landscape has shifted:
Policy volatility has risen to the top tier, recognized as a direct risk driver.
Resource adequacy is now baked into the Grid Transformation profile, reframed around energy sufficiency instead of simple capacity margins.
Critical infrastructure interdependencies are given more weight, acknowledging the tight coupling of electricity with natural gas and communications.
Security is elevated as a core risk, not a sub-component.
The tone of the 2025 report is also sharper. It explicitly warns that traditional planning reserve margins are insufficient, that extreme events must be expected at larger scales, and that industry must modernize reliability constructs now, not later.
Topic | RISC 2023 Snapshot | RISC 2025 Update | What It Means for Cybersecurity |
---|---|---|---|
Grid Transformation | Emphasis on IBR growth, declining synchronous inertia, early DER aggregation questions, emerging AI/data center loads. | Large digital loads (AI/hyperscalers/crypto) now central; shift from capacity to energy sufficiency; modeling & interconnection consistency prioritized; storage pivotal. | More digital controls ⇒ larger attack surface. Lifecycle configuration/patching for IBRs, plant controllers, and large-load backup systems becomes critical. |
Resilience to Extreme Events | Natural hazards focus (cold, heat, wildfire); early all-hazards framing. | Full resilience lens (all-hazards): extreme weather + cyber/physical events + supply chain. Recovery speed and blackstart readiness elevated. | Exercise for coordinated cyber-physical scenarios; ensure comms, telemetry, and restoration tooling function under degraded conditions (“operate under compromise”). |
Critical Infrastructure Interdependencies | Noted gas-electric coordination needs; early telecom/water considerations. | Interdependencies are a core risk: just-in-time gas, power-dependent pipeline ops, telecom backbones; call for coupled planning & ops protocols. | Cross-sector cyber incidents can cascade. Joint tabletop exercises, data-sharing MOUs, and coordinated incident response with gas/telecom/water are essential. |
Security (Cyber & Physical) | Growing threats highlighted; supply chain concerns emerging; security linked to reliability. | Security elevated as a top risk profile; complexity rises with digitization, firmware/embedded risks, and geopolitical supply chains. | Strengthen SBOM/firmware governance, secure configs, network monitoring (INSM-aligned), anomaly detection for IBR plants, and substation hardening. |
Energy Policy | Policy seen as a driver; emphasis on planning certainty. | Policy volatility explicitly flagged as reliability risk; reliability must be raised in policy design (timelines, siting, permitting, markets). | Map policy mandates to cyber-resilience capacity (workforce, tooling). Advocate reliability-by-design requirements in rulemakings. |
Resource Adequacy | Peak capacity focus; early warnings on winter risks and energy limits. | Reframed under Grid Transformation: forward-looking energy sufficiency across all hours; weather-informed scenarios; interregional options. | Plan for cyber-driven uncertainty (loss of visibility/dispatch). Portfolio diversity and DSM/VPPs reduce single-point cyber failure impact. |
Modeling & Interconnection | Need for better EMT/generic models recognized; uneven interconnection practices. | Push for consistent, performance-based interconnection (all gens/loads/storage); FERC Order 901 momentum; real-time IBR performance monitoring. | Treat models/settings as sensitive assets; harden change management, verify after firmware updates, and monitor for malicious configuration drift. |
Storage & GFM Inverters | Growing role noted; capabilities still being integrated into tools/markets. | Storage is a core reliability asset; ERCOT/MISO moving to GFM requirements; leverage storage for ERS and stability. | Secure BESS fleets (PCS/BMS/EMS). Validate control modes; monitor state-of-charge manipulation attempts; segment networks; log & alert on control changes. |
DER / VPP Coordination | Early aggregation/2222 considerations; limited BPS visibility. | Active distribution & VPPs require tighter BPS–DSO–aggregator coordination (forecasting, telemetry, performance). | Expand cyber scope to aggregators and behind-the-meter controllers; require minimum security baselines and event data sharing. |
Supply Chain & Workforce | Lead times and talent gaps noted; emerging risk. | Persistent supply chain constraints and EMT/OT talent scarcity are material reliability risks; call for workforce pipelines and spares strategies. | Vendor risk management, qualified product lists, and secure-by-design procurement; invest in OT cyber + power electronics cross-training. |
Interregional Planning & TX | Benefits acknowledged; limited actionable metrics. | Encourage actionable interregional transfer metrics; coordinate siting/permitting; use transmission to mitigate extreme events. | Design for cyber-resilient operations (segmentation, trusted comms, fail-safe control) across seams; shared situational awareness interfaces. |
Key Themes and Cyber-Linked Takeaways
Across all five risk profiles, several themes emerge:
Energy sufficiency over capacity – Reliability now depends on being able to supply energy in real time across all hours and scenarios, not just meeting peak load. Cyber disruptions that compromise dispatchable resources or grid visibility are therefore existential.
Cross-sector dependencies – Just-in-time natural gas and power electronics-heavy telecom backbones are reliability risks. Cyber actors understand these choke points.
Supply chain fragility – Long lead times for HV transformers, reliance on offshore IBR components, and vulnerabilities in firmware/embedded software open doors for compromise.
Workforce limitations – Expertise in electromagnetic transient (EMT) modeling, grid-forming inverters, and OT/ICS cybersecurity is scarce. This is a human-capital risk as much as a technical one.
Policy gaps – Energy policy that fails to account for reliability risk, whether it’s aggressive electrification mandates without corresponding infrastructure or fragmented cyber regulation, only increases exposure.
Strategic Recommendations
The 2025 report’s recommendations can be distilled into six cyber-relevant calls to action:
Update planning and operating models – Incorporate cyber-physical vulnerabilities and inverter-based dynamics into reliability assessments.
Modernize interconnection standards – Ensure IBRs, DERs, and large digital loads have consistent performance and cybersecurity requirements throughout their lifecycle.
Enhance resilience exercises – Expand drills like GridEx to include simultaneous cyber-physical extreme event scenarios, with more follow-through on lessons learned.
Invest in diversity and optionality – Broaden resource portfolios, storage, and demand-side management so cyber disruptions in one area don’t cascade into systemic crises.
Elevate reliability in policy discussions – Cybersecurity and resilience must be part of every major energy policy decision, not bolted on afterward.
Develop workforce pipelines – Build capacity in EMT modeling, IBR controls, and OT/ICS cyber defense to match the pace of technological change.
Why This Matters
The bulk power system is at an inflection point. Large-scale load growth from AI and electrification, the acceleration of inverter-based resources, and a volatile policy environment are combining to rewrite the rules of reliability. Cybersecurity is threaded through every aspect of this transformation, from supply chain to interconnection to extreme event resilience.
The 2025 RISC Report doesn’t just diagnose the risks. It’s a strategic roadmap for utilities, regulators, and industry stakeholders. If taken seriously, it could help the North American grid stay resilient in the face of converging engineering, physical, and cyber challenges. If ignored, it risks becoming yet another well-intentioned document sidelined while the world moves past it.