Ampyx Cyber Blog
The Intersection of Regulation & Resilience
Is Something Weird Happening on Your System?
Learn how critical infrastructure operators can spot the early signs of cyber intrusions directly from the control room. Drawing on the latest NERC and CISA guidance, this updated guide details specific physical hardware, workstation, and SCADA anomalies to watch for. Empower your frontline staff with a proactive "See Something, Say Something" cyber defense strategy tailored for OT environments.
Claude Mythos and the OT Threat Horizon: What Utility Operators Need to Know Now
Anthropic's Claude Mythos can autonomously discover zero-day vulnerabilities across every major OS and browser, and the same codebases run in OT/SCADA environments. This post breaks down why Mythos-class AI exploitation tools directly implicate utility operators, which NERC CIP obligations are already in play, and what actions defenders should take before the patch window closes.
The E-ISAC's 2025 Report: Real Progress, Remaining Constraints
The E-ISAC's 2025 End-of-Year Report shows real growth in membership, engagement, and threat intelligence output. But a structural challenge rooted in its funding and governance relationship with NERC continues to limit the incident sharing that collective defense depends on. Comparing E-ISAC's reported numbers against peer ISACs in health and financial services reveals how much ground remains.
Poland's Energy Sector Attack: When Cyber Sabotage Targets OT [Updated]
On December 29, 2025, Poland experienced coordinated destructive cyberattacks across 30+ wind/solar farms, a CHP plant, and manufacturing. Attackers exploited FortiGate devices without MFA, used default credentials on OT equipment, and deployed custom wiper malware designed to damage industrial controls. Every failure was preventable.
Humans, Engineering Shifts, Required Investment, and Commitment for Operational Security
New secure connectivity guidance describes a greenfield target architecture, but most OT environments are brownfield reality. True resilience isn't achieved through technology alone. Human expertise, manual operating capability, physical engineering controls, and sustained investment are equally critical. Without these foundations, digital security layers risk becoming expensive new failure modes.
New Joint Agency Guidance: Secure Connectivity Principles for OT
A Five Eyes plus European intelligence coalition has published a new doctrine for securing OT connectivity against nation-state threats. This Deep Dive examines what the NCSC principles mean for utilities and industrial operators, what breaks in legacy environments, and the safety, cost, and engineering realities of moving from compliance-driven security to true operational resilience.
Volt Typhoon and the Quiet Pre-Positioning of the U.S. Power Grid [Updated]
Volt Typhoon represents a quiet but strategic cyber threat to U.S. electric utilities, characterized by long-term access and persistence rather than immediate disruption. Rather than deploying malware, the actor relies on legitimate administrative tools to maintain durable access inside critical infrastructure networks. This blog examines what makes Volt Typhoon different and why early detection depends on behavioral context, not signatures.
New NSA UEFI Guidance: Trust Starts Before the OS
UEFI Secure Boot is widely assumed to be enabled and enforcing, yet recent vulnerabilities show how easily trust at boot time can silently fail. NSA’s new guidance breaks down how Secure Boot actually works, where configurations commonly go wrong, and how organizations can validate and recover trust in the earliest stages of system startup.
From Firefighting to Foresight: Building CIP Programs for the Future Power Grid
NERC calls grid reliability a “five-alarm fire.” With data centers, AI, and extreme weather straining capacity, CIP programs must evolve from reactive compliance to proactive resilience. This post outlines how utilities can strengthen controls, close documentation gaps, and build CIP programs ready for the future grid.
INSM Just Got Clearer: Key Takeaways from the NATF Guidance
NATF has released new CIP-015 INSM guidance that confirms a risk-based approach for collection points, clarifies scope around ESP boundaries, contains numerous useful reference models, and reinforces practical retention strategies. It aligns closely with our INSM playbook, especially on passive visibility, multicast deduplication, and EACMS/BCSI determinations for INSM platforms.
CIP-002-8, Decoded: Who’s In, Who’s Out Under the New 2.12
Upcoming NERC CIP-002 grid rules change which control centers fall under stricter cybersecurity protections. This post explains the new test in plain language, who is likely covered, and when local, load-serving areas can qualify for an exception. We also share a quick checklist to help utilities document what they have today and avoid surprises later.
Foundations for OT Cybersecurity: From Inventory to Impact
CISA’s new OT asset-inventory guidance puts structure behind “know your system.” This post translates it into action: a practical, prioritized field set and taxonomy you can implement now. We added a lightweight BIA overlay that links asset criticality to mission impact. We also show where to emphasize configuration baselines, change control, and logging to improve monitoring and decision quality.
CIP-015-1 INSM: A Practical Playbook
NERC CIP-015 makes east-west visibility inside the ESP mandatory. This playbook shows how to stand up INSM the right way through risk-based data feeds, ICS-aware anomaly detection, evaluation tied to incident response, and defensible evidence on a timeline to 10/1/2028 and beyond. Avoid common pitfalls and design now for the likely CIP-015-2 expansion.
Building Blocks of OT Security Monitoring: A Deep Dive for SOC Builders and MSSPs
Learn how to build scalable, OT-aware security monitoring using (free, no cost) open-source tools like Security Onion, Wazuh, Malcolm, and The Hive. Whether you're launching a SOC or growing your MSSP, this guide covers deployment models, costs, timelines, and training to get you started fast - and smart.
Strategic Value of Self-Reporting in NERC CIP Compliance
Self-reporting in NERC CIP isn’t a weakness. It’s a sign of maturity. Proactive disclosures build regulatory trust, reinforce internal controls, and empower compliance teams to improve. When done right, self-reporting signals ownership, not failure, and positions your program as resilient, transparent, and credible.
Automation and AI Risks in Long Duration Energy Storage Systems (LDES): Risk Mitigation and Regulatory Responsibilities
As Long Duration Energy Storage Systems (LDES) become essential to the future of grid resiliency and renewable integration, the infusion of automation and artificial intelligence (AI) into these technologies presents a range of strategic risks. These include cybersecurity vulnerabilities, operational uncertainties, automation-induced failures, and regulatory gaps. This white paper outlines the major categories of risk and identifies key government, regulatory, and standards bodies responsible for managing and mitigating these challenges.
Four Years In: What NERC’s Cyber Security Incident Reporting Data Tells Us (and What It Doesn’t)
In the world of Bulk Electric System (BES) cybersecurity, signals of risk don’t always arrive with alarms blaring or malware lighting up dashboards. Sometimes, the signs are quieter—brute force login failures, odd port scans, or a sudden spike in account lockouts. The annual CIP-008-6 report, filed March 21, 2025 by NERC, shines a small but telling light on just such signals.
Proactively Enhancing Safety in Long Duration Energy Storage: Lessons, Challenges, and Future Strategies
As Long Duration Energy Storage (LDES) technologies gain prominence in modern energy infrastructure, ensuring the safety of workers and surrounding communities is critical. By examining past incidents involving lithium-ion Battery Energy Storage Systems (BESS) and other storage solutions, we can extract crucial lessons to mitigate risks in LDES deployment.
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know
In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.
Is SBOM the answer?
Government and industry experts have recently pointed to software bill of materials (SBOM) as a requirement for organizations, but what are you getting? David Foose spends some time exploring aspects of SBOM fever.