Ampyx Cyber Blog
The Intersection of Regulation & Resilience
2025 RISC Report: Cybersecurity at the Center of Grid Reliability
The NERC 2025 RISC Report elevates cybersecurity to the core of grid reliability, alongside grid transformation, extreme events, interdependencies, and volatile energy policy. Unlike past reviews, this report is a forward-looking roadmap, urging modernization, cross-sector coordination, and resilience in a digitized, high-risk energy landscape.
Cyber on Tap: NY's Water Utilities Face New Cyber Rulebook
New York has proposed the first mandatory cybersecurity regulation for water and wastewater systems, targeting utilities serving over 3,300 people. With requirements for vulnerability assessments, incident reporting, and executive oversight, this rule signals a shift toward enforceable cyber resilience and other states may soon follow.
Monitoring Meets Mandate: Will the Next CIP-015 Standard Deliver on FERC’s Vision?
FERC approved CIP-015-1, but also ordered NERC to expand it. The new SAR outlines how INSM requirements will extend beyond the ESP to include EACMS and PACS systems. This post breaks down how the SAR aligns with FERC’s directive, what still needs attention, and why internal visibility is no longer optional.
Texas SB 75: A Lone Star Model for Grid Resilience
Texas SB 75 establishes a first-of-its-kind Grid Security Commission to evaluate and enhance the resilience of the state’s electric grid and critical infrastructure. With a broad all-hazards focus, from cyber threats to EMPs, this bipartisan law signals Texas’ intent to lead on proactive, cross-sector grid security. Learn what’s required, what’s coming, and why it matters now.
Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector
New York's new cybersecurity law, Chapter 177 of 2025 (S.7672A / A.6769A), introduces mandatory incident reporting, ransom payment disclosures, annual training, and data protection requirements for public-sector entities. Its broad definitions suggest applicability to both IT and OT systems, signaling a significant expansion in cybersecurity oversight for municipalities and public authorities.
Help Shape the Future of the NERC CIP Standards
NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. What’s happening, why it matters, and how you can participate before the July 22 deadline.
FERC Quietly Closes The Books on RM20-12-000
FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid
On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.
Canada’s Bill C‑8: A New Era for Cybersecurity Regulation
Canada is proposing sweeping changes to strengthen its cyber resilience through Bill C‑8. This two-part legislation enhances federal powers over telecom infrastructure and establishes enforceable cybersecurity obligations for critical infrastructure operators. Read our full breakdown of what it means, who it impacts, and what’s next in Parliament.
NERC CIP-002 Standards Authorization Request - Project 2021-03
NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.
Analysis of the June 6th, 2025 Executive Order on Cybersecurity
On June 6, 2025, President Donald J. Trump issued a new Executive Order (EO) titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.” This directive serves as a recalibration of federal cybersecurity strategy, signaling a shift away from prescriptive mandates toward more targeted, agency-specific authority and risk-informed investment in critical initiatives. It amends prior EOs while preserving core elements of federal cybersecurity policy.
Cyber Stress Testing: Strengthening Cyber Resilience in the EU Energy Sector
As cyber threats grow more complex, the EU energy sector is turning to stress testing to bolster its resilience. This post explores ENISA’s 2025 Cyber Stress Test Handbook and how it helps energy providers simulate real-world attacks, uncover vulnerabilities, and strengthen defenses in alignment with NIS2, CER, and the Cyber Solidarity Act.
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks
On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.
Chinese-made technology in U.S. critical infrastructure: an interview with Patrick Miller
Patrick C. Miller of Ampyx Cyber testifies in front of the Senate U.S. - China Economic and Security Review Commission on Thursday, April 24 about the threat of Chinese-made technologies in U.S. critical infrastructure, including power systems and telecom. Here is a short interview with Patrick Miller about his testimony.
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)
The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).
FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)
The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.
Ask An Expert
GOT A TOUGH QUESTION?
Sometimes you just need to phone a friend. Ask us anything, any time. You don’t need to be an existing or prospective client. No cost, no hassle and no commitment. We will not put you on a contact list and our sales team won’t harass you. We will always respect your privacy. We promise. Just real answers from real experts for real problems.