Cyber-Informed Transmission Planning: Seven Pilots, CIP Leverage

BY Patrick Miller

NERC's April 2026 release of the Cyber-Informed Transmission Planning lessons learned captures seven 2024 pilots. None triggered a corrective action plan. The report's most consequential finding: strengthening low-impact CIP requirements is likely a more cost-effective leverage point than expanding TPL-001 to embed coordinated cyber contingencies.

Overview

On April 20, 2026, NERC publicly released the lessons learned report from the Cyber-Informed Transmission Planning (CITP) pilot program, capturing seven voluntary pilots conducted in 2024 against the framework introduced in the May 2023 ERO Enterprise white paper. The report is more diagnostic than mandate-shaping. None of the seven pilots produced a reliability violation requiring a corrective action plan. The framework worked as a structured tool for cross-disciplinary scenario development, surfaced real modeling and data-availability gaps, and produced one substantive technical finding outside the cyber frame. The most consequential conclusion is one that complicates the most obvious regulatory trajectory: multiple respondents and the report itself argue that strengthening low-impact CIP requirements is likely a more cost-effective leverage point than expanding TPL-001 to embed complex cyber contingencies in already-overburdened planning workloads. For asset owners building near-term security investment plans, that pivot is the headline.

What NERC Actually Released

The report documents seven pilots completed by registered entities across five Regional Entities. The participants are Northern States Power (Xcel Energy) in MRO; an anonymous MRO entity identified in the report as Pilot Participant A; AES Indiana and the RF Transmission Performance Subcommittee in ReliabilityFirst; Duke Energy Florida in SERC; the joint CAISO and Southern California Edison submission in WECC; and VELCO with ISO-NE, NERC, and NPCC support in the Northeast. Participants spanned vertically integrated utilities, transmission-only operators, an ISO and one of its TOs, and a Regional Entity subcommittee. Not every pilot ran a planning simulation. Two participants stayed in the qualitative or scenario-vetting space, and the report explicitly captures their submissions as legitimate framework outcomes rather than incomplete work.

That capture matters. One of the durable lessons is that the framework can deliver value at Step 1 alone, when an entity's architecture or controls make a scenario non-applicable and the framework produces the documented rationale for that determination. The CAISO and SCE submission is the clearest example. SCE's transmission BES substations do not have remote routable connectivity, so the multi-substation remote-access compromise scenario was not credible against their architecture. They documented that conclusion and stopped at Step 1. This is the framework working correctly, not a pilot that failed to complete.

The Pilot Findings, Compactly

| Pilot | Region | Scenario Studied | Method | Headline Finding |
| --- | --- | --- | --- | --- |
| Northern States Power | MRO | Critical substation outages combined with natural gas pipeline disruption removing associated generation, MISO23 2028 horizon | Steady-state and dynamic | Widespread thermal and voltage violations under high-wind and winter-peak conditions, with hundreds to thousands of voltage violations in some cases. No TPL-001 CAP triggered. Composite load model issues identified for follow-up. |
| Pilot Participant A | MRO | Supply chain firmware compromise of a relay fleet, simultaneous tripping of 53 lines and 16 substations, MISO23 and MISO24 models | Steady-state and dynamic | All cases solved and converged. Stable across both model series. One overvoltage generator trip, no cascading. Two-model approach validated robustness. |
| VELCO (with ISO-NE, NPCC, NERC) | NPCC | Malicious reversion of DER settings from IEEE 1547-2018 to 1547-2003, Spring 2033 minimum-load case | Dynamic with seven simulations | No instability, separation, or cascading. No ISO-NE or VELCO planning criteria violated. Worst case tripped 195 MW of DER, 87.2% of total DER in simulation. Frequency reached 57.9 Hz nadir and 64 Hz peak, raising UFLS coordination and PRC-024 ride-through concerns. |
| AES Indiana | RF | Coordinated physical attack on long lead-time 345-138 kV autotransformers informed by cyber breach, MISO MTEP23 2024 summer peak | Dynamic, 21 combinations of five-substation pairings | All combinations stable. No CAP needed. Identified data-access management for critical asset lists as primary mitigation. Other planned scenarios dropped due to existing controls or DER data unavailability. |
| Duke Energy Florida | SERC | OEM compromise causing common-equipment generator outage, plus T-D interface disruption from compromised distribution control center | Steady-state and stability, manual | No significant impacts. Three of five framework scenarios dropped as non-applicable given low DER penetration and existing remote-access controls. Steps 4 and 5 not executed within pilot scope. |
| CAISO and Southern California Edison | WECC | Multi-substation outage via remote access compromise | Step 1 only | SCE BES transmission substations have no remote routable connectivity. Coordinated attack scenario non-credible against this architecture. Residual single-substation risk already covered by CIP-014 and TPL-001. Stopped at Step 1 with documented rationale. |
| RF Transmission Performance Subcommittee | RF | Group discussion and internal evaluation across multiple member entities | Qualitative | Roughly half of members reported little or no interaction between transmission planning and security staff. Recent TPL-001 P5 revisions cover some single-asset scenarios but not coordinated attacks on multiple low-impact BCS substations. DER and third-party data identified as the dominant data-availability barrier. |

The CIP-Versus-TPL-001 Pivot

The 2023 white paper recommended moving cyber contingencies out of the TPL-001 extreme-events table into the main contingency table, with corrective action plans required where coordinated attacks would produce instability, separation, or cascading. The lessons learned report does not back away from that long-term direction, but it explicitly reframes the near-term cost-benefit. Multiple respondents argued, and the report records, that strengthening low-impact CIP requirements is likely a better and more cost-effective mitigating control than embedding complex cyber contingencies into transmission planning workloads. The report's standards-pathway recommendations reflect this caution. They suggest exploring CIP enhancements for low-impact assets covering remote access, vulnerability management, physical security, and supply chain. They suggest considering TPL-001-5.1 alignment with cyber contingencies as a long-term goal, with optional reporting of CITP findings as part of annual assessments rather than mandatory contingency categories.

This is a meaningful softening of the 2023 trajectory. The reasoning is grounded in what the pilots actually showed. None of the seven produced a reliability violation under current planning criteria. Where pilots identified credible reliability concerns, the more direct mitigation lay in the security control layer, not the transmission infrastructure layer. SCE's submission illustrates the cleanest version of this logic. CAISO and SCE concluded that with remote routable connectivity removed at the architecture level, the coordinated attack scenario does not need to be added as a planning contingency. The control already mitigates the risk.

For Ampyx Cyber clients tracking where regulatory pressure is heading, the practical implication is clear. The CIP-003-11 work that responded to the Low Impact Criteria Review Team and the broader CIP Roadmap published in January 2026 are not parallel tracks to the CITP work. They are the leverage point the CITP work is now pointing toward. Investment in low-impact remote access controls, multifactor authentication, malicious code detection, and vendor-access management produces the regulatory and reliability return. Investment in standing up cyber contingency simulation infrastructure to satisfy a hypothetical TPL-001 expansion is a less defensible bet at this stage.

The VELCO Finding That Was Not About Cyber

Of the seven pilots, the VELCO submission produced the only technically substantive finding that warrants attention from planners regardless of cyber posture. The team studied a Spring 2033 minimum-load case in which a malicious actor reverted DER settings from IEEE 1547-2018 to 1547-2003. The simulation found no instability, separation, or cascading and no ISO-NE or VELCO planning criteria violations. What it did find was that frequency deviations during fault conditions reached 57.9 Hz at the nadir and 64 Hz at the peak, with sustained excursions below the UFLS threshold for the VELCO area. PRC-024 ride-through curves allow instantaneous tripping below 57.8 Hz or above 61.8 Hz. Voltage-inhibit logic on frequency-monitoring relays should prevent inappropriate operation, but the simulation showed repeated entering and exiting of the inhibit region, raising the possibility of inadvertent tripping if the inhibit function is improperly set or absent.

The team's conclusion is that transmission planning practices should look at frequency deviations during fault conditions, not just voltage. This is a planning-practice insight that emerged from a cyber-framed exercise but applies to any high-DER-penetration system regardless of whether a malicious actor is in the threat model. It is the clearest example in the report of why cross-disciplinary scenario work produces value beyond the immediate cyber question. VELCO's footprint is unusual in its DER trajectory, but the frequency-versus-voltage observation will travel.

What Good Looked Like in the Pilots

The pilots that produced the most defensible work shared several practical patterns.

Cross-functional sponsorship was real, not nominal. The pilots that worked engaged transmission planning, cyber security, protection engineering, IT, and OT staff early. The RF Transmission Performance Subcommittee (TPS) observation that roughly half of member entities have little or no interaction between transmission planning and security staff is the baseline the framework is trying to move. Where that interaction was already in place, the pilots produced more vetted scenarios and better data.

Scenario selection was filtered against existing controls. Duke Energy Florida (DEF) dropped three of the five framework scenarios because remote-access controls and limited DER penetration made them non-credible. SCE stopped at Step 1 because the architecture rendered the scenario non-applicable. AES Indiana dropped scenarios where existing internal controls already mitigated the threat. The pattern is to start from the framework's baseline scenarios, document whether each applies, and concentrate study effort on the ones that survive that filter. The framework explicitly accommodates this.

Existing programs were leveraged where they fit. AES Indiana extended its participation in the Edison Electric Institute Spare Transformer Equipment Program (STEP) to support the long lead-time asset scenario, then added a dynamic simulation layer that STEP itself does not require. Northern States Power (NSP) used its MISO23 series planning models for the 2028 horizon. The Pilot Participant A submission ran the same scenario across MISO23 and MISO24 model series to validate robustness. None of these pilots required standing up new infrastructure. They extended what was already in place.

Data sensitivity was managed. VELCO's submission required a rigorous CEII access vetting process before models, contingency files, and dynamic response data were shared with NERC and NPCC engineers. AES Indiana redacted specific transformer counts and capacities in the published submission. The framework's data-protection caution from 2023 held up in practice.

Conservative assumptions were documented. VELCO assumed a lack of preventative security controls where evidence of those controls was not available, and explicitly recommended this as a default approach. The discipline of documenting how engineering judgment was applied is what allows future planning cycles to refine the assumptions rather than rewrite them.

Multi-Stakeholder Action Guidance

| Role | What changes after this report | What to do in the next 90 days |
| --- | --- | --- |
| Transmission Planner | Cyber-informed scenario work has been validated as a practice. Expect Regional Entity engagement on it to increase. Do not expect TPL-001 changes in the near term. | Walk through the five framework scenarios. Document which apply to your footprint and which existing controls render others non-applicable. Use the SCE pattern as a template for the latter. |
| Planning Coordinator | Voluntary regional CITP coordination is on NERC's recommendation list. ISO-NE's role in the VELCO pilot is the working example. | Identify whether a regional CITP exercise makes sense in your footprint. Use VELCO and Pilot Participant A submissions as design templates. |
| Generator Owner / Operator | OEM compromise scenarios and long lead-time asset scenarios both pulled GO data. The data requests will be high level, not configuration level. | Prepare a high-level OEM penetration and remote-access posture template. AES Indiana's STEP-extension approach is the cleanest example of using existing programs for cyber-informed analysis. |
| Transmission Owner | The report explicitly recommends exploring CIP enhancements for low-impact assets. Investment there is more defensible than investment in cyber contingency simulation infrastructure. | Audit your low-impact substations for remote access posture, multifactor authentication, malicious code detection, and vendor access controls. These are the leverage points the report is pointing toward. |
| Distribution Provider | T-D interface and distribution control center compromise scenarios remain on the planning study list. DEF dropped these to a future iteration but flagged the modeling work needed. | Map your distribution control center footprint to T-D interfaces. Be prepared to support a planning study at the data-sharing level rather than the configuration level. |
| Cyber Security Lead | The report names cross-functional engagement as the single most consistent success factor and the absence of it as the single most consistent barrier. | Build the relationship with the planning team if it does not exist. The TPS submission is the cautionary case. Roughly half of RF members reported little or no interaction. |
| Executive Sponsor | The framework requires cross-functional collaboration that does not happen organically. Without sponsorship, the work stalls at the data-collection step. | Establish named sponsors and a clear escalation path on the planning, engineering, and security sides. AES Indiana's resource reprioritization that cut three of four scoped studies is the cautionary case. |

Audit and Examination Preparation

Regional Entity engagement on CITP topics will increase. The relevant questions an entity should be ready for, based on what the pilots show works:

How does your transmission planning group engage with cyber security and design engineering on long-term planning assessments? Frequency, format, named participants. The TPS finding that roughly half of RF entities have little or no such interaction sets the baseline.

For each of the five baseline framework scenarios, what is your documented rationale for whether the scenario applies to your footprint? SCE's Step 1 stop with documented architecture rationale is a defensible model. DEF's narrowing from five to two scenarios with documented rationale is another.

Where you have identified credible cyber-induced reliability risk, have you considered both transmission reinforcement and security control enhancement? The report explicitly elevates the security control path as often more cost-effective. Be prepared to show the comparison.

How do you protect transmission planning models, contingency lists, and study results? VELCO's CEII access vetting process before sharing data with NERC and NPCC is a working example. AES Indiana's redaction of transformer counts and capacities in the published submission is another.

If your low-impact BCS substations allow remote access, what authentication, malicious code detection, and session monitoring controls are in place? This question is upstream of CITP. It is downstream of CIP-003-11 and the broader CIP Roadmap, which the lessons learned report explicitly aligns with.

Open Questions to Watch

Will TPL-001 changes follow? The lessons learned report's softer language on TPL-001 alignment, including the "consider" framing and the optional-reporting suggestion, indicates near-term TPL-001 expansion is unlikely. A standards drafting team would have a harder case to make now than it did before the pilots ran. The CIP track is the more active near-term path.

How will simulation tool vendors respond? The report names current planning models and simulation platforms as a constraint. Coordinated cyber misoperations, protection setting reversions, DER ride-through changes, and composite load model behavior all required manual workarounds in the pilots. NSP specifically flagged composite load model issues for follow-up. Whether tool vendors deliver native capability for cyber contingency definition affects how widely the framework can scale.

How does the DER aggregator question evolve? Studies 2 and 5 from the original framework, on DER OEM compromise and DER aggregator compromise, were the most consistently dropped scenarios across the pilots due to data availability. The report recommends exploring registration mechanisms to compel data sharing from non-traditional grid participants. That is a regulatory question with implications well beyond CITP.

What happens to the VELCO frequency-deviation observation? The recommendation that transmission planners should examine frequency deviations during fault conditions is not a cyber-specific lesson. Whether ISO-NE, NPCC, or NERC pick that thread up through a broader planning-practice channel will determine whether one of the report's most substantive findings actually reaches industry.

How does this work intersect with European frameworks? NIS2, the proposed Cyber Resilience Act sectoral measures, and the European grid resilience work all converge on the same fundamental question of how planning engineers and security engineers integrate. North American and European utilities operating across both regimes would benefit from explicit coordination, and that coordination is not yet visible.

Where Ampyx Cyber Helps

The lessons learned report points clearly at where the practical work is. Cross-functional collaboration that does not happen organically. Scenario filtering against existing controls so resources are concentrated on what matters. Data-collection design that does not trigger BCSI handling burden. Conservative-assumption documentation that future planning cycles can refine. Low-impact CIP control posture as the more cost-effective leverage point versus standing up new planning simulation infrastructure. We work with TPs, PCs, GOs, TOs, DPs, and their security counterparts on each of these. Reach out if your team is starting a CITP exercise, preparing for Regional Entity engagement on the topic, or working through the CIP-003-11 implementation that the lessons learned report has now elevated as the more practical near-term investment.
