Four Years In: What NERC’s Cyber Security Incident Reporting Data Tells Us (and What It Doesn’t)
By Patrick Miller
In the world of Bulk Electric System (BES) cybersecurity, signals of risk don’t always arrive with alarms blaring or malware lighting up dashboards. Sometimes, the signs are quieter—brute force login failures, odd port scans, or a sudden spike in account lockouts. The annual CIP-008-6 report, filed March 21, 2025 by NERC, shines a small but telling light on just such signals. This marks the fourth annual report filed pursuant to FERC Order No. 848, and while the volume of incidents may appear modest—just three attempted compromises in 2024—it’s the stories behind those numbers that matter.
A Quick Recap: Why This Reporting Exists
FERC issued Order 848 in 2018 in response to what was, frankly, a reporting gap. Under the prior version of the standard (CIP-008-5), only actual compromises that disrupted BES functions had to be reported. That left a big blind spot. Near misses, suspicious probes, and even clear attempts to breach cyber perimeters went unreported.
FERC told NERC to close that gap. The result was CIP-008-6, which requires entities to report both actual compromises and attempts to compromise, specifically those targeting Electronic Security Perimeters (ESPs) and the Electronic Access Control or Monitoring Systems (EACMS) that protect them.
CIP-008-6 became effective in the U.S. on January 1, 2021. Now, four years into this enhanced reporting framework, we’re starting to see patterns—but also the limits of what this data can tell us.
What qualifies as “Reportable?”
The definition for Cyber Security Incident is…
A malicious act or suspicious event that:
For a high or medium impact BES Cyber System, compromises or attempts to compromise (1) an Electronic Security Perimeter, (2) a Physical Security Perimeter, or (3) an Electronic Access Control or Monitoring System; or
Disrupts or attempts to disrupt the operation of a BES Cyber System
The definition for Reportable Cyber Security Incident is…
A Cyber Security Incident that compromised or disrupted:
A BES Cyber System that performs one or more reliability tasks of a functional entity;
An Electronic Security Perimeter of a high or medium impact BES Cyber System; or
An Electronic Access Control or Monitoring System of a high or medium impact BES Cyber System
To fully understand, you need to combine both definitions: first, what a Cyber Security Incident is, and second, what elevates a Cyber Security Incident to a Reportable Cyber Security Incident. Note that the Reportable definition on its own covers only actual compromises or disruptions. Attempts become reportable through CIP-008-6 Requirement R4, which also requires notification of a Cyber Security Incident that was an attempt to compromise an ESP or EACMS, judged against the entity's own "attempt to compromise" criteria from Requirement R1, Part 1.2.1.
Pro-tip: any capitalized term from the NERC Reliability Standards (e.g., Cyber Security Incident, BES Cyber System, Electronic Security Perimeter) can be found in the NERC Glossary of Terms.
2024: Three Incidents, No Compromises (But That’s Not the Full Story)
In 2024, the E-ISAC received three reports—same number as in 2023. All were attempts to compromise BES Cyber Systems (BCS), none were successful, and none disrupted BES operations. But let’s unpack what really happened:
Report A – Login Failures from Multiple States
A responsible entity’s SIEM detected 20 failed login attempts to a medium impact BCS via an Intermediate System. The attempts came from IPs in Wyoming and Florida, all using the same username, which suggests a coordinated effort. What’s missing is how the perpetrator reached the Intermediate System in the first place. An Intermediate System is normally placed in a DMZ and reached only after passing the usual corporate controls (firewalls, VPN, etc.), so failures there mean something closer in had already been traversed or was directly exposed.
Report B – Brute Force
This report included two separate incidents:
A brute force attack from multiple foreign IPs that locked out approximately 20 user accounts, but no systems were compromised. The source IP addresses had previously been flagged in brute force reports documented by AbuseIPDB and Cisco Talos.
A second wave of failed VPN authentications from IPs tied to the same ISP across multiple countries.
Report C – SCADA Scan Attempt
A foreign IP address tried to actively scan a SCADA network using techniques documented in the MITRE ATT&CK framework. All attempts were stopped at the firewall. The source of the attack is still “under investigation,” which means either the attacker was very good at covering their tracks or the entity doesn’t have the data or the capability to know. It’s also worth recognizing that seeing MITRE ATT&CK referenced in regulatory filings is a good thing - even if how the entity mapped the activity to ATT&CK techniques is not included in the report.
Across all three incidents, no critical systems (BCS) were accessed, and BES reliability remained unaffected. But from a threat intel perspective, that doesn’t mean there’s nothing to see here.
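The two patterns behind Reports A and B (repeated failures against one username from sources in different locations, and a burst of account lockouts from sources with a bad reputation) are exactly the kind of low-volume signal a SIEM rule has to pull out of the noise. The following is an added example, not code from the NERC report or from the author: it runs toy versions of both detections over constructed log lines. The log format, the usernames, the IP addresses (RFC 5737 documentation ranges), the region table standing in for a geo-IP lookup, and the "known bad" set standing in for an AbuseIPDB/Talos reputation feed are all assumptions made for this example.

```python
"""Added example (not from the NERC report or the author): toy SIEM detections
for the Report A and Report B patterns, run over constructed log lines.

Log format, usernames, IPs (RFC 5737 documentation ranges) and the
region/reputation tables below are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like, one event per line). Not real data.
SAMPLE_LOG = """\
2024-05-02T03:14:07Z auth-failure user=opsadmin src=203.0.113.7 target=intermediate-01
2024-05-02T03:14:19Z auth-failure user=opsadmin src=203.0.113.7 target=intermediate-01
2024-05-02T03:14:31Z auth-failure user=opsadmin src=198.51.100.22 target=intermediate-01
2024-05-02T03:14:44Z auth-failure user=opsadmin src=198.51.100.22 target=intermediate-01
2024-05-02T03:15:02Z auth-failure user=opsadmin src=203.0.113.7 target=intermediate-01
2024-05-02T09:40:00Z auth-failure user=jsmith src=192.0.2.10 target=vpn-gw
2024-05-02T11:00:01Z account-lockout user=acct01 src=192.0.2.50 target=vpn-gw
2024-05-02T11:00:02Z account-lockout user=acct02 src=192.0.2.51 target=vpn-gw
2024-05-02T11:00:03Z account-lockout user=acct03 src=192.0.2.50 target=vpn-gw
"""

# Assumed enrichment tables: a stand-in for a geo-IP lookup and a stand-in for
# an AbuseIPDB/Talos reputation feed. Both are constructed for this example.
IP_REGION = {"203.0.113.7": "US-WY", "198.51.100.22": "US-FL",
             "192.0.2.10": "US-TX", "192.0.2.50": "XX", "192.0.2.51": "XX"}
KNOWN_BAD = {"192.0.2.50", "192.0.2.51"}


def parse_events(text):
    """Parse '<timestamp> <type> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append({"ts": ts, "type": parts[1], **fields})
    return events


def coordinated_failures(events, window=timedelta(minutes=5),
                         min_attempts=5, min_regions=2):
    """Report A pattern: one username, repeated failures inside a sliding
    window, with source IPs resolving to at least two distinct regions."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth-failure":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            regions = {IP_REGION.get(e["src"], "unknown") for e in in_window}
            if len(in_window) >= min_attempts and len(regions) >= min_regions:
                alerts.append({"user": user, "attempts": len(in_window),
                               "sources": sorted({e["src"] for e in in_window}),
                               "regions": sorted(regions)})
                break  # one alert per user is enough for triage
    return alerts


def lockout_burst(events, window=timedelta(minutes=1), min_accounts=3):
    """Report B pattern: many distinct accounts locked out in a short window.
    Returns the burst with its sources checked against the reputation set,
    or None if no burst reaches the threshold."""
    locks = sorted((e for e in events if e["type"] == "account-lockout"),
                   key=lambda e: e["ts"])
    for i, first in enumerate(locks):
        in_window = [e for e in locks[i:] if e["ts"] - first["ts"] <= window]
        accounts = {e["user"] for e in in_window}
        if len(accounts) >= min_accounts:
            srcs = {e["src"] for e in in_window}
            return {"accounts": len(accounts), "sources": sorted(srcs),
                    "flagged_sources": sorted(srcs & KNOWN_BAD)}
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("coordinated failures:", coordinated_failures(evs))
    print("lockout burst:", lockout_burst(evs))
```

The thresholds (five attempts in five minutes, three lockouts in one minute) are deliberately low so the constructed sample trips them; in production they would be tuned to the entity's baseline, and the region and reputation lookups would be replaced by real geo-IP and threat-intel queries. The point of the region check is the one the Report A narrative makes: a single username failing from two geographically distant sources in the same window is a different signal from one user fat-fingering a password.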
Key Takeaways from the 2024 Report
All three incidents were attempts to compromise — consistent with the intent of CIP-008-6 to detect precursors to potential compromise.
Two attacks leveraged Intermediate Systems, the often-overlooked middle ground between external networks and core cyber assets.
Foreign IPs played a role in two reports, highlighting the ongoing role of international adversaries (or proxies).
Brute force attacks and VPN abuse remain active vectors, reminding us that credential hygiene and access control matter—especially in remote access pathways.
Perhaps most notable: none of the incidents involved contractors or third parties, unlike previous years. That’s a positive shift, but not a reason to relax concern for these vectors. The report reminds us to strictly monitor both internal and external access points.
Reporting Trends Over Time
Over the past four years, 16 incidents have been reported under CIP-008-6:
2021: 2 reports
2022: 8 reports
2023: 3 reports
2024: 3 reports
While these numbers are small, it’s worth remembering that we’re only counting reportable cyber security incidents (technically, compromises or attempts to compromise). The vast majority of “background noise” (scans, pings, low-level recon) still doesn’t rise to that threshold—and may never be reported.
What’s Missing (Still)
While this year’s report added helpful detail (e.g., IP origins, login patterns, scan behaviors), the fundamental limitations persist:
Lack of actionable threat intel: No correlation with known threat actors, campaigns, or malware strains.
No context around detection or response: What worked? What could have worked better?
Unclear thresholds for what gets reported: Even with Order 848’s expansion, there’s still variance in how entities interpret “attempt to compromise.” CIP-008-6 leaves the criteria for what counts as an attempt to each entity’s own incident response process (Requirement R1, Part 1.2.1), so two entities seeing the same activity can legitimately reach different reporting decisions.
NERC is already working on this. Project 2022-05 is underway to revise the reporting thresholds—albeit on the “low priority” standards development track. Let’s hope it articulates the expectations in a way that is actually implementable. The industry needs sharper clarity and better consistency across the sector.
Final Thoughts
It would be easy to look at three reported incidents and breathe a sigh of relief or shrug it off. But that’s the wrong message. These events aren’t failures—they’re publicly documented warnings. They tell us the perimeter is being watched, touched, and tested (as should be expected). Each of these attempted compromises required someone (or something) to detect them, triage them, and take action to report. That effort matters. But it also means we’re only seeing the part of the iceberg above the waterline. Also note that due to the inconsistency in the understanding of what qualifies as an attempt, not all entities are reporting consistently. Further, some entities will only disclose to the E-ISAC what is explicitly required by the regulations for fear of compliance investigations, potential leaks of the data, and many other arguably valid reasons. Even with all of these issues factored in, it’s still good to get some public view/record of what’s going on in the sector.