Reinforcing the U.S. Grid: The 2025 USCC Report on Chinese Energy Influence

By Patrick Miller

The 2025 USCC Annual Report outlines national security risks from PRC-linked technologies in the U.S. energy sector. It offers clear, field-informed recommendations, including testimony from Ampyx Cyber’s CEO, on supply chain threats, OT device transparency, and cyber response.

TL;DR

The report draws from multiple sources, including technical experts, intelligence briefings, and testimony provided during public hearings. Importantly, the Commission doesn’t just describe the threat. It outlines a pragmatic roadmap. Recommendations include:

  • Enforcing stronger procurement safeguards and national testing of foreign-origin OT devices

  • Funding open-source firmware initiatives for field-deployed energy assets

  • Strengthening mandatory disclosure and product lifecycle transparency

  • Developing regional incident response exercises and technical playbooks

  • Supporting utility asset owners with segmentation, monitoring, and rapid response tools

Throughout, the report distinguishes between policy-level actions best driven by the federal government and those that fall to asset owners and operators. This layered approach reflects the operational realities of the energy sector.

For OT and ICS professionals, this is a rare federal report that speaks your language. It doesn’t gloss over protocol-level risks, firmware backdoors, or the realities of patching embedded systems in live environments. And for policymakers, it offers concrete, actionable steps grounded in field realities.

Overview

The U.S.-China Economic and Security Review Commission’s 2025 Annual Report to Congress includes some of the most pointed and actionable language to date regarding cybersecurity risks to U.S. critical infrastructure, especially within the electric power sector. Several independent analyses have identified undocumented communication modules and unlisted wireless radios inside Chinese-origin inverters and energy storage systems, underscoring how embedded device risk extends beyond traditional network layers into hardware design itself.

Ampyx Cyber is honored to have supported the Commission’s deliberations this year. Our CEO, Patrick C. Miller, provided formal testimony before the Commission in April 2025 and responded to follow-up Questions for the Record in May, sharing pragmatic recommendations focused on mitigating latent risk in foreign-manufactured control systems.

Key Findings

The Commission finds that Chinese cyber operations increasingly focus on pre-positioning within U.S. critical infrastructure. This includes persistent access that could be activated during periods of geopolitical tension rather than short-term data theft. The electric power sector remains a priority target due to its central role in national defense, economic stability, and societal function.

Importantly, the report emphasizes that risk is not confined to enterprise IT networks. Embedded devices such as inverters, energy storage systems, protective relays, and other industrial control components can introduce access paths that bypass traditional cybersecurity controls. Public reporting and expert testimony cited by the Commission note concerns around undocumented communications capabilities, opaque firmware, and vendor-controlled update mechanisms in foreign-origin equipment deployed across the grid.

The Commission references campaigns such as Volt Typhoon to illustrate how threat actors may maintain long-term footholds in infrastructure environments, preserving the option to disrupt operations rather than immediately triggering visible effects. This strategic posture complicates detection and attribution and raises the stakes for preparedness and resilience.

The report draws upon input from multiple expert witnesses, including testimony from national labs, electric sector security leaders, and researchers. Notably, Dr. Emma Stewart, Chief Scientist for Cybersecurity at INL and a long-time leader in grid security analytics, is cited for her insights on pre-positioning and the challenges of attribution and resilience.

Key Recommendations

The Commission’s final recommendations to Congress include a notably strong and bipartisan set of cybersecurity measures, several of which directly reflect ideas offered during testimony:

1. Improve Network Segmentation and Monitoring

Require asset owners to isolate high-risk components, enforce firewall rulesets, and deploy continuous monitoring tools that support anomaly detection across OT protocols (e.g., Modbus, DNP3).

2. Mandate BOMs and Embedded Transparency

Accelerate the adoption of Software Bills of Materials (SBOMs), Firmware BOMs (FBOMs), and Hardware BOMs (HBOMs) at the point of procurement, with validated provenance and digital signature verification.

3. Establish a National Open Source Firmware Program

Fund federal labs (e.g., INL, PNNL, NREL) to develop open-source, trusted firmware alternatives for inverters, relays, and other ICS devices, enabling “clean” re-flashing where hardware replacement is not feasible.

4. Conduct Forensic Evaluation of Foreign-Origin Devices

Sponsor reverse engineering of high-risk field equipment to detect latent functionality, backdoors, or unauthorized update paths. This work would support coordinated risk advisories and procurement bans.

5. Simulate Adversarial Activation Scenarios

Task DOE, CISA, and the National Guard with leading regional tabletop exercises to model the operational impact and response coordination challenges if foreign-manufactured devices were remotely triggered.

These actions, while technically achievable, require coordinated policy, sustained funding, and clearly delegated responsibility across agencies.

Global Relevance Beyond the United States

Although the report is written for Congress, its findings extend well beyond U.S. borders. Grid operators and regulators in the European Union, the United Kingdom, and the Indo-Pacific face similar dependencies on global manufacturing and many of the same embedded risks.

The core challenge is shared: how to participate in a global technology marketplace, including with vendors from countries that may pose strategic risk, while maintaining sovereignty, resilience, and operational trust. As the report implicitly acknowledges, the answer is not isolation but the development of safeguards, transparency, and technical countermeasures that function as an antidote when supply chains are compromised.

Why This Matters Now

The 2025 USCC Annual Report represents a shift from general warnings toward actionable governance. It signals that cybersecurity, supply chain integrity, and energy reliability are now inseparable policy issues.

For policymakers, regulators, and infrastructure operators alike, the report provides a clear message: embedded digital risk must be addressed deliberately and systematically. Waiting for a crisis to reveal hidden dependencies is no longer an acceptable strategy.

We encourage readers to review the full report, particularly the sections addressing cyber and digital infrastructure risk, and to consider how its recommendations may shape policy and regulatory action in the coming year.

Read the full report here: https://www.uscc.gov/annual-report/2025-annual-report-congress

 
