Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains

By Patrick Miller

FERC’s September 2025 actions reshaped grid reliability standards by tightening security requirements for low-impact assets, adding authentication, encryption, and monitoring; introducing long-awaited, new requirements and new definitions to support secure adoption of virtualization technologies; and expanding supply chain protections to cover Protected Cyber Assets and other connected systems.

Overview

On September 18, 2025, the Federal Energy Regulatory Commission (FERC) unanimously approved a package of reliability measures aimed squarely at modernizing the cybersecurity posture of the Bulk Power System (BPS). Three agenda items, E-1, E-2, and E-4, mark significant shifts in how NERC CIP standards address low-impact cyber assets, virtualization, and supply chain risk management. The virtualization standards in particular have been in the development process since 2016, and are considered by most to be the biggest shift in the NERC CIP standards since the V3 to V5 transition (possibly ever).

E-1: Raising the Floor for Low-Impact Cyber Assets

What happened

Item E-1 advances a Notice of Proposed Rulemaking (NOPR) to approve CIP-003-11 [NOPR not available at the time of posting; post will be updated with links as they happen], which strengthens baseline controls for low-impact BES Cyber Systems, systems that historically fell into the “lightest-touch” category under CIP.

Key new requirements:

  • Authentication for remote users – closing the gap where low-impact assets were accessible with weaker identity controls.

  • Protection of authentication information in transit – ensuring credentials and tokens cannot be intercepted or replayed.

  • Detection of malicious communications – requiring monitoring for indicators of compromise targeting or traversing low-impact systems with external routable connectivity.

The NOPR also solicits comments on whether NERC should conduct a white paper or study on evolving threats to low-impact assets, signaling the Commission’s concern that these systems remain an attractive vector for adversaries.

Why this matters

  • Shift in philosophy: Low-impact no longer equates to low concern. Attackers can leverage distributed low-impact assets as beachheads for coordinated operations—FERC is responding to that reality.

  • Operational challenges: Many entities have relied on cost-efficient but minimally secured low-impact environments. Adding authentication, encryption, and detection means more investment in tools and monitoring.

  • Future trajectory: The request for a study suggests FERC is preparing to expand beyond these incremental measures. Low-impact standards could, over time, resemble scaled-down versions of medium-impact obligations.

E-2: Virtualization [Finally] Comes to CIP

What happened

FERC issued a Notice of Proposed Rulemaking [NOPR not available at the time of posting; post will be updated with links as they happen] approving 11 modified CIP standards and 22 new or revised glossary definitions to address virtualization and cloud technologies. This is the most comprehensive attempt to realign CIP with modern IT/OT architectures, and many consider it severely overdue.

Highlights of the proposal:

  • Establishes security objective-based requirements instead of rigid one-to-one hardware/software assumptions.

  • Defines Shared Cyber Infrastructure (SCI) (e.g., hypervisors) and Virtual Cyber Assets (VCA) (e.g., virtual machines) to clarify scope.

  • Seeks comments on eliminating the Technical Feasibility Exception (TFE) program, which has often been used as an administrative exception for requirements difficult to implement in virtualized environments.

Commissioner Q&A

  • Chairman Rosner asked why virtualization-specific standards are needed. Staff explained that traditional CIP was designed for discrete hardware, but virtualization enables hundreds of BES Cyber Assets on shared hosts. Security objectives give entities flexibility while preserving reliability.

  • Commissioner Chang pressed on hypervisor risk, noting that shared infrastructure introduces systemic vulnerabilities. Staff confirmed the SCI/VCA definitions directly target this issue, ensuring hypervisor compromise scenarios are within CIP scope.

Why this matters

  • Virtualization is inevitable: Staff acknowledged entities will adopt virtualization for efficiency and cost, even if not required. Standards must therefore facilitate secure adoption rather than ignore it.

  • Audit complexity: Regions and auditors will face steep learning curves assessing shared hypervisors, cloud-based assets, and “security objectives” that are less prescriptive than legacy CIP.

  • End of TFEs?: Eliminating the TFE program could remove a compliance exception option. Entities may push back if prescriptive requirements outpace what’s technically feasible in their environments.

  • Forward-looking but fragile: By focusing on security objectives, FERC is signaling a shift toward outcome-based compliance. But without detailed guidance, and given the rapid pace of change in this type of technology, inconsistent enforcement is highly likely.

E-4: Expanding Supply Chain Risk Management

What happened

FERC issued a Final Rule directing NERC to expand its supply chain standards (CIP-013 and related requirements). The rule largely adopts the September 2024 proposal but adds sharper directives:

  • Identification and response to supply chain risks must be more explicit and programmatic.

  • Protected Cyber Assets (PCAs) are now included in the scope of supply chain protections.

  • Risk assessments must be more accurate and complete, ensuring that gaps are identified before equipment is deployed.

  • NERC has only 18 months to deliver responsive modifications.

Commissioner Q&A

  • Chairman Rosner asked how these revisions help utilities stay ahead of emerging threats. Staff highlighted more accurate risk assessments and flexible, risk-based responses.

  • Commissioner See pushed for details on the three directives. Staff explained that systematic identification, consistent response processes, and PCA inclusion all reduce the likelihood of vulnerabilities slipping through supply chains.

  • Commissioner Chang framed the issue as national security, underscoring that grid supply chain integrity underpins not only electricity but the U.S. economy.

Why this matters

  • Closing critical gaps: Expanding to PCAs is a major scope shift. Many devices that were connected but not fully covered will now fall under formal supply chain oversight.

  • Vendor friction: Utilities will need stronger assurances from suppliers, many of whom may resist additional disclosures or validation. Expect confusion, contractual disputes and market shuffling.

  • Flexible but vague: FERC emphasized risk-based approaches, but left room for interpretation. Without concrete audit criteria, entities may struggle to prove they are meeting the new expectations.

  • National security overlay: By tying supply chain risk directly to national security, FERC is laying groundwork for potential future directives that align with broader federal procurement restrictions.

Cross-Cutting Themes

From E-1, E-2, and E-4, several threads emerge:

  1. Rising Expectations Across the Board: Low-impact assets are subject to ever-increasing cybersecurity obligations.

  2. Flexibility vs. Enforcement: Virtualization and supply chain standards rely on “objectives” and “risk-based responses,” but how Regions audit and enforce them remains uncertain.

  3. Acceleration of Modernization: These actions recognize that entities are already moving toward virtualization and complex supply chains. Standards must catch up quickly - and then keep up.

  4. National Security Framing: Particularly in E-4, Commissioners explicitly tied reliability to national defense and economic security, signaling a broader policy context/influence.

Critical Takeaways

FERC’s actions in September 2025 reinforce a trend: reliability standards are changing, expanding, and shifting. They are attempting to keep pace with the rapid changes to both technology and the threat landscape.

For utilities, vendors, and operators, the takeaways are clear:

  • E-1: Upgrade low-impact environments now. Authentication, encryption, and detection are no longer optional.

  • E-2: Prepare your virtualization path; hypervisor risk and shared infrastructure are officially in scope - if/when you want to virtualize.

  • E-4: Reassess supply chain programs to include PCAs, formal risk identification, and systematic response mechanisms.
