Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains

By Patrick Miller

FERC’s September 2025 actions reshaped grid reliability standards in three ways: tightening security requirements for Low Impact assets by adding authentication, encryption, and monitoring; introducing new requirements and definitions to support secure adoption of virtualization technologies; and expanding supply chain protections to cover Protected Cyber Assets and other connected systems.

Overview

At its September 18, 2025 open Commission Meeting, the Federal Energy Regulatory Commission (FERC) unanimously approved a package of reliability measures aimed squarely at modernizing the cybersecurity posture of the Bulk Power System (BPS). Three agenda items, E-1, E-2, and E-4, mark significant shifts in how NERC CIP standards address Low Impact cyber assets, virtualization, and supply chain risk management.

E-1: Raising the Floor for Low Impact Cyber Assets

What happened

Item E-1 advances a Notice of Proposed Rulemaking (NOPR) to approve CIP-003-11 (Docket RM25-8-000), which would retire CIP-003-9 and supersede CIP-003-10. It strengthens baseline controls for Low Impact BES Cyber Systems, the systems that historically fell into the “lightest-touch” category under CIP. The changes are rooted in the work of the Low Impact Criteria Review Team (LICRT), convened after the SolarWinds compromise, which concluded that coordinated attacks against Low Impact BES Cyber Systems pose risks the current standards do not adequately address.

Key new requirements:

  • User authentication before granting access to networks containing Low Impact systems or shared infrastructure.

  • Protection of authentication data in transit to reduce the risk of credential theft or replay.

  • Detection of malicious communications to and from Low Impact systems, expanding protections beyond vendor remote access to all routable electronic communications.

  • A 36-month compliance window from the effective date, recognizing that compliance will require new policies, staff training, architectural changes, and technology investments.

The NOPR also solicits comments on whether NERC should conduct a white paper or study on evolving threats to Low Impact assets, signaling the Commission’s concern that these systems remain an attractive vector for adversaries.
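To make the detection requirement concrete, here is an added example (not code from the original post, and not a NERC or FERC artifact) of the kind of boundary check a Low Impact monitoring pass would perform: it parses constructed flow records for an assumed Low Impact subnet (10.50.0.0/24), flags routable communications that cross the segment boundary from or to a peer that is not on an assumed allowlist, and flags inbound sessions on protocols that carry credentials in the clear, since those are evidence that authentication data is not protected in transit. The subnets, allowlist, and log format are all assumptions for illustration; substitute the entity’s own asset inventory and sensor output.

```python
"""Boundary-crossing detection for a Low Impact segment (illustrative, added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumed network layout (hypothetical; replace with the entity's asset inventory).
LOW_IMPACT_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # Low Impact BES Cyber Systems
ALLOWED_PEERS = [
    ipaddress.ip_network("10.10.0.0/24"),   # control-center hosts permitted to reach the segment
    ipaddress.ip_network("192.0.2.0/24"),   # vendor jump hosts behind the remote-access control
]
# Protocols that carry credentials without transport protection. One of these crossing
# the boundary means authentication data is not being protected in transit.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmpv1/v2c"}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    nbytes: int


_KV = re.compile(r"(\w+)=(\S+)")


def parse_flows(text: str) -> list[Flow]:
    """Parse 'timestamp key=value ...' records (assumed sensor format) into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        kv = dict(_KV.findall(rest))
        flows.append(Flow(ts, ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                          int(kv["dport"]), kv["proto"], int(kv["bytes"])))
    return flows


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def analyze(flow: Flow) -> list[str]:
    """Return findings for one flow; an empty list means nothing to report."""
    findings: list[str] = []
    src_li = in_any(flow.src, LOW_IMPACT_NETS)
    dst_li = in_any(flow.dst, LOW_IMPACT_NETS)
    if src_li == dst_li:
        # Either the flow never touches the segment or it stays entirely inside it;
        # neither is a boundary crossing.
        return findings
    if dst_li:
        # Inbound across the boundary: must originate from an approved peer...
        if not in_any(flow.src, ALLOWED_PEERS):
            findings.append(f"unapproved-inbound:{flow.src}")
        # ...and must not carry credentials in the clear.
        if flow.dport in CLEARTEXT_AUTH_PORTS:
            findings.append(f"cleartext-credential-protocol:{CLEARTEXT_AUTH_PORTS[flow.dport]}")
    else:
        # Outbound: a Low Impact host reaching a destination nobody approved is the
        # beaconing / staging pattern the detection requirement is meant to surface.
        if not in_any(flow.dst, ALLOWED_PEERS):
            findings.append(f"unapproved-outbound:{flow.dst}")
    return findings


def analyze_flows(flows: list[Flow]) -> list[list[str]]:
    return [analyze(f) for f in flows]


# Constructed sample records (not real traffic): SSH from an approved host, telnet from
# the same host, HTTPS from an unknown external address, egress from a Low Impact host
# to an unknown address, and Modbus between two hosts inside the segment.
SAMPLE_LOG = """\
2025-09-18T14:02:11Z src=10.10.0.5 dst=10.50.0.12 dport=22 proto=tcp bytes=4120
2025-09-18T14:02:15Z src=10.10.0.5 dst=10.50.0.12 dport=23 proto=tcp bytes=880
2025-09-18T14:03:01Z src=198.51.100.77 dst=10.50.0.20 dport=443 proto=tcp bytes=1520
2025-09-18T14:03:40Z src=10.50.0.12 dst=203.0.113.9 dport=443 proto=tcp bytes=73100
2025-09-18T14:04:02Z src=10.50.0.12 dst=10.50.0.13 dport=502 proto=tcp bytes=256
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for flow, findings in zip(flows, analyze_flows(flows)):
        status = ", ".join(findings) if findings else "ok"
        print(f"{flow.ts} {flow.src}->{flow.dst}:{flow.dport} {status}")
```

Note what this does and does not do: it only detects and reports, matching the NOPR’s detection-only scope; it does not block the telnet session or the unapproved egress. It also treats traffic that stays inside the Low Impact segment as out of scope, so lateral movement between Low Impact hosts would need a separate check.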

Why this matters

  • Increasing controls: Low Impact doesn’t mean low concern. Attackers can leverage distributed Low Impact assets as training grounds for testing attacks or beachheads for coordinated operations. This reality has driven FERC to increase the security controls for Low Impact assets.

  • Scope expansion: By broadening monitoring to all electronic communications, not just vendor access, FERC is signaling that distributed risks demand systemic detection, not selective coverage.

  • Detection vs. mitigation: The NOPR stops short of requiring entities to mitigate malicious traffic, only to detect it. This may be an interim step with stronger obligations to follow.

  • Implementation runway: The three-year compliance window reflects the reality that even small utilities face meaningful cost and resource burdens, with NERC estimating average compliance costs in the tens of thousands per entity over the implementation period.

  • Operational challenges: Many entities have relied on cost-efficient but minimally secured Low Impact environments. Adding authentication, encryption, and detection means more investment in tools and monitoring.

  • Future trajectory: The request for a study suggests FERC is preparing to expand beyond these incremental measures. Low Impact standards will likely, over time, resemble scaled-down versions of Medium Impact obligations.

The bottom line

Low Impact systems are getting more attention from adversaries, more scrutiny from regulators, and more security controls as a result. CIP-003-11 reframes them as part of the broader threat surface, placing authentication, encryption, and detection in scope. While the NOPR provides a measured path, the Commission has stated its concern that attackers are interested in Low Impact assets and that the standards should be modified to reflect it. These are clear signals that more security controls are coming to a Low Impact asset near you, and not just the ones proposed in this NOPR.

E-2: Virtualization Finally Comes to CIP

What happened

FERC issued a long-awaited Notice of Proposed Rulemaking proposing to approve 11 modified CIP standards and 22 new or revised glossary definitions to address virtualization and cloud technologies (Docket RM24-8-000). This is the most comprehensive attempt to realign CIP with modern IT/OT architectures and the biggest shift since the V3 to V5 transition (or possibly, ever).

Highlights of the proposal:

  • Establishes security objective-based requirements instead of rigid one-to-one hardware/software assumptions.

  • New terms and definitions: “Cyber System,” “Management Interface,” “Shared Cyber Infrastructure” (SCI), and “Virtual Cyber Asset” (VCA).

  • Modernized perimeter language: shifting from “inside” an Electronic Security Perimeter to being “protected by” one, enabling entities to apply security objectives without being locked into a single network model.

  • Change management fit for virtualization: moving away from rigid baseline updates to authorization-focused processes better suited to dynamic workloads.

  • Attack surface reduction: addressing shared resource risks, such as side-channel exposures in multi-tenant environments.

  • Seeks comments on eliminating the Technical Feasibility Exception (TFE) program, which has often been used as a “release valve” for requirements difficult to implement in virtualized environments.

  • Implementation is staged: the standards would become effective no earlier than April 1, 2026, or 24 months after final approval, to give entities time to update controls and documentation.

Commissioner Q&A

  • Chairman Rosner asked why virtualization-specific standards are needed. Staff explained that traditional CIP was designed for discrete hardware, but virtualization enables hundreds of BES Cyber Assets on shared hosts. Security objectives give entities flexibility while preserving reliability.

  • Commissioner Chang pressed on hypervisor risk, noting that shared infrastructure introduces systemic vulnerabilities. Staff confirmed the SCI/VCA definitions directly target this issue, ensuring hypervisor compromise scenarios are within CIP scope.

Why this matters

  • Alignment with reality: Virtualization is already widely deployed in IT and increasingly in OT. Without these updates, CIP obligations were mismatched to modern system design. Standards must therefore facilitate secure adoption rather than ignore it.

  • Audit complexity: Regions and auditors will face steep learning curves assessing shared hypervisors, cloud-based assets, and “security objectives” that are less prescriptive than legacy CIP.

  • Forward-looking but fragile: By focusing on security objectives, FERC is signaling a shift toward outcome-based compliance. But without detailed guidance, inconsistent enforcement is likely.

  • Flexibility in compliance: Entities can maintain perimeter-based security if they choose, but they now have clear standards for secure virtualized operations.

  • Oversight concerns: FERC flagged risks with NERC’s proposal to replace “technical feasibility” exceptions with a new “per system capability” carve-out. Commissioners worry this could allow entities to self-declare exceptions with minimal oversight, potentially weakening transparency and accountability. They are seeking comment on whether to refine, replace, or eliminate exception language altogether.

  • Cost and scope: NERC estimates about 400 registered entities will face meaningful new compliance work (policy updates, documentation, training), with estimated costs of ~$19.6M spread over three years.

  • End of TFEs?: Eliminating the TFE program could remove a common compliance safety net (or loophole, depending on perspective). Entities may push back if prescriptive requirements outpace what’s technically feasible in their environments.

The bottom line

The Virtualization NOPR is a forward-looking overhaul. It clears the way for secure adoption of virtual machines, containers, and shared hypervisors in BES environments. At the same time, the Commission is drawing a line on exceptions, signaling that flexibility must not become a loophole.

E-4: Expanding Supply Chain Risk Management

What happened

FERC issued a Final Rule directing NERC to expand its supply chain standards (CIP-013 and related requirements; Dockets RM24-4-000 and RM20-19-000). The rule largely adopts the September 2024 proposal but adds sharper directives:

  • Identification and response to supply chain risks must be more explicit and programmatic.

  • Protected Cyber Assets (PCAs) are now included in the scope of supply chain protections.

  • Risk assessments must be more accurate and complete, ensuring that gaps are identified before equipment is deployed.

  • NERC has 18 months to deliver responsive modifications.

Commissioner Q&A

  • Chairman Rosner asked how these revisions help utilities stay ahead of emerging threats. Staff highlighted more accurate risk assessments and flexible, risk-based responses.

  • Commissioner See pushed for details on the three directives. Staff explained that systematic identification, consistent response processes, and PCA inclusion all reduce the likelihood of vulnerabilities slipping through supply chains.

  • Commissioner Chang framed the issue as national security, underscoring that grid supply chain integrity underpins not only electricity but the U.S. economy.

Why this matters

  • Closing critical gaps: Expanding to PCAs is a significant scope shift for those who have PCAs in their ESP. Many devices will now fall under formal supply chain oversight.

  • Vendor friction: Utilities will need stronger assurances from suppliers, many of whom may resist additional disclosures or validation. Expect contractual disputes and market shuffling.

  • Flexible but vague: FERC emphasized risk-based approaches, but left room for interpretation. Without concrete audit criteria, entities may struggle to prove they are meeting the new expectations.

  • National security overlay: By tying supply chain risk directly to national security, FERC is laying groundwork for potential future directives that align with broader federal procurement restrictions.

See our full blog post on this order.

Cross-Cutting Themes

From E-1, E-2, and E-4, several threads emerge:

  1. Rising Expectations Across the Board: Even Low Impact assets are no longer exempt from substantive cybersecurity obligations.

  2. Flexibility vs. Enforcement: Virtualization and supply chain standards rely on “objectives” and “risk-based responses,” but how Regions enforce them remains uncertain.

  3. Acceleration of Modernization: These actions recognize that entities are already moving toward virtualization and complex supply chains. Standards must catch up quickly.

  4. National Security Framing: Particularly in E-4, Commissioners explicitly tied reliability to national defense and economic security, signaling a broader policy alignment.

Critical Takeaways

FERC’s actions in September 2025 reinforce a trend: reliability standards are expanding outward from core high-impact systems into every corner of the grid ecosystem: Low Impact, virtualized, and supply-chain-connected alike.

For utilities, vendors, and operators, the takeaways are clear:

  • E-1: Upgrade Low Impact environments now. Authentication, encryption, and detection are no longer optional.

  • E-2: Prepare for virtualization audits; hypervisor risk and shared infrastructure are officially in scope.

  • E-4: Reassess supply chain programs to include PCAs, formal risk identification, and systematic response mechanisms.
