Ampyx Cyber Blog

The Intersection of Regulation & Resilience

Using the Work of Others in NERC CIP and O&P Compliance
Deep Dive Patrick Miller

The work of others lets you lean on someone else's assessment as compliance evidence. It does not transfer accountability. This breakdown maps the ERO guidance stack, the two-part test auditors apply, worked examples for CIP-013 vendor assessments and BCSI in the cloud, the FERC FY2025 findings on delegation gone wrong, and the audit prep questions to answer first.

Protocol Converters: The 2023 SAR Just Got Validated (Again)
Policy Pulse Patrick Miller

The 2023 NERC SAR asked whether protocol converters belong inside CIP-002. A new disclosure of 22 CVEs in serial-to-Ethernet hardware, set against a decade of advisories across the category, settles the question. The categorization debate now has its empirical record, and asset owners have CIP-007 R2 and CIP-013 work to do that does not wait for the standard.

Claude Mythos and the OT Threat Horizon: What Utility Operators Need to Know Now
Deep Dive Patrick Miller

Anthropic's Claude Mythos can autonomously discover zero-day vulnerabilities across every major OS and browser, and the same codebases run in OT/SCADA environments. This post breaks down why Mythos-class AI exploitation tools directly implicate utility operators, which NERC CIP obligations are already in play, and what actions defenders should take before the patch window closes.

ERO CMEP 2026: Oversight in the Age of Transformation
Policy Pulse Patrick Miller

The Electric Reliability Organization’s (ERO) 2026 Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan signals a new era in how risk-based oversight keeps pace with a rapidly transforming grid. Released in October, the plan refines NERC’s compliance priorities for the coming year, retiring Incident Response as a distinct risk element and introducing Grid Transformation as a central theme.

FERC 2025 CIP Audit Findings: DER Impact Ratings, Vendor Oversight Gaps, and Cloud Compliance Risk
Policy Pulse Patrick Miller

FERC’s latest CIP audit lessons for 2025 highlight three rising compliance risks. Entities are undercounting DERs in GOP control center impact ratings, outsourcing compliance work without adequate oversight, and moving EACMS or PACS functions to the cloud without a defensible evidence path. These issues now represent real audit exposure across the US bulk power system.

FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know
Deep Dive Patrick Miller

In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.
