Ampyx Cyber Blog
The Intersection of Regulation & Resilience
CIP-002-8, Decoded: Who’s In, Who’s Out Under the New 2.12
Upcoming NERC CIP-002 grid rules change which control centers fall under stricter cybersecurity protections. This post explains the new test in plain language, who is likely covered, and when local, load-serving areas can qualify for an exception. We also share a quick checklist to help utilities document what they have today and avoid surprises later.
CIP-015-1 INSM: A Practical Playbook
NERC CIP-015 makes east-west visibility inside the ESP mandatory. This playbook shows how to stand up INSM the right way through risk-based data feeds, ICS-aware anomaly detection, evaluation tied to incident response, and defensible evidence on a timeline to 10/1/2028 and beyond. Avoid common pitfalls and design now for the likely CIP-015-2 expansion.
Strategic Value of Self-Reporting in NERC CIP Compliance
Self-reporting in NERC CIP isn’t a weakness. It’s a sign of maturity. Proactive disclosures build regulatory trust, reinforce internal controls, and empower compliance teams to improve. When done right, self-reporting signals ownership, not failure, and positions your program as resilient, transparent, and credible.
Monitoring Meets Mandate: Will the Next CIP-015 Standard Deliver on FERC’s Vision?
FERC approved CIP-015-1, but also ordered NERC to expand it. The new SAR outlines how INSM requirements will extend beyond the ESP to include EACMS and PACS systems. This post breaks down how the SAR aligns with FERC’s directive, what still needs attention, and why internal visibility is no longer optional.
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid
On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.
NERC CIP-002 Standards Authorization Request - Project 2021-03
NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.
The Human Factor: The Greatest Challenge in Organizational Cybersecurity
Despite significant investments in technical controls, frameworks, and compliance efforts such as NIST SP 800-171 Rev 3, NIST SP 800-53 Rev 5, and NERC CIP standards, many organizations still struggle with implementing effective cybersecurity programs. The root of this challenge is not just technology or documentation — it's human behavior.
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)
The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).
FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)
The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know
In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.
Reporting Cyber Incidents under DHS CIRCIA’s Proposed Rulemaking
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on April 4, 2024 published its proposed rules requiring critical infrastructure entities to report significant cyber incidents and ransom payments to CISA. The proposed regulations are intended to consolidate, fortify, and strengthen the United States’ cyber defenses in critical infrastructure (CI) sectors.
Embracing AI for the Electric Grid: Insights from NERC
In the rapidly evolving landscape of the electric sector, the integration of cutting-edge technologies is not just an option; it's a necessity. Among these, artificial intelligence (AI) stands out as a transformative force, offering unprecedented opportunities to enhance grid reliability, security, and efficiency. Recognizing this potential, the North American Electric Reliability Corporation (NERC) has provided insightful comments on how AI can be harnessed to address the challenges and opportunities within the electric grid.
CIP-015: The Crucial Role of INSM in Strengthening Grid Security
introduction of CIP-015, a new regulation aimed at enhancing grid security by mandating Internal Network Security Monitoring (INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems. This development, initiated by FERC Order No. 887, responds to the need for robust monitoring within trusted network zones to detect and mitigate potential cyber threats. CIP-015 emerges as a standalone standard after industry feedback suggested that INSM requirements did not align well with existing frameworks, shifting towards an objective-based rather than prescriptive approach.
NERC's New INSM Regulation: Assessing Impact and Ambiguity
The recent draft release of NERC's new CIP Standard for Internal Network Security Monitoring (INSM) sparks a conversation filled with anticipation and skepticism. With directives from FERC Order 887 echoing in its language, the draft attempts to navigate through the challenges of creating a new regulation to address situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk.
Embracing the Cloud: A New Era for BES Operations
This insightful blog post delves into the critical aspects of cloud migration, offering a strategic roadmap for businesses. It emphasizes the importance of a well-thought-out plan, highlighting the need for compatibility assessment, data security, and cost management. The article also stresses the significance of choosing the right cloud provider and preparing the workforce through training and support. This guide is an essential resource for organizations seeking to navigate the complexities of transitioning to cloud computing, ensuring a seamless and successful migration.
Understanding NERC's CIP-004-7 and CIP-011-3: A Deep Dive into BCSI Access, Cloud Challenges, and Encryption
Stay ahead of the curve with a comprehensive overview of NERC's new Critical Infrastructure Protection (CIP) standards, CIP-004-7 and CIP-011-3, set to be effective from January 1st, 2024. Understand the pivotal changes concerning BES Cyber System Information (BCSI) access, the nuances of cloud BCSI, and the strategic choices around encryption.
Inverter-Based Resources - Guide to Potential NERC CIP Impacts of Upcoming Regulatory Changes
Upcoming NERC regulatory changes are expected to result in a significant increase in registrations of inverter-based resources, resulting in the likelihood of control centers to be categorized as North American Electrical Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Medium-Impact Control Centers and/or Low-Impact Control Centers and correspondingly to meet the relevant NERC CIP requirements.
The European Union's Upgraded NIS2 Cybersecurity Framework
The European Union, with its commitment to digital governance and cyber protection, has recently updated its foundational cybersecurity framework, repealing the previous Network and Information Systems Directive (“NIS”) with the NIS2 Directive. Take a dive into the notable changes, implications, and suggested actions for businesses that fall under its scope.
NERC Initiates Data Collection on INSM for Low Impact CIP Assets
NERC has initiated the Internal Network Security Monitoring (INSM) Data Request in response to a directive from FERC. This effort aims to gather data on the risks of not implementing INSM in medium and low impact BES Cyber Systems. NERC is collecting information from utilities in the electric power industry regarding facility numbers, network configurations, malicious code detection, implementation challenges, and alternative solutions. The data must be submitted by July 25, 2023.
New cybersecurity controls for vendor access to low impact NERC CIP assets
FERC has approved new cybersecurity standards to improve risk management practices and supply chain risk management for low impact assets. The new standards, designated CIP-003-9, require utilities to establish and maintain a documented supply chain cyber risk management plan and implement vendor-focused cybersecurity protections for their low impact BES Cyber Systems.
Ask An Expert
GOT A TOUGH QUESTION?
Sometimes you just need to phone a friend. Ask us anything, any time. You don’t need to be an existing or prospective client. No cost, no hassle and no commitment. We will not put you on a contact list and our sales team won’t harass you. We will always respect your privacy. We promise. Just real answers from real experts for real problems.