Ampyx Cyber Blog
The Intersection of Regulation & Resilience
FERC Issues Orders on Virtualization and Low Impact: What Changed and What You Need to Do
FERC unanimously approved Order Nos. 918 and 919 on March 19, 2026, finalizing CIP virtualization standards and new low-impact BES Cyber System controls, plus an updated "Control Center" definition. All CIP-registered entities are affected. Implementation windows are 24 and 36 months respectively. Compliance programs should begin gap assessments now.
CIP-002-8, Decoded: Who’s In, Who’s Out Under the New 2.12
Upcoming NERC CIP-002 grid rules change which control centers fall under stricter cybersecurity protections. This post explains the new test in plain language, who is likely covered, and when local, load-serving areas can qualify for an exception. We also share a quick checklist to help utilities document what they have today and avoid surprises later.
NERC CIP-002 Standards Authorization Request - Project 2021-03
NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know
In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.
Inverter-Based Resources - Guide to Potential NERC CIP Impacts of Upcoming Regulatory Changes
Upcoming NERC regulatory changes are expected to result in a significant increase in registrations of inverter-based resources, resulting in the likelihood of control centers to be categorized as North American Electrical Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Medium-Impact Control Centers and/or Low-Impact Control Centers and correspondingly to meet the relevant NERC CIP requirements.
Securing Control Center communications is more than encryption
While encryption meets the security objective of CIP-012, entities can utilize additional security controls to provide a defense in depth approach and in some cases utilize controls other than encryption.