Ampyx Cyber Blog
The Intersection of Regulation & Resilience
Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System
Two April 20 Defense Production Act determinations expand domestic capacity for grid components and large-scale energy infrastructure. Neither addresses cybersecurity. For the electric sector, NERC CIP and Order 693 standards still apply. A practitioner's view of intersections with CIP-013, CIP-014, PRC, FAC, and TPL, and why domestic capacity is not domestic assurance.
Cyber-Informed Transmission Planning: Seven Pilots, CIP Leverage
NERC's April 2026 release of the Cyber-Informed Transmission Planning lessons learned captures seven 2024 pilots. None triggered a corrective action plan. The report's most consequential finding: strengthening low-impact CIP requirements is likely a more cost-effective leverage point than expanding TPL-001 to embed coordinated cyber contingencies.
CMEP Version 9: Maintenance on the Surface, Three Signals Underneath
NERC released CMEP Manual Version 9 on March 1, 2026. On the surface it is a maintenance release. Underneath, three signals matter: the Global Internal Audit Standards join the authoritative guidance stack, Rules of Procedure Appendix 4C moved, and a decade-old CIP Version 3 artifact got scrubbed from the Sampling Guide. None of it redraws CMEP. All of it reinforces v8's direction.
Redesigning the Machine: NERC Board Accepts Transformational Standards Modernization Plan
The NERC Board has approved a historic transformation of the standards development process to meet the speed of the modern grid. Aiming for a 12–18 month timeline, the new framework re-engineers how NERC addresses risks from data centers, IBRs, and VPPs. Read our deep dive into the 2027 roadmap, the new SME pool, and the upcoming shift in voting eligibility.
NERC’s CIP Roadmap and the Future of Grid Cybersecurity
NERC’s new CIP Roadmap signals a major shift in how cyber risk will be regulated across the power grid. This Policy Pulse explains what NERC released, why it matters, what standards and guidance are coming next, and how utilities, generators, and grid operators should prepare for expanding CIP scope and enforcement.
![Volt Typhoon and the Quiet Pre-Positioning of the U.S. Power Grid [Updated]](https://images.squarespace-cdn.com/content/v1/5f80bdfaeeac37068ed8c60e/1750463988120-77LW8AOEP96E0SZ38CV2/Deep+Dive.png)
Volt Typhoon and the Quiet Pre-Positioning of the U.S. Power Grid [Updated]
Volt Typhoon represents a quiet but strategic cyber threat to U.S. electric utilities, characterized by long-term access and persistence rather than immediate disruption. Rather than deploying malware, the actor relies on legitimate administrative tools to maintain durable access inside critical infrastructure networks. This blog examines what makes Volt Typhoon different and why early detection depends on behavioral context, not signatures.
Reinforcing the U.S. Grid: The 2025 USCC Report on Chinese Energy Influence
The 2025 USCC Annual Report outlines national security risks from PRC-linked technologies in the U.S. energy sector. It offers clear, field-informed recommendations, including testimony from Ampyx Cyber’s CEO, on supply chain threats, OT device transparency, and cyber response. Read the full analysis and policy roadmap.
From Firefighting to Foresight: Building CIP Programs for the Future Power Grid
NERC calls grid reliability a “five-alarm fire.” With data centers, AI, and extreme weather straining capacity, CIP programs must evolve from reactive compliance to proactive resilience. This post outlines how utilities can strengthen controls, close documentation gaps, and build CIP programs ready for the future grid.
Closing the Gaps: FERC Order 912 and the Future of Supply Chain Risk Management
FERC Order 912 marks a shift in supply chain cybersecurity for the Bulk-Power System. It directs NERC to strengthen supply chain protections by closing gaps in risk identification, reassessment, and response, and by extending coverage to Protected Cyber Assets. Vendor data validation is encouraged but not mandated, and NERC has 18 months to deliver new or revised standards.
Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains
FERC’s September 2025 actions reshaped grid reliability standards by tightening security requirements for low-impact assets, adding authentication, encryption, and monitoring; new requirements and new definitions to support secure adoption of virtualization technologies; and expanding supply chain protections to cover Protected Cyber Assets and other connected systems.
2025 RISC Report: Cybersecurity at the Center of Grid Reliability
The NERC 2025 RISC Report elevates cybersecurity to the core of grid reliability, alongside grid transformation, extreme events, interdependencies, and volatile energy policy. Unlike past reviews, this report is a forward-looking roadmap, urging modernization, cross-sector coordination, and resilience in a digitized, high-risk energy landscape.
Texas SB 75: A Lone Star Model for Grid Resilience
Texas SB 75 establishes a first-of-its-kind Grid Security Commission to evaluate and enhance the resilience of the state’s electric grid and critical infrastructure. With a broad all-hazards focus, from cyber threats to EMPs, this bipartisan law signals Texas’ intent to lead on proactive, cross-sector grid security. Learn what’s required, what’s coming, and why it matters now.
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks
On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.
Chinese-made technology in U.S. critical infrastructure: an interview with Patrick Miller
Patrick C. Miller of Ampyx Cyber testifies in front of the Senate U.S. - China Economic and Security Review Commission on Thursday, April 24 about the threat of Chinese-made technologies in U.S. critical infrastructure, including power systems and telecom. Here is a short interview with Patrick Miller about his testimony.
Proactively Enhancing Safety in Long Duration Energy Storage: Lessons, Challenges, and Future Strategies
As Long Duration Energy Storage (LDES) technologies gain prominence in modern energy infrastructure, ensuring the safety of workers and surrounding communities is critical. By examining past incidents involving lithium-ion Battery Energy Storage Systems (BESS) and other storage solutions, we can extract crucial lessons to mitigate risks in LDES deployment.
Embracing AI for the Electric Grid: Insights from NERC
In the rapidly evolving landscape of the electric sector, the integration of cutting-edge technologies is not just an option; it's a necessity. Among these, artificial intelligence (AI) stands out as a transformative force, offering unprecedented opportunities to enhance grid reliability, security, and efficiency. Recognizing this potential, the North American Electric Reliability Corporation (NERC) has provided insightful comments on how AI can be harnessed to address the challenges and opportunities within the electric grid.
FERC Chairman's Reliability Report: A Year in Review
In 2023, FERC Chairman Willie L. Phillips' report highlighted advancements in U.S. power grid reliability, focusing on enhanced cybersecurity measures, physical grid security improvements, and resilience against extreme weather. Key initiatives included the implementation of new cybersecurity standards, incentive-based cybersecurity investments, and transmission reforms to accommodate evolving energy resources. These efforts underscore FERC's commitment to maintaining a resilient and secure electric grid.
Embracing the Cloud: A New Era for BES Operations
This insightful blog post delves into the critical aspects of cloud migration, offering a strategic roadmap for businesses. It emphasizes the importance of a well-thought-out plan, highlighting the need for compatibility assessment, data security, and cost management. The article also stresses the significance of choosing the right cloud provider and preparing the workforce through training and support. This guide is an essential resource for organizations seeking to navigate the complexities of transitioning to cloud computing, ensuring a seamless and successful migration.
There is a better way to do this: why critical infrastructure cybersecurity regulations are heading in the wrong direction
I helped write and establish the NERC CIP regulations. But now I want change. There is a way to save time, money and headaches while actually improving security for critical infrastructure.
Communication avalanche: What utilities need to think about before a nation-state cyberattack happens to them
Utilities are preparing for the technical side of a cyberattack generated by the Russia-Ukraine conflict. But there is another aspect to these attacks that can cause chaos if you’re not ready. We’ll explore that here.