Ampyx Cyber Blog
The Intersection of Regulation & Resilience
Cyber-Informed Transmission Planning: Seven Pilots, CIP Leverage
NERC's April 2026 release of the Cyber-Informed Transmission Planning lessons learned captures seven 2024 pilots. None triggered a corrective action plan. The report's most consequential finding: strengthening low-impact CIP requirements is likely a more cost-effective leverage point than expanding TPL-001 to embed coordinated cyber contingencies.
CIP-003 Low Impact Vendor Remote Access: Expert Audit Questions
A deep dive into NERC’s Currently Compliant Podcast Episode 8, extracting every key question being asked about CIP-003-9 vendor remote access. These questions provide a clear view into audit expectations across the ERO Enterprise and highlight where entities are struggling with visibility, control validation, and monitoring of vendor access.
FERC Issues Orders on Virtualization and Low Impact: What Changed and What You Need to Do
FERC unanimously approved Order Nos. 918 and 919 on March 19, 2026, finalizing CIP virtualization standards and new low-impact BES Cyber System controls, plus an updated "Control Center" definition. All CIP-registered entities are affected. Implementation windows are 24 and 36 months respectively. Compliance programs should begin gap assessments now.
NERC’s CIP Roadmap and the Future of Grid Cybersecurity
NERC’s new CIP Roadmap signals a major shift in how cyber risk will be regulated across the power grid. This Policy Pulse explains what NERC released, why it matters, what standards and guidance are coming next, and how utilities, generators, and grid operators should prepare for expanding CIP scope and enforcement.
Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains
FERC’s September 2025 actions reshaped grid reliability standards by tightening security requirements for low-impact assets, adding authentication, encryption, and monitoring; new requirements and new definitions to support secure adoption of virtualization technologies; and expanding supply chain protections to cover Protected Cyber Assets and other connected systems.
FERC Quietly Closes The Books on RM20-12-000
FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.
Inverter-Based Resources - Guide to Potential NERC CIP Impacts of Upcoming Regulatory Changes
Upcoming NERC regulatory changes are expected to result in a significant increase in registrations of inverter-based resources, resulting in the likelihood of control centers to be categorized as North American Electrical Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Medium-Impact Control Centers and/or Low-Impact Control Centers and correspondingly to meet the relevant NERC CIP requirements.
NERC Initiates Data Collection on INSM for Low Impact CIP Assets
NERC has initiated the Internal Network Security Monitoring (INSM) Data Request in response to a directive from FERC. This effort aims to gather data on the risks of not implementing INSM in medium and low impact BES Cyber Systems. NERC is collecting information from utilities in the electric power industry regarding facility numbers, network configurations, malicious code detection, implementation challenges, and alternative solutions. The data must be submitted by July 25, 2023.
New Low Impact NERC CIP-003-9 Regulations: Vendor Supply Chain Security
On March 16 2023, FERC issued a new Order approving NERC CIP-003-9 introducing new requirements for vendor electronic remote access security controls to low impact BES Cyber Systems. These new security controls are intended to allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication.
New cybersecurity controls for vendor access to low impact NERC CIP assets
FERC has approved new cybersecurity standards to improve risk management practices and supply chain risk management for low impact assets. The new standards, designated CIP-003-9, require utilities to establish and maintain a documented supply chain cyber risk management plan and implement vendor-focused cybersecurity protections for their low impact BES Cyber Systems.