Ampyx Cyber Blog

The Intersection of Regulation & Resilience

Protocol Converters: The 2023 SAR Just Got Validated (Again)
Policy Pulse Patrick Miller

The 2023 NERC SAR asked whether protocol converters belong inside CIP-002. A new disclosure of 22 CVEs in serial-to-Ethernet hardware, set against a decade of advisories across the category, settles the question. The categorization debate now has its empirical record, and asset owners have CIP-007 R2 and CIP-013 work to do that does not wait for the standard.

Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System
Policy Pulse Patrick Miller

Two April 20 Defense Production Act determinations expand domestic capacity for grid components and large-scale energy infrastructure. Neither addresses cybersecurity. For the electric sector, NERC CIP and Order 693 standards still apply. A practitioner's view of intersections with CIP-013, CIP-014, PRC, FAC, and TPL, and why domestic capacity is not domestic assurance.

National Cyber Strategy: What It Means for Critical Infrastructure
Policy Pulse Patrick Miller

The Trump administration released its long-awaited National Cyber Strategy. Six pages, six pillars, and a clear signal that federal cyber policy is shifting toward offensive posture and regulatory streamlining. For critical infrastructure operators, the document raises more questions than it answers. Here is what it says, what it doesn't, and what you should do about it.

Humans, Engineering Shifts, Required Investment, and Commitment for Operational Security
Deep Dive Patrick Miller

New secure connectivity guidance describes a greenfield target architecture, but most OT environments are brownfield reality. True resilience isn't achieved through technology alone. Human expertise, manual operating capability, physical engineering controls, and sustained investment are equally critical. Without these foundations, digital security layers risk becoming expensive new failure modes.

New NSA UEFI Guidance: Trust Starts Before the OS
Deep Dive Patrick Miller

UEFI Secure Boot is widely assumed to be enabled and enforcing, yet recent vulnerabilities show how easily trust at boot time can silently fail. NSA’s new guidance breaks down how Secure Boot actually works, where configurations commonly go wrong, and how organizations can validate and recover trust in the earliest stages of system startup.

Closing the Gaps: FERC Order 912 and the Future of Supply Chain Risk Management
Policy Pulse Patrick Miller

FERC Order 912 marks a shift in supply chain cybersecurity for the Bulk-Power System. It directs NERC to strengthen supply chain protections by closing gaps in risk identification, reassessment, and response, and by extending coverage to Protected Cyber Assets. Vendor data validation is encouraged but not mandated, and NERC has 18 months to deliver new or revised standards.

Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains
Policy Pulse Patrick Miller

FERC’s September 2025 actions reshaped grid reliability standards in three ways: by tightening security requirements for low-impact assets (adding authentication, encryption, and monitoring); by adding new requirements and new definitions to support secure adoption of virtualization technologies; and by expanding supply chain protections to cover Protected Cyber Assets and other connected systems.

Canada’s Bill C‑8: A New Era for Cybersecurity Regulation
Policy Pulse Patrick Miller

Canada is proposing sweeping changes to strengthen its cyber resilience through Bill C‑8. This two-part legislation enhances federal powers over telecom infrastructure and establishes enforceable cybersecurity obligations for critical infrastructure operators. Read our full breakdown of what it means, who it impacts, and what’s next in Parliament.

Automation and AI Risks in Long Duration Energy Storage Systems (LDES): Risk Mitigation and Regulatory Responsibilities
Deep Dive Patrick Miller

As Long Duration Energy Storage Systems (LDES) become essential to the future of grid resiliency and renewable integration, the infusion of automation and artificial intelligence (AI) into these technologies presents a range of strategic risks. These include cybersecurity vulnerabilities, operational uncertainties, automation-induced failures, and regulatory gaps. This white paper outlines the major categories of risk and identifies key government, regulatory, and standards bodies responsible for managing and mitigating these challenges.

Analysis of the June 6th, 2025 Executive Order on Cybersecurity
Policy Pulse Patrick Miller

On June 6, 2025, President Donald J. Trump issued a new Executive Order (EO) titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.” This directive serves as a recalibration of federal cybersecurity strategy, signaling a shift away from prescriptive mandates toward more targeted, agency-specific authority and risk-informed investment in critical initiatives. It amends prior EOs while preserving core elements of federal cybersecurity policy.

Cyber Stress Testing: Strengthening Cyber Resilience in the EU Energy Sector
Policy Pulse Patrick Miller

As cyber threats grow more complex, the EU energy sector is turning to stress testing to bolster its resilience. This post explores ENISA’s 2025 Cyber Stress Test Handbook and how it helps energy providers simulate real-world attacks, uncover vulnerabilities, and strengthen defenses in alignment with NIS2, CER, and the Cyber Solidarity Act.

Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks
Policy Pulse, Ampyx Arc Patrick Miller

On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.

FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)
Policy Pulse Patrick Miller

The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.

The European Union's Upgraded NIS2 Cybersecurity Framework
Policy Pulse Patrick Miller

The European Union, with its commitment to digital governance and cyber protection, has recently updated its foundational cybersecurity framework, repealing the previous Network and Information Systems Directive (“NIS”) with the NIS2 Directive. Take a dive into the notable changes, implications, and suggested actions for businesses that fall under its scope.

New cybersecurity controls for vendor access to low impact NERC CIP assets
Policy Pulse Patrick Miller

FERC has approved new cybersecurity standards to improve risk management practices and supply chain risk management for low impact assets. The new standards, designated CIP-003-9, require utilities to establish and maintain a documented supply chain cyber risk management plan and implement vendor-focused cybersecurity protections for their low impact BES Cyber Systems.
