Ampyx Cyber Blog
The Intersection of Regulation & Resilience
FERC 2025 CIP Audit Findings: DER Impact Ratings, Vendor Oversight Gaps, and Cloud Compliance Risk
FERC’s latest CIP audit lessons for 2025 highlight three rising compliance risks. Entities are undercounting DERs in GOP control center impact ratings, outsourcing compliance work without adequate oversight, and moving EACMS or PACS functions to the cloud without a defensible evidence path. These issues now represent real audit exposure across the US bulk power system.
Closing the Gaps: FERC Order 912 and the Future of Supply Chain Risk Management
FERC Order 912 marks a shift in supply chain cybersecurity for the Bulk-Power System. It directs NERC to strengthen supply chain protections by closing gaps in risk identification, reassessment, and response, and by extending coverage to Protected Cyber Assets. Vendor data validation is encouraged but not mandated, and NERC has 18 months to deliver new or revised standards.
Securing Tomorrow’s Grid: FERC Acts on Low Impact, Virtualization, and Supply Chains
FERC’s September 2025 actions reshaped grid reliability standards by tightening security requirements for low-impact assets, adding authentication, encryption, and monitoring; new requirements and new definitions to support secure adoption of virtualization technologies; and expanding supply chain protections to cover Protected Cyber Assets and other connected systems.
Interconnection Gets Teeth: Virginia Puts Cyber into the Rulebook
Virginia moves cyber into DER interconnection. State Corporation Commission (SCC) Staff proposes adopting IEEE 1547.3-2023 and the NARUC/DOE Baselines, requiring utilities to publish minimum cybersecurity standards, audit & report annually, and align Technical Interconnection (TIIR) settings for secure comms/ports. Bottom line: meeting utility cyber controls becomes a condition of interconnection.
CIP-015 Clarified: Mixed-use PACS/EACMS and What’s Actually In Scope
FERC Order 907-A clarifies CIP-015 on shared networks. INSM must monitor only east-west traffic used for access monitoring of EACMS and PACS. Non-CIP assets and data flows are out of scope, even in mixed-use or commingled PACS/EACMS environments. Learn practical patterns to filter collection, segment analytics, and produce audit-ready evidence.
2025 RISC Report: Cybersecurity at the Center of Grid Reliability
The NERC 2025 RISC Report elevates cybersecurity to the core of grid reliability, alongside grid transformation, extreme events, interdependencies, and volatile energy policy. Unlike past reviews, this report is a forward-looking roadmap, urging modernization, cross-sector coordination, and resilience in a digitized, high-risk energy landscape.
Cyber on Tap: NY's Water Utilities Face New Cyber Rulebook
New York has proposed the first mandatory cybersecurity regulation for water and wastewater systems, targeting utilities serving over 3,300 people. With requirements for vulnerability assessments, incident reporting, and executive oversight, this rule signals a shift toward enforceable cyber resilience and other states may soon follow.
Monitoring Meets Mandate: Will the Next CIP-015 Standard Deliver on FERC’s Vision?
FERC approved CIP-015-1, but also ordered NERC to expand it. The new SAR outlines how INSM requirements will extend beyond the ESP to include EACMS and PACS systems. This post breaks down how the SAR aligns with FERC’s directive, what still needs attention, and why internal visibility is no longer optional.
Texas SB 75: A Lone Star Model for Grid Resilience
Texas SB 75 establishes a first-of-its-kind Grid Security Commission to evaluate and enhance the resilience of the state’s electric grid and critical infrastructure. With a broad all-hazards focus, from cyber threats to EMPs, this bipartisan law signals Texas’ intent to lead on proactive, cross-sector grid security. Learn what’s required, what’s coming, and why it matters now.
Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector
New York's new cybersecurity law, Chapter 177 of 2025 (S.7672A / A.6769A), introduces mandatory incident reporting, ransom payment disclosures, annual training, and data protection requirements for public-sector entities. Its broad definitions suggest applicability to both IT and OT systems, signaling a significant expansion in cybersecurity oversight for municipalities and public authorities.
Help Shape the Future of the NERC CIP Standards
NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. What’s happening, why it matters, and how you can participate before the July 22 deadline.
FERC Quietly Closes The Books on RM20-12-000
FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid
On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.
Canada’s Bill C‑8: A New Era for Cybersecurity Regulation
Canada is proposing sweeping changes to strengthen its cyber resilience through Bill C‑8. This two-part legislation enhances federal powers over telecom infrastructure and establishes enforceable cybersecurity obligations for critical infrastructure operators. Read our full breakdown of what it means, who it impacts, and what’s next in Parliament.
NERC CIP-002 Standards Authorization Request - Project 2021-03
NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.
Analysis of the June 6th, 2025 Executive Order on Cybersecurity
On June 6, 2025, President Donald J. Trump issued a new Executive Order (EO) titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.” This directive serves as a recalibration of federal cybersecurity strategy, signaling a shift away from prescriptive mandates toward more targeted, agency-specific authority and risk-informed investment in critical initiatives. It amends prior EOs while preserving core elements of federal cybersecurity policy.
Cyber Stress Testing: Strengthening Cyber Resilience in the EU Energy Sector
As cyber threats grow more complex, the EU energy sector is turning to stress testing to bolster its resilience. This post explores ENISA’s 2025 Cyber Stress Test Handbook and how it helps energy providers simulate real-world attacks, uncover vulnerabilities, and strengthen defenses in alignment with NIS2, CER, and the Cyber Solidarity Act.
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks
On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.
Chinese-made technology in U.S. critical infrastructure: an interview with Patrick Miller
Patrick C. Miller of Ampyx Cyber testifies in front of the Senate U.S. - China Economic and Security Review Commission on Thursday, April 24 about the threat of Chinese-made technologies in U.S. critical infrastructure, including power systems and telecom. Here is a short interview with Patrick Miller about his testimony.
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)
The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).