Policy Pulse - Regulatory Roundtable: NERC CIP, Cybersecurity Strategy, AI & Electric Sector

Season 4 - Episode 1

Host: Patrick Miller

Guests: Joy Ditto, Earl Shockley

Policy Pulse: Regulatory Roundtable is a new monthly feature of the Critical Assets Podcast. Join Patrick Miller, Joy Ditto, and Earl Shockley as they break down the latest policy, regulatory, and legislative changes impacting critical infrastructure, OT, and cybersecurity. If it affects your assets, audits, or authority, we’re covering it, straight from the policy frontlines.

Episode Summary

NERC CIP Roadmap: Low Impact No More

The panel explores NERC’s proposed push to apply medium-impact-style controls to traditionally lower-tier systems. Topics include:

  • MFA for low-impact boundaries

  • Greater scrutiny of public network use

  • Proxy regulation of DER aggregators via existing registered entities

Joy raises constitutional and policy questions about Federal Power Act boundaries and the creeping federal reach into state-regulated distribution. Earl contextualizes with past discussions on DHS command-and-control models, arguing proactive industry performance is the best defense against unwanted federal takeover.

CMEP Manual and Auditor Competency

The group reacts to updates in the CMEP manual, especially language emphasizing stronger technical capabilities for auditors.

  • Earl describes firsthand struggles with underqualified auditors lacking utility/ICS background.

  • Joy likens it to letting a soccer referee officiate American football, calling for rigor over regulatory theater.

  • Patrick stresses the importance of aligning audits to performance-based standards, not wishful control interpretations.

All agree that audit inefficiencies, excessive RFIs, and inconsistent enforcement undermine trust in the process.

National Cyber Strategy (Pending Release)

Joy shares insights from inside the Beltway on the still-pending national cyber strategy:

  • Expected pillars: Offensive posture, AI governance, and workforce development

  • Concern over leadership gaps at CISA, with Sean Plankey’s confirmation still on hold

  • Calls for more classification transparency so critical infrastructure owners can prepare for threats in real time

Patrick and Earl highlight the need for execution, not just aspiration, especially if infrastructure is to become a battleground in geopolitical conflict.

AI and Critical Infrastructure

The team debates AI’s growing role in OT/ICS:

  • Earl warns against “false precision” and blind deference to AI outputs, advocating for decision support, not decision ownership.

  • Joy calls for trust structures in AI training and deployment, emphasizing risk-managed design over blind faith in tools.

  • Patrick pushes for policy-level boundaries, especially around life-critical or safety-of-life AI decisions.

Concerns also surface about autonomous vehicles, large load data centers, and AI-driven energy demand outpacing grid planning.

Workforce, Succession, and the Talent Gap

Earl issues a stark warning: for every 5 retiring engineers, only 2–3 are in the pipeline. The sector must:

  • Treat succession planning as an enterprise risk

  • Broaden recruiting beyond EE-only mindsets

  • Recognize certifications and targeted skills, especially in cybersecurity

Joy reinforces the need to recognize small utilities and under-resourced sectors as essential parts of national security, and asks whether we need more support (and maybe more declassification) to empower them.
