
FERC Proposes Rules to Enhance Grid Cybersecurity Reliability Standards

By Alexandra Blake
10 minutes read
December 16, 2025

Utilities should begin implementing the proposed two-tier plan now to strengthen grid cybersecurity and reliability. The plan targets critical assets and requires auditable controls, with FERC setting the direction and utilities preparing for a phased rollout of protections for those assets. Applied consistently, these controls make information flows easier to trace and leave fewer entry points for threat actors. At the October meeting, the rule's proponents noted the need for immediate steps to limit risk across large-scale utility networks.

To move quickly, companies should take the recommended actions this year: map networks, inventory information assets, implement multi-factor authentication, segment networks, and adopt anomaly detection. Once deployed, these measures give organizations clearer visibility into critical paths and exposed interfaces. The rules require those responsible for security to demonstrate progress in quarterly reviews and to share non-sensitive information with regulators. The NOPR (Notice of Proposed Rulemaking) also discusses a practical limit on certain data categories, so operators can protect sensitive details while still collaborating. Large utility operators have already used this approach where demand resilience is tested during peak periods. The October cycle will test how the rule integrates with existing plans and operator procedures.

Key recommendations for decision-makers: require those responsible for grid defense to implement a formal cybersecurity plan that covers supply chain risk, incident response, and software updates. The rules should limit risk by tying compliance to specific timeframes, such as quarterly reviews. The cost burden should be weighed against reliability gains; companies should budget for year-round monitoring and staff training while keeping essential operations uninterrupted. The plan encourages information sharing with regulators and industry groups and supports anonymized incident data so others can prepare without exposing sensitive details.

In practical terms, FERC proposes that each utility submit a concise five-point plan this year, covering scope, timelines, and metrics. The rules support information sharing while preserving sensitive data and set a limit on tolerated vulnerabilities. For demand management, the framework links cybersecurity readiness to the reliability plan so operators can keep operating during cyber events. The emphasis is on measurable improvement, with a clear pathway from assessment to action in the October cycle.

Grid Cybersecurity and Supply Chain Risk: FERC, NERC, and 2025 Outlook

Adopt an integrated supply-chain risk program aligned with the FERC rulemaking and NERC standards, with an accelerated, time-bound adoption path and a clear calendar of milestones. Establish executive sponsorship and a cross-functional team to oversee governance, supplier vetting, and contract terms that enable rapid remediation. This reduces reliance on single vendors and strengthens network resilience by addressing weaknesses before a disruption occurs.

Because progress in 2025 hinges on formal controls, the program should implement electronic records, SBOMs, and vendor risk scoring. The rulemaking process signals growing expectations for risk transparency, and adoption targets should align with state and federal timelines. To show measurable progress, teams must document milestones and maintain visibility across all affected operations that touch the grid.

The action plan follows a phased approach: map critical suppliers and document upstream chains; categorize risk by impact and likelihood; apply layered controls and continuous monitoring; require contract clauses for notification and remediation; extend the program to electronic operations and remote access pathways. Use cross-functional reviews to ensure controls span procurement, IT, OT, and field activities, avoiding gaps that an attacker could exploit over time.

Governance and metrics center on a practical dashboard that tracks progress, time-to-remediate, and the number of additional supplier evaluations; coordinate with state regulators to harmonize requirements and avoid duplicative effort. Establish clear escalation paths, noting how each action affects overall reliability and the ability to recover quickly after an incident. Build a feedback loop that drives ongoing improvement across processes and teams.

The outlook for 2025 points to broader adoption and reinforced oversight, with rulemaking shaping the expansion of decision rights and verification procedures. Expect tighter controls on supplier onboarding, closer verification of electronic component suppliers, and stronger coordination between FERC, NERC, and state entities to address multi-state networks. The calendar of activities will emphasize accelerated milestones and continuous updates to ensure readiness for the compliance cycles ahead.

Utility leadership should publish a concrete six‑quarter timeline, secure board endorsement, and begin supplier surveys and risk assessments now to avoid bottlenecks in adoption. By prioritizing adoption, establishing robust processes, and expanding visibility into chains and electronic components, organizations can strengthen reliability and reduce exposure across multi‑state operations.

Background: Why Cybersecurity and Supply Chain Risks Matter for Grid Reliability

Implement tightened perimeters around control rooms and critical network assets, and establish a continuous supplier-risk program to support reliability and prevent compromises.

Interdependencies between the cyber and physical layers are well documented, and recorded incidents frequently involve compromises that span IT, OT, and supplier boundaries rather than a single organization.

FERC's October review highlighted increased exposure as networks expand and as supply chains rely more heavily on external vendors, a trend accelerated by digitization.

First, implement standardized controls that reduce interdependency risk, require regular supplier assessments, and document outcomes on a fixed cadence. Second, align incentives so organizations accelerate protections and share threat intelligence, closing the most critical gaps and shortening response times.

Proposed Rulemaking: FERC’s Rationale, Scope, and Timelines

Recommendation: FERC should adopt a phased, five-core-rule package with a targeted compliance schedule, including initial readiness by October next year and a final rule within 24 months. The order should require operators to implement protections for EACMS (Electronic Access Control or Monitoring Systems, in NERC CIP terms) and to strengthen management processes for long-term energy resilience, reflecting American industry demands while addressing rising cybersecurity risks.

  1. Rationale: The approach links rules to real risk, reflects reported threat trends, and supports growth in the American energy sector. The proposed steps address industry demand and align with reliability expectations, delivering a predictable path to compliance.
  2. Scope: The rules cover critical assets and processes, including EACMS and related control-room management systems; their interfaces with field devices, substations, and data centers are in scope, while noncritical IT assets are excluded.
  3. Timelines: Initial compliance target by October next year; final rule within 24 months; follow-on phases with annual milestones within a defined time horizon and target dates for each milestone; a public meeting in January to collect input and refine the approach.
  4. Implementation and Metrics: Five core cybersecurity requirements (governance, risk assessment, vendor/contractor management, incident response, and testing) will drive enforcement. FERC will publish clear deadlines, metrics, and quarterly progress reports, with specific time-bound deliverables to show progress against these milestones.
  5. Engagement and Next Steps: FERC will convene industry meetings to gather feedback; American industry groups, utilities, and independent grid operators should submit comments by the published date; the agency will incorporate these inputs into a final rule package while maintaining a steady improvement trajectory for reliability.

Adopting Electric Supply Chain Cybersecurity Standards: What Changes and Who Is Affected

Adopt an SBOM-based baseline and require vendors that supply equipment, software, and firmware used across electric generation and distribution to provide a transparent software bill of materials. This strengthens integrity across the energy supply chain and speeds implementation, giving operators clear vulnerability data and timely remediation from design through deployment.

The expanded scope adds equipment manufacturers, service providers, and groups delivering cloud-based grid management tools; it also covers software updates and firmware used to control devices at substations. This helps identify risk along the supply chain and, according to the rule text, aligns with policymakers' approach of verifying compliance through periodic assessments.

Utilities, independent system operators, municipal operators, and critical infrastructure contractors will implement mandatory controls, while suppliers must provide SBOMs, vulnerability disclosures, patch timelines, and incident response plans. Entities with cross-border supplier ties, including those linked to foreign states, must also align with the baseline controls to minimize risk, and large flexible loads such as cryptocurrency mining operations in the energy market can shift demand on grid resources.

The implementation timeline supports a phased rollout over 24 months: Phase 1 (within six months) requires SBOMs and binding vulnerability disclosures; Phase 2 (within 12 months) enforces patch management and incident response testing; Phase 3 (within 24 months) introduces independent assessments and continuous monitoring. Track metrics such as the share of high-risk vendors with SBOMs, average time to patch, and the number of vulnerabilities identified and closed, with quarterly updates to policymakers and operators.
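To make those Phase 1 to Phase 3 metrics concrete, the following is an added example, not part of the rule text and not FERC, NERC, or any utility's tooling. It parses a CycloneDX-style JSON SBOM (top-level "components" list with "name" and "version"), checks SBOM coverage across a hypothetical vendor inventory, matches SBOM components against hypothetical vulnerability disclosures, and computes average time to patch and open/closed counts for a quarterly report. The vendor names, advisory IDs, component versions, and dates are all constructed for illustration.

```python
"""Supply-chain compliance metrics over a constructed vendor inventory.

Added example (not FERC/NERC text or any utility's tooling). Assumes a
CycloneDX-style JSON SBOM, a hypothetical vendor inventory, and
hypothetical disclosure records with disclosed/patched dates.
"""
import json
from datetime import date
from statistics import mean

# Constructed SBOM for one vendor's substation controller firmware.
SBOM_VENDOR_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "libmodbus", "version": "3.1.6"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
    ],
})

# Hypothetical vendor inventory: risk tier and delivered SBOM (None = none yet).
VENDORS = {
    "vendor-a": {"risk": "high", "sbom": SBOM_VENDOR_A},
    "vendor-b": {"risk": "high", "sbom": None},
    "vendor-c": {"risk": "low", "sbom": None},
}

# Hypothetical disclosures (placeholder IDs): affected component/versions,
# disclosure date, and patch date (None = still open).
DISCLOSURES = [
    {"id": "ADV-0001", "component": "openssl", "affected": {"1.1.1k"},
     "disclosed": date(2025, 1, 10), "patched": date(2025, 2, 9)},
    {"id": "ADV-0002", "component": "zlib", "affected": {"1.2.11"},
     "disclosed": date(2025, 3, 1), "patched": None},
    {"id": "ADV-0003", "component": "libmodbus", "affected": {"3.0.0"},
     "disclosed": date(2025, 3, 5), "patched": date(2025, 3, 15)},
]

# Reporting date for the quarterly snapshot (constructed).
REPORT_DATE = date(2025, 4, 1)


def sbom_components(sbom_json):
    """Return {name: version} from a CycloneDX-style JSON SBOM."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def high_risk_sbom_coverage(vendors):
    """Share of high-risk vendors that have delivered an SBOM (Phase 1)."""
    high = [v for v in vendors.values() if v["risk"] == "high"]
    if not high:
        return 0.0
    return sum(1 for v in high if v["sbom"]) / len(high)


def exposed_components(sbom_json, disclosures):
    """Disclosure IDs whose affected versions appear in the SBOM."""
    comps = sbom_components(sbom_json)
    return sorted(d["id"] for d in disclosures
                  if comps.get(d["component"]) in d["affected"])


def patch_metrics(disclosures, today):
    """Average days-to-patch for closed items plus open/closed counts.

    Open items are aged against `today` so stale disclosures stand out
    instead of silently dragging the average down."""
    closed = [d for d in disclosures if d["patched"] is not None]
    open_ = [d for d in disclosures if d["patched"] is None]
    avg = mean((d["patched"] - d["disclosed"]).days for d in closed) if closed else 0.0
    oldest_open = max(((today - d["disclosed"]).days for d in open_), default=0)
    return {"closed": len(closed), "open": len(open_),
            "avg_days_to_patch": avg, "oldest_open_days": oldest_open}


def quarterly_report(vendors, disclosures, today):
    """Assemble the metrics the text asks operators to report each quarter."""
    per_vendor = {}
    for name, v in vendors.items():
        # A missing SBOM is itself a finding, not an empty exposure list.
        per_vendor[name] = (exposed_components(v["sbom"], disclosures)
                            if v["sbom"] else "no SBOM")
    return {"report_date": today.isoformat(),
            "high_risk_sbom_coverage": high_risk_sbom_coverage(vendors),
            "patching": patch_metrics(disclosures, today),
            "vendors": per_vendor}


if __name__ == "__main__":
    print(json.dumps(quarterly_report(VENDORS, DISCLOSURES, REPORT_DATE), indent=2))
```

In a real program the SBOMs would come from the vendors' deliveries and the disclosure records from the contractual notification channel the text describes; the matching here is exact-version only, so version ranges in real advisories need a proper version comparison before this is used for compliance evidence.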

Cross-sector coordination drives resilience beyond the electric system. Align with water and wastewater operators to synchronize incident response and data-sharing protocols; conduct joint tabletop exercises, and build standard reporting templates. In extreme scenarios, such as a coordinated cyberattack, verified recovery playbooks and real-time status dashboards help those responsible respond quickly while preserving energy integrity and minimizing disruption to customers and essential services.

FERC’s Proposals to Expand NERC’s Scope: Compliance, Oversight, and Enforcement

Recommendation: implement a phased expansion of NERC's responsibilities, anchored by a January notice and a year-long pilot that tests expanded compliance, oversight, and enforcement for critical reliability activities. The proposed framework would require timely reporting, independent verification, and clear penalties for unavailability or nonconformance, with data-based adjustments to keep costs manageable and to close gaps between policy and field practice.

To close those gaps, define perimeters around cyber risk, strengthen PACS (Physical Access Control Systems) and communications security, and require regular testing of incident response. This helps deter attacks and protect remote access while ensuring operators work within approved controls throughout the pilot year.

Key steps include formalizing the notice process, setting clear compliance obligations, and creating oversight mechanisms that report to FERC and NERC leadership. The plan covers reliability under normal conditions and when a PACS is attacked or field equipment is unavailable. The year's budgets and financial plans align with implementation milestones and training across control rooms, cybersecurity teams, and field personnel.

Proposed approach and timeline, by aspect:

Scope & authority
  Proposed approach: Expand NERC's role to include formal compliance, oversight, and enforcement actions, with FERC notice
  Timeline / metrics: 12–24 months for phased adoption

Oversight & governance
  Proposed approach: Clear reporting lines between NERC, FERC, and regional entities; regular audits
  Timeline / metrics: Quarterly reviews; annual report

Compliance measures
  Proposed approach: Mandatory testing of communications, incident response drills, and unavailability reporting
  Timeline / metrics: Monthly submissions; annual validation

Enforcement mechanisms
  Proposed approach: Graduated actions, corrective action plans, and financial remedies for nonconformance
  Timeline / metrics: Initial penalties in year 1; escalation thereafter

NERC 2025 RISC Findings: Interdependencies Among Critical Infrastructure and Reliability Implications

Recommendation: Establish a cross-sector governance plan within 12 months that presents a unified risk map across critical infrastructure and focuses on the transmission interdependencies that affect reliability. Assign a responsible owner for each domain and secure jurisdictional coordination for timely decision-making.

The plan should create a formal risk-identification workflow linking transmission, communications, and production processes to reliability outcomes. Build a living catalog of such issues with clear owners and due dates to ensure accountability.

Findings presented in the 2025 RISC review show increased awareness of cross-sector dependencies and the escalation of risks during extreme weather and physical events. The analysis highlights high-probability routes and critical failure points that cut across utility and non-utility sectors.

Additionally, map jurisdictional authorities to identify interdependencies along the grid and other essential services. This route-level view helps planners forecast cascading impacts on production and service restoration timelines.

Meeting cadence includes quarterly reviews with utility operators, municipal agencies, and private partners to discuss issues, update plans, and set measurable restoration targets. The focus remains on resilience and creating actionable controls that prevent compromises to service.

Implementation steps emphasize standard data sharing, secure communications, and interoperable incident response. Invest in high-priority monitoring, apply consistent incident command structures, and test recovery plans to shorten restoration windows. Responsible teams will maintain dashboards and provide status updates in each meeting.

Over the coming years, the program will refine its route maps, expand awareness, and integrate with capital and operating plans. By maintaining a clear line of sight on risks and dependencies, agencies can sustain resilient operations and reduce long-term production disruptions.