Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector

New York's new cybersecurity law, Chapter 177 of 2025 (S.7672A / A.6769A), introduces mandatory incident reporting, ransom payment disclosures, annual training, and data protection requirements for public-sector entities. Its broad definitions suggest applicability to both IT and OT systems, signaling a significant expansion in cybersecurity oversight for municipalities and public authorities.

Read More
Patrick Miller
Help Shape the Future of the NERC CIP Standards

NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. What’s happening, why it matters, and how you can participate before the July 22 deadline.

Read More
Patrick Miller
FERC Quietly Closes The Books on RM20-12-000

FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.

Read More
Patrick Miller
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid

On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.

Read More
Patrick Miller
Canada’s Bill C‑8: A New Era for Cybersecurity Regulation

Canada is proposing sweeping changes to strengthen its cyber resilience through Bill C‑8. This two-part legislation enhances federal powers over telecom infrastructure and establishes enforceable cybersecurity obligations for critical infrastructure operators. Read our full breakdown of what it means, who it impacts, and what’s next in Parliament.

Read More
Patrick Miller
Automation and AI Risks in Long Duration Energy Storage Systems (LDES): Risk Mitigation and Regulatory Responsibilities

As Long Duration Energy Storage Systems (LDES) become essential to the future of grid resiliency and renewable integration, the infusion of automation and artificial intelligence (AI) into these technologies presents a range of strategic risks. These include cybersecurity vulnerabilities, operational uncertainties, automation-induced failures, and regulatory gaps. This white paper outlines the major categories of risk and identifies key government, regulatory, and standards bodies responsible for managing and mitigating these challenges.

Read More
Patrick Miller
NERC CIP-002 Standards Authorization Request - Project 2021-03

NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.

Read More
Patrick Miller
Analysis of the June 6th, 2025 Executive Order on Cybersecurity

On June 6, 2025, President Donald J. Trump issued a new Executive Order (EO) titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144.” This directive serves as a recalibration of federal cybersecurity strategy, signaling a shift away from prescriptive mandates toward more targeted, agency-specific authority and risk-informed investment in critical initiatives. It amends prior EOs while preserving core elements of federal cybersecurity policy.

Read More
Patrick Miller
The Pillars of an Effective Incident Response Plan

A strong Incident Response Plan (IRP) is more than just a document—it’s a foundation built on key elements like asset inventory, network diagrams, logging, communication strategies, backups, and clear roles. In this blog, Dan Ricci, Senior Cybersecurity Consultant at Ampyx Cyber, breaks down the critical components every IRP needs to be resilient and effective in the face of cyber incidents.

Read More
Patrick Miller
Testimony Before the U.S.-China Economic and Security Review Commission: Protecting U.S. Energy Infrastructure from Strategic Risks

On April 24, 2025, Patrick Miller testified before the U.S.-China Economic and Security Review Commission on the growing cybersecurity and supply chain risks facing U.S. energy infrastructure. My testimony focused on how Chinese state-aligned actors are embedding themselves within critical systems and why securing our grid is essential to preserving America's economic leadership, technological advancement, and national security.

Read More
Patrick Miller
Four Years In: What NERC’s Cyber Security Incident Reporting Data Tells Us (and What It Doesn’t)

In the world of Bulk Electric System (BES) cybersecurity, signals of risk don’t always arrive with alarms blaring or malware lighting up dashboards. Sometimes, the signs are quieter—brute force login failures, odd port scans, or a sudden spike in account lockouts. The annual CIP-008-6 report, filed March 21, 2025 by NERC, shines a small but telling light on just such signals.

Read More
Patrick Miller
Proactively Enhancing Safety in Long Duration Energy Storage: Lessons, Challenges, and Future Strategies

As Long Duration Energy Storage (LDES) technologies gain prominence in modern energy infrastructure, ensuring the safety of workers and surrounding communities is critical. By examining past incidents involving lithium-ion Battery Energy Storage Systems (BESS) and other storage solutions, we can extract crucial lessons to mitigate risks in LDES deployment.

Read More
Patrick Miller
FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)

The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).

Read More
Patrick Miller
FERC’s New Proposed Rule on Supply Chain Risk Management (SCRM)

The Federal Energy Regulatory Commission (FERC) has released a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-4-000, focusing on supply chain risk management (SCRM) for the Bulk-Power System (BPS). This proposed directive aims to fill critical gaps in existing NERC Critical Infrastructure Protection (CIP) standards and bolster the defenses of our nation’s critical infrastructure.

Read More
Patrick Miller
FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know

In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks.

Read More
Patrick Miller
Proactive Cyber Defense: Recognizing Cyber Intrusions for Critical Infrastructure System Operators

Leveraging Guidance from the Electric & Water Sectors and Broadening for all Critical Infrastructure. In an era marked by rapid digital transformation and increasing cyber threats, whether electric, water and wastewater systems, chemical, or any other of the critical infrastructure sectors, it is imperative for control system operators to be well-versed in recognizing and responding to cyber intrusions.

Read More
Patrick Miller