Live Intelligence Feed

Critical Infrastructure Protection Intelligence

Tracking NERC CIP regulatory updates, ICS/OT vulnerabilities, and cybersecurity threats targeting the Bulk Electric System and critical infrastructure sectors.

14 Active CIP Standards
2,155 ICS CVEs in 2025
9.8 Highest CVSS This Month
3 CIP Updates in 2026

NERC CIP & Infrastructure Security News

Recent regulatory actions, standards updates, and sector-wide cybersecurity developments.

FERC CIP

FERC Approves Virtualization Standards & CIP-003-11

FERC unanimously approved 11 updated CIP Reliability Standards for secure virtualization, plus CIP-003-11 strengthening baseline security controls for low-impact BES Cyber Systems, including new remote access and intrusion detection requirements.

Policy

White House Releases 2026 National Cyber Strategy

The new strategy frames cybersecurity as national power, emphasizing offensive & defensive operations, zero-trust modernization, post-quantum cryptography, and hardening critical infrastructure including energy, telecom, and water sectors.

CIP

NERC Releases 2026 CIP Roadmap

The CIP Roadmap identifies key risk areas outpacing current standards: low-impact system aggregation risk, telecom dependency for SCADA/AGC, universal MFA expansion, and foundational cyber hygiene gaps across the Bulk Power System.

Threat

Ransomware Disrupts Major Spanish Port Operations

A ransomware attack hit Spain's Port of Vigo, forcing authorities to disconnect digital cargo management systems and temporarily switch to manual operations. This follows a pattern of escalating attacks on maritime critical infrastructure.

OT/ICS

Record 2,155 ICS CVEs in 2025, Average CVSS Hits 8.07

Forescout reports a record 508 ICS advisories covering 2,155 CVEs in 2025, with 82% reaching high or critical severity. CISA tracked only 22% of vendor-published vulnerabilities, leaving major blind spots for energy sector operators.

OT/ICS

Survey of 100+ Energy OT Sites Reveals Widespread Gaps

OMICRON study found critical issues within 30 minutes at most sites: unpatched devices, flat networks, undocumented external connections (50+ per substation), and insecure PLC debugging functions left active in production.


Key CIP Dates & Milestones

April 1, 2026

CIP-003-9 Effective Date (U.S.)

Security management controls for low-impact BES Cyber Systems. Requirement R1 Part 1.2.6 (vendor electronic remote access controls) must be fully implemented on day one.

July 1, 2026

CIP-012-2 Effective Date

Communications between Control Centers. Requires documented plans to mitigate unauthorized disclosure, modification, and loss of availability of real-time operational data in transit.

2026 Development

CIP-002-8 Approved (Control Center Definition)

FERC approved the updated "control center" definition expanding scope to Transmission Owners. Effective date follows CIP-002-7 or first calendar quarter 3 months after FERC approval.

2026 Pipeline

Project 2023-06: CIP-014 Risk Assessment Refinement

Physical security risk assessment refinements expected to be finalized in 2026 per NERC's Standards Development Plan 2026-2028.

2026 Pipeline

Project 2025-02: CIP-015 INSM Revisions

Internal Network Security Monitoring revisions. CIP-015-1 effective September 2025, but phased compliance begins October 2028.

2026 Pipeline

Project 2022-05: CIP-008-8 Incident Reporting

Revisions to incident reporting and response planning requirements under NERC's development pipeline.

All News & Analysis

Comprehensive coverage of NERC CIP regulatory activity, critical infrastructure cybersecurity events, and OT/ICS threat intelligence.

FERC CIP

FERC Approves Virtualization Standards & CIP-003-11

Eleven updated CIP Reliability Standards support secure use of virtualization technologies. CIP-003-11 introduces new baseline security controls for low-impact BES Cyber Systems including remote access password safeguards and intrusion detection. The rule also approved CIP-002-8 with updated control center definition.

Industrial Cyber
Threat

CISA Faces 1,000 Vacancies Amid Rising Threats

CISA now has 1,000 vacancies after workforce cuts. Six members of a highly technical threat hunting and incident response team resigned in a single day. Remaining personnel carry out mission-essential functions without pay while facing increasing pressure from nation-state and criminal actors.

McCrary Institute
Policy

White House 2026 Cyber Strategy: Six Pillars of Action

Strategy pillars: shape adversary behavior (offensive/defensive ops), promote common sense regulation, modernize federal networks (zero trust, PQC), secure critical infrastructure, sustain tech superiority, build talent. Signals less checkbox compliance, more measurable outcomes.

Global Policy Watch
CIP

NERC CIP Roadmap: Coverage Gaps and Emerging Risks

The 2026 Roadmap warns that OT enabling generation, transmission, and balancing now sits outside medium- and high-impact CIP coverage. Key themes: universal MFA, encryption for "last mile" communications, foundational cyber hygiene, and IBR-specific risk assessments.

DeNexus
CIP

CIP-003-9 and CIP-012-2: What's Changing in 2026

CIP-003-9 (effective April 1) refines security management controls for supply chain and low-impact environments. CIP-012-2 (effective July 1) requires confidentiality, integrity, and availability protections for real-time data between control centers.

Certrec
Threat

Europe's OT Infrastructure Under Sustained Attack

Documented incidents across Germany, Denmark, Finland, and the Baltics confirm state-aligned threat actors targeting physical systems. Russia's Sandworm and China's Volt Typhoon actively targeting European energy OT. EU NIS2 creates enforceable obligations with fines up to 10M EUR.

Geopolitical Matters
OT/ICS

ICS Cybersecurity 2026: Untracked Vulnerabilities Create Blind Spots

2025 set a record with 508 ICS advisories covering 2,155 CVEs. Average CVSS climbed to 8.07 (up 25% since 2010). 134 vendors published ICS vulnerabilities without CISA advisories. 61% of non-CISA vulnerabilities were high/critical severity.

Forescout
OT/ICS

Energy OT Survey: Critical Issues Found in Minutes

OMICRON study of 100+ energy installations found unpatched devices, undocumented external connections (50+ per substation), unused Windows file sharing services, IPv6 services, and insecure PLC debugging functions in production substations.

The Hacker News
Threat

Energy Sector: 67% Hit by Ransomware, 80% Data Encrypted

Energy, oil, and utilities organizations face ransomware at rates exceeding other sectors. 60% of critical infrastructure attacks attributed to nation-state actors. Energy ranks 4th most targeted sector, accounting for 10% of all incidents.

TTMS Guide
CIP OT/ICS

CIP Roadmap: Protecting PLCs and RTUs in Power Generation

The Roadmap warns that coordinated attacks on multiple "low impact" assets can aggregate into high-impact events. Salt Typhoon campaign targeting telecom infrastructure threatens unencrypted SCADA/AGC data. Recommends extending CIP-012 scope and MFA to low-impact systems.

Shieldworkz
Policy

CISA's 7 Biggest Challenges in 2026

Protecting critical infrastructure with slim resources, China's aggressive cyber ambitions, balancing regulatory frameworks, CIRCIA incident reporting mandate, workforce morale crisis, election security, and Secure by Design continuation.

Cybersecurity Dive
OT/ICS

Geopolitical Shifts Amplify OT Security Risks

PwC reports nation-state rivals running long-term campaigns using credential harvesting and LOTL tactics to infiltrate IT and OT systems. Tech debt from decades-old OT systems connected to modern digital infrastructure creates escalating risk without matching cyber maturity.

PwC

ICS/OT Vulnerability Tracker

Recent CISA ICS Advisories and critical vulnerabilities impacting energy, manufacturing, and critical infrastructure sectors.

| CVE / Advisory | Severity | CVSS | Vendor / Product | Affected Sectors | Description |
|---|---|---|---|---|---|
| CVE-2026-22553 | Critical | 9.8 | InSAT: MasterSCADA BUK-TS | Energy, Manufacturing | OS Command Injection in SCADA/OT environments. Remote code execution without authentication. Immediate patching and OT network isolation required. |
| CVE-2021-22681 | Critical | 10.0 | Rockwell Automation: Multiple ICS Products (PLCs) | Energy, Manufacturing | Now actively exploited (added to CISA KEV). Allows remote attackers to impersonate engineering workstations and manipulate PLCs. Urgent patching required. |
| CVE-2025-12807 | High | 8.8 | Rockwell Automation: FactoryTalk DataMosaix Private Cloud | Manufacturing | SQL Injection via exposed API endpoints. Low-privilege users can perform unauthorized sensitive database operations. Versions 7.11, 8.00, 8.01 affected. |
| CVE-2025-9368 | High | 7.5 | Rockwell Automation: 432ES-IG3 GuardLink EtherNet/IP | Manufacturing | Resource allocation without limits. DoS condition requiring manual power cycle. Update to V2.001.9 or later recommended. |
| Synology-SA-26:03 | Critical | 9.0+ | Synology: DiskStation Manager (DSM) | IT Enterprise | Unauthenticated remote command execution on NAS devices. Immediate security update required for all DSM deployments. |
| ICSA-26-085 | High | 7.8 | WAGO GmbH: Industrial Managed Switches | Energy | Vulnerabilities in industrial managed switches used in energy sector. CISA advisory released March 26, 2026. Check and address across ICS/SCADA environments. |
| ICSA-26-083 | High | 8.1 | Schneider Electric: Plant iT / Brewmaxx | Energy, Manufacturing | Vulnerabilities in process automation software used in energy sector. CISA advisory released March 24, 2026. |
| ICSA-26-083 | Medium | 6.5 | Honeywell: IQ4 Series BMS Controller | Buildings, Energy | Building Management System controller vulnerability. Updated advisory (Update A) released March 26, 2026. |
| CVE-2026-1995 | High | 7.8 | IDrive: Cloud Backup Client for Windows | IT Enterprise | Local privilege escalation. Authenticated low-privilege attackers can execute arbitrary code with system-level permissions. |

Tracking Note: CISA/ICS-CERT has published 3,637 ICS advisories covering 12,174 vulnerabilities affecting 2,783 products from 689 vendors since 2010. However, 134 additional vendors published ICS vulnerabilities without associated CISA advisories in 2025 alone, with 61% of those carrying high or critical severity. Monitor vendor disclosures directly alongside CISA advisories.

Sources: CISA ICS Advisories · Forescout ICS Report · WaterISAC Bulletins

NERC CIP Standards Family

The 14 NERC CIP standards (CIP-002 through CIP-015) define cybersecurity requirements for entities operating on the North American Bulk Electric System.

CIP-002

BES Cyber System Categorization

Identify and categorize BES Cyber Systems and their associated assets for the application of cybersecurity requirements commensurate with their impact on the BES.

CIP-002-8 Approved
CIP-003

Security Management Controls

Specify consistent and sustainable security management controls that establish responsibility and accountability for BES Cyber System security.

CIP-003-9 Apr 2026 / CIP-003-11 Approved
CIP-004

Personnel & Training

Minimize risk from individuals accessing BES Cyber Systems by requiring appropriate personnel risk assessment, training, and access management.

Active
CIP-005

Electronic Security Perimeter(s)

Manage electronic access to BES Cyber Systems by specifying controlled Electronic Security Perimeters and requiring MFA for interactive remote access.

Active
CIP-006

Physical Security of BES Cyber Systems

Manage physical access to BES Cyber Systems by specifying a physical security plan for the protection of BES Cyber Systems.

Active
CIP-007

System Security Management

Manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems.

Active
CIP-008

Incident Reporting & Response Planning

Mitigate risk from cyber security incidents by specifying incident response requirements for identification, classification, response, and reporting.

CIP-008-8 In Development
CIP-009

Recovery Plans for BES Cyber Systems

Recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability and operability of the BES.

Active
CIP-010

Configuration Change Management & Vulnerability Assessments

Prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements.

Active
CIP-011

Information Protection

Prevent unauthorized access to BES Cyber System Information by specifying information protection requirements.

Active
CIP-012

Communications Between Control Centers

Protect the confidentiality, integrity, and availability of real-time assessment and monitoring data transmitted between control centers.

CIP-012-2 Jul 2026
CIP-013

Supply Chain Risk Management

Mitigate cybersecurity risks to the BES by implementing security controls for supply chain risk management of BES Cyber Systems.

Active
CIP-014

Physical Security

Identify and protect Transmission Stations, Substations, and primary control centers that, if rendered inoperable, could result in widespread grid instability.

Risk Assessment Refinement 2026
CIP-015

Internal Network Security Monitoring

Requires INSM for High and Medium Impact BES Cyber Systems with External Routable Connectivity. Newest CIP standard addressing internal visibility gaps.

Effective Sep 2025 / Compliance Oct 2028

NERC CIP & Cybersecurity Resources

Curated links to official standards, intelligence feeds, and critical infrastructure security guidance.

Official NERC & FERC

Vulnerability & Threat Intelligence

Industry Training & Guidance