From requiring a report on wildfire mitigation to adopting a suite of reliability standards on cybersecurity and supply chain resilience, FERC has been unusually active this September. To help make sense of this spate of regulatory activity and its implications, we offer the following summary and observations.

Wildfire Mitigation Report

In an order issued on September 10, 2025,[1] FERC directed the North American Electric Reliability Corporation ("NERC") to submit a report by May 1, 2026, on "best practices" to reduce the risk of wildfire ignition from the bulk power system ("BPS").[2] The requested report must assess: (a) methods such as vegetation management and the removal of forest-hazardous fuels along transmission lines; and (b) known and emerging technologies that can be deployed to detect and mitigate wildfire in the context of protecting the BPS, and whether the use of such technologies is consistent with existing NERC reliability standards.[3]

Additionally, FERC directed NERC to: (a) assess low-cost measures to lower the risk of wildfire ignition (e.g., facility inspections); and (b) solicit input from wildfire mitigation experts, and include in the required report those suggested best practices that should be adopted in future reliability standards. Concurrent with the issuance of the Wildfire Order, FERC issued a notice of a technical conference on wildfire mitigation "to solicit input from relevant subject matter experts on the topics outlined in Executive Order 14308."[4] NERC was directed to consider testimony from that conference in its required report, including its consideration of the need for new or revised reliability standards. The technical conference will be held on October 21, 2025, at FERC headquarters in Washington, D.C.

Supply Chain Risk Management

In an order issued September 18, 2025,[5] FERC directed NERC to submit new or modified reliability standards within 18 months of the issuance of Order No. 912 that address "ongoing risks to the reliability and security of the [BPS] posed by gaps" in the Critical Infrastructure Protection ("CIP") reliability standards related to supply chain risk management ("SCRM"). The new or revised reliability standards must address: (a) the sufficiency of responsible entities' SCRM plans related to the identification of and response to supply chain risks, and (b) the applicability of SCRM reliability standards to protect cyber assets referred to as Protected Cyber Assets or PCAs.[6]

NERC had previously issued a Notice of Proposed Rulemaking ("NOPR") to address supply chain risk.[7] In that NOPR, FERC explained that, while the currently effective SCRM reliability standards provide a baseline of protection against supply chain threats, there are increasing opportunities for attacks posed by the global supply chain, including insertion of counterfeit code or malicious software in hardware to enable remote access. In FERC's view, directing NERC to identify gaps in the SCRM reliability standards "enhances the security posture" of the BPS.

Order No. 912 takes effect on November 24, 2025.

Critical Infrastructure Protection ("CIP") – NOPR

The Commission issued a NOPR on September 18, 2025[8] proposing to adopt a modified reliability standard, CIP-003-11, that would specify management controls that establish responsibility and accountability to protect low impact bulk electric system ("BES") cyber systems against compromise that could lead to misoperation, non-operation, or instability of the BES.[9]

The proposed, modified reliability standard would require entities with assets containing low impact BES Cyber Systems to "document and maintain plans that include controls" specified in the proposed standard "to authenticate remote users, protecting the authentication information in transit, and detecting malicious communications to or between low impact BES Cyber Systems with external routable connectivity."[10] In addition to comments on the proposed, modified reliability standard, FERC seeks comment "on the continuing evolution of threats of compromise to low impact BES Cyber Systems" and "whether it is worthwhile to direct NERC to perform a study or develop a whitepaper on evolving threats as they relate to the potential exploitation of low impact BES Cyber Systems."

Comments in response to the CIP NOPR are due November 24, 2025.

Virtualization Reliability Standards

In another NOPR, FERC advanced a number of revisions to the NERC Glossary and proposed for approval 11 CIP reliability standards.[11] FERC submitted the proposed modifications to update CIP reliability standards to "enable the application of virtualization and other new technologies in a secure manner."[12] With regard to the proposed reliability standards, FERC also proposed to approve applicable violation risk factors, violation security levels, implementation plans, and effective dates, and approve the retirement of the currently effective version of each reliability standard.[13]

FERC noted that the reliability standards in question (e.g., those governing perimeter-based security) were "designed around the concept that devices have a one-to-one relationship between software and hardware."[14] With the evolution of technology, FERC wishes to provide responsible entities with the flexibility "to adopt virtualization and other technologies" to operate their systems efficiently while maintaining a "robust security posture."[15] While noting the reliability benefits of virtualization (including increased uptime and fast recovery capability), FERC stated that the proposed modifications would not obligate entities to adopt virtualization.

Finally, FERC offered its view on language proposed by NERC for multiple requirements in the reliability standards, namely, replacing the phrase "where technically feasible" (which NERC viewed as creating administrative burdens) with the phrase "per system capability."[16] FERC expressed its concern that the proposed phrase would eliminate transparency and FERC oversight by introducing a self-implementing exceptions process with no reporting obligations.[17]

Comments on the Virtualization NOPR are due November 24, 2025.

Extreme Cold Weather Reliability Standard

Continuing its effort to ensure system reliability during major cold weather events affecting the BPS, FERC issued an order on September 18, 2025[18] approving a modified reliability standard (EOP-012-3 – Extreme Cold Weather Preparedness and Operation), and its related violation risk factors, violation security levels, and defined terms.

In response primarily to the February 2021 cold weather event affecting millions of customers in Texas, FERC staff made a series of recommendations that were ultimately adopted by FERC, including the filing and approval of EOP-012-2 in 2023.

In approving reliability standard EOP-012-3, FERC noted that the modified standard would improve the reliability of the BPS by adding requirements to ensure that:

  • Generator owners declaring a Generator Cold Weather Constraint ("GCWC") submit the declaration to their compliance enforcement authority ("CEA")
  • Corrective action plans developed due to a GCWC are completed prior to the first day of the first December following the event
  • An approval process is in place for any corrective action plan extension
  • A discrete list of GCWCs is identified for generator owners along with a preapproval process for all declared constraints
  • A short timeframe (36 months) is required to review the validity of declared constraints
  • Generation units that begin commercial operation on or after October 1, 2027, must be capable of operating in Extreme Cold Weather Temperature[19] without the provision to develop any corrective action plan

FERC concluded that the revised reliability standard should become effective October 1, 2025.

Finally, FERC directed NERC to file biennial information filings (starting no later than October 2026 and proceeding to October 2034) to report on data collected to ensure the effectiveness of the revised reliability standard.

FERC continues to play an active role in working with NERC and regional entities to ensure the reliability of our nation's BPS. This effort has only been accelerated by the interconnection of diverse electric generation resources, the extreme demand placed on the BPS by large loads such as data centers, and Administration directives. With this level of regulatory activity, compliance risk can increase, making it incumbent on entities with registration and related obligations to ensure that they review issued orders and notices carefully and engage with consultants and counsel regularly.

If you have any questions, please contact the authors of this advisory.

*Deiman Flores, energy paralegal, also contributed to this article.



[1] Order Directing Report, 192 FERC ¶ 61,212 (2025) ("Wildfire Order"). President Trump's June 12, 2025, Executive Order 14308 directed FERC to consider best practices "to reduce the risk of wildfire ignition from the [BPS] without increasing costs for electric-power end users, …" Executive Order No. 14308, 90 Fed. Reg. 26175 (June 18, 2025). In July of 2025, NERC also issued a voluntary reference guide with information and tools for developing a wildfire mitigation plan. North American Electric Reliability Corp., Wildfire Mitigation Reference Guide (July 2025).

[2] The BPS is defined by NERC as the facilities and control systems necessary for operating an interconnected energy transmission network (or any portion thereof); and electric energy from generation facilities needed to maintain transmission system reliability. The BES is defined as all transmission elements operated at 100 kV or higher and real power and reactive power resources connected at 100 kV or higher. NERC, Glossary of Terms Used in NERC Reliability Standards (July 10, 2025), ("NERC Glossary") at 8-10.

[3] NERC has not developed reliability standards aimed directly at wildfire mitigation, but a number of reliability standards (e.g., FAC-003-1 related to vegetation management) play a pivotal role in preventing wildfires.

[4] Wildfire Order at 6.

[5] Supply Chain Risk Management Reliability Standards Revisions; Equipment and Services Produced or Provided by Certain Entities Identified as Risks to National Security, Order No. 912, 192 FERC ¶ 61,230 ("Order No. 912").

[6] In the NERC Glossary, PCA is defined as "one or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter." (NERC Glossary at 32).

[7] Supply Chain Risk Management Reliability Standards Revisions, Notice of Proposed Rulemaking, 188 FERC ¶ 61,174 (2024).

[8] Critical Infrastructure Protection Reliability Standard CIP-003-11 – Cyber Security – Security Management Controls, Notice of Proposed Rulemaking, 192 FERC ¶ 61,227 (2025) ("CIP NOPR").

[9] In the NERC Glossary, BES Cyber System is defined as "[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." BES Cyber Asset is defined as "[a] Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems." (NERC Glossary at 7). The CIP reliability standards classify BES Cyber Systems as high, medium, or low impact based on their ability to adversely impact the reliability of the BES if they are compromised. Most BES Cyber Systems within the BES are categorized as low impact. According to FERC, "[i]ndividual low impact BES Cyber Systems have less of an impact on [BES] reliability than medium or high impact BES Cyber Systems and thus, have fewer CIP reliability standard requirements. Nevertheless, low impact BES Cyber Systems may still introduce reliability risks of a higher impact when distributed low impact BES Cyber Systems are subjected to a coordinated cyber-attack." (CIP NOPR at P 6).

[10] CIP NOPR at P 2. In the NERC Glossary, External Routable Connectivity is defined as "[t]he ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection" (NERC Glossary at 17).

[11] Virtualization Reliability Standards, Notice of Proposed Rulemaking, 192 FERC ¶ 61,228 (2025) ("Virtualization NOPR").

[12] Virtualization NOPR at P 1. Virtualization is "the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions."

[13] Id.

[14] Virtualization NOPR at P 2.

[15] Id.

[16] Virtualization NOPR at P 3.

[17] Id.

[18] North American Electric Reliability Corp., Order Approving Reliability Standard EOP-012-3 and Directing Data Collection, 192 FERC ¶ 61,229 ("Cold Weather Order").

[19] In the NERC Glossary, Extreme Cold Weather Temperature is defined as "[t]he temperature equal to the lowest 0.2 percentile of the hourly temperatures measured in December, January, and February from 1/1/2000 through the date the temperature is calculated" (NERC Glossary at 17).