Regulatory Affairs news highlights: July 2025

 

Recent regulatory headlines we’re tracking include:

NERC SVP presents takeaways from Iberian Peninsula outages to FERC

During the FERC June open meeting, NERC SVP & Chief Engineer Mark Lauby gave a presentation on takeaways from the recent Iberian Peninsula outages that affected all of Spain and Portugal and portions of France.

Lauby provided an overview of the outages and the event analysis reports issued by the Spanish government and the local grid operator, explaining that according to the reports, traditional synchronous generation could not control high voltage resulting from frequency oscillations during the event.

Lauby also went over the recommendations from the reports, pointing out that several recommended actions are things that the U.S. already does. For example, FERC and NERC already require that all generation units capable of voltage regulation, including IBRs, provide that regulation (per VAR-002-4 and Order 827).

The reports also recommended enhanced voltage control resources such as synchronous condensers, static VAR compensators and static synchronous compensators, all of which are already in place in the U.S. To listen to the full presentation and discussion, the June open hearing is available here.

 

FERC withdraws notice of inquiry on the CIP standards, issues final rule approving CIP-015-1

FERC issued a Withdrawal of Notice of Inquiry and Termination of Rulemaking Proceeding on June 26. The move withdraws a 2020 Notice of Inquiry (NOI) on whether the CIP Standards adequately addressed data security risks, detection of anomalies/events, and mitigation of cybersecurity events. The NOI also sought comment on the potential risk of a coordinated cyberattack on geographically distributed targets and how to address that risk via the CIP Standards.

FERC explained that it decided to withdraw the NOI because since the time of its issuance, FERC and NERC have taken actions to address the issues discussed in the NOI, including approving CIP-012-1 (Communications Between Control Centers), CIP-003-9 (Security Management Controls), as well as modifications to the CIP Standards to require protections regarding data communicated between control centers.

FERC also issued a final rule (Order 907) approving Reliability Standard CIP-015-1 (Cyber Security – Internal Network Security Monitoring). CIP-015-1 was developed in response to a FERC directive in Order No. 887. The new standard requires internal network security monitoring (INSM) for all high impact bulk electric system (BES) Cyber Systems with and without external routable connectivity, and for medium impact BES Cyber Systems with external routable connectivity. FERC explained that INSM enhances cyber security because it provides early warning of situations where perimeter network defenses are breached by detecting intrusions and malicious activity within a trust zone.

The final rule also directs NERC to develop modifications to CIP-015, to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside the electronic security perimeter. These modifications are due within one year.

 

DOE announces new vulnerability intelligence solution

The Department of Energy (DOE)’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced that it has created a new vulnerability intelligence solution on June 24. The V-INT: Automated Vulnerability Intelligence and Risk Assessment enables companies to “conduct realistic attack simulations to provide a clear view of how their vulnerabilities appear from an attacker’s perspective.”

The effort was a partnership between CESER, cybersecurity companies Bastazo and Network Perception, and the University of Arkansas. Additional information can be found here.