The Federal Energy Regulatory Commission (FERC) took significant steps to bolster the reliability and security of the U.S. bulk power system, advancing four measures that address supply chain risks, cloud computing, cybersecurity, and extreme cold weather preparedness. The commission’s actions, announced on September 18, reflect a proactive stance in modernizing grid infrastructure against evolving threats and operational challenges.
FERC finalized a new supply chain risk management rule, set to take effect in 60 days, which expands protections against vulnerabilities stemming from external threats. This rule directs the North American Electric Reliability Corp. (NERC) to develop revised reliability standards within 18 months, focusing on strengthening supply chain risk management plans and extending protections to critical cyber assets. The measure aims to close gaps exposed by past cyber incidents and compliance audits, recognizing growing threats from nation-state actors and global supply chain insecurities.
In addition to the final rule, FERC issued two notices of proposed rulemaking (NOPRs). The first NOPR proposes to approve NERC’s CIP-003-11 standard, which addresses the risk of coordinated cyberattacks on low-impact bulk electric system (BES) cyber systems. The proposal requires entities to authenticate users, protect authentication information, and detect malicious communications. The second NOPR seeks to modernize cybersecurity oversight by revising eleven CIP standards to accommodate virtualization and cloud computing in bulk power operations. This proposal aims to replace prescriptive controls with objective-based criteria, reducing compliance documentation burdens and providing flexibility for entities to adopt protections aligned with their chosen technology stacks.
FERC also approved enhanced extreme cold weather preparedness standards, which will become effective on October 1, 2025. These standards clarify how to calculate unit-specific Extreme Cold Weather Temperatures, update the definition and validation process for Generator Cold Weather Constraints, and strengthen corrective action plan timelines. The new provisions require generators entering commercial operation on or after October 1, 2027, to meet freeze-protection measures or declare constraints until mitigations are complete.
Chairman David Rosner also raised critical questions about load forecasting practices, particularly for data centers supporting artificial intelligence operations. In a letter to six regional transmission organizations (RTOs) and independent system operators (ISOs), Rosner emphasized the importance of accurate forecasting, noting that even small improvements can significantly impact investments and customer bills. This inquiry highlights the need for improved methods to protect reliability and ratepayer value as the sector evolves.
These developments are poised to shape the future of the energy sector by enhancing grid resilience, addressing emerging cyber threats, and ensuring preparedness for extreme weather events. The focus on load forecasting also underscores the need for better planning and investment strategies to meet the growing demands of high-capacity industrial and commercial customers. As the sector continues to evolve, these measures will be crucial in maintaining the reliability and security of the U.S. bulk power system.