FERC’s September grid reboot: virtualization, supply chain, cold

FERC just set the next arc for grid cybersecurity and winter readiness. A virtualization-ready CIP rewrite, tougher supply chain rules that reach PCAs, and an upgraded extreme cold standard are now on the clock. Here is what changes, when it hits, and how to budget for 2026.

By Talos

What FERC just did and why it matters

At its September 18, 2025 open meeting, FERC advanced a four-part package that will shape how utilities design networks, buy equipment, and budget for compliance through 2026 and beyond. The Commission approved a new extreme cold weather standard, issued a final rule directing tougher supply chain protections, and proposed two cybersecurity actions: one to modernize the CIP suite for virtualization and another to raise the floor for low-impact cyber assets. For a concise summary of the decisions and dockets, see the FERC’s September 18 actions overview.

For broader context on transmission policy and near-term grid pressures, you may also want our primers on the FERC 1920-A grid playbook and the timeline fights in Order 1920 courts and clocks, as well as how AI demand is reshaping PJM.

The headline changes at a glance

  • Virtualization-ready CIP (proposed): FERC issued a Notice of Proposed Rulemaking to approve 11 modified CIP standards and related glossary updates so entities can securely use virtual machines, hypervisors, and containers in BES environments. The NOPR also asks whether to replace the long-standing technical feasibility exception with a new per system capability approach. Comments are due November 24, 2025.
  • Tighter supply chain controls (final): FERC directed NERC to strengthen supply chain risk management and explicitly extend protections to Protected Cyber Assets (PCAs). The rule is effective November 24, 2025. NERC must file responsive modifications within 18 months of that date.
  • Low-impact uplift (proposed): FERC proposed to approve CIP-003-11, adding baseline security for communications and system management of low-impact BES Cyber Systems. Comments are due November 24, 2025.
  • Tougher winterization (final): FERC approved EOP-012-3, effective October 1, 2025, and required biennial informational filings starting in October 2026 to track risk reduction.

Virtualization-ready CIP: what changes under the NOPR

The virtualization NOPR would acknowledge virtualization infrastructure and virtual machines across 11 CIP standards, adjust language that assumed one-to-one hardware-to-software mapping, broaden change management beyond static baselines, and add explicit treatment for co-tenancy and side-channel risks on shared hosts. FERC is also seeking comment on swapping the phrase “where technically feasible” for “per system capability,” signaling a shift from exception management to explicit capability documentation. Stakeholders have until November 24, 2025 to comment.

Why it matters now: utilities planning data center refreshes or substation compute upgrades can model high-availability clusters, live migration, and ephemeral workloads without forcing those architectures through controls written only for fixed servers. Expect auditors to ask for evidence that virtual assets are discoverable, that hypervisor access paths are governed like other admin pathways, and that change processes cover template images and orchestrators, not only golden baselines on physical boxes.

Supply chain: from program sufficiency to PCA coverage

FERC’s final rule directs NERC to close several long-recognized gaps in supply chain protections. First, entities must show that their supply chain risk management plans can detect, validate, and respond to real risks in their environment. Second, applicability expands to PCAs, which often include identity stores, badge systems, logging and monitoring platforms, and jump hosts that support BES Cyber Systems. These systems concentrate risk if compromised and are frequently network-connected and vendor-maintained.

What changes in contracts: expect obligations for vendor identity assurance, software transparency, and the ability to disable or suspend remote access on demand. SBOM delivery, vulnerability disclosure timelines, and attestations about development and support locations will move from best practice to common terms for PCA-relevant equipment and software.

Low-impact uplift: CIP-003-11 and coordinated threats

The proposed CIP-003-11 raises the floor for low-impact BES Cyber Systems by hardening communications and system management. FERC is specifically seeking input on whether the low-impact universe is facing coordinated attack patterns that justify further study. Owners with large fleets of low-impact substations or small generators should plan for utility-scale tasks such as standardizing remote access disablement and logging, hardening device management channels, and inventorying vendor connections that traverse business and field networks.

Extreme cold: EOP-012-3 is in effect this winter season

FERC’s approval of EOP-012-3 makes the latest cold-weather requirements effective October 1, 2025. The standard refines generator preparedness planning, improves communications expectations, and tightens timelines for corrective actions when freeze-related issues occur. Biennial informational filings begin October 2026 and run through October 2034. Generator owners and operators should align maintenance, training, and spare-parts stocking with the new requirements and be ready to explain how design limits and freeze protection measures were validated.

Do not forget INSM: coverage expands and clocks are already running

Beyond September’s actions, CIP-015-1 on Internal Network Security Monitoring is now effective, with implementation timelines that start from September 2, 2025. Entities must first implement INSM within control centers and backup control centers, then extend to other applicable systems on a longer timeline. FERC has also directed NERC to expand INSM to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the Electronic Security Perimeter, with proposed modifications due by September 1, 2026. Design your visibility stack to include those systems or you will re-architect twice. See the NERC’s INSM standard project page for the latest milestones.

Architectural shifts you should expect

  • Virtualization becomes auditable OT: Hypervisor management interfaces and orchestration planes move into scope. Treat vCenter-like consoles and KVM management networks as admin pathways that require MFA, role separation, and logging equal to other privileged zones. Live migration changes your threat model because high-value VMs can move; your asset discovery and NAC must follow.
  • Change management gets dynamic: Golden images, templates, and declarative configs become first-class configuration items. Evidence will include how you control and attest to image provenance and how you lock down registries for container images used in BES processes.
  • INSM overlays perimeter controls: East-west visibility, not only ESP ingress and egress, is the new default. Plan taps or SPANs, time sync, and storage for multi-month packet capture or enriched flow metadata. Expect additional monitoring for EACMS and PACS to close blind spots.
  • Supply chain is operationalized: SCRM plans need measurable controls such as vendor identity assurance, remote access kill switches, and SBOM-driven vulnerability triage that ties back to your change windows. PCA scoping will pull in more enterprise-adjacent systems that support BES operations.
  • Cold weather planning is more data-driven: Documentation of freeze-sensitive components, corrective action timelines, and training records must be lined up for the 2025-26 season. Align spares, heat tracing upgrades, and weatherization checks with the new requirements and your dispatch obligations.
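The supply chain bullet above says SCRM plans need SBOM-driven vulnerability triage that ties back to change windows. The following Python is an added illustration of that loop, not code from the original article, from FERC, or from NERC: it parses a CycloneDX-style SBOM for a hypothetical PCA, matches components to an advisory feed by package URL and half-open version range, assigns a remediation SLA from the asset's classification and severity band, and then picks the first planned change window that falls inside the SLA, flagging an emergency change when none does. The SBOM, the advisory identifiers and ranges, the SLA table and the change-window dates are all constructed assumptions; none of the advisories are real CVEs.

```python
"""SBOM-driven vulnerability triage tied to change windows (added example)."""
import json
import re
from datetime import date, timedelta

# Constructed CycloneDX-style SBOM for a hypothetical PCA (a log collector).
# Component names, versions and PURLs are invented for illustration.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "log-collector", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "acme-tls", "version": "3.0.7",
     "purl": "pkg:generic/acme/acme-tls@3.0.7"},
    {"type": "library", "name": "acme-logging", "version": "2.17.1",
     "purl": "pkg:generic/acme/acme-logging@2.17.1"},
    {"type": "library", "name": "acme-compress", "version": "1.2.11",
     "purl": "pkg:generic/acme/acme-compress@1.2.11"}
  ]
}"""

# Constructed advisory feed. Identifiers, ranges and scores are hypothetical,
# not real CVEs; a real feed would come from the vendor's disclosure channel.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:generic/acme/acme-tls",
     "introduced": "3.0.0", "fixed": "3.0.8", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:generic/acme/acme-compress",
     "introduced": "1.2.0", "fixed": "1.2.12", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-0003", "purl_base": "pkg:generic/acme/acme-logging",
     "introduced": "2.0", "fixed": "2.17.1", "cvss": 10.0},
]

# Assumed remediation SLAs (days) by asset classification and severity band.
SLA_DAYS = {
    ("PCA", "critical"): 14, ("PCA", "high"): 30, ("PCA", "other"): 90,
    ("low-impact", "critical"): 30, ("low-impact", "high"): 60,
    ("low-impact", "other"): 180,
}

# Assumed planned maintenance windows for the asset.
CHANGE_WINDOWS = [date(2026, 1, 20), date(2026, 2, 17), date(2026, 3, 17)]


def parse_version(v):
    """Dotted version string -> tuple of ints, e.g. '2.17.1' -> (2, 17, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as in OSV)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def severity_band(cvss):
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "other"


def triage(sbom_json, advisories, classification):
    """Match SBOM components to advisories and attach an SLA per classification."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base, _, version = comp["purl"].partition("@")
        for adv in advisories:
            if adv["purl_base"] != base:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                band = severity_band(adv["cvss"])
                findings.append({
                    "component": comp["name"], "version": version,
                    "advisory": adv["id"], "fix_version": adv["fixed"],
                    "severity": band, "sla_days": SLA_DAYS[(classification, band)],
                })
    findings.sort(key=lambda f: (f["sla_days"], f["advisory"]))
    return findings


def schedule(findings, today, windows):
    """Assign each finding to the first change window inside its SLA, or flag
    it for an emergency change when no planned window lands in time."""
    out = []
    for f in findings:
        deadline = today + timedelta(days=f["sla_days"])
        eligible = [w for w in sorted(windows) if today <= w <= deadline]
        out.append({**f, "deadline": deadline.isoformat(),
                    "window": eligible[0].isoformat() if eligible else "emergency-change"})
    return out


def run_demo(classification="PCA", today=date(2026, 1, 5)):
    return schedule(triage(SBOM_JSON, ADVISORIES, classification), today, CHANGE_WINDOWS)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Two things worth noticing in the output. The component already at its fixed version produces no finding, which is why the match must use a half-open range rather than a bare "affected version" list. And the critical finding on the PCA lands outside every planned window, so it surfaces as an emergency change; that is exactly the evidence an auditor will ask for when your SCRM plan claims findings are tied to change windows rather than left in a spreadsheet.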

Deadlines and near-term actions

  • September 2, 2025: CIP-015-1 effective date. Begin building toward INSM in control centers first, then other applicable systems. Plan now for coverage of EACMS and PACS per FERC’s directive, with NERC’s modification filing due by September 1, 2026. See the NERC’s INSM standard project page for project updates.
  • October 1, 2025: EOP-012-3 effective. Update generator cold-weather plans, training, and corrective action procedures.
  • November 24, 2025: Comments due on the virtualization NOPR and on CIP-003-11. Coordinate with trade associations and include practical evidence from pilots or incident response.
  • November 24, 2025: Supply chain final rule becomes effective. Begin drafting contract and procurement changes to cover PCA-relevant equipment and services. NERC’s responsive standards are due 18 months later.
  • October 2026: First biennial informational filing under EOP-012-3. Build data collection processes into 2025-26 winter operations.

A concise checklist for CISOs and asset owners

  • Inventory and classification
    • Update asset inventories to include virtualization layers: hypervisors, templates, orchestrators, containers, and inter-VM networks.
    • Identify PCAs that support BES Cyber Systems and map vendor access paths.
  • Access and segmentation
    • Enforce MFA and role separation for hypervisor and orchestration consoles.
    • Review segmentation for virtual networks. Treat migrations and snapshots as privileged events.
  • Monitoring and detection
    • Deploy INSM sensors for east-west visibility in control centers and plan expansion to EACMS and PACS.
    • Baseline VM-to-VM flows and set alerts for anomalous lateral movement.
  • Change and vulnerability management
    • Extend change workflows to image pipelines and container registries.
    • Require SBOMs and vulnerability disclosure timelines in contracts; tie findings to risk acceptance or remediation SLAs.
  • Incident response
    • Update plans to cover hypervisor compromise, snapshot theft, and orchestrator misuse.
    • Exercise remote access disablement for vendors supporting PCAs and low-impact sites.
  • Evidence and governance
    • If you rely on per system capability, document why a control cannot be met and how you mitigate the residual risk.
    • Align board and regulator reporting with EOP-012-3 biennial metrics.
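The monitoring items in the checklist (and the INSM bullet under architectural shifts) ask you to baseline VM-to-VM flows and alert on anomalous lateral movement. As an added example that is not part of the original article and not a NERC or FERC artifact, the Python below shows the core of that baseline: learn the set of source-destination pairs and services from a learning window of flow records, then evaluate a detection window for pairs never seen, new services on known pairs, and fan-out bursts where one host suddenly reaches several new destinations. Hostnames, ports, timestamps and the flow records themselves are constructed for illustration; the thresholds are assumptions you would tune to your own segment.

```python
"""East-west flow baselining for INSM (added example, not from the page)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str      # source host or VM (hypothetical names)
    dst: str
    dport: int
    proto: str


# Constructed learning-window flows from a hypothetical control-center segment.
BASELINE_FLOWS = [
    Flow(100, "hmi-01", "scada-db", 1433, "tcp"),
    Flow(110, "scada-app", "historian", 5432, "tcp"),
    Flow(120, "scada-app", "rtu-gw", 20000, "tcp"),   # DNP3 to the field gateway
    Flow(130, "eng-ws-01", "hv-mgmt", 443, "tcp"),    # hypervisor console access
    Flow(140, "hmi-01", "scada-db", 1433, "tcp"),
]

# Constructed detection-window flows: one known service, then an HMI that starts
# reaching SMB and SSH on systems it never talked to during learning.
DETECTION_FLOWS = [
    Flow(1000, "hmi-01", "scada-db", 1433, "tcp"),
    Flow(1005, "hmi-01", "scada-db", 445, "tcp"),
    Flow(1010, "hmi-01", "historian", 445, "tcp"),
    Flow(1020, "hmi-01", "rtu-gw", 445, "tcp"),
    Flow(1030, "hmi-01", "hv-mgmt", 22, "tcp"),
    Flow(2000, "scada-app", "historian", 5432, "tcp"),
]


def learn_baseline(flows):
    """Return the (src, dst) pairs and (src, dst, dport, proto) services observed."""
    pairs = {(f.src, f.dst) for f in flows}
    services = {(f.src, f.dst, f.dport, f.proto) for f in flows}
    return pairs, services


def detect(flows, pairs, services, fanout_threshold=3, window=60):
    """Compare flows against the baseline and return alerts, oldest first.

    Rules:
      new_pair    - src reached a dst it never reached during learning
      new_service - known pair, but a dport/proto absent from the baseline
      fan_out     - src reached fanout_threshold distinct new dsts within `window`
                    seconds (emitted once, when the threshold is first crossed)
    """
    alerts = []
    recent_new = defaultdict(list)  # src -> [(ts, dst)] of recent new_pair hits
    for f in sorted(flows, key=lambda x: x.ts):
        if (f.src, f.dst) not in pairs:
            alerts.append({"rule": "new_pair", **vars(f)})
            hits = recent_new[f.src]
            hits.append((f.ts, f.dst))
            hits[:] = [(t, d) for t, d in hits if f.ts - t <= window]
            targets = sorted({d for _, d in hits})
            if len(targets) == fanout_threshold:
                alerts.append({"rule": "fan_out", "ts": f.ts, "src": f.src,
                               "dst": targets, "dport": None, "proto": None})
        elif (f.src, f.dst, f.dport, f.proto) not in services:
            alerts.append({"rule": "new_service", **vars(f)})
    return alerts


def summarize(alerts):
    """Count alerts by rule, e.g. {'new_pair': 3, 'new_service': 1, 'fan_out': 1}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


def run_demo():
    pairs, services = learn_baseline(BASELINE_FLOWS)
    return summarize(detect(DETECTION_FLOWS, pairs, services))


if __name__ == "__main__":
    pairs, services = learn_baseline(BASELINE_FLOWS)
    for alert in detect(DETECTION_FLOWS, pairs, services):
        print(alert)
```

The caveat a practitioner will want: a baseline is only as clean as the window it was learned from. If an attacker or an undocumented vendor session was already active during learning, its traffic becomes "normal" and never alerts, so learn during a period you have independently verified, review every new_pair alert before promoting it into the baseline, and re-learn after planned changes such as live migrations or new orchestrator deployments rather than letting the baseline drift silently.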

Common pitfalls to avoid

  • Cloud and VM sprawl: Uncontrolled test clusters and shadow IT can drift into CIP scope via shared networks or credentials. Require registration for any new virtualization nodes and block unapproved orchestrators.
  • PCA scoping gaps: Overlooking identity management, logging stacks, or badge systems that act as PCAs will create both audit exposure and real risk. Build a PCA registry with owner, vendor, and remote access details.
  • INSM blind spots: Focusing only inside ESPs will fall short once EACMS and PACS come into scope. Plan for visibility outside the ESP boundary now.
  • Weak per system capability documentation: If the virtualization NOPR’s language is finalized, superficial justifications will not stand up during audits. Capture vendor statements, technical limits, compensating controls, and review cycles.
  • Low-impact complacency: Treating low-impact as out of scope will conflict with CIP-003-11’s direction and with supply chain expectations. Inventory communications paths and vendor access for low-impact fleets.

Budgeting for 2026: practical ranges

Every fleet and footprint is different, but planning guidance helps:

  • INSM rollout and storage: Pilot sensors, taps, time sync, and 12 to 24 months of metadata retention can run low six figures for smaller portfolios and into low seven figures for large, multi-region owners, depending on analytics choice and packet capture depth.
  • Virtualization hardening: Licensing for privileged access management, hypervisor logging, and microsegmentation typically adds low six figures at enterprise scale; retrofit projects in substations with constrained bandwidth may add similar amounts in one-time spend.
  • Supply chain uplift: Contract rewrites, vendor attestations, SBOM tooling, and remote access control integration often demand dedicated staff or third-party services equal to one to three FTEs for a year, plus platform fees.
  • Cold-weather readiness: Freeze protection retrofits, revised spares, and training refreshes can range from hundreds of thousands to several million dollars depending on unit count, fuel type, and prior winterization maturity.

Treat these as anchors for 2026 budgets rather than commitments; actuals will hinge on footprint, vendor choices, and how much tooling you already own.

Strategic impacts by stakeholder

  • Vertically integrated utilities: Expect heavier near-term capex for INSM and winterization, offset by virtualization efficiencies in data centers and control centers. Procurement must add PCA-aware templates and SBOM clauses. Compliance teams will spend more time on evidence for dynamic change management and on documenting system capability constraints.
  • Independent power producers: EOP-012-3 dominates near-term risk. Generator owners should time freeze-protection work with outages and ensure corrective action tracking is auditable. IPPs that rely on OEM remote support should pre-negotiate disablement and logging expectations consistent with PCA coverage.
  • Equipment and software suppliers: Prepare for contract language that requires SBOMs, vulnerability disclosure timelines, and remote access kill switches. Virtualization-friendly licensing and clear support positions on hypervisor versions will be differentiators. Suppliers of identity, logging, and access systems should anticipate landing inside PCA scope and plan audits accordingly.

What to do in the next 90 days

  • Coordinate comments by November 24, 2025. Prioritize positions on per system capability, definitions for virtualization infrastructure, and practical requirements for low-impact communications.
  • Map your virtualization footprint. Identify all hypervisors, orchestrators, templates, and container registries in or near BES operations.
  • Pre-wire contract language. Add SBOM delivery, remote access disablement, and PCA applicability to your 2026 renewals.
  • Launch an INSM pilot in a control center. Validate telemetry volume, storage needs, and analytic workflows you can scale.
  • Pressure test your cold-weather plan against EOP-012-3. Confirm training is current, spares are stocked, and corrective action timelines are realistic.

The September package is both a forcing function and an opportunity. It closes several gaps exposed by recent incidents and weather events while giving operators the green light to modernize architectures with virtualization. The winners will be those who turn compliance into design principles now, not after the comment windows close. For the official summary, start with the FERC’s September 18 actions overview.
