NERC acronym. An organization overseeing the reliability of the North American bulk power system, ensuring stability and compliance.

Why won’t NERC identify control system incidents as being cyber-related?

July 14, 2025

Understanding the importance of identifying and reporting cyber incidents for maintaining system security

A cyber incident is defined as electronic communication between systems or systems and people (displays) that affects confidentiality (C), integrity (I) or availability (A). A cyber incident does not need to be malicious. Moreover, a sophisticated cyberattacker can make a cyberattack appear to be an equipment malfunction.

NERC is the North American Electric Reliability Corporation and in conjunction with the electric industry develops the electric industry’s cyber security standards – the NERC Critical Infrastructure Protection (CIP) standards. NERC publishes “Lessons Learned” documents to provide industry participants with technical and understandable information that helps them maintain the reliability of the bulk electric system.

NERC CIP-008-06 deals with cyber incident reporting. Yet, NERC has continued to downplay cyber incident reporting. In 2023, I wrote about NERC’s reticence to identify incidents as being cyber-related. The situation hasn’t changed.

NERC has issued two NERC Lessons Learned in 2025: “Loss of Monitoring and Control Due to a Communication Failure Between Control Centers” and “Loss of SCADA/EMS Monitoring and Control – GPS Clock Failure”. According to the first Lessons Learned, “A communication failure between control centers caused several entities to experience loss of monitoring and control.” According to the second Lesson Learned, “Manual intervention stemming from the replacement of a failed Global Positioning System (GPS) clock led to a loss of SCADA and EMS monitoring and control due to an incorrect configuration of the network time protocol (NTP)”.

Both Lessons Learned reports dealt with electronic communication issues that led to loss of availability - loss of monitoring and control. These are cyber incidents that impacted the bulk electric system. NERC Lessons Learned documents are extensively reviewed. Yet, neither incident was identified as being a cyber incident. How can that be?

Get your subscription to Control's tri-weekly newsletter.

Even though both incidents were unintentional, they could have been done maliciously. The Lessons Learned documents provide the following information:

Introducing incorrect time synchronization might inadvertently weaken cyber security defenses. Many security protocols and audit trails rely on precise time synchronization, and discrepancies can be exploited by malicious actors to obscure or manipulate activities.

To enhance the security and reliability of access for control room operator workstations to the data center, these workstations should be configured within the data center where the EMS servers are hosted. This setup will allow for direct access and eliminate the need for a potentially less reliable VPN tunnel. Additionally, control room workstations should be designed as NERC Bulk Electric System cyber assets.

Summary

Neither Lessons Learned document identified the incidents as being cyber-related despite both incidents experiencing loss of monitoring and control that affected the bulk electric system. Consequently, the utilities cybersecurity organizations may not be aware of these Lessons Learned documents. It is not clear why NERC continues to downplay identifying control system incidents as being cyber-related as it only makes the electric industry more susceptible to cyberattacks by creating a false sense of security.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]