FERC Approves Order No. 919: Modernizing Grid Cybersecurity through Virtualization
Federal Energy Regulatory Commission (FERC)
The Federal Energy Regulatory Commission (FERC) has finalized a comprehensive rule fundamentally modernizing the way the federal government oversees cybersecurity for the nation’s electric grid.
By updating the Critical Infrastructure Protection (CIP) Reliability Standards, the agency is formally clearing the regulatory path for utility companies and grid operators to integrate advanced virtualization technology into their industrial control systems without running afoul of strict federal compliance mandates.
Order No. 919 approves 11 modified CIP Reliability Standards, along with 22 new or modified glossary terms, directly accommodating virtualization and other nascent technologies.
The new standards replace the cumbersome "technical feasibility exception" process with a "per system capability" standard. Under this framework, if a grid operator can demonstrate that a specific piece of equipment is inherently incapable of performing a required security action, the operator is no longer forced to undergo the lengthy formal exception approval process. Instead, it is permitted to self-implement an equally effective alternative mitigation measure.
The Commission explicitly directed NERC to develop a clear set of criteria governing how and when operators can invoke the "per system capability" exception, ensuring that entities cannot simply bypass security protocols without legitimate cause.
Furthermore, the rule mandates that grid operators report their use of these exceptions directly to the enforcement authorities, and it requires NERC to submit an annual, anonymized report to FERC detailing exactly how often and for what types of equipment these exceptions are being used nationwide.
The nation's power grid is increasingly targeted by sophisticated cyber threats. Virtualization allows grid operators to isolate applications in secure, separated software environments, drastically reducing the attack surface available to bad actors and mitigating the risk of widespread blackouts.
Furthermore, by streamlining the regulatory process for legacy equipment, the rule protects consumers' wallets. Forcing utilities to prematurely rip out and replace highly expensive, long-life operational technology simply because it lacks a modern software configuration would result in massive infrastructure costs that are inevitably passed on to ratepayers. By allowing flexible, alternative security mitigations, FERC is ensuring grid security without triggering unnecessary spikes in utility bills.
Crucially, the adoption of virtualization under this rule is entirely voluntary. The standards are designed to accommodate entities that choose to modernize their network architecture, but they do not force operators to abandon their traditional, physical perimeter-based security models if they prefer to maintain them.
Furthermore, FERC has certified that the rule will not place a significant economic burden on small businesses.
Of the affected entities, roughly 406 are classified as small, and the agency estimates that the one-time cost to update compliance documentation and processes for these smaller operators will be approximately $33,938 per entity, a figure the agency deems manageable given the critical necessity of securing the bulk power system against modern threats.