FERC, NERC CIP and the ISA/IEC 62443 Series of Standards

Durham, N.C., 14 October 2025 — The Federal Energy Regulatory Commission’s (FERC’s) latest meeting showed just how fast the energy sector’s cybersecurity landscape is evolving. Several new actions aim to strengthen North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, expanding protections for low-impact systems, addressing virtualization risks and tightening supply chain oversight.

FERC was established pursuant to the Energy Policy Act of 2005, finalized on 2 February 2006, landmark new rules on the certification of an Electric Reliability Organization and the procedures for the establishment and enforcement of mandatory reliability standards.

The 18 September 2025 FERC meeting emphasized how closely these updates mirror ISA/IEC 62443 principles that many in our community already follow: secure design, lifecycle management and defense-in-depth. It’s clear that regulators and industry are moving in the same direction — toward a more consistent, certifiable approach to protecting critical infrastructure. This growing alignment means utilities and vendors can finally speak the same language of trust and security.

FERC meets monthly, with the next meeting scheduled for 15 October 2025. For details, visit https://www.ferc.gov/electric-reliability.

Learn More: Compare NERC CIP and ISA/IEC 62443

The ISA Global Cybersecurity Alliance (ISAGCA) and ISASecure® worked with the Cumulys and the Utilities Technology Council (UTC) to write and publish the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and ISA/IEC 62443 Comparative Analysis last year. For more information, visit this blog post from ISAGCA.

Written by Cordell Briggs, the vice president of advocacy and cybersecurity at UTC