Harrison Chang, Senior Security Engineer
On March 21, 2025, NERC released its annual CIP-008-6 report detailing cyber security incidents reported throughout 2024. While the data confirms that no reported events compromised Bulk Electric System (BES) functions, a closer look reveals areas that demand attention – from evolving tactics to persistent blind spots.
RMC proactively drives organizations beyond compliance, turning updates like these into opportunities to build lasting resilience. Let’s explore what this year’s report is really telling us.
Why These Reports Matter
Cyber security incidents tied to the BES must be reported under CIP-008-6, reflecting a critical evolution from previous standards that only required reporting of successful compromises. In 2018, FERC Order No. 848 mandated the inclusion of attempted compromises, recognizing that malicious intent and probing behavior carry real risk, even if an attacker doesn’t get all the way in.
This shift marked a turning point for situational awareness. But how much does the data truly reveal?
A Look at the 2024 Incidents
Three incidents were disclosed in the report – each from a different regional entity (NPCC, RF, and WECC). While none resulted in disruption, each carried telling characteristics:
- Report A:
A medium-impact BES Cyber System experienced 20 failed login attempts via an intermediate system – using the same username from IPs located in both Wyoming and Florida.
Takeaway: The attacker bypassed some corporate defenses, likely through a proxy or VPN, to reach the intermediate system remotely.
- Report B:
Two brute-force attacks targeted a VPN interface within one month:
- The first attempt used IPs from a foreign country and caused lockouts of legitimate users.
- The second involved multiple IPs from a common ISP, using known usernames to repeat the tactic.
Takeaway: These attacks suggest reconnaissance and repeat targeting of a known vulnerability, creating potential denial-of-service conditions for authorized personnel.
- Report C:
A foreign IP attempted a scan of a SCADA network – mapped to MITRE ATT&CK tactics – but was blocked at the firewall. The incident remains under investigation.
Takeaway: Whether due to strong obfuscation by the attacker or inadequate internal telemetry, the lack of clarity highlights the need for better visibility into intermediate system activity.
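The Report A and Report B patterns above can be turned into simple detections. The following is an added example, not code from the NERC report or from RMC: it reads constructed login records from an intermediate system, flags a username whose failures arrive from more than one region inside a time window (Report A), and flags a source that reaches a failure threshold fast enough to trip account lockouts (Report B). The region table and log lines are constructed stand-ins for a GeoIP lookup and real authentication logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed region lookup standing in for a GeoIP database (assumption, not from the report).
REGION = {"203.0.113.10": "US-WY", "198.51.100.7": "US-FL", "192.0.2.5": "foreign"}
# Constructed log lines from an intermediate system; not taken from the NERC report.
SAMPLE_LOG = """\
2024-05-02T03:10:01 FAIL user=opsadmin src=203.0.113.10
2024-05-02T03:10:09 FAIL user=opsadmin src=203.0.113.10
2024-05-02T03:14:30 FAIL user=opsadmin src=198.51.100.7
2024-05-02T03:20:00 OK user=jsmith src=203.0.113.10
2024-05-02T04:00:01 FAIL user=jsmith src=192.0.2.5
2024-05-02T04:00:02 FAIL user=rjones src=192.0.2.5
2024-05-02T04:00:03 FAIL user=svc_backup src=192.0.2.5
2024-05-02T04:00:04 FAIL user=jsmith src=192.0.2.5
"""
def parse_failures(log_text):
    """Return failed logins as time-sorted (timestamp, user, src) tuples; other lines are skipped."""
    fails = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "FAIL":
            user, src = parts[2].split("=", 1)[1], parts[3].split("=", 1)[1]
            fails.append((datetime.fromisoformat(parts[0]), user, src))
    return sorted(fails)

def windows(fails, key_index, value_index, window):
    """Group time-sorted failures by one field and yield every (key, values-within-window) slice."""
    grouped = defaultdict(list)
    for ev in fails:
        grouped[ev[key_index]].append(ev)
    for key, evs in grouped.items():
        for i, start in enumerate(evs):
            yield key, [e[value_index] for e in evs[i:] if e[0] - start[0] <= window]

def multi_region_users(fails, window=timedelta(hours=1)):
    """Report A pattern: one username failing from more than one region inside the window."""
    hits = {}
    for user, srcs in windows(fails, 1, 2, window):
        regions = {REGION.get(s, "unknown") for s in srcs}
        if len(regions) > 1 and user not in hits:
            hits[user] = regions
    return hits

def brute_force_sources(fails, threshold=4, window=timedelta(minutes=10)):
    """Report B pattern: one source reaching `threshold` failures against any usernames in the window."""
    hits = {}
    for src, users in windows(fails, 2, 1, window):
        if len(users) >= threshold:
            hits[src] = max(hits.get(src, 0), len(users))
    return hits
```

Tune `threshold` to sit just below the account lockout policy so the alert fires before legitimate users are locked out.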
Key Observations from RMC
From a mission assurance standpoint, a few patterns stand out:
- Foreign IPs continue to surface.
Entities should evaluate geo-blocking or fencing as part of a layered defense strategy.
- Brute force tactics persist.
These aren’t just noise – they can disrupt access for critical personnel, introducing operational risks.
- Intermediate systems remain vulnerable.
These often-overlooked components are increasingly the focal point for initial access attempts.
- Timing matters.
Between 2021 and 2024, most incidents occurred in Q2 and Q3 – when grid demand and staffing fatigue are at their peak. Cyber attackers know when to strike.
Final Thoughts
It’s encouraging that no incident in the report resulted in an actual breach. But the absence of disruption should not be confused with the absence of risk.
What the report doesn’t tell us is just as important. Are entities dismissing early-stage reconnaissance? Are they consistently aligned across jurisdictions? And how much of the real threat landscape goes unreported because the definition of “attempted compromise” remains subjective?
At RMC, we believe in preparing for more than compliance checkboxes. That means understanding the full spectrum of risk – even when a report says “no impact.”