July 28, 2025

Why won’t NERC identify control system incidents as being cyber-related?

Joe Weiss criticizes the North American Electric Reliability Corporation (NERC) for failing to classify certain operational failures in the electric sector as cyber incidents. He discusses two recent cases: one involving a communication breakdown between control centers, and another where a GPS clock misconfiguration disrupted SCADA and EMS systems. Although these incidents had clear impacts on system availability and could potentially be exploited by malicious actors, NERC treated them as technical or operational issues, excluding them from cybersecurity reporting.

Weiss argues that this approach fosters a dangerous complacency by underestimating the cyber risks to critical infrastructure. He stresses that any event affecting the confidentiality, integrity, or availability of control systems—whether caused by error, failure, or attack—should be recognized within a cybersecurity framework. Failing to do so prevents organizations from properly responding to and learning from these incidents, ultimately weakening the resilience of the power grid.

Source: http://scadamag.infracritical.com/index.php/2025/07/14/why-wont-nerc-identify-control-system-incidents-as-being-cyber-related/
