What NERC’s 2025 RISC Report Means for Grid Cyber Risk — and How CRQ + QVM Help

NERC’s Reliability Issues Steering Committee (RISC) approved the 2025 ERO Reliability Risk Priorities Report on July 22, 2025 (accepted by the Board on August 14, 2025). 

Among the top risks validated by the stakeholder survey: grid transformation, cyber security vulnerabilities, resource adequacy, energy policy, and resilience to extreme events; closely followed by critical infrastructure interdependencies, large loads (e.g., data centers), and supply chain capacity.

Two threads run through the report: (1) the grid’s growing reliance on telecommunications networks for real-time monitoring, control, and restoration, and (2) the expansion of new large loads (data centers/AI) that change demand patterns and risk.   

The report also notes that rising system complexity increases cyber and physical security challenges and makes the grid a more attractive target for adversaries. 

What the RISC findings mean for security leaders

• Cyber isn’t siloed: OT, IT, data centers/large loads, and DER/aggregators all figure into the cyber risk picture. 
• Communications are critical infrastructure: Disruptions or compromises can directly hamper situational awareness and BPS operation. 
• Extreme events amplify cyber risk: Converging cyber/physical impacts and cross-sector interdependencies stress reliability. 

Where DeRISK CRQ + DeRISK QVM help

DeRISK CRQ (Cyber Risk Quantification) translates technical exposure into financial impact (e.g., expected loss/VaR), making it clear which risks most threaten reliability, revenue, and safety. That unlocks credible budget asks, scenario modeling (“what if we segment here vs. patch there?”), and governance aligned to business goals.

DeRISK QVM (Quantified Vulnerability Management) applies risk-based vulnerability management to OT/IT: combining exploit likelihood (e.g., EPSS, threat intel), asset criticality, exposure/attack paths, and modeled business impact to prioritize the next best action—patch, segment, tighten access, or monitor—within tight maintenance windows.

See how DeNexus DeRISK CRQ + DeRISK QVM operationalize these steps across OT and large-load environments. Request a demo and get a tailored risk-reduction plan for your Power Plant, Transmission or Distribution systems.

How this maps to the report’s priorities:

• Large loads / data centers: Quantify outage cost by site/process; prioritize controls that protect high-impact loads first.
• Communications interdependencies: Model loss from comms downtime; harden network paths and device configs with the greatest reliability impact.
• OT/IT/DER exposure: Tie vulnerabilities to process criticality and reachable attack paths; remediate top-risk items before lower-impact CVEs.
• Extreme-event preparedness: Use DeRISK CRQ scenarios to stress-test mitigation plans and quantify residual risk when patching must wait.

A practical playbook you can run this quarter

1. Build the data spine: Normalize OT/IT asset inventories; map assets to processes/lines and critical loads (e.g., data centers).
2. Risk-enrich CVEs: Blend EPSS + threat intel with network reachability and control gaps to estimate exploit probability.
3. Quantify impact: Model downtime, SLAs, and safety/revenue implications to assign a dollar value to each exposure.
4. Prioritize actions: Patch or mitigate the highest expected loss items first; use segmentation and allowlists when patching is constrained.
5. Track risk reduction: Report risk-reduction deltas ($), high-risk exposure closed, and “risk removed without patch” to demonstrate ROI.

Results to aim for

• Faster time-to-decision: From detection to scheduled change, driven by modeled business impact.
• More risk removed per window: Focused remediation that actually moves the risk needle.
• Better board communication: DeRISK CRQ expresses cyber in the same language as reliability and finance.

Request a demo and get a tailored risk-reduction plan for your footprint.