Texas RE Speaker Emphasizes Human Role in Security

Texas RE's manager of CIP compliance monitoring said humans remain the most important factor in a utility's cybersecurity approach.

Devin Ferris, the Texas Reliability Entity’s manager of critical infrastructure protection compliance monitoring, did not mince words in his briefing on cyber readiness at the regional entity’s Spring Standards, Security and Reliability Workshop on April 23.

“It’s important to understand what we’re up against. The threat landscape is changing; the speed at which it is changing, the volume, the sophistication of those threats, is ever-increasing,” Ferris said. “Attackers are using [generative artificial intelligence], and that’s changing the game on certain things. These attackers are able to gain initial access quickly, weaponize whatever they’re doing, exploit it, and be out of there and cover their tracks.”

Despite his invocation of AI and other new technologies, Ferris emphasized that one of the biggest risks entities face is an old one: human error. But, he continued, this danger also represents an opportunity.

“You hear a lot in the security world [that] people are the weakest link in security,” Ferris said. “That could be true, but I truly believe if you shift your mindset on that, you could turn it on its head. You can create a culture of security, and they are going to be the strongest link in that.”

The theme of Ferris’ presentation was the risks posed by low-impact grid cyber systems, which NERC defines as systems not considered a significant risk to grid security. He told attendees that while some might assume these systems are low priority, Texas RE and the ERO in general have devoted considerable attention to them in recent years because “there’s a lot of growth in that space,” particularly with the rapid spread of internet-connected inverter-based resources “that are more than likely going to be low-impact.”

In his presentation, Ferris aimed to help utilities prepare for compliance audits of CIP-003-8 (Cybersecurity – security management controls). The standard requires entities to have “consistent and sustainable security management controls that establish responsibility and accountability to protect [high-, medium- and low-impact] cyber systems against compromise that could lead to misoperation or instability in the” grid.

Rather than give the bulk of his time to compliance, Ferris said he wanted listeners to think more about risks, saying that “if you mitigate these risks, you can effectively still … achieve compliance. It’s going to be a byproduct of that.”

For example, he noted that CIP-003-8 requires entities to permit only “necessary” inbound and outbound electronic access. With many new IBR facilities relying on remote connections, this requirement creates a challenge for utility staff.

“One of the risks that you have is if you haven’t identified what’s necessary, and you’re proactively looking to see if access is still needed on a periodic basis, you may not be able to address it, and so the compliance and risk overlap,” Ferris said. “And when you do these reviews, if you’re documenting what the justification … or your business need is, it’s going to help you make sure that only necessary rules are in place and that you still need them as access changes and you implement new technologies, or there’s different threats you’re trying to mitigate.”
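The periodic access review Ferris describes can be made routine rather than ad hoc. The following is an added illustration, not code from Texas RE or from the workshop, of how a utility might check an inventory of electronic access rules for the two things he names: a documented business need for each rule, and a recent review confirming the rule is still needed. The rule fields, the one-year review interval and the sample rules are all constructed for the example; a real inventory would come from the entity's firewall or access-control documentation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical rule record; real inventories will have different fields.
@dataclass
class AccessRule:
    rule_id: str
    direction: str        # "inbound" or "outbound"
    source: str           # "any" means no source restriction
    destination: str
    port: int
    justification: str    # documented business need, "" if none recorded
    last_reviewed: date   # date the rule was last confirmed as still necessary

# Assumed review cadence; CIP-003-8 itself does not fix a number of days.
REVIEW_INTERVAL = timedelta(days=365)


def review_rules(rules, today, interval=REVIEW_INTERVAL):
    """Return {rule_id: [reasons]} for rules that need attention.

    A rule is flagged when it has no documented justification, when its
    last review is older than the interval, or when it is an inbound rule
    open to any source (a sign that 'necessary' was never actually defined).
    Rules with no findings are omitted from the result.
    """
    findings = {}
    for r in rules:
        reasons = []
        if not r.justification.strip():
            reasons.append("no documented business need")
        if today - r.last_reviewed > interval:
            reasons.append("review overdue")
        if r.direction == "inbound" and r.source.lower() == "any":
            reasons.append("inbound rule allows any source")
        if reasons:
            findings[r.rule_id] = reasons
    return findings


# Constructed sample inventory for a low-impact site with an inverter controller.
SAMPLE_RULES = [
    AccessRule("R1", "inbound", "vendor-vpn-gw", "inverter-ctrl-01", 443,
               "vendor remote support under contract; reviewed quarterly",
               date(2024, 1, 25)),
    AccessRule("R2", "inbound", "any", "inverter-ctrl-01", 22,
               "", date(2023, 3, 1)),
    AccessRule("R3", "outbound", "inverter-ctrl-01", "ntp.internal", 123,
               "time synchronisation for event logging", date(2023, 2, 1)),
]

# Constructed review date used for the sample run.
REVIEW_DATE = date(2024, 4, 23)


if __name__ == "__main__":
    for rule_id, reasons in review_rules(SAMPLE_RULES, REVIEW_DATE).items():
        print(f"{rule_id}: {'; '.join(reasons)}")
```

Run against the sample, R1 produces no findings, R2 is flagged on all three counts, and R3 is flagged only because its annual review is overdue. The output is a work list for the people doing the review, which is the point Ferris makes: the documentation of why each rule exists is what lets staff decide whether it is still necessary as access needs and technologies change.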

He then returned to the theme of human error, noting that phishing and social engineering frequently are used by attackers to gain a foothold in a target system. Without knowledgeable, educated staff, he warned, utilities remain vulnerable to such attacks, especially with their systems increasingly dependent on remote connections.

Ferris said that multifactor authentication (MFA) can be an effective way to mitigate the phishing and social engineering risks, but he urged listeners to remember that “some are better than others.” An MFA approach that uses a hardware key may be more effective than one that depends on text messages or an app.

Human attention remains the most important factor, Ferris said, as much for physical security as for cybersecurity. Whether it involves periodic checks of cyber access permissions or walk-downs of fences and other physical infrastructure, utilities must maintain awareness of who is allowed into their systems and why.

“The key to all of this, to remain compliant and be reliable and address those risks, is, are you controlling the access? Because that’s what the standard says you have to be able to control,” Ferris said.
