Why NERC CIP Alone Cannot Address Cyber-Enabled Market Integrity Risks in RTO/ISOs

Years of RTO governance make one thing clear: electricity markets can no longer assume that no participant holds a structural information advantage. Financial markets address information asymmetry with far more disclosure and surveillance than power markets, which have not yet incorporated analogous cyber-risk constructs. That gap is growing, and the consequences could extend well beyond reliability. The emerging risk is not just cyberattacks, but cyber-informed market advantage.

The Assumption Markets Are Built On

Every wholesale electricity market rests on a foundational premise: that participants have broadly comparable access to price-relevant information. Locational marginal pricing, forward capacity markets, and ancillary service auctions are all mechanisms that function fairly only when no participant holds a structural informational advantage over others. Cybersecurity risk, amplified by AI, is eroding that premise.

The concern isn't simply that a cyberattack could cause an outage and spike prices. That risk is real, but it is visible, it is modeled, it is increasingly managed, and it is increasingly contemplated in reliability frameworks. The subtler and more consequential risk is asymmetric awareness of vulnerabilities, remediation status, or disruption probability.

If an adversary gains superior awareness, it could distort market expectations, create asymmetric positioning advantages, or undermine confidence. Electricity markets were never designed to price asymmetric knowledge of latent operational fragility in the grid, and existing regulatory frameworks were never designed to address it.

What NERC CIP Does Well (and Where It Stops)

Let's be precise here, because this is not a critique of NERC CIP. It is an effective framework. It has materially improved baseline security governance across the bulk electric system. It protects critical assets, establishes accountability, and sets enforceable standards for operational technology environments.

But NERC CIP was designed to address reliability, not market integrity. Those are related objectives, but they are not the same, and the distinction matters enormously.

NERC CIP does not create system-wide, participant-level cyber posture visibility. It does not generate the kind of structured, comparative cyber-risk disclosures that would allow market operators or independent market monitors to detect asymmetric information conditions. And it was never designed to identify or deter financially motivated, cyber-enabled market distortions.

That's not a flaw. It's a scope boundary. The flaw would be assuming that reliability-focused standards are sufficient to address a market-integrity problem they were never built to solve.

The "Cyber-Informed Positioning" Problem

Here's the structural risk pathway that deserves attention. This is not a “hack-and-crash” problem. It’s a “know-before-the-market-knows” problem. Call it "hack-and-short" if you want a memorable shorthand, though that framing can sound sensational, and precision matters more than drama here. The cleaner concept is cyber-informed positioning: a condition in which actors with superior awareness of grid cyber-risk may anticipate disruptions and position financially to benefit from resulting price movements, congestion effects, or scarcity signals.

No active exploitation required. No direct causation necessary. The advantage is informational—awareness of what is fragile, when it might fail, and what the market impact could be. What happens when one market participant knows something others don’t, and that “something” is system fragility?

In a financialized electricity market with active forward, futures, and derivatives participation, even probabilistic or partial knowledge of operational conditions can translate into material positioning advantage. Traditional market surveillance is not calibrated to detect this. It monitors trading behavior against operational outcomes. It does not have visibility into the cyber-risk layer that sits between them.

To be clear: this analysis does not assert financial motives for any specific threat actor. It describes a structural risk pathway that exists independent of intent.

The Economic Dimension of Cyber-Informed Asymmetry

The concept of cyber-informed positioning is often discussed abstractly; the following scenarios illustrate the implications based on publicly observable electricity market dynamics, including known price volatility ranges, congestion behavior, and financial market structures.

These illustrative ranges demonstrate a key point: even modest informational asymmetries can scale into material financial outcomes in highly interconnected and financially active electricity markets due to the sensitivity of LMP-based pricing and congestion dynamics. AI is accelerating the discovery and analysis of vulnerabilities, increasing the potential for cyber-informed market asymmetries (the conditions I refer to as “Hack & Short” risk). Advances in quantum computing could further amplify these dynamics over time.

Why Volt Typhoon Changed the Calculus

Public reporting on activity attributed to Volt Typhoon has shifted how we think about persistence in critical infrastructure: not because it was the first nation-state intrusion, but because of what it demonstrated about long-duration access.

The documented pattern is not smash-and-grab. It is long-duration, low-signature access within operational technology environments. Persistent presence of that nature could, in theory, generate asymmetric knowledge about the timing, likelihood, and operational implications of potential disruptions before those disruptions are visible to markets, operators, or regulators.

In a highly financialized electricity market, that kind of knowledge asymmetry is not merely a reliability concern. It is a potential market-integrity concern of the first order.

Again: this is not a claim about what Volt Typhoon did or intended. It is a recognition of what persistent OT access makes structurally possible, and of what market design has not yet accounted for.

Why the Risk Window Is Widening, Not Narrowing

Several converging trends are compressing timelines and amplifying the market implications of cyber-risk asymmetry:

AI-assisted vulnerability discovery is accelerating the pace at which sophisticated actors can identify and characterize operational weaknesses: faster than patch cycles, and faster than regulatory disclosure timelines.

Electrification and data center growth are tightening reserve margins in ways that make localized disruptions more consequential for price formation. A grid operating closer to its limits is one where informational advantages about fragility translate more directly into market outcomes.

OT technology and product security gaps remain widespread across the energy sector. Legacy systems, firmware with undisclosed vulnerabilities, and inconsistent software bill of materials (SBOM) practices create an attack surface that is difficult to fully characterize even for operators themselves (let alone market monitors).

Nation-state persistence at the Volt Typhoon scale suggests this is not a transient threat to be managed episodically. It is a structural condition that market governance frameworks need to internalize.

Together, these trends do not merely elevate cyber risk in a reliability sense. They create the conditions for durable, hard-to-detect informational asymmetries that market design is not yet equipped to manage.

What a More Complete Response Would Look Like

This is where the conversation should focus: not on alarm, but on design evolution. A more complete response would be organized around four areas:

1. Visibility and Disclosure. RTO/ISOs and regulators need access to standardized, confidential cyber posture indicators at the participant and system level. Not to publish them, but to establish baselines, detect anomalies, and identify conditions of heightened asymmetry. Structured confidential cyber-risk disclosures, analogous in spirit to material risk disclosures in securities markets, deserve serious examination.

2. Market Surveillance. Independent Market Monitors (IMMs) need cross-domain analytical capability: the ability to correlate operational signals, market positioning data, and cyber-risk indicators in ways that current surveillance architectures do not support. Cyber-informed anomaly detection is not a luxury feature. It is a logical extension of the IMM mandate in a world where the grid's cyber layer is increasingly market-relevant.

3. Governance. Board-level cyber expertise at utilities and market operators is no longer optional. The individuals setting governance posture need to understand that cybersecurity is not only an operational risk. It is a market-integrity risk with financial and regulatory dimensions. Clear, non-duplicative roles for independent cyber monitoring, complementing existing IMM functions, should be defined.

4. Technical Controls. Secure firmware provenance, SBOM governance, and coordinated telemetry with privacy-preserving aggregation are the unglamorous foundations that make everything else possible. AI-assisted defensive analytics can help close the gap between the speed of adversarial capability development and the pace of defensive response.
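To make the market-surveillance item (2) concrete, here is an added example of the kind of cross-domain check an IMM could run. It is illustrative code written for this article, not code from any RTO/ISO, IMM, or the author. It assumes three constructed inputs that the surveillance architecture would have to be able to join: a per-node cyber-risk indicator (a stand-in for the confidential posture disclosures discussed in item 1, on a hypothetical 0-to-1 scale), participants' net forward positions by node and day, and a log of operational disruptions with the direction of the resulting price move. The thresholds (lookback window, baseline length, z-score cutoff, risk cutoff) are placeholders chosen for the toy data.

```python
"""Toy cyber-informed surveillance check (illustrative, constructed data).

Flags a participant when, shortly before a disruption at a node whose
cyber-risk indicator is elevated, its net position at that node shifted
(a) far outside its own historical behaviour and (b) in the direction
that profits from the disruption's price move.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Position:
    day: int
    participant: str
    node: str
    net_mw: float  # net forward position at the node; positive = long, gains if price rises


@dataclass(frozen=True)
class Disruption:
    day: int
    node: str
    price_direction: int  # +1 if the event raised LMP at the node, -1 if it depressed it


# Constructed per-node cyber-risk indicators (0 = low, 1 = high): stand-ins for
# the confidential posture disclosures an IMM would receive under item 1.
CYBER_RISK = {"NODE_A": 0.82, "NODE_B": 0.15}


def build_series(positions):
    """Index positions as (participant, node) -> {day: net_mw}."""
    series = defaultdict(dict)
    for p in positions:
        series[(p.participant, p.node)][p.day] = p.net_mw
    return series


def position_on(day_map, day):
    """Carry the last reported position forward; 0.0 before any report."""
    known = [d for d in day_map if d <= day]
    return day_map[max(known)] if known else 0.0


def window_shift(day_map, end_day, lookback):
    """Change in position over the `lookback` days ending at end_day."""
    return position_on(day_map, end_day) - position_on(day_map, end_day - lookback)


def score_disruption(series, disruption, lookback=5, baseline=20,
                     z_threshold=3.0, risk_threshold=0.6):
    """Return flags for this disruption. The cyber-risk gate scopes the check to
    nodes where an informational asymmetry is plausible; the z-score compares
    the pre-event shift with the participant's own (overlapping) baseline
    windows, so a participant is measured against its own habits."""
    flags = []
    if CYBER_RISK.get(disruption.node, 0.0) < risk_threshold:
        return flags
    pre_day = disruption.day - 1        # last day before the event was observable
    base_end = pre_day - lookback       # baseline windows end before the suspect window
    for (participant, node), day_map in series.items():
        if node != disruption.node:
            continue
        base = [window_shift(day_map, d, lookback)
                for d in range(base_end - baseline + 1, base_end + 1)]
        mu, sigma = mean(base), pstdev(base)
        shift = window_shift(day_map, pre_day, lookback)
        if sigma == 0.0:                # perfectly steady history: any move is anomalous
            z = float("inf") if shift != mu else 0.0
        else:
            z = (shift - mu) / sigma
        aligned = shift * disruption.price_direction > 0
        if z >= z_threshold and aligned:
            flags.append({"participant": participant, "node": node,
                          "disruption_day": disruption.day,
                          "shift_mw": shift, "z": z})
    return flags


def run_surveillance(positions, disruptions):
    series = build_series(positions)
    return [f for d in disruptions for f in score_disruption(series, d)]


# Constructed sample: P1 trades a small, jittery long at NODE_A for weeks, then goes
# 60 MW long two days before a price-spiking disruption (flagged). P2 never moves.
# P3 goes heavily short before the spike, i.e. against the move (not flagged).
# P1 makes the same jump at NODE_B, but that node's risk indicator is low (gated out).
SAMPLE_POSITIONS = (
    [Position(d, "P1", "NODE_A", 10 + d % 3) for d in range(28)]
    + [Position(28, "P1", "NODE_A", 60.0),
       Position(0, "P2", "NODE_A", 20.0),
       Position(0, "P3", "NODE_A", 5.0), Position(28, "P3", "NODE_A", -40.0),
       Position(0, "P1", "NODE_B", 10.0), Position(28, "P1", "NODE_B", 60.0)]
)
SAMPLE_DISRUPTIONS = [Disruption(30, "NODE_A", +1), Disruption(30, "NODE_B", +1)]

if __name__ == "__main__":
    for flag in run_surveillance(SAMPLE_POSITIONS, SAMPLE_DISRUPTIONS):
        print(flag)
```

The point of the gate is not that low-risk nodes are safe; it is that a surveillance check without the cyber-risk layer cannot distinguish an informed position from an ordinary one, which is exactly the visibility gap the article describes. A real implementation would replace the constant indicator with the time-varying disclosure feed, use a proper baseline model instead of overlapping windows, and route flags to analyst review rather than treating them as findings.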

The goal is not perfect information symmetry (which is unachievable). The goal is reducing cyber-enabled asymmetry to a level consistent with nondiscriminatory market functioning.

A Governance and Design Evolution, Not a Crisis Declaration

This is not a claim that electricity markets are failing today. Participants are operating in good faith within well-designed frameworks. IMMs are doing their jobs. NERC CIP is doing its job.

The argument is narrower and more specific: market design is lagging emerging risk realities. The cyber-information layer has become material to price formation in ways that existing governance structures do not yet address. Closing that gap is a design evolution that is necessary, achievable, and overdue.

The financial markets precedent is instructive. Insider trading and market manipulation frameworks did not emerge because markets were broken. They emerged because regulators recognized that informational asymmetries of certain kinds are fundamentally incompatible with fair market functioning—and built governance structures accordingly.

Electricity markets aren’t broken. They simply weren’t designed for this kind of asymmetry. Financial markets evolved once the problem became clear. Electricity markets haven’t – yet. The question isn’t whether cyber risk exists. It’s whether markets can remain fair when awareness of that risk is uneven. That is the analogous inflection point we’ve entered. The question is whether governance evolves proactively, or whether it waits for an incident that makes the structural gap impossible to ignore.

What do you think?

Is the energy sector moving fast enough on cyber-informed market surveillance? Are IMMs equipped for this? I'd welcome perspectives from market participants, regulators, and security practitioners.

#EnergySecurity #CriticalInfrastructure #ElectricityMarkets #CyberRisk #NERCCIP #MarketIntegrity #GridSecurity #OTSecurity #VoltTyphoon #EnergyPolicy

Dr. Jeanine Johnson is co-founder of Immutaverse. She also serves on various boards and consults. The views expressed in this article are solely those of the author and do not represent those of any board, organization, or client. The analysis reflects the author’s independent research and long-standing interest in the intersection of cybersecurity, engineering systems, and critical infrastructure reliability. All information presented draws on publicly available industry sources and does not rely on any non-public or proprietary information from her board service or client engagements. The views expressed here are analytical and forward-looking. They do not reflect the confidential operational details or internal assessments of any specific market operator.
