Rapid Mobile GIS Deployment for Gas Leaks and Inspections

Hope Gas (Hope) provides gas services to approximately 125,000 residential, industrial, and commercial customers in 35 West Virginia counties. As part of an acquisition, Hope transitioned its legacy geographic information system (GIS) to the latest Esri technology and ArcGIS Utility Network data model. Hope also needed an Esri solution to support field operations.  

A map with blue and orange lines on a white background with information boxes on the left and right

Screenshot depicts selecting a leak class to place.

Challenge

To improve customer service and further promote safety, Hope required the implementation of a new mobile solution for documenting gas leaks and performing asset inspections that could run on Windows field laptops. The deployed app had a very tight timeline and needed to be implemented and deployed to the 150-person field crew within three months, including time for training and testing.

A map interface displays streets and buildings, with colored markers and lines indicating gas lines and potential leaks

Screenshot depicts entering attributes for a leak.

Solution

Hope partnered with RAMTeCH on this project, which involved developing a GIS mobile application for viewing and collecting data using the ArcGIS Maps SDK for .NET. The app uses the Windows Presentation Foundation (WPF .NET) UI framework and was deployed on Hope’s Windows 11 field machines. One crucial aspect was the ability to operate offline so Hope’s crews could collect data without interruption in areas where there isn’t cellular connectivity.

Hope leveraged RAMTeCH’s Esri-based gMobileTM solution to deploy the mobile application. The app uses the ArcGIS Field Maps configuration, including Arcade expressions, allowing users to configure forms in ArcGIS Enterprise. By providing an underlying application platform, gMobileTM allows the rapid deployment of mobile applications, which includes common GIS functionalities along with specific workflows to meet unique client requirements.

This process allowed Hope staff to meet the compressed timeline to provide an app that allows users to perform mission-critical field tasks. The solution development and configuration work began in October 2023, with a round of field testing and training in December 2023. The production application was deployed on January 1, 2024.

A map displays streets, colored lines, and points of interest

Screenshot depicts attributes completed.

Results

The gMobile™ solution was able to support the deployment of a built-to-purpose native Windows solution in a compressed timeline. Hope avoided unnecessary spend on mobile app software licensing by using a solution which utilized core Esri licensing. The gMobile™ solution supported rapid development, maintainability, and scalability while increasing Hope’s ROI. The proven methodology was designed to identify key business needs and align them with Esri’s software capabilities for business-focused deployments for Hope’s field staff. The application is designed to operate offline allowing field crews to collect data uninterrupted in areas without cellular connectivity. The solution provides continuous background data synchronization, keeping Hope’s field crews up-to-date in near real-time.

Map with blue buttons and lines on green and yellow streets, and a text box reads Gas Leak open over Broadway and Nutter

Screenshot depicts leak placement completed.

Originally posted here.

G

Your Grid has more data than ever

This post is about the most expensive mistake the energy industry has made in the last 20 years and why it is now the single biggest obstacle to the AI-native grid:

We built silos. When we should have built systems.

Let’s get into it.

Your Grid has more Data than ever

Your grid has more data than ever. But your operators are more blind than ever. How is that possible?

In the last decade, utilities have invested heavily in digitalisation. Smart meters by the million. IoT sensors across every asset. SCADA upgrades. Cloud migrations. Data lake projects. Advanced analytics platforms.

And yet I still sit across the table from grid operators who cannot answer basic questions in real time.

  • “Where is the fault right now?”

  • “How much available capacity do I have in the next 15 minutes?”

  • “What happens to network stability if I bring this renewable asset online?”

The data to answer those questions exists. It is being generated, somewhere in the system, right now. The problem is that it is trapped.

Trapped in SCADA. In the EMS. In the OMS. In the DERMS. In the market systems. In the AMI platform. In the asset management database. Each system a world unto itself, with its own data model, its own naming conventions, its own timestamp format, its own definition of what a “fault” or an “asset” or a “reading” actually means.

We didn’t build a digital grid. We built a digital archipelago.

Islands of data, separated by water, with no bridges between them.

And here is the irony that keeps me up at night: We are now trying to build AI on top of this archipelago.

We are pointing machine learning models at fragmented, inconsistent, latency-riddled operational data and expecting them to produce reliable, actionable grid intelligence. And when the outputs are wrong, or worse, when they are confidently wrong: we blame the AI.

The AI is not the problem. The data architecture is the problem. And it was a choice. Not an accident.

Every silo in your operational technology landscape was created deliberately. A vendor sold you a best-in-class solution for one specific problem. It solved that problem. It did not solve the problem of how its data would talk to the system you bought three years earlier from a different vendor with a different data model and a different integration philosophy.

Nobody owned the data layer. So nobody built it.

The result is what we have today: utilities managing the most complex distributed energy systems in history using a patchwork of disconnected tools that, in aggregate, produce more noise than signal.

This is not a technology problem. It is an architecture decision that was deferred for 20 years. And the bill is now due.

The good news is that the path forward is clear.

Not another application. Not another dashboard. Not another AI pilot running on the same broken foundation.

A data fabric. A unified semantic layer across the IT-OT boundary that gives every system, every operator, and every AI model access to the same trusted, contextualised, real-time view of the grid.

One source of truth. Not because we moved everything into one database. No, that ship has sailed. But because we built the layer that connects and contextualises what already exists.

The companies building that layer today are not just solving a technical problem. They are building the foundation that the AI-native grid runs on. Everything else is built on sand.

This post was adapted from my articles series about The AI-Native Grid or Agentic Grid. If you'd like deeper analysis on AI, data platforms, and the future of electric utilities, you can dive deeper on Substack.

G

GIS Is Not Just Another Dataset. Most Integration Strategies Treat It Like One.

A utility can invest years modernizing its enterprise systems and still be flying blind operationally. The culprit is usually the same: an integration layer between GIS and everything else that was never built for how spatial data actually works. 

Traditional enterprise integration was designed for business records. Work orders, customer accounts, asset registers. It moves structured, predictable data between systems on a schedule. That approach works reasonably well until GIS enters the equation. 

Spatial data is different in kind, not just degree. 

Every GIS feature carries geometry, network connectivity, and geographic relationships that directly affect field operations. A transformer or water valve isn't a row in a table. It exists within a physical network, and that network has to stay accurate across every system that touches it, in near real time, at scale. 

When it doesn't, the consequences aren't theoretical: 

  • Field crews stop trusting the operational map 

  • Asset records drift from physical reality 

  • Manual verification quietly replaces the automated workflows organizations paid to build 

One organization we've worked with discovered that missing synchronization identifiers had generated hundreds of thousands of duplicate service connections during testing. They eventually abandoned automated synchronization altogether and reverted to manual processes. That's not a technical failure. That's an organizational one. 

What makes this harder: spatial integrations don't fail all at once. They drift. 

An ERP upgrade introduces a revised API. A workflow shifts. And data that was flowing cleanly stops doing so, without triggering any alarm. By the time someone notices, operational trust has already eroded. Rebuilding it takes far longer than fixing the integration. 

Keeping those connections stable as enterprise environments evolve requires expertise on both sides of the equation, geospatial and enterprise systems. That combination is rarer than most organizations expect, and the gap tends to show up at the worst possible moment. 

GIS is now central to digital twin programs, predictive maintenance, mobile workforce operations, and real-time network monitoring. It's not a mapping department tool. It's the operational layer connecting enterprise systems to the physical world. 

That layer deserves an integration strategy built for what it actually is. 

Modernization efforts don't stall because organizations lack ambition. They stall because the infrastructure connecting systems wasn't designed to last. Getting that foundation right isn't a technical detail. It's a strategic one. 

For CEOs leading modernization efforts, these are the questions that keep surfacing in my conversations with other executives: 

  • Did we build an integration layer that understands network topology, or are we treating spatial features as generic records? 

  • Is critical geospatial and enterprise systems expertise concentrated in one or two people on our team? What happens to our operations if that knowledge walks out the door? 

  • Do we have a clear way of knowing when spatial data synchronization starts to drift, or are we relying on our teams noticing after trust has already been lost? 

  • When we upgrade ERP, GIS, or other enterprise platforms, do we have a repeatable process to validate that our integrations still hold? 

  • Do our field crews trust the operational map, or have they quietly reverted to manual processes? 

David Miller

I think you could apply those questions to almost any integration, not just geospatial. And I do agree that GIS can be higher profile as maps are how many utility workers know what's what and what's where for their company. But GIS data ultimately is still data and it should be accessible/shareable/integrate-able as anything else.

Anytime an integration is designed, it should definitely factor in:

  • How is it quality controlled? Manually? Automatically? Regular true ups?

  • How often does the data need to move? What happens if we miss a data push, both technically and operationally? Can we survive a short disruption? If not, what should the SLA be and how should notifications be established to start that SLA clock ticking?

  • Does the integration NEED to know the topology or just the asset records? What are the actual functional business requirements and are they all feasible?

This is a good article to highlight that the tech evolutions we are seeing are not just siloed events. They typically tip over a set of dominos that a lot of executives have no idea are actually daisy chained together.

G

Everything you always wanted to know about CVE, but were afraid to ask

Given how important CVEs are for cybersecurity, it’s at first surprising how few people, outside of those who make their living in vulnerability management or remediation, have a good understanding of where and how CVE records are created and managed. My guess is this is because most users of CVEs think of them as just something that’s part of the landscape, like roads: We don’t have to think about who made them and how they did it; we just use them. But as we all learned in April 2025, we can’t take CVEs for granted.

Not more than a few years ago, I was like most people who utilize CVE information all the time: I had no more idea of where CVEs came from than if the Vulnerability Fairy created CVE records. There’s no “CVE for Dummies™” book that puts everything you need to know in a few pages, so I’ve pieced together what I know about CVE over the past few years from a variety of sources.

Since I write about vulnerabilities regularly in my blog but I always feel bad when I use terms that I’m sure people don’t understand well (e.g., CVE, CNA, CPE, PURL, NVD), I’m writing this post to serve as an “anchor” for future posts. Because the world of CVE is always changing, I will try to keep this post up to date with new developments.

Where do vulnerabilities come from, Daddy?

You probably know that a CVE number (e.g., CVE-2026-12345) designates a vulnerability, which is why it is called a “vulnerability identifier” (CVE stands for “Common Vulnerabilities and Exposures”). There are many vulnerability identifiers, such as GitHub Security Advisories (GHSA), but CVE is by far the most widely used vulnerability identifier worldwide. Where do CVE’s come from?

Here’s a short quiz: Who do you think reports the overwhelming majority of software vulnerabilities in commercial software: A) independent researchers (good guys), B) evil hackers (bad guys), or C) the developer of the software? If you said “C”, you’re correct! As far as commercial software is concerned, vulnerabilities are usually identified and reported by the developer of the software; moreover, a small number of the largest developers report the great majority of new vulnerabilities.[i]

Far from hiding vulnerabilities, developers are taking the lead in rooting them out and exposing them to the light of day. Of course, this isn’t to say there aren’t developers who try to hide vulnerabilities. But I suspect that any developer who does that today is setting themselves up for failure, not success. I say this because, if the developer’s software is hacked and they get sued by a bunch of unhappy customers - and if the plaintiffs learn that the developer almost never (or literally never) reports vulnerabilities they find in their software - the developer might not be happy with the outcome of their court case. That is, if they’re even still in business afterwards.

Before I go further, you may wonder whether developers are stupid, since they’re usually still identifying new vulnerabilities in their products long after they develop them. Wouldn’t the world be a better place if the developers just followed secure software development practices to begin with? That way, their software will be vulnerability-free from the start, right? Is it hard to do that?

In fact, developing vulnerability-free software is not only hard, but it’s literally impossible. That’s because even though most developers do their best to identify and fix vulnerabilities they identify in their code before they ship their product (if for no other reason than because they know that a lot of their customers will scan the product for vulnerabilities before starting to use it), a determined individual - usually a member of either Group A or Group B - could fairly easily find multiple vulnerabilities that were unknown when the code was originally written. Thus, no software is ever truly “vulnerability free”. Anyone who tells you otherwise is wrong.

New vulnerabilities are discovered all the time, and they’re discovered in code that was previously thought to be completely benign. In other words, lots of pairs of experienced eyes previously looked at a piece of code and saw nothing wrong with it. But one day, some intrepid soul realized these seemingly innocuous lines of code were in fact a vulnerability that needed to be reported to the world; without any change to the code, the software went from being “vulnerability-free” to “vulnerable”.

The CVE Program

The CVE Program creates and manages the CVE Records that identify software vulnerabilities – so that two people discussing a vulnerability can be sure they are discussing the same thing. The program used to be called simply “MITRE”, since from its inception CVE has been a project contracted to the MITRE Corporation (in fact, MITRE first described their idea for CVE in 1999). Today, an independent board of government and private industry representatives governs the CVE Program, although MITRE staffs and runs the program.

Here are the steps by which a new CVE record is created in the CVE Program:

1.             New CVEs are reported by public and private organizations that are called CVE Numbering Authorities or CNAs; today, there are over 525 CNAs. Each CNA has a scope, which can be a country, an industry, etc. When a person or organization that is not a CNA wishes to report a vulnerability, they can approach a CNA that has the organization within its scope. For example, any project on GitHub can report a vulnerability to GitHub, which is a CNA; GitHub will assign a CVE number to the vulnerability and submit the report for approval by the CVE program. If an organization can’t find a CNA that way, they can go to one of the “CNAs of Last Resort”. Currently, these are CISA (for industrial control systems) and MITRE (for everything else).

2.             The CNA creates a CVE ID (aka “CVE number”) for the vulnerability and submits the report to CVE.org, where it becomes a CVE record and is included in the CVE.org database (although it needs to be approved first. Many proposed CVEs are rejected, for various reasons). At this point, the CVE record always includes a textual description of the product(s) in which the vulnerability is found. However, it does not usually contain a “CPE name” (CPE stands for “common platform enumeration”, although that phrase means little today); see below for further discussion of CPE.

3.             Now the CVE record goes to the National Vulnerability Database (NVD), which is operated by the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. It also goes to any other vulnerability database that supports both CVE and CPE (there are at least six or seven of these databases. They all include everything currently in the NVD, plus additional features and data offerings).

4.             Until 2024, after a new CVE record reached the NVD, an NVD contractor almost always “enriched” the CVE record by a) creating and adding a CVSS Base Score, b) identifying one or more CWEs (common weakness enumeration) that apply to the vulnerability, and c) creating a CPE name[ii] for any product described as vulnerable in the text of the CVE record.

5.             However, starting in February 2024, that process broke down, with the result that currently a large percentage of CVE records do not contain a CPE name; that percentage is growing quickly, following an announcement by NIST in January 2026 that they were going to significantly restrict the number of CVEs they enrich going forward (see this post for more information on this subject). This is a big problem, because a CVE record that does not contain either a CPE name or a PURL identifier is usually invisible to a command line- or API-based search in the NVD. This means that, when a user searches the NVD for a particular product and version number, they will not be notified that CVE-2026-12345 has been reported in that product, even if the product/version was mentioned as vulnerable in the text of the report for CVE-2026-12345. This may potentially leave the user with a false sense of security.

Tom Alrich’s Blog, too is a reader-supported publication. You can view new posts for three months after they come out by becoming a free subscriber. You can also access all of my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that or become a founding subscriber for $100). Whether free or paid, please subscribe. 

If you would like to comment on what you have read here, I would love to hear from you. Please comment in my chat or email me at [email protected].


[i] These results are different for open source software (OSS), since currently most OSS vulnerabilities are reported by third parties including Patchstack, VulDB, the Linux kernel, MITRE and GitHub. Of course, commercial software is compiled code. Seeing the source code (or what’s asserted to be the source code) requires decompiling the software, which is hard to do and is often a violation of the user’s contract. This puts the responsibility to identify vulnerabilities in a software product squarely on the shoulders of the developer of that product. 

[ii] Because names for individual software products vary widely based on the context in which the software is being referred to, the only reliable way to identify a software product in a vulnerability database like the NVD is to have a single machine-readable identifier. CPE is the oldest machine-readable software identifier. 

Until October 2025, CPE was the only software identifier supported by the NVD. At that time, support for the PURL identifier was added to the CVE Record Format, so that CNAs now have the option of using PURL to identify the vulnerable software in a CVE record. However, PURL can currently only be used to identify open source software found in package managers. Work is now proceeding (in the PURL working group) to extend PURL to identify open source software not found in package managers, including programs written in C and C++. 

However, by far the biggest “hole” in PURL coverage is commercial software, which is almost never distributed through package managers. Extending PURL to identify commercial software products isn’t a technical problem at all, but requires a) developing, with commercial developers, protocols which the developers will follow to make naming information about their products available to the public, then b) conducting education and training to get commercial developers to follow those protocols. The required protocols will almost certainly be easy to follow. 

Note that, unlike CPE names, PURLs for commercial software, like PURLs for open source software projects in package managers, will not need to be created by a central authority, nor to have a central database. This is the primary reason why PURL has become by far the most widely used identifier for open source software. 

An OWASP group, called the PURL Expansion Working Group, has been approved to address expansion of PURL to commercial software; the group is led by Tom Alrich and Steve Springett, OWASP Global Chairman. If you would like to learn more about this group, please email Tom at the address below.

G

Mixing Oil & Data Center Water

Grist: “A solution to data center backlash? Put them in oil fields.” A new project in California’s oil country could dodge national controversies over energy + water usage + noise/light pollution. “Most Americans loathe data centers…recent polling found that Democrats and Republicans alike would oppose having one in their neighborhood, and hundreds of communities across the country have fought against them, citing fears about noise, water contamination, and energy bills.”  In just the past month, policymakers in New YorkTexasPennsylvania, and Utah have proposed limits on the facilities.

A project unveiled this week in California’s Central Valley suggests a potential alternative. “California Resources Corporation, the state’s largest oil company, wants to build a 600,000-square-foot data center campus in the Elk Hills oil field about two hours north of Los Angeles.” Hopes to avoid the nationwide backlash from communities that have watched the outfits developing these sprawling operations swallow up farmland or install diesel generators near residential neighborhoods. 

“More developers are proposing to build data centers in or near active oil and gas fields, which tend to sit far from densely populated areas and boast ready access to power.” These projects are seen as a way of juicing revenues for legacy producers, even as the California project is unfolding in a state that has been trying to phase out fossil fuels. Gotta love the contradictions here.

“By repurposing an existing industrial site, creating jobs and tax revenue in Kern County, utilizing dedicated on-site power, and employing one of the industry’s most water-efficient cooling systems, the project is designed to support California’s growing digital infrastructure needs while minimizing impacts on local communities,” said Chris Gould, the company’s chief sustainability officer and the head of its carbon capture venture.

Remember that when something sounds too good to be true—it usually is. Thus, litigation by Earthjustice + others is ramping up.

G

How ESO Migrated Data from ArcGIS Utility Network for Successful CIM Interoperability

Electric operations all over the world rely on business continuity. Lithuania's Energy Distribution System Operator (ESO) has long been a strategic user of Esri geographic information system (GIS) software for increasing the reliability of the utility’s electric operations across the country. ESO's services cover 1.8 million customers and spans a service territory of the whole of Lithuania, with 127,000 kilometers total length of the distribution network.

As part of an overall digital transformation strategy, ESO employees in the spring of 2023 integrated their GIS data in ArcGIS Utility Network with their advanced distribution management system (ADMS). This integration was crucial to ensure that ESO employees could easily maintain their data in their ADMS and that it would be compatible with industry-standard systems.

Challenge

Historically, ESO employees relied on geometric network and GE Smallworld as their integration platform for as-built documentation. However, as part of ESO's strategy, staff recognized the need for a more dependable, sophisticated, and standardized infrastructure service with the most current technologies. Utility leadership initiated a project to migrate the GIS data from the existing geometric network and implement a modern product-based integration with the ADMS. Using new technologies, such as ArcGIS Utility Network, would allow staff to maintain the data and provide a single source of truth.

Following the successful migration of their systems, ESO leadership prioritized finding an integration solution that would enable their staff to work from a unified interface. This required interoperability with the Common Information Model (CIM), a globally accepted way of describing and transferring electrical models. This makes it a popular choice for new integrations in the industry.

Lithuania's Energy Distribution System Operator (ESO) has long leveraged Esri GIS technology to ensure the continuity of their electric operations.

Solution

ESO employees first implemented ArcGIS Enterprise, a complete GIS software system that helps users manage, map, visualize, and analyze their data. Staff then deployed ArcGIS Utility Network, a configurable system that leverages ArcGIS Enterprise for advanced asset modeling, analysis, business integration, and communications.

“ArcGIS Utility Network provided a network model more aligned with the principles of CIM and eased the integration between the GIS and ADMS,” said Andrius Mackevičius, Head of Network Data Management at ESO.

ESO leadership chose Similix, an Esri partner, to ensure their ArcGIS data in their ADMS was CIM-compatible. ESO employees utilized the CIM Adaptor for ArcGIS. This licensed software provides a versatile solution for aligning data and business processes across business units and systems. For users, data can easily be exchanged without modifying the underlying data models in source systems. Key to ESO's leadership was the adaptor’s ability to seamlessly work with standard ArcGIS services like Utility Network Export Subnetwork Service.

The CIM Adaptor’s user-friendly interface allows ESO users to easily map or connect the information from one system to the other with a drag-and-drop function . Additionally, the adaptor includes a rule engine that facilitates data transformation in a way that is useful for the users. ESO employees will be able to also use the CIM profile information in the adaptor to run future simulations for planning purposes in power network analysis applications.

Similix's CIM Adaptor with ArcGIS Utility Network work together to monitor for network changes and automatically export full feeders—a group of electrical devices that are connected—when changes are flagged. This automated system provides ESO employees with up to 1500 changed feeders daily, ensuring timely data updates in the ADMS.

ESO employees also wanted to ensure that the CIM Adaptor didn't negatively impact their ADMS and operations in the control room during implementation. Equally, it was important to ensure that feeders imported from the legacy GIS geometric network and feeders from Utility Network could coexist [FL2] in the ADMS. To meet this challenge, the CIM Adaptor stores existing IDs from the ADMS as attribute values in the Utility Network. This approach ensures that when the CIM Adaptor exports changed feeders to ADMS, it continues to use the same IDs for assets like transformers, saving operators time and allowing them to focus on operational tasks.

Similix's solution was easy to implement and train staff on. They also provided ESO with CIM training so staff could maintain the solution.

“Integrating GIS and ADMS using Similix CIM Adaptor is a best-in-class example of creating value from upgrading to ArcGIS Utility Network,” said Jesper Vinther Christensen, CEO at Similix. “With a product-based CIM integration, ESO has a robust platform to leverage network information to ADMS and other systems for the future.”

 

Diagram of Esri Utility Network to CIM Integration to Electric Model Assets and Connectivity to GE PowerOn ADMS

ArcGIS Utility Network data is fed into the Similix CIM Adaptor for ArcGIS; seamlessly aligning data and business processes without the need to modify underlying data models.

Results

ESO leadership values the new, robust, and configurable integration from Utility Network to ADMS. This integration, along with the benefits of Utility Network, has streamlined workflow processes and eliminated steps. ESO employees can continue maintenance or updates as new business requirements arise.

Additionally, ESO can trust Similix with new releases that meet future Esri standards. The CIM Adaptor lets ESO use the product for new CIM-based integrations. For example, it could enable Utility Network and network analysis systems in the future. ESO is exploring integrating GIS into other parts of the organization, like planning for networks and grids.

“Implementing ArcGIS Utility Network with CIM Adaptor has been a game-changer for ESO, as it has allowed us to establish a centralized system based on GIS and easily exchange network data from GIS to ADMS via industry standard format without any additional platforms” said Virgilijus Žukauskas, Head of Network Operation Division at ESO. “By integrating these technologies, we have enabled enterprise-wide use, ensuring that nearly every employee can access and utilize the system for their daily operations.”

Originally posted here.

G

AI Skepticism

ResourceInsights: "Here's comes the AI bailout: Why government stakes in AI companies are a sucker's bet." There is good reason to argue that AI based on current models is likely to be a much smaller and less impactful technology than advertised. "If the government is lured into taking an ownership stake in AI companies, it will be walking into a trap." The first clue is that the CEO of the most prominent AI company, OpenAI, proposed the idea to Trump early last year. Why would the top executive of the best-known AI company offer to dilute his wealth and the wealth of his shareholders to give the government a share? "Why would that CEO want the government looking over his shoulder as he runs his company?"

Unless of course he knows he is going to need a bailout. When a duplicitous CEO + a transactional, self-interested president shake hands—then the rest of us can look forward to paying the bill. Kurt Cobb argues there are 2 reasons for this outcome.

First, "the AI industry has convinced lawmakers and the current administration that AI is somehow the future of technology and therefore the industry (as opposed to the technology) cannot fail."

Second, "the AI industry's capital expenditures are the main thing driving the economy and the stock market and a bust among major industry players (again, as opposed to the technology) would lead to too much pain in pocketbooks and portfolios." Remember the phrase—'too big to fail?'

"Governments are actually very poor at making financial investment decisions, in part, because they are not set up for that." When the current AI bubble bursts, the federal government [could] be tempted to throw good money after bad to bail out its investment since the government has something private industry lacks, the power to tax and the ability to print money as needed.

"The entire global software industry had revenues of about $719 billion in 2025...for products that presumably work and have a marginal distribution cost close to zero." Aside from stringent regulation, I share Cobb's skepticism about the government getting any closer to AI than with a 10-foot pole.

Atul Pandurang Joshi

Interesting perspective — if AI is truly the next industrial revolution, why are its biggest champions already floating bailout ideas? The tension between technological promise and financial fragility is worth unpacking. Are we witnessing innovation or inflation of expectations?

G

The “Cloud CIP” standards drafting team may be about to hit a brick wall

I have been writing about the problem of medium and high impact NERC CIP systems being “illegal” in the cloud for close to ten years. At one point, I gave up on the idea that things would ever get better, since I thought the changes that would need to be made to the existing CIP standards would be too much for the power industry.

The problem was (and is) that prescriptive, device-based requirements like CIP-007 R2 and CIP-010 R1 can’t work in the cloud. These will all need to be rewritten as risk based. However, the industry is worried about how auditors would audit true risk-based requirements, since NERC’s Rules of Procedure were originally developed with only prescriptive requirements in mind. Since all the NERC Reliability Standards except for CIP are ultimately based on the laws of physics, prescriptive requirements are the only ones that make sense for those standards; but cybersecurity is based on risk, and all cyber requirements should be risk-based.

Thus, I was pleasantly surprised when in December 2023 a very well-written Standards Authorization Request (SAR) for fixing the cloud problem was approved by the NERC Standards Committee. Note that, by “cloud problem” I’m referring to the fact that medium and high impact BES Cyber Systems (BCS), Electronic Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) cannot be implemented or utilized in the cloud without violating over thirty NERC CIP Requirements and Requirement Parts. I break the cloud problem into three “sub-problems”: BCS in the cloud, EACMS in the cloud and PACS in the cloud.

Note the cloud problem is separate from the problem of BES Cyber System Information (BCSI) being stored or utilized in the cloud. The BCSI problem was solved when CIP-004-7 and CIP-011-3 came into effect on January 1, 2024, although hardly anybody in the NERC community seems to believe that the problem really was solved. As a result, a lot of NERC entities are needlessly refraining from using cloud-based services (SaaS) that sometimes uses BCSI, such as cloud-based MFA and configuration management.

The Risk Management for Third-Party Cloud Services Standards Drafting Team was constituted in the spring of 2024 (in response to the SAR’s approval) and started meeting in the summer; they have been meeting continually since then. However, the SDT has yet to publish a single draft standard or definition for comment, even though they are currently working on about twelve new standards and an undetermined number of new definitions.

If I’d been told a year and a half ago that the SDT would still be meeting today and that they wouldn’t yet have drafted any new standards, I would probably have said that’s not surprising, given how ambitious the project is; in fact, I predicted in late 2024 that it would be 2031 before new standards would be drafted, approved and in effect.

However, starting in early 2025, I began to see some red flags that made me worry the SDT might ultimately fail – i.e., disband without having solved the three cloud problems. Those red flags have only multiplied since then. Below are brief descriptions of about ten of those red flags. Once draft standards and definitions are posted, I’ll have a lot more to discuss.

1. The SDT decided in early 2025 that they would not only draft new standards for cloud-based systems, but they would develop new standards (called the “100-series”: CIP-102, 103, etc.) that would apply to both on-premises and cloud-based systems. At the time, I didn’t see how standards that apply to both types of systems could possibly work (since on-premises systems can be directly audited, but cloud-based systems can’t). But the SDT members assured me (since at that time I was attending at least two SDT meetings per month) that this would be no problem. I still don’t know if or how CIP auditing will work for cloud-based systems.

2. In order not to alienate NERC entities that are happy (or at least not terribly unhappy) with the current CIP standards and don’t want to go through a huge effort to revise all their documentation, procedures, etc., the SDT wants to let them stick with the current standards for on-premises systems, but utilize the 100 series standards for cloud-based systems. However, NERC entities that have both on-premises and cloud-based systems subject to CIP compliance will also be able to have their on-prem systems audited on compliance with the 100 series.

The SDT’s hope is that ultimately all systems subject to NERC CIP compliance will be audited based on the 100 series standards. This is a fine idea, but I know of no provision in the NERC Rules of Procedure that allows a NERC entity to choose not to comply with a group of standards, even though they’re technically required to comply with them. All NERC entities with on premises control systems and with assets (mostly Control Centers, Transmission substations and generating facilities) that meet one of the “bright line” criteria in Attachment 1 of CIP-002 must comply with the CIP standards.

The SDT might address this problem by changing Section 4 of each existing CIP standard to say that the standard isn’t applicable to entities that have chosen to follow the 100-series equivalent of that standard (e.g., CIP-105 for CIP-005). However, negotiating this wording with the NERC lawyers will be a bear. Instead, the SDT seems to be pursuing a strategy of hoping the lawyers won’t notice what they’re doing. Good luck with that.

3. The above is one of at least two – and perhaps more – aspects of the new standards that are likely to violate the Rules of Procedure. Of course, the RoP can be changed, although not by an SDT. Nobody has been able to tell me how the RoP can be changed, but it’s certainly going to require a long process and will almost certainly require both NERC and FERC approval. The SDT’s leaders have told me, probably with fingers crossed, that RoP changes won’t be needed (although one of them said something very different to me less than a year ago). We’ll see what happens, but this is another red flag.

4. The proposed 100 series standards will supposedly fix the cloud problem, which of course is the SDT’s mandate (see below for more on this topic). But the SDT decided early last year that they wanted to add a huge task that isn’t in their mandate at all: rewrite the current CIP standards to be entirely risk-based (or “objectives-based”, to use the current NERC term). Even though NERC entities will be allowed to stay on the current standards for their on-premises systems, the 100 series standards are intended to be the next version of CIP, so sooner or later all NERC entities will have to comply with them, no matter where their systems are located.

I’ve been saying for years that the current CIP standards need to be rewritten as risk-based. In fact, in 2018 I wrote more than half of a book explaining the problems I see with the current CIP standards and describing how they could be fixed. However, I abandoned it when I became too busy (I may be working with someone soon to finally finish the book. If you’re interested in joining this effort, let me know).

But I’m not the only person with ideas about how to improve the CIP standards; just about every NERC entity who must comply with CIP has something to say about the current standards, some of it printable and some not. If this SDT wants to rewrite the current standards for on-premises systems, I suggest they stop what they’re doing now and draft a SAR for doing that, since they have no mandate to do this now. In drafting that SAR, they need to hold listening sessions with NERC entities to get their ideas on how to fix CIP; if they try to impose their own ideas on a very passion-filled topic, they aren’t likely to get approved by the NERC ballot body.

If the SDT does this right, it will take them six months to a year to conduct “listening tours” (physical and virtual, of course), then draft the new SAR. This might seem to be an unnecessary use of the SDT’s time, but deciding for themselves what NERC entities need and then forcing them to swallow the team’s ideas whole isn’t going to work.

5.  However, there’s one problem that currently makes all the others moot: Since the beginning of the year, the SDT has been sprinting (although running hard in place is a better description) to meet a seemingly arbitrarily imposed September “deadline” to submit the new standards and definitions for the first ballot for NERC entities to vote on. The SDT is no more likely to meet that deadline than I am to score a goal in the World Cup. Here’s why:

a)      Given everything that needs to go on before the first ballot, the team needs to have at least an agreed upon set of about 12 draft standards ready in a few weeks – this will be the “posting for comment” for the NERC community. Yet, after 22 or 23 months of work, the SDT has yet to agree on a single draft standard; in fact, there is at least one standard that the team hasn’t yet decided whether it will even be part of the package they submit. Will they really be able to finalize all twelve standards in a few weeks? Is it possible that the reason why they’re having so much trouble drafting the 100 series standards is that they’re trying to do too much at once - like end global warming, square the circle, and invent a perpetual motion machine in one fell swoop?

b)     When the team first started discussing new standards to apply to the cloud, they started using terms like “BES Cyber Systems or Services” and building the requirements on them. However, they never finalized any definitions and still haven’t done so; in fact, there isn’t even agreement on what terms are needed. This is just another task that needs to be accomplished in the next few weeks (this is also one reason why none of the standards are finalized. How can you finalize a requirement without being sure what the terms in it mean?). I note that the team that drafted CIP version 5 – the last major change to the CIP standards before this one – developed their fundamental definition, BES Cyber System, in 2008 or 2009. That was two years before they started drafting v5 and seven years before it came into effect, not three weeks before they first posted the standards for comment.

c)      In recent years, the primary guidance for a new or revised NERC standard is its Technical Rationale (TR) – a document prepared by the drafting team that explains what they had in mind when they developed the standard. This SDT is already at work on a TR for each standard (to be more exact, a few individuals are at work on TRs. Given the huge volume of work remaining to be done and the pressure to finish up, it’s not clear they’ll have much time to coordinate with each other). I’ve seen some of the language in one of the TRs; it’s quite complex, which is a huge red flag in my book. If a requirement can’t be described in concise language, it shouldn’t be a requirement, since it will result in endless audit fights.

d)     Before the SDT can post the standards for the first ballot, they need to take two steps: The first is posting the draft standards for comment, so that members of the NERC community can submit questions and comments. This comment period is normally at least 25 days; anything less than that will be a big problem, since a NERC compliance team at a major utility can’t just whip something up in a couple of weeks and submit it without any review; in fact, comment periods are normally 45 days.

e)     Once the comments are received, the SDT needs to respond to them, including at least all the negative ones (although they can group comments that seem to be similar). However, after responding, the hard work begins: the team needs to decide which negative comments are valid and make changes to the standards or definitions to address those comments. Finally, they need to post the revised draft standards for comment, so NERC entities can verify that they have in fact taken their comments seriously. If the SDT tries to skip this step, they risk making a lot of NERC entities unhappy, and anxious to take their revenge on the SDT in the balloting.

f)       The second step the SDT needs to take before the first ballot posting is the Quality Review, in which the draft standards are submitted to a group of NERC lawyers and auditors for their comments (actually, the SDT should have had at least one meeting with the auditors already. If they had done so – as I was repeatedly promised - they might have avoided running into a brick wall in the QR, with the lawyers and/or auditors telling them they have to restart the drafting process from the beginning.

g)      I think this is a real possibility, although it’s still better than having the standards get approved by NERC (which is almost certain to take at least a year) and then go to FERC for their judgment. It might take more than one year for FERC to render judgment (I believe the CIP record was 17 months for version 1), given the importance of the cloud changes and given the fact that, unlike almost every other change in or addition to the CIP standards, FERC didn’t order the changes. Thus, if FERC has problems with what’s submitted to them, they might not do what they normally have done with CIP: approve the standard but require that changes be made in a new version. Instead, they might simply remand the standard entirely, so the SDT will have to restart the drafting process from the beginning. This would add at least two years to the amount of time the SDT has wasted. Of course, this would be a catastrophe for NERC, since so many NERC entities have been waiting for so long to – finally! – have full access to the cloud. If they suddenly find themselves in another long wait just when they thought their problem was finally solve…I have no idea what would happen, but it’s unlikely to be pretty.

h)     It should be clear that the two comment periods (one for the general community and one for the NERC lawyers and auditors) will take at least two months each – which alone puts the SDT far past their September “deadline” for the first ballot posting. However, that assumes that none of the negative comments will require substantial changes to the standards (and anything more than a misspelling might require a substantial change). But it’s close to certain that many substantial changes will be required, to the point that the SDT may have to throw out everything they’ve drafted so far and start over (in fact, in the last SDT meeting, it was pointed out that one feature of the draft standards – even though they haven’t been officially drafted yet – has already drawn substantial negative comments from one group of NERC entities. There will likely be other such cases as well).

i)       Given this, the earliest possible date for posting for a first ballot is probably January, but even that will depend on not needing to make any substantial changes after either the posting for public comment or the quality review.  Since that’s not a realistic assumption, I’d say the SDT will be lucky if they can have a first ballot before next spring or even summer. On the other hand, it will be much worse if the initial draft standards make it to the first ballot posting substantially unchanged, since I don’t see any reasonable path to their getting passed by even a majority of the NERC ballot body (i.e., the NERC entities that say they want to vote on these changes), let alone the required supermajority. If the SDT is forced to go back to the drawing board soon (say, after the public posting for comment) rather than 1-3 years from now, it will be a very bad day at the office for the NERC community in general, but especially the SDT members.

Thus, I think it will realistically be at least 3-5 years (including allowance for an implementation period after FERC approves the new standards and definitions) before the standards now being worked on by the SDT come into effect (which brings me back to my original prediction of 2031, although I wasn’t aiming for that result). Given that the team has already met for two years with very little to show for that effort, I wonder how many members will be willing to stick around that long.

I want to point out that there are two scenarios in which I can at least imagine that the most important part of the CIP-in-the-cloud problem would be solved (i.e., an enforceable set of standards and definitions would be in place) in the next two years:

1. When I moved to Chicago decades ago, there was a common saying in politics: “The fix is in.” This meant there was no point in fighting some political move that had recently been made or was about to be made, since the people in charge (which was certainly not the voters at that time!) had already decided what they wanted; they would make it happen no matter what anyone else said. I certainly hope that can’t happen in this case, but given the obviously huge pressure on the drafting team to meet the September deadline for the first ballot, I’m not so sure it won’t.

After all, the NERC Board of Trustees has various emergency powers at their disposal. I can’t imagine what emergency would justify not going through the normal standards approval process in the case of CIP and the cloud. However, I do know that short-circuiting that process would be a huge and extremely costly mistake if it happened. NERC literally might not recover from that.

2. Last November, I realized that the three components of the Cloud CIP problem - BCS, EACMS and PACS in the cloud – could all be solved with eight small changes to the existing standards and definitions (seven of the changes are trivial. One, the definition of “system”, is less trivial but is certainly doable with a few SDT meetings). I also realized that by far the most important of these problems was (and continues to be) the “EACMS problem” (although the “PACS problem”, which is literally word for word identical with the EACMS problem if you just replace every instance of EACMS with PACS, is a close number two). In fact, the 2023 Standards Authorization Request (linked earlier), under which this SDT was constituted, mentioned – nay, pleaded – in a couple of places that the SDT should address the EACMS problem before the others. I don’t think the SDT ever seriously considered this request, mainly because they spent their first six months drafting their own SAR, which didn’t mention this issue at all.

When I realized early this year that this SDT was probably on the road to failure and needed some sort of quick fix, I realized that just the last four of the eight changes (now highlighted in red) in my November post linked earlier were all that are needed to fix both the EACMS and PACS problems (but not the BCS problem, which ironically is the least important today); all four of these are trivial changes that should be easy to draft and shouldn’t be controversial at all. I’m sure that, if the drafting team starts to draft these changes soon (they won’t require a new SAR), both EACMS and PACS in the cloud could be “legal” by the end of next year (Note to the SDT: The scheduling problem with CIP-002 that you discussed in your meeting on Thursday doesn’t apply to these changes, since no change to CIP-002 is needed).

Here’s a final kicker: I’m close to certain that whatever standards the SDT drafts for the posting for comment will not solve the problem of either EACMS or PACS in the cloud. In other words, even if by some miracle the SDT can get the currently envisioned standards and definitions approved by both NERC and FERC, they will still have to go back and make the four changes I listed in that post. Why not make these changes now, rather than wait for NERC entities - who have only on-premises systems, but want to utilize a cloud-based access control or monitoring service or PACS service - to realize they still can’t legally use the cloud when they start to get audited for the 100 series? Boy, will they be p___..…umm, unhappy.

Tom Alrich’s Blog, too is a reader-supported publication. You can view new posts for two months after they come out by becoming a free subscriber. You can also access all my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that or become a founding subscriber for $100). Whichever option you choose, please subscribe. 

If you would like to comment on what you have read here, I would love to hear from you. Please comment in my chat or email me at [email protected].

David Miller

I remember having to help draft a set of NERC CIP policies at my old job around information protection and had a lot of insight to the other standards being written. So seeing EACMS, PACS, BES, BCS, and all the other fun acronyms is bringing back PTSD.

I was part of a FERC-led NERC audit and when this question of cloud based systems came up, both NERC and FERC were very sympathetic because they do understand the cloud is the future of utilities. And while they said nothing in the CIP policies at the time specifically prohibited cloud, we did point out it was VERY difficult to adhere to the standards as written because of the words and phrases NERC used.

If we're still 5 years out from a new set of standards and policies to try and allow usage of a technology that changes every 6 months...yeah, we're going to have a lot of unhappy people.

G

PAPUC Advances Proposed Cybersecurity Regulations for Pennsylvania Utilities

"The proposed regulations would require utilities to maintain cybersecurity programs aligned with widely recognized national cybersecurity frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The proposal also establishes updated requirements for cybersecurity evaluations, incident reporting, and annual certifications designed to help ensure utilities maintain appropriate cybersecurity practices based on the size and complexity of their operations."

https://www.puc.pa.gov/press-release/2026/puc-advances-proposed-cybersecurity-regulations-for-pennsylvania-utilities-06182026

Fortunately for utilities, DHS CISA provides guidance to help entities implement cybersecurity best practices aligned with NIST CSF, by following CyberSecurity Performance Goals (CPG) version 2.0; https://www.cisa.gov/cybersecurity-performance-goals-2-0-cpg-2-0

G

Beyond Interconnection: How GIS Can Help Utilities Understand Grid Influence

A professional and technical visual representing the convergence of electric utility grids and GIS, now including a central concept of two diverse people in professional attire shaking hands to symbolize collaboration. The image features a stylized, modern power grid network with transmission lines and substations. Overlaid on this network are vibrant, semi-transparent data visualization layers including heat maps for congestion, topographic contours, and digital icons representing spatial intelligence and power system analysis. The aesthetic is futuristic and precise, with a dark blue and teal color palette.

I have been fortunate to have had some remarkable influences in my career. Two stand out.

The first was my college professor, Homer Brown. He taught power system analysis using computers. What made him unique was that he wasn't just teaching algorithms; he invented one of them, the Z-Matrix method for short-circuit analysis, which is still used today. Homer sparked my fascination with power system modeling and the idea that computers could help us better understand how the grid behaves. Later, I ended up teaching many of these same algorithms.

The second influence was Esri President Jack Dangermond. Jack's vision was that GIS was never really about maps. It was about understanding relationships and helping organizations make better decisions. For me, those organizations became electric utilities.

For most of the industry's history, power system analysis and GIS have lived in separate worlds. Engineers built models to understand power flows, fault currents, and system reliability. GIS provided geographic context. The two occasionally met when network data was exported into engineering software, but that was about it.

Today, that separation no longer makes sense.

A New Approach

The industry is facing a fundamental shift. The grid deals with a stampede of interconnection requests driven by renewables, battery storage, data centers, electrification, and artificial intelligence infrastructure. At the same time, utilities are facing an onslaught of wildfires, flooding, severe storms, and extreme heat. The grid is becoming more stressed, more interconnected, and more difficult to plan.

Traditional approaches are struggling to keep up.

For years, interconnection studies focused on a simple question: Can this project connect to the grid?

That is still important, but it is no longer enough.

A better question is: How does this project influence the grid, and how does the grid influence the project?

Consider a large solar facility. Its output may flow across transmission lines hundreds of miles from its point of interconnection. Some of those facilities may already be congested. Others may cross regions vulnerable to wildfire, flooding, or extreme weather. Likewise, a large data center may create impacts far beyond the substation where it connects. Its demand may influence transmission loading, generation dispatch, and reliability conditions across an entire region.

These relationships are real, but they are often hidden inside engineering studies and planning models.

This is where I believe GIS, along with its GeoAI capabilities, and traditional power system analysis can come together in a transformational way.

Electricity Does Not Flow Along a Single Path

One of the most useful concepts in transmission planning is the Power Transfer Distribution Factor, or PTDF. PTDFs help us understand how power actually moves across a network. They remind us that electricity does not travel along a single path. It spreads across the system according to the network's connectivity and electrical characteristics.

Utilities have used PTDFs for years to understand congestion and transmission impacts. What GIS brings to the table is the ability to place those electrical relationships into geographic context.

A transmission line several hundred miles away may carry a meaningful portion of a generator's output. A transformer in another state may become a limiting factor for a proposed data center. A wildfire-prone corridor may be critical to delivering power between a resource and a load center.

Those are not just engineering relationships. They are geographic relationships as well.

Using GIS, utilities understand geography. They know where assets are located. They know where development is occurring. They understand environmental risks.

What has been much harder to visualize is how electrical influence spreads across the network and intersects with those geographic realities.

By combining load-flow analysis, PTDFs, GIS, and the ArcGIS Utility Network, utilities can begin to see those relationships in entirely new ways.

This is where GIS’s GeoAI capabilities and ArcGIS Utility Network become interesting. They can help identify patterns, dependencies, and risks that may not be obvious when information is scattered across multiple systems and reports.

Imagine combining transmission analysis results with interconnection queues, congestion history, asset condition data, weather forecasts, wildfire risk, flood exposure, and land-use trends within a common geospatial framework.

Suddenly, questions become easier to answer.

Which facilities are most critical to a project's success? Which environmental risks threaten key delivery paths? Which future projects may compete for the same transmission capacity? Which constraints are likely to emerge before they show up in a formal study?

Supporting the Future Grid

The future grid will be shaped by interactions between generation, load, transmission, geography, climate, and infrastructure risk. Understanding individual projects will remain important, but understanding how those projects influence one another across the network may become even more important.

Homer Brown helped me understand the physics of the grid.

Jack Dangermond showed me how geography can help us better understand the world.

The next step is bringing those two ideas together.

When electrical and geographic intelligence converge, utilities gain a new perspective on the grid, not simply where assets are located, but how they influence one another. One great example is a large transmission operator (which I am not permitted to name) that has integrated real-time EMS data into its GIS within the control room. Dispatchers value the ability to view their operations in a geographic context. While they do not dispatch directly from the GIS, it enables them to uncover insights and relationships that would not be apparent from the EMS alone.

That may be one of the most important opportunities GeoAI brings to the future of utility planning.

For more information on how GIS can transform the grid, visit the GeoAI and ArcGIS Utility Network websites.

Atul Pandurang Joshi

This is an exceptional piece — not just for its technical clarity, but for how it bridges two disciplines that have historically operated in silos. Your ability to connect power system physics with geospatial intelligence shows exactly where the industry needs to go next. The personal influences you highlight make the narrative even more compelling.

G