NAESB Meeting to Discuss Software Vulnerability Reporting

NAESB is hosting a meeting on December 15 to discuss software vulnerability disclosure reporting practices. It will include an update on the current state of the NIST NVD/CVE program, whose funding is expected to expire on March 16, 2026, and on what comes next for the software vulnerability disclosure reporting that product users need after funding expires. Two objectives for this meeting are:

  1. Inform the energy industry of the situation facing the CVE reporting program and the rise in the number of software vulnerability reports, now up to 130 reports per day.

  2. Open the door for the industry to speak with one voice by developing a strategic solution/standard for vendor product vulnerability disclosure reporting to meet energy industry needs supporting continuous monitoring of cyber risks and a rapid risk response in support of FERC Order 912 expectations.

I'll also talk about the 60 Minutes segment covering the LELWD breach that exploited a software vulnerability in a Cisco product. (FYI: Cisco is the best, IMO, when it comes to informing consumers of software vulnerabilities in specific Cisco products, using a dynamically generated Product Vulnerability Disclosure Report (VDR) that lists the current vulnerabilities affecting a specific product as of "right now" - think of a CARFAX report for software products, i.e. "show me the VDR".)

The Cisco VDR generator tool (Software Checker) that reports all known current vulnerabilities in a product could serve as a model for any forthcoming NAESB work efforts on product vulnerability disclosure reporting aimed at product consumers.

Attachment: CVE-at-a-Crossroads.pdf

Reports of software vulnerabilities, like the Cisco firewall vulnerability (CVE-2023-20198) covered by 60 Minutes, have reached 130 per day! That's a lot of holes to plug before the cyber criminals can exploit them and cause harm.

R Street Institute also offers valuable insights in this article:

https://www.rstreet.org/commentary/hidden-infrastructure-why-cve-funding-is-a-national-security-imperative/

The WEQ Cybersecurity Subcommittee (CSS) and Business Practices Subcommittee (BPS) have scheduled a meeting for Monday, December 15, 2025 from 2:30 PM – 3:30 PM Central to begin discussing the jointly assigned item on the 2025 and proposed 2026 WEQ Annual Plan. As part of this effort, the subcommittees will consider and develop standards to support cybersecurity vulnerability disclosures, such as software supply chain risks, including those that could support industry implementation of NERC reliability requirements. For the upcoming meeting, the WEQ CSS and BPS co-chairs plan to begin with a review of a presentation that overviews the topic and potential considerations that could help inform initial discussions. An agenda for the meeting is posted to the WEQ CSS and BPS pages of the NAESB website: https://naesb.org/committee_activities.asp

The final slide deck presentation for this meeting has been submitted and will appear as a work paper for the December 15 meeting on the NAESB Activities page.

Here is a link to the final presentation from NAESB.

This Energy Central Podcast from December 16 is also well worth watching.

Attachment: n_weq_bps_css121525a.doc
