2026 Regional Risk Assessment
Our Mission:
To identify, prioritize, and assure effective and efficient mitigation of risks to the reliability and security of the North American bulk power system by promoting Highly Effective Reliability Organizations® (HEROs)
Executive Summary
A reliable and secure power grid is more than a convenience; it is essential to our economy and daily lives, now and into the future. Without electricity, there is no health care, banking, transportation, or communications, to name a few.
"As we electrify more of our economy, our dependence on the bulk power system—the backbone of North America’s electricity network—has never been greater."
MRO's Regional Risk Assessment (RRA) provides a common risk foundation to assist utilities and other stakeholders in prioritizing and planning the individual systems that support and improve the entire interconnected network.
This critical, annual assessment drives MRO’s focus on risk management and advances our mission by helping prioritize risk reduction efforts across the region.
By offering expert perspectives on risk mitigation and resource allocation, efforts can be directed where they are needed most to maintain a resilient energy landscape in a rapidly changing world.
- Richard Burt, Senior Vice President and Chief Operating Officer
About the Region
Midwest Reliability Organization (MRO) is a Regional Entity of the North American Electric Reliability Corporation (NERC). Together, the Regions and NERC are referred to as the Electric Reliability Organization (ERO) Enterprise.
The ERO Enterprise operates under section 215(e)(4) of the Federal Power Act with oversight from the Federal Energy Regulatory Commission in the United States, and under other agreements in Canada.
Regional Highlights:
More than 260 organizations in the MRO region participate in the production and delivery of electric power to roughly 28 million people.
The region spans the provinces of Saskatchewan and Manitoba, and all or parts of the states of:
|
Arkansas |
Minnesota |
Oklahoma |
|---|---|---|
|
Illinois |
Missouri |
South Dakota |
|
Iowa |
Montana |
Texas |
|
Kansas |
Nebraska |
Wisconsin |
|
Louisiana |
New Mexico |
|
|
Michigan |
North Dakota |
We are uniquely situated at the intersection of three North American electric grids — the Western Interconnection, Eastern Interconnection, and Texas Interconnection (see Figure 1) — and provide a critical link to delivering diverse generating resources to customers within the region and beyond.
Our primary responsibilities:
- Monitor and enforce compliance with mandatory Reliability Standards by entities who are registered as owners, operators, or users of the North American bulk power system.
- Conduct reliability assessments of the grid's ability to meet electric power demand in the region.
- Analyze disturbances to regional bulk power system power system generation and supply.
- Provide outreach and training on important topics related to addressing risk and improving reliable operations of the bulk power system.
Additionally, MRO creates an open forum for stakeholder experts from across the region to discuss important topics related to addressing risk and improving reliable operations of the bulk power system.
MRO's three stakeholder-led advisory councils expand outreach and awareness, promote information-sharing, and publish guidance for the region.
Assessment Process
The Regional Risk Assessment (RRA) is a product of close collaboration with industry stakeholders and is designed to drive informed decision-making. MRO staff and the industry experts that serve on the three advisory councils (Compliance Monitoring and Enforcement Program, Reliability, and Security) analyze a variety of technical assessments and performance data as part of this comprehensive assessment.
Reliability Risk Matrix
Regional risks are identified and prioritized based on the impact to reliability and security of the grid and likelihood of occurrence. The MRO Reliability Risk Matrix is used to score risks as Extreme, High, Medium, or Low, based on impact and likelihood.
Two levels of priority are then assigned:
- Extreme and High Risks receive immediate attention for regional awareness and mitigation efforts, and
- Medium and Low Risks are monitored to ensure long-term stability.
Risk Management Action Plans (RMAPs) are under development to provide regional stakeholders with deeper insights into specific risks and ongoing mitigation strategies.
Key Findings
Fourteen risks were identified in 2026, with seven rising to an extreme or high priority:
Notable shifts and trends include:
- The risk of insufficient energy persists: “Uncertain Energy Availability” was first designated as an extreme priority risk in 2024. While electricity demand continues to climb, the projected supply from current and future confirmed generation is not keeping pace, creating significant uncertainty across the MRO footprint.
- Ongoing supply chain pressures: “Material and Equipment Unavailability” escalated from a medium to a high priority risk this year. The shift is due to accelerating utility investments competing for the same electrical equipment required by hyperscale data centers and industrial facilities.
- Regional risk profile remains consistent: The remaining high risks in the report have not changed priority since 2025.
Summary of Top Regional Risks
Uncertain Energy Availability
Designated as an EXTREME risk
A reliable bulk power system requires an instantaneous and precise balance: supply must perfectly match demand every second to prevent system instability or collapse. This has historically been achieved by planning sufficient dispatchable generation and reserves (supply) around predictable load patterns (demand). Integrating weather dependent, intermittent, and finite duration resources (wind, solar and battery storage) complicate this precise balance.
At the same time, electricity demand is increasing rapidly and becoming harder to forecast. Massive new 'hyperscale' loads—primarily data centers that require a constant supply of reliable power—are driving much of this growth.
Across the MRO region, accelerating retirements of dispatchable power plants before adequate replacement energy is available, limited transmission capacity, and barriers to timely deployment of new infrastructure are increasing the risk of energy shortfalls.
Recent reliability assessments and bulk power system events underscore the need for new energy adequacy metrics, improved planning standards, and careful management of retirements to ensure sufficient dispatchable resources remain available.
Nation-State Threat
Designated as a HIGH risk
Rising geopolitical conflicts have dramatically increased the volume and sophistication of nation-state threats targeting North American critical infrastructure, including the bulk power system. These well-resourced threat actors pose a significant and strategic cyber threat aimed at undermining military, economic, and political capabilities.
They demonstrate high levels of persistence within Information Technology (IT) and Operational Technology (OT) environments and often use “Living Off the Land” techniques to carry out attacks that avoid detection from installed security software tools. Recent campaigns—such as the China-linked Volt Typhoon and Russia’s Sandworm attacks on European grids—showcase the potential for coordinated cyber and physical strikes on critical infrastructure.
While existing NERC Critical Infrastructure Protection standards offer a foundation of defense-in-depth protection, the evolving landscape requires a more proactive approach that includes enhanced internal network monitoring, improved detection on OT systems, and stronger preparedness for coordinated, large-scale cyber events.
Generation Outages During Extreme Cold Weather
Designated as a HIGH risk
Recent extreme winter storms—including Uri (2021), Elliott (2022), and major events in early 2024, 2025, and 2026—severely strained both electric generation and natural gas systems. These events caused elevated outage rates and, in some cases, unprecedented firm load shedding to maintain electric grid stability. MRO staff participated in the expert analysis of these events that exposed vulnerabilities like insufficient winterization of infrastructure, a growing reliance on “just-in-time” natural gas delivery, and tightening operating margins due to the retirement of dispatchable resources.
Unplanned generation outages during major winter storms have been several times higher than planned seasonal averages. While NERC cold weather preparedness standards and industry-wide initiatives are strengthening grid resilience, extreme winter weather remains a primary reliability risk. The system is particularly vulnerable when high outage rates coincide with constrained fuel supplies and limited electricity import capabilities.
Supply Chain Compromise
Designated as a HIGH risk
A supply chain compromise occurs when malicious or defective hardware, software, or services are introduced into utility systems before deployment. This can happen through intentional manipulation by threat actors or weak security practices at the vendor level. Several trends have heightened this risk to the bulk power system:
- There is growing reliance on a small number of common third-party providers, which creates single points of failure.
- At the same time, utilities often have limited visibility into third-party hardware/software development, manufacturing, and security protocols.
- The rapid deployment of wind, solar, and battery technologies introduces new software-heavy components into the grid, expanding the potential attack surface.
Recent incidents—including compromised open-source software, ransomware delivered through managed service providers, and large-scale software update failures—demonstrate how a single vendor vulnerability can trigger widespread operational disruptions.
Inadequate Inverter Performance and Modeling
Designated as a HIGH risk
Advanced technologies have introduced new risks to power grid planning and operations. Inverter-based resources (IBRs)—such as wind, solar, and battery storage—rely on programmable software, unlike traditional electricity generators that provide a physical response to grid stress. Inverter-based loads, primarily data centers, add another dimension to this risk because of their scale and concentrated electricity consumption.
Limited operational experience, combined with insufficient and incorrect modeling, makes it difficult for system planners and operators to accurately forecast how inverters will behave during grid disturbances. Past events have shown that poorly coordinated or misconfigured inverters can “trip” or disconnect simultaneously from the grid. This leads to abrupt, large-scale shifts in electricity supply or demand that can destabilize the entire system.
While new NERC standards are being developed and implemented to improve IBR modeling accuracy and performance, continuous monitoring, industry coordination, and new or enhanced technical standards are essential to maintaining bulk power system stability.
Material and Equipment Unavailability
Designated as a HIGH risk
Rising demand to replace aging infrastructure and build new generation and transmission has strained the global electrical equipment supply chain beyond its current manufacturing capacity. Utilities are facing unprecedented competition for electrical equipment, primarily driven by the rapid expansion of large-scale data centers. This has led to much longer lead times for critical components like power transformers and circuit breakers, which limits utilities’ ability to quickly replace failed assets or address security vulnerabilities.
These delays heighten reliability risks by keeping critical system components out of service for longer periods and delaying major generation and transmission projects needed to meet rising demand. As equipment availability becomes a strategic risk rather than just a procurement hurdle, mitigation now depends on spare equipment sharing, strong vendor relationships, and proactive inventory management.
Malicious Insider Threat
Designated as a HIGH risk
A malicious insider—including employees, contractors, or vendors with authorized access—poses a unique risk to system reliability. Unlike external attackers, insiders possess legitimate credentials, proximity to critical assets, and deep institutional knowledge of system vulnerabilities. Insiders may be motivated by professional dissatisfaction, ideological beliefs, or financial gain. They may act independently or in coordination with external actors to conduct cyber or physical attacks on corporate networks, operational control systems, and bulk power system assets. Heightening this risk are:
- A growing dependency on external contractors and vendors expands the number of individuals with high-level access.
- Ongoing social and political unrest, influencing individual motivation and increasing the likelihood of ideological sabotage.
- Ineffective perimeter defenses, as insider activities easily blend in with normal administrative or maintenance tasks.
While existing NERC CIP standards provide defense-in-depth protection for high- and medium- impact assets, gaps remain for low impact assets. To address this, new requirements—specifically CIP-015-1 (Internal Network Security Monitoring)—are being implemented to improve detection, response, and recovery from unauthorized internal activity. Effective mitigation depends on strong insider threat programs, security-focused organizational culture, least-privilege access controls, network segmentation, and proactive monitoring.
Summary
The industry is undergoing a rapid and historic transformation, which continues to underly the top risks in MRO's 2026 Regional Risk Assessment. The speed of the transformation poses a “triple threat” to the grid, with surging energy demand, increasing uncertainty of energy supplies, and a decreasing reserve margin. Coordinated action from multiple players is crucial to achieving the industry's shared vision of a highly reliable and secure North American bulk power system.
MRO is uniquely positioned to coordinate and collaborate with various industry stakeholders to address the risks highlighted in this report. As a trusted authority on grid reliability and security, we are committed to raising awareness, providing guidance, and developing mitigation strategies for the highest risks to the regional bulk power system.
The full report linked below highlights work being done by MRO and the broader ERO Enterprise to identify, track, trend, and mitigate reliability and security risks to the North American bulk power system.
Built with Shorthand