Utilities Focus on Compliance with NERC-CIP Cyber Standards
Electric utilities of all kinds, including independent power producers, have a legal responsibility to adhere to the North American Electric Reliability Corporation (NERC) standards for cybersecurity. In the US, these standards have been mandatory since 2007. Violations can result in significant fines, up to $1 million per violation per day.
NERC’s program is complex, but it is possible to cut to the chase: NERC calls the companies subject to its cybersecurity standards “Registered Entities.” They operate in a variety of functional areas: Transmission Owner/Operator, Generation Owner/Operator, Transmission Planner, Balancing Authority and Reliability Coordinator.
NERC’s standards are designed to protect critical infrastructure (CI) from cyber threats and ensure the continuous and reliable delivery of electricity. By following NERC’s mandatory standards and requirements, organizations safeguard their systems against potential cyberattacks, minimize vulnerabilities and maintain the trust and confidence of the public. Commitment to these standards underscores an organization’s dedication to operational excellence and to the security of energy infrastructure.
These cybersecurity standards cover a variety of areas, but they all belong to the Critical Infrastructure Protection (CIP) family of NERC standards. The most important fact to keep in mind is that, for utilities, NERC-CIP compliance is not an easy road to travel. The standards bring some special challenges of their own.
Key Cybersecurity Requirements
Patch management is one of several essential areas in which Registered Entities must protect against vulnerabilities and ensure compliance with the NERC standards. Regularly evaluating and applying security patches to software and systems addresses known weaknesses, reducing the risk of unauthorized access and cyberattacks. This practice is crucial for maintaining the reliability and stability of utility operations, which in turn is vital for delivering consistent and uninterrupted service to customers.
The baselining of cyber assets for the Bulk Electric System (BES) in North America is governed by the NERC-CIP standards. These require Registered Entities to identify and document all cyber assets, establish and maintain baseline configurations and implement a formal change management process, so that any modification to a baseline configuration is reviewed, approved and documented; an unreviewed change is exactly how an unauthorized configuration, and with it a new vulnerability, creeps into a system. Regular vulnerability assessments are also mandated to identify and address security weaknesses, along with strict access controls ensuring that only authorized personnel can make changes.
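The check that paragraph describes, a current snapshot of an asset compared against its approved baseline with every difference tied back to an approved change request, is straightforward to automate. The following is an added example written for this article, not code from the page, from SigmaFlow, ENEL or any vendor named here. It models the baseline elements on the CIP-010 list (OS, installed software, logical network-accessible ports, applied patches); the asset name, versions, port numbers, patch identifiers and change-request tickets are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """Baseline elements for one cyber asset, modelled on the CIP-010 list:
    OS/firmware, installed software, logical network-accessible ports and
    applied security patches."""
    asset: str
    os_version: str
    software: FrozenSet[Tuple[str, str]]   # (name, version)
    ports: FrozenSet[Tuple[str, int]]      # (protocol, port)
    patches: FrozenSet[str]                # patch identifiers


@dataclass(frozen=True)
class Deviation:
    asset: str
    element: str            # baseline element that drifted
    change: str             # e.g. "added tcp/20000"
    ticket: Optional[str]   # approved change request, or None if unauthorized

    @property
    def authorized(self) -> bool:
        return self.ticket is not None


def _fmt(item) -> str:
    return item if isinstance(item, str) else "/".join(str(x) for x in item)


def diff_snapshots(baseline: Snapshot, current: Snapshot,
                   approved_changes: Dict[str, str]) -> List[Deviation]:
    """Compare the current state of an asset against its approved baseline.

    approved_changes maps a change description (in the exact form produced
    here) to the change-request ticket that authorized it. Deviations with
    no ticket are unauthorized and need investigation or rollback."""
    if baseline.asset != current.asset:
        raise ValueError("snapshots are for different assets")
    found: List[Tuple[str, str]] = []
    if baseline.os_version != current.os_version:
        found.append(("os", f"os {baseline.os_version} -> {current.os_version}"))
    for element in ("software", "ports", "patches"):
        before, after = getattr(baseline, element), getattr(current, element)
        found += [(element, f"added {_fmt(i)}") for i in sorted(after - before)]
        found += [(element, f"removed {_fmt(i)}") for i in sorted(before - after)]
    return [Deviation(current.asset, el, desc, approved_changes.get(desc))
            for el, desc in found]


def unauthorized(deviations: List[Deviation]) -> List[Deviation]:
    return [d for d in deviations if not d.authorized]


# Constructed sample data: not real assets, versions, tickets or patch IDs.
BASELINE = Snapshot(
    asset="rtu-gw-07",
    os_version="Windows Server 2019 build 17763.5696",
    software=frozenset({("OpenSSL", "3.0.13"), ("HMI Runtime", "4.2.1")}),
    ports=frozenset({("tcp", 502), ("tcp", 3389)}),
    patches=frozenset({"KB5036896"}),
)
OBSERVED = Snapshot(
    asset="rtu-gw-07",
    os_version="Windows Server 2019 build 17763.5696",
    software=frozenset({("OpenSSL", "3.0.14"), ("HMI Runtime", "4.2.1")}),
    ports=frozenset({("tcp", 502), ("tcp", 3389), ("tcp", 20000)}),
    patches=frozenset({"KB5036896", "KB5037765"}),
)
APPROVED = {  # change descriptions covered by reviewed and approved change requests
    "added OpenSSL/3.0.14": "CR-2410",
    "removed OpenSSL/3.0.13": "CR-2410",
    "added KB5037765": "CR-2418",
}

if __name__ == "__main__":
    for d in diff_snapshots(BASELINE, OBSERVED, APPROVED):
        status = d.ticket if d.authorized else "UNAUTHORIZED"
        print(f"{d.asset} {d.element:9} {d.change:28} {status}")
```

Run against the sample data, the OpenSSL upgrade and the new patch are each matched to their tickets, while the newly listening tcp/20000 has no approved change behind it and is reported as unauthorized. In practice the snapshots come from the asset itself (package inventory, listening sockets, patch history) and the approved-changes map from the change-request system, and the comparison runs on the schedule the entity's change management procedure sets.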
Additionally, continuous monitoring and logging of activity on cyber assets are essential to detect and respond to unauthorized or suspicious behavior. Registered Entities must retain audit trails, conduct regular log reviews and have an incident response plan in place to address security incidents. Regular training and awareness programs for personnel are also crucial to ensure adherence to security practices. By following these mandatory requirements, Registered Entities protect their critical infrastructure from cyber threats, thereby ensuring the security and reliability of their operations within the BES.
What are the significant challenges Registered Entities face? The complexity and scope of the NERC-CIP standards present several. They require Registered Entities to ensure comprehensive compliance across every aspect of their operations, from physical security to information systems. This is resource-intensive: it demands substantial financial investment and specialized personnel. An additional challenge is retaining those specialized personnel after the company has invested so much in their training and hands-on experience.
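A log review of the kind that paragraph calls for is a concrete piece of detection logic, not just a policy statement. Below is an added example, written for this article rather than taken from the page or from any product it names, that reviews authentication events for one of the cases a SIEM rule typically covers: a burst of failed logins for one account, and a success that follows such a burst. The log line format, hostnames, account names and addresses are all constructed for the example; a real deployment would adapt the parser to its own log source and feed the alerts into the incident response process.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format for this example (not any vendor's format):
# "<UTC timestamp> <host> auth: FAIL|OK user=<account> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth: "
    r"(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review_auth_log(lines, threshold: int = 5,
                    window: timedelta = timedelta(minutes=15)):
    """Return (alerts, unparsed_count).

    An alert fires when one account on one host reaches `threshold` failed
    logins inside a sliding `window`, and again if a success follows such a
    burst (a likely guessed or brute-forced credential). A success with no
    preceding burst just resets that account's failure history."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1   # a log-source problem; worth its own alert in practice
            continue
        q = failures[(ev["host"], ev["user"])]
        while q and ev["ts"] - q[0] > window:
            q.popleft()     # drop failures that have aged out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == threshold:   # fire once per burst, not on every further failure
                alerts.append({"kind": "burst", "host": ev["host"], "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"], "failures": len(q)})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_burst", "host": ev["host"],
                               "user": ev["user"], "src": ev["src"], "at": ev["ts"],
                               "failures": len(q)})
            q.clear()
    return alerts, unparsed


# Constructed sample log: one stale failure, a burst of six, then a success.
SAMPLE_LOG = """\
2025-03-04T01:00:00Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T01:55:00Z ems-app01 auth: OK user=dispatcher src=10.20.30.12
2025-03-04T02:00:00Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:01:30Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:03:00Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:04:30Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:06:00Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:06:10Z ems-app01 auth: FAIL user=operator src=10.20.30.40
2025-03-04T02:08:00Z ems-app01 auth: OK user=operator src=10.20.30.40
2025-03-04T02:09:00Z ems-app01 auth: FAIL user=admin src=10.20.30.50
garbage line from a misconfigured forwarder
"""

if __name__ == "__main__":
    found, bad_lines = review_auth_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['at']:%H:%M:%S} {a['kind']:20} {a['host']} {a['user']} "
              f"from {a['src']} ({a['failures']} failures)")
    print(f"{bad_lines} unparseable line(s)")
```

On the sample log the 01:00 failure is outside the 15-minute window and is discarded, the fifth failure in the 02:00 cluster raises the burst alert, and the success at 02:08 raises a second alert because six failures preceded it. The unparseable line is counted rather than silently dropped: a log source that stops producing readable events is itself something a review should surface.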
As one might expect, Registered Entities have a variety of ways to build robust programs to protect the BES. NERC CEO Jim Robb has focused on cybersecurity compliance, evolving threats and risk-based approaches. During the 2025 “Reliability Leadership Summit” convened by NERC, Robb emphasized the importance of continuously improving defenses against sophisticated cyber threats. He noted that NERC’s Compliance Monitoring and Enforcement Program is designed to prioritize the most significant risks to reliability, ensuring efficiency and effectiveness in addressing security challenges.
In NERC’s 2024 Year-in-Review, Robb underscored the organization’s commitment to mitigating cyber and physical security risks through collaboration with over 1,800 member organizations. He highlighted that despite an unprecedented threat landscape, no security incidents impacted grid reliability in 2024.
Continuous monitoring, regular NERC audits and detailed periodic reporting are essential components of NERC CIP compliance. Registered Entities must establish processes and tools to track compliance, detect potential security incidents and report to regulatory bodies such as NERC and the Regional Entities. The evolving threat landscape further complicates this task, as Registered Entities must stay ahead of new vulnerabilities and attack vectors, requiring ongoing investment in cybersecurity measures and staying updated with the latest threat intelligence.
Recent changes to the NERC-CIP cyber standards focus on strengthening cybersecurity in several areas: more robust internal network security monitoring (INSM), stricter controls for assets previously classified as “low impact,” expanded supply chain risk management and a greater emphasis on reporting incidents that could affect grid reliability. The goal is to address evolving cyber threats and improve overall grid resilience. These updates are primarily driven by the Federal Energy Regulatory Commission (FERC), which directs NERC to develop new or revised standards to close identified gaps in cybersecurity practices across the BES.
Effective coordination and communication across various departmental and external partners are crucial for maintaining grid security and compliance. Registered Entities must also stay informed about regulatory changes and adapt accordingly. Developing and maintaining an effective incident response and recovery plan is essential to minimize the impact of cybersecurity incidents and ensure prompt recovery. Addressing these challenges requires a strategic approach, strong leadership, trusted partnerships and commitment to ongoing improvement in cybersecurity.
A strategic approach and trusted partnerships are things Registered Entities have been working on since the NERC standards became mandatory in 2007. To learn more, we checked in with one of the executives who has been leading efforts to protect the BES: Trey Kirkpatrick, VP of NERC Implementations with SigmaFlow at Parsons Corp.
Kirkpatrick has worked for utilities, served as a program manager at one of the Regional Entities and consulted for numerous Registered Entities. We asked him about his views on the challenges facing Registered Entities:
“Over the years, I’ve seen some of the most dedicated teams working to protect the important aspects of our Bulk Electric System throughout North America,” said Kirkpatrick. “It requires leadership with a strong vision to ensure their teams are getting the right personnel and tools in place. Protecting the IT/OT cyber assets is one of those areas that is most vulnerable to cyber threats.”
When asked about the key elements necessary for maintaining NERC CIP compliance, Kirkpatrick’s response was quick and focused:
“Having the systems and expertise in place to monitor, detect and mitigate these threats,” he said. “That includes a centralized compliance solution that can show an auditor that a Registered Entity has implemented all the mandatory standards, show management that the risks and controls are in place and that the public has confidence that they are protected.”
Our mission-critical electric grid in North America faces constant threats from a variety of cyber and physical sources. Thousands of dedicated individuals across utilities, IPPs, government agencies and the public are working tirelessly to safeguard this critical infrastructure. Their collective efforts are essential to protect our energy systems, ensure compliance with stringent NERC CIP standards and maintain the reliability and security of the Bulk Electric System. Through strong leadership, continuous investment in advanced cybersecurity measures and effective collaboration, these stakeholders are committed to defending against evolving threats and ensuring the resilience of our electric grid for the benefit of all.
The Utilities Perspective
To better understand how utilities think about NERC-CIP compliance challenges, we asked one major company that has been operating for decades: ENEL. ENEL’s executive team was asked five key questions. Here’s what we learned from them:
Which high-impact NERC-CIP standards are you heavily focused on at your organization?
“The following NERC CIP Standards aim to minimize the risk of security exploits and vulnerabilities in BES Cyber Systems. They have a high level of complexity, especially in terms of traceability, monitoring, interpretation and implementation. This complexity can pose a challenge for some organizations, making advanced strategies necessary to ensure compliance:
CIP-007 R1 — Ports and Services — Authorization, justification and associated System Configuration Changes.
CIP-007 R2 — Security Patch Management (Installation).
CIP-010 R1 — Configuration Change Control (Baseline and Monitoring).”
How are your teams continuously monitoring the IT/OT devices to ensure compliance with NERC-CIP standards?
“The NERC CIP baseline of requirements surrounding system monitoring offers a solid foundation. By establishing effective cyber monitoring platforms for system monitoring requirements, a framework of consistent monitoring and verified reporting is established:
CIP-007 R1 — Ports and Services — A Configuration Management Database (CMDB) enables asset/system owners to track port changes, justification and approvals through a shared approach with cross-functional asset/system owners (e.g., firewalls, switches, Domain Controllers, servers, cyber tools, etc.).
CIP-007 R2 — Security Patch Management — Services such as Ivanti offer consistent tracking of applicable OS evaluations and records of deployment.
CIP-007 R3 — Malicious Code Prevention — Monitoring, Prevention and Detection platforms such as Trellix provide endpoint security for analysis of suspicious traffic/system activity.
CIP-007 R4 — System Event and Incident Monitoring (SIEM) — RSA NetWitness is a platform that accelerates threat detection and response through real-time monitoring system agents configured to monitor successful/unsuccessful login attempts and malicious activity.
CIP-010 R1 — Configuration Change Control — Windows Industrial Defender allows central monitoring and tracking of baseline configuration changes when integrated into Change Request ticketing systems.”
How are your cyber security and compliance teams planning to address the network security monitoring related to new NERC-CIP requirements?
“The CIP-015 standard will present a challenge for some organizations that are not well-established with baseline cybersecurity monitoring.
Because we have a solid foundation in security monitoring (as mentioned above in question two), we are well positioned to establish an effective method (e.g., span ports in a configuration management appliance/collector in order to monitor all routed traffic).”
How are your teams handling the constantly moving cyber vulnerabilities and threats landscape at your organization?
“Because of our size and breadth as an organization, we are well-positioned to analyze and respond to the ever-changing threat landscape via a layered ‘Glocal’ approach. Local CIP Compliance, Cyber & Data Protection, IT/OT Systems Management and ‘Glocal’ CERT teams are in continuous communication.”
Regarding software solutions for NERC-CIP compliance currently in use within your organization, do these tools incorporate the real-world complexities that your teams face, and do they position your organization for an improved audit experience? If so, how do they achieve this?
“The deployment and management of our highly regarded, industry-standard platforms and solutions do position us for a favorable audit experience. Improved audit experiences can be achieved through consistent training, awareness married with proper monitoring and course correction.
We have learned that not only is it necessary to deploy trusted solutions, but it is also absolutely paramount for proper management and monitoring of deployed solutions in order to achieve consistent improvements in audit results.”
About the Author
Gordon Feller
Gordon Feller advises government and industry leaders working to improve physical and digital infrastructure. His expertise is used by utilities, cyber-companies, Federal agencies, foundations, and universities. He brings 40+ years of experience helping large complex projects led by HP, IBM, Lockheed, Chevron, Cisco, World Bank, UN, S&P, World Economic Forum, The Smithsonian Institution and dozens more. For more information, email [email protected] and follow him on X @GordonFeller.