Background

The North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards are the mandatory cybersecurity framework for operators of the North American bulk electric system. Covering generation, transmission, and control facilities above defined voltage thresholds, NERC CIP requires asset identification, electronic security perimeters, access controls, incident response, configuration management, and supply chain risk management across a hierarchy of high-, medium-, and low-impact assets.

Compliance is enforced through regional entities under FERC oversight, with fines that have reached hundreds of millions of dollars for significant violations. The compliance regime is real and consequential.

What NERC CIP is not is a complete OT security program. The gap between NERC CIP compliance and genuine defensible security posture is wide — and that gap is where adversaries operate. Volt Typhoon’s successful pre-positioning in multiple US electric utility OT networks, documented in joint CISA/FBI/NSA advisories, occurred at utilities that were NERC CIP compliant. Compliance and security are related but not equivalent.

Where NERC CIP Leaves Gaps

Low-Impact Asset Exclusions

The most significant structural gap in NERC CIP is the low-impact asset category. Low-impact bulk electric system cyber systems (BES Cyber Systems) are subject to a much lighter compliance burden than medium- and high-impact systems. The required controls for low-impact assets are:

  • Cybersecurity policy
  • Physical security controls
  • Electronic access controls at an electronic access point
  • Incident response
  • Transient cyber assets (basic protections)

Notably absent from low-impact requirements: asset inventory specifics, configuration management, patch management timelines, malware prevention requirements, and the monitoring and logging requirements that apply to higher-impact systems.

Low-impact assets are numerous. Distribution substations, smaller generation facilities, and remote telemetry points often fall below the high- and medium-impact thresholds. An adversary who can reach these less-monitored systems has a lateral movement path into the broader OT environment. Volt Typhoon’s documented activity shows exactly this approach — entering through lower-security network segments and moving toward higher-value targets.

Supply Chain Requirements vs. Supply Chain Reality

NERC CIP-013 established supply chain risk management requirements in 2020, requiring utilities to develop and implement supply chain risk management plans. The requirements cover vendor risk assessment, notification of software update integrity, and verification of software authenticity.

CIP-013 compliance, however, is largely plan-based. Utilities must have a supply chain risk management plan and implement it — the standard does not prescribe specific technical controls or mandate software bill of materials (SBOM) requirements. Enforcement reviews focus on whether the plan exists and is followed, not on whether specific technical controls have been implemented.

In practice, the supply chain threat to electric utility OT is significant. ICS/SCADA components are sourced from a global supply chain with limited transparency into software origin and component provenance. The SolarWinds intrusion demonstrated that trusted vendor software can be a vehicle for adversary access; the same vector applies to industrial control system software. NERC CIP-013 provides a compliance framework for thinking about this risk — it does not provide the technical assurance that would genuinely mitigate it.

CISA’s advisories on software supply chain integrity and the mandatory SBOM requirements emerging from the 2021 Executive Order on Cybersecurity apply to federal government software procurement and have not yet been incorporated into NERC CIP. The gap is known and discussed in standards development bodies, but implementation timelines are long.

Monitoring and Detection at OT Level

NERC CIP-007 requires security event monitoring and log retention, but the standards are calibrated to enterprise IT monitoring concepts that don’t translate cleanly to OT environments. The specific OT protocols that operational technology uses — DNP3, Modbus, IEC 61850, GOOSE — are not addressed in CIP monitoring requirements. A utility can be CIP-007 compliant with syslog collection from IT-facing systems while having no visibility into traffic on the OT network itself.

OT-specific monitoring — understanding what normal DNP3 poll/response traffic looks like between a substation RTU and its SCADA master, and detecting anomalies in that baseline — requires OT-aware monitoring tools (Dragos, Claroty, Nozomi, Microsoft Defender for IoT) that most compliance-focused programs have not deployed.

Dragos’s 2026 OT Cybersecurity report notes that the majority of utility OT environments it assessed had limited or no monitoring visibility inside the OT network perimeter. The Electronic Security Perimeter (ESP) concept in NERC CIP protects the boundary — it does not detect activity within the protected space.

Patch Management Timelines vs. OT Reality

NERC CIP-007 R2 establishes patch management requirements: utilities must evaluate security patches within 35 calendar days of availability and apply applicable patches within 35 days. High-impact and medium-impact systems have defined patch windows.

In OT environments, this is routinely difficult to meet. OT software vendors often do not patch their industrial control system software at the same cadence as enterprise software vendors. Patches require operational testing before deployment — applying an untested patch to a SCADA system or protective relay could have operational consequences. Some OT components cannot be patched without vendor-provided update mechanisms that may not be available on a 35-day cycle.

The practical result is that CIP-007 patch management compliance often involves extensive use of the “mitigating measures” provision — documenting alternative controls that compensate for an unpatched vulnerability rather than actually patching it. This is compliant. It is not the same as a patched system.

Known vulnerabilities in unpatched OT components are a significant part of CISA’s ICS advisory catalog. Advisories for Siemens SIMATIC, Rockwell Automation ControlLogix, Schneider Electric Modicon, and similar systems routinely cite CVSS scores in the 8-9 range. A mitigating-measures approach to managing these vulnerabilities depends entirely on the quality of the compensating controls implemented.

The ESP Perimeter Model vs. Modern Attack Surfaces

NERC CIP’s Electronic Security Perimeter (ESP) model was designed around an assumption of air-gapped or well-segmented OT networks. The ESP defines the logical boundary of the OT network and requires access controls at Electronic Access Points (EAPs) that cross this boundary.

The ESP model is sound in principle. In practice, the perimeter has eroded significantly:

Remote access proliferation. COVID-19 dramatically accelerated the deployment of remote access capabilities for OT systems — vendor remote maintenance, remote SCADA access for operators working from home, remote support for ICS components. Many of these capabilities were deployed rapidly and some without the same rigor applied to permanent infrastructure. Remote access paths that cross the ESP are EAPs and must be secured accordingly, but detection of unauthorised remote access channels is difficult without active monitoring.

IT/OT convergence. Operational technology environments are increasingly connected to enterprise IT networks for operational reasons — historian servers that aggregate plant data to business intelligence systems, predictive maintenance platforms, energy management systems. Each connection requires an EAP and accompanying controls, but the number of connections has grown faster than many security programs can track.

Engineering workstations and laptops. Transient cyber assets (CIP-010 R4) that connect to OT networks are a known risk. Engineering workstations that move between corporate networks and OT environments are a documented lateral movement vector — if malware reaches a Windows engineering workstation on the IT network, it moves to the OT network when that workstation connects. CIP transient asset requirements address some of this risk, but not all utility programs apply them rigorously to every asset that touches the OT environment.

Volt Typhoon’s documented persistence in US electric utility networks exploited several of these patterns — remote access infrastructure, living-off-the-land through legitimate administrative tools, and extended dwell time that CIP monitoring requirements did not detect.

What Genuine OT Security Requires Beyond CIP

OT Asset Visibility

NERC CIP requires asset inventories for high- and medium-impact systems. What it doesn’t require is the passive network monitoring necessary to discover assets that weren’t captured in the initial inventory — the legacy RTU that engineering knows about but isn’t in the documented asset list, the engineering laptop that someone connects periodically, the vendor remote access jump server that was set up three years ago.

Passive OT network monitoring (Dragos Platform, Claroty, Nozomi Networks) provides asset discovery through packet analysis of OT network traffic. This approach doesn’t require agents on OT endpoints (which may not be possible) and provides continuous visibility into what’s actually on the network, not just what’s documented.

Protocol-Aware Monitoring

Detecting threats in OT environments requires understanding OT protocols at the packet level. A SIEM that ingests syslog from enterprise systems doesn’t see DNP3 function code anomalies or GOOSE spoofing attempts. OT-specific monitoring tools build behavioral baselines for OT protocol traffic and alert on deviations — an RTU that starts sending unsolicited data it didn’t historically send, a command that would open a circuit breaker arriving from an unexpected source, a Modbus write to a register that hasn’t been written in years.

This level of detection is not in NERC CIP requirements. It is what Dragos and similar firms apply in post-breach OT assessments when they find adversary activity that compliance controls didn’t detect.

Tabletop and Red Team Exercises for OT-Specific Scenarios

NERC CIP-008 requires incident response plans and exercises. The exercises required are often paper-based or IT-focused. OT-specific tabletop exercises — what happens if the EMS loses connectivity to all RTUs, what’s the manual operation procedure for a substation that goes dark, how do field crews communicate if SCADA is unavailable — require OT-knowledgeable staff and scenarios that go beyond IT breach response playbooks.

CISA’s NERC CIP-focused exercises and the E-ISAC’s GridEx exercise program provide frameworks for OT-specific incident exercises. Utilities that have participated in GridEx consistently report that it surfaces gaps in their manual operating procedures and inter-utility communication processes that compliance-focused exercises don’t reach.

Supply Chain Technical Controls

Beyond CIP-013 plan requirements, utilities operating at a mature security posture are implementing:

  • SBOM requirements in ICS procurement contracts — vendors must provide a software bill of materials for new ICS software
  • Integrity verification of firmware and software before installation (hash verification against vendor-provided values)
  • Vendor remote access monitoring — every vendor remote session is logged, supervised, and limited in duration
  • Evaluation of component origin and manufacturing provenance for hardware in high-impact positions

These controls are not CIP requirements. They’re what the gap between CIP compliance and genuine supply chain assurance looks like when closed.

FERC’s Direction of Travel

FERC has been pushing NERC toward strengthened standards, particularly for supply chain risk management and internal network security monitoring. FERC Order 887 (2022) directed NERC to develop internal network security monitoring (INSM) standards for high-impact BES Cyber Systems — monitoring inside the Electronic Security Perimeter, not just at its boundary. NERC CIP-015 (INSM), currently in the development pipeline, would require OT network monitoring that CIP has historically not mandated.

The direction is clear: the baseline is moving toward visibility inside the OT network, not just at its perimeter. Utilities investing in OT monitoring capabilities now are ahead of the coming compliance requirements, not just ahead of threat actors.

Summary

NERC CIP compliance is a legal obligation and a reasonable baseline for bulk electric system cybersecurity. It is not sufficient to defend against the threat actors targeting US electric grid infrastructure in 2026. The gaps — low-impact asset exclusions, plan-based supply chain requirements, limited OT-specific monitoring, and the eroded perimeter model — are where sophisticated actors, including state-sponsored groups, operate. Closing these gaps requires investment in OT visibility tooling, protocol-aware monitoring, OT-specific incident response capability, and supply chain technical controls that go beyond what CIP currently mandates. Utilities that treat CIP as a ceiling rather than a floor are accepting risk that the compliance framework itself acknowledges is unaddressed.

Tags
NERC-CIPelectric-gridbulk-electric-systemOT-securityICSCISAFERCcompliancecritical-infrastructureenergy