NERC CIP Is the Starting Point
For bulk electric system operators in North America, NERC CIP (Critical Infrastructure Protection) standards are not optional. They are enforceable regulations with real penalties. And for substation security specifically, they define exactly what you must do — even if they do not tell you how to do it at 400 remote sites with no IT staff.
This post walks through the CIP standards that matter most for substations, maps each one to the real-world security challenge it creates, and shows how overlay networking solves the logistics problem that makes traditional compliance approaches fail.
CIP-002: Know What You Have
The requirement: Identify all BES (Bulk Electric System) Cyber Systems at every substation and categorize each one by impact rating (high, medium, or low), because the rating determines which of the other CIP standards apply to it.
The substation challenge: A typical regional utility operates hundreds of substations. Each one contains a mix of equipment spanning multiple decades: Remote Terminal Units (RTUs) running proprietary firmware with serial interfaces, protection relays from the 1970s-80s sitting alongside modern Intelligent Electronic Devices (IEDs) with Ethernet ports and IEC 61850 support, RTUs polled over DNP3 by the control-center SCADA master, and HMI workstations running Windows with long patch cycles.
Most substations are unmanned. Many are in remote locations accessible only by dirt road. The "IT team" for a substation is an engineer who drives out with a laptop when something breaks. Building and maintaining an accurate asset inventory across all of these sites is the first compliance hurdle — and most utilities struggle with it because they have no persistent network visibility at remote sites.
The zero-trust answer: A single appliance or VM at each substation connects to a centralized overlay network. Once connected, it provides continuous asset discovery and inventory across all sites, giving the CIP-002 identification process a live, evidence-backed inventory instead of manual site-by-site audits. Two caveats: discovery in a substation must be passive (observing traffic, not actively scanning, since probing a legacy relay or RTU can disrupt it), and the impact categorization itself is still an engineering decision the utility has to make and document for each system.
CIP-005: The Electronic Security Perimeter
The requirement: Establish and enforce an Electronic Security Perimeter (ESP) around every high- or medium-impact BES Cyber System that is connected to a network via a routable protocol. Control and monitor all access through the boundary, including interactive remote access.
The substation challenge: This is the standard that causes the most operational pain. CIP-005 requires a defined, monitored boundary at every site with routable-connected OT devices. For a utility with 300 such substations, that means 300 perimeters that must be individually deployed, configured, and maintained.
Traditional approach: install a firewall at each site. That requires a technician on-site for 4-8 hours per site — roughly 1,800 person-hours just for initial deployment, before ongoing rule management and maintenance. Many sites connect over low-bandwidth links (9.6 kbps serial connections still exist), so cloud-based security tools are not viable.
The zero-trust answer: Micro-segmentation via overlay networking creates per-site (and per-device) security perimeters from a central policy engine. A pre-configured appliance ships to each substation and installs in 15 minutes by field crews during routine maintenance — no security expertise needed on-site. The ESP is defined once at the control center and enforced everywhere simultaneously.
CIP-007: System Security Without Endpoints
The requirement: Manage ports and services, apply patches, prevent malware — at every BES Cyber System.
The substation challenge: RTUs and protection relays run proprietary firmware. There is no operating system to patch on a schedule. There is no endpoint to install an agent on — installing software on a certified relay voids its safety certification. Any modification to a protection relay requires engineering review, testing, and a maintenance window. You cannot push security patches weekly. And a misconfigured rule that blocks a trip signal can cause equipment damage or grid instability.
The zero-trust answer: Network-level enforcement handles what endpoint agents cannot. Block unauthorized ports and services at the network boundary. Restrict traffic to known-good protocols (DNP3, IEC 61850 MMS) between known-good devices, and deny everything else by default. The security control wraps around the device rather than running on it. Two points to keep straight in the audit file: this is a compensating control around the device, so the CIP-007 R1 documentation of which ports on the relay itself are needed still has to exist; and IEC 61850 GOOSE and Sampled Values are Layer 2 multicast on the station bus, not routed IP, so an IP allowlist at the site boundary neither protects nor endangers those trip signals. The allowlist governs what crosses the boundary and reaches a device's SCADA and management ports.
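The default-deny allowlist described above, as an added example (not code from the original post or from any vendor's product). The addresses, device names, and flow records are constructed for illustration; the ports are the registered ones for DNP3 over TCP (20000) and the ISO transport used by IEC 61850 MMS (102). The evaluator decides on the initiating direction of a connection, so return traffic belongs to the established session and is not re-evaluated.

```python
"""Default-deny allowlist for traffic crossing a substation boundary.

Added example, not vendor code. Hosts, subnets and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DNP3_TCP = 20000        # IEEE 1815 (DNP3) over TCP
IEC61850_MMS_TCP = 102  # ISO-TSAP, carries IEC 61850 MMS


@dataclass(frozen=True)
class Rule:
    src: str    # CIDR permitted to initiate
    dst: str    # CIDR permitted to receive
    proto: str  # "tcp" or "udp"
    dport: int
    note: str   # human-readable justification, kept for the audit trail


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed policy for a hypothetical "site 47":
# only the SCADA master polls RTUs over DNP3, only the engineering
# workstation reaches IEDs over MMS. Nothing else is allowed to initiate.
POLICY = [
    Rule("10.1.0.10/32", "10.47.1.0/24", "tcp", DNP3_TCP,
         "SCADA master -> site 47 RTUs, DNP3 polling"),
    Rule("10.1.0.20/32", "10.47.1.0/24", "tcp", IEC61850_MMS_TCP,
         "engineering workstation -> site 47 IEDs, MMS"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow's 5-tuple falls inside the rule's allowed ranges."""
    return (rule.proto == flow.proto
            and rule.dport == flow.dport
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def evaluate(flow: Flow, policy=POLICY):
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    for rule in policy:
        if matches(rule, flow):
            return "allow", rule.note
    return "deny", "no matching allow rule (default deny)"


def lint_policy(policy=POLICY):
    """Flag rules broad enough to defeat the point of micro-segmentation."""
    findings = []
    for rule in policy:
        if ip_network(rule.src).prefixlen == 0:
            findings.append(f"rule '{rule.note}' allows any source")
        if ip_network(rule.dst).prefixlen == 0:
            findings.append(f"rule '{rule.note}' allows any destination")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: two legitimate, three that should be denied.
    samples = [
        Flow("10.1.0.10", "10.47.1.5", "tcp", DNP3_TCP),          # SCADA poll
        Flow("10.1.0.20", "10.47.1.7", "tcp", IEC61850_MMS_TCP),  # engineer to IED
        Flow("10.1.0.10", "10.47.1.7", "tcp", IEC61850_MMS_TCP),  # master has no MMS need
        Flow("10.9.9.9", "10.47.1.5", "tcp", 23),                 # unknown host, telnet
        Flow("10.47.1.5", "10.1.0.10", "tcp", DNP3_TCP),          # RTU initiating outbound
    ]
    for f in samples:
        verdict, why = evaluate(f)
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {verdict} ({why})")
    print("lint:", lint_policy() or "clean")
```

The `note` field is deliberately mandatory: when an auditor asks why a given rule exists, the justification travels with the rule rather than living in someone's memory.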
CIP-010: Configuration Change Management
The requirement: Track all configuration changes to BES Cyber Systems. Conduct vulnerability assessments.
The substation challenge: Changes happen at remote sites, often by field engineers connecting directly to protection devices with a laptop. Tracking who changed what, when, and why across hundreds of dispersed sites is an audit nightmare when each site operates independently.
The zero-trust answer: Centralized policy management with a full audit trail. Security rules are defined once and pushed to all sites simultaneously. Every policy change is logged with timestamp, author, and affected systems, and every remote session that reaches a device through the overlay is attributed to a person. When an auditor asks "show me the change history for Site 347," the answer is a single dashboard query, not a phone call to a field engineer. Be precise about what that trail covers: it records network policy changes and sessions that traverse the overlay. A laptop plugged into a relay's front serial port bypasses the network entirely, so the CIP-010 baseline of the device's own settings still has to be captured from the device and reconciled against the session log.
CIP-011: Protecting BES Cyber System Information
The requirement: Prevent unauthorized access to information about BES Cyber Systems — network diagrams, relay settings, SCADA configurations.
The substation challenge: Engineering data travels between control centers and substations over wide-area networks. DNP3 traffic between an RTU and the SCADA master often traverses unencrypted links (fiber, microwave, cellular, or satellite). DNP3 Secure Authentication, where it is deployed at all, authenticates commands but does not encrypt the payload, so relay settings and measurements are still readable on the wire.
The zero-trust answer: Encrypted overlay tunnels for all inter-site communication. DNP3 traffic between an RTU and the SCADA master travels through an authenticated, encrypted tunnel, even over legacy microwave links. No one intercepting the WAN traffic can read the contents. The protection covers the segment between tunnel endpoints: traffic between the site appliance and the RTU on the station LAN is still cleartext, which is why physical access control at the substation remains part of the CIP-011 story.
CIP-013: Supply Chain Risk Management
The requirement: Manage cybersecurity risks from vendors and suppliers who have access to BES Cyber Systems.
The substation challenge: Relay manufacturers, SCADA vendors, and system integrators all need remote access for maintenance. The common pattern is persistent VPN credentials shared among vendor staff — the same access vector that threat groups like SYLVANITE target in other sectors.
The zero-trust answer: Time-limited, session-recorded vendor access through a central gateway. No persistent VPN tunnels. Each session is attributed to a specific individual, restricted to specific equipment, and logged for audit.
NIS2 for European Grid Operators
European energy operators face NIS2 obligations as "essential entities." The requirements overlap with NERC CIP but add:
- Incident reporting on a fixed clock: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month
- Business continuity planning that accounts for cyber incidents
- Management accountability — board-level responsibility for cybersecurity posture
- Risk-based security measures proportionate to the threat environment
For grid operators, NIS2 creates the same fundamental challenge as NERC CIP: you need to demonstrate security coverage across every substation, not just your control centers. An auditor will ask how you enforce access control at Site 347, the unmanned substation 80 miles from your nearest office.
The Logistics Math
The operational difference between traditional and overlay approaches is stark:
| | Traditional Approach | Overlay Network Approach |
|---|---|---|
| Deployment per site | Firewall installation, configuration, testing — 4-8 hours on-site | Pre-configured appliance, plug in and register — 15 minutes |
| Policy changes | Site-by-site firewall rule updates | Single policy push to all sites |
| Vendor access | VPN credentials per site, often shared | Time-limited, recorded sessions through central gateway |
| Compliance evidence | Collect logs from each site individually | Centralized audit dashboard |
| Staffing | Requires security-trained field personnel | Field crews handle physical install; security team manages remotely |
For a utility with 300 substations, the traditional approach requires roughly 1,800 person-hours just for initial deployment — before ongoing maintenance. The overlay approach reduces that to under 100 hours of field time, with the security configuration handled entirely from the control center.
Grid security is not a technology problem. It is a logistics problem. The utilities that solve the logistics pass the compliance audit and reduce their attack surface at the same time. For a broader look at how this centralized-management pattern works across any distributed infrastructure, see our guide to scaling zero trust across 50+ locations. Water utilities face a strikingly similar set of constraints — our analysis of water utility cybersecurity from treatment plant to tap covers that parallel.
For more Zero Trust OT resources, architecture guides, and comparisons, visit the Zero Trust for OT Networks hub.

