New cybersecurity rules for electric utilities. Enforcement starts April 1.
If your utility has vendor remote access to substations, SCADA, or any OT, you're now in scope. Here's what changed, what's required, and how to get compliant in 3 weeks.
NERC CIP has governed the grid since 2008, but enforcement scope just expanded. CIP-003-9 pulls low-impact utilities into the compliance funnel. Vendor remote access controls are now mandatory for every registered BES entity. CIP-015 requires internal network monitoring inside the perimeter, the direct response to Volt Typhoon. And CIP-002-8 reclassification may move entities from Low to Medium Impact, which triggers MFA, logging, and evidence retention requirements.
Per day, per violation
NERC's maximum fine authority. Self-reports get lighter treatment. Audit findings escalate.
CIP-003-9 enforcement date
Low-impact vendor remote access controls become mandatory. The first audit cycle will catch the unprepared.
Registered BES entities
In North America, now subject to CIP. Munis, co-ops, and IPPs are in scope for the first time.
No firmware changes. No downtime. No change management.
Sits adjacent to the network. Legacy PLCs, HMIs, and RTUs get MFA and monitoring without any device modification. This is how you solve CIP-007 for equipment that can't run agents.
Your Electronic Security Perimeter, defined by overlay. Not VLANs.
Access Gate creates the ESP for CIP-005 without touching your network topology. No VLAN reconfiguration, no firewall rule sprawl, no maintenance windows.
East-west visibility inside the perimeter. CIP-015 out of the box.
Monitors traffic inside the ESP continuously. Exactly what CIP-015 requires. No separate monitoring platform needed.
Identify and classify all BES Cyber Systems and Cyber Assets
Agent-free asset discovery across IT, OT, and ICS. Finds every device on the network, including legacy PLCs and HMIs that can't run agents.
Vendor remote access controls; security policies; low-impact governance (CIP-003-9)
Proxy-based remote access with full session logging. Vendors connect through Access Gate, never directly to assets. Session kill-switch included.
Personnel risk assessment; security awareness; access management
Every session is tied to a named user. Role assignments, access history, and revocation are audit-ready out of the box.
Define and enforce ESPs; control interactive remote access; vendor session management
The overlay network defines your ESP without touching existing VLANs. Vendor sessions are proxied, monitored, and terminable.
Physical access controls for BES Cyber Systems
Outside scope for physical controls. Access Gate logs all logical access adjacent to physical access events.
Patch management; malware prevention; authentication enforcement; security event logging
MFA on all systems, including legacy OT that can't support it natively. Centralized event logging with tamper-evident audit trail.
Incident response processes; reporting timelines; plan testing
Real-time anomaly alerts with full event timeline. Does not replace the IR plan, but makes timeline reconstruction straightforward.
Baseline configurations; change detection; vulnerability assessments
Detects unauthorized configuration changes on network-visible assets. Baseline deltas are logged with timestamp and session attribution.
Vendor risk management; software integrity verification
Every vendor session is proxied, logged, time-limited, and revocable. Covers CIP-005 R2.4/R2.5 vendor session requirements.
Internal network security monitoring inside the ESP for high/medium impact systems
Continuous east-west traffic visibility inside the perimeter. This is exactly what CIP-015 requires.
Fully Covered
Partially Covered
Physical Only
CIP-007 is the most violated NERC standard. The main finding: no MFA on legacy OT and bad event logging. Access Gate fixes both without touching OT devices.
Your next move depends on what kind of utility you are.
Municipal utilities
City-owned electric departments with substations and SCADA. Newly caught by CIP-003-9. Usually no dedicated OT security staff.
Highest urgency. Suggested next step:
Start with the 3-week CIP pilot. Get audit-ready evidence for CIP-002 and CIP-003 before April 1.
Rural electric cooperatives
Member-owned co-ops on aging distribution infrastructure. CIP-003-9 compliance is new territory. Tight budgets.
High urgency. Suggested next step:
Talk to NRECA about recommended vendor solutions. Request a pilot scoped to CIP-003 vendor access controls.
IPPs & generation operators
Independent power producers with 20MW+ generation. Already in CIP scope, but CIP-015 INSM and CIP-005 vendor access revisions create new gaps.
High urgency. Suggested next step:
Map your existing controls against CIP-015 INSM. Access Gate fills the east-west monitoring gap.
Transmission owners & operators
Medium and high-impact BES. CIP-015 INSM is mandatory now. Complex multi-site environments where agent-based tools don't work.
Strategic. Suggested next step:
Evaluate the overlay architecture for multi-site ESP definition. No change management across substations.
Audit-ready evidence before April 1.
Week 1: full asset inventory (CIP-002). Week 2: ESP and vendor access controls (CIP-003, CIP-005). Week 3: MFA and INSM activation (CIP-007, CIP-015). Evidence packages delivered.
3 weeks to audit-ready
Agent-free. No firmware changes, no device modifications, no downtime. Works in CIP environments where change management approval takes six months.
Self-report beats audit discovery
Self-reported violations with a corrective action plan get lower penalties. Violations discovered in audit are aggravating factors. NERC fined Exelon $1.8M in one action.
NERC CIP & Access Gate FAQ
CIP-003-9 enforcement date
CIP-003-9 extends vendor remote access controls to low-impact BES Cyber Systems, effective April 1, 2026. Before this, low-impact sites had minimal oversight. Now every entity must document and control vendor electronic remote access. This catches hundreds of munis and co-ops that assumed "low-impact" meant "no action required."
CIP-015-1 requires Internal Network Security Monitoring inside the Electronic Security Perimeter for high- and medium-impact BES systems. FERC Order 907 approved it in June 2025 as a direct response to Volt Typhoon, where attackers lived inside the perimeter undetected for months. Access Gate's overlay network provides exactly this visibility.
CIP-007 requires authentication enforcement on all systems, but legacy PLCs and HMIs can't support MFA natively. Access Gate wraps these devices at the network layer, enforcing multi-factor authentication without modifying device firmware. The audit finding goes away without touching the OT equipment.
The 3-week CIP pilot delivers audit-ready evidence in three phases. Week 1: full BES Cyber Asset inventory (CIP-002). Week 2: ESP definition and vendor remote access controls (CIP-003, CIP-005). Week 3: MFA enforcement and INSM activation (CIP-007, CIP-015).
NERC can fine up to $1 million per day, per violation. Self-reported violations with a corrective action plan get significantly lower penalties than violations discovered in audit. NERC fined Exelon entities $1.8M in a single enforcement action.