Time to Clamp Down on Cyber Security

Prepare for NERC Changes in New Vendor Electronic Remote Access Requirements Control

Electric utilities and power generation companies are facing a significant compliance change with the upcoming NERC CIP-003-9 standard focused on cybersecurity management controls. This new standard, effective April 1, 2026, introduces crucial requirements to address vendor electronic remote access to low impact Bulk Electric System (BES) Cyber Systems. All renewable organizations, including solar, need to begin preparation now to ensure they are ready when the standard becomes enforceable.

What’s changing in CIP-003-9: The essentials

The changes in CIP-003-9 target Responsible Entities with assets containing low impact BES Cyber Systems (such as SCADA and ICS) and are two-fold. First is the addition of Requirement Part 1.2.6, which requires that they modify their cyber security policy to also address vendor electronic remote access security controls. The second change is to Attachment 1 of the standard, with the addition of Section 6, "Vendor Electronic Remote Access Security Controls," which outlines three key processes that must be implemented:

  1. Methods to determine vendor electronic remote access.
  2. Methods to disable vendor electronic remote access.
  3. Methods to detect malicious communications related to vendor access.

For compliance purposes, "vendors" include system developers, integrators, contractors, manufacturers, asset managers, on-site O&M providers, managed service providers, and other third parties providing services or systems — but not other NERC registered entities providing reliability services.

"Vendor electronic remote access" encompasses both interactive user connections and system-to-system communications initiated by a vendor from outside the electronic access control boundary, whether through user or site-to-site remote access via VPNs, machine-to-machine connections allowed by authorized firewall access control rules, or other remote access communication pathways.


Beyond compliance: Securing the grid's digital backdoors

The addition of vendor access controls in CIP-003-9 represents more than just another compliance checkbox — it acknowledges a critical vulnerability in the power grid's cybersecurity armor. For too long, these digital backdoors have remained insufficiently protected, creating potential entry points for sophisticated threat actors.

Vendor risk reality

The energy sector's increasing reliance on third-party vendors for everything from turbine tuning to SCADA monitoring has created a complex web of access points that could be exploited. Consider some recent cyber attacks on US infrastructure: the Volt Typhoon campaign[1], in which attackers obtained access to an electric utility and remained undiscovered for months, and the Colonial Pipeline attack[2], which shut down the pipeline for several days and caused fuel shortages. Both of these began with compromised vendor credentials or connections.

When a solar manufacturer can remotely access generation controls or a contracted asset manager has system-to-system connections to operational technology, these pathways demand robust security controls. Without them, we're essentially leaving doors open for potential adversaries to enter.

From technical requirements to security culture

While CIP-003-9 outlines the technical foundations for securing vendor remote access, utilities should embrace this as an opportunity to fundamentally transform their approach to third-party access management.

For many utilities, partnering with a Managed Security Services Provider (MSSP) offers a scalable and cost-effective way to enforce access controls, enable just-in-time provisioning, and maintain compliance through centralized logging, 24/7 monitoring, and real-time alerting.

Multi-factor authentication, though not explicitly required by the standard, is a good baseline for all remote access. Single-factor passwords have repeatedly proven inadequate against today's sophisticated threat actors.

Security is often complicated and time-consuming. Partnering with a security and compliance firm can ease this burden and bring specialized expertise to secure internal systems and prevent unauthorized access. These partnerships provide scalable solutions, actionable threat intelligence, and continuous monitoring to address evolving threats while enabling utilities to focus on core operations. Having a dedicated team makes the advent of new regulations like NERC CIP a manageable improvement to security and compliance, thereby reducing the risk of regulatory penalties.

As for the detection of malicious communications, while the new requirements are focused on those that may come from a vendor to the Responsible Entity’s BES Cyber System, a best practice is to apply anti-virus/malware and intrusion detection controls to all external communications. This helps reduce the risk of threat actors compromising a BES Cyber System through adjacent systems like the IT/business network. This is where MSSPs can play a vital role, offering dedicated threat monitoring and response capabilities that many internal teams cannot sustain around the clock.


The path forward

As utilities prepare for 2026, the approach should transcend mere minimal compliance. Renewable facilities should consider these 5 strategies:

  1. Inventory and evaluate all vendor remote access connections – Many utilities will be surprised by how many undocumented or inadequately secured vendor pathways exist in their environments.
  2. Establish governance frameworks for all remote access – Create clear policies around who can access what systems, when, and how, with particular attention to emergency access and vendor connection termination protocols. An MSSP can also assist with policy enforcement through centralized identity management, access control automation, and detailed audit trails for all remote vendor sessions.
  3. Implement dynamic risk assessment – Not all vendor connections pose equal risk. Develop a tiered security controls approach based on the criticality of accessed systems and the vendor's security controls and practices.
  4. Build security into vendor relationships – Establish security expectations, update contracts to memorialize these expectations, and implement verification procedures to confirm that the vendors are following secure practices.
  5. Create a detection-focused security culture – Train operators to recognize abnormal vendor access patterns and empower them to question unusual activity. An MSSP’s real-time behavioral analytics and alerting capabilities can further enhance visibility into vendor activity and supplement internal awareness training.
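The first and fifth strategies above, together with processes 1 and 2 of Attachment 1 Section 6 (determining and disabling vendor electronic remote access), come down to one routine question: which sessions originate outside the electronic access control boundary, do they match a registered vendor, an approved target system and an approved access window, and which accounts should be cut off pending review? The script below is an added example, not code from the article or from PCS / Radian Generation. It assumes a constructed syslog-style VPN session log format, a hypothetical internal address range standing in for the access control boundary, and a hypothetical vendor registry (`VENDOR_REGISTRY`) maintained by the Responsible Entity; account names, hostnames and addresses are all constructed.

```python
"""Inventory vendor remote access sessions and flag those outside policy.

Added example (not from the article or from PCS / Radian Generation).
Log format, vendor registry and boundary networks are all constructed
stand-ins for what a Responsible Entity would maintain itself.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical electronic access control boundary: any source address
# outside these networks counts as "remote" for Section 6 purposes.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]

# Hypothetical vendor registry (constructed): per vendor account, the BES
# Cyber Systems it may reach and the daily window in which access is approved.
VENDOR_REGISTRY = {
    "acme_inverter_svc": {"systems": {"inv-ctrl-01", "inv-ctrl-02"},
                          "window": (time(8, 0), time(18, 0))},
    "gridops_asset_mgr": {"systems": {"scada-hist-01"},
                          "window": (time(0, 0), time(23, 59))},
}


@dataclass
class Session:
    when: datetime
    account: str
    source: str
    target: str
    kind: str  # "user" (interactive) or "m2m" (system-to-system)


def parse_session(line: str) -> Session:
    # Constructed format:
    # "<ISO timestamp> vpn session account=<a> src=<ip> dst=<host> type=<user|m2m>"
    ts, _, _, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Session(datetime.fromisoformat(ts), fields["account"],
                   fields["src"], fields["dst"], fields["type"])


def is_remote(source: str) -> bool:
    """True when the source address lies outside the access control boundary."""
    addr = ip_address(source)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def inventory(lines):
    """Section 6 process 1: determine which sessions are vendor electronic remote access."""
    return [s for s in map(parse_session, lines) if is_remote(s.source)]


def review(sessions):
    """Compare each remote session with the registry; return (finding, session) pairs."""
    findings = []
    for s in sessions:
        entry = VENDOR_REGISTRY.get(s.account)
        if entry is None:
            findings.append(("unregistered-vendor-account", s))
            continue
        if s.target not in entry["systems"]:
            findings.append(("unapproved-target", s))
        start, end = entry["window"]
        if not (start <= s.when.time() <= end):
            findings.append(("outside-approved-window", s))
    return findings


def disable_list(findings):
    """Section 6 process 2: accounts whose remote access should be disabled pending review."""
    return sorted({s.account for _, s in findings})


# Constructed sample log: one approved session, one after hours, one to an
# unapproved system, one internal (not remote), one from an unknown account.
SAMPLE_LOG = [
    "2025-09-14T09:15:00 vpn session account=acme_inverter_svc src=203.0.113.7 dst=inv-ctrl-01 type=user",
    "2025-09-14T02:40:00 vpn session account=acme_inverter_svc src=203.0.113.7 dst=inv-ctrl-02 type=user",
    "2025-09-14T11:05:00 vpn session account=gridops_asset_mgr src=198.51.100.22 dst=inv-ctrl-01 type=m2m",
    "2025-09-14T11:30:00 vpn session account=ops_engineer src=10.20.30.40 dst=scada-hist-01 type=user",
    "2025-09-14T13:00:00 vpn session account=unknown_contractor src=192.0.2.55 dst=scada-hist-01 type=user",
]

if __name__ == "__main__":
    remote = inventory(SAMPLE_LOG)
    for finding, s in review(remote):
        print(f"{finding}: {s.account} -> {s.target} at {s.when:%H:%M} from {s.source}")
    print("disable pending review:", disable_list(review(remote)))
```

The registry is the compliance artifact: each entry records which vendor may reach which low impact BES Cyber System and when, so the inventory output doubles as evidence for process 1, and the disable list is the input to whatever mechanism (VPN account lockout, firewall rule removal) the entity uses for process 2. The same review loop, fed continuously rather than from a file, is the "abnormal vendor access pattern" signal that operators or an MSSP would alert on.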

The larger security picture

CIP-003-9 arrives at a critical juncture for grid security. Nation-state actors have demonstrated both capability and intent to target energy infrastructure, and the expanding attack surface created by digitalization and remote access increases vulnerability.

Utilities that address these requirements strategically will find themselves better positioned not only for CIP-003-9 compliance but for the evolving threat landscape. Those that approach it as merely another regulatory hurdle will miss an opportunity to truly secure operations against an increasingly dangerous digital battleground. Strategic use of MSSPs allows utilities to operationalize these controls more efficiently, reducing internal workload while ensuring continuous compliance and threat defence.

The April 2026 deadline provides adequate time for thoughtful implementation, but the work should begin now, with security, not just compliance, as the primary objective.


Ryan Carlson is Vice President, CIP Advisory Services for PCS, a Radian Generation brand. PCS offers an extensive range of consulting services to help clients comply with the North American Electric Reliability Corporation (NERC) Reliability Standards requirements.

Radian Generation | radiangen.com


Author: Ryan Carlson
Volume: 2025 September/October