The number of Inverter-Based Resources (IBRs) attached to the Bulk Electric System (BES) has increased. Some IBRs previously below the threshold for NERC registration were found to be improperly configured in how they react to voltage or frequency disturbances on the grid: they may reduce power output, exhibit momentary cessation, or trip offline.

As NERC works to transition entities with IBRs that were not previously required to register, many of these entities will need to start building out Critical Infrastructure Protection (CIP) low impact programs to remain compliant. Building out a CIP low impact program requires an entity to adhere to the CIP-002 and CIP-003 Standards.

CIP-002 requires an entity to assess existing BES Cyber Systems to determine their impact on the BES. The CIP-002 assessment entails reviewing existing cyber systems at a site against the CIP-002 Attachment 1 – Impact Rating Criteria.

CIP-003 requires an entity to designate a CIP Senior Manager, who is responsible for the overarching CIP Program and for developing cyber security policies covering cyber security awareness, physical security controls, electronic access controls, cyber security incident response, transient cyber asset and removable media malicious code prevention, and declaring and responding to CIP exceptional circumstances.

  • Transient cyber assets are defined as cyber assets that are capable of transmitting or transferring executable code, are not included in a BES cyber system, are not a protected cyber asset (PCA) associated with high or medium impact, and are directly connected to a BES cyber asset, electronic security perimeter, or PCA for 30 consecutive calendar days or less. Examples include laptops and diagnostic and testing equipment.
  • Removable media are defined as storage media that are not cyber assets, are capable of transferring executable code, can be used to store, copy, move, or access data, and are directly connected to a BES cyber asset, electronic security perimeter, or PCA for 30 consecutive calendar days or less. Examples include floppy disks, compact disks, USB flash drives, and external hard drives.

Changes to the CIP-003 Standard have been approved and go into effect April 2026. The changes focus on how an entity addresses vendor electronic remote access. They require the entity to have methods in place to determine whether a vendor is currently accessing its BES cyber systems, and mandate a method capable of removing the vendor's current access and preventing future access when deemed necessary.

Finally, the update requires the entity to have a method to detect known or suspicious inbound and outbound malicious communications over vendor electronic remote access. These changes may require entities to employ new methods to allow, inspect, and remove vendor electronic remote access; this may include, but is not limited to, a VPN solution, an intermediate remote access system, and/or additional firewall monitoring. Entities may also choose not to allow vendor electronic remote access at all.
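As an added illustration of the three vendor remote access methods described above (this is not code from the original article or from NERC), the following Python audits a constructed session log from a hypothetical intermediate remote access system: it lists which vendor accounts are connected right now, flags session records whose destination is on a known-bad indicator list, and produces the accounts whose access should be revoked. The log format, account names, addresses and indicator set are all assumptions made for the example.

```python
from datetime import datetime

# Constructed log lines from a hypothetical intermediate remote access system
# (not a real product format). Fields: timestamp|event|account|source_ip|destination
SAMPLE_LOG = """\
2025-03-01T08:00:00|connect|vendor-acme|203.0.113.10|relay-01
2025-03-01T08:05:12|session|vendor-acme|203.0.113.10|10.1.20.5
2025-03-01T08:30:00|connect|vendor-bolt|198.51.100.7|relay-01
2025-03-01T09:00:00|session|vendor-bolt|198.51.100.7|10.1.20.9
2025-03-01T09:10:00|disconnect|vendor-acme|203.0.113.10|relay-01
2025-03-01T09:15:00|session|vendor-bolt|198.51.100.7|192.0.2.200
"""

# Constructed indicator set standing in for the entity's threat-intelligence feed.
KNOWN_BAD = {"192.0.2.200"}

def parse_log(text):
    """Split each line into a dict of fields; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, event, account, src, dst = parts
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src": src, "dst": dst})
    return events

def active_sessions(events):
    """Accounts with a connect not yet followed by a disconnect: who is in right now."""
    active = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "connect":
            active[e["account"]] = e["src"]
        elif e["event"] == "disconnect":
            active.pop(e["account"], None)
    return active

def suspicious_communications(events, indicators):
    """Session records whose destination matches a known-bad indicator."""
    return [(e["ts"].isoformat(), e["account"], e["dst"])
            for e in events if e["event"] == "session" and e["dst"] in indicators]

def revocation_plan(events, indicators):
    """Accounts that are both active and tied to a flagged destination: disable now."""
    active = active_sessions(events)
    flagged = {account for _, account, _ in suspicious_communications(events, indicators)}
    return sorted(account for account in active if account in flagged)
```

Run periodically against the real system's export, the three functions give the evidence an auditor asks for: who is connected, what was flagged, and which access was removed.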

Regardless of the method an entity chooses, it will still be required to update its existing policies to acknowledge the changes to the CIP-003 Standard and to state what actions are being taken to address them. Failure to adhere to the applicable CIP Standards subjects an entity to fines of up to $1 million per violation per day.