A Primer on NERC CIP-003-9: Supply Chain Security Risk for Low Impact BES Cyber Systems

FAQs for Low Impact NERC CIP-003-9 Standard Regulations

Ron Fabela has over 25 years of cybersecurity experience and a deep technical understanding of Industrial Control Systems (ICS) and Operational Technology (OT) security. His hands-on experience includes being onsite at power generation facilities, offshore oil rigs, refineries and other critical infrastructure sectors. He has successfully navigated the industry's unique cultural and technological challenges, honing his ability to communicate both technical and business concepts effectively to diverse audiences.

Ron Fabela
Technical Director, Cybersecurity


Cybersecurity Compliance for Low Impact Transmission Systems

Grid reliability is critical to every sector of modern society, from hospitals and water treatment plants to financial systems and national defense. When the grid experiences an unexpected outage, that costly disruption can quickly cascade into other infrastructure failures, including ones that compromise supply chain security. At the highest stakes, a coordinated cyberattack across multiple facilities or regions can also carry national security implications.

You Know the Basics

The North American Electric Reliability Corporation Critical Infrastructure Protection standards, or NERC CIP, are a mandatory set of cybersecurity standards designed to help protect the grid, and the bulk electric system (BES) behind it, from physical and cyber threats. NERC is the regulatory authority responsible for grid reliability, and its CIP standards specifically address the cyber security of the systems that operate and control the BES.

But as cyber risk and the attack surface evolve, new standards and requirements can reshape how the industry has always operated, forcing us to take a closer look at the gaps.

NERC CIP-003-9 for Low Impact BES Cyber Systems

Why low impact sites specifically? There are scores of them, they have no inventory requirements and, as a result, are often less defended. While it is true that a single low impact site might not matter to the outside world (hence "low impact"), disrupting many of them at once could put a major interconnection at risk or take down an entire region's power supply. What stood out to NERC a few years ago was just how exposed low impact sites really are through their remote access paths.

That’s why on April 1, 2026, the NERC CIP-003-9 requirements introduced in March 2023 will become enforceable, changing the playing field for low impact BES cyber systems.

Closing the Gap

For the first time, a Responsible Entity (RE) must document and implement controls that govern “vendor electronic remote access” to assets like Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) across generation, substations and control environments. NERC’s own data from evaluating 1,000+ entities showed how widespread and uncontrolled third-party remote access has become at low impact sites, which often allow equipment manufacturers, managed service providers and other non-registered parties to operate outside any enforceable security baseline. The NERC CIP-003-9 standard helps to close that gap.

What this means for BES asset owners and operators subject to NERC reliability standards:

If your entity owns, operates or controls low impact BES cyber systems with any form of vendor remote connectivity, you should have a process in place that allows you to:

1. Determine that vendor electronic remote access exists
2. Disable that access when necessary
3. Detect known or suspected malicious communications flowing through it

These are the three core requirements under the new Section 6 of Attachment 1 for NERC CIP-003-9.
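The three requirements above map naturally onto a firewall rule export and its connection logs. The following is an added illustration, not code from this article or from NERC: it inventories every enabled rule that lets a known vendor network reach the OT zone (the "determine" step), produces a rule set with one vendor's access disabled (the "disable" step), and flags vendor sessions that no enabled rule permits or that fall outside an approved maintenance window. The rule schema, vendor networks, OT zone, maintenance window and session records are all constructed assumptions; the session check is a baseline-deviation check that supports, but does not replace, the malicious-communications detection the standard asks for.

```python
"""Inventory, disable and baseline-check vendor electronic remote access paths.

Added illustration of the three CIP-003-9 Attachment 1 Section 6 controls.
Every rule, network, window and session below is constructed sample data;
the Rule schema is an assumption to be mapped onto your own firewall export.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed: address space each vendor connects from (e.g. its VPN egress).
VENDOR_NETWORKS = {
    "turbine-oem": [ip_network("203.0.113.0/28")],
    "scada-msp": [ip_network("198.51.100.32/27")],
}

# Constructed: the low impact site's OT zone.
OT_ZONE = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str      # "permit" or "deny"
    src: str         # CIDR
    dst: str         # CIDR
    dport: int
    enabled: bool = True


# Constructed sample rule set resembling a site perimeter firewall export.
FIREWALL_RULES = [
    Rule("fw-10", "permit", "203.0.113.0/28", "10.20.5.10/32", 3389),  # OEM RDP to jump host
    Rule("fw-11", "permit", "198.51.100.32/27", "10.20.0.0/16", 22),   # MSP SSH to whole zone
    Rule("fw-12", "permit", "10.20.0.0/16", "10.20.0.0/16", 502),      # intra-zone Modbus
    Rule("fw-13", "deny", "0.0.0.0/0", "10.20.0.0/16", 0),
]


def find_vendor_remote_access(rules, vendor_networks, ot_zone):
    """Section 6.1: every enabled permit rule whose source overlaps a vendor
    network and whose destination overlaps the OT zone.
    Returns (rule_id, vendor, dst, dport) tuples."""
    found = []
    for r in rules:
        if r.action != "permit" or not r.enabled:
            continue
        if not ip_network(r.dst).overlaps(ot_zone):
            continue
        src = ip_network(r.src)
        for vendor, nets in vendor_networks.items():
            if any(src.overlaps(n) for n in nets):
                found.append((r.rule_id, vendor, r.dst, r.dport))
    return found


def disable_vendor_access(rules, vendor, vendor_networks, ot_zone):
    """Section 6.2: return a rule set with every rule granting `vendor` access
    disabled (the change you would push to the firewall)."""
    targets = {rid for rid, v, _, _ in
               find_vendor_remote_access(rules, vendor_networks, ot_zone) if v == vendor}
    return [replace(r, enabled=False) if r.rule_id in targets else r for r in rules]


# Constructed: approved maintenance window for vendor sessions (local time).
WINDOW = (time(8, 0), time(17, 0))


def flag_vendor_sessions(sessions, rules, vendor_networks, ot_zone, window=WINDOW):
    """Baseline check in support of Section 6.3: flag vendor-sourced sessions
    that no enabled rule permits, or that fall outside the approved window.
    This is a deviation check, not malicious-traffic detection (that is IDS work).
    Each session is a dict with src, dst, dport and ts (datetime)."""
    permitted = find_vendor_remote_access(rules, vendor_networks, ot_zone)
    flagged = []
    for s in sessions:
        src = ip_address(s["src"])
        vendor = next((v for v, nets in vendor_networks.items()
                       if any(src in n for n in nets)), None)
        if vendor is None:
            continue  # not vendor traffic; out of scope for this check
        dst = ip_address(s["dst"])
        allowed = any(v == vendor and dst in ip_network(d) and p == s["dport"]
                      for _, v, d, p in permitted)
        in_window = window[0] <= s["ts"].time() <= window[1]
        if not allowed or not in_window:
            reason = "no enabled permit rule" if not allowed else "outside maintenance window"
            flagged.append((vendor, s["src"], s["dst"], s["dport"], reason))
    return flagged


# Constructed sample sessions, as they might appear in firewall connection logs.
SESSIONS = [
    {"src": "203.0.113.5", "dst": "10.20.5.10", "dport": 3389, "ts": datetime(2026, 4, 2, 10, 15)},
    {"src": "203.0.113.5", "dst": "10.20.5.10", "dport": 3389, "ts": datetime(2026, 4, 2, 2, 40)},
    {"src": "198.51.100.40", "dst": "10.20.7.3", "dport": 502, "ts": datetime(2026, 4, 2, 11, 0)},
]

if __name__ == "__main__":
    for row in find_vendor_remote_access(FIREWALL_RULES, VENDOR_NETWORKS, OT_ZONE):
        print("vendor access:", row)
    for row in flag_vendor_sessions(SESSIONS, FIREWALL_RULES, VENDOR_NETWORKS, OT_ZONE):
        print("flagged:", row)
```

Run against the constructed data, the inventory reports two vendor access paths (fw-10 and fw-11), and the session check flags the OEM RDP session at 02:40 as outside the window and the MSP's Modbus session to 10.20.7.3 as unpermitted, since the MSP's only enabled rule is SSH. Note how broad fw-11 is: the inventory step is what makes a whole-zone vendor rule visible so it can be narrowed before an auditor asks about it.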

On April 1, you’ll need to have these controls documented and implemented. If you don’t already have this compliance deadline in sight, speak to one of our experts to get started.

Ultimately, entities subject to NERC reliability standards understand that building real operational security above the minimum requirements leaves them better positioned when the next round of standards like CIP-003-9 arrives. But the difference between what you must do to satisfy the regulation and what you should keep doing to protect your operational technology is where your risk strategy lives.
