NERC CIP-003-9 (Part 2): What You Should Do vs What You Must Do
NERC CIP-003-9 is a set of cybersecurity requirements designed to protect the critical cyber assets of power generation facilities. Compliance with these NERC CIP cybersecurity standards is essential for ensuring the security and reliability of the North American power grid.
By April 1, 2026, all Responsible Entities must be compliant with the new NERC CIP-003-9 standard. This change involves a more proactive cybersecurity approach in compliance with the new section 6, as outlined in "Project 2020-03 Supply Chain Low Impact Revisions."
This 3-part webinar series is tailored for those with intermediate knowledge about NERC CIP, breaking down the changes and their impact in the field.
In Part 1 of our webinar series, we discussed an overview of Section 6 "Vendor Electronic Remote Access Security Controls." In Part 2, our panelists will cover the essential preparation and performance elements required for meeting CIP-003-9 Standard Requirements, along with key considerations for cybersecurity that should be taken into account.
What We Cover
Preparation and performance elements that must be completed to meet NERC CIP-003-9 Standard Requirements and considerations of what should be done for cybersecurity implementation.
- Key elements your organization MUST do
- Identifying Cyber Assets
- Electronic Access Control Analysis
- Best Practices: SHOULD versus MUST
- Evaluation of Capacity of Existing Electronic Access Points
Keon McEwen, SOC Director - Industrial Cybersecurity, ABS Group
With over seven years of experience in OT technologies, Keon McEwen's expertise includes cybersecurity, control systems, automation and data. Keon has strong knowledge of OT/ICS systems and related compliance requirements, including NIST, IMO, ISO and NERC CIP. As the ISOC Global Lead, Keon collaborates with clients and team leaders to manage threat alerts throughout ISOC clients' environments. Previously, he oversaw government cybersecurity projects and managed the ABS Group cyber lab, where he introduced simulation and virtual capabilities from conception. He holds a bachelor’s degree in Electrical Engineering with a specialization in computers and embedded systems and has a Security+ certification.
Ben Stirling, Director - Industrial Cybersecurity, ABS Group
Ben Stirling has over 15 years of experience working in the power, industrial and oil and gas industries. He works closely with global leaders, OEMs and technology providers, among others, to develop integrated technology solutions and secure architectures. Ben's expertise in control systems, passion for protecting the world's infrastructure and deep knowledge of NERC CIP, NIST, ITIL, ISA 99/IEC 62443 and MITRE ATT&CK for ICS has positioned him as a thought leader in securing industrial environments. Ben has a proven track record of working with industry clients to recognize and mitigate cybersecurity risks to infrastructure, process and human safety.
Michiko Sell, NERC CIP Services Supervisor, NAES Corporation
Michiko has over 30 years of combined experience that includes NERC, AKCIP, ARSCIP standards compliance management, auditing, accounting, financial analysis, budget and financial forecasting, strategic planning, power marketing, new power resource analysis, contract management and negotiations. Ms. Sell led the CIPv5 transition effort for her prior employer and her experience traverses both the Cyber Security and Operations and Planning Standards. Her hands-on experience includes Reliability Policy and Compliance Management, Reliability Compliance Auditing, Program/Procedure Writing, Compliance GAP Analysis and Compliance Risk Assessments.
Joe Baxter, Director - Solutions Engineering, Network Perception
With more than 20 years of experience, Joe Baxter is an expert in regulatory compliance and IT and OT systems, with deep expertise in infrastructure and total conversions. He specializes in the design of compliance systems, efficient networks, network security and databases, with a particular interest in the creation of cybersecurity policies, procedures and audit responses in the electrical and financial sectors. In the past, Joe has worked at NERC, SERC, Jack Henry, AECI, Burns & McDonnell and ABB, among other organizations.
About NAES Corporation
NAES Corporation (www.naes.com) is an independent services company dedicated to optimizing the performance of energy facilities across the power generation, oil & gas and petrochemical industries. NAES applies its deep experience in operations, maintenance, construction, engineering and technical support to build, operate and maintain plants that run safely, reliably and cost-effectively. NAES is a wholly owned subsidiary of ITOCHU Corporation. With operations in over 80 countries covering a broad range of industries, ITOCHU ranks among the world’s largest corporations.
About Network Perception
Network Perception proactively protects industrial control systems by ensuring network access security as the first line of perimeter defense. Our monitoring software provides complete network transparency and continuous mapping to better support cybersecurity compliance and enable greater cyber resiliency. For more information, visit www.network-perception.com.
About ABS Group
ABS Group of Companies, Inc. (www.abs-group.com), through its operating subsidiaries, provides technical advisory and certification services to support the safety and reliability of high-performance assets and operations in the oil, gas and chemical, power generation, marine, offshore and government sectors, among others. Headquartered in Houston, Texas, ABS Group operates with more than 1,000 professionals globally. ABS Group is a subsidiary of ABS (www.eagle.org), a leading marine and offshore classification society.