FAQs for NERC CIP-003-9 and Low Impact BES Cyber Systems


Ron Fabela, Technical Director, Cybersecurity for ABS Consulting, answers frequently asked questions about the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard for low impact transmission sites and how to get started with CIP-003-9 compliance.

Ron Fabela

Frequently Asked Questions about what the NERC CIP-003-9 standard means, defining key terms to know and outlining how you can stay ahead of compliance:

What is NERC CIP-003-9 and what are the standard requirements?

CIP-003-9 is the ninth revision of the Cyber Security - Security Management Controls standard within the NERC CIP Reliability Standards. This specific regulation governs how a registered entity must manage cybersecurity policies and controls for assets categorized as Low Impact Bulk Electric System (BES) Cyber Systems.

The key addition is Section 6 of Attachment 1 under Requirement R2, which establishes enforceable controls for vendor electronic remote access. This is a new compliance area that previously had no minimum security baseline at the low impact level.

How does NERC define a "vendor" for CIP-003-9 compliance?

It’s important to note that terms like “vendor” and “vendor electronic remote access” are not defined explicitly by NERC, leaving room for interpretation during an audit.

From an industrial cybersecurity lens, a vendor can be understood as an entity that provides services to a registered entity in support of the reliable operation of the bulk electric system. This includes equipment manufacturers, software providers, integrators, contractors, managed service providers, an on-site contractor handling day-to-day operations and maintenance, and any other third party providing systems or services.

What is vendor electronic remote access according to NERC CIP?

Vendor electronic remote access refers to any non-physical method by which a vendor or third-party provider connects to the electronic systems of a NERC-regulated entity, for example a vendor connecting to a utility or power generation owner to perform maintenance, monitoring, support or other operational services. This can include interactive user connections such as a virtual private network (VPN) or remote desktop session, system-to-system communications initiated by the vendor from outside the electronic access control boundary, machine-to-machine connections authorized through firewall rules, and other remote communication pathways.

In OT environments, this is the pathway through which external parties reach your SCADA systems, DCS, relays, historians and other devices at the plant or in a substation. We also use the term “secure remote access” in the technology space to describe the controls wrapped around these connections, but CIP-003-9 is concerned with the access itself, including who has it, how it’s established and whether you can shut it down when it’s urgent to do so.

What is the Section 6 requirement related to Vendor Electronic Remote Access Security Controls?

CIP-003-9 adds Section 6 to Attachment 1 of Requirement R2. Here’s what the standard language says exactly:

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, that allow vendor electronic remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1.

That process must include:

  • 6.1 – One or more method(s) for determining vendor electronic remote access.
  • 6.2 – One or more method(s) for disabling vendor electronic remote access.
  • 6.3 – One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access.

Additionally, Requirement Part R1.2.6 now requires Responsible Entities (REs) to update their cybersecurity policies to explicitly address vendor electronic remote access security controls.
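As an added illustration (not from the article, NERC or ABS Consulting), the following Python models the three Section 6 methods against a constructed vendor register, boundary-firewall rule export and indicator list, all of which are placeholders using RFC 5737 documentation addresses: 6.1 determines which allow rules open a vendor path, 6.2 disables a vendor's rules and returns the evidence of what changed, and 6.3 flags boundary-crossing flows whose external end is a known-bad address, labelled inbound or outbound.

```python
# Added example with constructed data (vendor register, firewall export, indicator feed); not from NERC or the article.
import ipaddress
from dataclasses import dataclass

VENDOR_NETS = {"Vendor-A historian support": ipaddress.ip_network("203.0.113.0/24"),
               "Vendor-B relay integrator": ipaddress.ip_network("198.51.100.10/32")}
SITE_NET = ipaddress.ip_network("10.20.0.0/16")   # the low impact site's own network
KNOWN_BAD = {"192.0.2.66"}                        # placeholder for an indicator feed

@dataclass
class Rule:                     # one line of a boundary-firewall rule export
    rule_id: str
    src: str                    # source CIDR the firewall permits inbound
    dst_port: int
    action: str = "allow"

RULES = [Rule("fw-001", "10.20.0.0/16", 502),       # internal polling, not vendor
         Rule("fw-002", "203.0.113.0/24", 3389),    # Vendor-A remote desktop path
         Rule("fw-003", "198.51.100.10/32", 22),    # Vendor-B SSH path
         Rule("fw-004", "0.0.0.0/0", 443, "deny")]  # already blocked

def vendor_of(cidr):
    """Name the registered vendor whose network contains this address or network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return next((v for v, vnet in VENDOR_NETS.items() if net.subnet_of(vnet)), None)

def determine_vendor_access(rules):
    """6.1: per vendor, the allow rules that open a remote access path into the site."""
    found = {}
    for r in rules:
        vendor = vendor_of(r.src) if r.action == "allow" else None
        if vendor:
            found.setdefault(vendor, []).append(r.rule_id)
    return found

def disable_vendor_access(rules, vendor):
    """6.2: flip that vendor's allow rules to deny; returns the rule ids changed."""
    changed = [r.rule_id for r in rules if r.action == "allow" and vendor_of(r.src) == vendor]
    for r in rules:
        if r.rule_id in changed:
            r.action = "deny"
    return changed

def detect_malicious(flows):
    """6.3: boundary-crossing flows whose external end is known-bad, labelled by direction."""
    hits = []
    for src, dst in flows:
        src_in, dst_in = (ipaddress.ip_address(a) in SITE_NET for a in (src, dst))
        if src_in != dst_in and (src if dst_in else dst) in KNOWN_BAD:
            hits.append(("inbound" if dst_in else "outbound", src, dst))
    return hits
```

The returned dictionaries and lists are the kind of artefact an auditor would want to see for each method: which vendors have a path, what was disabled and when, and which flows were flagged.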

Why is there a NERC CIP update for low impact sites?

The NERC Supply Chain Risk Assessment Report, conducted in 2020 and evaluating 1,000+ entities, showed that a significant percentage of low impact sites and locations have third-party remote access or external connectivity. Third party is a critical distinction here; it means non-asset-owner access to your systems and networks.

The concern driving this change is a coordinated cyberattack. While individual low impact locations may represent a small percentage of all transmission stations and substations, the combined effect of a coordinated attack on multiple locations could degrade BES reliability well beyond the local area.

NERC is addressing what has been a relatively lackluster control set for low impact risk management.

Who needs to comply with NERC CIP-003-9?

NERC registered entities that own or operate BES assets, including generator owners and operators, transmission owners and operators, and reliability coordinators with facilities that contain Low Impact BES Cyber Systems.

Unlike medium and high impact assets, low impact BES Cyber Systems do not currently have formal inventory requirements. As a result, organizations may have limited visibility into how many devices or systems at a given location could be exposed to vendor remote access.

Are low impact sites mostly all externally managed facilities (e.g. through a managed service)?

A high percentage of low impact facilities may be de facto outsourced or remotely managed. The renewables sector is a clear example: operations are often geographically remote, spread across dispersed sites with limited on-site personnel and dependent on vendor support for day-to-day system management. For these environments, the traditional low/medium/high BES asset framework doesn’t always map to the operational reality. This may be a natural consequence of how low impact sites are staffed and run, with vendor remote access at times the primary operational interface, not the exception.

If CIP Low Impact Sites do not have an ESP, then what does "remote" mean for 003-9?

When the update was introduced, we expected a range of interpretations. There are differences in opinion across the industry, and it will take time before consensus forms around what “normal” looks like for low impact remote access definitions.

At a minimum, you should have clear definitions of where your network boundaries are: where your firewalls sit, what traffic is permitted and who is on the other side of those connections.

Many low impact sites are remotely managed in a way where third parties are entering through the enterprise network, provisioned in and given access to the appropriate operational network. In that scenario, “remote” doesn’t necessarily mean an external party connecting from a separate network like a VPN. It may mean a vendor who is functionally embedded in your organization even though they are technically an independent, third-party operator of your systems. For example, when you onboard a contractor to your network environment, they no longer exist outside of the enterprise; however, they are still considered a vendor under CIP-003-9.

Getting this language right in your documentation will be key during audits. Define your terms. Map how access is provisioned. Be prepared to explain how you distinguish between internal and vendor-initiated sessions.

Where did our previous NERC CIP reference models go?

The short answer is they’re no longer applicable. If you are building a new program for low impact facilities today, the absence of reference material that the industry debated and reached agreement on over more than a decade is a significant gap. The loss of these models means entities need to be more deliberate about documenting their own architectural frameworks and access models. And they also should be prepared to defend those models to auditors.

My organization needs to get started yesterday. Can you explain what we Should Do vs. what we Must Do?

Something you can do now, without any supply chain dependency, is assess your risk posture by conducting an architecture assessment. Understand how your operational networks are configured, where data flows and where vendor access points exist today.

However, it's common to assess a specific aspect of your operations, confirm there is no remote access and shelve that discussion for later. The reality is that new technologies and configuration changes are happening regularly, and any one of them could introduce or modify connectivity for your low impact sites.

Start documenting now. Build a skeleton outline of what is required even if you do not yet have remote access for a particular asset or operation. When an auditor asks, you will have evidence that you've been tracking the risk and putting a control framework in place. While you're not currently required to maintain an inventory, that could change in future regulatory updates, and having a baseline will put you ahead.

You also want to identify all individuals who play a role in your relevant operations and know which vendors they work with at the system, network and application levels.

On the language side, expect NERC CIP terminology to continue evolving until the industry reaches common consensus. For example, there is a real and meaningful difference between "remote access" and "remote monitoring." Audit challenges could center on what "remote access" means versus "remote control" in your specific environment.

The conservative, defensible approach: treat all communications, including monitoring, as within scope. If something bad happens, NERC wants to see that you had visibility into and control over all of it.

Our operations do not have remote access at this time. Should I future-proof my low impact site for NERC CIP-003-9 compliance?

“Start now” is a call to action I’ll keep repeating. Begin by determining whether you will allow vendor electronic remote access to low impact assets going forward. This decision can be a strong motivator for modernization projects and an opportunity to design secure access into your architecture rather than bolt it on after the fact.

Ensure that the Section 6 requirements are factored into every new project and system change. It's straightforward to assess current architecture, but future modifications and technology refreshes are where gaps tend to develop. Consider mapping your solutions and controls with an independent, third-party cybersecurity firm that understands your operating environment and the threat landscape specific to OT systems. An outside perspective from professionals who understand how adversaries think will help you build proactive, defensible controls rather than reactive fixes.

Architecture assessments and compliance-focused training are foundational steps. You need to know, with certainty, how data flows inside and outside of your operating environment.

COMPLIANCE TIP:

Many entities treat policy review as a checkbox event. Auditors increasingly look for evidence of substantive review: version diffs, reviewer sign-off logs and documented rationale for unchanged language. A policy that shows no changes in five years is a red flag, even if it has been reviewed on schedule.

Is there a NERC CIP-003-9 cyber security compliance deadline I need to know now?

Yes. Requirements under CIP-003-9 related to vendor electronic remote access must be implemented by April 1, 2026.

Regulators will expect entities to have documented controls in place and an implementation plan that demonstrates progress toward compliance. This includes evidence that your organization has taken steps to manage cybersecurity risk associated with vendor remote access at low impact BES locations.
