NERC’s CIP Roadmap and the Future of Grid Cybersecurity

By Patrick Miller

NERC’s new CIP Roadmap signals a major shift in how cyber risk will be regulated across the power grid. This Policy Pulse explains what NERC released, why it matters, what standards and guidance are coming next, and how utilities, generators, and grid operators should prepare for expanding CIP scope and enforcement.

Overview

In January 2026, NERC quietly released one of the most consequential cybersecurity policy documents the North American electric sector has seen since the Version 5 CIP transition. The NERC Critical Infrastructure Protection Roadmap is not a compliance guide or a retrospective. It is a forward-looking regulatory blueprint for how CIP must evolve as the grid becomes more distributed, more digital, and more dependent on third-party and cloud-based systems.

For years, CIP has been anchored to a world where cyber risk lived inside well-defined control centers, transmission substations, and “traditional” generation facilities. That world no longer exists. The Roadmap is NERC’s acknowledgement that modern grid risk is now created by aggregation, connectivity, and dependencies that often sit outside traditional CIP boundaries.

This matters because NERC is no longer talking about hypothetical gaps. The Roadmap lays out which risks are most urgent, which standards will be modified, which guidance will be issued, and which new categories of assets and operators are moving into scope.

Why NERC Issued the CIP Roadmap

The electric grid has changed faster than the CIP framework was designed to change. Large portions of today’s operational technology environment now fall into categories that CIP treats as low impact, non-BES, or outside registration entirely (i.e., not even on NERC’s radar). That includes inverter-based resources, DER aggregators, EV charging infrastructure, cloud-hosted control platforms, vendor-operated remote access systems, and telecom-dependent SCADA links. At the same time, adversaries have shifted from targeting individual high-value assets to exploiting scale, aggregation, and shared infrastructure.

NERC’s Roadmap reflects three core realities.

  • First, low-impact systems are no longer low risk. Coordinated attacks across many small assets can now produce system-level effects.

  • Second, remote access and third-party operations have become foundational to grid operations. That creates attack paths that CIP was never designed to govern.

  • Third, the grid now runs on infrastructure that utilities do not own. Telecom networks, cloud platforms, vendor monitoring systems, and distributed control systems now sit directly in the operational control plane.

The Roadmap is NERC’s attempt to realign CIP with this reality.

What the Roadmap Actually Does

The Roadmap is built on a formal risk registry and scoring model that evaluated likelihood, impact, and mitigation maturity across dozens of cyber and physical risk categories. That analysis produced three dominant cross-cutting control themes that NERC believes offer the greatest reduction in systemic risk.

1. Multi-Factor Authentication

NERC concluded that MFA is the single most powerful control for reducing cyber risk across nearly every attack path that involves remote access, credential theft, or third-party support. MFA is already required for Interactive Remote Access into high- and medium-impact BES Cyber Systems (CIP-005 R2), but enormous portions of the grid still rely on single-factor access for low-impact, sub-BES, and vendor-managed systems.

NERC is now initiating a standards effort to require MFA for Interactive Remote Access to low-impact BES Cyber Systems. This is not a guidance item. It is a formal standards action. Once in force, it closes one of the largest and most commonly exploited gaps in the CIP framework. Note the scope, which follows the existing definition: the requirement targets interactive, human-driven sessions; system-to-system process communications are a separate category and are not what MFA addresses.

2. Foundational Cyber Hygiene

The Roadmap makes a blunt assessment. Most of the residual cyber risk in the sector does not come from exotic attacks. It comes from weak asset inventories, poorly defined network boundaries, inconsistent identity controls, outdated software, and limited visibility into what is actually connected to the grid. Advanced controls like internal network security monitoring (INSM), threat detection, and automated response cannot work reliably if the environment itself is not well understood.

NERC is now preparing to evaluate whether foundational cyber hygiene controls should become part of CIP’s minimum baseline for low-impact systems. That means controls such as asset identification, configuration management, vulnerability and patch management, network topology documentation, identity management, and malware response may become regulatory expectations rather than optional best practices. This is a structural shift. CIP is moving from scoping controls purely by impact rating toward a minimum baseline of security maturity that applies regardless of rating.

3. Protection of Public Network Communications

One of the most striking findings in the Roadmap is how much critical grid control traffic still flows over telecom infrastructure that utilities do not control. SCADA, AGC, RTU telemetry, and DER coordination routinely traverse leased fiber, cellular, and IP-based carrier networks using legacy protocols (DNP3, Modbus, IEC 60870-5-104, ICCP) that were never designed to be encrypted or authenticated.

Recent nation-state campaigns targeting telecommunications providers (e.g., Salt Typhoon) have demonstrated that these networks cannot be assumed to be trustworthy.

NERC is now directing a standards effort to expand CIP-012 so that confidentiality and integrity protections apply not only to control-center-to-control-center links, but also to facility-to-control-center communications that rely on public or carrier-dependent networks. This is one of the most operationally significant changes in the Roadmap. It will force utilities to inventory every telecom-dependent control path and determine where encryption, tunneling, or secure gateways are required.

Cloud Is No Longer Outside CIP

For years, cloud adoption in the electric sector has been constrained by regulatory ambiguity. Utilities want the resilience, scalability, and security capabilities that cloud platforms provide, but CIP was written for on-premises control environments. The Roadmap removes that ambiguity.

NERC has elevated its cloud standards project to high priority. That project will define how identity, access control, logging, segmentation, monitoring, and shared responsibility must work when operational or security systems are hosted in third-party cloud environments. Cloud is no longer something utilities have to tiptoe around. It is now being formally incorporated into the CIP framework.

Who Else Is Coming Into Scope

The Roadmap also makes clear that CIP’s future will not be limited to traditional utilities. NERC is now formally monitoring and assessing cyber risk associated with:

  • Category 2 inverter-based resources (IBRs)

  • DER aggregators

  • Large controllable loads such as data centers and crypto mining

  • EV charging infrastructure

  • Third-party operators with remote access to grid assets

For Category 2 IBRs in particular, NERC has launched a focused cybersecurity risk assessment to determine what minimum controls must apply. That is the first step toward bringing large portions of renewable generation into enforceable CIP coverage.

What Is Coming Next

The Roadmap defines three time horizons for specific actions.

Near Term

NERC has authorized, or will soon issue, Standards Authorization Requests (SARs) for the enhanced MFA requirements and the expanded telecom protections, which starts the standards development process for both items. Formal SAR documents are expected in Q1, with implementation timelines to follow once they proceed through drafting, balloting, and approval.

Expect immediate action on:

  • A new MFA standard for low-impact BES Cyber Systems

  • A CIP-012 expansion for public telecom-dependent communications

  • Cloud security standards development moving into high gear

These are not long-range ideas. They are already in motion.

Intermediate Term

NERC will assess whether foundational cyber hygiene controls should become part of CIP’s baseline requirements, especially for low-impact systems. It will also determine what cybersecurity controls must apply to Category 2 inverter-based resources. This is where the scope of CIP will begin to widen.

Ongoing

NERC and the E-ISAC will continue tracking:

  • DER aggregators

  • EVSE (EV charging infrastructure)

  • Large loads

  • Physical security trends

  • Cross-sector dependencies

These categories are now part of NERC’s permanent risk model.

Hello & Welcome to the NERC Ecosystem

What NERC published is not just a set of future CIP standards. It is a signal that the grid’s trust boundary is being redrawn. That has very real implications for entities that have never thought of themselves as part of the NERC compliance ecosystem.

What the newly “in-scope” entities should be thinking

DER aggregators, inverter-based resource operators, EV charging network operators, large data centers, crypto miners, cloud control platform providers, and OEMs with persistent remote access all sit in a new category. They are operationally significant but regulatorily invisible today. The Roadmap is NERC saying that this mismatch is no longer sustainable.

These organizations should be preparing for three things:

  • First, baseline cybersecurity expectations are coming, even if they are not registered today. NERC is explicitly evaluating what minimum controls must apply to Category 2 IBRs and is tracking DER aggregators, EVSE, and large loads as systemic risks. That almost always precedes either new registration categories or mandatory participation in a utility’s compliance boundary.

  • Second, remote access and identity will become regulated surfaces. If you operate, monitor, or control grid assets remotely, you will be expected to support MFA, access logging, segmentation, and revocation. Many of these firms currently operate with SaaS-like assumptions that will not survive the current NERC audit model.

  • Third, evidence will matter. These entities are not just being asked to be secure. They will be asked to prove it. That means inventories, access logs, vulnerability management, and documented controls. That is a very different operating model than most grid-edge technology firms run today.

Why registered entities should already be engaging them

Utilities, transmission operators, and generation owners are not insulated from this shift. They are exposed through dependencies. If a DER aggregator, wind OEM, or EVSE platform inside your footprint is compromised, the reliability impact lands on you, not on them. NERC is explicitly saying that these actors now create bulk power system risk even if they are not registered.

That means every registered entity should already be asking:

  • Which DERs, IBRs, large loads, and third-party platforms have real-time operational influence in my footprint?

  • Who has remote access into my plants, substations, or DER fleets?

  • Which of those parties would fail an MFA or telecom encryption requirement today?

  • Who would I be expected to coordinate with in a multi-entity incident?

Those conversations are not future work. They are now part of risk ownership. One of the unstated but unavoidable outcomes of this Roadmap is that utilities will increasingly act as cybersecurity gatekeepers for their ecosystem. If NERC cannot directly regulate a DER aggregator or a cloud vendor yet, it will do so indirectly by holding registered entities accountable for the risks they introduce.

This is how CIP expands without rewriting CIP-002

NERC is not going to flip a switch and register every EV charger or data center. What it is doing instead is much more powerful. It is defining what creates systemic reliability risk, then forcing that risk to be governed, either through direct standards or through the entities that depend on it.

For the new players, that means learning the language of NERC, controls, and evidence.

For existing registered entities, that means pulling these actors into security and reliability governance now, before regulators do it for them.

What Registered Entities Should Be Doing Now

The Roadmap gives a clear signal. The next phase of CIP will be built around remote access control, telecom security, cloud governance, and baseline cyber hygiene across all tiers of the grid. Organizations that wait for standards language will be late.

Smart moves now:

  • Deploy MFA for all remote and privileged access across OT and support environments

  • Inventory and secure every telecom-dependent control path between field assets and control centers

  • Build complete, defensible asset and network inventories that can support INSM and future compliance

  • Prepare for cloud-based security and operations with strong identity, logging, and segmentation

  • Assess exposure created by vendors, DERs, large loads, and third-party operators
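The first two items above, and the MFA and CIP-012 sections earlier in this post, come down to the same exercise: take the inventory you already have and ask which records would fail the requirement as described. The script below is an added example written for this post, not tooling from NERC or the author; the record layout, the rule thresholds (which transports count as carrier-dependent, which protocols carry their own protection), and the sample sites and accounts are all constructed assumptions, not a NERC schema.

```python
"""Gap triage for two Roadmap items: MFA on Interactive Remote Access, and
CIP-012-style protection of control traffic that crosses carrier networks.
Record layout, rule thresholds and sample data are constructed for this
example; they are assumptions, not a NERC schema."""
from dataclasses import dataclass

CC = "control_center"  # endpoint kind; anything else is treated as a facility

# Transports the utility does not own end to end (assumed reading of the
# Roadmap's "public or carrier-dependent" networks).
CARRIER_TRANSPORTS = {"leased_fiber", "cellular", "carrier_ip", "mpls_vpn"}

# (confidentiality, integrity) given by the application protocol as normally
# deployed. DNP3-SA authenticates messages but does not encrypt them.
PROTOCOL_PROTECTION = {
    "dnp3": (False, False), "dnp3-sa": (False, True), "modbus-tcp": (False, False),
    "iec104": (False, False), "iccp": (False, False), "iccp-tls": (True, True),
}
# (confidentiality, integrity) given by a network-layer tunnel.
TUNNEL_PROTECTION = {"none": (False, False), "ipsec": (True, True), "tls": (True, True)}

@dataclass(frozen=True)
class ControlPath:
    name: str
    src_kind: str   # "control_center" or "facility" (substation, plant, DER site)
    dst_kind: str
    transport: str  # in CARRIER_TRANSPORTS, or utility-owned such as "private_fiber"
    protocol: str
    tunnel: str

@dataclass(frozen=True)
class RemoteAccess:
    account: str
    target_impact: str  # "high", "medium" or "low"
    interactive: bool   # human-driven session, not system-to-system
    mfa: bool
    third_party: bool

def path_protected(p: ControlPath) -> bool:
    """True only if confidentiality AND integrity come from the protocol,
    the tunnel, or a mix of the two (e.g. DNP3-SA inside IPsec)."""
    pc, pi = PROTOCOL_PROTECTION.get(p.protocol.lower(), (False, False))
    tc, ti = TUNNEL_PROTECTION.get(p.tunnel.lower(), (False, False))
    return (pc or tc) and (pi or ti)

def path_findings(paths):
    """Unprotected carrier-dependent links, tagged with the CIP-012 scope
    that catches them: today's control-center pairs, or the expansion."""
    out = []
    for p in paths:
        if p.transport not in CARRIER_TRANSPORTS or path_protected(p):
            continue
        if p.src_kind == CC and p.dst_kind == CC:
            out.append((p.name, "CIP-012 today (control center to control center)"))
        elif CC in (p.src_kind, p.dst_kind):
            out.append((p.name, "CIP-012 expansion (facility to control center)"))
        # facility-to-facility links (e.g. DER site to aggregator) are outside
        # this Roadmap item and are deliberately not reported here
    return out

def access_findings(accesses):
    """Interactive Remote Access without MFA. Medium/high impact already fails
    CIP-005 R2; low impact is what the new standards effort targets."""
    out = []
    for a in accesses:
        if not a.interactive or a.mfa:
            continue
        when = ("required today by CIP-005 R2" if a.target_impact in ("high", "medium")
                else "coming under the low-impact MFA standard")
        who = "third-party account, " if a.third_party else ""
        out.append((a.account, f"no MFA, {who}{when}"))
    return out

# Constructed sample inventory: invented sites and accounts.
SAMPLE_PATHS = [
    ControlPath("CC-A to CC-B ICCP", CC, CC, "carrier_ip", "iccp", "none"),
    ControlPath("Sub-17 RTU telemetry", "facility", CC, "cellular", "dnp3", "none"),
    ControlPath("Plant-3 AGC", "facility", CC, "leased_fiber", "dnp3-sa", "ipsec"),
    ControlPath("Sub-22 RTU telemetry", "facility", CC, "private_fiber", "dnp3", "none"),
    ControlPath("DER site 9 to aggregator", "facility", "facility", "carrier_ip", "modbus-tcp", "none"),
]
SAMPLE_ACCESS = [
    RemoteAccess("vendor-ops", "medium", True, False, True),
    RemoteAccess("field-tech", "low", True, False, False),
    RemoteAccess("scada-admin", "high", True, True, False),
    RemoteAccess("historian-svc", "low", False, False, False),  # system-to-system
]

def triage(paths=SAMPLE_PATHS, accesses=SAMPLE_ACCESS):
    return {"paths": path_findings(paths), "access": access_findings(accesses)}

if __name__ == "__main__":
    for kind, items in triage().items():
        for name, why in items:
            print(f"{kind:7s} {name:26s} {why}")
```

Two design points carry over from the existing standards. The path check demands both confidentiality and integrity, because that is what CIP-012 R1 already requires between Control Centers; a DNP3-SA link on its own therefore still shows up, since secure authentication gives integrity but not encryption. The access check keys on whether a session is interactive, because that is the boundary CIP-005 R2 draws: the service account for the historian is not an MFA finding, but it belongs in a separate system-to-system review. On the constructed data the script reports the unencrypted ICCP link as a gap under CIP-012 as written today, the cellular DNP3 substation link as a gap under the proposed expansion, and two accounts without MFA, one of them a third party into a medium-impact system.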

CIP is no longer just about compliance for a subset of traditional grid assets. The grid changed, technology changed, and the threat landscape changed. The CIP standards needed to change accordingly.

 
