New for CIP Standard for Low Impact Facilities 

By Kyle Tobias, NERC CIP and Cyber Security Officer  

On March 16, FERC issued a new Order approving NERC CIP-003-9.  The revision to the standard adds new responsibilities for CIP low impact sites and is scheduled to take effect on 4/1/2026. At the site level, you will need to formally have methods to know when vendors are remotely accessing your systems and the ability to enable or disable these methods where needed. This new documented process will need to have supporting evidence which will be entirely dependent on what method is used at your site. For many of you, this will not change much functionally as you are already doing much of this. Documenting and logging that you are doing it will satisfy the compliance requirements. 

For example, there are some sites that have added physical A/B switches to the ethernet cables that handle remote connections. This may not have been formally stated in any process documents so adding it to the CIP-003 procedure satisfies compliance with that portion. Documenting the existence of the switch with an updated site network diagram will also provide some of the evidence needed.  

At the corporate level, we will be evaluating your site firewall access control rules over the course of the next year to ensure these are already compliant and make any adjustments where needed. We will be updating the standard CAMS CIP-003 process documents to address this issue at that level and will work with each site to ensure what is stated in that procedure fits your site’s abilities and requirements. 

Anytime NERC adds new responsibilities to the low impact sites it gets attention, and rightly so. Most of the CAMS fleet, much like the US generation fleet, are CIP low impact. Even though in this instance we have three years to ensure we are compliant, we are already working on this to get ahead of it with plenty of time to fine-tune the methods and related evidence-collection processes, tailored to your site’s needs. Expect to hear from your CAMS NERC compliance team.  By working together, we can ensure a streamlined transition to the new standard.    

The updated standard adds the following language to the requirement section for CIP low impact sites: 

Vendor Electronic Remote Access Security Controls: For assets containing low impact BES Cyber System(s) identified pursuant to CIP‐002, that allow vendor electronic remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include: 

  • One or more method(s) for determining vendor electronic remote access; 
  • One or more method(s) for disabling vendor electronic remote access; and 
  • One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access. 

Evidence examples provided for this new requirement are: 

  • Part one documentation showing: 
  • steps to preauthorize access; 
  • alerts generated by vendor log on; 
  • session monitoring; 
  • security information management logging alerts; 
  • time‐of‐need session initiation; 
  • session recording; 
  • system logs; or 
  • other operational, procedural, or technical controls. 
  • Part two documentation showing: 
  • disabling vendor electronic remote access user or system accounts; 
  • disabling inbound and/or outbound hardware or software ports, services, or access permissions on applications, firewall, IDS/IPS, router, switch, VPN, Remote Desktop, remote control, or other hardware or software used for providing vendor electronic remote access; 
  • disabling communications protocols (such as IP) used for systems which establish and/or maintain vendor electronic remote access; 
  • Removing physical layer connectivity (e.g., disconnect an Ethernet cable, power down equipment); 
  • administrative control documentation listing the methods, steps, or systems used to disable vendor electronic remote access; or 
  • other operational, procedural, or technical controls. 
  • Part three documentation showing implementation of processes or technologies which have the ability to detect malicious communications such as: 
  • Anti‐malware technologies; 
  • Intrusion Detection System (IDS)/Intrusion Prevention System (IPS); 
  • Automated or manual log reviews; 
  • alerting; or 
  • other operational, procedural, or technical controls.