To assess existing Critical Infrastructure Protection (CIP) standards, evaluate emerging risks, identify gaps in current protections, and chart a risk-informed path forward, the North American Electric Reliability Corporation (NERC) developed the CIP Roadmap in 2025 in consultation with Regional Entities and industry subject matter experts.
“We found that while our CIP standards remain the backbone of mandatory security controls for the bulk power system, the operating environment is evolving faster than the scope and cadence of standards development,” said Soo Jin Kim, vice president of Engineering and Standards. “A growing portion of operational technology, including low-impact systems, third-party operators, and newly registered Category 2 inverter-based resource registrants, plays a critical role in grid operations but resides outside medium- and high-impact CIP standards coverage, representing a security risk.”
The roadmap identifies several potential security measures to reduce risk across multiple threat areas, including broader use of multi-factor authentication, stronger cyber hygiene, and improved safeguards for communications that rely on public networks. It also identifies a limited number of specific risks that warrant targeted attention.
Near- and intermediate-term recommendations across three areas were identified: potential Reliability Standard modifications, development of security guidance, and ongoing risk monitoring.
These recommendations are intended as a targeted, risk-driven evolution of NERC CIP standards, strengthening coverage where threats have outpaced their existing scope while leveraging guidance where flexibility is needed, NERC said.
NERC staff is coordinating with the Reliability and Security Technical Committee (RSTC) to determine which recommendations should be RSTC-led and which should be NERC-led.
Teams supporting near-term recommendations will kick off in the first quarter, with work on intermediate-term recommendations to follow.
“The CIP Roadmap reinforces that reliability, resilience, and security are inseparable and provides a blueprint for the ERO Enterprise, industry, and government partners to ensure the CIP framework remains adaptive and effective as the grid continues to transform,” NERC said.
