Denrich Sananda, Managing Partner and Senior Consultant, Arista Cyber, explains how to ensure companies shine with the NERC CIP checklist.
“NERC CIP gives North American power generators clear cyber security expectations for Bulk Electric System environments. It gives compliance teams a shared language and forces evidence around systems that cannot be treated like ordinary enterprise IT.
“That kind of structure is essential, because control systems, protection systems, historians, remote access paths and engineering workstations all sit inside the reliability obligation placed on generation operators. But there is still a gap between the framework and the field.
“NERC CIP activity may be real, documented and audited, yet an organisation’s operational posture can, in fact, be less complete than that evidence suggests.
“The Federal Energy Regulatory Commission’s 2024 Lessons Learned from Commission-led CIP Reliability Audits made that point clearly: most entities reviewed met mandatory CIP requirements, but potential noncompliance and security risks remained.
“So if a plant can look compliant on paper while remaining exposed, it is clear that power generators must look beyond frameworks like NERC CIP to consider the full picture of their facilities and operational capabilities.
“If incomplete controls fail to reflect the systems, access paths and changes that exist in the real environment, can that environment actually be considered secure?
Arista Cyber | Compliance evidence is not operational control
“The NERC CIP requirements raise hard questions. Which cyber systems matter to BES reliability, where are the electronic boundaries, who is allowed access, how are changes authorised, and what evidence shows the controls are working? No answer to these questions can be static, because generation environments are always changing.
“Evidence may describe the intended environment rather than the real one. A diagram may show the expected electronic security perimeter, a spreadsheet may show the approved asset list, and a policy may describe remote access.
“But none of that proves the control is complete unless it is checked against current traffic flows, discovery data, user activity and change records from the plant itself.
Arista Cyber | Scope, segmentation and access paths
“Asset identification is the foundation of NERC CIP, but it is easy to treat too narrowly. A BES Cyber System categorisation process may correctly identify high and medium impact systems, yet still leave supporting systems under-examined if they do not sit within that strict audit boundary.
“Engineering workstations, jump servers, time servers, backup repositories, patch staging systems, remote access brokers and historian interfaces may not all be covered by the same formal classification, but each can provide a pathway into core control systems.
“If asset identification is shaped only by what must be evidenced for an audit, it can miss the route an attacker would actually take. FERC’s 2024 CIP audit lessons offer useful guidance here.
“The report encourages entities to assess the operational risk of associated cyber assets, such as electronic access control and monitoring systems, even where categorisation alone may not capture the full consequence of that risk.
“A next-generation firewall may sit outside the electronic security perimeter, but if its failure, compromise or misconfiguration could block traffic required for reliable operation, it still needs to be treated as operationally significant.
“Segmentation needs the same treatment. A documented electronic security perimeter is useful only if it is true to the way traffic actually moves.
“Firewall rules may include broad exceptions, temporary vendor access may have become permanent, and outage rules may remain in place long after the work has finished.
Arista Cyber | Remote access, credentials and ownership
“Remote access is a fact of operation. Power generation depends on external expertise, and turbine specialists, controls vendors, OEMs, integrators and managed service providers may all need such access. Removing remote connectivity entirely is rarely practical, but leaving it loosely governed is indefensible.
“CISA’s guidance on remote access for industrial control systems frames the challenge clearly: operational assets need to be accessed and managed, but remote connectivity can alter the cyber security posture of the control system itself. The question is whether that access is specific, temporary, authenticated, monitored and tied to a responsible owner.
“If it is not, this introduces risk. Shared vendor accounts hide individual accountability. Standing access remains available outside the business context that justified it.
“Weak approval workflows may allow a vendor to connect without the plant knowing exactly what that vendor can reach. Access may be documented, but still not sufficiently visible, controlled or reviewable.
“Field experience shows that many related failures come from accounts that outlive their purpose, or from shared passwords, local administrator rights granted for convenience, and unclear ownership over who can approve access. Where shared or local accounts cannot be removed, they should be isolated, monitored and backed by compensating controls.
Arista Cyber | Configuration drift turns evidence stale
“Despite its formal structure, configuration change management is closer to process safety than paperwork. Security settings may be adjusted for troubleshooting, firmware may be inconsistent between devices, or a workstation may gain an unapproved tool because an engineer needed to solve a practical problem quickly.
“Each change may be understandable in context, but if it is poorly documented, it can create a system nobody fully recognises.
“FERC’s 2024 audit lessons also underline the level of detail required here. Cyber asset baselines should cover intentionally installed commercial software, including browser extensions and standalone applications.
“Incomplete baseline documentation can make it difficult to restore BES Cyber Systems to a prior configuration and can distort the organisation’s view of its own security posture.
“A useful baseline should show authorised ports and services, approved software, firmware levels, account settings, security controls and known exceptions. If a change has to be made to solve an immediate operational problem, the emergency process should still leave evidence of what changed, who approved it and whether the control was restored.
Arista Cyber | The audit should not be the finish line
“In the end, all strong industrial cyber security comes down to a change in approach, a move from on-paper strength to real-world resilience. Evidence should be tested, not filed.
“Network diagrams should match real traffic, inventories should reflect what is connected, and firewall rules should be reviewed with engineers as well as network teams.
“Remote access exceptions, dormant accounts, configuration baselines and recovery plans all need scrutiny, especially after outages when temporary changes can quietly become permanent.
“NERC CIP remains a vital framework for BES reliability, but frameworks do not secure systems by themselves. Partial compliance may reduce regulatory risk, but it does not reduce operational risk.
“For generation owners and operators, the question is whether a NERC CIP program can still see, govern and prove control over the systems the plant depends on when conditions are least forgiving.”
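The baseline and drift points made above (authorised ports and services, approved software, firmware levels, known exceptions, temporary vendor rules that outlive their purpose, and dormant accounts) can be checked mechanically. The following Python is an added illustration written for this article, not Arista Cyber tooling and not part of its checklist: it compares a documented baseline for one asset against an observed snapshot and lists each discrepancy. Every asset name, port, software name, firewall rule, date and account in it is constructed.

```python
"""Configuration-drift check for a single OT asset.

Compares a documented baseline (what the evidence says) with an observed
snapshot (what discovery, traffic and account data actually show) and
returns one finding per discrepancy. Added example with constructed data;
no real plant, vendor or rule set is represented.
"""
from datetime import date

# Constructed documented baseline for a hypothetical engineering workstation.
BASELINE = {
    "asset": "EWS-01",
    "firmware": "4.2.1",
    "ports": {22, 443},                          # authorised listening ports
    "software": {"hmi-client", "historian-viewer"},
    # Approved, time-bound exceptions to the normal perimeter rules.
    "exceptions": [
        {
            "id": "EXC-TMP-001",
            "rule": "permit any from vendor-net",
            "owner": "turbine-oem",
            "expires": date(2024, 3, 1),
        },
    ],
}

# Constructed observed snapshot for the same asset.
OBSERVED = {
    "asset": "EWS-01",
    "firmware": "4.1.9",
    "ports": {22, 443, 3389},
    "software": {"hmi-client", "historian-viewer", "remote-tool"},
    "active_rules": ["permit any from vendor-net", "permit 3389 from any"],
    "accounts": [
        {"name": "vendor_shared", "last_login": date(2023, 11, 20)},
        {"name": "eng_jdoe", "last_login": date(2024, 6, 2)},
    ],
}


def baseline_drift(baseline, observed, today, dormant_days=90):
    """Return a list of (finding_type, detail) tuples describing drift."""
    findings = []

    # Firmware level differs from the documented one.
    if observed["firmware"] != baseline["firmware"]:
        findings.append(
            ("firmware_mismatch", f'{observed["firmware"]} != {baseline["firmware"]}')
        )

    # Listening ports and installed software not in the approved sets.
    for port in sorted(observed["ports"] - baseline["ports"]):
        findings.append(("unauthorised_port", str(port)))
    for sw in sorted(observed["software"] - baseline["software"]):
        findings.append(("unapproved_software", sw))

    # Firewall rules: each active rule must map to a documented exception,
    # and that exception must not have expired.
    documented = {e["rule"]: e for e in baseline["exceptions"]}
    for rule in observed["active_rules"]:
        exc = documented.get(rule)
        if exc is None:
            findings.append(("undocumented_rule", rule))
        elif exc["expires"] < today:
            findings.append(("expired_exception_still_active", rule))

    # Accounts with no login inside the review window.
    for acct in observed["accounts"]:
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant_account", acct["name"]))

    return findings


def run_example():
    """Run the check against the constructed data on a fixed review date."""
    return baseline_drift(BASELINE, OBSERVED, today=date(2024, 6, 10))


if __name__ == "__main__":
    for kind, detail in run_example():
        print(f"{BASELINE['asset']}: {kind}: {detail}")
```

The review date is passed in explicitly so the same snapshot gives the same answer when re-run later; in practice the baseline would be exported from the change record and the snapshot from discovery, firewall and directory data rather than typed in by hand.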
The Arista Cyber free NERC CIP Audit Preparation compliance checklist is hosted on the Arista Cyber website.
Arista Cyber specialises in Operational Technology security. From power generation to petrochemical processing, organisations trust Arista Cyber to strengthen defences, enhance resilience, and protect the infrastructure that keeps economies running and societies thriving.