On April 1, 2026, NERC Reliability Standard CIP-003-9 went into effect. For renewable operators and utilities registered with NERC, the preparation window is closed.
The revised standard concentrates on a long-standing issue in the industry — vendor electronic remote access into Low-Impact Bulk Electric System (BES) Cyber Systems. This access isn’t unusual. At utility-scale solar, wind, and battery storage sites, it’s often necessary to maintain and operate equipment. What has changed isn’t the existence of vendor access, but the expectation that it is managed, monitored, and, most importantly, verifiable.
Readiness before enforcement has been inconsistent. In practice, most organizations already implement some level of control, such as restricting access windows, supervising sessions, or managing credentials. However, these controls are often applied unevenly, or they exist without the documentation and monitoring needed to validate them under scrutiny. In many cases, the system is effectively controlled, but no one can clearly demonstrate it, and this is what often leads teams to overestimate how defensible their controls really are.
That gap is what CIP-003-9 is designed to address.
The reason behind the standard is not just theoretical. The SolarWinds breach showed how trusted vendor pathways can be exploited on a large scale, exposing a systemic weakness in critical infrastructure. In response, NERC and FERC turned their attention to low-impact facilities, where vendor access to control environments was not explicitly managed within the CIP framework. The conclusion was that unmanaged vendor access, when repeated across many sites, presents a measurable risk to the reliability of the bulk power system.
Know your scope
For renewable operators, the first step in complying with this standard is understanding where it applies. Typically, that includes inverter controls, plant controllers, SCADA systems, and data acquisition platforms that qualify as Low-Impact BES Cyber Systems. From there, the focus shifts to identifying every vendor capable of establishing electronic connectivity to those systems.
This exercise is often more revealing than expected. The definition of “vendor” is broad, covering OEMs, O&M contractors, system integrators, managed service providers, and other third parties with system access. While some connections are obvious, others are embedded in equipment, maintained through persistent VPN tunnels, or enabled through firewall rules that have not been revisited since commissioning.
A consistent pattern emerges during program reviews. Operators recognize that vendor access exists but cannot clearly map every pathway or explain how access is managed across systems. In some cases, organizations cannot confidently determine whether vendor access is active at any moment. This lack of visibility becomes hard to justify once formal requirements are established.
It is also crucial to define the scope accurately. CIP-003-9 specifically covers bi-directional electronic remote access used for configuration, troubleshooting, and system interaction. Passive or one-way data flows are excluded. Drawing that boundary accurately prevents unnecessary complexity and compliance gaps.
Three operational requirements
The changes introduced by CIP-003-9 are clear on paper. Requirement R1, Part 1.2.6 calls for cybersecurity policies to specifically address vendor electronic remote access security controls. More importantly, Section 6 of Attachment 1 requires documented methods for vendor electronic remote access with three main functions:
- Determining when vendor electronic remote access is active
- Disabling that access when needed, and
- Detecting known or suspected malicious communications, inbound and outbound, over those connections.
Each of these requirements is operational in nature. Organizations must be able to identify not only user-initiated sessions but also persistent system-to-system connections such as VPN tunnels. They must have a clear and executable method to disable access, whether through credential revocation, firewall adjustments, or physical disconnection, and this process must be coordinated across operating entities where responsibilities are shared. Additionally, they must implement monitoring that aligns with the actual access pathways in use, rather than relying on security tools that are not scoped to the relevant traffic.
None of these requirements is technically complex. What trips teams up is not capability but follow-through: performing these actions the same way every time and keeping documentation that shows they were performed. This is where most organizations encounter challenges. The technical controls themselves are typically achievable. The issue is the evidence.
Evidence gap
NERC audits do not evaluate intent; they assess alignment. Policies, procedures, and records must accurately reflect the same reality. When those elements diverge, even well-managed environments can generate findings.
In many low-impact environments, vendor access is managed through operational knowledge rather than formal programs. Access may be limited and controlled, but authorization records are incomplete, revocation actions are not consistently documented, and monitoring logs do not clearly capture relevant activity. These are not failures of capability. They are failures of structure.
A common response to this gap is reconstruction. After an event, teams gather emails, screenshots, and system logs to explain what happened. While often well-meaning, that method creates inconsistencies and raises questions about the record’s reliability. It shifts the focus from proving what actually happened to explaining what probably happened.
A more robust approach generates evidence as part of normal operations. Access approvals are logged when granted. Connections are recorded as they happen. Disconnections are documented when performed. Monitoring is continuous and traceable. The difference becomes evident when an auditor requests proof. Instead of reconstructing events, the organization can provide a consistent and verifiable record.
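The following is an added example, not code from the article or from EverLine, showing what the three Section 6 functions and "evidence generated as part of normal operations" look like in practice when reduced to a small script. It correlates a VPN concentrator's session log against an approval register to list which vendor connections (including a persistent site-to-site tunnel) are active at a given instant, flags sessions that have no matching approval, and writes one hash-chained JSON record per session so that a later edit to any record is detectable. The log format, field names (user, tunnel, persistent), vendor account names, ticket numbers and the approval register are all constructed for illustration; a real deployment would read the concentrator's actual export and the organization's own change records.

```python
"""Correlate vendor VPN sessions with approvals and emit tamper-evident evidence.

Added example, not part of the article. Log format, account names, ticket
numbers and the approval register below are constructed for illustration.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed approval register (hypothetical fields): which vendor account was
# authorized for which window, by whom, under which change ticket.
APPROVALS = [
    {"account": "oem-inverter-svc", "approved_by": "plant.mgr", "ticket": "CHG-1042",
     "start": "2026-04-02T13:00:00Z", "end": "2026-04-02T17:00:00Z"},
    {"account": "om-contractor-01", "approved_by": "plant.mgr", "ticket": "CHG-1043",
     "start": "2026-04-02T14:00:00Z", "end": "2026-04-02T18:00:00Z"},
]

# Constructed VPN concentrator log in an assumed syslog-like key=value format.
# t-800 is a persistent system-to-system tunnel that nobody ever approved.
VPN_LOG = """\
2026-04-01T08:00:00Z vpn01 session-up user=site2site-scada src=192.0.2.10 tunnel=t-800 persistent=true
2026-04-02T13:05:12Z vpn01 session-up user=oem-inverter-svc src=203.0.113.7 tunnel=t-991
2026-04-02T14:20:00Z vpn01 session-up user=om-contractor-01 src=198.51.100.9 tunnel=t-992
2026-04-02T16:59:01Z vpn01 session-down user=oem-inverter-svc tunnel=t-991
2026-04-02T17:30:00Z vpn01 session-down user=om-contractor-01 tunnel=t-992
2026-04-02T21:00:00Z vpn01 session-up user=om-contractor-01 src=198.51.100.9 tunnel=t-993
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (session-up|session-down) (.*)$")


def _ts(s: str) -> datetime:
    """Parse the UTC timestamps used in both the log and the register."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    tunnel: str
    account: str
    start: datetime
    end: Optional[datetime]   # None means the tunnel is still up
    persistent: bool


def parse_sessions(log_text: str) -> list:
    """Pair session-up / session-down lines by tunnel id into Session objects."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not session events
        ts, _host, kind, rest = m.groups()
        kv = dict(p.split("=", 1) for p in rest.split())
        if kind == "session-up":
            sessions[kv["tunnel"]] = Session(kv["tunnel"], kv["user"], _ts(ts), None,
                                             kv.get("persistent") == "true")
        elif kv["tunnel"] in sessions:
            sessions[kv["tunnel"]].end = _ts(ts)
    return list(sessions.values())


def active_at(sessions: list, at: datetime) -> list:
    """Function 1: which vendor connections (persistent tunnels included) are up at `at`."""
    return [s for s in sessions if s.start <= at and (s.end is None or s.end > at)]


def find_approval(session: Session, approvals=APPROVALS):
    """Return the approval whose account and window cover the session start, else None."""
    for a in approvals:
        if a["account"] == session.account and _ts(a["start"]) <= session.start < _ts(a["end"]):
            return a
    return None


def build_evidence(sessions: list, approvals=APPROVALS) -> list:
    """One JSON record per session, each carrying the SHA-256 of the previous record.

    Records are produced from the log as it happens rather than reconstructed
    later; the chain makes insertion, deletion or edits detectable.
    """
    records, prev = [], "0" * 64
    for s in sorted(sessions, key=lambda x: x.start):
        a = find_approval(s, approvals)
        rec = {"tunnel": s.tunnel, "account": s.account, "start": s.start.isoformat(),
               "end": s.end.isoformat() if s.end else None, "persistent": s.persistent,
               "ticket": a["ticket"] if a else None,
               "status": "approved" if a else "UNAPPROVED", "prev": prev}
        prev = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        rec["hash"] = prev
        records.append(rec)
    return records


def verify_chain(records: list) -> bool:
    """Recompute every hash and link; False if any record was altered after the fact."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        prev = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if prev != rec["hash"]:
            return False
    return True


if __name__ == "__main__":
    sessions = parse_sessions(VPN_LOG)
    for s in active_at(sessions, _ts("2026-04-02T15:00:00Z")):
        print("active:", s.tunnel, s.account, "persistent" if s.persistent else "")
    for rec in build_evidence(sessions):
        print(json.dumps(rec))
```

Two things in the output are worth noticing. The persistent site-to-site tunnel shows up as active and UNAPPROVED because it has no start window in the register, which is exactly the embedded, commissioning-era connection the scoping exercise above is meant to surface. And the 21:00 session by an otherwise approved contractor account is also flagged, because approval is checked against the window, not just the account; that is the difference between "the vendor is allowed" and "this session was authorized."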
What’s next
CIP-003-9 is not the final point in this sequence. CIP-003-10 has already been approved, and CIP-003-11 is progressing through the standards development process. The message is clear: low-impact facilities are moving toward more structured and auditable cybersecurity programs.
That evolution reflects broader changes across the grid. Renewable generation has increased the number of interconnected assets. Digital systems and remote connectivity have expanded operational capabilities. At the same time, reliance on third-party vendors has grown. Vendor access is now a standard part of operating these systems, but it introduces an exposure point that must be managed carefully.
Organizations that treat CIP-003-9 as just a compliance checkbox will likely find themselves revisiting the same issues as new requirements come up. Those who take this opportunity to enhance visibility into vendor access, establish clear processes, and maintain consistent documentation will be better prepared as expectations continue to change.
The work involved is manageable. It focuses on clarity by understanding who has access, how access is managed, and what records are in place to prove it. Many organizations already have some of these elements established. The key difference now is that those elements need to be formalized, consistently implemented, and backed by evidence.
CIP-003-9 establishes that expectation. For renewable operators and utilities alike, vendor remote access is no longer a background concern. It is now a defined part of reliable grid operation.
—
Brandon Ware is Vice President of Power O&M Services at EverLine Integrated Technical Services. He works with utilities and renewable energy operators across all six NERC regions on registration, CIP program development, and audit readiness.
The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.