Help Shape the Future of the NERC CIP Standards

By Patrick Miller

NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. What’s happening, why it matters, and how you can participate before the July 22 deadline.

Overview

On December 10, 2024, NERC’s Board of Directors approved its 2025 Work Plan Priorities. Among them was a mandate to develop a roadmap to ensure that the Critical Infrastructure Protection (CIP) Standards continue to serve as an effective baseline for managing cyber and physical security risks to the Bulk Power System (BPS). That effort is now underway and NERC is asking the industry for input.

As part of this initiative, the ERO Enterprise has launched a new industry-wide survey focused on identifying and prioritizing the most pressing emerging security risks facing the BPS. The results will inform not only NERC’s security risk assessments but also the structure, scope, and focus of future updates to the CIP Standards.

The Opportunity: Influence What Comes Next

The cybersecurity and threat landscape continues to shift rapidly. The grid’s increasing reliance on digital infrastructure across control systems, supply chains, cloud services, and remote access is introducing new and complex risk vectors. At the same time, geopolitical tensions, advanced persistent threats, and disruptive ransomware campaigns are raising the stakes for electric sector resilience.

While the CIP Standards have provided a stable framework for BPS security over the past two decades, the current regulatory architecture must evolve to keep pace. This survey gives stakeholders the opportunity to influence that evolution.

Survey participants are asked to:

  • Rank security risks based on their likelihood and potential impact to the BPS.

  • Identify additional risks not currently captured in the predefined list.

  • Contribute to the broader effort of aligning standards with today’s operational realities and tomorrow’s threats.

The survey is open through July 22, 2025, and includes a supplemental document that provides background, definitions, and hypothetical risk scenarios to guide responses.

What NERC Plans to Do With Your Input

Responses from this survey will inform a comprehensive report that NERC will publish later this year. That report will:

  • Identify and prioritize the top emerging security risks to the reliability and security of the BPS.

  • Review how current CIP Standards address (or fail to address) those risks.

  • Analyze the scope and maturity of ongoing mitigation activities across industry.

  • Offer targeted recommendations for updating the CIP Standards and associated guidance.

In short, this effort will help define the roadmap for how the CIP Standards evolve, from technical scope to enforcement and compliance expectations.

What This Means for Asset Owners, Operators, and Compliance Professionals

This is more than just a survey. It’s a signal from NERC that the CIP Standards will be adapting and that they’re actively seeking stakeholder input to do so. If you’re responsible for cybersecurity in the electric sector, your feedback matters.

Participation offers a few key benefits:

  • Visibility into the direction NERC is heading for CIP evolution.

  • Influence over what gets prioritized in terms of standards updates and guidance.

  • Preparedness for upcoming compliance expectations that may emerge from this process.

Whether you're concerned about cloud adoption, insider threats, AI-powered attacks, edge device vulnerabilities, or third-party risk, this is your opportunity to ensure those concerns are represented in the roadmap that will shape the next generation of BPS security standards.

How to Participate

NERC is looking to modernize CIP to better reflect the current and emerging risk environment. By participating in this process, you can help ensure that future standards are practical, forward-looking, and grounded in the operational realities of securing critical infrastructure.

Featured Posts

Featured
Help Shape the Future of the NERC CIP Standards
Help Shape the Future of the NERC CIP Standards

NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. What’s happening, why it matters, and how you can participate before the July 22 deadline.

Read More →
FERC Quietly Closes The Books on RM20-12-000
FERC Quietly Closes The Books on RM20-12-000

FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.

Read More →
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid
FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid

On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.

Read More →
Canada’s Bill C‑8: A New Era for Cybersecurity Regulation
Canada’s Bill C‑8: A New Era for Cybersecurity Regulation

Canada is proposing sweeping changes to strengthen its cyber resilience through Bill C‑8. This two-part legislation enhances federal powers over telecom infrastructure and establishes enforceable cybersecurity obligations for critical infrastructure operators. Read our full breakdown of what it means, who it impacts, and what’s next in Parliament.

Read More →
Automation and AI Risks in Long Duration Energy Storage Systems (LDES): Risk Mitigation and Regulatory Responsibilities
Automation and AI Risks in Long Duration Energy Storage Systems (LDES): Risk Mitigation and Regulatory Responsibilities

As Long Duration Energy Storage Systems (LDES) become essential to the future of grid resiliency and renewable integration, the infusion of automation and artificial intelligence (AI) into these technologies presents a range of strategic risks. These include cybersecurity vulnerabilities, operational uncertainties, automation-induced failures, and regulatory gaps. This white paper outlines the major categories of risk and identifies key government, regulatory, and standards bodies responsible for managing and mitigating these challenges.

Read More →
Patrick Miller