Help Shape the Future of the NERC CIP Standards

By Patrick Miller

NERC is asking for industry input on the future of CIP Standards. As part of its 2025 Work Plan, NERC has launched a survey to identify and prioritize emerging security risks to the Bulk Power System. The results will directly inform a roadmap for updating the CIP Standards to address today’s evolving threat landscape. Here is what’s happening, why it matters, and how you can participate before the July 22 deadline.

Overview

On December 10, 2024, NERC’s Board of Directors approved its 2025 Work Plan Priorities. Among them was a mandate to develop a roadmap to ensure that the Critical Infrastructure Protection (CIP) Standards continue to serve as an effective baseline for managing cyber and physical security risks to the Bulk Power System (BPS). That effort is now underway, and NERC is asking the industry for input.

As part of this initiative, the ERO Enterprise has launched a new industry-wide survey focused on identifying and prioritizing the most pressing emerging security risks facing the BPS. The results will inform not only NERC’s security risk assessments but also the structure, scope, and focus of future updates to the CIP Standards.

The Opportunity: Influence What Comes Next

The cybersecurity and threat landscape continues to shift rapidly. The grid’s increasing reliance on digital infrastructure across control systems, supply chains, cloud services, and remote access is introducing new and complex risk vectors. At the same time, geopolitical tensions, advanced persistent threats, and disruptive ransomware campaigns are raising the stakes for electric sector resilience.

While the CIP Standards have provided a stable framework for BPS security over the past two decades, the current regulatory architecture must evolve to keep pace. This survey gives stakeholders the opportunity to influence that evolution.

Survey participants are asked to:

  • Rank security risks based on their likelihood and potential impact to the BPS.

  • Identify additional risks not currently captured in the predefined list.

  • Contribute to the broader effort of aligning standards with today’s operational realities and tomorrow’s threats.

The survey is open through July 22, 2025, and includes a supplemental document that provides background, definitions, and hypothetical risk scenarios to guide responses.

What NERC Plans to Do With Your Input

Responses from this survey will inform a comprehensive report that NERC will publish later this year. That report will:

  • Identify and prioritize the top emerging security risks to the reliability and security of the BPS.

  • Review how current CIP Standards address (or fail to address) those risks.

  • Analyze the scope and maturity of ongoing mitigation activities across industry.

  • Offer targeted recommendations for updating the CIP Standards and associated guidance.

In short, this effort will help define the roadmap for how the CIP Standards evolve, from technical scope to enforcement and compliance expectations.

What This Means for Asset Owners, Operators, and Compliance Professionals

This is more than just a survey. It’s a signal from NERC that the CIP Standards will be adapting and that NERC is actively seeking stakeholder input as they do. If you’re responsible for cybersecurity in the electric sector, your feedback matters.

Participation offers a few key benefits:

  • Visibility into the direction NERC is heading for CIP evolution.

  • Influence over what gets prioritized in terms of standards updates and guidance.

  • Preparedness for upcoming compliance expectations that may emerge from this process.

Whether you're concerned about cloud adoption, insider threats, AI-powered attacks, edge device vulnerabilities, or third-party risk, this is your opportunity to ensure those concerns are represented in the roadmap that will shape the next generation of BPS security standards.

How to Participate

NERC is looking to modernize CIP to better reflect the current and emerging risk environment. By participating in this process, you can help ensure that future standards are practical, forward-looking, and grounded in the operational realities of securing critical infrastructure.
