CIP Roadmap

By Jason Georgoulis
CIP Cyber and Physical Security Analyst

In January 2026, the North American Electric Reliability Corporation (NERC) released the Critical Infrastructure Protection (CIP) Roadmap to evaluate current CIP Standards and offer a summary analysis of the evolving risks that threaten the North American electric sector. NERC compiled a comprehensive risk registry and evaluated potential enhancements that would reduce residual risk to the grid.

Among the key findings, NERC has identified that low impact Bulk Electric System (BES) Cyber Systems (BCS)—including Category 2 inverter-based resources—represent an expanding share of operational dependency, as well as increased use of the operational technology deployed across the Bulk Power System (BPS). This suggests the need for increased security around low impact BCS.

The risk analysis identified several control themes with broad mitigation value, including:

  • Multi-factor authentication (MFA): Implementing MFA for all interactive remote access, regardless of impact rating, could reduce the risk of credential theft, remote access abuse, and insider threats.
  • Foundational cyber hygiene: Practicing good cyber hygiene can improve the effectiveness of all basic controls such as configuration management, defensible network topologies, vulnerability management, and internal network security monitoring.
  • Protection of public network communications: Utilities rely heavily on leased or carrier-provided telecommunications for the transmission of critical data. This suggests the need for increased protection around the confidentiality and integrity of all communications that could be intercepted and impact reliability.

The CIP Roadmap suggests the need for continued coordination between NERC, Regional Entities, industry, and government partners to ensure that the CIP framework continues to evolve at a pace that addresses the security needs of the present and the future.

For more information, Texas RE encourages registered entities to review the CIP Roadmap.