
NERC CIP-003-9 is Here: What You Need to Know Before the April 2026 Deadline

Team Shieldworkz

The perimeter is no longer enough. If recent nation-state cyber campaigns have taught us anything, it is that advanced adversaries do not break through the front door of industrial control systems; they log in using trusted vendor credentials and pivot through unmonitored internal systems.

Before we move forward, don’t forget to check out our previous blog post “Exposed ICS/SCADA Ports: The Silent Threat Lurking on Your Public-Facing Industrial Infrastructure” here.

For plant managers, OT engineers, and CISOs across the North American power grid, the regulatory landscape is rapidly shifting to address this exact reality. The primary catalyst? NERC CIP-003-9. With an enforcement deadline of April 1, 2026, this standard fundamentally changes how utilities must manage and secure vendor electronic remote access to low-impact Bulk Electric System (BES) cyber assets.

But CIP-003-9 is not operating in a vacuum. It is part of a massive regulatory wave explicitly designed to close the visibility gaps hackers exploit once they bypass traditional firewalls. Hot on its heels is the proposed NERC CIP-015-2 standard, which dramatically expands Internal Network Security Monitoring (INSM) beyond the traditional Electronic Security Perimeter (ESP).

In this comprehensive guide, we are going to break down exactly what the April 2026 deadline means for your operations, why the CIP-015 monitoring scope is expanding to include critical support systems, and how you can implement step-by-step prevention tactics today.

At Shieldworkz, we know that compliance does not equal security. Let’s explore how you can achieve both.

The April 2026 Reality: Understanding NERC CIP-003-9

For years, the energy sector focused its heaviest cybersecurity investments on high- and medium-impact facilities. Low-impact environments, such as remote solar arrays, distributed wind farms, and smaller distribution substations, were often protected by basic network isolation or simple virtual private networks (VPNs).

That era ends on April 1, 2026.

NERC CIP-003-9 specifically targets these low-impact systems, acknowledging a critical vulnerability: the supply chain and third-party vendors. The standard mandates robust security controls for vendor electronic remote access. It requires utilities to explicitly identify, authenticate, and monitor the third-party contractors and systems integrators who maintain remote connections to the grid.

The Problem with Legacy VPNs

As the deadline approaches, many organizations are tempted to simply scale up their existing legacy VPNs. This is a critical strategic error.

A traditional VPN grants broad, network-level access. Once a user authenticates, they are essentially inside the moat. If a third-party vendor’s laptop is compromised (a common tactic in modern supply chain attacks), the VPN acts as a direct conduit for the attacker to move laterally across your OT environment, scan for legacy programmable logic controllers (PLCs), and execute malicious commands. Furthermore, VPNs lack the granular, application-level authorization required to prove to NERC auditors that a vendor only accessed the specific water pump or inverter they were contracted to maintain.

To meet the intent of NERC CIP-003-9, utilities must shift toward zero-trust principles and multi-factor authentication (MFA). You must verify the user's identity before any network traffic is allowed to reach the protected asset.

Beyond the Perimeter: The Evolution of NERC CIP-015

While CIP-003-9 locks down remote access to low-impact systems, regulators are simultaneously addressing the blind spots inside high- and medium-impact facilities.

In June 2025, the Federal Energy Regulatory Commission (FERC) approved NERC CIP-015-1, mandating Internal Network Security Monitoring inside the ESP. However, FERC recognized that this initial version left a glaring "reliability gap." Attackers were no longer just targeting the BES Cyber Systems directly; they were compromising the infrastructure that supports and controls access to them.

This led to FERC Order No. 907, which explicitly directed NERC to expand the CIP-015 monitoring scope. The result is the proposed NERC CIP-015-2 standard.

Core Expansion: From ESP to EACMS and PACS

While version 1 focused on monitoring "east-west" traffic strictly inside the ESP, CIP-015-2 extends INSM requirements to systems that often sit outside the perimeter but hold the proverbial "keys to the kingdom."

To maintain compliance and protect your infrastructure, your security teams must understand and monitor three critical categories of support systems:

  • Electronic Access Control or Monitoring Systems (EACMS): These are the systems that manage logical access. Examples include authentication servers (like Active Directory, RADIUS, or TACACS+), remote access gateways, jump hosts, and network monitoring tools. If an attacker compromises your EACMS, they control who is allowed into the network.

  • Physical Access Control Systems (PACS): This encompasses the infrastructure managing physical entry to your facilities. It includes badge readers, biometric scanners, door controllers, and visitor management systems. Hackers increasingly target PACS to facilitate physical intrusions or to cross-reference physical locations with logical network activity.

  • Shared Cyber Infrastructure (SCI): A newer term in the NERC glossary, SCI refers to the virtualization technologies and shared storage environments (like hypervisors, SANs, or shared databases) that support multiple operational technologies simultaneously. A compromise here can impact multiple BES Cyber Systems at once.

    The "Why": Closing Security Gaps and Thwarting Adversaries

    Why are regulatory bodies like NERC and FERC pushing so aggressively for INSM for EACMS and PACS? The answer lies in the evolving tactics of advanced persistent threats (APTs).

    Adversary Pivot Points

    Hackers rarely execute a direct, brute-force attack against a core PLC or safety instrumented system (SIS). Instead, they pivot. They look for the path of least resistance.

    A prime example is the sophisticated Volt Typhoon campaign, where attackers targeted critical infrastructure by first compromising peripheral edge devices and identity systems. Once inside, they used "living off the land" (LotL) techniques-employing native, legitimate administrative tools already present on the network to move laterally without triggering malware signatures.

    • Step 1: The adversary gains access to an EACMS or PACS outside the ESP through phishing, credential theft, or a supply chain compromise of management software.

    • Step 2: Once inside the EACMS or PACS, they conduct reconnaissance. They map out the topology, identify the trusted connections to the ESP, and establish command-and-control channels.

    • Step 3: The adversary uses the compromised support system as a launching point. Because the traffic originates from an authorized, trusted source (your own authentication server), it bypasses perimeter firewalls and existing CIP-015-1 monitoring focused strictly within the ESP.


NERC CIP-003-9 & CIP-015-2: Key Technical Requirements for Compliance

To prepare for the April 2026 deadline and the ensuing CIP-015 monitoring scope expansion, your compliance and security teams must implement specific technical controls. Understanding what NERC expects is the first step toward actual security.

The forthcoming standards mandate monitoring for:

  • Vendor Electronic Remote Access: For NERC CIP-003-9, utilities must have methods to determine and disable vendor access, detect malicious communications related to that access, and implement multi-factor authentication (MFA) or an equivalent zero-trust architecture. This ensures that a compromised vendor credential does not translate into a compromised control system.

  • Network Segments Connected to EACMS and PACS Outside the ESP: You must capture and analyze the traffic paths between your electronic and physical access systems and the core BES Cyber Assets. This is no longer optional. NERC specifically focuses on the east-west traffic for access monitoring of EACMS and PACS.

  • Internal Segments Within External Support Systems: You must maintain visibility into the internal communications of your shared infrastructure components, such as hypervisors and shared storage environments, to detect configuration changes or unauthorized access attempts.

Timeline and Status

Here is where things stand for the Internal Network Security mandates:

  • Draft Status: The NERC drafting team (Project 2025-02) published proposed revisions to CIP-015-2 in late 2025.

  • Industry Approval: An initial industry ballot in January 2026 passed with an overwhelming 84.33% approval, signaling broad consensus that these measures are necessary.

  • Effective Dates: The final ballot passed on March 5, 2026. While the April 2026 deadline for CIP-003-9 is firmly set, implementation for CIP-015-2 for high-impact systems and control centers is expected to follow the phased rollout established by CIP-015-1, with broad compliance likely required by late 2029.

Your Blueprint: Step-by-Step Prevention Tactics

Compliance is a trailing indicator of security. To truly protect your BES Cyber Assets and meet the stringent requirements of NERC CIP-003-9 and CIP-015-2, you need a proactive, defense-in-depth strategy.

Here is the step-by-step blueprint our team at Shieldworkz recommends for plant managers and OT engineers preparing for the impending deadlines.

Step 1: Execute a Comprehensive Asset Discovery and Inventory

You cannot protect what you cannot see, and you certainly cannot monitor what you do not know exists. Begin by mapping your entire access control infrastructure. Identify all systems that manage logical or physical access, including:

  • Active Directory and identity management platforms.

  • Remote access gateways, jump hosts, and VPN concentrators.

  • Badge systems, door controllers, and visitor management logs.

  • Shared virtualization hosts (hypervisors).

Understanding exactly where these systems reside on the network, and their impact categorization, is the foundation of compliance.

Step 2: Implement Zero-Trust for Vendor Access (CIP-003-9 Focus)

Replace legacy VPNs with an identity-aware proxy built on zero-trust principles. Instead of connecting a device to a broad network, connect a verified human identity to a single, authorized application.

  • Enforce MFA: Mandate multi-factor authentication for every remote session. Verify the user’s identity through something they know (password) and something they have (physical token or biometric) before any traffic reaches the asset.

  • Eliminate Inbound Ports: Configure your architecture to use outbound-only connections to cloak your infrastructure from public internet scanners like Shodan.

  • Application-Layer Authorization: Ensure vendors can only access the specific equipment they are contracted to maintain, logging every interaction for your NERC compliance audits.
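An added example, not code from the original post or from any Shieldworkz product, of the per-session, per-asset decision an identity-aware proxy makes for a vendor connection under the CIP-003-9 points above: a completed MFA challenge, scope limited to the contracted equipment, a way to disable a vendor outright, and an audit record for every request whether allowed or denied. Vendor names, asset names and hours are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed vendor scopes. In practice these come from the contract or change-ticket
# system (assumption): which assets a contractor may reach, the hours allowed, and
# whether the access is currently enabled at all.
VENDOR_SCOPES = {
    "acme-inverter-tech": {"assets": {"inverter-07"}, "hours": (9, 17), "enabled": True},
    "windco-scada": {"assets": {"wtg-ctrl-03", "wtg-ctrl-04"}, "hours": (0, 24), "enabled": True},
    "oldvendor-llc": {"assets": {"inverter-07"}, "hours": (9, 17), "enabled": False},  # contract ended
}

AUDIT_LOG = []  # every decision is recorded, allowed or denied

@dataclass
class SessionRequest:
    vendor: str
    asset: str
    mfa_verified: bool
    when: datetime

def authorize(req: SessionRequest) -> tuple:
    """Per-session, per-asset decision for a vendor connection. Default deny: the request
    must name an enabled vendor, carry a completed MFA challenge, target an asset inside
    that vendor's scope, and fall inside the agreed hours. Returns (allowed, reason)."""
    scope = VENDOR_SCOPES.get(req.vendor)
    if scope is None or not scope["enabled"]:
        reason = "vendor-not-enabled"
    elif not req.mfa_verified:
        reason = "mfa-required"
    elif req.asset not in scope["assets"]:
        reason = "asset-out-of-scope"
    elif not (scope["hours"][0] <= req.when.hour < scope["hours"][1]):
        reason = "outside-agreed-hours"
    else:
        reason = "ok"
    allowed = reason == "ok"
    AUDIT_LOG.append({"ts": req.when.isoformat(), "vendor": req.vendor, "asset": req.asset,
                      "mfa": req.mfa_verified, "allowed": allowed, "reason": reason})
    return allowed, reason

def disable_vendor(vendor: str) -> bool:
    """CIP-003-9 asks for a method to disable vendor access: flipping the flag makes
    every later authorize() call for that vendor fail closed."""
    if vendor not in VENDOR_SCOPES:
        return False
    VENDOR_SCOPES[vendor]["enabled"] = False
    return True
```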

Step 3: Map Communication Paths and Deploy Strategic Sensors (CIP-015 Focus)

Next, map the communication flows between your EACMS, PACS, SCI, and the BES Cyber Systems they support. This is the new CIP-015 monitoring scope.

  • Identify the critical choke points where east-west traffic flows between the perimeter and the support systems.

  • Deploy deep packet inspection (DPI) sensors capable of understanding industrial protocols (like DNP3, Modbus, and IEC 61850) at these strategic locations. You must be able to decode the exact commands being sent over the wire, not just the IP headers.

Step 4: Establish AI-Driven Baselining and Anomaly Detection

Signature-based anti-virus tools are effectively useless against "living off the land" tactics. You must rely on behavioral baselining.

  • Use an AI-driven engine to monitor your network traffic over a learning period. The system must understand what "normal" looks like for your specific plant, for example knowing that a specific engineering workstation only ever issues logic download commands to a PLC during a scheduled maintenance window on Tuesdays.

  • Configure the engine to trigger automated alerts the moment a trusted account or system deviates from this baseline (e.g., an Active Directory server suddenly attempting to ping a remote substation).
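As an added example (not code from the original post or from a Shieldworkz product), the following Python sketch ties Step 3 and Step 4 together: it decodes the Modbus/TCP function code from each captured request rather than stopping at the IP header, learns a baseline of which source issues which command to which controller on which weekday, and alerts when a write arrives outside that baseline, such as the engineering workstation's Tuesday maintenance writes showing up on a Thursday. Host names, frames and the learning-period flows are constructed; a production sensor would feed it live captures and add DNP3 and IEC 61850 decoders.

```python
import struct

# Modbus function codes that change process state (writes); 1-4 are reads.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("MBAP header inconsistent with frame")
    func = payload[7]
    return {"transaction": tid, "unit": unit, "function": func, "write": func in WRITE_FUNCS}

def _key(src, dst, weekday, pdu):
    # Writes are only "normal" on the weekday they were learned (the Tuesday maintenance
    # window in the text); reads are normal on any day once seen for that src/dst pair.
    return (src, dst, pdu["function"], weekday if pdu["write"] else None)

def learn_baseline(flows):
    """flows: (src, dst, weekday, payload) tuples captured during the learning period."""
    return {_key(s, d, wd, parse_modbus_tcp(p)) for s, d, wd, p in flows}

def detect(flows, baseline):
    """One alert per flow whose (source, destination, command, day) was never baselined;
    a never-seen write is rated higher than a never-seen read."""
    alerts = []
    for s, d, wd, p in flows:
        pdu = parse_modbus_tcp(p)
        if _key(s, d, wd, pdu) not in baseline:
            alerts.append({"severity": "high" if pdu["write"] else "medium", "src": s,
                           "dst": d, "function": pdu["function"], "weekday": wd})
    return alerts

# Constructed frames: Read Holding Registers (0x03) and Write Multiple Registers (0x10).
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_MR = bytes.fromhex("0002 0000 0009 01 10 0000 0001 02 0001")

# Constructed learning period: Tuesday (weekday 1) maintenance writes from the
# engineering workstation, HMI polling on several days.
TRAINING = [("eng-ws-01", "plc-feeder-2", 1, WRITE_MR),
            ("hmi-01", "plc-feeder-2", 1, READ_HR),
            ("hmi-01", "plc-feeder-2", 3, READ_HR)]
# Constructed live traffic: the same write on a Thursday, and a read from the domain controller.
LIVE = [("eng-ws-01", "plc-feeder-2", 1, WRITE_MR),
        ("eng-ws-01", "plc-feeder-2", 3, WRITE_MR),
        ("hmi-01", "plc-feeder-2", 4, READ_HR),
        ("ad-dc-01", "plc-feeder-2", 1, READ_HR)]
```

Running `detect(LIVE, learn_baseline(TRAINING))` yields exactly two alerts: a high-severity one for the Thursday write and a medium one for the domain controller polling a feeder PLC it has never spoken to.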

Step 5: Integrate Forensics and Automate Audit Logging

Proving compliance during a NERC CIP audit requires meticulous documentation. Ensure your monitoring solutions generate a central, immutable audit log of all remote access sessions, authentication challenges, and detected anomalies.

Your SOC team needs rapid access to historical packet captures and context-enriched alerts to quickly investigate and respond to incidents before an attacker can pivot from an EACMS into the core ESP.

Conclusion

The April 2026 deadline for NERC CIP-003-9 is not a suggestion; it is a mandate. And the incoming CIP-015-2 standard expanding INSM for EACMS and PACS proves that regulatory bodies are fundamentally shifting how they view the industrial perimeter. The days of relying on an isolated network and a legacy VPN are over.

Hackers understand that your access control systems and vendor connections are the fastest route to compromising your critical infrastructure. It is time to secure those pathways.

By shifting to zero-trust architecture for vendor remote access, mapping your expanded network dependencies, and deploying continuous, deep-packet anomaly detection, you can ensure your utility is not just compliant, but genuinely secure against the next generation of nation-state threats.

Ready to secure your infrastructure before the deadline?

At Shieldworkz, we specialize in helping energy utilities deploy seamless multi-factor authentication, automate compliance, and integrate continuous OT anomaly detection. Don't let your VPN become a compliance liability.

Contact the Shieldworkz engineering team today to schedule a zero-trust architecture assessment and get ahead of NERC CIP-003-9.
