
NERC CIP Roadmap for 2026: Practical Steps for Power Generation to Protect PLCs and RTUs 


Team Shieldworkz

February 3, 2026

If you are a plant manager, OT engineer, or CISO in the power generation sector, the release of the NERC CIP Roadmap in January 2026 is not just another compliance update: it is a fundamental restructuring of how we define "criticality" in the bulk power system (BPS). For nearly two decades, the industry has operated under a model where "High Impact" control centers were fortresses, and "Low Impact" generation assets were treated with a lighter touch. 

The 2026 Roadmap dismantles that assumption. Driven by a risk environment that has evolved faster than the standards themselves, NERC is signaling that the era of perimeter-only defense is over. The Roadmap explicitly warns that the bulk of Operational Technology (OT) enabling generation, transmission, and balancing now resides outside medium- and high-impact CIP coverage. This "coverage gap" has created a massive, distributed attack surface where adversaries can aggregate small compromises (targeting PLCs, RTUs, and inverters) to create system-wide instability. 

At Shieldworkz, we see this as the definitive moment for OT security. The Roadmap doesn't just ask for more paperwork; it demands a technical evolution. It calls for Internal Network Security Monitoring (INSM), ubiquitous Multi-Factor Authentication (MFA), and the encryption of real-time operational data over public networks. 

Before we move forward, don’t forget to check out our previous blog post “Observed reduction in Chinese APT Operations amid 2026 PLA purge”, here. 

In this comprehensive guide, we will dissect the 2026 NERC CIP Roadmap, analyze the specific threats driving these changes (including state-sponsored campaigns like "Salt Typhoon"), and provide a detailed, six-step strategy to protect your PLCs and RTUs from the inside out. 

Part 1: The New Risk Reality (Why NERC is Acting Now) 

To understand the 2026 mandates, we must first understand the "Why." NERC’s Security Integration team, in collaboration with Regional Entities, built this Roadmap based on a comprehensive risk registry. Their analysis reveals that while the grid is becoming more digitized and interconnected, its exposure to sophisticated cyber and physical threats is growing in parallel. 

1. The "Aggregation" of Low-Impact Risks 

The most significant finding in the Roadmap is that the "Low Impact" classification often masks high-risk dependencies. The Roadmap notes that low-impact systems, third-party operators, and newly registered "Category 2" inverter-based resource (IBR) registrants represent an expanding share of operational dependency. 

Historically, we assumed that compromising a single PLC at a small generation site wouldn't impact the broader grid. The 2026 Roadmap challenges this. It highlights that coordinated attacks on multiple low-impact assets can "aggregate" into large-scale effects. If an attacker uses a shared vendor pathway to simultaneously shut down 50 "low impact" turbines, the result is a "High Impact" event. This aligns with concerns raised by FERC regarding the "Notice of Proposed Rulemaking (NOPR) for CIP-003-11". 

2. The Telecom & "Salt Typhoon" Threat 

Perhaps the most urgent warning in the Roadmap concerns the Protection of Public Network Communications. The electric sector relies heavily on leased or carrier-provided telecommunications for Supervisory Control and Data Acquisition (SCADA) and Automatic Generation Control (AGC) data. 

NERC explicitly references the "Salt Typhoon" campaign, a state-sponsored effort targeting telecommunications infrastructure. The Roadmap warns that utility traffic often traverses unencrypted links that fall outside the current scope of CIP-012, which only protects control-center-to-control-center links. 

  • The Vulnerability: Legacy protocols like DNP3, ICCP, and Modbus often traverse these carrier networks without native encryption. 

  • The Reality: Even if you have a "private" APN or leased line, your traffic is moving over physical infrastructure owned and operated by telecommunications providers who are now active targets of APT groups. 

  • The Mandate: The Roadmap prioritizes extending confidentiality and integrity protections to include these facility-to-control-center communications. 

3. The "Foundational Hygiene" Gap 

Despite years of investment in advanced threat detection, the Roadmap reveals that the industry is still failing at the basics. It cites "persistent gaps" in asset identification, configuration management, and defensible network topologies. The document states bluntly: "The effectiveness of advanced capabilities, such as internal network security monitoring (INSM), ultimately depends on these fundamentals". You cannot monitor what you have not identified, and you cannot defend a network whose topology is undocumented. 

Part 2: The Core Pillars of the 2026 Roadmap 

The Roadmap categorizes its recommendations into "Near Term" (immediate action required) and "Intermediate Term" (strategic planning required). For power generation operators, three specific pillars stand out. 

Pillar 1: Universal Multi-Factor Authentication (MFA) 

The Roadmap identifies MFA as one of the "most impactful and immediately actionable safeguards" available to the industry. While CIP-005-7 already requires MFA for high- and medium-impact systems, the 2026 Roadmap pushes to extend this requirement to Low-Impact BES Cyber Systems. 

  • The Logic: Attack paths frequently involve credential theft or remote access abuse. Since many low-impact generation assets have remote access enabled for maintenance, they become easy entry points for attackers to pivot into the broader network. 

  • The Friction Argument: The Roadmap acknowledges that MFA introduces friction, but argues that this friction is necessary at the precise points where adversaries attempt to transition from initial access to control. 

  • The Goal: The explicit recommendation is to develop a Standard Authorization Request (SAR) to mandate MFA for all interactive remote access to low-impact systems. 

Pillar 2: Encryption for "Last Mile" Communications 

Current CIP-012 standards focus on the links between control centers. The Roadmap identifies a critical blind spot: the "last mile" between the control center and the facility (the power plant or substation). 

  • The Problem: SCADA and AGC data often flow over public carrier networks using protocols that have no security. DNP3 and Modbus traffic can be intercepted, read, and even modified (Man-in-the-Middle attacks) if the carrier network is compromised. 

  • The Recommendation: The Roadmap calls for a "CIP-012-based study" to develop a SAR that addresses encryption and network security protections for all public or carrier-dependent communications used in facility operations. 

Pillar 3: Internal Network Security Monitoring (INSM) 

Moving beyond the perimeter is a central theme. The Roadmap references the "Internal Network Security Monitoring Feasibility Study," noting that a large portion of generation assets possess internal remote access capabilities that are currently unmonitored. 

  • East-West Visibility: The goal is to detect lateral movement. If an attacker breaches a workstation, INSM should detect them scanning for PLCs or attempting to update firmware before they cause damage. 

  • The Standard: This aligns with the ongoing project "2025-02 (Internal Network Security Monitoring Standard Revision)," which aims to mandate these controls. 

Part 3: Tactical Defense - 6 Steps to Protect PLCs and RTUs 

The "Near Term" and "Intermediate Term" designations in the Roadmap are not an excuse to wait. They are a warning. To align your power generation facility with the 2026 Roadmap, you need to implement a defense-in-depth strategy that protects your legacy hardware (PLCs and RTUs) from modern threats. 

Here is Shieldworkz's recommended six-step implementation plan. 

Step 1: Establish a "Defensible" Network Topology 

The Roadmap cites "defensible network topologies" as a foundational cyber hygiene gap. You cannot simply flatten your network and hope for the best. 

  • The Challenge: Many plants have evolved organically, with PLCs, HMIs, and Historians sitting on the same flat VLAN to make communication "easy." 

  • The Fix: You must segment your network based on the Purdue Model, but with a modern twist. Separate your Safety Instrumented Systems (SIS) from your standard control loops. 

  • Topology Documentation: The Roadmap explicitly lists "Network topology definition and trust boundary documentation" as a focus area. You need an automated way to visualize which devices are communicating. If a PLC in Unit 1 is talking to a PLC in Unit 2, why? If there is no operational reason, that path should be severed. 

Step 2: Implement MFA for "Interactive" Remote Access 

The Roadmap defines a clear target: "Uniform deployment of MFA for all interactive remote access". This means that every time a human, whether an employee or a vendor, logs in to make a change, they must prove their identity. 

  • Vendor Access: This is often the hardest part. Your turbine vendor might demand a permanent VPN tunnel for "predictive maintenance." The Roadmap warns against this "unregistered third-party" risk. 

  • Shieldworkz Strategy: Implement a secure remote access gateway that sits before the OT firewall. Enforce MFA at this gateway. Once authenticated, the user is "jumped" to a secure host inside the DMZ, never directly to the PLC. This satisfies the requirement for MFA on interactive access without requiring you to install software on a legacy PLC (which is usually impossible). 

Step 3: Encrypt the "Dirty" Protocols (DNP3/Modbus) 

You likely have RTUs sending DNP3 data to a control center over a cellular modem or a leased line. The Roadmap calls out these "legacy protocols" explicitly for their lack of native encryption. 

  • The Risk: In the "Salt Typhoon" era, you must assume the carrier network is compromised. An attacker with access to the carrier infrastructure can inject false AGC commands, forcing your generators to ramp up or down dangerously. 

  • The Fix: Since you cannot patch DNP3 to be secure, you must wrap it. Deploy localized encryption gateways (VPN edge devices) at every substation and generation site. These devices encapsulate the DNP3 traffic inside an IPsec or TLS tunnel before it touches the public network. This ensures "confidentiality and integrity" as demanded by the Roadmap. 

Step 4: Deploy INSM for Anomaly Detection 

The Roadmap warns that without INSM, you are blind to "living off the land" techniques. This is where an attacker uses legitimate tools (like PowerShell or engineering workstations) to carry out attacks. 

  • What to Monitor: You don't just want to see "virus blocked." You need to see operational anomalies: 

      • Logic Changes: An alert should trigger if a "Write" command is sent to a PLC's logic block. 

      • Firmware Updates: Any attempt to push firmware to an RTU should generate a critical severity alert. 

      • New Conversations: If an HMI that usually only talks to PLCs suddenly opens a connection to the Internet, INSM must catch it. 

  • Shieldworkz Capability: Our platform specializes in this "East-West" monitoring. We parse the industrial protocols to understand what is being commanded, not just who is talking. 
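The three alert rules above (logic writes, firmware pushes, new conversations), plus the undocumented PLC-to-PLC path from Step 1, as an added example that is not part of the original post or the Shieldworkz platform: a small Python rule set run over events that a DPI sensor has already decoded. The addresses, roles, operation labels and trust-boundary baseline are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory for one plant unit (addresses and roles are made up).
ROLES = {"10.1.1.10": "HMI", "10.1.1.20": "EWS", "10.1.1.50": "HISTORIAN",
         "10.1.2.5": "PLC", "10.1.2.6": "PLC", "10.1.3.9": "RTU"}
PLANT_PREFIX = "10.1."
# Documented trust boundaries: (source, destination) role pairs allowed to talk; PLC -> PLC is absent.
BASELINE = {("HMI", "PLC"), ("EWS", "PLC"), ("EWS", "RTU"), ("HISTORIAN", "PLC")}
# Operation labels as a DPI sensor might emit them after decoding (constructed, not real function codes).
LOGIC_WRITE_OPS = {"plc.program_download", "plc.force_io"}
FIRMWARE_OPS = {"rtu.firmware_upload", "dnp3.file_open"}

@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    op: str

def role(ip: str) -> str:
    """Inventoried role of an address; anything outside the plant range is EXTERNAL."""
    if ip in ROLES:
        return ROLES[ip]
    return "UNKNOWN" if ip.startswith(PLANT_PREFIX) else "EXTERNAL"

def classify(ev: Event) -> list[tuple[str, str]]:
    """(severity, reason) alerts for one decoded event; an empty list means normal traffic."""
    s, d = role(ev.src), role(ev.dst)
    alerts = []
    if (s, d) not in BASELINE:                                    # "New Conversations" / Step 1
        sev = "critical" if "EXTERNAL" in (s, d) else "high"
        alerts.append((sev, f"new conversation {s} {ev.src} -> {d} {ev.dst}"))
    if ev.op in LOGIC_WRITE_OPS and d == "PLC" and s != "EWS":    # "Logic Changes"
        alerts.append(("high", f"logic write {ev.op} to PLC from {s}"))
    if ev.op in FIRMWARE_OPS and d in ("RTU", "PLC"):              # "Firmware Updates"
        alerts.append(("critical", f"firmware/file transfer {ev.op} to {d} from {s}"))
    return alerts

# Constructed sample of decoded traffic: one benign setpoint write and four anomalies.
EVENTS = [
    Event("10.1.1.10", "10.1.2.5", "modbus.write_register"),  # HMI setpoint write: normal
    Event("10.1.1.10", "10.1.2.5", "plc.program_download"),   # logic download from an HMI
    Event("10.1.1.20", "10.1.3.9", "dnp3.file_open"),         # firmware push, even from the EWS
    Event("10.1.2.5", "10.1.2.6", "modbus.read_registers"),   # undocumented PLC -> PLC path
    Event("10.1.1.10", "203.0.113.7", "tcp.connect"),         # HMI reaching an external address
]

if __name__ == "__main__":
    for ev in EVENTS:
        for sev, reason in classify(ev):
            print(f"[{sev.upper()}] {reason} ({ev.op})")
```

An ordinary HMI setpoint write produces no alert; only the logic download, the firmware transfer, the PLC-to-PLC path and the external connection do.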

Step 5: Master Configuration & Change Management 

The Roadmap highlights "configuration management" as a persistent gap that "undercuts grid security maturity". 

  • The Baseline: You need a "Gold Image" of your PLC logic. What does "good" look like? 

  • The Delta: Every time a change occurs, it must be compared against the baseline. Did the setpoint change? Did a ladder logic rung get deleted? 

  • Lifecycle Management: The Roadmap also points to "End-of-Life Systems" as a risk. You need an inventory that flags devices that are no longer supported by the vendor, so you can apply extra monitoring around them. 
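The baseline-versus-delta comparison and the end-of-life flagging described in this step, as an added Python example (not part of the original post or the Shieldworkz platform). The PLC export format, tag names, rung text and vendor support dates are constructed stand-ins for a real controller export and inventory.

```python
import difflib
from datetime import date

# Constructed "gold image" export of one PLC: firmware, setpoints and ladder-logic rungs (text stand-ins).
GOLD = {
    "firmware": "4.2.1",
    "setpoints": {"drum_level_hi": 62.0, "drum_level_lo": 38.0, "fw_pump_trip_s": 3.0},
    "rungs": ["XIC LvlHi OTE HiAlarm", "XIC LvlLo OTE TripPump", "TON PumpDelay 3000"],
}
# Constructed export pulled from the running controller during a change review.
CURRENT = {
    "firmware": "4.2.1",
    "setpoints": {"drum_level_hi": 62.0, "drum_level_lo": 38.0, "fw_pump_trip_s": 0.5},
    "rungs": ["XIC LvlHi OTE HiAlarm", "TON PumpDelay 3000"],
}

def delta(gold: dict, current: dict) -> list[str]:
    """Describe every difference between the approved baseline and the live configuration."""
    findings = []
    if gold["firmware"] != current["firmware"]:
        findings.append(f"firmware changed: {gold['firmware']} -> {current['firmware']}")
    g_sp, c_sp = gold["setpoints"], current["setpoints"]
    for tag in sorted(g_sp.keys() | c_sp.keys()):
        if tag not in c_sp:
            findings.append(f"setpoint removed: {tag}")
        elif tag not in g_sp:
            findings.append(f"setpoint added: {tag}={c_sp[tag]}")
        elif g_sp[tag] != c_sp[tag]:
            findings.append(f"setpoint changed: {tag} {g_sp[tag]} -> {c_sp[tag]}")
    # Rung order matters in ladder logic, so diff the sequence rather than a set of rungs.
    sm = difflib.SequenceMatcher(None, gold["rungs"], current["rungs"])
    for op, g0, g1, c0, c1 in sm.get_opcodes():
        if op in ("delete", "replace"):
            findings.extend(f"rung deleted or modified: {r!r}" for r in gold["rungs"][g0:g1])
        if op in ("insert", "replace"):
            findings.extend(f"rung added: {r!r}" for r in current["rungs"][c0:c1])
    return findings

# Constructed inventory with vendor support end dates (placeholder values) and the review date.
INVENTORY = {"PLC-U1-FEEDWATER": date(2024, 6, 30), "RTU-SUB-A": date(2031, 12, 31)}
AS_OF = date(2026, 2, 3)

def end_of_life(inventory: dict, as_of: date) -> list[str]:
    """Devices whose vendor support has ended; the Roadmap says these need extra monitoring."""
    return sorted(name for name, end in inventory.items() if end < as_of)

if __name__ == "__main__":
    for f in delta(GOLD, CURRENT):
        print("DELTA:", f)
    print("EOL:", end_of_life(INVENTORY, AS_OF))
```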

Step 6: Supply Chain & Vendor Risk Management 

The Roadmap raises "Risk Management for Third-Party Cloud Services" to a High Priority. It also calls for better "vendor assurance validation". 

  • The Shift: You can no longer just accept a vendor's word that they are secure. You need to validate their "attestation materials". 

  • Cloud Risks: As you move Historian data to the cloud for analysis, you are creating a bridge between your critical OT data and the public internet. The Roadmap warns of misconfigurations in these environments. 

  • Action: Ensure that any cloud service provider (CSP) you use has strict role-based access control (RBAC) and is isolated from your control network by a data diode or a strictly configured DMZ proxy. 

Part 4: Looking Ahead - The "Intermediate Term" 

The Roadmap doesn't stop at 2026. It lays out a path for the "Intermediate Term" that you should start planning for now. 

1. Inverter-Based Resources (IBRs) 

The Roadmap specifically targets Category 2 IBRs (solar, wind, battery storage) for a focused risk assessment. These assets are becoming critical to grid stability, yet often lack the physical security and hardened networks of traditional fossil fuel plants. 

  • Future Mandate: Expect new standards that define "cybersecurity control minimums" specifically for IBRs. If you are building new solar or wind capacity, build it to "High Impact" standards now to avoid a costly retrofit later. 

2. Foundational Cyber Hygiene Assessments 

NERC plans to evaluate the "residual risk" associated with cyber hygiene gaps across all BPS systems. This suggests that future compliance audits may look deeper than just "did you patch?" They may ask "do you have a defensible process for determining what to patch?" 

  • Focus Areas: The Roadmap lists specific focus areas for this evaluation, including "Information protection," "Identity and access management," and "Vulnerability and patch management processes". 

3. Incident Response Playbooks 

The Roadmap recommends developing guidance for "improved incident response playbooks". 

  • The Gap: Most IRPs are generic. They say "disconnect the infected machine." In a power plant, disconnecting a running turbine controller can be catastrophic. 

  • The Need: You need specific OT playbooks. "If HMI 1 is infected, switch to redundant HMI 2 and island the network." Shieldworkz can help you build these operational-centric response plans. 

Conclusion: Turning Compliance into Resilience 

The NERC CIP Roadmap for 2026 is a wake-up call. It acknowledges that the "air gap" is a myth, that "low impact" is a misnomer, and that the threats we face, from Salt Typhoon to ransomware, are targeting the very physics of the grid. 

For power generation, the message is clear: Protect your PLCs and RTUs. 

By implementing the steps outlined in this guide (building a defensible inventory, enforcing MFA everywhere, encrypting your telecom links, and deploying internal monitoring), you aren't just preparing for a 2026 audit. You are building a resilient operation capable of withstanding the advanced threats of the next decade. 

At Shieldworkz, we are dedicated to helping you navigate this transition. Our platform is built to provide the Internal Network Security Monitoring, Asset Visibility, and Secure Remote Access capabilities that the 2026 Roadmap demands. We bridge the gap between the IT-centric requirements of the standards and the OT-centric reality of your plant floor. 

Don’t wait for the regulation to catch up to the risk. 

Take the Next Step 

  • Download the Shieldworkz NERC CIP 2026 Implementation Checklist: Here 

  • Let our experts analyze your current topology and identify your "Public Network" and "Remote Access" gaps before the deadlines arrive. Book a free consultation with our experts: here 

  • Access our regulatory playbooks here. 
