# NERC CIP-003-9: Why your VPN is a compliance dumpster fire

The clock is ticking. On April 1, 2026, NERC CIP-003-9 becomes enforceable, bringing stringent new requirements for how entities with low-impact Bulk Electric System (BES) assets implement vendor electronic remote access security controls.

If your organisation is still relying on a VPN for vendor access, you are staring down a massive compliance liability. VPNs are no longer the industry standard or best practice for remote connectivity. They are a vulnerability.

Consider the Colonial Pipeline breach. A single compromised VPN connection brought down 45 per cent of the U.S. East Coast’s refined oil supply across a 5,500-mile network. The result? A 75-bitcoin ransom, 100 gigabytes of stolen data, and a catastrophic six-day shutdown.

Giving a third-party vendor network-level VPN access just to service a single HMI or PLC is like giving a locksmith the keys to the entire city just to fix one door. It is an unacceptable risk, and the new regulatory constraints are designed to eliminate it.

## What NERC CIP-003-9 actually demands

Section 6 of the new standard demands granular control, specific 'time-of-need' access, and immutable audit trails that prove exactly who did what. Using the blueprint provided in Attachment 2 of the CIP-003-9 document, compliance requires:

- **Pre-authorised access:** Tied to individual user levels, explicitly eliminating the use of shared credentials.
- **Time-of-need session initiation:** Access that exists only when work is actively required and approved.
- **Granular audit trails:** Detailed session logging retained for a minimum of three years.
- **Security information management:** Active logging and alerts for remote sessions.
- **Instant disablement:** The ability to immediately revoke vendor remote access at the individual user level.
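The five Attachment 2 points above, reduced to a minimal per-user access-decision routine as an added example (this is not code from the standard or from any vendor product; the `Grant` and `AuditTrail` names, the user and asset identifiers and the timestamps are all constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed illustration of the Attachment 2 controls listed above; not code from
# the standard or any product. Names, users, assets and timestamps are made up.

@dataclass
class Grant:
    user: str               # one named vendor user, never a shared account
    asset: str              # the single HMI/PLC covered, not a network or subnet
    start: datetime         # approved work window (time of need)
    end: datetime
    disabled: bool = False  # set by revoke(); denies on the next check
@dataclass
class AuditTrail:
    records: list = field(default_factory=list)  # append-only, kept >= 3 years
    def append(self, when, user, asset, decision, reason):
        self.records.append({"at": when.isoformat(), "user": user, "asset": asset,
                             "decision": decision, "reason": reason})

def evaluate(grants, user, asset, now, trail):
    """Decide one session request and log the outcome; returns (allowed, reason)."""
    mine = [g for g in grants if g.user == user and g.asset == asset]
    if not mine:
        reason = "no_pre_authorisation"
    elif all(g.disabled for g in mine):
        reason = "user_disabled"
    elif not any(g.start <= now <= g.end and not g.disabled for g in mine):
        reason = "outside_approved_window"
    else:
        reason = "granted"
    trail.append(now, user, asset, "allow" if reason == "granted" else "deny", reason)
    return reason == "granted", reason

def revoke(grants, user):  # instant disablement of one user; others keep their grants
    hits = [g for g in grants if g.user == user and not g.disabled]
    for g in hits:
        g.disabled = True
    return len(hits)

def demo():
    # Constructed scenario: one vendor engineer, one PLC, a two-hour approved window.
    t0 = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    grants, trail = [Grant("alice", "plc-07", t0, t0 + timedelta(hours=2))], AuditTrail()
    at = lambda mins: t0 + timedelta(minutes=mins)
    reasons = [evaluate(grants, "alice", "plc-07", at(30), trail)[1],   # inside window
               evaluate(grants, "alice", "plc-07", at(180), trail)[1],  # window closed
               evaluate(grants, "bob", "plc-07", at(30), trail)[1]]     # never authorised
    revoke(grants, "alice")                                             # emergency cut-off
    reasons.append(evaluate(grants, "alice", "plc-07", at(40), trail)[1])
    return reasons, len(trail.records)
```

`demo()` returns the four decision reasons and the number of audit records written; every request, allowed or denied, leaves a record, which is what makes the trail useful as evidence.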

## Why legacy tools fail the test

Legacy remote access tools—VPNs, remote desktop, jumpboxes, and VNC—are fundamentally unequipped for these constraints.

They cannot easily pre-authorise access at the individual user level. They fail to provide complete, immutable audit trails. Most damningly, they often rely on shared credentials, making it impossible to confidently disable a single user without disrupting the entire vendor team.

Meeting NERC CIP-003-9 means moving beyond perimeter-based defence and adopting a zero-trust architecture. It means specific, identity-based access to individual resources, not the entire network. This approach replaces weak perimeters with robust multi-factor authentication and granular, context-aware authorisation.

## Dive deeper

I recently hosted a webinar breaking down exactly why legacy tools fail these new requirements and how to architect a compliant, zero-trust solution for your critical infrastructure.

[Watch the full webinar: NERC CIP-003-9: Why your VPN is a compliance dumpster fire](https://www.agilicus.com/webinars/2026-03-12-nerc-cip-003-9-why-your-vpn-is-a-compliance-dumpster-fire/)