NERC CIP-003-9: Why Your VPN is a Compliance Dumpster Fire
On April 1, 2026, NERC CIP-003-9 becomes enforceable. The new version adds Section 6 to Attachment 1, which requires entities with low impact BES Cyber Systems (Bulk Electric System) to implement Vendor Electronic Remote Access Security Controls.
VPNs are no longer considered the industry standard or best practice for vendor remote access. A network-level VPN exposes your organization to breach and should be re-evaluated against the NERC CIP-003-9 requirements.
Colonial Pipeline, which carries roughly 45% of the East Coast's refined fuel through a 5,500-mile pipeline network from Texas to New Jersey, was breached in May 2021 through a legacy VPN account that had no multi-factor authentication and whose password had been leaked. The result: a ransom of 75 bitcoin paid, about 100 GB of data stolen, and a six-day shutdown.
In practice, meeting Attachment 1, Section 6 means granular control, access limited to the time of need, and audit trails that actually prove who did what. Join Agilicus, an industry leader in remote connectivity, to learn why your current VPN setup is a liability.
Webinar Highlights
VPNs were never designed for the strict requirements of NERC CIP-003-9, and they are a security risk when it comes to third-party vendors: giving a vendor network-level access to fix a single HMI is like giving a locksmith the keys to the city to fix one door.
Regulatory Constraints:
CIP-003-9 Attachment 2 provides examples of evidence for each section of Attachment 1; these can be used as a blueprint or starting point for implementation. The control patterns the webinar maps them to are:
- Pre-authorized access
- Security information and event management (SIEM) logging and alerting
- Time-of-need session initiation
- Granular audit trails retained for 3 years
- Disabling vendor remote access
Legacy remote access tools such as VPNs, Remote Desktop, jump boxes and VNC are no longer sufficient to meet these requirements:
- They grant network-level access rather than pre-authorizing a named user to one specific resource
- They cannot produce a complete, immutable, per-session audit trail
- Access cannot be disabled for one individual without cutting off the whole vendor team
- They rely on shared credentials, which defeat attribution and should be eliminated
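To make the five control patterns above concrete, here is an added example of a minimal vendor-access broker policy. It is illustrative code written for this page, not Agilicus product code and not text from the standard; the grant and broker class names, the resource identifiers ("hmi-substation-7", "plc-line-3"), the vendor user names and the maintenance window are all constructed assumptions. It shows a grant that names one person and one asset, a session check that only succeeds inside a time-of-need window, per-user disable that leaves colleagues untouched, and a hash-chained audit trail that detects after-the-fact edits.

```python
"""Illustrative vendor remote-access broker (added example, not Agilicus code).

Models the control patterns discussed on this page: pre-authorized per-user,
per-resource grants; time-of-need windows; per-user disable; no shared
credentials; and a tamper-evident audit trail. All identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

UTC = timezone.utc


@dataclass
class VendorGrant:
    """One pre-authorized, time-boxed grant: a named person to a single asset."""
    user: str               # an individual vendor engineer, never a shared account
    resource: str           # one asset (hypothetical ID), not a subnet or VPN pool
    not_before: datetime    # start of the time-of-need window (UTC)
    not_after: datetime     # end of the window (UTC)
    disabled: bool = False  # set by disable_user(); grants are never deleted


class AccessBroker:
    """Policy decision point whose audit log is an append-only hash chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.grants: list[VendorGrant] = []
        self.audit: list[dict] = []   # each entry commits to the previous entry's hash

    def _digest(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def _record(self, event: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else self.GENESIS
        self.audit.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def pre_authorize(self, grant: VendorGrant) -> None:
        self.grants.append(grant)
        self._record({"action": "grant", "user": grant.user, "resource": grant.resource,
                      "window": [grant.not_before.isoformat(), grant.not_after.isoformat()]})

    def authorize(self, user: str, resource: str, now: datetime) -> bool:
        """Time-of-need session check: allow only inside an enabled grant's window."""
        reason = "no grant"
        for g in self.grants:
            if g.user != user or g.resource != resource:
                continue
            if g.disabled:
                reason = "disabled"
            elif not (g.not_before <= now <= g.not_after):
                reason = "outside window"
            else:
                reason = None
                break
        allowed = reason is None
        self._record({"action": "session", "ts": now.isoformat(), "user": user,
                      "resource": resource, "decision": "allow" if allowed else "deny",
                      "reason": reason})
        return allowed

    def disable_user(self, user: str) -> int:
        """Revoke one individual's grants without touching anyone else's."""
        n = 0
        for g in self.grants:
            if g.user == user and not g.disabled:
                g.disabled = True
                n += 1
        self._record({"action": "disable", "user": user, "grants_disabled": n})
        return n

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = self.GENESIS
        for e in self.audit:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True


def run_scenario() -> dict:
    """Constructed scenario: one vendor engineer, a two-hour maintenance window."""
    broker = AccessBroker()
    at = lambda hour: datetime(2026, 4, 1, hour, 0, tzinfo=UTC)   # constructed timestamps
    broker.pre_authorize(VendorGrant("alice@vendor.example", "hmi-substation-7", at(9), at(11)))
    r = {
        "alice_in_window": broker.authorize("alice@vendor.example", "hmi-substation-7", at(10)),
        "alice_after_window": broker.authorize("alice@vendor.example", "hmi-substation-7", at(12)),
        # No lateral movement: the grant names one asset, not the network.
        "alice_other_asset": broker.authorize("alice@vendor.example", "plc-line-3", at(10)),
        # A colleague cannot ride Alice's grant: there is no shared vendor account.
        "bob_in_window": broker.authorize("bob@vendor.example", "hmi-substation-7", at(10)),
    }
    r["grants_disabled"] = broker.disable_user("alice@vendor.example")
    r["alice_after_disable"] = broker.authorize("alice@vendor.example", "hmi-substation-7", at(10))
    r["audit_valid"] = broker.verify_audit()
    broker.audit[2]["event"]["decision"] = "allow"   # rewrite a deny after the fact
    r["audit_valid_after_tamper"] = broker.verify_audit()
    r["audit_entries"] = len(broker.audit)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The contrast with a VPN is in `authorize`: a VPN decides once, at login, whether an account may join the network; this broker decides per session, per named user, per asset, within a window, and writes a chained record of every decision, including denials. For production use the audit chain would be written to external, write-once storage so the retention period survives the broker itself.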
LEARN MORE ON THE TOPIC
Take a deeper dive into the new NERC CIP-003-9 regulations, and why legacy remote access tools aren’t up to the task.
Agilicus AnyX Zero Trust gives any user, on any device, secure connectivity to any resource they need, without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.
