
NERC CIP-003-9 and the shift to multi-factor authentication

Secure Low Impact Assets Without Ripping Out Infrastructure

Executive Summary

The regulatory landscape for the electric sector is shifting rapidly. With the looming enforcement of NERC CIP-003-9 on April 1, 2026, utilities and energy providers face a profound challenge: extending modern cybersecurity controls—specifically multi-factor authentication and strict access management—to “Low Impact” Bulk Electric System (BES) cyber systems. This whitepaper examines why legacy operational technology cannot natively support these mandates, why traditional virtual private networks fall short, and how zero trust architecture provides a compliance path without requiring a total infrastructure overhaul.

The April 2026 Mandate

For years, the energy sector has focused its most rigorous security efforts on high and medium-impact facilities. The updated NERC CIP-003-9 reliability standard fundamentally changes this paradigm. By April 2026, organisations must implement strict vendor electronic remote access controls for their distributed, low-impact environments. This includes remote solar arrays, wind farms, and smaller substations that have historically relied on isolation or basic perimeter defences.

The core of this mandate is the requirement for robust identity verification. It is no longer acceptable to allow a third-party integrator or maintenance contractor to access a facility using a shared password or a persistent, unmonitored connection.

Why Legacy Systems Fail the Authentication Test

The fundamental problem is that the operational technology (OT) running these facilities was designed for reliability, not security. Programmable logic controllers (PLCs) and human-machine interfaces often predate modern cryptographic standards. They lack the memory, processing power, and software architecture to natively handle encryption or complex identity federation.

As highlighted in a recent Cybersecurity and Infrastructure Security Agency (CISA) report, attempting to force these legacy devices to manage their own security is a flawed strategy. They cannot prompt a user for a second form of verification, nor can they integrate with a modern corporate directory. This leaves facility managers with a difficult choice: replace millions of dollars of perfectly functional equipment, or find a way to shield it.

The Fallacy of the Virtual Private Network

Historically, the stopgap solution for remote access has been the virtual private network. However, VPNs grant broad, network-level access. Once a user authenticates to the VPN, they are inside the perimeter, often with unhindered lateral movement across the network. If a contractor’s laptop is compromised, the attacker inherits that broad access, turning a single point of failure into a systemic breach.

This approach violates the core principles of zero trust. As discussed in our analysis of zero trust VNC and remote desktop, modern security requires application-level access, where a user is granted permission to interact with a single, specific resource (like a specific water pump interface) rather than the entire plant network.

The Shift to Multi-Factor Authentication

To meet the NERC CIP-003-9 requirements, organisations must shift to a model where multi-factor authentication is mandatory for every remote session. This means verifying the user’s identity through something they know (a password) together with something they have (a physical token or a mobile app prompt) or something they are (biometrics) before any network traffic is allowed to reach the protected asset.

Because the legacy endpoints cannot perform this verification, the authentication must occur at an intermediary layer. This layer must intercept the connection request, challenge the user, and only broker the connection to the OT device once the identity is unequivocally proven.
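As an added illustration (not Agilicus code and not taken from this whitepaper), the following Python sketch models the intermediary layer described here and the application-level access described in the VPN section above: the broker, not the PLC or HMI, checks both factors, grants access to exactly one named resource rather than a network, expires the session instead of leaving a persistent connection, and records every decision for audit. The account name, password, TOTP secret and resource identifiers are constructed placeholders.

```python
"""Hypothetical identity-aware broker in front of a legacy OT endpoint.

Added example (not Agilicus code). The device never sees the login: the
broker verifies a password (something you know) and a TOTP code (something
you have), checks a per-resource policy, and only then issues a short-lived
session scoped to one resource. All names and secrets are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

SALT = b"constructed-demo-salt"      # a real deployment uses per-user salts
SESSION_TTL = 3600                   # seconds; no persistent, unmonitored links
TOTP_STEP = 30


def hash_password(password: str) -> bytes:
    """PBKDF2-SHA256; the broker stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


# Constructed identity store: one maintenance-contractor account.
USERS = {
    "contractor.jane": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # demo secret
    },
}

# Application-level policy: identity -> named resources, not subnets.
POLICY = {"contractor.jane": {"substation-7/hmi"}}

AUDIT: list = []   # (timestamp, user, resource, decision) for every attempt


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(secret, at // TOTP_STEP)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Accept the current step and one step either side for clock skew."""
    return any(
        hmac.compare_digest(totp(secret, at + d * TOTP_STEP), code)
        for d in (-1, 0, 1)
    )


@dataclass(frozen=True)
class Session:
    user: str
    resource: str       # exactly one OT resource, never "the network"
    expires_at: int


def broker_session(user: str, password: str, otp_code: str,
                   resource: str, now: Optional[int] = None) -> Optional[Session]:
    """Challenge the user and broker access to ONE resource, or refuse."""
    now = int(time.time()) if now is None else now
    record = USERS.get(user)
    # Compare against a dummy hash for unknown users so response timing
    # does not reveal which account names exist.
    expected = record["pw_hash"] if record else hash_password("")
    if not hmac.compare_digest(expected, hash_password(password)) or record is None:
        AUDIT.append((now, user, resource, "deny:password"))
        return None
    if not verify_totp(record["totp_secret"], otp_code, now):
        AUDIT.append((now, user, resource, "deny:second-factor"))
        return None
    if resource not in POLICY.get(user, set()):
        AUDIT.append((now, user, resource, "deny:not-authorised"))
        return None
    AUDIT.append((now, user, resource, "allow"))
    return Session(user, resource, now + SESSION_TTL)


def session_valid(session: Session, now: int) -> bool:
    """Sessions expire; a stale one must re-authenticate, never linger."""
    return now < session.expires_at
```

Two points of the design carry the compliance argument: the authorisation check is keyed on a single resource name, so a compromised contractor laptop with valid credentials still reaches only the HMI it was granted and nothing else on the site network, and every refused attempt lands in the audit list with its reason, which is the evidence an auditor will ask for.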

How Agilicus AnyX Solves the Challenge

The Agilicus AnyX platform provides this essential intermediary layer, acting as an identity-aware proxy. It wraps legacy industrial infrastructure in modern security controls without requiring any changes to the underlying devices.

When a vendor needs to access a remote substation, they authenticate through Agilicus AnyX using their existing corporate identity (single sign-on) and complete a multi-factor authentication challenge. The platform then establishes a secure, outbound-only connection to the specific piece of equipment they are authorised to manage. This approach not only ensures compliance with the impending NERC standards but also fundamentally reduces the attack surface of the facility.

For more details on how traditional remote access tools fail in these environments, see our companion whitepaper: NERC CIP-003-9: Legacy Remote Access Tools Are Not Sufficient.

Ready To Learn More?

Agilicus AnyX Zero Trust gives any user, on any device, secure connectivity to any resource they need, without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.


info@agilicus.com, +1 519 953-4332

300-87 King St W, Kitchener, ON, Canada. N2G 1A7
