# NERC CIP-003-9: Automating access control and authorisation for remote power sites


## Replacing manual processes with precise, automated zero trust

## **Executive Summary**

As the energy grid becomes increasingly decentralised, managing access to remote power sites has become a complex logistical challenge. With the impending enforcement of the [NERC CIP-003-9 standard](https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-9.pdf), utilities must implement Vendor Electronic Remote Access security controls for assets containing low impact Bulk Electric System (BES) Cyber Systems. Attachment 1, Section 6 of the standard requires one or more methods for determining vendor electronic remote access, for disabling it, and for detecting known or suspected inbound and outbound malicious communications over it. Relying on manual, legacy access methods is no longer a viable strategy for compliance or security. This whitepaper explores how automating access control and precise authorisation through a zero trust architecture streamlines operations while satisfying those requirements.

## **The Burden of Manual Access Management**

Historically, provisioning access for third-party vendors and maintenance crews at remote sites involved manual, error-prone processes. IT administrators would create temporary virtual private network (VPN) accounts, configure complex firewall rules, and distribute shared credentials, which also made it impossible to attribute a given action to an individual technician. When a vendor completed their work, deprovisioning that access was frequently delayed or forgotten entirely, leaving standing, unmonitored paths into critical infrastructure.

The [Independent Electricity System Operator (IESO) summary](https://www.ieso.ca/-/media/Files/IESO/Document-Library/system-reliability/OEB-Review-Process/Summary-of-Proposed-NERC-Standards-CIP-003-9.pdf) of the proposed CIP-003-9 standards highlights the expanded scope: utilities must now assert control over these distributed edge environments. Manual tracking cannot scale to meet the demands of hundreds of remote solar arrays, wind farms, and distribution substations.

## **Automating Precise Authorisation**

The strategic shift requires moving away from broad network access toward automated, precise authorisation. A [zero trust architecture](https://www.agilicus.com/zero-trust/), such as the Agilicus AnyX platform, enforces access at the application layer rather than the network perimeter.

By integrating with a unified corporate identity provider, the lifecycle of a user's access follows the directory record. When a contractor is onboarded in the central directory, their access is provisioned; when their account is disabled or their contract expires, new access is refused across all systems at once. One caveat matters for Section 6.2 of the standard: disabling an account at the identity provider only blocks new logins, so any session that is already established must be terminated explicitly rather than left to run to its own timeout. Furthermore, using features like [application requests](https://www.agilicus.com/features/application-requests/), technicians can request just-in-time, time-bounded access to a specific programmable logic controller (PLC) or human-machine interface (HMI) rather than to a network segment, without requiring a helpdesk ticket to configure a VPN.

## **Meeting the Technical Rationale and Audit Requirements**

The regulatory expectations are detailed in NERC's [Technical Rationale for CIP-003](https://www.nerc.com/globalassets/standards/projects/2023-04/2023-04_cip-003-a-technical-rationale-1.5_013024.pdf). For vendor electronic remote access, the emphasis is on knowing when a vendor is connected, being able to cut that access off, and detecting malicious communications over it; the underlying risk being mitigated is a compromised or misused vendor credential. The standard does not itself prescribe multi-factor authentication for low impact assets, but multi-factor authentication combined with per-resource authorisation addresses that credential risk directly. A manual VPN approach often struggles to provide the per-session visibility required to prove either the control or the evidence behind it.

During an audit, organisations must provide evidence of their security controls, as outlined in the [Reliability Standard Audit Worksheet (RSAW) for CIP-003-9](https://www.nerc.com/globalassets/standards/projects/2020-03/2020-03_rsaw_cip-003-9_2022_v1draft_11012022.pdf). Agilicus AnyX automates this process by generating a central audit trail. Every connection attempt, multi-factor authentication challenge, resource access, and session termination is logged against the individual identity, so the record shows who reached which asset, when, on what authority, and when that access ended. This transforms a gruelling, forensic audit process into simple, automated report generation.
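The identity-driven lifecycle and just-in-time grants described under "Automating Precise Authorisation", and the audit trail described above, can be expressed as a small policy evaluator. The following is an added illustration, not Agilicus code or any part of the AnyX product: it assumes a directory of vendor identities, per-resource time-bounded grants, and a per-request MFA result, all constructed here as sample data. It also generalises slightly beyond the text by separating the Section 6.1 question (which vendor sessions are established) from the Section 6.2 question (which of those must be torn down because the grant or contract has since lapsed).

```python
"""Illustrative just-in-time vendor access evaluator (added example; not Agilicus code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Identity:
    user: str
    vendor: str
    active: bool            # account enabled in the corporate directory
    contract_end: datetime  # access must never outlive the engagement


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str           # one PLC or HMI, not a network segment
    start: datetime
    end: datetime           # just-in-time window closes on its own


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    user: str
    resource: str
    mfa: Optional[bool]     # None for records that are not a login attempt
    decision: str
    reason: str


class VendorAccessPolicy:
    """Evaluates each vendor request against identity, MFA and a per-resource grant.

    The first failing check becomes the audit reason, so every denial is
    explainable from one record rather than from VPN and firewall logs.
    """

    def __init__(self, directory, grants):
        self.directory = {i.user: i for i in directory}
        self.grants = list(grants)
        self.audit = []
        self.sessions = {}  # (user, resource) -> time the session was established

    def _grant_covers(self, user, resource, ts):
        return any(g.user == user and g.resource == resource and g.start <= ts <= g.end
                   for g in self.grants)

    def evaluate(self, ts, user, resource, mfa_passed):
        ident = self.directory.get(user)
        failure = None
        if ident is None:
            failure = "unknown identity"
        elif not ident.active:
            failure = "account disabled in directory"
        elif ts > ident.contract_end:
            failure = "contract expired"
        elif not mfa_passed:
            failure = "multi-factor authentication not satisfied"
        elif not self._grant_covers(user, resource, ts):
            failure = "no just-in-time grant for this resource at this time"
        decision = "deny" if failure else "allow"
        reason = failure or "identity active, MFA satisfied, grant in window"
        self.audit.append(AuditRecord(ts, user, resource, mfa_passed, decision, reason))
        if decision == "allow":
            self.sessions[(user, resource)] = ts
        return decision, reason

    def active_sessions(self):
        """Section 6.1: determine which vendor remote access sessions are established."""
        return sorted(self.sessions)

    def sessions_to_disable(self, now):
        """Section 6.2: established sessions whose grant or contract has since lapsed.

        Disabling the account at the identity provider only stops new logins;
        a session that is already open must be torn down explicitly.
        """
        stale = []
        for (user, resource) in self.sessions:
            ident = self.directory.get(user)
            if (ident is None or not ident.active or now > ident.contract_end
                    or not self._grant_covers(user, resource, now)):
                stale.append((user, resource))
        return sorted(stale)

    def terminate(self, now, user, resource, reason):
        self.sessions.pop((user, resource), None)
        self.audit.append(AuditRecord(now, user, resource, None, "terminate", reason))

    def evidence(self):
        """Flat rows an auditor can read against the RSAW evidence requests."""
        return [f"{r.ts.isoformat()} {r.user} {r.resource} mfa={r.mfa} {r.decision}: {r.reason}"
                for r in self.audit]


# Constructed sample data: hypothetical sites, accounts and vendors.
T0 = datetime(2024, 6, 1, 8, 0, tzinfo=UTC)
DIRECTORY = [
    Identity("alice@vendor-a.example", "Vendor A", True, T0 + timedelta(days=30)),
    Identity("bob@vendor-b.example", "Vendor B", True, T0 - timedelta(days=1)),    # contract ended
    Identity("carol@vendor-a.example", "Vendor A", False, T0 + timedelta(days=30)),  # offboarded
]
GRANTS = [Grant("alice@vendor-a.example", "plc-substation-07", T0, T0 + timedelta(hours=4))]


def run_scenario():
    policy = VendorAccessPolicy(DIRECTORY, GRANTS)
    t = T0 + timedelta(hours=1)
    decisions = {
        "alice_plc": policy.evaluate(t, "alice@vendor-a.example", "plc-substation-07", True)[0],
        "alice_hmi": policy.evaluate(t, "alice@vendor-a.example", "hmi-substation-07", True)[0],
        "alice_no_mfa": policy.evaluate(t, "alice@vendor-a.example", "plc-substation-07", False)[0],
        "bob_expired": policy.evaluate(t, "bob@vendor-b.example", "plc-substation-07", True)[0],
        "carol_disabled": policy.evaluate(t, "carol@vendor-a.example", "plc-substation-07", True)[0],
    }
    # Five hours later the grant window has closed but alice's session is still up.
    later = T0 + timedelta(hours=5)
    stale = policy.sessions_to_disable(later)
    for user, resource in stale:
        policy.terminate(later, user, resource, "grant window closed")
    return decisions, stale, policy


if __name__ == "__main__":
    decisions, stale, policy = run_scenario()
    print(decisions)
    print("disabled:", stale)
    print("\n".join(policy.evidence()))
```

The point of the scenario is the last step: alice was correctly allowed in at 09:00, nothing in the directory changed, yet by 13:00 her session is the one that must be disabled because the grant window closed underneath it. A control that only checks at login time, as a VPN account does, never produces that "terminate" record, and that record is exactly what an auditor will ask for under Section 6.2.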

## **Conclusion**

To secure the modern, distributed energy grid and satisfy the impending NERC CIP-003-9 requirements, utilities must abandon manual, network-centric access models. By embracing a zero trust identity-aware proxy, organisations can automate precise authorisation, enforce multi-factor authentication, and generate comprehensive audit trails. This approach not only [replaces the legacy VPN](https://www.agilicus.com/what-we-do/vpn-alternative/) but fundamentally elevates the security posture of remote power sites without adding operational overhead.