
The evolution of NERC CIP-003: Transitioning from v9 to v11 and securing the grid
Navigating the expansion to coordinated cyberattack protection
Executive Summary
The Federal Energy Regulatory Commission (FERC) has approved Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-11, significantly expanding the scope of cybersecurity controls for low-impact bulk electric system cyber assets. As the April 2026 deadline for CIP-003-9 approaches, organisations must now prepare for a fundamentally broader mandate: protecting against coordinated cyberattacks across all electronic access, rather than just vendor remote connections. This whitepaper details the critical differences between the two standards, the systems requiring immediate attention, the risks of compliance over-correction, and how the Agilicus AnyX platform simplifies the transition through unified identity and fine-grained authorisation.
The catalyst: Moving beyond vendor access
While CIP-003-9 focused primarily on establishing enforceable controls for vendor electronic remote access to low-impact BES cyber systems, the evolving threat landscape demanded a more comprehensive approach. The motivation for CIP-003-11 is rooted in the risk of coordinated cyberattacks. FERC identified that exploiting numerous distributed, externally routable low-impact assets could have a cumulative, cascading effect on grid reliability. Consequently, CIP-003-11 eliminates the word “remote” and broadens the regulatory scope to encompass all electronic access, fundamentally changing how utilities must architect their security posture.
Deep dive: Key changes from v9 to v11
The transition to CIP-003-11 introduces three critical new control categories aimed at mitigating coordinated threats. Moving beyond third-party vendors, the standard now requires robust identity verification for every remote user accessing low-impact systems. Organisations must safeguard user credentials while they are transmitted across networks, preventing interception and replay attacks. Furthermore, the requirement to detect anomalous traffic is expanded to all communications to or between assets containing low-impact BES cyber systems with external routable connectivity. Structurally, the vendor-specific language from Section 6 of Attachment 1 in CIP-003-9 has been consolidated into Section 3 of Attachment 1 in CIP-003-11, cementing its application to electronic access controls generally.
Impact and systems requiring updates
The expanded scope means that any low-impact BES cyber system with external routable connectivity falls under the new requirements. This heavily impacts legacy operational technology environments. Human-machine interfaces, programmable logic controllers, and older Windows machines running legacy protocols like virtual network computing, remote desktop protocol, or secure shell often lack native support for multi-factor authentication or granular authorisation. Retrofitting these legacy systems to meet the new authentication and transit protection mandates is a significant technical hurdle.
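The anomalous-traffic detection described above, as an added example that is not from the whitepaper or the Agilicus product: it runs over constructed flow records and flags two things CIP-003-11 brings into scope, direct access to a legacy protocol on a low-impact asset that bypasses the identity-aware proxy, and asset-to-asset traffic never seen in a reviewed baseline. The asset inventory, proxy address and port mapping are assumptions.

```python
from collections import namedtuple
# Constructed inventory (hypothetical addresses): the low-impact BES assets
# and the identity-aware proxy that is the only sanctioned path to them.
BES_ASSETS = {"10.20.1.10": "hmi-substation-a", "10.20.1.11": "plc-feeder-7"}
IDENTITY_PROXY = "10.20.0.5"
# Legacy interactive protocols the whitepaper names: VNC, RDP and SSH.
LEGACY_PORTS = {5900: "vnc", 3389: "rdp", 22: "ssh"}
Flow = namedtuple("Flow", "src dst dport")

def parse_flows(lines):
    """Parse constructed 'src dst dport' records; skip malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows

def build_baseline(flows):
    """(src, dst, dport) triples seen during a reviewed, known-good period."""
    return {(f.src, f.dst, f.dport) for f in flows}

def detect_anomalies(flows, baseline):
    """Return (reason, flow) pairs for traffic that breaks the proxy model."""
    findings = []
    for f in flows:
        direct = f.dst in BES_ASSETS and f.dport in LEGACY_PORTS
        if direct and f.src != IDENTITY_PROXY:
            # Legacy-protocol access that bypasses the authenticated proxy;
            # v11 covers all electronic access, not only vendor remote access.
            findings.append((f"direct-{LEGACY_PORTS[f.dport]}-bypassing-proxy", f))
        elif f.src in BES_ASSETS and f.dst in BES_ASSETS and tuple(f) not in baseline:
            # Unseen asset-to-asset flow: traffic *between* assets is in scope.
            findings.append(("unbaselined-asset-to-asset-flow", f))
    return findings

# Constructed sample records: a known-good baseline, then a later window.
BASELINE_LOG = ["10.20.0.5 10.20.1.10 5900",   # proxy -> HMI over VNC
                "10.20.0.5 10.20.1.11 22",     # proxy -> PLC over SSH
                "10.20.1.10 10.20.1.11 502"]   # HMI -> PLC, Modbus/TCP
NEW_LOG = ["10.20.0.5 10.20.1.10 5900",      # sanctioned, not flagged
           "203.0.113.7 10.20.1.10 3389",    # external host straight to RDP
           "10.20.1.11 10.20.1.10 502",      # PLC -> HMI, never baselined
           "10.20.1.10 10.20.1.11 502",      # baselined, not flagged
           "garbled record"]                 # dropped by the parser

def run_demo():
    """Evaluate the later window against the baseline; returns the findings."""
    return detect_anomalies(parse_flows(NEW_LOG), build_baseline(parse_flows(BASELINE_LOG)))
```

In practice the baseline would be built from the monitoring solution's own flow export over a reviewed period, and the inventory from the asset register rather than literals.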
The over-correction risk: Compliance vs. access
In the rush to achieve compliance, utilities face a dangerous temptation: over-correction. Some organisations may attempt to solve the problem by severing remote access entirely, forcing personnel to travel to physical sites for routine maintenance. Others may deploy overly complex, heavy firewalls and traditional virtual private networks that create operational bottlenecks. Viewing compliance and operational access as an either-or proposition stifles agility, increases downtime, and ultimately harms reliability. True security enables work rather than hindering it.
Navigating mergers and acquisitions
The challenges of CIP-003-11 are amplified during mergers and acquisitions. Acquiring entities often inherit disparate, non-compliant operational technology networks with fragmented authentication schemes. Integrating these newly acquired systems into a unified compliance framework without disrupting critical operations requires a strategy that abstracts access controls away from the underlying legacy infrastructure.
How Agilicus simplifies compliance
The Agilicus AnyX platform provides a direct path to CIP-003-11 compliance without the operational friction of traditional approaches. Built on zero trust principles, it operates as an identity-aware proxy, delivering unified authentication across the entire distributed environment. Crucially, Agilicus brings fine-grained authorisation and multi-factor authentication to legacy devices—like those relying on virtual network computing or older protocols—without requiring any modifications to the edge device or its software. By intercepting and authenticating traffic at the identity perimeter before it ever reaches the asset, Agilicus ensures both that authentication information is protected in transit and that all remote users are rigorously verified. This approach allows utilities to achieve perfect compliance, maintain seamless operational access, and rapidly integrate new infrastructure during acquisitions, completely eliminating the need to open vulnerable inbound firewall ports.
Conclusion: The strategic imperative
The leap from CIP-003-9 to CIP-003-11 is not merely an administrative update; it is a fundamental shift in how the electric sector must defend its distributed assets against coordinated threats. By embracing an identity-first, zero trust architecture, utilities can exceed regulatory requirements while building a more resilient, agile operational environment.
Ready To Learn More?
Agilicus AnyX Zero Trust enables any user, on any device, secure connectivity to any resource they need—without a client or VPN. Whether that resource is a web application, a programmable logic controller, or a building management system, Agilicus can secure it with multi-factor authentication while keeping the user experience simple with single sign-on.