Distribution Utilities Now Affected by NERC CIP Regulations

by Matt Cole, 3 Phase Associates, LLC

As NERC CIP regulations and standards continue to evolve and tighten, new and upcoming compliance standards will affect lower-voltage utilities and distribution providers (roughly 100 kV and below). In the past, lower-voltage electric suppliers were considered to have no or low impact on the grid or bulk electric system (BES); previous NERC CIP regulations applied only to transmission utilities operating at 100 kV and higher.

Today, distribution utilities, cooperatives and municipalities are included in the CIP scope, especially if they take part in an underfrequency load shed (UFLS) or undervoltage load shed (UVLS) program with their generation or transmission suppliers and partners. Distribution providers involved in UFLS or UVLS actions are now subject to the NERC CIP requirement CIP-003-7 (Security Management Controls). FERC approved CIP-003-7 on April 19, 2018, under Docket No. RM17-11-000.

Lower-voltage suppliers are also included in CIP-003-7 if they operate and control more than 300 MW of total system load.


Low voltage utilities that fall in the NERC CIP scope are also required to perform the following:

  1. Cyber security awareness – training employees at least once every 15 months.
  2. Implement adequate physical security controls – security cameras, card readers, other physical access controls, etc.
  3. Implement adequate electronic access controls for electronic security perimeters (ESPs) and critical cyber assets (CCAs).
    1. Permit only necessary inbound and outbound traffic
    2. Authenticate all dial-up connections and communications to ESPs and CCAs
  4. Develop a plan for mitigating malicious code introduced by transient cyber assets and removable media (portable drives, flash drives, etc.).
    1. Implementing malware and virus protection software with periodic signature and patch updates
    2. Application whitelisting or other methods for detecting malware
  5. Create and exercise an adequate cybersecurity incident response plan – similar to storm response plans.
    1. Designate cyber specific personnel with roles and responsibilities for first responders in case of an event
    2. Identify and classify whether an event is reportable to the Electricity Information Sharing & Analysis Center (E-ISAC) and other authorities
    3. Create a mitigation strategy for recovering after an event
    4. Test the cybersecurity incident response plan with appropriate personnel using drills or tabletop exercises at least once every 3 years.
    5. Update cybersecurity incident response plans with any required changes/modifications within 180 days of testing
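The periodic obligations in the list above (awareness every 15 months, incident response plan exercised every 3 years, plan updated within 180 days of a test) are easy to let slip between audits. The following is an added example, not code from the article or from 3 Phase Associates, that checks a utility's record dates against those windows; the dataclass, the function names, the constructed sample dates, and the choice to count the 15-month and 36-month windows in calendar months (as NERC periodic requirements do) are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class LowImpactProgram:
    """Compliance dates for one distribution utility (hypothetical record layout)."""
    name: str
    last_awareness: Optional[date]       # awareness reinforced at least every 15 months
    last_ir_plan_test: Optional[date]    # IR plan drilled or tabletop-tested every 3 years
    last_ir_plan_update: Optional[date]  # plan revised within 180 days after that test


def end_of_calendar_window(start: date, months: int) -> date:
    """Last day of the calendar month `months` after start's month.

    Assumption: windows are counted in calendar months, so a window opened on
    2023-03-10 with months=15 closes on 2024-06-30, not on 2024-06-10.
    """
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    first_of_next = date(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def findings(p: LowImpactProgram, today: date) -> List[str]:
    """Return the obligations `p` is out of compliance with on `today` (empty = compliant)."""
    out: List[str] = []
    if p.last_awareness is None:
        out.append("awareness: no training on record")
    elif today > end_of_calendar_window(p.last_awareness, 15):
        out.append(f"awareness: overdue since {end_of_calendar_window(p.last_awareness, 15)}")
    if p.last_ir_plan_test is None:
        out.append("ir-plan-test: plan never exercised")
    else:
        test_due = end_of_calendar_window(p.last_ir_plan_test, 36)  # 3 years
        if today > test_due:
            out.append(f"ir-plan-test: overdue since {test_due}")
        # The plan must be revised within 180 calendar days after each test;
        # an update dated before the test does not count for that test.
        update_due = p.last_ir_plan_test + timedelta(days=180)
        stale = p.last_ir_plan_update is None or p.last_ir_plan_update < p.last_ir_plan_test
        if stale and today > update_due:
            out.append(f"ir-plan-update: not revised within 180 days of {p.last_ir_plan_test}")
    return out
```

Running `findings()` over every utility's record on a schedule (for example monthly) gives an early-warning list long before an auditor asks for the evidence.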


Let 3 Phase Associates help you get NERC CIP compliant. Our cybersecurity consultants are ready to help with all your physical and cybersecurity needs. We have experts that can help with any of the following:

  • Cyber assessments
  • Critical asset identification
  • Cyber network design
  • Intrusion prevention & detection systems (IPS/IDS)
  • Data access management & access controls
  • Physical security protection
  • NERC CIP requirements
  • Cyber awareness training & procedures
  • Penetration testing
  • and more...

Let's Design Something Together!

3 Phase Associates
