As the U.S. electric grid adopts clean and distributed sources of energy, including rooftop solar, wind, and energy storage, the regulatory landscape is changing to keep pace. Cybersecurity in the bulk electric system (BES) has been guided by the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards to reduce risk. But the increased usage of Distributed Energy Resources (DERs) and DER aggregators requires revamping NERC CIP to cover more of the non-traditional, large-scale assets.
Expanding Scope: DERs Moving Under NERC CIP’s Lens
Traditionally, NERC CIP standards applied primarily to high-voltage, BES-level systems, which are typically 100 kV and above, streamlining cybersecurity requirements for large-scale generation and transmission assets. In the past, many small DERs fell outside full CIP scope. However, recent NERC guidance and threshold reductions (e.g., new registration/reporting thresholds around the ~20 MW/20 MVA range and lower voltage cutoffs in some contexts) are closing that gap.
Additionally, the regulatory landscape is shifting. The 2025 NERC CIP updates include new versions of CIP‑003‑9, CIP‑005‑7, CIP‑010‑4, and CIP‑013‑2, which significantly reclassify previously “low-impact” assets, including DERs and substations, raising their security requirements or even designating them as medium-impact assets.
Cyber Risks & Security Gaps for DERs and Aggregators
DERs, for all their benefits, bring their own set of challenges. Many are now internet-connected behind the meter, using inverters and digital interfaces that were previously offline. DER aggregators authorized under FERC Order 2222 can also manage many DERs remotely. This creates the risk of individual DERs being breached and, even where that is countered, a larger problem remains: a breach of a DER aggregator may affect hundreds or thousands of resources, calling the stability of the BES into question.
DER systems often lack standardized cybersecurity requirements. Device-level certifications (like UL or IEEE standards) may ensure secure design, but they don’t guarantee proper configuration or operation in the field. For example, a firewall that’s present but disabled provides no real protection.
Zero Trust and Purpose-Built Platforms: A Path Forward

Utilities and DER aggregators can use Zero Trust platforms designed for OT and grid environments to help close the widening gap between DER operations and NERC CIP compliance.
Key capabilities to consider when selecting a vendor:
- PKI-based MFA: Smart cards or PIV tokens to provide added control of remote access consistent with CIP-003-9 and CIP-005-7.
- Centralized logging and audit readiness: Collects session data, transfers, and the communications between devices in one place, which makes evidence collection and compliance audits easy to perform.
- Modular, policy-driven architecture: The modularity allows utilities to adapt configurations or policies as CIP is implemented—rather than rebuilding everything when new standards are released.
- Sustained vendor support: Patches, updates, and advisory services help maintain alignment with evolving CIP updates.
By combining DER-level hardening (e.g., secure device design, certifications) with secure OT practices (e.g., MFA, segmentation, logging), organizations can adopt a defense-in-depth approach that aligns with NERC CIP’s risk-based framework.
Recommended Practices at a Glance
Here are strategic actions DER operators, aggregators, and utilities should consider:
- Assess device cybersecurity from design to deployment—ensure controls are enabled and operations are configured securely, not just certified.
- Implement Zero Trust or identity-centric access systems to protect remote connections.
- Establish clear compliance roles when leveraging cloud services, including evidence provision and contract terms.
- Maintain robust logging and event capture, mapped directly to applicable CIP requirements to simplify audits.
- Be prepared for future updates; use platforms that can adapt to new CIP-002 revisions without heavy upgrades or redeployments.
Conclusion
The rapid growth of DERs and DER aggregators, paired with evolving cybersecurity threats, makes navigating NERC CIP compliance both critical and more complex. With the 2025 CIP updates expanding coverage and tightening controls even on formerly low-impact assets, utilities must urgently rethink how DERs and cloud-connected systems are secured. By combining principles of secure design, Zero Trust OT platforms, cloud governance, and centralized compliance capabilities, the sector can ensure reliability, regulatory alignment, and the resilience of a clean energy future.
Disclaimer: Any opinions expressed in this blog do not necessarily reflect the opinions of Certrec. This content is meant for informational purposes only.