
Josue Alvarez-DeGolia, Security Engineer at Bureau Veritas Cybersecurity

NERC CIP Explained: What Energy Organizations Need to Know

Understanding NERC CIP with Josue Alvarez-DeGolia, Security Engineer at Bureau Veritas Cybersecurity

The North American power grid is one of the most complex systems in the world. It’s also one of the most important to protect. As it becomes more digitized, so does its exposure to cyber threats. That’s where NERC CIP (North American Electric Reliability Corporation’s Critical Infrastructure Protection) cybersecurity standards come in: a series of mandatory standards designed to safeguard the reliability of the grid. 

To understand what these standards mean in practice, we spoke with Josue Alvarez-DeGolia, Security Engineer at Bureau Veritas Cybersecurity. Josue has been with the company for just over three years and brings a rare mix of technical, operational, and analytical experience to his role. He began his career in the U.S. Navy as a submarine officer, trained in nuclear power operations and maintenance, an experience that shaped his understanding of high-stakes, high-reliability systems. After his time in the military, he worked in power plant construction (steam and gas turbine plants), investment banking, and consulting before transitioning into cybersecurity. 


Since joining Bureau Veritas, Josue has worked with manufacturing technology companies, cloud service providers, and increasingly with industrial and energy organizations, helping them strengthen their operational technology (OT) security and meet growing compliance and security demands. 

What is NERC CIP, and why does it matter?

“NERC CIP refers to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards,” Josue begins. “It’s a set of mandatory requirements created and designed to protect the Bulk Electric System (BES) in North America from cybersecurity threats.”

These standards aren’t voluntary. They are approved by the Federal Energy Regulatory Commission (FERC) in the United States and are legally enforceable. NERC and its associated regional entities monitor compliance and enforce the standards through audits, and FERC can impose fines for non-compliance. Some Canadian provinces have adopted the NERC standards through agreements, so the same requirements apply there and are enforced by provincial regulators.

Josue explains that the framework evolves along with emerging threats. “Cyber risks in the energy sector aren’t static. As technology changes, NERC CIP is periodically updated to strengthen the baseline for security.” For utilities, compliance isn’t just about passing an audit. It’s about ensuring that the power grid remains stable and resilient in the face of increasingly sophisticated attacks. 

How does NERC CIP differ from other cybersecurity frameworks?

“There are several standards out there such as ISO 27001, IEC 62443, and others. Each serves a different purpose,” Josue says. “ISO 27001 is broad; it’s for managing information security across any organization. IEC 62443 focuses more on industrial automation and OT, so it’s popular with manufacturers as well as oil and gas companies.”

“But NERC CIP is specific to the Bulk Electric System,” he continues. “It focuses on energy generation, transmission, and distribution. Essentially anything that keeps the power grid stable.”

Another key difference? Compliance under NERC CIP is mandatory for Bulk Electric Systems. “ISO and IEC certifications are voluntary. Companies pursue them because they’re good practice or because clients ask for it. NERC CIP, on the other hand, is required by law in North America. You don’t have a choice if you operate within the bulk electric system.”

Still, the standards complement one another. “If you already follow ISO or IEC frameworks, you’re actually in a good position,” Josue says. “There’s a lot of overlap in the controls. You’re already partway to meeting NERC CIP requirements.” 

What types of systems or assets does NERC CIP protect?

“NERC CIP is designed to protect the power distribution and energy infrastructure of North America,” Josue explains. “Everything nowadays is interconnected. Any interruption in power would affect airlines, communications, and other parts of critical infrastructure. The goal is to make sure there’s no impact on the grid, or that any impact is minimized as much as possible.”

He notes that the standards cover more than just grid assets. “It’s not only about the grid itself, but also physical security. Making sure there’s the right level of physical protection for remote substations or distribution stations,” he says. “It also includes all the data collected from the grid during generation, as that information is valuable in its own right.”

“The systems you use to manage electronic access, both locally and remotely, are part of it too,” he adds. “And it extends to the supporting infrastructure that goes along with operating the grid.”

In short, NERC CIP applies to cyber systems and assets, whether physical or digital, that directly support the operation of the Bulk Electric System.

What are the biggest challenges organizations face when trying to comply with NERC CIP?

“One of the biggest challenges is legacy systems,” Josue says. “Much of the grid infrastructure has been around for decades, and you can’t just take it offline and replace it. A lot of the technology wasn’t designed with cybersecurity in mind.”

He explains that operators have to find practical ways to bring older systems up to today’s standards. “You might be dealing with equipment that can’t encrypt data or restrict access in the same way newer systems can. That makes compliance difficult.”

Finding suitable solutions requires both technical understanding and operational awareness. “It’s about identifying solutions that let legacy and modern systems work together securely and are compliant,” Josue says. “Sometimes that means introducing a bridge technology or isolating systems in a way that limits risk while keeping operations steady.”

Specialists familiar with both industrial operations and cybersecurity can help organizations identify the most realistic options without disrupting service, but ultimately, it’s the operators who know their systems best. “They’re the ones who understand what’s feasible day-to-day. External experts can guide and recommend, but the decisions always have to make sense for operations.”

Are there common misconceptions about NERC CIP?

“One big misconception is that compliance is going to be hugely disruptive,” Josue says. “People assume they’ll have to redo a lot of their technology or take systems offline, but NERC CIP is really a minimum set of requirements. It’s about looking at what’s already in place. Your existing procedures, your IT setup, your firewalls, your access controls—and seeing how that fits with the standards.”

He explains that the process doesn’t have to interfere with operations. “It’s not as intrusive as people think,” he says. “You’re not taking the grid down. It’s mostly about understanding how things work today and finding the right adjustments to meet compliance.”

Working with an organization like Bureau Veritas Cybersecurity, he adds, can help minimize disruption. “We can identify what’s already effective and where improvements can be made; that makes getting compliant a smoother process overall.”

What are some other ways that Bureau Veritas can help organizations get NERC CIP compliant?

“What we bring is a combination of cybersecurity expertise and an outside perspective,” Josue says. “Operators understand their systems better than anyone, but sometimes that familiarity can lead to blind spots.”

Bureau Veritas provides assessments, gap analyses, and practical recommendations tailored to the operational environment. “We review how existing controls align with NERC CIP requirements, identify any shortfalls, and suggest feasible solutions,” he explains.

Bureau Veritas can also help clients stay ahead of upcoming changes. “For example, CIP-015, which covers Internal Network Security Monitoring (INSM), is relatively new,” Josue notes. “And new revisions like CIP-003-9 already have enforcement dates set for 2026. We help clients interpret those updates and prepare before they become mandatory.”

Having an independent assessment, Josue explains, adds assurance. “It’s not about calling anyone out—it’s about confirming you’re actually compliant and secure.”

How is NERC CIP evolving?

NERC CIP is not static. It changes as the threat landscape changes. “Each standard goes through multiple revisions,” Josue explains. “That’s because cyber threats evolve. What worked five years ago might not hold up today.”

He points to CIP-015 as an example of how the framework is expanding into more proactive monitoring for BES systems and networks. “It’s about knowing when someone is inside your network who shouldn’t be,” he says. “That’s a big step forward in protecting the grid.”

Josue also predicts that new technologies like AI could influence future updates. “I wouldn’t be surprised if AI shows up in future revisions. Either to regulate how it’s used or to leverage it for threat detection. We’re already seeing AI being adopted in other industries, and eventually it will reach the energy sector too.” 

What advice would you give to organizations starting now?

“My advice is to start early,” Josue says simply. “Begin by reading the standards and understanding which parts apply to your systems. Identify what you already have in place and where your gaps are.”

He emphasizes the importance of internal collaboration. “Bring your IT, OT, and compliance teams together from the start. They each have different perspectives, and NERC CIP touches all of them.”

And while organizations can go it alone, Josue says external support can accelerate progress. “Bureau Veritas provides NERC CIP guidance, helping clients benchmark against what has worked elsewhere. Once you understand your baseline, the path to compliance becomes much clearer.” 

Why should companies start now rather than later?

“The closer you get to the enforcement deadlines, the more expensive and complicated compliance becomes,” Josue cautions. “You’ll be competing for resources. Consultants, equipment, even vendor attention. Starting now gives you flexibility.”

He adds that early compliance isn’t just about avoiding fines. It’s a smart business move. “It helps you strengthen your infrastructure, reduce operational risk, and build trust with regulators and customers. Compliance and security go hand in hand.”

Building Resilience for the Future

For Josue, NERC CIP isn’t just about checking boxes—it’s about ensuring reliability. “These standards are here to keep the lights on,” he says. “They protect the systems that power our daily lives.”

As new technologies and threats emerge, that mission will only grow more important. “Cybersecurity isn’t a one-time effort. It’s continuous,” he adds. “NERC CIP gives the energy sector the framework to stay ahead, adapt, and keep North America’s critical infrastructure secure.” 


Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.