Perspective for OT cybersecurity leaders, CIP compliance teams, and senior decision makers
In its January 2026 Critical Infrastructure Protection (CIP) Roadmap, NERC describes a Bulk Power System (BPS) that is becoming more dynamic, interconnected, and digitized—and therefore more exposed to sophisticated threats. NERC’s starting point is not that existing CIP requirements are failing; rather, it notes that “the sector’s operating environment has changed faster than the standards’ scope and cadence of revisions.”
A central implication is that many operational dependencies relevant to reliability are increasingly found in low-impact systems, third-party operated pathways, and technology categories that have historically sat outside the strongest baseline CIP requirements. This is a risk and governance issue: aggregation and interdependence can allow small compromises to create larger effects.
The Roadmap is not a revision of enforceable CIP Reliability Standards. Instead, it summarizes a structured, risk-based process used to identify priority risks and map them to possible standards modifications, studies, and guidance development.
As Ampyx Cyber observes, the Roadmap is “not a compliance guide… [but] a forward-looking regulatory blueprint for how CIP must evolve.”[2]
The key artifacts are:
NERC is explicit about limitations: “The framework is a qualitative model at its core…” and resulting scores should be treated as categorical indicators rather than precise rankings. NERC also states: “This assessment excluded financial or reputational effects to maintain focus on system reliability.”
From the risk analysis and survey results, NERC identifies cross-cutting control themes with broad mitigation value across multiple risk categories.
NERC recommends near-term standards work to extend MFA for interactive remote access—particularly where low-impact systems and vendor-managed remote access paths remain outside minimum baselines.
NERC highlights persistent gaps in foundational controls such as asset identification, configuration/change management, defensible network topologies, vulnerability management, and disciplined patching. It also signals interest in evaluating whether baseline expectations should be strengthened for low-impact environments.
NERC emphasizes risks tied to leased or carrier-provided telecom dependencies used for SCADA/AGC data, including legacy protocols that may traverse unencrypted links outside current CIP-012 scope.[6] In that context, NERC calls for expanding confidentiality and integrity protections beyond control-center-to-control-center links.
The Roadmap cautions that “improving grid security does not mean layering new compliance requirements indiscriminately,” emphasizing targeted, risk-driven evolution of CIP.
One reason the Roadmap is consequential is that its recommended actions are designed to drive future standards development. For entities and assets that become in-scope through future Reliability Standards changes, compliance is not optional: it becomes a regulated obligation subject to audit and enforcement.
FERC notes that violations of mandatory Reliability Standards can be subject to civil penalties “of up to $1 million per day per violation.”[3]
This is why the Roadmap should be read primarily as a policy and standards trajectory document—not as a discussion of optional risk-reduction best practices.
NERC’s industry survey and qualitative scoring are well-suited to initiating action and aligning the sector on what to address first. However, an industry-wide survey produces a thematic view of risk: it reflects average judgments across diverse operational contexts.
Site-specific decision making is different. Individual Responsible Entities have unique architectures, remote access pathways, telecom dependencies, restoration capabilities, and compensating controls; those factors influence likelihood and impact for the same scenario.
Even within the Roadmap’s qualitative framework, NERC’s likelihood rubric explicitly considers exposure/attack surface and the degree of existing preventive control coverage—factors that vary materially between entities.
This section reflects the DeNexus perspective. It does not represent NERC guidance or a NERC requirement.
A practical way to extend the Roadmap for governance and investment decisions is to preserve its scenario-based structure (risk registry, impact framing, and emphasis on aggregation) while replacing the qualitative 1–5 scoring with probabilistic modeling and calibrated estimation.
In quantitative cyber risk models, likelihood is not a single point estimate. It is a distribution that captures both high-frequency/low-impact events and low-frequency/high-impact tail events. Impact is likewise represented as a distribution rather than a single severity label.
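As an added illustration of that replacement (example code written for this piece, not code from the original post or from the DeNexus platform), the Python sketch below swaps a 1–5 score for a Poisson event frequency and a lognormal loss-per-event distribution fitted to a calibrated 10th/90th-percentile range, then simulates annual loss for each scenario and for the aggregate so the tail and the aggregation effect become explicit. The three registry scenarios, their rates and their loss ranges are constructed assumptions, not NERC or DeNexus figures.

```python
import math
import random
from collections import namedtuple
# One risk-registry entry: expected events/year (Poisson mean) and a calibrated
# 80% interval (10th/90th percentile) for loss per event in USD.
Scenario = namedtuple("Scenario", "name annual_rate loss_p10 loss_p90")

def lognormal_params(p10, p90):
    """Map a calibrated 10th/90th percentile pair to lognormal mu, sigma."""
    z90 = 1.2815515655446004
    return (math.log(p10) + math.log(p90)) / 2, (math.log(p90) - math.log(p10)) / (2 * z90)

def poisson(rng, lam):
    """Knuth's inversion sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate(scenarios, years=10000, seed=7):
    """Annual loss per scenario plus the aggregated portfolio, over simulated years."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.loss_p10, s.loss_p90) for s in scenarios}
    losses = {**{s.name: [] for s in scenarios}, "portfolio": []}
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            events = poisson(rng, s.annual_rate)      # frequency is itself a distribution
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(events))
            losses[s.name].append(loss)
            total += loss
        losses["portfolio"].append(total)            # aggregation across scenarios
    return losses

def percentile(values, q):
    return sorted(values)[min(len(values) - 1, int(q * len(values)))]

def summarize(values, threshold):
    """Expected annual loss, 95th-percentile tail loss, and P(annual loss > threshold)."""
    return {"expected": sum(values) / len(values), "p95": percentile(values, 0.95),
            "p_exceed": sum(v > threshold for v in values) / len(values)}

REGISTRY = [  # constructed scenarios echoing the Roadmap's themes; values are illustrative
    Scenario("vendor remote access without MFA, low-impact asset", 0.5, 50_000, 2_000_000),
    Scenario("unpatched OT asset, ransomware", 0.3, 100_000, 5_000_000),
    Scenario("carrier telecom link carrying SCADA/AGC", 0.1, 500_000, 20_000_000),
]
RESULTS = {name: summarize(vals, 5_000_000) for name, vals in simulate(REGISTRY).items()}
```

Because the portfolio loss in any simulated year is the sum of the scenario losses, its 95th percentile is never below that of any single scenario, which is the aggregation effect the Roadmap asks leaders to govern explicitly.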
NERC’s CIP Roadmap provides a structured, reliability-centered assessment of emerging risk and a targeted plan for evolving the CIP framework. Its value is clearest as a sector alignment instrument: it identifies where grid operating realities are outpacing existing baselines and where standards work is most likely to focus next.
For Responsible Entities and senior decision makers, the next step is translating sector priorities into site-specific decisions. Quantification can complement the Roadmap by producing scenario likelihood and impact distributions that reflect each entity’s controls, exposures, and operational constraints—and by making aggregation and tail risk explicit in a form leaders can govern.
DeNexus’ CRQ platform provides cyber risk quantification methods and analytics for operational technology environments. In the context of the Roadmap, our objective is to extend a sound, structured sector framework into entity-specific, decision-ready risk analysis that lets entities assess the real risk to their business and the financial impact on their bottom line ahead of the mandatory compliance requirements placed upon them.
[1] NERC, “NERC Critical Infrastructure Protection Roadmap,” January 2026. URL: https://www.nerc.com/globalassets/our-work/reports/special-reports/nerc_cip_roadmap_01122026.pdf
[2] Patrick Miller, Ampyx Cyber, “NERC’s CIP Roadmap and the Future of Grid Cybersecurity,” January 13, 2026. URL: https://ampyxcyber.com/blog/nercs-cip-roadmap-and-the-future-of-grid-cybersecurity
[3] Federal Energy Regulatory Commission (FERC), “Enforcement Reliability.” URL: https://www.ferc.gov/enforcement-reliability
[4] NIST, Special Publication 800-30 Rev. 1, “Guide for Conducting Risk Assessments,” 2012. URL: https://csrc.nist.gov/pubs/sp/800/30/r1/final
[5] NERC Reliability Standard CIP-005-7, “Cyber Security — Electronic Security Perimeter(s).” URL: https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-005-7.pdf
[6] NERC Reliability Standard CIP-012-1, “Cyber Security — Communications between Control Centers.” URL: https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-012-1.pdf
[7] CISA, Cybersecurity Advisory AA25-239A (Salt Typhoon). URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
[8] NERC Newsroom, “Targeting Actions to Address Emerging Risks is Focus of CIP Roadmap.” URL: https://www.nerc.com/newsroom/targeting-actions-to-address-emerging-risks-is-focus-of-cip-roadmap