Where Organizations Struggle
Low Impact BES Cyber systems have historically been less monitored with no minimum security baselines – but are critical in nature and can collectively be targeted for coordinated attacks.
NERC CIP-003-9 specifies security management controls for these systems, but most organizations lack visibility into vendor activity, monitoring at low impact sites, and real time threat detection that this regulation specifies.
Limited Visibility
Limited visibility into distributed assets or vendor activity
Air-Gapped Environments
Air-gapped or offline environments make monitoring difficult
IT/OT Mismatch
IT-centric tools that don’t translate to OT for monitoring and access control
Scaling Costs
High cost of scaling traditional monitoring

iolite supports NERC CIP-003-9 compliance for BES environments
Baseline and Anomaly Detection
- Detects deviations across cyber-physical behaviors including unapproved communications and network behavior
- Identify suspicious communication patterns and malware-like behavior through custom detection logic
Incident Response
- Build pre-approved processes
- Controls directly into detection and monitoring systems
Vendor Electronic Remote Access Security Controls
- Monitors for electronic remote access behavior and logging
- Detects known or suspected inbound and outbound malicious communications
Physical Layer Connectivity
- Monitor industrial events like temperature, pressure, humidity, and more or disconnected cables and unexpected behaviors
- Lightweight deployment runs on minimal hardware
- Air-gapped operation is fully functional with no cloud connectivity
What is NERC CIP-003-9?
NERC CIP-003-9 is a part of the broader NERC CIP framework, which governs cybersecurity for the North American electric utilities. 003-9 specifies security management controls for Bulk Electric Systems (BES) environments, with a focus on Low Impact assets. It defines foundational controls around governance, access, and monitoring to protect grid reliability, most notably establishing controls for vendor electronic remote access.
Low Impact BES Cyber systems have historically been less monitored with no minimum security baselines – but are critical in nature and can collectively be targeted for coordinated attacks.
Who does it apply to?
- Electrical distribution providers
- Electrical generator owners and operators
- Electric transmission owners and operators
- Utilities
- Independent power producers
- Municipal utilities
- Public power and co-ops

