This executive summary explains NERC CIP compliance requirements for utility private wireless deployments across substations, control centers, and field operations. Electric utilities are deploying private LTE, 5G, and Wi-Fi 6 networks to enable SCADA telemetry, connected worker programs, video analytics, and IoT sensor integration — but these networks introduce attack surfaces and compliance complexities that wired-only architectures never addressed. The 2025–2026 NERC CIP updates have significantly raised the bar for compliant electronic security perimeters.
The Regulatory Catalyst: CIP-015-1
CIP-015-1, approved by FERC on June 26, 2025 via Order No. 907 and effective September 2, 2025, represents the most significant shift in NERC CIP philosophy since Version 5. For the first time, the standards explicitly require continuous monitoring of traffic inside the trusted zone — not just at the perimeter. Wireless segments within an Electronic Security Perimeter can no longer rely solely on perimeter firewalls and access control lists. Utilities must demonstrate they can detect anomalous wireless traffic, identify rogue devices, and respond to lateral movement threats in real time. Compliance deadlines: high- and medium-impact BES Cyber Systems with external routable connectivity by October 1, 2028; all other applicable BES Cyber Systems by October 1, 2030. Concurrently, CIP-002-8 introduces Aggregated Weighted Value (AWV) scoring that may reclassify previously low-impact substations to medium-impact, triggering substantially more demanding requirements for utilities that had scoped wireless deployments at low-impact sites.
Key Findings: What Utilities Must Know
- Wireless devices are BES Cyber Assets. Access points, wireless controllers, and private cellular infrastructure that communicate using routable protocols within or across an ESP must be identified and categorized under CIP-002.
- Physical and electronic perimeters intersect at the antenna. Wireless signals do not respect physical walls. If an access point inside a substation broadcasts a signal detectable outside the Physical Security Perimeter, the ESP effectively extends beyond the physical boundary — a CIP-005/CIP-006 intersection requiring RF power management, directional antennas, and wireless intrusion detection.
- Zero Trust is no longer optional. CIP-005 electronic access controls and CIP-007 system security requirements together demand a Zero Trust architecture where every wireless connection is authenticated, authorized, and continuously monitored.
- Supply chain risk extends to wireless vendors. CIP-013 supply chain risk management must encompass wireless hardware, firmware, and management platform vendors, including their update and patching mechanisms.
CIP Standards and Their Wireless Impact
The standards span the full wireless compliance lifecycle. CIP-002 requires classifying wireless APs, controllers, and cellular infrastructure by impact level. CIP-005 requires designating wireless entry points as Electronic Access Points and monitoring all wireless traffic crossing ESP boundaries. CIP-006 governs antenna placement and AP physical access. CIP-007 mandates patch management, port controls, and malware prevention for wireless devices — the same as wired BES assets. CIP-010 requires wireless firmware baselines, configuration documentation, and vulnerability assessments. CIP-011 requires encryption of data over wireless links. CIP-015 requires continuous monitoring of wireless traffic within the ESP and anomaly detection capabilities.
Reference Architecture: Four Security Zones
Zone 0 — Field Instruments and Sensors
RTUs, IEDs, power quality meters, and environmental sensors. Where possible, use non-routable serial protocols to minimize CIP scope. When IP connectivity is required for IEC 61850 or DNP3-over-IP, devices must be classified under CIP-002 and wireless sensor networks must use dedicated, encrypted channels isolated from the SCADA control plane.
Zone 1 — Private Wireless Layer
Wi-Fi 6 access points, private LTE small cells, or 5G gNB equipment. Every device is a candidate for BES Cyber Asset classification. Wireless controllers must enforce WPA3-Enterprise authentication with 802.1X. Private cellular infrastructure must implement SIM-based mutual authentication. All wireless backhaul traffic crossing zone boundaries must use AES-256 encryption.
Zone 2 — Electronic Security Perimeter
Next-generation firewalls with protocol-aware deep packet inspection for OT protocols (DNP3, Modbus/TCP, IEC 61850 MMS). IDS/IPS for signature-based monitoring per CIP-005-7. Network Access Control platforms enforcing identity-based policies so only authorized devices traverse the ESP.
Zone 3 — SCADA and Control Center
Highest-value BES Cyber Systems: SCADA HMI, historians, EMS/DMS, and INSM infrastructure. Any wireless access must traverse a dedicated jump host with session recording and multi-factor authentication. This zone must be continuously monitored per CIP-015 requirements.
Four-Phase Compliance Roadmap
- Phase 1 (Months 0–3) — Assessment and Discovery: OT asset inventory identifying all wireless-capable devices including dormant interfaces. RF site surveys at all BES facilities. CIP gap analysis. CIP-002 impact classification for all wireless assets.
- Phase 2 (Months 3–6) — Architecture and Design: Target-state wireless architecture with explicit zone boundaries aligned to CIP-005. Encryption standards per CIP-011 and CIP-012. Zero Trust access control policies via 802.1X, NAC, and dynamic segmentation. INSM sensor placement planning.
- Phase 3 (Months 6–12) — Deployment and Hardening: Wireless installation per CIP-010 change management requirements. Firewall, IDS/IPS, and NAC configuration at all ESP boundaries. Wireless intrusion detection for rogue device detection. Patch management processes per CIP-007.
- Phase 4 (Ongoing) — Monitoring and Continuous Compliance: INSM activation for wireless segments, traffic baselining, and anomaly detection. Automated compliance reporting dashboards. Annual wireless-specific tabletop exercises per CIP-008 incident response planning.



