NERC CIP 2025 Updates—What Energy Suppliers Are Saying and Opportunities for the IoT Connectivity Market

In 2005, after the 2003 blackouts in the Northeast United States, the Federal Energy Regulatory Commission (FERC) was given authority to oversee the reliability of the U.S. bulk power systems. The FERC gave the task of building electric grid reliability standards, including cybersecurity standards, to the North American Energy Reliability Council (NERC). In 2008, NERC released its initial plan for improving grid reliability called the Critical Infrastructure Protection (CIP) standards.

In March 2025, these standards were updated with enhanced cybersecurity guidelines with a key change of extending cybersecurity controls to assets once deemed low priority such as substations and renewables.

The top cybersecurity changes include:

• Remote Access: Must implement multi-factor authentication such as Public Key Infrastructure (PKI) tokens.
• Configuration Management: A broader range of assets and systems are subject to enhanced security such as secure software updates and patch management.
• Supply Chain Security: The broader supply chain supporting grid assets will require stricter oversight of services such as remote session access to reduce risk from third-party vendors supporting their own equipment, and from greater use of managed services providers.

ABI Research conducted two surveys in 2025 covering Internet of Things (IoT) connectivity generally and utility connectivity needs. For the survey assessing general connectivity needs, some key results from U.S. energy respondents included the following:

• Top Security Risks: The top three security risks for energy firms operating in the U.S. market in order of most cited by respondents were data breach and privacy exposure, insufficient threat detection, and non-compliance and fines. Data breach was cited by 60% of respondents; the remaining two were cited by 54% of respondents. These reasons are all related as a data breach can be caused by insufficient security tools to detect a breach with the result of not complying with regulations such as the CPI.
• Top Reasons for Delayed or Blocked IoT Projects: The top three reasons were lack of internal and external expertise cited by 71% of respondents, followed by IoT solution development delay by 57% of respondents and third was connectivity issues with 49% of respondents. Security was only cited by 31% of respondents.
• Top Problems Encountered or Anticipated When Scaling IoT Projects: The top reason for energy respondents was managing deployments outside the core coverage area. Deployment management could be related to connectivity such as coverage issues; or be hardware related such as supporting devices remotely. The second most cited reason was unstable connectivity/capacity concerns. Because energy companies operate in remote areas, expansion of an IoT application brings network capability uncertainty depending on the location of expansion. The third most-cited problem is using multiple Connectivity Management Platforms (CMPs). If expansion into new areas requires a contract with another cellular provider, that provider could have its own CMP, which adds another layer of complexity to operational management.
• Top Criteria for Evaluating an IoT Connectivity Provider: The top three criteria among energy respondents ranked in order of importance were future-proofed Subscriber Identity Modules (SIMs), scalability, and coverage. The interesting outcome of these results is that future-proofed SIMs, such as Embedded SIM (eSIM)-enabled devices, will address the scalability need and provide insurance against connectivity issues. As the energy industry, particularly utilities, expands its connectivity footprint, establishing the right technology foundation within its device inventory is critical to reducing technical challenges and truck rolls.

For utilities respondents, key survey findings included:

• Connectivity Requirements Critical at Each Grid Location: Reliability and resiliency were the number 1 and 2 requirements regardless of grid location. The third most cited requirement was response time/latency by approximately 40% of respondents. In light of the increasing threats of unpredictable/stronger weather events, rogue and nation-state cyberattacks, and a diversified energy environment, utilities need stable, reliable connectivity. Interestingly, connectivity from a single provider was only cited by 20% of respondents as a key requirement for all grid locations except for homes/businesses.

While security plays a key role in energy firm technology assessment, connectivity provider capabilities are what energy firms will focus on to ensure they can meet the latest NERC CIP requirements. As a result, connectivity providers should prioritize around the following capabilities.

Partnerships

Energy firms have multiple choices for procuring connectivity, but the top three as determined from the connectivity survey results were from a hardware partner, a system integrator partner, or a solutions provider. In light of the new CIP requirements that will drive more frequent remote access, these different procurement channels will be actively reassessing their connectivity provider choices to ensure they can reliably meet these requirements. To that end, connectivity providers also need to be active courting these partners and marketing their connectivity capabilities.

Connectivity—Location

Connectivity providers need to be aware of energy firm preference for certain connectivity technologies based on the location of energy assets. The utility survey results showed that utilities tend to prefer certain technologies based on concentration of assets. In addition, the survey results showed that utility connectivity technology preference will vary by size of the utility and its customer base, the latter of which ranges from urban to rural, and consumer to industrial. These variations mean that connectivity providers need to be targeted with their offerings when marketing to energy clients knowing the strengths and weaknesses of their chosen connectivity technology offerings.

Connectivity—Coverage Capabilities

As energy firms expand their IoT applications, Wide Area Network (WAN) technology choice becomes important. But WAN choice needs to consider the breadth of energy firm applications with throughput needs ranging from low to high. LoRa is top WAN choice for distributed assets and low-throughput applications, and it is less expensive than cellular on a per asset basis but does require that the energy firms deploy and manage the networks themselves. Cellular is more expensive than LoRa but has the benefit of no network management by the customer. Where cellular choice becomes important is the type of Low-Power Wide Area (LPWA) cellular technology the connectivity provider offers. Narrowband-IoT (NB-IoT) is one option with very good coverage for the region deployed but is limited by total data throughput, so it is less ideal for gateway-based applications. Cat-1 is good for all types of gateway connectivity due to higher throughput capabilities and offers greater worldwide coverage. Cat-M has similar coverage capabilities as NB-IoT for the region it is deployed in and is a good middle ground for low and higher throughput IoT app needs.

Survey findings show that coverage, scalability, reliability, and resilience are top considerations for energy firm choice of connectivity provider. As a result, connectivity providers need to have a portfolio of connectivity technologies. Mobile Virtual Network Operators (MVNOs) would appear to be in the best position to offer a range of WAN technology options.

Connectivity Management

With cellular as the only choice to connect a range of assets over wide areas, eSIM is addressing one of the last issues for this technology—provider choice. Through eSIM, a different cellular network can be provisioned as the primary carrier, which gives energy companies both choices and leverage in connectivity discussions. But eSIM does not address a top issue for energy firms—dealing with multiple CMPs, which is a situation that can happen as more remote energy assets are connected through other cellular networks.

To facilitate a single CMP, connectivity providers need to expand their connectivity footprint both through their own network investments and via roaming partnerships. Flexible roaming relationships are necessary for Mobile Network Operators (MNOs) to ensure they are not contractually tied to a single roaming partner without sufficient coverage in a particular geographic region where an energy firm may want to expand. MVNOs need to improve their perception with energy firms, particularly around network support. In interviews with energy firms, some believed that the MVNO just added another layer of complexity. Both MNOs and MVNOs need to have satellite partnerships in their portfolio and 3GPP-Non-Terrestrial Network (NTN)-compliant devices to ensure that energy companies do not have to seek new cellular providers as the energy firm’s footprint expands, particularly for a small share of devices that operate just outside the cellular footprint.

Private Networks

Utilities are increasingly investing in private wireless networks for connectivity. As revealed by the utility survey results, the top two wireless connectivity choices for private networks are Wi-Fi and cellular. Wi-Fi was chosen for more asset-concentrated assets such as those at generation sites and substations. Cellular was a top choice regardless of grid location from generation through transmission and distribution. LoRa was a top choice for more distributed asset locations such as the last mile of utility grids.

However, for connectivity providers to succeed with private networks, the survey data also showed two important requirements. First, they need to be able to accommodate a utility’s security needs. This can include everything from devices that do not have Chinese components, to integration of connectivity management services into utility security software, to including private Access Point Names (APNs) as part of the connectivity package.

The second is that the connectivity supplier needs to have a robust onboarding process, including training, resources, and post-sales follow-up. This result demonstrates that once a utility has completed the tech assessment, including the technology’s security capabilities, proper support resources are necessary for tech implementation.