Solar SCADA cybersecurity NERC CIP: utility-scale compliance guide
In a 2024 Joint Advisory, the Cybersecurity and Infrastructure Security Agency warned that Volt Typhoon-style reconnaissance was probing renewable generation control networks, putting solar SCADA cybersecurity NERC CIP compliance back at the top of every IPP risk register. The deciding question for plant owners is straightforward: at what aggregate nameplate does a PV site cross from low to medium impact, and what controls follow that classification? The answer starts at 75 MVA and runs through zone segmentation, jump hosts, vendor attestations, and 35-day patch cycles.
When solar SCADA cybersecurity NERC CIP applies to your plant
A utility-scale PV facility triggers solar SCADA cybersecurity NERC CIP obligations once its aggregate nameplate crosses the 75 MVA gross threshold defined in CIP-002-5.1a Attachment 1. The classification rule looks at the facility as a whole, including all inverter blocks tied into the point of interconnection. Once you cross that line, the plant controller, RTUs, communications gateways, and HMI servers are each evaluated for BES Cyber Asset status.
The North American Electric Reliability Corporation publishes the Bulk Electric System Definition that drives this calculation, and most IPP compliance teams run an annual nameplate audit against generator interconnection agreements. A 49.9 MW DC array tied to a 55 MVA AC inverter block stays low impact, but a 90 MVA array with shared substation infrastructure may pull adjacent assets into medium scope. The EIA-860 generator data set is a useful sanity check against your registered list when an acquisition adds a plant to the portfolio.
The practical signal: any plant above 75 MVA needs a documented solar SCADA cybersecurity NERC CIP scope memo, an Electronic Security Perimeter diagram, and an asset registration with the NERC Compliance Registry. Operators below the threshold are not exempt from prudence, but the auditable obligation lives above 75 MVA. For a deeper read on how the controller and SCADA touch, see our plant power controller integration guide.
Solar SCADA cybersecurity NERC CIP zones with IEC 62443-3-3
ISA/IEC 62443-3-3 zone and conduit modeling sits cleanly on top of the NERC CIP Electronic Security Perimeter. A defensible PV plant separates four reference zones: a control zone holding the plant controller and RTUs, a field zone for inverters, trackers, and met stations, an operations zone for engineering workstations and historians, and a DMZ for vendor jump hosts, MFA brokers, and syslog forwarders. Conduits between zones carry only enumerated protocols at enumerated ports, with stateful inspection at the boundary firewall. Modbus TCP from inverters terminates at a polling gateway inside the field zone; the gateway publishes normalized tag data northbound over DNP3 or OPC UA to the control zone; and the control zone forwards selected points to the operations zone over an authenticated, rate-limited conduit. Because conduit rules permit no lateral traffic between the field zone and the operations zone, a compromised inverter cannot reach the plant controller or historian directly, limiting attacker movement without requiring host-based controls on every field device. The IEC cyber security portal and the ISA/IEC 62443 series page are the canonical references.
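The conduit rules described above can be checked mechanically against flow records from the boundary firewall. The following is an added example, not part of the original guide: the zone names follow the article, while the address plan, the sample flows and the choice of RDP on the DMZ conduit are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the four reference zones (assumption, not from the page).
ZONES = {
    "field": ip_network("10.10.0.0/16"),       # inverters, trackers, met stations
    "control": ip_network("10.20.0.0/24"),     # plant controller, RTUs
    "operations": ip_network("10.30.0.0/24"),  # engineering workstations, historians
    "dmz": ip_network("10.40.0.0/24"),         # vendor jump hosts, syslog forwarders
}

# Conduits: (initiating zone, receiving zone) -> enumerated (protocol, port) pairs.
# Default registered ports: DNP3 20000, OPC UA 4840, RDP 3389.
CONDUITS = {
    ("field", "control"): {("tcp", 20000), ("tcp", 4840)},
    ("control", "operations"): {("tcp", 4840)},
    ("dmz", "control"): {("tcp", 3389)},
}

def zone_of(addr):
    """Map an address to its zone; anything outside the plan is 'external'."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def evaluate(flow):
    """Classify one (src, dst, proto, port) flow against the conduit table."""
    src, dst, proto, port = flow
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "external":
        return "intra-zone"  # never crosses a boundary firewall
    if (proto, port) in CONDUITS.get((sz, dz), set()):
        return "allowed"
    return f"violation {sz}->{dz} {proto}/{port}"

# Constructed flow records, e.g. exported from boundary firewall logs.
SAMPLE_FLOWS = [
    ("10.10.3.15", "10.10.0.5", "tcp", 502),     # inverter -> polling gateway, Modbus TCP
    ("10.10.0.5", "10.20.0.10", "tcp", 20000),   # gateway -> plant controller, DNP3
    ("10.10.3.15", "10.20.0.10", "tcp", 502),    # inverter straight to controller
    ("10.10.3.15", "10.30.0.20", "tcp", 445),    # field -> operations, no conduit exists
    ("10.20.0.10", "198.51.100.9", "tcp", 443),  # control-zone egress to the internet
]

def audit(flows):
    """Return only the flows that violate the conduit policy."""
    return [(f, v) for f in flows if (v := evaluate(f)).startswith("violation")]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

Because the table is default-deny, a flow with no matching conduit (field to operations, or control zone to an external address) is reported without needing an explicit block rule.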
In a 145 MW plant REIG commissioned for a Duke Energy Progress interconnection in Cabarrus County, NC, the prior integrator had shipped the entire site on a flat plant LAN, and remediating it to an IEC 62443-segmented architecture consumed more engineering hours than the original SCADA build. Skipping segmentation and relying on a flat plant LAN was the most common solar SCADA cybersecurity NERC CIP audit finding category through 2023, and it remains the most expensive remediation on a brownfield site. The chart below summarises the recurring finding categories from public audit summaries.

Solar SCADA cybersecurity NERC CIP remote access controls
CIP-005-7 governs interactive remote access to medium impact BES Cyber Systems, and it is the first standard most utility-scale PV operators read. The minimum stack: a hardened jump host inside an Electronic Access Control or Monitoring System (EACMS), end-to-end encryption of the IRA session from the requester to the jump host, and multi-factor authentication before the jump host releases a connection into the Electronic Security Perimeter.
In practice this means the vendor support technician at SMA, Sungrow, or Huawei does not connect directly into the plant controller. The technician authenticates against your identity provider, completes an MFA challenge, lands on a jump host in the DMZ, and from there an outbound proxy or RDP gateway brokers the session into the control zone. Every keystroke is recorded. Every session has a documented start and stop time tied to a change request. The NIST Cybersecurity Framework and the SP 800-82 Revision 3 guide for industrial control systems treat this same architecture as a baseline.
Every solar SCADA cybersecurity NERC CIP remote access path you certify should pass three tests before it is logged as compliant: encrypted tunnel, jump host inside an EACMS, and MFA before the conduit opens. Skip any one and you should treat the gap as a finding before an auditor does. The pattern stays the same whether you are remoting in for tuning, troubleshooting, or witness pack capture, which we cover in our SCADA commissioning witness pack guide.

Solar SCADA cybersecurity NERC CIP supply chain rules under FERC Order 850
FERC Order 850, issued October 18, 2018, directed NERC to develop and enforce CIP-013 supply chain risk management standards. CIP-013-1 became enforceable on October 1, 2020, and CIP-013-2 followed. The rule reaches every vendor procurement that touches a medium or high impact BES Cyber System, which for a 250 MW solar plant means inverters, plant controllers, RTUs, firewalls, and the SCADA HMI software itself. The FERC Order 850 record documents the rulemaking history.
For a fleet running Huawei, Sungrow, and SMA gear, procurement language has to compel four things from each vendor: documented disclosure of remote support paths, cryptographic software integrity verification at install, vulnerability and incident notification windows expressed in calendar days, and the right to audit the vendor’s source-of-supply controls. Most IPPs run this through a structured questionnaire that mirrors NATF Energy Sector Supply Chain Risk fields.
Treat every solar SCADA cybersecurity NERC CIP procurement as a documented control event, not a paperwork exercise. The Department of Energy CESER program reinforced this work in its 2024 Joint Advisory on Volt Typhoon, which called out vendor remote access as the most exploited pivot path into utility SCADA. Standing tunnels into a control zone are defended boundaries, not conveniences.

Solar SCADA cybersecurity NERC CIP patch management with CIP-007
CIP-007-6 R2 requires a documented patch evaluation cycle of no more than 35 calendar days per cyber asset, and CIP-010-4 requires baseline configuration management to detect unauthorized change. On a fleet of 200 RTUs spread across 30 sites, that compounds into a monthly cadence: source identification against each vendor’s security bulletin feed, an evaluation memo per patch, an installation or documented mitigation plan, and an evidence package signed off by the compliance lead.
A workable program assigns each cyber asset class to a named source: SEL bulletins for protective relays, Schneider Electric advisories for plant controllers, vendor portals for inverter firmware, and the NIST National Vulnerability Database for OS and library CVEs. Anything past the 35-day clock without an approved mitigation is a self-report. For the architecture context, our SCADA failover architecture guide covers how to schedule patch windows without losing availability.
Solar SCADA cybersecurity NERC CIP audits in 2023 and 2024 returned a recurring finding pattern: patch evaluation evidence existed, but installation evidence did not survive a technician handoff. The fix is mechanical: wire your CMDB to your ticketing system so that every approved patch generates a work order and every closed work order writes back a configuration baseline hash. The distribution of a typical fleet’s monthly outcomes looks like the donut chart below.
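The work-order write-back and the 35 day clock described above, sketched as an added example that is not part of the original guide. The record fields, status names, asset and work order ids, and baseline contents are hypothetical, and the clock is assumed to run from the evaluation date.

```python
import hashlib
import json
from datetime import date, timedelta

CLOCK = timedelta(days=35)  # the 35 calendar day window the article cites

def baseline_hash(baseline):
    """SHA-256 of a canonical JSON form, so key order never changes the hash."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def close_work_order(order, baseline, closed):
    """Closing a work order writes the post-install baseline hash back to it."""
    return {**order, "closed": closed, "baseline_hash": baseline_hash(baseline)}

def status(order, today):
    """Classify one work order against the 35 day clock."""
    due = order["evaluated"] + CLOCK
    done = order.get("closed")
    if done and not order.get("baseline_hash"):
        return "missing-evidence"  # installed, but nothing an auditor can verify
    if order.get("mitigation_approved"):
        return "installed" if done else "mitigated"
    if done:
        return "installed" if done <= due else "installed-late"
    return "overdue" if today > due else "open"

# Constructed records: hypothetical asset names, work order ids and baseline fields.
RTU_BASELINE = {"firmware": "2.4.1", "patches": ["P-0312"], "open_ports": [20000]}
EVALUATED = date(2024, 3, 1)
ORDERS = [
    close_work_order({"id": "WO-1001", "asset": "RTU-014", "evaluated": EVALUATED},
                     RTU_BASELINE, date(2024, 3, 20)),
    {"id": "WO-1002", "asset": "RTU-022", "evaluated": EVALUATED,
     "closed": date(2024, 3, 18)},  # closed by hand, hash lost in handoff
    {"id": "WO-1003", "asset": "PPC-01", "evaluated": EVALUATED,
     "mitigation_approved": True},
    {"id": "WO-1004", "asset": "INV-GW-3", "evaluated": EVALUATED},
]

def report(orders, today):
    """Map work order id -> status; overdue and missing-evidence need action."""
    return {o["id"]: status(o, today) for o in orders}

if __name__ == "__main__":
    for wo, state in report(ORDERS, date(2024, 4, 10)).items():
        print(wo, state)
```

The `missing-evidence` state is the handoff failure the audits found: the patch was installed, but the closed work order carries no baseline hash to prove it.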
| Standard | Focus | Key requirement |
|---|---|---|
| CIP-002-5.1a | Asset classification | 75 MVA aggregate threshold for medium impact |
| CIP-005-7 | Electronic Security Perimeter | Encrypted IRA, jump host, MFA |
| CIP-007-6 | System security management | 35-day patch evaluation cycle |
| CIP-010-4 | Configuration change | Baseline tracking and change windows |
| CIP-013-2 | Supply chain risk | Vendor risk plan and procurement controls |
For teams new to the monitoring versus SCADA distinction underneath these obligations, our monitoring versus SCADA roles primer covers the layered architecture this compliance program defends.
Frequently asked questions
When does a solar plant trigger NERC CIP applicability?
A solar facility triggers NERC CIP applicability when aggregate gross nameplate at one facility crosses 75 MVA, per CIP-002-5.1a Attachment 1. The classification looks at the whole plant tied to the point of interconnection. A 90 MVA plant becomes a Medium Impact BES Cyber System and must produce an asset list, an Electronic Security Perimeter diagram, and a registration with the NERC Compliance Registry. Plants below 75 MVA can adopt the same solar SCADA cybersecurity NERC CIP controls voluntarily but are not subject to the medium impact audit regime.
How do IEC 62443 zones and conduits map to a PV plant?
IEC 62443-3-3 defines four practical zones for a utility-scale PV plant: a control zone for the plant controller and RTUs, a field zone for inverters and trackers, an operations zone for engineering workstations and historians, and a DMZ for vendor access. Conduits between zones carry only enumerated protocols at enumerated ports. Modbus TCP from inverters terminates at a field gateway that publishes normalized data northbound over DNP3 or OPC UA. The ISA/IEC 62443 series gives the canonical taxonomy.
What is the minimum remote access stack for solar SCADA?
The minimum stack under CIP-005-7 for medium impact BES Cyber Systems includes three controls: an encrypted interactive remote access session, a hardened jump host inside an Electronic Access Control or Monitoring System, and multi-factor authentication before a connection is allowed into the Electronic Security Perimeter. Vendor technicians at SMA, Sungrow, or Huawei should authenticate against your identity provider, land on a DMZ jump host, and have every session recorded against a tied change request. NIST SP 800-82 Revision 3 treats this same architecture as a baseline.
How does FERC Order 850 affect vendor remote support?
FERC Order 850 directed NERC to adopt CIP-013 supply chain risk management standards, enforceable October 1, 2020. The rule requires utilities to evaluate and document the security practices of any vendor whose products touch a medium or high impact BES Cyber System. For solar plants this includes inverters, plant controllers, and the SCADA HMI itself. Procurement language must compel disclosure of remote support paths, cryptographic verification at install, and incident notification windows. The FERC Order 850 record documents the rulemaking history.
What does a CIP-007 patch program look like for SCADA RTUs?
CIP-007-6 R2 requires a 35-calendar-day patch evaluation cycle per cyber asset. A workable program assigns each asset class to a named source: SEL bulletins for protective relays, Schneider advisories for plant controllers, vendor portals for inverter firmware, and the NIST National Vulnerability Database for OS CVEs. Each patch generates an evaluation memo, an installation or mitigation plan, and an evidence package. Wire the CMDB to ticketing so every approved patch writes back a configuration baseline hash on close. Anything past the 35-day clock without an approved mitigation is a self-report.
How should solar operators respond to the 2024 Volt Typhoon advisory?
The 2024 CISA and DOE Joint Advisory on Volt Typhoon flagged renewable generation SCADA as a reconnaissance target. Solar operators should treat every standing vendor tunnel as a defended boundary, rotate jump host credentials, and review egress logs from the control zone for anomalous outbound DNS or HTTPS traffic. Run a tabletop exercise that assumes a Sungrow, Huawei, or SMA support credential is compromised and walk through your isolation procedure. The advisory also recommends multi-factor authentication on every administrative interface and disabling unused vendor accounts at the identity provider, not just at the device level.
