This regulatory shift signals that cyber attackers are changing their tactics, focusing on exploitation of less critical systems in the hopes of pivoting to more critical infrastructure. North American Electric Reliability Company (NERC) has documented cases where cyber criminals have attempted to access higher-value systems through brute force login attempts, VPN abuse and SCADA network scanning.
Yet basic authentication failures remain common: operational systems with unchanged default passwords or compromised credentials continue to provide entry points.
The move towards consistent controls comes at a time when cyber attacks and their financial consequences are on the rise. U.S. utility companies, for example, saw cyber attacks increase by nearly 70%¹ from 2023 to 2024, while the average data breach now costs organizations in the U.S. $10.22 million², compared to the global average of $4.88 million³.
Performance-based enforcement
NERC’s Critical Infrastructure Protection (NERC-CIP) requirements have governed power generation and water utility cyber security for nearly two decades. The framework requires operators to establish and maintain comprehensive cyber security programs with regular third-party audits against documented procedures.
In recent years, the scope has been extended to cover previously exempt assets. Intermediate systems connected to medium-impact bulk electric systems must now adopt revised standards, including CIP-005-8, which requires multi-factor authentication. Some substations and distributed energy resources have been reclassified to medium-impact status, which brings a new set of requirements for monitoring, segmentation and training to meet higher-tier obligations.
The maximum penalty reaches $1 million per day per violation. Although official NERC filings show total fines have fallen in recent years – in 2023, fines totaled $3.67 million (almost half of which was made up of one fine of $1.8 million), falling to $1.08 million in 2024, and just over $750k in 2025 to date – occasional cases remind operators that compliance failures carry significant weight. The largest public NERC-CIP fine hit $10 million in 2019 for 127 separate violations. These stemmed from failures to implement access controls, together with inadequate staff training, insufficient managerial oversight and weak internal controls and processes.
The global picture shows a similar trend. NERC-CIP requirements have been adopted in Chile, Colombia, and parts of Mexico and Canada. Europe's NIS2 directive now covers hydrogen production and storage, while countries across Asia and Latin America are adopting frameworks that increasingly align with international standards like IEC 62443. This convergence creates consistent global requirements, though regional implementation varies. For multinational energy companies, standardized frameworks translate more easily across borders than disparate national requirements.
These changes mean operators must focus on practical, demonstrable protections. Regulators and auditors want evidence that identity controls are enforced consistently, that vendor access is properly managed and that system documentation reflects reality. Even for sites deemed lower impact, the expectation is that authentication, monitoring and segmentation are no longer optional.
How ABB supports compliance
ABB helps operators meet these evolving requirements through control systems with integrated security controls, electronic security perimeter configurations, and documentation supporting compliance efforts. Our secure remote access solutions address specific regulatory requirements, like CIP-003-9 standards for vendor remote access, through time-based access controls, real-time monitoring and comprehensive audit trails.
By offering solutions that map directly to regulatory expectations, ABB enables operators to maintain compliance while strengthening day-to-day defenses.
A new operating reality
Cyber security has become a license to operate. Mandatory cyber security frameworks will continue to expand in scope, reshaping how infrastructure is managed. Organizations that implement comprehensive programs proactively will not only reduce risk of penalties – they will find themselves better positioned when regulations inevitably tighten.
Register for ABB's upcoming webinar "Wired for Defense: How Regulators Are Shaping Energy Cyber Security" to explore practical strategies for navigating this regulatory environment. Industry experts will share real-world insights on turning regulatory compliance into operational advantage.
¹ https://www.reuters.com/technology/cybersecurity/cyberattacks-us-utilities-surged-70-this-year-says-check-point-2024-09-11/
² https://www.bakerdonelson.com/webfiles/Publications/20250822_Cost-of-a-Data-Breach-Report-2025.pdf
³ https://www.ibm.com/reports/data-breach