Critical infrastructure deserves critical engineering

The US electric grid was attacked 1,162 times in 2023 — a 70% increase year over year, with vulnerability points growing by approximately 60 per day as grid edge devices proliferate. Most of these attacks targeted operational technology infrastructure running on unpatched systems, communicating over unencrypted protocols, and connected to corporate IT networks through inadequately controlled access points. NERC CIP compliance does not equal security: a utility can satisfy every NERC CIP control on paper while maintaining undetected persistent adversary access through attack vectors the NERC CIP standards don't address. The $174 billion capital expenditure cycle in US energy is creating new technology integration requirements at the grid edge — wind, solar, battery storage, EV charging infrastructure. FERC Order 2222 requires these distributed energy resources to participate in wholesale electricity markets, demanding new technology platforms for DER aggregation, dispatch, and settlement that must integrate with legacy SCADA systems and satisfy NERC CIP security requirements simultaneously. The OT-IT convergence that enables these capabilities creates compliance boundary questions that engineering teams with IT backgrounds routinely miss: is the newly connected system inside the Electronic Security Perimeter? Does it qualify as a BES Cyber Asset? What interactive remote access controls apply?

The Algorithm approaches energy and utilities engagements with NERC CIP compliance at the control layer — not the documentation layer — as the defining engineering requirement. BES Cyber System classification analysis begins at the architecture phase, with every connected component evaluated against the NERC CIP-002 categorization criteria before network topology decisions are finalized. Electronic Security Perimeter design follows CIP-005 requirements with documented interactive remote access controls that satisfy CIP-007 requirements — including the authentication, encryption, and session monitoring requirements that most legacy remote access implementations do not meet. OT-IT connectivity is designed with the Electronic Security Perimeter boundary explicitly defined, documented, and enforced rather than assumed. For utilities implementing DER aggregation under FERC Order 2222, the platform architecture addresses both the FERC market participation technical requirements and the NERC CIP security requirements for the control systems involved. IEC 62443 security levels are applied to OT system design, providing the defense-in-depth architecture that NERC CIP and TSA directives require but do not fully specify. Anomaly detection is implemented at the control system layer — not just at the IT network perimeter — because adversaries who have penetrated the OT environment are not visible to IT-layer monitoring tools.

Energy & Utilities Compliance Assessment

A structured checklist for evaluating your AI and software vendor's readiness across the key regulatory frameworks in Energy. Free — no email required.