Utility Grid Software Supply Chain in 2026

NERC CIP-013, expanded CIP-010 expectations, and the post-Colonial Pipeline regulatory tightening have changed what utilities must demand from their software vendors. Here is the 2026 baseline.

Aisha Rahman
Compliance Lead

Utilities operate under a supply chain regulatory regime that predates most others, and the practical sophistication has grown substantially since CIP-013 took effect in 2020. The 2024 incidents at several mid-sized utilities, including the spear-phishing campaign that reached operational planning systems at a Western US utility, made it clear that supply chain risk for the bulk electric system is not theoretical. The 2026 baseline reflects both the regulatory tightening and the lessons from those incidents.

This post is about what utilities should actually require from their software vendors in 2026, with attention to the gap between CIP audit expectations and operational reality.

What does NERC CIP-013 actually require in 2026?

CIP-013 requires registered entities to implement supply chain cyber risk management plans covering procurement of BES Cyber Systems, with documented controls around vendor identification, risk assessment, and incident notification. The standard has been in force long enough that the audit expectations have stabilized, and the regulator has been clear in supervisory feedback about what counts as evidence. The 2026 enforcement focus has been on plan implementation maturity, not plan existence.

The practical implication is that utilities need to demonstrate live execution of their CIP-013 plan, not just documented procedures. Audit findings in 2024 and 2025 frequently cited gaps between documented vendor risk assessment criteria and the actual evidence of assessments performed, particularly for medium-impact assets where attention has historically been thinner than for high-impact BES Cyber Systems. The 2026 baseline includes maintained vendor inventories, dated assessment records, and demonstrable use of the assessment outputs in procurement decisions.

How have CIP-010 expectations evolved?

CIP-010 covers configuration change management and vulnerability assessments, and the practical expectations in 2026 are tighter than they were three years ago. Auditors increasingly expect vulnerability assessments to be informed by component-level inventory, which in practice means SBOM-grounded analysis rather than vendor-attestation alone. The shift is driven partly by regulator awareness of the limits of vendor self-attestation, and partly by high-profile vulnerabilities like the Log4j incident that were missed by vendor-attestation workflows.

The 2026 baseline is to maintain component inventory for all BES Cyber Systems in scope, mapped to vulnerability feeds, with documented cadence for review. The practical workflow involves ingesting vendor SBOMs where available, generating component inventory through passive analysis where SBOMs are not available, and producing the inventory in a format that supports auditor review. Several utilities that moved to this model in 2024 and 2025 have reported smoother audits and faster identification of high-leverage vulnerabilities in their environments.

Which threats have actually targeted grid environments recently?

The grid threat landscape in 2026 is dominated by reconnaissance activity, with confirmed targeting of operational technology environments by state-aligned actors documented in joint CISA and DOE advisories through 2024 and 2025. The Volt Typhoon activity attributed to PRC-aligned actors, with confirmed access to multiple US utility environments, has reshaped the threat model from "ransomware affecting business systems" to "pre-positioning for potential disruptive operations." The 2024 advisory on Volt Typhoon-style activity at additional utilities reinforced the pattern.

The practical implication is that utility supply chain expectations need to account for sophisticated, patient adversaries with specific interest in OT environments. This is different from the commercial threat model, where opportunistic actors dominate. The 2026 baseline for vendor risk assessment includes specific attention to vendor exposure in environments that have themselves been targeted, and to vendor remote access tooling that has been identified as a recurring attack path.

What does the SBOM workflow look like for OT vendors?

OT vendor SBOM workflows in 2026 are more mature than they were two years ago, but coverage remains uneven. The large EMS and SCADA vendors broadly support SBOM delivery for new releases, with format support for SPDX or CycloneDX. The long tail of specialized vendors, particularly in protection and control, often does not have SBOM capability, and utilities have had to accept attestation-based controls for those vendors while requiring SBOM capability as a forward-looking contract requirement.

The harder problem is matching OT SBOMs against vulnerability feeds. The OT-specific component ecosystem includes firmware versions, vendor-specific libraries, and legacy components that do not consistently appear in NVD. Utilities that rely solely on NVD for OT vulnerability monitoring miss material risk. The 2026 baseline includes pulling from OT-specialized vulnerability feeds in addition to NVD, with explicit attention to the BES Cyber Asset categories where component-level visibility is required for CIP-010 evidence.
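As an added illustration of the inventory-and-matching step described above (example code written for this post, not Safeguard's implementation), the Python below flattens a CycloneDX SBOM, merges it with passive-inventory results for a legacy asset, and matches every component against both a generic NVD-style feed and an OT-specialized feed. The SBOM contents, purls, feed entries and advisory identifiers are constructed placeholders; the point is that the record shows which feed produced each finding, so an NVD-only blind spot on firmware is visible in the audit evidence.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical EMS release (sample data,
# not from any real vendor); purls are placeholders.
VENDOR_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
]})

# Constructed passive-inventory result for a legacy relay with no vendor SBOM.
PASSIVE_INVENTORY = [{"type": "firmware", "name": "relay-fw", "version": "4.2.1",
                      "purl": "pkg:generic/examplevendor/relay-fw@4.2.1"}]

# Constructed feeds keyed by purl. "nvd" stands in for a generic feed; "ot" for an
# OT-specialised feed that also tracks firmware. Advisory IDs are placeholders.
FEEDS = {
    "nvd": {"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": ["CVE-EXAMPLE-0001"]},
    "ot": {"pkg:generic/examplevendor/relay-fw@4.2.1": ["OT-ADV-EXAMPLE-0001"]},
}

def sbom_components(sbom_json, source):
    """Flatten a CycloneDX JSON document into inventory rows tagged with provenance."""
    doc = json.loads(sbom_json)
    return [dict(c, source=source) for c in doc.get("components", [])]

def assess(inventory, feeds, assessed_on):
    """Match every component against every feed and keep a dated, auditable record
    of which feed produced each finding, so NVD-only blind spots are visible."""
    rows = []
    for comp in inventory:
        hits = {name: feed.get(comp["purl"], []) for name, feed in feeds.items()}
        rows.append({**comp, "assessed_on": assessed_on.isoformat(),
                     "findings": sorted(v for ids in hits.values() for v in ids),
                     "feeds_hit": sorted(n for n, ids in hits.items() if ids),
                     "nvd_only_would_miss": bool(hits.get("ot")) and not hits.get("nvd")})
    return rows

def build_report(assessed_on=date(2026, 1, 15)):
    """Combine vendor-SBOM and passive-inventory components into one assessed inventory."""
    inventory = sbom_components(VENDOR_SBOM, "vendor-sbom")
    inventory += [dict(c, source="passive-inventory") for c in PASSIVE_INVENTORY]
    return assess(inventory, FEEDS, assessed_on)

def needs_action(report):
    """Return the purls an OT team must act on, i.e. those with at least one finding."""
    return [r["purl"] for r in report if r["findings"]]
```

Dumping `build_report()` as JSON gives a dated, per-component record with its provenance (vendor SBOM or passive inventory) and the feeds that flagged it, which is the shape of evidence CIP-010 reviewers ask for.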

How do you handle vendor remote access in BES environments?

Vendor remote access into BES Cyber Systems is one of the highest-leverage supply chain risks, and the CIP-005 expectations around interactive remote access have tightened with time. The 2026 baseline is brokered, multi-factor authenticated, time-limited remote access through a defined intermediate system, with no persistent vendor connectivity and no vendor-installed remote-access tools running unsupervised. The CIP-005 requirements have always pointed in this direction, but the operational implementation has matured enough that this is now achievable without disrupting vendor support workflows.

The procurement implication is that vendor contracts need to specify the access architecture before equipment installation, not as a retrofit. Several utilities in 2024 and 2025 found themselves negotiating compensating controls for legacy vendor connectivity because the original procurement contracts assumed always-on access. The 2026 baseline includes standardized remote-access language in vendor contracts for any equipment that will reach in-scope BES Cyber Systems.

How Safeguard Helps

Safeguard ingests SBOMs from your EMS, SCADA, and protection vendor portfolio, combining them with passive-inventory data for legacy assets, and maps the combined inventory against NVD and OT-specialized vulnerability feeds. Griffin AI surfaces emerging grid-targeting threat activity and correlates it with your specific component exposure, including the remote-access products and recurring attack paths flagged by CISA. TPRM scoring captures vendor incident history and patching cadence, supporting CIP-013 plan evidence. Policy gates enforce SBOM delivery in vendor contract reviews, and reachability analysis filters CVE noise so OT teams can focus on the small set of issues that actually expose BES Cyber Systems to exploitation.
