
The mission of the North American Electric Reliability Corporation (NERC) and its Regional Entities (collectively the ERO Enterprise) is to promote the effective and efficient reduction of risks to the reliability and security of the electric grid by fostering collaboration among the organizations that own, operate, and utilize the bulk power system (BPS). The methods and tools that these organizations use to manage and operate the BPS are increasingly dependent on automated, computer-based systems. While these tools improve the efficiency and effectiveness of work, they also introduce security and reliability risks to the overall operation of the grid.
In the past, BPS elements were operated by authorized personnel through local control and monitoring systems. These systems have since evolved to allow personnel to manage both routine and urgent matters remotely. As a result, “authorized remote access” is no longer restricted to operators engaged in tasks specifically related to managing the BPS. Remote access has also been necessary for individuals who are responsible for maintenance on these systems.
The potential for remote access misuse is a known risk. There may also be unexpected risks to grid reliability when remote access occurs from one geographical location and crosses state or international borders into areas governed by different authorities. For example, there are cases where control of the grid is being managed from locations outside of the United States.
In 2023, NERC issued a Section 800 data request to assess cross-border remote access under NERC Rules of Procedure Sections 804 and 808.3: Section 800 Reliability Assessment Request: Access to Bulk Power System Elements. The data from that request confirmed an increase in authorized remote access to critical BPS elements from outside of the United States. This includes monitoring, control, as well as maintenance activities.
In response, NERC issued a Level 2 Alert (NERC Recommendation to Industry regarding Cross-Border Remote Access to Bulk Power System Elements) on June 17, 2025, to all registered Generator Owners (GOs) or Generator Operators (GOPs).
The contents of this alert are useful to individuals with the following responsibilities:
- Cyber Security – Control Systems
- Cyber Security – Corporate IT
- Generation Engineering
- Generation Operations
The Alert includes three recommendations, as well as a questionnaire and an accompanying data submission worksheet. The recommendations are as follows:
- Perform a review of all remote access to systems that monitor or operate BPS Elements under your organization’s operational responsibility (GOPs) or ownership (GOs) to determine whether remote connectivity originates from outside the continental United States.
- For each remote connection that originates from outside the United States, each GOP and GO should document and maintain records that include:
- Organization connected to the BPS
- Country
- Fuel type(s)
- GO(s) (NERC Compliance Registry (NCR) numbers for the GO(s) of the BPS
- Elements associated with the connection)
- Bulk Electric System (BES) MegaVolt-Amperes (MVA)
- Non-BES MVACapability
- Persistence
- Management
- Security Controls
- Each GOP and GO should review and document organizational remote access policies and procedures to ensure they specifically address risk assessment and risk management processes needed for cross-border remote access.
Responses to the questions, as well as the data submission worksheet, are due to NERC by September 15, 2025 (Midnight Eastern), through the NERC Alert System.
To view the alert please log in to the NERC Secure Alert System (https://www.nercalerts.com).
For clarification or content-related questions, contact: [email protected]
For login/account/registration issues, contact: [email protected]
By Max Desruisseaux, MRO Principal Power Systems Engineer