Compliance | Carlos Mendes

NERC CIP-013 and OT Asset Monitoring: What Reliability Engineers Need to Know

CIP-013 supply chain risk management has implications for the sensors and software that touch operational technology assets. This post covers the architectural questions utility IT/OT teams typically ask when evaluating monitoring solutions. This is not legal advice.

[Figure: OT network architecture diagram showing security zones]

This post is not legal advice. NERC CIP compliance determinations are entity-specific and should be made with your compliance counsel, internal CIP compliance team, and regional entity guidance. This article addresses the architectural and procurement questions that come up during evaluation conversations, not compliance determinations.

NERC CIP-013 entered enforcement in 2020 and requires Responsible Entities to develop and implement supply chain risk management plans for industrial control system (ICS) hardware and software components used in their high and medium impact BES Cyber Systems. As condition monitoring and predictive maintenance solutions have proliferated in utility OT environments, CIP-013 evaluation has become a standard step in the procurement process for these tools — alongside the more familiar CIP-005 and CIP-007 requirements for OT network connectivity.

Reliability engineers are often pulled into these conversations even when CIP compliance is formally owned by another team. Understanding the questions the compliance team will ask — and the architectural decisions that affect the answers — helps move evaluation conversations forward more efficiently.

CIP-013 Scope: What It Does and Does Not Cover

CIP-013 applies to supply chain risk management for BES Cyber System components. The key scoping question for a condition monitoring deployment is whether the monitoring solution — its software, its network nodes, its hardware gateways — meets the definition of a BES Cyber System component under NERC's CIP definitions. This is not a question with a universal answer; it depends on the specific BES Cyber System assets involved, the connectivity architecture of the monitoring deployment, and your entity's asset categorization.

Distribution-level assets — distribution transformers, line reclosers, step voltage regulators — are generally categorized as Distribution Provider assets rather than Transmission Owner or Transmission Operator assets for CIP applicability purposes. NERC's CIP standards apply to Transmission Owner, Transmission Operator, and certain other functional entity types, with applicability to distribution assets significantly more limited than transmission assets. Most distribution-level monitoring deployments do not involve BES Cyber Systems in the CIP sense.

However, the connection pathways matter. If the condition monitoring platform connects, even indirectly, to a substation network segment that includes CIP-relevant BES Cyber System assets (transmission-level substation controls, protection relays on high-voltage equipment), the architecture requires careful review. The monitoring platform itself may be treated as a system with physical or logical access to BES Cyber Systems, triggering access management and supply chain requirements regardless of what assets the monitoring is actually watching.

The Questions Your CIP Team Will Ask

In practice, when Fieldiq's customer teams work through the OT security review process with utility compliance teams, the questions cluster into four categories:

1. Electronic Security Perimeter Connectivity

Does the monitoring software reside within an established Electronic Security Perimeter (ESP), or outside? If inside an ESP, CIP-005 interactive remote access requirements and CIP-007 system security management requirements apply to the monitoring platform. Most condition monitoring deployments are architected outside the ESP — the monitoring platform receives data from field gateways via encrypted cloud connection rather than being installed within the CIP-protected network segment. This architecture is easier to deploy and cleaner from a CIP perspective, provided the data pathway from field assets to the monitoring platform does not traverse BES Cyber System network segments.

2. Third-Party Software Components

CIP-013 requires risk identification and management for software obtained from third parties, including updates and patches. The relevant questions for a SaaS monitoring platform are: what is the software update process, how are updates tested and validated before deployment, and what notification does the utility receive of software changes that could affect the ICS-adjacent connectivity? These are legitimate procurement questions regardless of CIP applicability, and monitoring vendors should be able to answer them with documented procedures rather than general reassurances.

3. Hardware Gateway Provenance

CIP-013 specifically addresses hardware supply chain risks, including the risk of counterfeit hardware. For condition monitoring deployments that involve physical gateway devices installed at field locations, the compliance team will want to understand the hardware manufacturer, country of origin, and whether there are documented hardware integrity verification procedures. This is primarily a procurement and vendor qualification question, not an ongoing operational question, but it needs to be addressed during vendor selection.

4. Vendor Remote Access

Does the monitoring software vendor have any remote access capability into the utility's network? CIP-005 has specific requirements for Interactive Remote Access into BES Cyber Systems. For condition monitoring platforms that operate in a cloud SaaS model with no remote access into the utility's network segment — where the utility's field gateways initiate outbound connections to the platform rather than the platform initiating inbound connections — the remote access question is generally more manageable. Architectures where the vendor maintains SSH or VPN access into the utility's OT network for troubleshooting purposes carry more CIP exposure.

Fieldiq's Architectural Position

Fieldiq is designed with NERC CIP operational technology controls in mind. Concretely, this means the platform architecture is built around outbound-only data flows from field gateways to the cloud-hosted analytics platform — no inbound network connections from Fieldiq infrastructure to utility network segments. Field gateways communicate over encrypted cellular (TLS 1.3) and do not require firewall rule additions for inbound traffic. The platform does not require installation of any software within utility OT network segments for the standard deployment pattern.

We are not NERC CIP certified — CIP certification is an entity-level compliance determination, not a product certification. What we can provide during the procurement review process is architectural documentation, data flow diagrams, penetration test reports, and documented software update procedures that give your compliance team the information they need to make their own determinations.

Practical Advice for the Evaluation Process

If you are an asset reliability engineer driving a condition monitoring evaluation and you know your CIP compliance team will be involved in the review, the most useful thing you can do early in the process is request architectural documentation from the monitoring vendor before the compliance review begins. Specifically: a network data flow diagram showing all connectivity pathways, the data residency and encryption documentation, and the vendor's CIP-013 supply chain questionnaire responses if they have one prepared.

Coming to the CIP review meeting with vendor documentation in hand significantly reduces the review cycle time. The compliance team is not trying to block the procurement — they are trying to make an informed determination about scope and controls, and they can do that more quickly with documented information than with verbal descriptions from a vendor sales cycle.

The architectural question that most commonly delays distribution-level monitoring deployments in the CIP review process is not usually CIP-013 supply chain — it is the network connectivity architecture and whether it requires modifications to existing ESP boundary rules. Getting that diagram in front of the networking and compliance teams early, before the procurement decision is made, avoids the scenario where a deployment is approved on technical and business grounds and then stalls for months in the security review process.
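As an added example (not Fieldiq's code, nor any utility's actual review tooling), here is a small Python screen that runs the flow table from a vendor's network data flow diagram against the four review questions above and the outbound-only position described earlier: it flags vendor-initiated inbound connections, interactive remote access from the vendor side, flows that touch an ESP segment, and utility-to-vendor traffic not carried over TLS 1.3. The zone names, rule identifiers and both sample inventories are constructed for illustration and are assumptions of this example, not values from the post.

```python
"""Screen a vendor's network data-flow inventory against the review questions
a CIP evaluation raises: vendor-initiated inbound connections (CIP-005 remote
access), interactive vendor access, flows touching an ESP segment, and
utility-to-vendor traffic not carried over TLS 1.3."""
from dataclasses import dataclass
from typing import List

# Zone labels are constructed for this example; a real inventory would carry the
# zone names from the utility's own network data-flow diagram.
UTILITY_ZONES = {"field_gateways", "corporate_it", "substation_esp"}
ESP_ZONES = {"substation_esp"}            # Electronic Security Perimeter segments
VENDOR_ZONES = {"vendor_cloud"}
INTERACTIVE_PROTOCOLS = {"ssh", "rdp", "vpn"}
ACCEPTED_TRANSPORT = {"TLS1.3"}           # the gateway transport the post describes


@dataclass(frozen=True)
class Flow:
    initiator: str    # zone that opens the connection
    responder: str    # zone that accepts it
    protocol: str     # application protocol: "https", "mqtt", "ssh", ...
    port: int
    transport: str    # "TLS1.3", "TLS1.2", "SSH" or "none"
    purpose: str


@dataclass(frozen=True)
class Finding:
    rule: str
    flow: Flow
    detail: str


def review_flows(flows: List[Flow]) -> List[Finding]:
    """Return one Finding per (flow, rule) pair that needs review; [] means clean."""
    findings: List[Finding] = []
    for f in flows:
        vendor_in = f.initiator in VENDOR_ZONES and f.responder in UTILITY_ZONES
        utility_out = f.initiator in UTILITY_ZONES and f.responder in VENDOR_ZONES
        if vendor_in:
            findings.append(Finding("INBOUND", f,
                "vendor-initiated connection into a utility zone: needs an inbound "
                "firewall rule and raises the CIP-005 remote access question"))
        if vendor_in and f.protocol in INTERACTIVE_PROTOCOLS:
            findings.append(Finding("INTERACTIVE_ACCESS", f,
                "interactive remote access from the vendor side"))
        if f.initiator in ESP_ZONES or f.responder in ESP_ZONES:
            findings.append(Finding("ESP_BOUNDARY", f,
                "flow touches an ESP segment; existing ESP boundary rules must be reviewed"))
        if (vendor_in or utility_out) and f.transport not in ACCEPTED_TRANSPORT:
            findings.append(Finding("WEAK_TRANSPORT", f,
                f"utility/vendor traffic carried over {f.transport}, not TLS 1.3"))
    return findings


def is_outbound_only(flows: List[Flow]) -> bool:
    """True when every utility/vendor flow is opened from the utility side."""
    return not any(f.initiator in VENDOR_ZONES and f.responder in UTILITY_ZONES
                   for f in flows)


def rule_names(flows: List[Flow]) -> List[str]:
    """Rule identifiers in finding order, convenient for a review summary."""
    return [fd.rule for fd in review_flows(flows)]


# Constructed sample inventories, not taken from any real vendor submission.
# A: the pattern the post describes -- gateways dial out, nothing dials in.
OUTBOUND_ONLY_INVENTORY = [
    Flow("field_gateways", "vendor_cloud", "mqtt", 8883, "TLS1.3", "telemetry upload"),
    Flow("field_gateways", "vendor_cloud", "https", 443, "TLS1.3", "gateway config fetch"),
    Flow("corporate_it", "vendor_cloud", "https", 443, "TLS1.3", "engineer web UI"),
]

# B: the same inventory plus two flows a review would stop on.
REVIEW_ITEMS_INVENTORY = OUTBOUND_ONLY_INVENTORY + [
    Flow("vendor_cloud", "field_gateways", "ssh", 22, "SSH", "vendor troubleshooting"),
    Flow("substation_esp", "vendor_cloud", "https", 443, "TLS1.2", "relay event export"),
]

if __name__ == "__main__":
    for name, inv in (("A", OUTBOUND_ONLY_INVENTORY), ("B", REVIEW_ITEMS_INVENTORY)):
        print(f"inventory {name}: outbound-only={is_outbound_only(inv)}")
        for fd in review_flows(inv):
            print(f"  [{fd.rule}] {fd.flow.initiator}->{fd.flow.responder} "
                  f"{fd.flow.protocol}/{fd.flow.port}: {fd.detail}")
```

An empty finding list is the state the post describes: outbound-only, TLS 1.3, no ESP traversal. Each finding names the review question it belongs to rather than making a compliance determination; that determination still sits with the compliance team and regional entity guidance.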

The Bigger Picture

Utilities are adding more connected equipment to their distribution systems — smart meters, DER monitoring nodes, distribution automation controllers — and the supply chain and connectivity security questions that come with each new category of connected device are accumulating. A condition monitoring platform is one more item in this growing connected-device inventory, and the review process it goes through is the same process that every connected device will increasingly face.

The practical implication for reliability engineers: building familiarity with the CIP scoping questions and the connectivity architecture requirements for OT-adjacent software is increasingly part of the job, not just a compliance team concern. The engineers who can bridge the technical architecture questions and the reliability engineering requirements will drive faster procurement cycles and more successful deployments.