A leading investor-owned electric utility operating more than 800 substations and generation sites faced the April 1, 2026 NERC CIP-003-9 compliance deadline, which required documented vendor electronic remote access controls at all low-impact BES Cyber System sites.
With no standardized vendor access governance, an understaffed compliance team, and dozens of OEM vendors using VPNs, TeamViewer, or on-site visits, the utility deployed Xona Critical System Gateways (CSGs) managed through the Xona Central Manager (XCM). The result is zero direct network access: users interact with OT systems in real time, but their endpoints are never connected to the OT network. This architecture delivered full CIP-003-9 Section 6 compliance across all control areas, a reduction in vendor access time from 4+ hours to 8 minutes, zero compliance findings, and a complete rollout by a two-person team using pre-configured DIN-rail appliances requiring no network changes.
Like many large utilities, this organization operates a geographically dispersed fleet of substations and generation sites. The vast majority, over 800, are classified as low-impact BES Cyber Systems. Vendor access was informal: some vendors used corporate VPNs, others relied on TeamViewer, and many simply traveled to the site.
When NERC approved CIP-003-9 with Section 6 requirements for vendor electronic remote access at low-impact sites, the utility confronted several challenges:
Regulatory urgency: The April 1, 2026 deadline required controls for preauthorization, monitoring, logging, recording, alerting, and disabling of all vendor sessions, none of which existed at any low-impact site. A missed deadline means potential NERC violations and civil penalties up to $1 million per violation per day.
Scale: 800+ sites requiring uniform controls, many in rural locations with limited connectivity and no on-site IT staff.
No vendor access governance: No intermediate system, no session recording, no centralized logging. Vendor credentials were often shared and access was not time-limited.
Understaffed compliance team: Fewer than five dedicated staff for evidence collection, policy development, and audit preparation across all CIP standards.
40+ OEM vendors: Each requiring access to diverse OT assets including protective relays, RTUs, PLCs, substation automation systems, and SCADA servers.
The utility selected the Xona CSG as the purpose-built solution for CIP-003-9 compliance across all low-impact sites. OT protocols terminate inside the trusted network at the gateway; only encrypted pixel streams reach the vendor's browser over HTTPS 443. No direct endpoint-to-OT connectivity ever exists.
Pre-configured DIN-rail appliances, IEC 61850 and IEEE 1613 compliant, install without network reconfiguration, firewall changes, or OT asset modifications. The XCM provides a single pane of glass for policy control, identity federation, log aggregation, and reporting across all 800+ sites. Sites operate autonomously during WAN outages. Moderated approval workflows ensure no standing access, with sessions scoped to specific assets and time windows that auto-terminate on expiry.
The utility adopted a phased rollout: 10 pilot sites in weeks 1-2, approximately 100 sites per week through weeks 3-10, and full fleet coverage by week 16. The same two-person team completed the entire deployment. Average time per site was 20 minutes from hardware mount to first vendor session, with zero network changes required.
The utility achieved documented compliance with all 14 CIP-003-9 Section 6 control requirements. Vendor access time was reduced from 4+ hours to 8 minutes through just-in-time (JIT) moderated access with browser-based connectivity. Zero compliance findings were recorded in the first internal audit post-deployment, compared to 3 findings previously.
Protocol isolation eliminated all direct endpoint-to-OT connectivity, making ransomware, malware, and lateral movement from a vendor endpoint architecturally impossible. Credential injection eliminated shared passwords, so vendors never see or handle OT asset credentials. Lockbox and Kill Button provide instant access revocation, reducing incident response time from hours to seconds.