ELECTRIC UTILITIES

The Architecture NERC CIP-005-7 Requires

NERC CIP-005-7 requires an Intermediate System for all Interactive Remote Access (IRA) to applicable BES Cyber Systems, for internal operators and external vendors alike. The Xona Critical System Gateway (CSG) is that system.
Protocol isolation terminates every supported OT protocol at the gateway boundary. Vendors see a browser. Your substation SCADA sees nothing of the external network.

Customers: Baker Hughes, GE Vernova, AltaGas, Aluar, Mitsubishi

Frameworks and certifications: NERC CIP-005-7, CIP-007, CIP-003-9, SOC 2 Type II, KuppingerCole Leader 2025

  • 20 min: deployment per substation
  • 40+: countries deployed
  • R2 + R3: NERC CIP coverage
  • SOC 2: Type II certified

Your NERC CIP Auditor Is Looking at Vendor Remote Access

The SANS Institute 2025 OT cybersecurity survey found remote access vulnerabilities among the top risk vectors across critical infrastructure operators. NERC CIP auditors are following that data.
Your auditor asks: "Show me your Intermediate System for vendor Interactive Remote Access." You show them the VPN. The auditor reviews the logs. The vendor authenticated. The session was encrypted. But the Intermediate System requirement is not about encryption. It is about isolation.
CIP-005-7 R2 Part 2.1 requires that, for all Interactive Remote Access (IRA) to applicable BES Cyber Systems, the Cyber Asset initiating the session does not directly access the asset: it goes through an Intermediate System, for internal operators and external vendors alike. The user interacts with the Intermediate System. The Intermediate System interacts with the asset. No one touches the substation SCADA directly.
A VPN does not do this. A VPN creates an encrypted tunnel into your network. Vendors with VPN access have network access. They can reach assets outside the maintenance scope.

This is not an encryption problem. It is an architecture problem.

Five Capabilities. One Architecture.

The CSG is the Intermediate System CIP-005-7 describes. Every capability maps directly to a compliance requirement.

Protocol Isolation

The CSG terminates Modbus, DNP3, IEC 61850, Telnet, VNC, HTTP/HTTPS, RDP, SSH, and the other protocols listed under Technical Specifications at the gateway boundary. No protocol data crosses to the user side; the vendor receives a rendered browser session. In a Wireshark capture on the vendor laptop there are no OT protocol packets, only the HTTPS session to the gateway.

Result

Satisfies the CIP-005-7 R2 Part 2.1 Intermediate System requirement and closes the lateral movement pathway that a jump host with a routed path into the OT network leaves open.

Identity-Driven Access

Every vendor session requires MFA at the boundary before asset access begins. Access is time-limited and asset-scoped. No standing network credentials. No persistent VPN tunnels.

Result

CIP-005-7 R2 Part 2.3 multi-factor authentication, enforced at the boundary for every IRA session.

Session Recording & Audit

The CSG records every session. Xona Centralizer aggregates and indexes recordings from every connected substation, with timestamps, user attribution, and asset-specific detail. What previously required manually aggregating logs from 35 substations for six weeks is now a report pull.

Result

Centralized governance across every connected substation.
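As an added example (not Xona code, and not a description of Centralizer's report format), the check below runs the kind of report pull described above over a constructed set of session records: each record is tested for MFA, administrator approval, an asset inside the vendor's granted scope, a start time inside the approved window, and a stored recording, and any session without an end time is listed as active, which is what CIP-005-7 R2 Part 2.4 asks you to be able to determine. The record fields, the policy structure, the user and asset names, and the log lines are all assumptions constructed for illustration.

```python
"""Audit vendor remote-access session records against an access policy.
Added example, not Xona code. Record fields, policy layout and all log
lines are constructed for illustration."""
import json
from datetime import datetime

# Constructed session records, one JSON object per line (fields assumed).
SESSION_LOG = """\
{"id": "s-1001", "substation": "SUB-ALPHA", "user": "acme/j.smith", "asset": "SUB-ALPHA/RTU-01", "mfa": true, "approved_by": "ops.admin", "start": "2025-06-03T09:12:00Z", "end": "2025-06-03T09:58:00Z", "recording_id": "rec-1001"}
{"id": "s-1002", "substation": "SUB-ALPHA", "user": "acme/j.smith", "asset": "SUB-ALPHA/BREAKER-CTRL-02", "mfa": true, "approved_by": "ops.admin", "start": "2025-06-03T10:05:00Z", "end": "2025-06-03T10:20:00Z", "recording_id": "rec-1002"}
{"id": "s-1003", "substation": "SUB-ALPHA", "user": "acme/j.smith", "asset": "SUB-ALPHA/RELAY-07", "mfa": true, "approved_by": "ops.admin", "start": "2025-06-03T18:30:00Z", "end": "2025-06-03T18:45:00Z", "recording_id": "rec-1003"}
{"id": "s-2001", "substation": "SUB-BETA", "user": "relayco/m.lee", "asset": "SUB-BETA/RTU-04", "mfa": false, "approved_by": "ops.admin", "start": "2025-06-03T07:00:00Z", "end": "2025-06-03T07:30:00Z", "recording_id": "rec-2001"}
{"id": "s-2002", "substation": "SUB-BETA", "user": "relayco/m.lee", "asset": "SUB-BETA/RTU-04", "mfa": true, "approved_by": "ops.admin", "start": "2025-06-03T08:00:00Z", "end": null, "recording_id": "rec-2002"}
{"id": "s-2003", "substation": "SUB-BETA", "user": "unknown/contractor", "asset": "SUB-BETA/RTU-04", "mfa": true, "approved_by": null, "start": "2025-06-03T12:00:00Z", "end": "2025-06-03T12:10:00Z", "recording_id": null}
"""

# Constructed access grants: which assets a vendor user may reach, and when.
POLICY = {
    "acme/j.smith": {
        "assets": {"SUB-ALPHA/RTU-01", "SUB-ALPHA/RELAY-07"},
        "window": ("2025-06-03T08:00:00Z", "2025-06-03T17:00:00Z"),
    },
    "relayco/m.lee": {
        "assets": {"SUB-BETA/RTU-04"},
        "window": ("2025-06-03T06:00:00Z", "2025-06-04T06:00:00Z"),
    },
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_session(rec: dict, policy: dict) -> list:
    """Return the list of policy findings for one session record (empty if compliant)."""
    findings = []
    grant = policy.get(rec["user"])
    if grant is None:
        findings.append("no access grant for user")
    if not rec.get("mfa"):
        findings.append("MFA not enforced (CIP-005-7 R2 Part 2.3)")
    if not rec.get("approved_by"):
        findings.append("no administrator approval recorded")
    if grant is not None:
        if rec["asset"] not in grant["assets"]:
            findings.append(f"asset {rec['asset']} outside granted scope")
        start = parse_ts(rec["start"])
        win_start, win_end = (parse_ts(t) for t in grant["window"])
        if not (win_start <= start <= win_end):
            findings.append("session started outside approved window")
    if not rec.get("recording_id"):
        findings.append("no session recording stored")
    return findings


def audit(log_text: str, policy: dict) -> dict:
    """Summarise all sessions: counts per substation, active sessions, and findings."""
    report = {"sessions": 0, "by_substation": {}, "active": [], "findings": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        report["sessions"] += 1
        site = rec["substation"]
        report["by_substation"][site] = report["by_substation"].get(site, 0) + 1
        if rec.get("end") is None:  # still open: an active vendor session (R2 Part 2.4)
            report["active"].append(rec["id"])
        for msg in check_session(rec, policy):
            report["findings"].append((rec["id"], msg))
    return report


if __name__ == "__main__":
    result = audit(SESSION_LOG, POLICY)
    print(f"{result['sessions']} sessions across {result['by_substation']}")
    print("active now:", result["active"])
    for session_id, msg in result["findings"]:
        print(f"{session_id}: {msg}")
```

On the constructed data the report lists one active session and six findings across four sessions; the one fully compliant record produces nothing, which is what an auditor wants to see for most of the log.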

Air-Gapped Deployment

The CSG operates locally at each site without a cloud dependency. Centralizer connects to your corporate network for governance. No internet uptime requirement at the substation.

Result

No VPN exposure. No cloud dependency. No concessions.

NERC CIP R2 + R3 Coverage

CIP-005-7 R3 covers vendor-initiated remote connections to EACMS and PACS: your industrial firewalls, access control servers, and physical access systems. It requires methods to determine those authenticated connections and to terminate them and control reconnection. Routing them through the same CSG gives R3 the same controls as R2. Same MFA. Same session recording. Same protocol isolation.

Result

R3 adds no new infrastructure when the CSG is your Intermediate System.

20 minutes to deploy per site

Step 1: Install the CSG at the site and register it with Centralizer. No OT topology changes. Network firewall policies may require minor updates. No new VLANs. No inbound ports opened.
Step 2: Grant scoped access. Vendors authenticate through MFA. Access is time-limited and asset-scoped.
Step 3: Documentation is automatic. Every session is recorded, timestamped, and user-attributed. CIP-003-9 documentation from day one.

Deployed by Baker Hughes and GE Vernova across 40+ sites in 40+ countries. These are not pilots. Baker Hughes standardized on Xona for third-party vendor access to remote OT infrastructure. GE Vernova uses the platform to govern secure access across energy generation and grid equipment sites globally.
Named "Leader in OT/ICS Secure Remote Access" by KuppingerCole Leadership Compass 2025

Built for Your Role

Operations Manager

  • Vendor access provisioning from days to minutes
  • Same deployment pace for low-impact and high-impact BES
  • Explicit administrator approval required before each vendor session begins

OT/ICS Security Engineer

  • Zero OT protocol packets on vendor side (Wireshark verified)
  • Session-level access replaces VPN tunnels
  • Air-gapped substations. No cloud dependency.

CISO / Security Lead

  • R2 and R3 coverage from one architecture
  • SOC 2 Type II. KuppingerCole Leader 2025.
  • Every session recorded and audit-ready

Compliance Officer

  • CIP-003-9 (effective April 1, 2026) ready with 20-minute deployment
  • Automatic compliance documentation from session data
  • R2, R3, CIP-003-9 from one platform

How Xona Compares

Xona CSG
  • Deployment time: 20 minutes per site
  • Network changes: no OT topology changes; network firewall policies may require minor updates
  • Protocol isolation: full; protocols terminate at the boundary
  • Session recording: every session, user-attributed
  • NERC CIP R2/R3: Intermediate System for R2; the same session controls for R3
  • Air-gap support: on-premises, no cloud required
  • Legacy system support: Modbus, DNP3, IEC 61850, Telnet, VNC, HTTP/HTTPS, RDP, SSH
  • Vendor access control: MFA, time-limited, asset-scoped, approval gate

Traditional VPN
  • Deployment time: days to weeks
  • Network changes: firewall rules, VLANs
  • Protocol isolation: none; the tunnel carries all traffic
  • Session recording: IP-level logs only
  • NERC CIP R2/R3: not an Intermediate System
  • Air-gap support: requires a network path
  • Legacy system support: protocol-agnostic tunnel
  • Vendor access control: network-level access

Cloud ZTNA
  • Deployment time: hours to days
  • Network changes: cloud connector configuration
  • Protocol isolation: partial; cloud relay
  • Session recording: varies; often cloud-stored
  • NERC CIP R2/R3: cloud dependency works against the Intermediate System case
  • Air-gap support: requires cloud connectivity
  • Legacy system support: web-app focused
  • Vendor access control: identity-based, cloud-dependent

Jump Server
  • Deployment time: days to weeks
  • Network changes: network segmentation
  • Protocol isolation: none; direct session
  • Session recording: screen recording add-on
  • NERC CIP R2/R3: manual audit assembly
  • Air-gap support: requires a network path
  • Legacy system support: RDP/SSH only
  • Vendor access control: shared credentials common

NERC CIP Compliance Mapping

NERC CIP-005-7 defines the architecture for all Interactive Remote Access to BES Cyber Systems. The CSG implements that architecture directly.

CIP-005-7 R2 Part 2.1
  • Control: Intermediate System for all IRA, so the initiating Cyber Asset never directly accesses the applicable BES Cyber System
  • Xona architecture: the CSG is the Intermediate System. Protocol isolation, MFA, session logging.

CIP-005-7 R2 Part 2.2
  • Control: encryption for all IRA sessions, terminating at the Intermediate System
  • Xona architecture: TLS-encrypted session terminating at the CSG.

CIP-005-7 R2 Part 2.3
  • Control: multi-factor authentication for all IRA sessions
  • Xona architecture: MFA enforced at the boundary before asset access begins; at Centralizer if Centralizer is deployed, at the CSG if it is not.

CIP-005-7 R2 Parts 2.4 and 2.5
  • Control: methods to determine active vendor remote access sessions and to disable them
  • Xona architecture: every session visible and recorded in Centralizer, with real-time logs; sessions are time-limited and approval-gated.

CIP-005-7 R3
  • Control: methods to determine authenticated vendor-initiated remote connections to EACMS and PACS, and to terminate them and control reconnection
  • Xona architecture: the same CSG and Centralizer session controls. R3 adds no new infrastructure requirements.

CIP-007 R5
  • Control: system access controls (security event logging itself is CIP-007 R4)
  • Xona architecture: role-based access, centralized Centralizer audit log.

CIP-003-9
  • Control: vendor electronic remote access security controls for low impact BES Cyber Systems (Attachment 1, Section 6)
  • Xona architecture: vendor access policies, session recording, access attestation across all asset tiers.

CIP-003-9: April 1, 2026 Is a Hard Deadline

CIP-003-9 extends vendor remote access controls to low impact BES Cyber Systems. Attachment 1, Section 6 requires methods to determine vendor electronic remote access, to disable it, and to detect known or suspected malicious communications. It is effective April 1, 2026.

If your utility has addressed high and medium impact BES Cyber Systems but has not applied documented vendor access controls to low impact distribution feeders and smaller transmission assets, April 2026 is approaching fast.

Xona deploys at the same 20-minute pace for low impact distribution assets as for high impact transmission substations. The architecture is the same and the audit documentation is automatic, so a CIP-003-9 compliance sprint is a deployment operation, not an architecture project.
International context: EU Transmission System Operators face equivalent requirements under the EU Network Code on Cybersecurity (NCCS), Article 33.

Technical Specifications

System Requirements
  • On-premises appliance or VM
  • Air-gapped deployment supported
  • No cloud dependency
  • Centralizer for multi-site governance

Security Features
  • SOC 2 Type II certified
  • MFA at boundary
  • CSG session recordings via Centralizer
  • Role-based access control
  • Protocol isolation at boundary

Supported Protocols
  • Modbus
  • DNP3
  • IEC 61850
  • IEC 61968/61970
  • Telnet, VNC, HTTP/HTTPS, RDP, SSH

Performance
  • 20-minute deployment
  • No OT topology changes
  • Outbound-only communication
  • No inbound ports opened

FAQ

Does Xona replace our existing network segmentation and industrial firewalls?

No. The platform controls who accesses what, when, with a complete audit trail. Your network segmentation and industrial firewalls remain in place. Session isolation and protocol termination layer on top of your existing network perimeter.

What does "protocol isolation" mean for a CIP audit?

The CSG terminates OT protocols at the gateway. No Modbus, DNP3, IEC 61850, Telnet, VNC, or HTTP/HTTPS protocol data reaches the vendor side of the session: the vendor sees a browser interface, and a Wireshark capture on the vendor laptop shows no OT protocol packets. That satisfies the CIP-005-7 R2 Part 2.1 Intermediate System requirement and goes further. A compliant jump host meets the standard while still giving the user a host with a network path into the OT segment; protocol termination at the boundary removes that lateral movement pathway.
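The "Wireshark verified" claim made in the Protocol Isolation section and restated in this answer is something an auditor can ask you to reproduce. The script below is an added example, not Xona code: it turns that claim into a repeatable check over the frames captured on the vendor-side segment, flagging Modbus/TCP, DNP3, IEC 61850, Telnet, VNC, RDP or SSH by payload signature as well as by well-known port, so a protocol moved to a non-standard port still shows up. The gateway address, the packet records and the payload bytes are constructed for illustration; in practice you would feed it the fields exported from a real capture.

```python
"""Check a vendor-side packet capture for OT and remote-management traffic.
Added example, not Xona code. Addresses, packets and payloads are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Well-known TCP ports for the protocols named on this page. IEC 61850 MMS rides on
# ISO-over-TCP (port 102); GOOSE and Sampled Values are layer-2 and appear as EtherTypes.
OT_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "IEC 61850 MMS (ISO-TSAP)",
    23: "Telnet",
    5900: "VNC",
    3389: "RDP",
    22: "SSH",
}
OT_ETHERTYPES = {0x88B8: "IEC 61850 GOOSE", 0x88BA: "IEC 61850 Sampled Values"}
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}


@dataclass
class Packet:
    """Minimal view of one captured frame (the fields a tshark field export would give)."""
    src: str
    dst: str
    dport: int = 0
    proto: str = "tcp"
    ethertype: int = 0x0800  # IPv4
    payload: bytes = b""


def looks_like_modbus_tcp(payload: bytes) -> bool:
    """MBAP header: txn id (2), protocol id (2, always 0), length (2), unit id (1), then PDU."""
    if len(payload) < 8:
        return False
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    function = payload[7]
    return protocol_id == 0 and length == len(payload) - 6 and 1 <= function <= 127


def looks_like_dnp3(payload: bytes) -> bool:
    """DNP3 link-layer frames start with sync bytes 0x05 0x64; a full link header is 10 bytes."""
    return len(payload) >= 10 and payload[:2] == b"\x05\x64"


def classify(pkt: Packet, gateway_addrs: Set[str]) -> Optional[str]:
    """Name the OT/remote-admin protocol a packet carries, or None if it is expected traffic."""
    if pkt.ethertype in OT_ETHERTYPES:
        return OT_ETHERTYPES[pkt.ethertype]
    if pkt.proto != "tcp":
        return None
    # Payload signatures first, so a protocol moved to a non-standard port is still caught.
    if looks_like_modbus_tcp(pkt.payload):
        return "Modbus/TCP"
    if looks_like_dnp3(pkt.payload):
        return "DNP3"
    if pkt.dport in OT_PORTS:
        return OT_PORTS[pkt.dport]
    # The vendor browser legitimately speaks HTTPS to the gateway; web traffic elsewhere is a finding.
    if pkt.dport in WEB_PORTS and pkt.dst not in gateway_addrs:
        return WEB_PORTS[pkt.dport]
    return None


def audit_capture(packets: Iterable[Packet], gateway_addrs: Set[str]) -> List[str]:
    """Return one finding line per packet that should not exist on the vendor side."""
    findings = []
    for pkt in packets:
        name = classify(pkt, gateway_addrs)
        if name is not None:
            findings.append(f"{name}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return findings


# Constructed sample payloads (the DNP3 CRC bytes are placeholders, not computed).
MODBUS_READ = bytes.fromhex("00010000000601030000000a")  # Read Holding Registers, 10 registers
DNP3_FRAME = bytes.fromhex("056405c001000200abcd")       # link header + placeholder CRC
TLS_HELLO = bytes.fromhex("16030100400100003c0303")      # start of a TLS ClientHello record
TLS_DATA = b"\x17\x03\x03\x00\x40" + bytes(64)           # TLS application data record

GATEWAYS = {"192.0.2.10"}  # assumed CSG address the vendor browser is allowed to reach

# What a vendor laptop capture should look like: only HTTPS to the gateway.
VENDOR_SIDE = [
    Packet("203.0.113.5", "192.0.2.10", dport=443, payload=TLS_HELLO),
    Packet("203.0.113.5", "192.0.2.10", dport=443, payload=TLS_DATA),
]

# What the OT side of the gateway looks like; none of this may appear on the vendor side.
OT_SIDE = [
    Packet("10.20.1.5", "10.20.1.50", dport=502, payload=MODBUS_READ),
    Packet("10.20.1.5", "10.20.1.51", dport=20001, payload=DNP3_FRAME),               # DNP3, non-standard port
    Packet("10.20.1.5", "10.20.1.52", dport=102, payload=bytes.fromhex("03000016")),  # TPKT toward MMS
    Packet("10.20.1.5", "10.20.1.53", dport=23, payload=b"\xff\xfd\x18"),             # Telnet negotiation
    Packet("10.20.1.5", "10.20.1.54", dport=8080, payload=MODBUS_READ),               # Modbus behind a web port
]

if __name__ == "__main__":
    print("vendor side:", audit_capture(VENDOR_SIDE, GATEWAYS) or "clean")
    for line in audit_capture(OT_SIDE, GATEWAYS):
        print("OT side:", line)
```

The signature checks matter more than the port table: the last OT-side packet is Modbus on port 8080 and would pass a port-only filter, and the DNP3 frame on port 20001 would too. A clean vendor-side result is the evidence for the audit; a single finding means protocol data crossed the boundary.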

How does deployment work at a remote transmission substation?

20 minutes. Install the CSG at the site, register it with Centralizer. Deployment requires no changes to OT network topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. No new VLANs. The CSG communicates outbound to Centralizer only. No inbound ports are opened.

Our substation has no reliable internet. Will Xona work?

Yes. The CSG is on-premises and does not require a live internet connection to enforce access controls or log sessions locally. Centralizer synchronizes when connectivity is available. Air-gapped deployments are a supported architecture, not an edge case.

What does Centralizer do for our audit process?

Centralized governance across every connected substation. Administrators see every session, enforce policy, and replay access recordings from one console. What previously required manually aggregating logs from 35 substations for six weeks is now a report pull. Session recordings are timestamped, user-attributed, and asset-specific.

Are we ready for CIP-003-9 in April 2026?

If your low-impact BES assets do not yet have documented vendor remote access controls, you are not ready today. Xona deploys in 20 minutes per site with the same architecture as your high-impact substations. A CIP-003-9 compliance sprint across low-impact distribution assets is an operational execution, not an infrastructure project.

How does Xona handle NERC CIP R3 for EACMS and PACS?

The same way it handles R2. Remote access to BES Cyber Systems and vendor-initiated remote connections to EACMS and PACS route through the same CSG, so the session visibility and the time-limited, approval-gated access that R3 calls for are the same controls already in place for R2: same MFA, same session recording, same protocol isolation. One platform. No additional controls or parallel infrastructure required.

What is the total cost of a CIP-005-7 compliance project with Xona versus a VPN-based approach?

A VPN-based approach requires firewall rule changes per substation, VLAN reconfiguration, ongoing credential management, manual log aggregation for audits, and compensating controls documentation for every gap the VPN does not cover. The CSG eliminates all of those line items. Deploy in 20 minutes per site. Audit documentation is automatic. The architecture satisfies R2 and R3 without compensating controls.

Stop Compensating for Your VPN. Start Satisfying CIP-005-7.

Every utility will face the same audit question: did you build the architecture CIP-005-7 describes, or did you build around it? The session record will show which.