FERC Orders 918 & 919: Why Compliance Alone Is No Longer Enough for Critical Infrastructure Security

The energy and utilities sector is entering a new era of cyber-physical resilience.

With FERC Orders 918 and 919, regulators are signaling a fundamental shift: securing critical infrastructure can no longer rely on fragmented controls, periodic audits, or siloed security teams. Instead, utilities must rethink how they manage identity, access, workforce operations, contractors, and cyber-physical risk across increasingly distributed environments.


The question is no longer:

“Are we compliant?”

The real question is:

“Are we operationally resilient?”

The New Reality of Grid Security

Electric utilities today face unprecedented complexity.

Distributed substations, remote operations, contractors, mobile workforces, third-party vendors, virtualized infrastructure, OT systems, and cloud-connected environments are expanding the attack surface faster than traditional security models can keep up.

FERC Orders 918 and 919 recognize this reality.

These orders reinforce the need for stronger controls around:

  • Identity and access governance

  • Remote and privileged access

  • Protection of low-impact BES cyber systems

  • Security of virtualized and software-defined environments

  • Continuous monitoring and risk reduction

  • Modern security architectures, including zero trust

But here is the challenge:

Most utilities are still operating with disconnected systems.

  • Physical access lives in one platform.

  • Cyber access lives in another.

  • Contractor management exists somewhere else.

  • Compliance reporting is often manual.

  • Operational context is missing.

That fragmentation creates risk.

Why Traditional Compliance Models Are Breaking

Historically, many organizations approached NERC CIP compliance as an audit exercise.

  • Build policies. Generate reports. Prepare evidence.

  • Pass the audit.

  • Repeat.

But today’s threat landscape demands more.

A contractor badge misused at a remote substation, unauthorized after-hours access, remote OT connections without physical verification, or privileged access outside approved maintenance windows can create operational and security risks that compliance reports alone cannot prevent.

The future of compliance is not periodic.

It is continuous, contextual, and operational.

The Missing Piece: Cyber + Physical + Workforce Convergence

To truly address the intent behind FERC Orders 918 and 919, utilities must move beyond siloed security.

They need a unified operational model that connects:

1. Identity

Who is accessing systems, facilities, and critical assets?

2. Workforce Operations

Are employees, contractors, and vendors authorized, trained, certified, and approved for specific work?

3. Physical Security

Who entered a site, when, and why?

4. Logical Access

Who accessed OT, SCADA, remote systems, or privileged applications?

5. Operational Context

Was the access tied to a valid work order, approved maintenance window, or operational requirement?

6. Continuous Risk Monitoring

Are abnormal patterns, policy violations, or insider risks being detected proactively?

This is where cyber-physical convergence becomes essential.

Why Utilities Need Operational Zero Trust

Zero trust is often discussed as a network concept.

But for critical infrastructure, operational zero trust matters even more.

Utilities must answer questions like:

  • Is the right person accessing the right facility?

  • Are they authorized for this task?

  • Is the timing expected?

  • Is the access aligned to operational approvals?

  • Does physical presence match remote system access?

  • Are contractor certifications current?

  • Is there unusual behavior that requires escalation?

Security should not rely on static permissions.

It must be dynamic, contextual, and risk-aware.
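
The questions above can be evaluated as one contextual check per session. The sketch below is an added example, not code from the original article or from any vendor product; all records, field names, identifiers, and the four-hour presence window are constructed assumptions, and each session is assumed to be a login from the named site's local OT network.

```python
from datetime import datetime, timedelta

# Constructed sample records; every name and value here is hypothetical.
WORK_ORDERS = [
    {"id": "WO-1001", "person": "c.rivera", "site": "SUB-14",
     "start": datetime(2025, 3, 4, 8, 0), "end": datetime(2025, 3, 4, 16, 0)},
]
CERT_EXPIRY = {"c.rivera": datetime(2025, 6, 30), "j.okafor": datetime(2025, 1, 15)}
BADGE_EVENTS = [  # entries from the physical access control log
    {"person": "c.rivera", "site": "SUB-14", "time": datetime(2025, 3, 4, 8, 12)},
]
PRESENCE_WINDOW = timedelta(hours=4)  # assumed policy: badge-in at most 4h before login


def evaluate_session(session):
    """Return the policy exceptions for one OT/SCADA login; an empty list means none."""
    person, site, t = session["person"], session["site"], session["time"]
    findings = []
    # Is the access aligned to operational approvals, and is the timing expected?
    approved = [w for w in WORK_ORDERS if w["person"] == person and w["site"] == site]
    if not approved:
        findings.append("no_work_order")
    elif not any(w["start"] <= t <= w["end"] for w in approved):
        findings.append("outside_maintenance_window")
    # Are certifications current at the time of access? Unknown people fail closed.
    expiry = CERT_EXPIRY.get(person)
    if expiry is None or expiry < t:
        findings.append("certification_not_current")
    # Does physical presence match system access? Require a recent badge-in at the site.
    seen = any(b["person"] == person and b["site"] == site
               and timedelta(0) <= t - b["time"] <= PRESENCE_WINDOW
               for b in BADGE_EVENTS)
    if not seen:
        findings.append("no_matching_badge_event")
    return findings


SESSIONS = [  # constructed logins
    {"person": "c.rivera", "site": "SUB-14", "time": datetime(2025, 3, 4, 9, 30)},
    {"person": "c.rivera", "site": "SUB-14", "time": datetime(2025, 3, 4, 23, 5)},
    {"person": "j.okafor", "site": "SUB-09", "time": datetime(2025, 3, 4, 10, 0)},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["person"], s["time"], evaluate_session(s) or "ok")
```

The second login shows why static permissions fall short: the same person with the same work order is flagged once the session falls outside the approved window and no recent badge entry supports it.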

From Audit Readiness to Continuous Compliance

One of the biggest burdens for utilities is audit preparation.

Gathering evidence across disconnected systems consumes enormous time and resources.

The next generation of security platforms will shift utilities toward:

Always-on compliance

Instead of chasing documentation, organizations should continuously automate:

  • Workforce entitlement validation

  • Contractor compliance

  • Temporary access governance

  • Visitor and vendor chain-of-custody

  • Access certifications

  • Exception management

  • Audit evidence collection

The goal should be simple:

Always audit-ready.

The Contractor Risk Challenge

Contractors and third-party service providers represent one of the largest operational and cyber risks in critical infrastructure.

Yet many organizations still manage contractor access manually or through disconnected workflows.

For modern utility operations, contractor access should be tied to:

  • Training completion

  • Safety certifications

  • Background checks

  • Work orders

  • Supervisor approvals

  • Time-based access policies

  • Location awareness

  • Maintenance schedules

Security and operations must work together—not independently.

The Path Forward

FERC Orders 918 and 919 are more than regulatory updates.

They represent a broader transformation in how utilities think about resilience.

The organizations that succeed will move beyond fragmented tools and compliance checklists toward a more integrated operational model, one that converges cyber security, physical security, workforce identity, contractor governance, and operational workflows into a unified system of trust.

At Splan, we believe the future of critical infrastructure security lies in cyber-physical operational intelligence, where identity becomes the control plane for resilience, compliance becomes continuous, and AI-driven insights help organizations predict and mitigate risk before incidents occur.

Because in today’s environment, compliance is only the starting point.

Operational Resilience is the Destination.

Cyber-Physical Threat Detection, Prediction & Automated Remediation is the Future.

FAQs

FERC Orders 918 and 919 are regulatory updates focused on strengthening cybersecurity, operational resilience, and critical infrastructure protection for the energy and utilities sector.

These orders help utilities improve SCADA security, OT security, remote access governance, and continuous compliance monitoring to reduce cyber-physical risks.

Critical infrastructure protection involves securing power grids, substations, operational technology (OT), workforce access, and cyber systems from threats and disruptions.

The orders encourage utilities to move beyond periodic audits toward continuous compliance monitoring, risk-based access controls, and operational resilience strategies.

Operational resilience is the ability of utilities to maintain secure and reliable operations during cyber threats, physical incidents, or system disruptions.

SCADA systems control essential utility operations. Securing them helps prevent unauthorized access, cyberattacks, and operational disruptions across the grid.

Cyber-physical security connects physical security, identity management, workforce operations, and cybersecurity into a unified risk management approach.

Contractors often require access to sensitive facilities and systems. Proper governance ensures access is authorized, time-based, compliant, and continuously monitored.

Continuous compliance monitoring automates security checks, access governance, audit evidence collection, and risk detection to keep utilities always audit-ready.