In the November issue of Cyber Defense Magazine, Zentera CEO Dr. Jaushin Lee published a timely perspective on why traditional perimeter-centric controls no longer meet the realities of modern critical infrastructure risk. With permission from CDM, we’re sharing an excerpt below.
Adversaries like these are no longer relying on malware that triggers alarms. Instead, they’re leveraging stealthy “living off the land” (LOL) techniques—using administrative tools, stolen credentials, and vendor access paths to blend in with legitimate network activity. These actors aren’t looking for a quick payout; they’re positioning themselves to infiltrate and persist, gathering intelligence and laying the groundwork for future disruption during geopolitical conflict.
This new class of advanced persistent threats (APTs) renders signature-based and perimeter-only defenses insufficient. Recognizing this, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards are evolving to emphasize identity-based controls, continuous monitoring, and Zero Trust frameworks. In particular, the newest standard, CIP-015, was finalized by the Federal Energy Regulatory Commission (FERC) in July 2025 and takes effect in September 2025.
This article explores how Zero Trust Architecture (ZTA) can enable utility cybersecurity teams to defend against emerging threats while maintaining alignment with evolving compliance mandates.
The Volt Typhoon threat campaign underscores a broader shift in threat actor strategy. Rather than breaching with brute force or deploying noisy malware, attackers now use legitimate administrator tools—such as PowerShell, WMI, RDP, and SMB—and stolen credentials to move laterally and silently within networks. This stealth enables long-term persistence, allowing adversaries to collect proprietary data, understand system operations, and potentially seize control in times of geopolitical tension.
This shift in technique renders traditional perimeter-based defenses and signature-based detection tools increasingly ineffective. As Volt Typhoon and similar APTs exploit vendor access paths and unmonitored internal connections, critical infrastructure operators must shift toward security architectures that continuously authenticate the identity behind all network activity, both at the edge and between internal services, while enforcing strict least-privilege access.
To respond to this evolving threat landscape, regulatory frameworks are following suit. Two of the most impactful updates include:
CIP-015-1, as adopted by FERC in July 2025, applies broadly to transmission operators, generator owners, reliability coordinators, and other entities that are responsible for the proper functioning of the electric grid. Compliance requirements roll out in phases from 2028-2030, depending on the type of equipment entities maintain.
Taken together, these updates build upon existing CIP mandates and point toward a future in which identity-centric security is no longer optional—it’s a compliance necessity.
Both are motivated by sophisticated attackers using a new breed of tactics, techniques, and procedures (TTPs): Zero Trust's principle of "never trust, always verify" aligns perfectly with NERC CIP’s direction.
The challenge? Previous compliance requirements have emphasized a perimeter defense model, leaving blind spots for any threats that happen to breach the perimeter. Zero Trust initiatives solve this by making access inside the perimeter visible and subjecting it to strong, identity-based policies. This proactive, Zero Trust-driven model naturally fulfills CIP-015-1 requirements, reducing or eliminating false positives compared to detection-only methods.
In fact, an organization with a mature Zero Trust posture should be able to operate normally, even if the network is compromised. This resilience is possible when critical assets—such as controls in electrical substations or business software in the data center—are properly shielded from the shared network. Zero Trust enforces access based on verified identity, role, and context. Every connection is authenticated, authorized, encrypted, and logged.
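As an added illustration (not code from the article or from Zentera's products), the following Python script applies both ideas above to a constructed connection log: a default-deny policy decision on identity, role and context for the shielded asset groups, and a continuous-monitoring check that flags one identity fanning out to many hosts over the administrative protocols named earlier (WMI, RDP, SMB, PowerShell remoting over WinRM). Asset groups, roles, zones and every log record are hypothetical.

```python
"""Identity-centric authorization plus a lateral-movement check over a constructed log."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PROTOCOLS = {"WMI", "RDP", "SMB", "WinRM"}  # WinRM carries PowerShell remoting

# Hypothetical policy: which role may reach which asset group, over which protocol, from which zone.
POLICY = {
    "substation-controls": {"roles": {"ot-engineer"}, "protocols": {"SSH"}, "zones": {"ot-jump"}},
    "datacenter-apps": {"roles": {"it-admin"}, "protocols": {"RDP", "WinRM"}, "zones": {"it-admin"}},
}

def authorize(conn):
    """Allow only when role, protocol and source zone all match the asset group's rule; else deny."""
    rule = POLICY.get(conn["asset_group"])
    if rule is None:
        return False  # default deny for any asset group without an explicit rule
    return (conn["role"] in rule["roles"]
            and conn["protocol"] in rule["protocols"]
            and conn["zone"] in rule["zones"])

def lateral_movement_alerts(log, window=timedelta(minutes=10), max_hosts=3):
    """Identities that reached more than max_hosts distinct hosts over admin protocols within window."""
    by_identity = defaultdict(list)
    for c in log:
        if c["protocol"] in ADMIN_PROTOCOLS:
            by_identity[c["identity"]].append((c["ts"], c["dst"]))
    alerts = set()
    for identity, events in by_identity.items():
        events.sort()  # chronological order, so each event can open a sliding window
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts.add(identity)
                break
    return alerts

def _rec(ts, identity, role, zone, dst, asset_group, protocol):
    return dict(ts=datetime.fromisoformat(ts), identity=identity, role=role, zone=zone,
                dst=dst, asset_group=asset_group, protocol=protocol)

SAMPLE_LOG = [  # constructed records: a service account sweeping substation hosts at 2 AM, then normal use
    _rec("2025-11-03T02:10:00", "svc-backup", "it-admin", "it-admin", "hmi-01", "substation-controls", "SMB"),
    _rec("2025-11-03T02:11:00", "svc-backup", "it-admin", "it-admin", "hmi-02", "substation-controls", "WMI"),
    _rec("2025-11-03T02:12:30", "svc-backup", "it-admin", "it-admin", "rtu-gw", "substation-controls", "RDP"),
    _rec("2025-11-03T02:14:00", "svc-backup", "it-admin", "it-admin", "hist-01", "substation-controls", "WinRM"),
    _rec("2025-11-03T09:00:00", "j.doe", "ot-engineer", "ot-jump", "hmi-01", "substation-controls", "SSH"),
    _rec("2025-11-03T09:30:00", "a.admin", "it-admin", "it-admin", "app-01", "datacenter-apps", "RDP"),
]
```

Every decision from `authorize` would be written to the connection log alongside the record, which is what makes the fan-out check possible after the fact.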
(...)
Read the complete article in Cyber Defense Magazine
“Expanding Zero Trust to Critical Infrastructure: Meeting Evolving Threats and NERC CIP Standards” (November 2025 issue).