INNOVEXUS
Solution · NERC CIP PAM

Privileged access for BES Cyber Systems. Aligned to NERC CIP. Honest about scope.

NERC CIP applies to Bulk Electric System Cyber Systems and the supporting infrastructure of North American electric utilities. The privileged access controls — CIP-005, CIP-007, and CIP-010 in particular — are where most utilities lose audit time. Innovexus aligns to those specific controls. We are not a full NERC CIP compliance platform. We are the privileged access piece, done well, in a way that maps cleanly to the auditable evidence the standards require.

§ 01 / The problem

NERC CIP audits don't fail on policy. They fail on evidence.

Most utilities have a written compliance programme that addresses the relevant CIP standards. The audit doesn't question the policy — it asks for the evidence. Specific evidence questions about privileged access keep showing up as findings.

/ 01

CIP-005-7 R2 requires Interactive Remote Access controls.

For high and medium impact BES Cyber Systems, every Interactive Remote Access session must terminate at an Intermediate System (jump host) rather than reaching the device directly (R2.1), be encrypted up to that Intermediate System (R2.2), and use multi-factor authentication (R2.3). The audit asks: prove every IRA session went through the Intermediate System, with MFA, attributable to a named person. Most utilities have most of this in place; few can produce the evidence for every session.

/ 02

CIP-007-6 R5 (System Access Controls) is procedurally heavy.

For each applicable BES Cyber System, R5 requires a method to enforce authentication of interactive user access (5.1), an inventory of enabled default and generic account types (5.2), a record of which individuals are authorised to use each shared account (5.3), changed default passwords (5.4), password length and complexity parameters (5.5), password changes at least once every 15 calendar months (5.6), and limits or alerts on unsuccessful login attempts (5.7). The audit asks for that evidence per device, and it has to match the documented procedures. Manual evidence collection takes weeks per audit cycle.

/ 03

CIP-010-3 R1 requires baseline configuration management.

Every applicable BES Cyber System has a documented baseline (R1.1); every deviation from it is authorised and documented before it is made (R1.2), and the baseline is updated within 30 calendar days of the change (R1.3). The audit asks: show the baseline, show the change history with its approvals, and prove no unauthorised changes occurred in between. "We diff configs quarterly" rarely satisfies a CIP auditor, because a quarterly diff cannot show when a change happened or whether it was approved first.

/ 04

Shared local accounts are a recurring finding.

Shared accounts are not prohibited, but CIP-007-6 R5.3 requires a record of which individuals are authorised to use each one and R5.6 requires the password to change at least every 15 calendar months. Local fallback accounts on routers and switches that every operator knows usually fail both: most utilities have them, most have not rotated the credentials in years, and most cannot show which human operator initiated a given session that used them. Attribution is also what makes the CIP-005-7 R2 session evidence meaningful; a session that reached the device through the Intermediate System but logged in as "admin" still leaves the auditor asking who was on the keyboard.

§ 02 / How Innovexus solves it

Where Innovexus maps to NERC CIP.

Innovexus is the Intermediate System for IRA, the credential vault for BES Cyber System accounts, and the configuration baseline registry — three NERC CIP control areas covered by one platform with one signed audit trail. Honest version: we do not address every CIP control, and we are not a substitute for a full compliance programme. What we do, we do in a way that produces auditor-ready evidence.

/ 01

Intermediate System for CIP-005-7 R2

The per-tenant Innovexus pod is the Intermediate System. Every interactive remote access session to BES Cyber Systems goes through the pod. MFA happens at the pod (FIDO2 hardware key); the device sees only the pod's allowlisted IP. R2.1, R2.2, and R2.3 evidence is the pod's session log.
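The check behind that evidence, as an added example rather than Innovexus code: it reconciles the device's own login records against the Intermediate System's session records and flags every login that bypassed the pod (R2.1), has no brokered session to tie it to a person (the shared-account finding from § 01), used a weak factor (R2.3), or was covered by two overlapping sessions on the same shared account and so cannot be attributed from the device log alone. Hostnames, addresses, timestamps, MFA labels and the record layouts are constructed assumptions, not a real export format.

```python
"""Added example (not Innovexus code): reconcile device login records against
Intermediate System session records for CIP-005-7 R2 / CIP-007-6 R5.3 evidence.
Hostnames, IPs, timestamps, MFA labels and record layouts are constructed; a
real run would parse the broker's export and the device's TACACS+ accounting or
syslog records instead of the inline lists below."""
from dataclasses import dataclass
from datetime import datetime

INTERMEDIATE_SYSTEM_IPS = {"10.0.0.5"}   # assumed allowlisted pod address
STRONG_MFA = {"fido2", "totp"}           # factors treated as satisfying R2.3 (assumption)


@dataclass(frozen=True)
class BrokerSession:
    """One brokered session as the Intermediate System would record it."""
    session_id: str
    user: str      # named human bound to the hardware key
    mfa: str       # factor recorded at the Intermediate System
    target: str    # BES Cyber System hostname
    account: str   # device account the broker injected
    start: datetime
    end: datetime


@dataclass(frozen=True)
class DeviceLogin:
    """One login as the device's AAA accounting or syslog records it."""
    target: str
    account: str
    source_ip: str
    at: datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data; not real sessions.
BROKER_SESSIONS = [
    BrokerSession("s-001", "alice", "fido2", "rtr-01", "ops-fallback",
                  ts("2024-05-01T10:04:00+00:00"), ts("2024-05-01T10:20:00+00:00")),
    BrokerSession("s-002", "bob", "password", "rtr-01", "ops-fallback",
                  ts("2024-05-01T12:58:00+00:00"), ts("2024-05-01T13:15:00+00:00")),
    BrokerSession("s-003", "carol", "fido2", "sw-04", "ops-fallback",
                  ts("2024-05-01T15:00:00+00:00"), ts("2024-05-01T15:30:00+00:00")),
    BrokerSession("s-004", "dave", "fido2", "sw-04", "ops-fallback",
                  ts("2024-05-01T15:10:00+00:00"), ts("2024-05-01T15:40:00+00:00")),
]
DEVICE_LOGINS = [
    DeviceLogin("rtr-01", "ops-fallback", "10.0.0.5", ts("2024-05-01T10:05:10+00:00")),
    DeviceLogin("rtr-02", "admin", "192.168.50.7", ts("2024-05-01T11:00:00+00:00")),
    DeviceLogin("sw-03", "ops-fallback", "10.0.0.5", ts("2024-05-01T12:30:00+00:00")),
    DeviceLogin("rtr-01", "ops-fallback", "10.0.0.5", ts("2024-05-01T13:00:00+00:00")),
    DeviceLogin("sw-04", "ops-fallback", "10.0.0.5", ts("2024-05-01T15:12:00+00:00")),
]


def reconcile(logins, sessions, allowlist):
    """Return one finding per device login: OK, or the specific evidence gap."""
    findings = []
    for login in logins:
        base = {"login": login, "user": None}
        # R2.1: the device must only ever be reached from the Intermediate System.
        if login.source_ip not in allowlist:
            findings.append({**base, "status": "BYPASS",
                             "detail": f"source {login.source_ip} is not an Intermediate System"})
            continue
        # Attribution: brokered sessions that could have produced this login.
        matches = [s for s in sessions if s.target == login.target
                   and s.account == login.account and s.start <= login.at <= s.end]
        if not matches:
            findings.append({**base, "status": "UNATTRIBUTED",
                             "detail": "no broker session covers this login (R5.3)"})
            continue
        if len(matches) > 1:
            # Two people held the same shared account at once; the device log alone
            # cannot say which one produced this login, so it is not attributed.
            names = ",".join(sorted(s.user for s in matches))
            findings.append({**base, "status": "AMBIGUOUS",
                             "detail": f"overlapping sessions for {names}"})
            continue
        s = matches[0]
        if s.mfa not in STRONG_MFA:
            findings.append({**base, "status": "NO_MFA", "user": s.user,
                             "detail": f"session {s.session_id} used {s.mfa} (R2.3)"})
            continue
        findings.append({**base, "status": "OK", "user": s.user,
                         "detail": f"session {s.session_id}"})
    return findings


def summarize(findings):
    """Count findings per status; a clean R2 evidence bundle shows only OK."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(DEVICE_LOGINS, BROKER_SESSIONS, INTERMEDIATE_SYSTEM_IPS)
    for f in results:
        l = f["login"]
        print(f"{l.at:%H:%M:%S} {l.target:<7} {l.account:<13} {f['status']:<13} "
              f"user={f['user']} {f['detail']}")
    print(summarize(results))
```

The AMBIGUOUS case is the one a broker resolves and a bare jump host does not: if the Intermediate System injects the shared credential itself and records the per-session source port or terminal line, the device record can be joined on that instead of on the time window alone.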

/ 02

Account lifecycle for CIP-007-6 R5

Vaulted credentials for every shared local account, with the individuals authorised to use each one recorded against it (R5.2, R5.3); default passwords changed when an account is first vaulted (R5.4); enforced length and complexity (R5.5); automated rotation on a schedule well inside the 15-calendar-month ceiling (R5.6); and per-session attribution rooted in the FIDO2 hardware key, which is the authentication evidence for R5.1. The signed audit trail records every session, every command, and every credential retrieval, which is the accounting evidence auditors ask for alongside the R5 parts. R5.7 (limiting or alerting on unsuccessful login attempts) is a device-side or AAA-server control rather than a vault control and is not covered here.

/ 03

Baseline configuration for CIP-010-3 R1

Continuous baseline collection across the BES Cyber System fleet. Approved-change baseline promotion via the brokered-session workflow. Drift alerts on any change outside the workflow. R1.1–R1.5 evidence is the signed baseline archive plus the change-ticket-linked promotions.
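How a baseline registry and drift check of this kind fit together, as an added example (not Innovexus code): each collected config is normalised to drop lines that change on their own, hashed, and compared with the registered baseline; a deviation is matched against a change ticket that pre-registered the hash the approved change was expected to produce (R1.2), and an approved change is then promoted to become the new baseline (R1.3). The configs, hostnames, ticket IDs and volatile-line rules are constructed for the example.

```python
"""Added example (not Innovexus code): configuration baseline hashing and drift
detection of the kind CIP-010-3 R1 evidence is built from. Configs, hostnames,
ticket IDs and volatile-line rules are constructed; a real collector would pull
running configs over the brokered session and read approvals from the ticket
system."""
import difflib
import hashlib
import re

# Lines that change on every collection without any configuration change and
# must not count as drift (assumption; extend per platform).
VOLATILE = (
    re.compile(r"^! Last configuration change at"),
    re.compile(r"^! NVRAM config last updated"),
    re.compile(r"^ntp clock-period "),
)


def normalize(config: str) -> str:
    """Drop blank and volatile lines so the hash tracks only real settings."""
    kept = [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not any(p.match(ln) for p in VOLATILE)]
    return "\n".join(kept) + "\n"


def fingerprint(config: str) -> str:
    return hashlib.sha256(normalize(config).encode()).hexdigest()


def changed_lines(old: str, new: str) -> list:
    """Only the +/- lines of a unified diff, for the evidence bundle."""
    return [ln for ln in difflib.unified_diff(normalize(old).splitlines(),
                                              normalize(new).splitlines(),
                                              lineterm="", n=0)
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


def register_baseline(config: str, ticket: str) -> dict:
    """Baseline entry: approved config, its hash and the approving ticket (R1.1)."""
    return {"config": config, "hash": fingerprint(config), "ticket": ticket}


def check_drift(device: str, current: str, baselines: dict, approved: list) -> dict:
    """Classify the current config against the baseline and the approved-change list."""
    base = baselines[device]
    cur_hash = fingerprint(current)
    if cur_hash == base["hash"]:
        return {"device": device, "status": "IN_BASELINE", "ticket": base["ticket"], "diff": []}
    diff = changed_lines(base["config"], current)
    # R1.2: a deviation is acceptable only if it was authorised before it was made,
    # which here means a ticket that pre-registered the exact resulting hash.
    ticket = next((a["ticket"] for a in approved
                   if a["device"] == device and a["hash"] == cur_hash), None)
    if ticket:
        return {"device": device, "status": "APPROVED_CHANGE", "ticket": ticket, "diff": diff}
    return {"device": device, "status": "UNAUTHORISED_DRIFT", "ticket": None, "diff": diff}


def promote(baselines: dict, device: str, current: str, ticket: str) -> dict:
    """R1.3: after an approved change, the baseline is updated to the new config."""
    baselines[device] = register_baseline(current, ticket)
    return baselines[device]


def sample_config(hostname: str) -> str:
    """Constructed IOS-style config; not from any real device."""
    return (f"hostname {hostname}\n"
            "! Last configuration change at 09:12:00 UTC Mon May 6 2024\n"
            "aaa new-model\n"
            "aaa authentication login default group tacacs+ local\n"
            "username ops-fallback privilege 15 secret 9 $9$placeholder\n"
            "ip ssh version 2\n"
            "line vty 0 4\n"
            " access-class 10 in\n"
            " transport input ssh\n"
            "access-list 10 permit 10.0.0.5\n")   # only the Intermediate System may SSH in


BASELINES = {h: register_baseline(sample_config(h), "CHG-0900")
             for h in ("rtr-01", "rtr-02", "sw-03")}
CURRENT = {
    # Same settings, new volatile timestamp: no drift.
    "rtr-01": sample_config("rtr-01").replace("09:12:00", "14:40:00"),
    # A line nobody approved: unauthorised drift.
    "rtr-02": sample_config("rtr-02") + "snmp-server community public RO\n",
    # A second jump-host address added under a ticket: approved change.
    "sw-03": sample_config("sw-03") + "access-list 10 permit 10.0.0.6\n",
}
# Approved changes pre-register the hash the change is expected to produce.
APPROVED = [{"device": "sw-03", "ticket": "CHG-1042", "hash": fingerprint(CURRENT["sw-03"])}]


if __name__ == "__main__":
    for dev in BASELINES:
        r = check_drift(dev, CURRENT[dev], BASELINES, APPROVED)
        print(dev, r["status"], r["ticket"], r["diff"])
        if r["status"] == "APPROVED_CHANGE":
            promote(BASELINES, dev, CURRENT[dev], r["ticket"])
```

Pre-registering the expected hash is what turns "a ticket exists" into "this exact change was the one approved"; a ticket that merely says "update ACL on sw-03" would also cover a change that added something else at the same time.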

/ 04

Pre-built CIP audit exports

Export templates for each of the relevant CIP standards. One click produces the per-control evidence bundle: device-by-device account inventory for R5, IRA session logs for R2, baseline diffs and approval chain for R1. Auditor consumes the bundle directly.

/ 05

Per-tenant infrastructure isolation

Each customer's pod is dedicated infrastructure, not multi-tenant SaaS. For utilities under CIP this matters: the Intermediate System is itself an Electronic Access Control or Monitoring System (EACMS) that must sit outside the Electronic Security Perimeter, and the Responsible Entity remains accountable for it under the standards even when a vendor operates the underlying hosts. Dedicated per-tenant pods in Tier 3/4, SOC 2 audited facilities align with that posture; your CIP coordinator should still confirm the arrangement with your regional entity before relying on the pod as the Intermediate System of record.

§ 03 / How it works in practice

CIP-aligned setup, in plain language.

Most utilities have IRA, account lifecycle, and baseline running through Innovexus within 1–2 weeks. Here's the actual sequence — and the points where you should expect to engage your CIP compliance team.

  1. 01

    Compliance scoping

    Start with your CIP coordinator. Identify which BES Cyber Systems are in scope, which IRA paths exist, which controls Innovexus will support. Document this in your CIP programme — the scoping document is itself an audit artefact.

  2. 02

    Pod provisioning as Intermediate System

    Per-tenant pod provisions in your region, outside the Electronic Security Perimeter as the Intermediate System definition requires. The pod's IP is allowlisted at your ESP Electronic Access Point as the only permitted IRA source, so a session that did not come through the pod cannot reach the device at all. Your existing ESP firewalls remain; Innovexus does not replace network segmentation.

  3. 03

    Account vault and rotation

    Inventory shared local accounts across BES Cyber Systems. Vault each account, set rotation schedule per device class. Existing TACACS+ shared secrets and RADIUS keys vaulted in the same pass. R5 evidence starts populating immediately.

  4. 04

    Baseline and drift

    Initial config collection establishes the R1 baseline. Polling cadence configured per device class. Approved-change workflow for promoting new baselines via brokered sessions. R1 evidence accumulates over the first 30–60 days.

  5. 05

    Audit-ready by quarter end

    Pre-built audit export bundles available for CIP-005-7 R2, CIP-007-6 R5, and CIP-010-3 R1. Run them quarterly, hand to your compliance team, hand to the auditor. Saves substantial evidence-collection time vs the manual workflow most utilities run today.

§ 04 / Other approaches, honestly

How this compares to other approaches.

Several patterns are common in CIP-regulated environments. Honest read on where Innovexus fits.

CyberArk for OT (CyberArk PSM + Privilege Cloud)
Capable, enterprise pricing

CyberArk is widely deployed at large utilities for CIP-aligned PAM. Capability parity is real for the controls we both cover. Trade-offs: enterprise pricing ($60K+/yr typical), partner-led deployment over 3–6 months, organisational maturity required to operate. Best fit at large utilities (above ~5,000 BES devices) with dedicated PAM administration.

BeyondTrust Privileged Remote Access
Strong on IRA, weaker on baseline

BeyondTrust's PRA (formerly Bomgar) is widely used for vendor and third-party IRA in OT environments. Strong on the R2 controls. Weaker on R5 account lifecycle automation and not a baseline configuration tool. Often deployed alongside another product for the rest of CIP.

Manual evidence collection
Most utilities, lots of pain

The most common pattern is still manual: spreadsheets, scripts that pull configs to a file share, syslog forwarding to a SIEM. Works for compliance but expensive in evidence-collection labour every audit cycle. Scales poorly as BES Cyber System count grows.

Dragos / Claroty / Nozomi
Different layer

OT security platforms like Dragos, Claroty, and Nozomi address ICS-specific monitoring, asset inventory, and threat detection. They are complementary to Innovexus, not alternatives — they cover detection and inventory; Innovexus covers privileged access and baseline integrity. Many utilities run both.

Solution · NERC CIP PAM · FAQ

Common questions

Direct answers — written so each passage stands alone for AI-engine citation.

01

Is Innovexus a NERC CIP compliance platform?

No, and we won't pretend to be one. NERC CIP covers physical security, supply chain risk, incident response, training, and many other domains beyond privileged access. Innovexus is the privileged access piece — we align cleanly to CIP-005-7 R2 (IRA), CIP-007-6 R5 (account lifecycle), and CIP-010-3 R1 (baseline configuration) and produce auditor-ready evidence for those controls. For full CIP compliance you still need your existing GRC platform, your physical security, your training programme, and the rest.

02

Can Innovexus serve as the Intermediate System required by CIP-005-7 R2?

Yes. The per-tenant pod is purpose-built to be an Intermediate System: MFA at the pod (FIDO2 hardware key, R2.3), an encrypted user-to-pod leg that terminates at the pod (R2.2), a separate brokered connection from the pod to the BES Cyber System so the user's workstation never touches the device directly (R2.1), full session attribution, and full session recording. The signed session log is the auditor's primary evidence for R2.1, R2.2, and R2.3. We have utilities running this configuration in production today; we will share architecture documentation with your CIP coordinator under NDA.

03

Where does the per-tenant pod actually run, and is that acceptable for CIP?

Innovexus pods run on dedicated per-tenant infrastructure inside SOC 2 Type II audited facilities (Tier 3/4 data centres). Geographic placement is configurable per tenant; a utility under CIP would typically deploy to a region in its own jurisdiction (US-only for a US entity, Canadian for a Canadian one). The pod is the Responsible Entity's controlled system in the sense that the Responsible Entity owns the access policies, the FIDO2 hardware key inventory, and the audit trail. The underlying infrastructure is Innovexus-operated, similar to how a SaaS-delivered Intermediate System works for many utilities. Because the pod is the Intermediate System, and therefore an EACMS in your CIP asset inventory, your CIP coordinator will want to review the architecture documentation; we provide it under NDA before any contract.

04

What about CIP-013 supply chain considerations?

CIP-013-2 imposes supply chain risk management requirements on BES Cyber System procurement. As a vendor providing a security-relevant service, Innovexus is part of your supply chain. We provide a CIP-013-aligned vendor risk package: SOC 2 Type II report, ISO 27001 certification, infrastructure compliance reporting at innovexus.io/compliance, evidence of security training for personnel, incident notification procedures, and the right-to-audit clause in our contracts. Your supply-chain risk programme will still need to evaluate us — we provide the evidence inputs.

05

How is this different from Cisco ISE deployed in a CIP environment?

ISE handles AAA decisions at the BES Cyber System — authentication, authorization, command accounting. It's a great tool for that layer and we don't replace it. Innovexus addresses three things ISE doesn't: (1) IRA Intermediate System with MFA at the pod (R2), (2) credential lifecycle automation including shared-account rotation and signed audit (R5), (3) configuration baseline registry and drift detection (R1). Most CIP-compliant utilities run ISE for AAA and need additional tooling for the other three; Innovexus is one option for that additional tooling.

06

Will Innovexus support a regional reliability entity audit?

Innovexus produces the evidence; the audit conversation is between you and your regional entity (NPCC, RF, SERC, MRO, Texas RE, WECC). We provide pre-built export bundles aligned to each in-scope control, will respond to evidence requests routed through your compliance team during an audit window, and have utility-experienced engineers available for technical questions if your auditor has them. We don't represent you to the regional entity; you do.

Map your CIP-005, CIP-007, and CIP-010 evidence to one signed audit trail.

From $199 / month · 5-day free trial

Start with a 5-day trial against a representative subset of BES Cyber Systems. Your CIP coordinator can review the architecture documentation under NDA before any production deployment.