Energy and Utility Phishing Simulation: NERC CIP, TSA, EPA, AWIA Compliance (2026)
Critical infrastructure organizations - electric utilities, water and wastewater, oil and gas, pipeline operators - face a regulatory awareness-training landscape that's distinct from the rest of the economy. NERC CIP-004 governs personnel and training for the bulk electric system. TSA Security Directives govern pipelines. AWIA and EPA guidance govern water utilities. CISA's cross-sector Cybersecurity Performance Goals provide a common floor. Each framework has its own evidence expectations; a program that satisfies one doesn't automatically satisfy another.
This post translates the major sector-specific regulatory anchors into a working phishing simulation program design: where the prescriptive language sits, the OT/control-room inclusion problem that's the single most common audit finding, the template categories that produce real training evidence for utility workers, and the program shape that satisfies multiple frameworks simultaneously.
The regulatory landscape at a glance
| Sector | Primary regulatory anchor | Awareness-training expectation |
|---|---|---|
| Electric (Bulk Electric System) | NERC CIP-004 (Personnel and Training) | Security-awareness reinforcement at least once each calendar quarter (R1); training before access is granted and at least once every 15 calendar months thereafter (R2) |
| Pipeline (oil and gas) | TSA Security Directive Pipeline-2021-02 + subsequent revisions | Annual training; TSA-approved Cybersecurity Implementation Plan |
| Water and wastewater | AWIA + EPA cybersecurity guidance | Risk-assessment driven; cadence not explicit, but examiners weight continuous programs |
| Cross-sector (voluntary baseline) | CISA Cybersecurity Performance Goals (CPGs) Goal 4.1 | Workforce awareness aligned to threat landscape; continuous preferred |
| DoD-supplier critical-infra | CMMC AT family (when DFARS 252.204-7021 applies) | Annual minimum; assessor-validated evidence |
NERC CIP-004 specifically
For Bulk Electric System operators, CIP-004 has two requirements that matter here. R1 (Security Awareness Program) requires reinforcement of cyber security practices at least once each calendar quarter for personnel with authorized electronic or authorized unescorted physical access to BES Cyber Systems; recurring phishing simulation maps most directly onto this requirement. R2 (Cyber Security Training Program) requires completion of Cyber Security Training before authorized access is granted, and again at least once every 15 calendar months thereafter. R3 (Personnel Risk Assessment) requires identity verification and a criminal history records check. None of the enforceable text names "phishing simulation" - but Regional Entity (RE) audits in 2024-2025 increasingly cite phishing testing as standard evidence of meaningful awareness reinforcement.
The audit-posture trend: REs are treating the absence of phishing testing as a finding-eligible operational gap, particularly for entities with Medium and High Impact BES Cyber Systems. Programs that comply with the letter (annual classroom training plus a quiz) but produce no behavioral evidence that awareness is actually being reinforced are increasingly noted as deficiencies during spot checks.
TSA pipeline directives
The TSA's Security Directives for pipeline cybersecurity (Pipeline-2021-02 and subsequent revisions through 2024) apply to designated owner/operators of higher-risk pipeline infrastructure. Key requirements:
- Designated Cybersecurity Coordinator with 24/7 reachability
- TSA-approved Cybersecurity Implementation Plan (CIP - TSA's acronym, not to be confused with NERC CIP)
- Cybersecurity training program covering personnel with access to operational and IT systems
- 24-hour incident reporting to CISA
- Annual third-party cybersecurity assessments
Phishing simulation is the standard mechanism operators use to satisfy the training-program requirement. TSA inspectors increasingly bundle phishing-program evidence review with the annual third-party assessment, so the evidence package serves both purposes.
AWIA and water utilities
America's Water Infrastructure Act of 2018 requires community water systems serving more than 3,300 people to conduct risk and resilience assessments and develop emergency response plans. EPA cybersecurity guidance (issued 2023 and updated since) explicitly addresses phishing-driven attacks on operational technology and customer-billing systems.
AWIA itself doesn't specify training cadence, but cyber incidents at municipal water systems (the 2023 compromise of internet-exposed Unitronics PLCs at the Municipal Water Authority of Aliquippa, PA, and multiple others in 2024-2025) have driven EPA enforcement attention. Water utilities targeting a credible AWIA posture increasingly include monthly phishing simulation in their training and assessment workstreams.
The OT and control-room exclusion problem
The single most consistent finding in 2024-2025 utility cybersecurity assessments: phishing simulation programs that exclude OT and control-room staff. The exclusion typically happens for two reasons:
- OT/control-room staff don't have standard corporate email accounts (they use shared dispatcher emails or operations-only addresses)
- Operations management considers phishing testing inappropriate for staff focused on real-time grid/plant operations
Both rationales are wrong from a regulatory perspective. NERC CIP-004 explicitly applies to personnel with BES Cyber System access including OT staff. TSA pipeline directives apply to "personnel with access to operational systems." AWIA / EPA guidance addresses operations-staff phishing risk explicitly. Programs that systematically exclude OT/control-room staff have surfaced as findings in NERC audits and TSA inspections.
Practical recommendation: include OT/control-room staff on the same email phishing simulation cadence as corporate IT, using auxiliary email addresses or dedicated training portals for staff without primary email accounts. Tailor the template categories to OT-relevant lures (see below).
Template categories that produce real evidence for utility workers
Standard mass-phishing templates produce weak training evidence for utility workers. The five categories that map to real attacker behavior against critical infrastructure:
- Vendor-impersonation lures - SCADA software vendors (GE, Siemens, ABB, Schneider Electric, Rockwell), OT equipment manufacturers, integrators. Includes fake security advisories with malicious attachments, fake patches, fake licensing reminders.
- ICS-advisory impersonation - fake CISA bulletins, fake E-ISAC alerts, fake DOE / EPA notices. Designed to harvest credentials from operations or compliance staff who would naturally trust those sources.
- Dispatcher and control-room operational lures - fake outage reports, fake regulatory directives, fake emergency-response coordination requests. Targets the operational urgency that bypasses normal verification reflexes.
- Procurement and PO fraud - BEC against finance/procurement staff. Vendor-payment redirection is the dominant fraud pattern; utilities have lost millions to this category.
- Credential-harvest lures targeting field-tech mobile devices - field technicians and meter readers working from mobile devices get weaker spam filtering and fewer spoof-detection cues (truncated sender addresses, no hover-to-preview on links). SMS phishing (smishing) that impersonates dispatch is a real attack pattern.
Cross-framework program shape
For a typical mid-sized utility (electric distribution co-op, regional water utility, mid-sized pipeline operator), a defensible phishing-program shape that satisfies multiple regulatory anchors:
- Monthly phishing simulation across all personnel including OT and control-room staff
- Five template categories tailored to utility-specific lures (vendor, ICS-advisory, dispatcher, procurement, field-mobile)
- Multi-channel coverage (email + SMS + voice). SMS specifically matters for field-tech populations
- Auto-assigned remediation training tied to lure category
- Quarterly trend reports with click-rate, completion, threshold-exceedance documentation, OT-vs-corporate breakdown
- Annual comprehensive training module covering sector-specific incident reporting (DOE Form OE-417 and E-ISAC for electric, TSA's 24-hour CISA reporting for pipelines, EPA, state utility commissions)
- Personnel scoping aligned to the regulatory anchor (CIP-004 personnel categories for electric; TSA-CIP scoping for pipeline; AWIA scoping for water)
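As an added example (not the page's or Bait & Phish's code), the Python below produces three of the evidence artifacts the program shape above calls for, starting from a constructed campaign export: click and report rates broken out by personnel category with a threshold-exceedance flag, a scoping-coverage check that surfaces categories the roster scopes in but the simulation never reached (here, control-room staff, the exclusion discussed earlier), and the CIP-004 "at least once every 15 calendar months" reinforcement deadline per person. The roster, events, category names and the 0.30 click threshold are constructed assumptions; the deadline routine assumes the commonly applied reading that "15 calendar months" runs to the last day of the fifteenth month after the month of the last completion.

```python
"""Evidence-report helpers for a utility phishing program.

Added example, not the page's or vendor's code. ROSTER, EVENTS, the category
names and CLICK_THRESHOLD are constructed assumptions for illustration.
"""
import calendar
from collections import defaultdict
from datetime import date

# Constructed roster of in-scope personnel: user -> scoping category.
ROSTER = {
    "ops-01": "ot", "ops-02": "ot", "ops-03": "ot", "ops-04": "ot",
    "cr-01": "control-room", "cr-02": "control-room",
    "it-01": "corporate", "it-02": "corporate",
    "it-03": "corporate", "it-04": "corporate",
    "fld-01": "field", "fld-02": "field", "fld-03": "field",
}

# Constructed simulation results: (user, lure category, clicked, reported).
# No control-room user appears: exactly the exclusion auditors flag.
EVENTS = [
    ("ops-01", "dispatcher", True, False),
    ("ops-02", "dispatcher", False, True),
    ("ops-03", "ics-advisory", True, False),
    ("ops-04", "vendor", False, False),
    ("it-01", "vendor", False, True),
    ("it-02", "procurement", False, True),
    ("it-03", "vendor", True, False),
    ("it-04", "ics-advisory", False, False),
    ("fld-01", "field-mobile", True, False),
    ("fld-02", "field-mobile", False, False),
]

CLICK_THRESHOLD = 0.30  # assumed program threshold that triggers a documented response


def category_metrics(events, roster):
    """Click and report rates per scoping category, with a threshold flag."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for user, _lure, clicked, reported in events:
        t = totals[roster[user]]
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    report = {}
    for cat, t in totals.items():
        click_rate = t["clicked"] / t["sent"]
        report[cat] = {
            "sent": t["sent"],
            "click_rate": round(click_rate, 3),
            "report_rate": round(t["reported"] / t["sent"], 3),
            "exceeds_threshold": click_rate > CLICK_THRESHOLD,
        }
    return report


def coverage_gaps(events, roster):
    """Categories whose simulated population is short of the in-scope roster.

    Returns {category: (simulated_users, in_scope_users)} for every category
    that is not at 100% coverage. A category with (0, n) is an exclusion.
    """
    in_scope = defaultdict(set)
    for user, cat in roster.items():
        in_scope[cat].add(user)
    simulated = defaultdict(set)
    for user, *_ in events:
        simulated[roster[user]].add(user)
    return {
        cat: (len(simulated[cat]), len(users))
        for cat, users in in_scope.items()
        if simulated[cat] != users
    }


def reinforcement_deadline(last_completed, months=15):
    """Last day of the Nth calendar month after the month of last completion.

    Assumed reading of CIP-004 R2's "at least once every 15 calendar months":
    completed 2024-03-15 -> due no later than 2025-06-30.
    """
    idx = last_completed.year * 12 + (last_completed.month - 1) + months
    year, month0 = divmod(idx, 12)
    month = month0 + 1
    return date(year, month, calendar.monthrange(year, month)[1])


def overdue_personnel(last_training, as_of, months=15):
    """Users whose reinforcement deadline has already passed as of `as_of`."""
    return sorted(u for u, d in last_training.items()
                  if as_of > reinforcement_deadline(d, months))


if __name__ == "__main__":
    for cat, m in category_metrics(EVENTS, ROSTER).items():
        print(cat, m)
    print("coverage gaps:", coverage_gaps(EVENTS, ROSTER))
    print("deadline for 2024-03-15:", reinforcement_deadline(date(2024, 3, 15)))
```

The coverage check is the one to run before every quarterly report: a category that shows up with zero simulated users is the OT/control-room exclusion finding in data form, and it is cheaper to catch it in your own export than in an RE spot check.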
Common findings in utility cybersecurity audits
Patterns that recur across NERC RE audits, TSA inspections and EPA assessments:
- OT and control-room staff systematically excluded from phishing simulation
- Annual classroom training documented but no behavioral testing evidence
- Generic mass-phishing templates only - no utility-specific lures
- Training records not differentiated by personnel category (corporate IT vs OT vs field-tech)
- Phishing simulation results not tied to incident-reporting drill outcomes
- No documented response to threshold-exceedance events
- Field-technician mobile populations not covered (no SMS phishing component)
For DoD-supplier critical infrastructure
Some critical infrastructure operators (defense-supplier-segment, DOE NNSA contractors, certain federal-facility operators) face overlapping CMMC requirements in addition to sector-specific anchors. The CMMC AT controls (AT.L2-3.2.1, .2.2, .2.3) align well with NERC CIP-004 personnel/training expectations, so the same program substantively satisfies both. Evidence packets are sliced for each examination type but the underlying program is unified.
Where Bait & Phish fits
Bait & Phish supports the operational profile critical-infrastructure assessors look for: continuous monthly phishing simulation across email, SMS and voice; auto-assigned remediation training; OT/control-room inclusion (auxiliary-email handling); utility-specific template categories; quarterly trend reports exportable for NERC, TSA, EPA evidence packages. The 15+ years of operating history matters - regulated utilities under audit value vendors with track-record evidence over newer entrants. Start a 25-user free trial or talk to us about a program design walkthrough mapped to your sector's regulatory anchor.
This post is informational and does not constitute compliance, legal, or examination advice. Specific NERC CIP audit readiness, TSA inspection preparation, AWIA scoping and CMMC assessment planning are organization-specific - consult your sector compliance counsel or registered NERC entity for tailored guidance.
See also: Manufacturing and OT Phishing Risks for the broader OT cybersecurity context, Federal and Government Phishing Training Requirements for federal-facility and DoD-supplier overlap, and the Compliance Comparison hub for cross-framework evidence reuse.
Related industry guides
- State and local government phishing training
- Law firm phishing simulation
- Manufacturing and OT phishing
- Healthcare phishing simulation
- Retail and e-commerce phishing simulation (PCI, gift-card BEC)
- K-12 and higher education phishing training
- MSP and MSSP phishing simulation (multi-tenant reseller)
- Financial services phishing awareness
- SaaS startup phishing simulation (SOC 2-ready in 30 days)