Blog August 5, 2025

The Hidden Disconnect: Why Utilities Prioritize NIST Compliance But Still Ignore PKI

by Nick Sirikulbut

In the electric utility sector, compliance isn’t just a box to check; it has its own culture and way of life within the utility. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and the NIST Cybersecurity Framework (CSF) dominate conversations, budgets, and boardroom priorities.

Audits get resources. Policies get written. Teams get staffed.

NERC CIP: The High-Stakes Compliance Standard

The NERC CIP standards are federally mandated rules designed to protect the bulk power system from cybersecurity and operational risks. While NERC CIP is specific to the electric sector, it often aligns with, and in some areas references, the broader NIST security controls. Many electric utilities map their NERC CIP programs to NIST guidance to strengthen both compliance and operational resilience.

For utilities, failing to comply isn’t just a minor finding; it’s a direct business risk:

  • Fines of up to $1 million per day, per violation, and penalties can stack if multiple standards are missed
  • Increased oversight with more frequent, more invasive audits that divert resources from core operations
  • Operational restrictions requiring systems to be taken offline or isolated until remediated
  • Legal and liability exposure if non-compliance is tied to an outage or cyber incident
  • Public enforcement actions that can erode trust with customers, investors, and regulators

Why this matters for PKI: Many NERC CIP controls depend on strong cryptography, reliable identity management, and verifiable trust, all of which are rooted in healthy PKI. If PKI posture is neglected, compliance failures aren’t just possible, they’re inevitable.

But Here’s the Uncomfortable Truth

You can’t be compliant with NIST or build a serious Zero Trust program if you ignore the health of your Public Key Infrastructure (PKI).

Everything modern security relies on, such as identity, authentication, encryption, and secure access, starts with PKI. And yet, this foundational technology is often the weakest, least understood link in the chain.

The Compliance Disconnect

Utilities pour millions into compliance programs:

  • Staff up for audits
  • Align with the NIST Cybersecurity Framework
  • Check the “boxes”

But when it comes to the actual backbone of trusted identity — PKI, Certificate Authorities (CAs), and Hardware Security Modules (HSMs) — it is often treated like a black box.

Set it and forget it.

That’s like locking every door in your control center…while leaving the keys under the mat.

What NIST Actually Says

Let’s be clear. NIST isn’t vague about PKI. NIST guidance contains explicit PKI requirements.

SP 800-53 Rev. 5:

  • SC-12: Cryptographic Key Establishment
  • SC-17: Public Key Infrastructure Certificates
  • SC-23: Session Authenticity

These are not “nice-to-have” controls; they are baseline safeguards. And all of them assume your PKI is valid, trusted, continuously monitored, and resilient.

SP 800-207 (Zero Trust Architecture):

  • Calls for continuous authentication and strong cryptographic identity—functions that only PKI provides.

SP 1800-35 (Zero Trust Implementations):

  • Demonstrates real-world Zero Trust architectures that are built on PKI: mutual Transport Layer Security (mTLS), certificate-based access control, and workload identity.

If your PKI is broken or unmanaged, your entire Zero Trust effort is on shaky ground.

“We Have a CLM Solution…Aren’t We Covered?”

No. Not even close.

Certificate Lifecycle Management (CLM) solutions only solve the “last mile”: issuing and renewing certificates. They do nothing to monitor or harden the PKI backend itself.

Your CLM isn’t:

  • Validating CA configurations or templates that could cause catastrophic outages
  • Detecting when offline roots or HSMs are unreachable, disrupting identity systems
  • Identifying weak algorithms or deprecated cryptography like SHA-1
  • Monitoring revocation chains or broken trust paths
  • Providing real-time posture assessments to prevent vulnerabilities before a penetration test finds them

Lifecycle automation ≠ PKI posture management.

And PKI posture management is where compliance and resilience actually live.

Why Is PKI Still an Afterthought?

Ask most utility Chief Information Security Officers (CISOs) or Chief Information Officers (CIOs), and they can’t answer questions like:

  • Who owns our CAs?
  • Are we still using weak or deprecated algorithms?
  • What’s our recovery plan if our internal CA goes down?

Why?

  • PKI is invisible when it’s working. It doesn’t make noise until it fails, and then everything breaks at once. Just because it’s working does not mean it’s secure. And just because it’s working does not mean it’s resilient.
  • There’s no clear owner. PKI straddles Information Technology (IT), Operational Technology (OT), and Information Security. Everyone relies on it, but no one truly owns it.
  • Audits don’t dig deep. Compliance checks confirm a CA exists but rarely validate its security posture.
  • Assumed coverage. Teams mistakenly think Identity and Access Management (IAM), Endpoint Detection and Response (EDR), or network tools handle PKI risks when they don’t.

The Real-World Cost of Ignoring PKI

Utilities have experienced crippling outages due to expired or misconfigured certificates:

  • Power restoration delays after certificate failures blocked remote commands
  • Remote substation lockouts during emergencies
  • Credential outages halting operations
  • Cascading failures during certificate rotations

Certificates are just the surface. Below the surface, in a Zero Trust world, it’s PKI, the trust backbone, that matters. If it’s misconfigured or fails, every dependent control crumbles.

Shining a Light on PKI

Gartner defines PKI posture management as a continuous, risk-based approach to assessing not just certificates but the health, hygiene, and security of the entire PKI infrastructure, from CAs and HSMs to policy enforcement and change control (Effectively Manage Your Organization’s Certificates, ID G00804504).

This isn’t theory. It’s a growing recognition from one of the most influential analyst firms in the world that PKI posture management is not the same as certificate lifecycle management.

Where CLM automates renewals, PKI posture management:

  • Delivers real-time visibility into PKI health, CA availability, and HSM connectivity
  • Enables continuous monitoring for misconfigurations, policy violations, or trust breaks
  • Provides cross-environment awareness across Microsoft Active Directory Certificate Services (ADCS), third-party, and cloud-based CAs
  • Identifies vulnerabilities before they lead to outages, audit failures, or compliance gaps
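To make the distinction between renewal automation and posture assessment concrete, here is an added example, not code from the original post or from any vendor product. It uses only Go's standard library crypto/x509 to build a small constructed lab PKI, then assesses a healthy leaf and a neglected one for the kinds of issues listed above and in the “Your CLM isn’t” list: a broken trust path, a SHA-1 signature, an undersized RSA key, and near expiry, checked on the CA certificate as well as the leaf. The CA and device names (Lab Utility Root CA, substation-rtu-01/02), the thresholds (2048-bit RSA minimum, 30-day expiry warning) and the AssessChain/Demo functions are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one posture issue found on a certificate in the trust path.
type Finding struct{ Subject, Issue string }

// Signature algorithms a posture check should flag (MD5 and SHA-1 based, plus deprecated DSA).
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.ECDSAWithSHA1: true, x509.DSAWithSHA1: true, x509.DSAWithSHA256: true}

// AssessChain runs checks a renewal-only CLM tool does not: trust-path validity, weak signature
// algorithms, undersized RSA keys and expiry, applied to the CA certificate as well as the leaf.
func AssessChain(leaf, ca *x509.Certificate, now time.Time, expiryWarn time.Duration) []Finding {
	var out []Finding
	add := func(c *x509.Certificate, issue string) {
		out = append(out, Finding{c.Subject.CommonName, issue})
	}
	// Trust path: can the leaf be chained to the trusted CA right now? Go's verifier (1.18+)
	// refuses SHA-1 signatures, so a weak algorithm also surfaces here, as it would in production.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		add(leaf, "broken trust path: "+err.Error())
	}
	for _, c := range []*x509.Certificate{leaf, ca} {
		if weakSigAlgs[c.SignatureAlgorithm] {
			add(c, "weak signature algorithm "+c.SignatureAlgorithm.String())
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			add(c, fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
		}
		remaining := c.NotAfter.Sub(now)
		switch {
		case remaining < 0:
			add(c, "expired on "+c.NotAfter.Format(time.RFC3339))
		case remaining < expiryWarn: // report whole days, rounded
			add(c, fmt.Sprintf("expiring in %d days", int((remaining+12*time.Hour).Hours()/24)))
		}
	}
	return out
}

// newTmpl is a template valid from an hour ago for ttl; CA templates get basic constraints.
func newTmpl(serial int64, cn string, now time.Time, ttl time.Duration, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for public key pub with the CA key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Demo builds a constructed lab PKI (no real utility's data) and assesses a healthy leaf
// and a neglected one, returning both finding lists.
func Demo() (good, bad []Finding) {
	now, year, warn := time.Now(), 365*24*time.Hour, 30*24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := newTmpl(1, "Lab Utility Root CA", now, 10*year, true)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256, SHA-256 signature, a year left
	good = AssessChain(issue(newTmpl(2, "substation-rtu-01", now, year, false), ca, &goodKey.PublicKey, caKey), ca, now, warn)
	badKey, _ := rsa.GenerateKey(rand.Reader, 1024) // 1024-bit RSA, SHA-1 signature, five days left
	badTmpl := newTmpl(3, "substation-rtu-02", now, 5*24*time.Hour, false)
	badTmpl.SignatureAlgorithm = x509.ECDSAWithSHA1
	bad = AssessChain(issue(badTmpl, ca, &badKey.PublicKey, caKey), ca, now, warn)
	return good, bad
}

func main() {
	good, bad := Demo()
	fmt.Printf("healthy leaf: %d findings\n", len(good))
	for _, f := range bad {
		fmt.Printf("%s: %s\n", f.Subject, f.Issue)
	}
}
```

Run with `go run .`; the healthy leaf produces no findings, while the neglected one is reported for its SHA-1 signature, 1024-bit key and five-day expiry, and on Go 1.18 or later also for a broken trust path, because the verifier itself refuses the SHA-1 signature. In a real assessment the same loop would run over every CA and leaf exported from ADCS, third-party and cloud CAs, and a renewal tool would have reported nothing but the expiry date.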

The Bottom Line

  • Can you really claim NIST compliance if your PKI is a black box?
  • Can you call your Zero Trust program “mature” if PKI health isn’t continuously monitored?
  • Can you secure critical infrastructure while ignoring the foundational infrastructure of trust itself?

Compliance isn’t enough. Visibility is. Control is. Posture is.

If NIST compliance is the goal, then PKI Posture Management must be part of the equation. Your security strategy and the resilience of the grid depend on it.

Next Step

Are you unsure of the health of your PKI right now, assuming it’s fine, or confident you’re good?

The difference between “hope” and “certainty” could be the difference between uptime and headlines.
