Brett Walkenhorst is chief technology officer at Bastille, a security company for wireless communication.
Modern grid operations depend on connected systems spread across generation, transmission and distribution. As more wireless devices and links show up around substations, control centers and field crews, a once-overlooked risk surface is expanding in the radio-frequency spectrum. Traditional programs built around the North American Electric Reliability Corp.’s Critical Infrastructure Protection standards have emphasized wired networks and IT assets. But the airwaves around the bulk electric system are busy and largely unmonitored in many environments.
The blind spot in today’s defenses
Utilities have long defined electronic security perimeters, hardened remote access and segmented networks. Those steps are necessary, but they do little for risks introduced by Wi-Fi, Bluetooth Low Energy, cellular modems, ad hoc hotspots, Zigbee and other radio frequency (RF) signals that slip past cable-centric controls. A personal hotspot left on in a control room, a rogue access point in a substation cabinet or an unapproved IIoT radio near protective relays can undermine otherwise solid defenses. These conditions are common because each site’s RF environment shifts with time of day, maintenance schedules and nearby activity.
The physical threat environment has also grown more complex. The Cybersecurity and Infrastructure Security Agency and the Department of Energy have urged substation owners and operators to update protective measures as incidents highlight evolving tactics against critical sites. Wireless emissions can accompany reconnaissance or facilitate intrusion, making spectrum awareness a practical complement to fences, cameras and guards. Retired Gen. Tim Haugh told CBS’ “60 Minutes” that China has sought persistent access to U.S. critical infrastructure, including water and electric power, to gain leverage in a crisis, underscoring why utilities must monitor what’s in the air as well as on the wire.
Standards are moving, so should monitoring
Compliance is not a substitute for security, but regulatory momentum is clear. On June 26, 2025, the Federal Energy Regulatory Commission approved NERC CIP-015-1, which requires internal network security monitoring inside electronic security perimeters. That decision reflects a broader expectation for continuous visibility of east-west traffic and, by extension, a growing industry emphasis on closing monitoring gaps wherever they exist. While CIP-015 focuses on internal network telemetry, pairing it with persistent wireless situational awareness helps align security practice with how operations communicate.
Core requirements under CIP-005 still anchor perimeter discipline, and the latest revision reinforces the need to know and control all access points, a concept that logically includes wireless pathways at or near those boundaries. Treating the RF domain as part of the perimeter mindset reduces surprises and speeds incident response.
A practical playbook for RF risk reduction
Before utilities add new tools, they can tighten everyday practices that close common wireless gaps. The steps below prioritize actions that are low-friction, repeatable and aligned with existing NERC CIP workflows.
- Establish a living inventory of wireless emitters: Create and maintain an asset inventory that includes every RF transmitter observed in and around high- and medium-impact sites, such as authorized access points and client devices, cellular gateways, maintenance laptops, sensors and wearables. Tie this inventory to location and time so transient devices and walk-by emitters don’t get missed. Utilities report that inventories drift fastest at facilities with frequent contractor access or mobile work management.
- Monitor the spectrum continuously, not just during audits: Point-in-time sweeps find only the issues present in that moment; continuous or regularly scheduled monitoring captures seasonal work, outage windows and shift changes. Continuous RF visibility complements internal network monitoring under CIP-015 and strengthens evidence for CIP-005 controls when investigating unknown connections near the perimeter.
- Enforce clear wireless use policies for control rooms and substations: Codify rules for personal hotspots, Bluetooth accessories, test gear and temporary cellular bridges. Post signage at access points, require documented exceptions and verify enforcement with spectrum data rather than relying only on attestation. RF best-practice guides from the Department of Homeland Security emphasize disciplined device management as part of interference mitigation.
- Integrate RF alerts into existing SOC and compliance workflows: Treat suspicious or policy-violating emissions like any other detection. Send alerts to the SIEM, ticket them in the same system used for cyber events and map findings to the relevant CIP controls for consistent documentation. That alignment shortens investigations and helps demonstrate due diligence to auditors.
- Include spectrum checks in physical security rounds: CISA’s substation guidance highlights layered defenses. Adding quick RF scans to routine patrols can reveal covert surveillance devices, illicit bridges or interference sources that cameras won’t catch. When an alert triggers, being able to locate a device precisely inside a yard or building reduces mean time to remediation.
- Address renewables and remote assets explicitly: Solar inverter pads, wind collection points and rural substations often rely on wireless backhaul or maintenance links. Fold these sites into your RF monitoring strategy, accounting for vendor maintenance practices and seasonal activity to prevent “surprise” radios from appearing during outages or upgrades.
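An added example (not from the author or any vendor product) of the inventory and alert-integration steps above: it builds a time- and zone-stamped emitter inventory from sensor observations, separates walk-by emitters from persistent unknown ones, and produces JSON alerts for a SIEM. The site name, identifiers, 15-minute dwell threshold and the control_ref field are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data: authorized emitters per site as (protocol, identifier).
AUTHORIZED = {
    "substation-12": {("wifi", "AA:BB:CC:00:00:01"), ("cellular", "gw-0007")},
}

# Constructed sensor observations: (ISO time, site, zone, protocol, identifier).
OBSERVATIONS = [
    ("2025-07-01T08:00:00", "substation-12", "control-room", "wifi", "AA:BB:CC:00:00:01"),
    ("2025-07-01T08:01:00", "substation-12", "fence-east", "ble", "DE:AD:BE:EF:00:10"),
    ("2025-07-01T08:02:00", "substation-12", "fence-east", "ble", "DE:AD:BE:EF:00:10"),
    ("2025-07-01T08:05:00", "substation-12", "relay-cabinet", "wifi", "12:34:56:78:9A:BC"),
    ("2025-07-01T09:40:00", "substation-12", "relay-cabinet", "wifi", "12:34:56:78:9A:BC"),
]

def triage(observations, authorized, persist_after=timedelta(minutes=15)):
    """Return (inventory, alerts). The inventory records first/last seen and zones
    for every emitter; alerts cover emitters missing from the authorized list."""
    inventory = {}
    for ts, site, zone, proto, ident in observations:
        t = datetime.fromisoformat(ts)
        rec = inventory.setdefault((site, proto, ident), {
            "first_seen": t, "last_seen": t, "zones": set(),
            "authorized": (proto, ident) in authorized.get(site, set())})
        rec["first_seen"] = min(rec["first_seen"], t)
        rec["last_seen"] = max(rec["last_seen"], t)
        rec["zones"].add(zone)
    alerts = []
    for (site, proto, ident), rec in sorted(inventory.items()):
        if rec["authorized"]:
            continue
        # Dwell time separates a walk-by emitter from one that stays on site.
        persistent = rec["last_seen"] - rec["first_seen"] >= persist_after
        alerts.append({
            "site": site, "protocol": proto, "emitter": ident,
            "zones": sorted(rec["zones"]),
            "first_seen": rec["first_seen"].isoformat(),
            "last_seen": rec["last_seen"].isoformat(),
            "class": "persistent-unknown" if persistent else "transient-unknown",
            "severity": "high" if persistent else "low",
            "control_ref": "CIP-005",  # assumed label for ticket/audit mapping
        })
    return inventory, alerts

if __name__ == "__main__":
    for alert in triage(OBSERVATIONS, AUTHORIZED)[1]:
        print(json.dumps(alert))  # one JSON line per alert for SIEM ingestion
```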
What success looks like
Effective RF monitoring shows up in the outcomes. When teams see fewer unknown devices, faster investigations and clearer audit evidence, the program is working.
- Fewer unknowns at the perimeter: Unknown service set identifiers, ad hoc hotspots and stray Bluetooth beacons get triaged quickly, supporting CIP-005 expectations for controlled access.
- Stronger evidence for auditors: Time-stamped, location-aware findings show policy enforcement over time, not just at audit prep.
- Faster incident response: When a suspicious device appears, crews can go to the right rack row or control room bay instead of searching across a campus.
- Better alignment with new monitoring mandates: As INSM rolls out under CIP-015-1, organizations that already think continuously about “what’s talking, where, and why” will adapt faster.
Wireless activity is now part of the operational landscape for electric utilities. Treating the RF spectrum as a monitored domain (alongside networks and physical perimeters) closes blind spots, supports NERC CIP objectives, and speeds incident response. The utilities that build routine spectrum awareness into daily work will be better prepared for evolving threats.