For decades, owners and operators of small inverter-based resources (IBRs) like solar farms and wind turbines haven’t had to worry much about compliance or cybersecurity. North American Electric Reliability Corporation (NERC) Reliability Standards were a utility-scale concern, reserved for projects greater than 75 megawatts (MW) connected at 100 kilovolts (kV).

Not anymore.

If you develop, own, or operate IBRs with an aggregate capacity of 20 MVA or more (roughly 16 MW to 20 MW) connected at 60 kV or higher, you are now required to register as a Generator Owner (GO) and/or Generator Operator (GOP) under NERC Category 2. Developed in response to a 2022 Federal Energy Regulatory Commission (FERC) order, the initiative aims to improve visibility and oversight of previously unregistered facilities, providing a stronger foundation for planning, operations, and risk management. 

What are the Stakes?

The deadline for registration and compliance is right around the corner, May 15, 2026, and there’s no grace period. Penalties can reach up to $1 million per day.

“What aren’t people more worried about this?” Kellie Macpherson wondered aloud at the annual Solar + Wind Finance & Investment Summit in Phoenix, Arizona.

Macpherson is the executive vice president of compliance and security at Radian Generation, a technical advisory and engineering firm focused on assets in development through operations. Her company offers two tailored options to help Independent Power Producers (IPPs) get their stuff in order.

Based on Energy Information Administration (EIA) data, 874 existing or operating IBR sites with a total capacity of 20 MW or higher, connected at 60 kV, are on the hook for compliance with NERC, plus another 156 projects in development. Many weren’t designed with NERC in mind.

That means Kellie has been busy lately. Radian has contracted with dozens of those customers; when we spoke, she had her eyes on potentially hundreds of projects that may not have even been aware they needed to comply. Fortunately for the bulk electric system (BES), it looks like someone tipped them off.

Who Still Needs to Comply?

On Wednesday, NERC reported that it had filed its IBR registration work plan update with the FERC, which reports that NERC and the Regional Entities have processed registration for 100% of applicable entities with identified inverter-based resources (IBRs), closing what the agency deems a “critical reliability gap.” 

“This work improves industry’s ability to understand and address emerging reliability risks as the resource mix continues to evolve,” said Howard Gugel, NERC senior vice president of regulatory oversight. “Our efforts do not stop here. The ERO Enterprise remains committed to continuing this work, supporting newly registered entities, and working alongside industry to maintain a reliable, secure, and resilient bulk power system.”

NERC’s filing concludes its FERC-approved three-year work plan, but efforts to identify and register applicable entities will continue. As new IBRs are developed and interconnected, the ERO Enterprise will continue to identify and register entities that meet the registration criteria and support those entities as they transition to compliance with NERC Reliability Standards. The stakes are too high, otherwise.

Public Safety and Project Viability

Macpherson cited a couple of well-documented instances of grid disturbances that highlight the potential risk of fault-induced tripping of solar photovoltaic (PV) systems, both in Western Interconnection territory. The August 2016 Blue Cut Fire resulted in approximately 1200 MW of PV resources tripping offline or momentarily ceasing output in Southern California, much to the chagrin of the grid. Just over a year later, the Canyon 2 Fire, also in Southern California, resulted in approximately 900 MW of solar to trip similarly.

“A bunch of these smaller solar sites weren’t playing nice,” she explained. “That whole situation changed it,” she added, referencing increased regulatory focus on smaller-scale IBRs.

NERC compliance is also a prerequisite to participation in ancillary service market revenue streams, she pointed out. If you don’t play ball, you’re effectively locked out of some of the most valuable upsides your assets can deliver long-term.

“If you’re building a new site, as soon as earth is moving on the site, we need to be thinking about compliance,” Radian Generation’s Macpherson recommended. “It’s really hard, 18 months down the road, to be like: ‘Hey, inverter manufacturer, oh yeah, these also need to be NERC compliant.’ Unfortunately, that happens a lot of the time.”

Compliance can’t be put on the back burner anymore, she continued. It needs to be baked into investment decisions, financial modeling, and ultimately, the capital stack. So does cybersecurity.

Cybersecurity Concerns

Critical Infrastructure Protection (CIP) standards, enforced by NERC and FERC, are evolving (and increasingly complex) mandatory cybersecurity requirements designed to secure the BES against threats. Cyber attacks on utilities and critical infrastructure have recently drawn the wrong sort of headlines, and IBRs are grid access points that need to be battened down.

Ubiquitous utility technology supplier Itron confirmed a cyberattack last month in an 8-K form filed with the US Securities and Exchange Commission. Unknown actors managed to access parts of its IT network; the attack was blocked, the perpetrators were kicked out, and so far, it doesn’t look like anything bad happened that might compromise the company’s 8,000+ utility customers.

It is imperative to strengthen cybersecurity standards across distributed generation assets, Macpherson concurs. While the inclusion of cybersecurity measures in NERC requirements marks an important step forward, she believes many current standards lack the prescriptive rigor needed to fully safeguard the U.S. electrical grid against evolving threats.

“The stakes are especially high for Category 2 assets, as these sites play a critical role in supporting local communities, hospitals, and essential services. In some cases, critical infrastructure operates without properly configured firewalls or other foundational safeguards, exposing them to preventable risks,” Macpherson remarked.

The bar for such “preventable risks” is pretty low, Macpherson admits. Some developers, owners, and operators slip up in the simplest ways when it comes to cybersecurity, including forgetting to update their equipment when they install it.

“EPC equipment can sit on the shelf for 24 months, and they just go try to plug and play on a site,” she chuckled. “Think about your phone. If you didn’t update it at least fairly consistently, you’d be in a lot of trouble, right? Same thing for these devices.”

Common sense ain’t so common, perhaps. Fortunately for Macpherson, that means business is good. She expects the ERO Enterprise will also stay busy, keeping up with new IBRs as developers race to bring generation online.

“We’re about to be on the verge of an electron crisis,” she implored. “We can’t fix it without renewables.”