Why physical verification of relays and breakers is no longer optional — and how to get started

Most power utilities have spent the last decade hardening their cybersecurity infrastructure by upgrading firewalls, segmenting networks and deploying tools such as Intrusion Detection Systems. Yet despite these investments, a critical part of operational technology (OT) often goes unverified: whether commands issued to field devices — such as opening a breaker or initiating a trip — actually result in physical action.

This isn't just a reliability issue. It's now a regulatory obligation.

Under North American Electric Reliability Corporation (NERC) PRC‑005, all utilities operating within the Bulk Electric System must be able to verify the function and physical inputs of their protection systems. That includes confirming that voltage and current signals are reaching relays, and that the relays can perform their intended function.

This article lays out a practical roadmap for meeting those requirements. It explores what the standard actually demands, why SCADA-based monitoring falls short, and how utilities can close the gap using out-of-band instrumentation and audit-ready workflows.

What NERC PRC-005 actually requires

NERC PRC-005 applies to any entity that owns, operates or maintains protection systems connected to the Bulk Electric System (BES). According to PRC-005-2, Table 1-3(a), entities must confirm "that current and voltage signal values are provided to the protective relays."

The Supplementary Reference Guide (2015) clarifies that utilities must "verify operation of the relay inputs and outputs that are essential to proper functioning of the Protection System."

These are enforceable compliance obligations, with defined maintenance intervals (ranging from six to 12 years, depending on the component and methodology) and documentation requirements.

Yet many utilities still rely on indirect indicators: SCADA status updates, internal device registers, and operator assumptions. If a relay silently fails, or a breaker doesn't close as commanded, the system may never know until something breaks.

Why SCADA isn't enough

For years, grid operators have depended on SCADA and control-layer tools to monitor power utility operations. Monitoring tools can confirm that commands were issued, relay logic was triggered and devices appear "healthy." But none of this guarantees that the intended physical action actually occurred.

For instance, a trip command might be logged as successful, even if the breaker failed to operate. SCADA systems record that a command was sent, but not whether the equipment physically responded. As automation and remote operations become more widespread, the disconnect between digital intent and physical action becomes increasingly critical.

Operational failures like these may stem from aging equipment, signal degradation or configuration errors. But they also expose a deeper vulnerability: the lack of an independent signal to verify whether field devices responded correctly. In the case of a cyber attack, an adversary might manipulate logic or spoof sensor inputs so that SCADA displays expected conditions, hiding the fact that no physical action took place or that actions differed from the intended control logic.

The disconnect between command and physical outcome can remain unnoticed for extended periods in substations that lack on-site verification. And in contrast to IT systems — where user activity or malicious behavior can often be identified through spikes in network traffic or system logs — there's usually no software-based mechanism in OT environments to confirm whether a breaker opened or a relay received the correct input.

That same principle is reflected in NERC PRC-005. While not written as a cybersecurity standard, it reinforces the regulatory importance of physical validation. The standard explicitly requires that utilities verify that protective relays receive the correct current and voltage signals, and that their critical inputs and outputs are tested at the required intervals. [i]

Why are these obligations mandatory? Regulators understood that without instrumentation capable of monitoring actual electrical behavior, compliance is difficult to demonstrate and operational assurance remains incomplete.

The cyber threats to the physical layer

In February 2024, CISA, NSA and the FBI jointly released an alert about Volt Typhoon, a state-sponsored threat actor embedded in U.S. critical infrastructure. According to the alert: "Volt Typhoon has maintained access to some victim environments for at least five years, living off the land and using valid accounts to access operational systems."

These actors aren't using ransomware or crashing servers. They're quietly mapping power infrastructure, observing relay and breaker controls, and preparing to disrupt physical operations in a crisis without leaving forensic evidence. If your system can't independently verify whether a protective relay or breaker executed its command, you won't know it's happening.

CISA's Secure by Design principles emphasize the need to monitor control system behavior beyond software: "It is difficult and costly for owners and operators to defend their OT assets against compromise," particularly when adversaries use legitimate tools and credentials.

Level Zero: How it works

In the Purdue Model, Level 0 — also known as the process layer — refers to physical components such as relays, circuit breakers and analog signals from current and voltage transformers.

Level Zero monitoring uses out-of-band instrumentation to observe physical conditions directly, capturing raw electrical signals that indicate whether a device actually responded to a control command. This can include measuring voltage and current inputs to a relay or detecting the electrical signature of a breaker coil to confirm whether it has physically changed state.

Because these signals are collected outside the control network and software logic, they offer tamper-resistant evidence of real-world activity. If a breaker command is issued but the expected signal pattern doesn't appear, operators can be immediately alerted that the action failed — or was never carried out.

This approach provides a second source of truth, grounded in physics rather than software, that cannot be forged by malware or distorted through compromised SCADA data. It helps utilities move beyond assumptions about what should have happened, and instead verify what actually did happen in the physical layer, where protection and safety are decided.
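The check described above, correlating the SCADA command log with an independent Level 0 record of breaker position, as an added example that is not part of the original article. All data, field names and the two-second response window are constructed assumptions; the physical-state samples stand in for whatever the out-of-band instrumentation reports (aux-contact state or a decoded coil-current signature).

```python
# Added example (not from the article): correlate SCADA command records with
# out-of-band Level 0 breaker-state samples and flag commands that produced no
# physical response, plus state changes that no command explains.
# All data below is constructed; names, fields and thresholds are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    ts: float      # seconds since epoch, from the SCADA command log
    device: str
    action: str    # "OPEN" or "CLOSE"

@dataclass(frozen=True)
class Sample:
    ts: float
    device: str
    closed: bool   # breaker position reported by independent Level 0 instrumentation

EXPECTED = {"OPEN": False, "CLOSE": True}  # physical state each command should produce

def transitions(samples):
    """Yield (ts, device, new_closed) for every change in the observed physical state."""
    last = {}
    for s in sorted(samples, key=lambda s: s.ts):
        if s.device in last and last[s.device] != s.closed:
            yield (s.ts, s.device, s.closed)
        last[s.device] = s.closed

def verify(commands, samples, window=2.0):
    """Return findings as (kind, device, ts): NO_PHYSICAL_RESPONSE or UNCOMMANDED."""
    findings, explained = [], set()
    trans = list(transitions(samples))
    for c in commands:
        # A command is verified only if the expected end state appears within the window.
        match = next((t for t in trans if t[1] == c.device and c.ts <= t[0] <= c.ts + window
                      and t[2] == EXPECTED[c.action]), None)
        if match is None:
            findings.append(("NO_PHYSICAL_RESPONSE", c.device, c.ts))
        else:
            explained.add(match)
    for t in trans:                       # physical changes with no command on record
        if t not in explained:
            findings.append(("UNCOMMANDED", t[1], t[0]))
    return findings

# Constructed scenario: BRK-1 opens as commanded, BRK-2 is commanded but never
# moves, BRK-3 opens with no command logged at all.
COMMANDS = [Command(100.0, "BRK-1", "OPEN"), Command(100.0, "BRK-2", "OPEN")]
SAMPLES = [
    Sample(99.0, "BRK-1", True), Sample(100.8, "BRK-1", False),
    Sample(99.0, "BRK-2", True), Sample(101.0, "BRK-2", True), Sample(103.0, "BRK-2", True),
    Sample(99.0, "BRK-3", True), Sample(140.0, "BRK-3", False),
]

if __name__ == "__main__":
    for finding in verify(COMMANDS, SAMPLES):
        print(finding)
```

The two findings it raises are exactly the cases the article describes: a command that SCADA would log as sent but that produced no physical change, and a physical operation the control layer never ordered.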

Penalties for noncompliance are substantial

Failure to comply with NERC PRC-005 isn't just risky; it can also be expensive. Under Federal Energy Regulatory Commission (FERC) authority, the maximum fine is $1.54 million per day per violation. In 2023, NERC levied over $33 million in CIP enforcement actions.

Common violations include missing documentation, skipped testing intervals and failure to demonstrate that required verifications took place. As scrutiny on the grid increases — from regulators and nation-state adversaries alike — utilities must be able to show more than good intentions.

The path forward

Cyber attackers, system failures and misconfigurations all share one trait: They exploit the gap between what was supposed to happen and what actually did. NERC PRC-005 has made it clear that utilities are expected to close that gap.

Utilities must move beyond indirect monitoring and adopt Level Zero instrumentation that can independently verify physical events. This isn't just about checking a compliance box. It's about knowing (confidently and in real time) whether your grid is functioning safely, and being able to prove it when it matters most.

The roadmap is clear. The tools exist. What's needed now is the will to close the last mile of grid visibility before an attacker or a regulator forces your hand.
