The electric grid is the backbone of our modern society here in North America. Ensuring its reliability and security is paramount, which is where the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards come in. These standards provide a framework for securing the Bulk Electric System (BES) against cyber threats.

However, with the grid undergoing significant modernization and increased connectivity, meeting these stringent cybersecurity requirements presents a complex challenge for power utilities. More connected devices mean a larger attack surface, demanding a robust and phased approach to security.

Cisco’s Phased Approach to Industrial Threat Defense

Cisco recognizes that enhancing your security posture is a journey. We advocate for a phased approach, building foundational security elements that support subsequent steps, allowing utilities to improve security at their own pace while demonstrating value. The Cisco Industrial Threat Defense solution offers a modular and comprehensive set of capabilities designed to address the unique challenges of securing operational technology (OT) environments and achieving NERC CIP compliance.

How Cisco Solutions Help Address Key NERC CIP Requirements:

Cisco just published a solution brief describing the key NERC CIP requirements and how our portfolio can help utilities to comply. Here is a quick summary:

1. Visibility and Categorization (CIP-002, CIP-015):
   • Cisco Cyber Vision: Provides deep packet inspection embedded in the industrial network to automatically discover and inventory all grid assets, their communication patterns, and vulnerabilities. This visibility is fundamental for categorizing BES Cyber Systems (CIP-002) and is a core component of Internal Network Security Monitoring (INSM) (CIP-015). It helps identify risks and deviations from expected behavior.
   • Splunk OT Security Add-On: Aggregates data from various sources, including Cyber Vision, to provide asset classification visibility (CIP-002) and supports monitoring for INSM (CIP-015).
2. Electronic Security Perimeters (ESPs) and Access Control (CIP-005, CIP-007):
   • Cisco Industrial Routers and Secure Firewalls: Serve as the backbone for defining and enforcing ESPs. They offer comprehensive Next-Generation Firewall (NGFW) features, stateful inspection, application control, and integrated intrusion prevention (IDS/IPS) to manage electronic access and block threats at the perimeter (CIP-005, CIP-007). They can enforce unified security policies across distributed sites.
   • Cisco Secure Equipment Access (SEA): Provides a Zero-Trust Network Access (ZTNA) solution for secure remote access, crucial for managing vendor and remote user access to BES Cyber Systems. It enforces least privilege, just in time access and supports multi-factor authentication (MFA) as well as session monitoring/recording (CIP-005).
   • Cisco Catalyst Center and Identity Services Engine (ISE): Help manage security policies centrally across switching infrastructure, control physical port usage, and enforce access controls via IP ACLs or Security Group ACLs (CIP-007).
   • Splunk OT Security Add-On: Collects logs from firewalls, routers, switches, and access systems to monitor activity crossing the ESP boundary (CIP-005) and track ports, services, and system access control events (CIP-007).
3. System Security Management & Vulnerability Assessment (CIP-007, CIP-010):
   • Cisco Catalyst SD-WAN Manager and Catalyst Center: Enable centralized management of network device configurations, helping prevent unauthorized changes and facilitating the deployment of ‘golden’ configurations (CIP-010). They also support security event monitoring on network infrastructure (CIP-007).
   • Cisco Cyber Vision: Identifies vulnerabilities in discovered assets and highlights those actively exploited by bad actors to help prioritize patching. Also monitors deviations from network communication baselines (CIP-010).
   • Splunk OT Security Add-On: Aggregates logs from various sources (firewalls, endpoints, etc.) to track ports/services, security events, malware alerts, and supports baselining efforts (CIP-007, CIP-010). It also helps track compliance with log retention requirements (CIP-007).
4. Incident Reporting, Response, and Recovery (CIP-008, CIP-009):
   • Splunk: Acts as a central SIEM for collecting, correlating, and analyzing security events from across the network and security tools. It supports incident detection, investigation, and reporting, helping utilities meet the requirements for identifying and responding to cyber incidents (CIP-008).
   • Cisco Catalyst Center and Catalyst SD-WAN Manager: Provide monitoring and recovery capabilities for network equipment, supporting the restoration of network infrastructure in case of failure or attack (CIP-009).
   • Splunk OT Security Add-On: Provides dashboards to monitor notable security alerts (CIP-008) and brings in data from backup logs and Splunk environment status to support recovery plan requirements (CIP-009).
5. Information Protection & Supply Chain Risk (CIP-011, CIP-013):
   • Cisco Network Infrastructure & Security Policies: Enforce network segmentation and access controls to protect BES Cyber System Information (BCSI) from unauthorized access (CIP-011).
   • Cisco Security and Trust Organization: Cisco’s commitment to security is embedded in its Secure Development Lifecycle (SDL), certified for IEC 62443-4-1. Trustworthy technologies like image signing and secure boot ensure product integrity. The Cisco Product Security Incident Response Team (PSIRT) handles vendor-identified incidents and provides vulnerability information, patches, and mitigation advice (CIP-013). Cisco is also an active contributor to relevant industrial security standards.

A Unified Approach for Enhanced Security

Navigating NERC CIP compliance requires a strategic, solutions-based approach. Cisco provides the building blocks and integrated solutions to help power utilities secure their critical infrastructure, enhance visibility, and meet regulatory requirements effectively. Have a look at our NERC CIP Compliance Solution Brief to better understand the requirements and see how Cisco can help.

I will be presenting a webinar on July17th together with experts from Burns & McDonnell to discuss the new Internal Network Security Monitoring (INSM) CIP-015 standard and solutions available to help Utilities comply. Save the date and register now.

The AI enterprise is here, and it’s demanding more from our wireless networks than ever before. We’re seeing an explosion of AI agents designed to automate operations, an increase in bandwidth-hungry applications like 8K video streaming, and a growing need to protect an expanding attack surface that’s overwhelming IT. At Cisco, we understand these challenges and are committed to providing our customers with the tools needed not just to keep up but thrive in this new era.

That’s why I’m incredibly excited about three new, groundbreaking additions to our wireless portfolio that were just announced at Cisco Live San Diego. We’re expanding our Wi-Fi 7 portfolio with the Cisco Wireless 9179F Access Point for stadiums and large venues, delivering seamless, cloud-managed roaming for large campuses with the Cisco Campus Gateway, and connecting new critical wireless use cases with the integration of Ultra-Reliable Wireless Backhaul (URWB) together with Wi-Fi technology in a single access point. These aren’t just incremental upgrades; they represent fundamental shifts in how we approach campus networking. These new additions are designed to deliver the scalability, security, and simplicity that the AI enterprise demands.

Cisco Wireless CW9179F: Delivering unmatched wireless performance for high-density venues

This addition to our Wi-Fi 7 portfolio is all about delivering the best possible wireless experiences in the highest-density use cases like stadiums, large public venues, and convention centers.

• Unmatched performance for high-density environments: The CW9179F access point leverages the full potential of Wi-Fi 7, offering blazing-fast speeds, reduced latency, and increased capacity to support the massive number of devices and bandwidth-intensive applications in large venues. Imagine seamless streaming of instant replays, lag-free mobile gaming, and reliable point-of-sale systems—all happening simultaneously.
• Software-controllable beam switching: We’ve built some amazing RF technology into this access point, with software-controllable beam switching that allows you to adjust coverage in three different configurations.
• Seamless management: Whether you’re managing your wireless networks with an on-premises controller or through the cloud, we’re unifying management across Cisco Catalyst Center and the Meraki dashboard to help IT teams scale operations and focus on delivering exceptional user experiences.
• Advanced security: Security is always paramount, especially in high-profile venues. The CW9179F access point delivers on that front with support for the latest security protocols (including WPA3 encryption) and integration with Cisco Identity Services Engine (ISE) for advanced device profiling, microsegmentation, and policy enforcement. This ensures that every connection is secure, and your network is protected from threats.

Cisco Campus Gateway: Simplifying campus wireless with seamless cloud integration

For organizations with complex campus wireless networks, the Cisco Campus Gateway is a game changer. This solution is designed to facilitate a seamless transition to cloud management and deliver high performance and scalability without requiring costly and disruptive infrastructure changes.

• Fast, seamless roaming: Enable seamless client roaming at scale, with up to 1,000 roams per second so clients stay connected across your entire campus.
• Simplified cloud deployment: Transition to cloud management without re-cabling or reconfiguring your wireless architecture. This makes it even easier to take advantage of the benefits of cloud management.
• High scalability: Manage up to 5,000 access points and connect up to 50,000 clients in a single network, making the Campus Gateway an ideal solution for large campus environments. 

Ultra-Reliable Wireless Backhaul (URWB) with Wi-Fi technology: The foundation for critical applications

AI-enabled applications across smart manufacturing, healthcare, retail warehouse automation, and more depend on predictable, reliable wireless connectivity. Our URWB standalone solution provides a proven, dedicated, high-performance wireless link for critical systems—ensuring seamless operation, even in the face of interference or network congestion.

• Unwavering reliability: URWB utilizes advanced technologies like redundant data paths and automatic failover to ensure that critical applications remain connected, no matter what.
• Predicable low latency: URWB with Cisco-only software innovations boost productivity by meeting the needs of the most demanding process automation or robotic operations with real-time control.
• Secure and dedicated: URWB provides a secure, dedicated wireless link that is isolated from the public Wi-Fi network, protecting sensitive data and ensuring the integrity of critical systems.

Future-proofing your wireless network for the AI enterprise

Wi-Fi 7 is more than a network for connectivity—it’s the foundation you need to build truly smart spaces at every scale. That’s why Cisco Spaces is included as part of every wireless subscription license. Out of the box, you’ll have access to rich AI 3D mapping, dynamic IoT services, precise asset tracking, and more.

Paired with a Cisco Networking Subscription, you get the same seamless experience in one license—whether managing a network from the cloud, on-premises, or through a hybrid model. This enables greater operational simplicity and the freedom to evolve your network management approach as your needs change. We offer a truly smart, unified, and simple licensing model.

Now that the AI enterprise is here, it’s time to future-proof your network—especially in the most-demanding environments. With the Cisco Wireless CW9179F Access Point, Ultra-Reliable Wireless Backhaul (URWB) technology, and the Cisco Campus Gateway, you’re positioned to unlock the full potential of AI and transform your organization. Cisco wireless technologies empower you to scale, secure, and simplify your operations, so you can deliver exceptional experiences for fans, employees, and customers alike.

Digitizing and automating the network for energy utilities can lead to significant operational and financial benefits by reducing operational expenses (OPEX), capital expenses (CAPEX), human configuration errors, and time to deploy. Benefits will vary depending on the utility’s starting point, scale, and maturity of existing systems. However, based on industry insights, case studies, and vendor analysis (such as those from Cisco or other networking companies), the following approximate figures are often indicated:

Reduction in OPEX: 20%-30%

• How:
  • Automation reduces the need for manual processes such as configuration, troubleshooting, and maintenance.
  • Proactive monitoring and predictive analytics (enabled by digitization) minimize downtime and improve resource utilization.
  • Remote management reduces the need for on-site visits.
• Key Savings Areas:
  • Labor costs for network operations and maintenance.
  • Power efficiency improvements through intelligent systems.
  • Reduction in outage-related costs.

Reduction in CAPEX: 10%-20%

• How:
  • Improved visibility of network assets reduces over-provisioning by optimizing asset utilization.
  • Software-defined solutions (e.g., SD-WAN) allow utilities to invest in more cost-effective infrastructure (e.g., replacing expensive MPLS links with broadband).
  • Virtualization reduces the need for physical hardware by consolidating resources and leveraging cloud-based services.
• Key Savings Areas:
  • Reduced hardware procurement costs.
  • Extended lifespan of existing infrastructure through better optimization.

Reduction in Human Configuration Errors: 60%-80%

• How:
  • Automation tools reduce the manual intervention needed for repetitive tasks such as configuration, firmware updates, and patching, which are prone to human error.
  • Validation tools and centralized management platforms ensure consistency in network settings across sites.
  • Standardized templates for configurations decrease variability and errors.
• Impact:
  • Fewer service outages due to misconfigurations.
  • Improved security posture by reducing misconfigurations that could lead to vulnerabilities.

Reduction in Time to Deploy: 50%-70%

• How:
  • Automation streamlines deployment processes by automating initial configurations, provisioning, and testing.
  • Zero-touch provisioning (ZTP) and Plug-and-Play (PnP) capabilities allow devices to be deployed faster without requiring manual setup.
  • Centralized management reduces the time needed to replicate configurations across multiple locations.
• Impact:
  • Faster rollout of new services or infrastructure.
  • Accelerated response to business demands or regulatory requirements.

 Why These Gains Matter for Energy Utilities:

Energy utilities face unique challenges such as aging infrastructure, regulatory compliance, and increasing demand for renewable energy integration. Digitizing and automating the network aligns with their need for:

• Resilience: Improved reliability and reduced downtime.
• Scalability: Ability to accommodate growing data from IoT devices, smart meters, and distributed energy resources.
• Compliance: Meeting strict regulatory requirements for grid security and performance.
• Sustainability: Optimizing energy use and reducing waste.

 Example from Case Studies:

• OPEX Savings: A European energy utility that implemented SD-WAN and automated network management achieved 25% operational savings
• Deployment Time: A Middle Eastern utility reduced new site deployment timelines by 60% through zero-touch provisioning.
• Error Reduction: A North African utility reported a 70% drop in configuration errors after deploying centralized network automation tools.

Takeaways:

By digitizing and automating the network, energy utilities can achieve:

• 20%-30% reduction in OPEX.
• 10%-20% reduction in CAPEX.
• 60%-80% reduction in human errors.
• 50%-70% faster deployments.

These improvements not only reduce costs but also enhance operational efficiency, improve service reliability, and accelerate the adoption of modern energy technologies.

Cisco offers end-to-end solutions to help utilities modernize their energy grids. These solutions create a reliable, secure, and intelligent infrastructure, enabling utilities to:

• Digitize their networks
• Integrate renewable energy sources
• Strengthen grid resilience
• Improve efficiency
• Enhance security

By adopting Cisco’s technology, utilities can tackle modern energy challenges, meet regulatory requirements, achieve sustainability goals, and provide resilient services.

Check-out our latest Cisco Utility Solution web page to discover more:

The world’s cybersecurity community is gearing up to meet at the RSAC™ 2025 Conference in San Francisco. I’m looking forward to reconnecting with old friends, making new ones, and discussing OT security needs with industrial organizations. Be sure you stop by the Cisco booth and say Hi!

We’ll be showcasing the latest features of Industrial Threat Defense, Cisco’s comprehensive and highly modular OT security solution. It uses the industrial network as the fabric to easily enable OT visibility and policy enforcement at scale. It’s a platform that unifies visibility across IT and OT domains to help detect advanced threats and orchestrate responses. Here is a brief overview of three new capabilities we’re demonstrating at RSAC.

1. Prioritizing OT Vulnerabilities with Threat Intelligence

Industrial networks have tens of thousands of connected assets; some can be very old and plagued with software vulnerabilities. Not all of them need patching, but operations and security teams need guidance to identify which ones do and which should be prioritized. Cyber Vision now utilizes threat intelligence from Cisco Vulnerability Management to help identify which OT asset vulnerabilities are actively exploited in the field, allowing industrial organizations to be more strategic when addressing OT vulnerabilities and reducing their attack surface.

2. Adaptive Industrial Zone Segmentation Using Cisco Secure Firewall

Protecting industrial operations by segmenting the network in small zones of trust is often challenging without disrupting production. Cisco Cyber Vision now shares industrial asset groups created by the line of business with Cisco Firewall Management Center. The plant firewall can enforce policies to protect operations without impacting production. When OT teams modify groups in Cyber Vision, firewalls are automatically informed so that policies can be adjusted in real-time to meet the needs of operations.

3. Unifying Security Data Across IT and OT to Better Detect Threats

A siloed approach is inefficient for industrial organizations to detect threats. With digitization, OT, IT, and cloud domains are becoming increasingly interconnected. Security teams need unified visibility across all domains to detect advanced threats. Cyber Vision and Splunk already work together to offer a unified view on IT and OT security events. Cyber Vision now also populates OT asset profiles into Splunk Asset and Risk Intelligence (ARI) to help organizations maintain an aggregated inventory of all assets across IT and OT, streamlining investigations, uncovering compliance gaps, and better managing risks.

Cisco is dedicated to empowering industrial organizations with robust cybersecurity solutions that meet the demands of today’s interconnected world. At RSAC 2025, we are eager to demonstrate how our latest capabilities can enhance your security posture and streamline operations. Don’t miss the opportunity to connect with our experts and explore how Cisco’s innovative solutions can support your organization’s journey toward stronger and more effective OT security. Join us in shaping a secure and sustainable digital future.

Safeguarding industrial control systems (ICS) from cyber threats is a critical priority, but transforming these intentions into effective actions can be challenging. Given the complexity of ICS and their networks, which often rely on outdated technologies and inadequate security measures, it can be difficult to determine the best starting point. Cisco Validated Designs (CVDs) are proven networking and security reference architectures that industrial organizations can use to build advanced capabilities and create a flexible foundation for the future.

The Cisco Validated Design for Industrial Security has been updated to create additional blueprints for securing critical infrastructure. Taking a phased approach to secure the industrial network, the Cisco Industrial Threat Defense solution comprises of OT asset visibility, zero trust access and segmentation, and cross-domain detection, investigation and response.

Cisco Industrial Threat Defense comprehensive OT/ICS security capabilities

Comprehensive OT visibility driving network segmentation

The previous version of Cisco’s Industrial Security Validated Design described how the Cyber Vision sensor software embedded in Cisco switches and routers could help gain visibility into connected industrial assets without having to deploy dedicated appliances or SPAN collection networks. It explained how control engineers and network managers could use this comprehensive asset inventory to implement adaptive zone segmentation in the industrial network by having Cyber Vision and Cisco Identity Services Engine to seamlessly work together.

The updated CVD now includes using the Cisco Secure Firewall to secure plant networks. Rising investments into AI and the virtualization of the plant floor is resulting in the industrial data center (IDC) becoming a critical component of operational networks. Virtual PLCs are an example of this shift, where virtual controllers allow for a more flexible and modular design of production plants.

In a traditional Purdue model architecture, the IDC would reside in level 3, the industrial operations zone. But many operational networks who have implemented some levels of network traffic control have done so at the IDMZ, or level 3.5. As the IDC becomes more modern, it also becomes more connected, relying on cloud connectivity for services to run as intended. More connectivity expands the attack surface, so placing the IDC behind a firewall is needed to protect it if an attack was to breach the boundary firewall.

Cisco Secure Firewall for protecting the industrial data center and segmenting OT networks

The Cisco Secure Firewall, supplemented by an integration with Cisco Cyber Vision, can also be used to dynamically segment the industrial network and prevent cyber-attacks from spreading. The updated CVD explains how to use the Cisco Secure Dynamic Attributes Connector (CSDAC) to make OT asset groups created in Cyber Vision automatically available to the Firewall Management Center (FMC) as dynamic objects. Dynamic objects can easily be incorporated into access control policies to allow or deny communications based on source/destination, ports, protocols, and even Industrial Control System (ICS) commands using OpenAppID. Cisco Secure Firewalls installed in the industrial distribution frame, or Purdue level 3, will enforce these access policies, driving east-west and north-south segmentation with the need to deploy dedicated firewall appliances in each zone.

A blueprint for securing distributed industrial infrastructure

The second major update to the CVD provides design guidance for building a cyber resilient network for distributed field assets with Cisco Industrial Routers. While we often talk a lot about cybersecurity, which refers to the robust tools and policies implemented to prevent attacks from occurring in operational networks, we often overlook cyber resiliency. Cyber resiliency refers to an organizations ability to maintain its critical operations even in the face of cyber attacks.

Cybersecurity is of course part of a cyber resiliency architecture. Capabilities such as firewalls, segmentation, and the implementation of a zero-trust model means that if an attacker does get a foothold in the network, their reach is limited and both reconnaissance and lateral movement can be prevented. However, cybersecurity practitioners and networking teams often make the mistake of treating themselves as siloed entities in the organization. The network configuration is just as important as the security appliances deployed in the network. Quality of Service (QoS) ensures that critical traffic always has priority when the network is in a degraded state. Lossless redundancy protocols ensure that critical traffic meets latency metrics when network paths go down. Management plane security ensures only trusted users get access to the network infrastructure and cannot be taken down by malicious actors. Plug and play ensures that new network devices are onboarded with a secure configuration out of the box. While all these features are typically considered part of networking, it’s the combination of networking and security that results in a cyber resilient architecture.

Cisco Industrial Router provides the best of OT security and rugged industrial networking

Zero trust remote access made for OT

Last, but not least, the CVD explores the various options for securing remote access to industrial networks and describes how to deploy Cisco Secure Equipment Access to enable zero trust network access (ZTNA) to the plant floor. Remote access solutions come in many forms, and it can often be confusing to understand which one will meet business needs. The design guide compares virtual private networks, the remote desktop protocol, and the evolution towards zero trust network access, ultimately leading to the deployment of Cisco SEA within a Purdue model architecture.

Cisco Secure Equipment Access enables ZTNA remote access in industrial settings

Learn More

The new version of the Cisco Industrial Security Validated Design is available now. It’s free to help everyone involved in building and/or securing industrial networks to implement advanced capabilities without fear of integration complexities or performance surprises. For further help, browse through a library of our industrial CVDs, or schedule a free, no-obligation consultation with a Cisco industrial security expert, and we will reach out to you.

Customers can take advantage of new capabilities of Wi-SUN FAN 1.1

With over 100 products certified by the Wi-SUN Alliance, Field Area Network 1.0 is a popular networking option for smart utility and smart city use cases. Electric utility metering, distribution automation, and municipal street lighting applications benefit greatly from FAN’s secure, self-forming, self-healing IPv6 wireless mesh networking which is able to support million scale deployments spanning large geographic areas.

Building on the strong foundation laid down by FAN 1.0, the Wi-SUN Alliance recently announced the availability of the first devices certified to support the new feature additions of FAN 1.1. These new FAN 1.1 capabilities include:

• Low energy device operation (LE). Low power nodes are able to function for up to 20 years on a single battery charge, targeting use cases such as methane detection, water metering, gas metering, and other low power field sensing applications.
• Higher performance (HP). FAN 1.1 adds Orthogonal Frequency Division Multiplexing radio support, meaning FAN 1.1 now offers data rates from 50 Kbps (FSK) up to 2.4 Mbps (OFDM). The higher data rates are ideal for utility AMI 2.0 and Distribution Automation use cases such as Fault Location Isolation and Restoration (FLISR).
• Modulations and data rate negotiation (MDR). Mesh neighbors can now negotiate a “gear shift” to transition, for example, a section of a lower speed AMI mesh to a higher throughput mode for DA fault isolation operations.
• Expanded geographic support. North America, Brazil, Japan, and European Union operation is supported. Extension to additional 800 and 900 MHz regions is now practical.

Figure 1 depicts an example multi-hop FAN 1.1 mesh. The mesh forms automatically between a set of deployed Routers and a Border Router providing WAN connectivity. A Router’s frequency hopping capabilities and ability to determine alternate data paths provide superior resiliency. Routers are further able to “parent” low power nodes.

The sub-GHz mesh RF links can individually stretch to several kilometers (depending upon local conditions), with multi-hop meshes able to span distances of 10s of kilometers. A single FAN 1.1 mesh can support thousands of Router nodes, each able to parent low power nodes. A classic utility deployment scenario is an electric meters (Router) parenting one or more low power water meters, gas meters, or environmental sensors. Adding additional meshes scales a deployment to millions of nodes.

The Catalyst IR8100 Heavy Duty Series Industrial Router will be the first member of the Cisco Resilient Mesh solution to be FAN 1.1 certified. Given its rugged design for harsh outdoor environments, flexible backhaul configuration, and security capabilities, the IR8140 is an ideal FAN 1.1 Border Router. An individual IR8140 can root a mesh of thousands of FAN 1.1 devices, with millions scale device networks achieved with the deployment of additional IR8140s. Following the IR8140, IR530 Range Extender, and Cisco Resilient Mesh Endpoint SDK will also be scheduled for FAN 1.1 certification, rounding out a complete Cisco FAN 1.1 portfolio of Border Routers, Routers, and endpoint design SDK.

Figure 2: Cisco IR8140 Border Router

Large FAN 1.1 networks require a network management system able to provide lifecycle management for million node networks. Cisco IoT Field Network Director is purpose built, and field proven to manage these large-scale networks.

“Wi-SUN 1.1 provides improved flexibility, security, and adaptive performance to unlock newer markets demanding high performance or low energy use cases in the growing Utility or Smart city landscape. Cisco’s Wi-SUN commitment has been focused on ease of use through simplified Zero Touch Provisioning, resiliency in varying RF conditions, interoperability and network management for endpoints and border routers through industry leading OpenCSMP to enable customers to build production networks with its industry leading solution at scale in a secure manner.” says Lakshmi Narayana Jammi, Sr Product Manager for Cisco IR8140 and Cisco Resilient Mesh SDK

“With the introduction of low power nodes and higher data rates, FAN 1.1 supports many new and exciting use cases. Cisco is well positioned to support this increase in utility and smart city network demand with OpenCSMP and Field Network Director, device and network management solutions that have proven ability to scale to millions of endpoints.” says Clay Stroud, Product Manager for Cisco Field Network Director.

“Wi-SUN FAN1.1 provides highly flexible communications capability allowing both high performance and low energy functionality on the same network, making it the obvious choice for an even broader range of industrial IoT applications such as utilities and smart cities” says Phil Beecher, President and CEO of the Wi-SUN Alliance.  “We’re excited that Cisco will be supporting Wi-SUN FAN 1.1 communications infrastructure with its range of industrial routers, bringing proven reliability, scalability, and security to these critical infrastructure networks. “

For more information about the Wi-SUN Alliance and Field Area Network 1.1, head over to the Wi-SUN FAN information site.

Also see this additional information about Cisco Resilient Mesh products and Cisco Field Network Director.

Finally, if you are attending DISTRIBUTECH 2025, join us at Booth 1223 to see the Catalyst IR8140 and our IoT Field Network Director in person, as well key solutions to help utilities with their grid modernization projects in grid security, substation automation, distribution automation, renewable energy, and more.

Wi-Fi 7 offers a wealth of new services opportunities that go beyond the routine wireless upgrade. Recently, I assisted a local school, where my children attend, as they embarked on a wireless network refresh initiative. As the first school in the Catholic Diocese to upgrade, they sought to replace their outdated patchwork of Wi-Fi 4 and Wi-Fi 5 devices from various manufacturers; this inconsistency in design, performance, and management, is particularly common in various sectors like education, retail, and healthcare, and perhaps an overall pervasive problem with aging infrastructure that pre-dates Wi-Fi 6/6E and earlier installations.

The school’s primary goal was straightforward, to establish a secure, reliable, and easy to manage network infrastructure capable of supporting current and future demands. To achieve this, they invited proposals from various local IT providers, including resellers and Managed Service Providers (MSPs). As a Solutions Engineer in the IT industry working for Cisco Systems, I found it intriguing that all the solution proposals from the various vendors still centered around Wi-Fi 6E and older Wi-Fi 6 products — some of which would likely be announced soon for End-of-Life (EOL) or End-of-Sale (EOS)!

With Wi-Fi 7 entering its main adoption phase, I encouraged the school to look beyond Wi-Fi 6/6E. It became clear that information regarding Wi-Fi 7 was still trickling through the reseller and partner channels, and most were not well versed on the newer Wi-Fi 7 solutions. This prompted me to compile a summary of Cisco’s Wi-Fi 7 portfolio to highlight its transformative opportunities for end customers, resellers, and MSPs alike.

Focusing on the Key Takeaways regarding Cisco Wi-Fi 7

Cisco unveiled a comprehensive suite of Wi-Fi 7 products in November 2024 and followed up with additional product announcements in February 2025.

Key takeaways on Cisco’s Wi-Fi 7 product portfolio:

• Product Portfolio: Cisco introduced a wide array of Wi-Fi 7 products, from more entry-level Access Points (APs) to high-capacity, high-throughput models. These APs are ideal for supporting demanding applications such as High-Definition Video Streaming, Augmented/Virtual Reality (AR/VR), Immersive Gaming and Entertainment, and help build an infrastructure that optimizes the adoption of various AI-related use cases.
  • CW9176 – Enterprise Class, High Density, High Performance, Omni-directional, Indoor AP, with single 10 mGig capable port, suitable for offices, conventional buildings, etc.
  • CW9176D – Enterprise Class, High Density, High Performance, Indoor AP with Directional Antenna, suitable for auditoriums, warehouses, long aisles/corridors, and/or areas with high ceilings.
  • CW9178 – Mission Critical, Ultra High Density, High Performance, Omni-directional, Indoor AP, with dual 10 mGig capable ports that can operate in active/active for higher throughput or active/passive to achieve high availability/redundancy purposes.

• • CW9172 – Moderate Density, Omni-directional, Indoor AP, ideal for retail, clinics, branch offices, or Multi Dwelling Units (MDUs) deployments like hotels, student housing, apartments, condominiums, etc.

• Unified Hardware: Cisco Wi-Fi 7 products now feature a single Product ID (PID) per model, greatly simplifying the quoting and ordering process. There are no longer different PIDs/SKUs based on regulatory domains or operation modes. All Cisco Wi-Fi 7 based APs are designed for global use and can detect and operate in either Meraki Dashboard or Catalyst (WLC) management mode automatically. Users can also switch between management modes without needing to contact technical support. These Global Use Access Points offer efficient, smart, and scalable operations with comprehensive connectivity capabilities that include Bluetooth, IoT, and geolocation capabilities.
• Unified Licensing: Cisco Wi-Fi 7 APs offer a streamlined experience with unified licensing, supporting all management modes with a single license. Available in two tiers—essentials and advantage—this system simplifies the ordering process. Essentials licensing provides fundamental network operation features, while Advantage licensing advanced functionality enabled through the inclusion of Cisco Spaces Advantage. This unified licensing approach enables customers to deploy networks using the same hardware across cloud, on-premises, or hybrid environments. Additionally, the Cisco Networking Subscription includes comprehensive product support, addressing both hardware and software aspects.
• Power: With the exception of the CW9172I model, which supports DC input as an option, all Cisco Wi-Fi 7 based APs utilize Power Over Ethernet (PoE) as the power source. While these APs require at least 802.3at/PoE+ to function, they ideally need 802.3bt/PoE++/UPoE to enable full AP functionality.
• Ethernet Cabling Requirements: While existing Category 5e cabling can be re-used, it comes with limitations. To fully harness the throughput capabilities of the Wi-Fi 7 APs, Category 6/6A or better Ethernet cabling is recommended. Category 5e cabling supports a maximum throughput of 1 Gb up to 100 meters. In contrast, Category 6 cabling can potentially support up to 10 GbE, but only up to ~50 meters. For 10 GbE support over the full 100-meter distance, Category 6A or better cabling is required.

Opportunities that Wi-Fi 7 Brings for MSPs/Partners

Proposing a managed wireless service built around Wi-Fi 7 technology for an MSP can be compelling for several reasons:

• Cutting-Edge Technology: Wi-Fi 7 represents the latest advancement in wireless technology, offering higher transmission rates, lower latency, and enhanced reliability. By providing a service based on Wi-Fi 7, MSPs can position themselves as leaders in offering state-of-the-art solutions that meet the evolving needs of customers. By adopting Wi-Fi 7, MSPs help their customers future-proof their networks, ensuring they remain competitive in a rapidly changing technological landscape.
• Increased Demand for High-Performance Connectivity: With the growing reliance on bandwidth-intensive applications such as video collaboration, augmented reality, and IoT, customers are seeking faster and more reliable connectivity. Wi-Fi 7 enables these high-performance applications, making managed Wi-Fi services more attractive to organizations looking to upgrade their infrastructure.
• Consulting and Deployment: As customers transition to Wi-Fi 7, MSPs have the opportunity for additional revenue streams by offering consulting, deployment, and ongoing monitoring and management services. This includes network design, installation, maintenance, and optimization services. MSPs can also provide consulting services to assist businesses in planning and implementing the transition to this new technology, as well as integrating it with related infrastructure.
• Infrastructure Upgrades: This includes upgrading Ethernet cabling, as well as the network switching infrastructure to support the higher throughputs, as well as the PoE/power requirements of the APs.  MSPs can also provide more advanced monitoring/automation capabilities or provide additional services that ensure the clients’ infrastructure can support the demands required from modern use cases.
• Comprehensive Service Offering: By leveraging Cisco’s Wi-Fi 7 portfolio, MSPs have the right building blocks to create a powerful and differentiated services offering. Bundling Wi-Fi 7 with value-added services such as advanced security features, AI-enhanced management tools, and in-depth analytics can significantly enhance a business’s network performance and security, providing a clear competitive edge.  Consider these compelling services add-on examples:
  • Assurance and Monitoring Services: Integrate solutions like ThousandEyes to offer clients unparalleled visibility into their network performance. This enables quick identification and resolution of issues, greatly improving the overall user experience and ensuring maximum operational efficiency.
  • Enhanced Security Services: Utilize Wi-Fi 7’s cutting-edge capabilities to integrate sophisticated security solutions. MSPs can deliver additional security services, including real-time threat detection and response, alongside proactive network monitoring. This not only protects client environments from evolving cyber threats but also reinforces trust in MSPs as security partners.
• Scalability and Flexibility: Wi-Fi 7’s ability to support a higher density of devices and more complex environments makes it ideal for scalable solutions. MSPs can offer flexible managed services that grow with their clients’ needs, from small businesses to large enterprises.
• Support for New Business Applications: Wi-Fi 7 enables new business applications and services, providing MSPs with opportunities to develop and support innovative solutions tailored to specific industry needs.  MSPs can offer tailored solutions that support new use cases, including IoT, video collaboration, and/or augmented reality.
• Comprehensive Wireless/Wi-Fi Management: The demand for integrated Wi-Fi systems that include AI-enhanced automation and analytics creates an opportunity for MSPs to offer comprehensive management services that optimize wireless connectivity and improved user experiences.

By adopting managed wireless networking services centered on Wi-Fi 7 technology, MSPs are well-equipped to meet the growing demand for advanced wireless solutions, thereby enriching their service offerings and driving business growth.

In the context of my story, the school took the guidance to heart and conducted a thorough evaluation of their options. Recognizing the transformative potential of leveraging cutting-edge technology, they concluded that a Cisco-based Wi-Fi 7 deployment simply made more sense. This choice not only fulfilled their goals of establishing a secure, reliable, and easy-to-operate network, but also emerged as the more practical and overall, more cost-effective solution for the long run. The solution provided an excellent balance between current needs with future scalability, ensuring longevity from their investments.

By adopting this more forward-thinking strategy, the school positioned itself at the forefront of technological advancement, setting an example for other schools in the district. Their approach serves as a reference, illustrating the benefits of embracing new technology to enhance educational environments. This move ensures they not only meet the current demands of digital learning but also lead the way in setting new standards for educational connectivity.

Register for the upcoming Managed Services Voice of the Engineer session to learn more about Cisco’s innovative Wi-Fi 7 portfolio

I’m pleased to report that Cisco was named Industrial IoT Company of the Year 2025 in the IoT Breakthrough Awards Program. Since 2017, IoT Breakthrough has made annual awards to industrial IoT companies and products based on quality, unique technology, and market leadership. I would like to thank our customers, partners, and the entire Cisco industrial IoT team for making this award possible.

“Most people know Cisco for their enterprise networking products, but for over 20 years, Cisco has been instrumental in making enterprise technologies decisive for digitizing industrial operations.”

– Steve Johansson, Managing Director at IoT Breakthrough

In this blog I’ll summarize the reasons why the evaluation committee awarded Cisco top honors as Industrial IoT Company of the Year. Our solutions enable our customers to protect their operations and lay a robust foundation for AI, all with seamless IT-OT collaboration and validated designs built in partnerships with leading industrial automation companies.

“The same robust security as the enterprise”

In the award announcement, IoT Breakthrough emphasizes Cisco innovations in industrial cybersecurity and AI readiness, which it terms paramount concerns for industrial operations. The announcement says, “Designed specifically for industrial needs, Cisco’s switches, routers, and wireless equipment share a common foundation with their enterprise counterparts… A shared operating system, management platform, and security measures facilitate collaboration between IT and OT teams.” As shown in the figure, Cisco industrial networking solutions come with built-in visibility, segmentation, zero-trust remote access, and the threat intelligence needed for effective incident response. A case study: Brazil’s CPFL Energia uses Cisco solutions to automatically detect and profile OT assets in substations and identify vulnerabilities and anomalies.

Figure 1: Visibility, segmentation, and secure remote access are built into Cisco network fabric

Johansson from IoT Breakthrough says, “By enabling IT best practices in OT, Cisco has freed industrial networks to scale and be flexible, while enjoying the same robust security as the enterprise.”

“The power of AI/ML”

I meet regularly with leading industrial companies, many of them already using AI to modernize operations—for instance, for predictive maintenance, manufacturing anomaly detection, robotics and autonomous vehicles, supply chain optimization, and more. For example, Audi uses Cisco solutions for virtual reality prototypes and predictive maintenance. Argos Cement uses AI to analyze historical data and build digital twins and predictive models to maintain quality, reduce energy consumption, and increase throughput.

AI applications like these place high demands on the network. Think of the network as the nervous system connecting the brains in the data center to the industrial IoT assets in plants and in the field. In the award announcement, IoT Breakthrough states, “Cisco’s industrial solutions empower industries to leverage the power of AI/ML to drive innovation to meet current and future needs. The network’s high-bandwidth, low-latency connectivity between OT and IT domains transports large volumes of data generated by sensors, machines, controllers, and other devices to analytical applications in datacenters and the cloud.”

“Validated design guides that are blueprints”

Besides our technology, IoT Breakthrough also calls out Cisco for “publishing validated design guides that are blueprints for successful networking and security deployments… that achieve business objectives.” We provide more than 80 Cisco Validated Designs and architectures for industries including manufacturing, power and water utilities, oil and gas, mining, ports and terminals, roadways and intersections, and public transportation. My colleague Keith Higgins, Director of Product Marketing at Cisco, adds that “Validated designs improve IT/OT collaboration, which helps to reduce risk, increase operational efficiency, and accelerate implementation.”

Industrial companies also benefit from our partnerships and joint designs with Rockwell Automation®, Schneider Electric®, and CODESYS. Integration with Splunk gives OT teams the observability that’s needed for digital resilience.

Get started

Wherever your company is on the journey to network modernization, we can help you take the next step. I invite you to schedule a personalized consultation.

Sign up for the Cisco Industrial IoT Newsletter

Share

There’s a great deal of talk around the capability of Wi-Fi 7 (IEEE 802.11be) to revolutionize the wireless experience. It’s not hype. A key feature that delivers this transformative impact is multi-link operation (MLO). A mandatory and defining component of 802.11be, MLO enables a multi-link device (MLD) to simultaneously operate across multiple frequency bands, including 2.4 GHz, 5 GHz, and 6 GHz.

Access point (AP) and non-AP MLDs learn each other’s MLO parameters and capabilities through the multi-link information elements exchanged in frames like Beacons and Association Request/Response. In this blog, I’ll illustrate MLO’s impact on wireless connectivity and show you how it works in simultaneous transfer/receive (STR) mode.

How does multi-link operation (MLO) enhance wireless connectivity?

MLO introduces significant benefits for a variety of use cases. Key enhancements include:

• Simultaneous use of multiple bands. MLDs can transmit (Tx) and receive (Rx) data over more than one band at the same time. This is useful in environments with heavy congestion, as it avoids interference on any single band.
• Improved throughput. MLO leverages the combined capacity of multiple channels across different bands to enable higher aggregate throughput. This makes Wi-Fi 7 ideal for bandwidth-heavy applications like video streaming, virtual reality, and online gaming.
• Reduced latency. By offloading traffic across multiple channels. This is particularly useful in gaming, video conferencing, or other apps that require real-time communication.
• Better reliability and robustness. If one band (for example, 2.4 GHz) experiences congestion, then station (STA) MLDs can seamlessly switch to a less congested band (such as 6 GHz) without dropping the connection. This is extremely helpful in spaces with busy radio frequency (RF) traffic, such as stadiums, apartments, and offices.

Type of MLO operation modes

Wi-Fi 7 defines several single and multi-radio MLO modes, with stations able to support these modes based on their respective hardware capabilities. Various software thresholds—such as bandwidth requirements, band preferences, RF congestion, and QoS—will influence and guide a station’s choice of operating mode.

Among these modes, MLSR is required to be supported by all AP and non-AP MLDs. Support for EMLSR and STR modes is mandatory for AP MLDs, but optional for non-AP MLDs (stations). STR is currently incorporated by most vendors, making this mode an excellent starting place for dissection.

MLO’s STR mode in action

In STR operation, each link can be used to Tx or Rx concurrent physical layer protocol data units (PPDUs) without any synchronization. Figure 2 illustrates an example where an AP MLD and a non-AP MLD are operating over an STR link pair. Both devices contend for access to the wireless medium and engage in subsequent frame exchanges on those links.

After the AP MLD and the non-AP MLD complete a multi-link setup to successfully establish link 1 and link 2, and with the links enabled, AP 2 can receive data frames from STA 2 on link 2. Meanwhile, AP 1 contends for the wireless medium and, upon securing a transmit opportunity (TXOP), transmits data frames to STA 1 on link 1.

Next, let’s conduct a lab test using Cisco’s CW9178 AP running on Catalyst 9800 Wireless LAN controller (WLC) to demonstrate STR in action.

The access point under test (APUT) is configured to operate on 2.4 GHz (20 MHz) and 5 GHz (40 MHz) bandwidths with a WPA3-SAE WLAN. In the first step of the test, Wi-Fi 7/802.11be/MLO is enabled on both bands. We are using a Qualcomm 7800-based STR/MLMR-capable station, while the CW9178 AP serves as the sniffer—capable of capturing data across multiple bands and decoding Wi-Fi 7 frames.

Next, let’s associate the STAUT and check the capability details in both the WLC and Wireshark. During the association process, multiple elements are exchanged: the MLO information elements for the 5 GHz Association link, as well as the “Per-STA Profiles” information elements containing details about the non-association link (2 GHz).

The WLC identifies the STA as STR capable if the “Maximum Number of Simultaneous Links” value in the ML information element of the association request is non-zero. This indicates the number of radios the station is using for its association. See Figure 4 below for the corresponding Wireshark capture.

The Catalyst 9800 WLC provides a clear display of the STA’s 802.11be capabilities, including MLD links with Slot IDs and bands, MLO mode support (STR/eMLSR), and Tx/Rx RF and data statistics for each band. Equivalent CLI commands are also available, though not covered in this blog.

Now that the STA has associated on the 5G band with an STR link to both the 5G and 2G bands, let’s initiate traffic for one minute to verify STR operation. Using the IxChariot server, we will begin full-bandwidth Downlink UDP traffic. Initially, traffic will flow only on the 5G band, as it is the only active association link. However, the STA will soon assess the need for a secondary link to achieve higher bandwidth. It will then send a QoS Null data frame over the secondary (2G) link. The AP acknowledges this request and enables simultaneous data transmission across both bands.

Figure 6 shows the sequence starting with data on channel 36, followed by a QoS Null data frame on channel 6, and concluding with simultaneous data transmission on both channel 6 and channel 36.

The Catalyst 9800 WLC offers a comprehensive view of the client’s performance on each MLO link, with monitors providing detailed Tx/Rx data along with RF statistics.

Following the one-minute traffic run, the average throughput measured is 747 Mbps, as shown in Figure 8.

To provide a comparison, the test was repeated under the same conditions, but with 802.11be/MLO disabled, running in 802.11ax mode instead. The average throughput was 506 Mbps.

The table below summarizes the throughput comparison between clients. The impact is indeed transformative: Wi-Fi 7 with STR MLO significantly outperforms Wi-Fi 6, delivering a 47% throughput increase, along with more efficient spectrum utilization.The CW9178, CW9176I, and CW9176D APs, along with 9800 series wireless controllers, will fully support Wi-Fi 7 capabilities and features in the upcoming IOS XE 17.15.2 (currently in Beta) release.

The CW9178, CW9176I, and CW9176D APs, along with 9800 series wireless controllers, will fully support Wi-Fi 7 capabilities and features in the upcoming IOS XE 17.15.2 (currently in Beta) release.

The first in a series of blogs throughout 2025 highlighting the state of IPv6 across the industry, best practices to consider, and how Cisco is helping customers on their journeys with its products and services.

The complex history of IPv6

IPv6: a protocol with a long and winding history, and one that is sure to evoke a wide range of reactions upon mention – from skepticism to curiosity, from dismissal to openness, from indifference to fear, and everything in between. Most of the time, the first things I hear are either “It’s never going to happen” or “What’s going on with IPv6 anyway?” The first is quite easy to address – it is happening. The progress may not be uniform around the world nor across market segments, but the data is there, and it may come as a surprise to many.

The rise of IPv6 traffic

The percentage of global IPv6 traffic Google sees across all its properties from users did not cross the 1% threshold until 2013. Since then, it has risen dramatically, hitting around 48% at the end of 2024. Going by country, the United States is at 53%, while France, Germany, and India are at 78%, 76% and 72%, respectively. As of 2022, Akamai saw 52% of their US traffic as IPv6 and Facebook was seeing over 61% in the US. And yet when one digs into the data, you find that Residential and Mobile segments have driven a lot of these numbers, with Enterprise and Public Sector lagging.

Delayed adoption despite early promise

Given these prominent levels of adoption, it is natural to wonder why it has taken so long to deploy a protocol that is 30 years old (!). Many people have memories of the 1995-2015 time period where there was a lot of talk and hype around IPv6, but nothing ever seemed to materialize. Network professionals got rounds of training, it was incorporated into exam material, and we even had previous government mandates, but nothing ever seemed to get deployed.

Around the same time as the creation of IPv6, the industry also developed some life extenders for IPv4 – CIDR, VLSM, NAT and RFC 1918 private address space – that turned out to be so effective they delayed the need for IPv6 not just by a couple years, but by several decades. But as successful as they were, they still could not overcome the fact that 32 bits simply isn’t enough space for today’s global Internet. We ran out of new public IPv4 addresses to hand out in the mid 2010’s and are still feeling the consequences: Prices have skyrocketed on the secondary markets. ISP’s have had to increasingly deploy Carrier Grade NAT and shoulder the operational issues that accompany it. Enterprises have had to constantly re-address their networks to squeeze every last bit out of each subnet. Furthermore, many have had to deal with the pain of overlapping private address space, as different parts of their network started using the same address blocks independently. This forces more and more NAT just to achieve internal communication, let alone external connectivity.

The shift towards IPv6

The good news is we had a solution ready to go – it had just been in hibernation. However, it was going to require a team effort, an endeavor that has been working well in some areas, but that we still struggle with in others. Service Providers, both mobile and terrestrial, have IPv6-enabled many of their networks (with some choosing to run a single-stacked IPv6 core), large content providers have turned on dual-stack to serve as many potential customers as possible, and major operating systems vendors have ramped up their support. Combine these with developments like Happy Eyeballs (an algorithm built into most endpoints that will attempt IPv6 first, but quickly fail over to IPv4 without any noticeable delay to the user) and you begin to see why adoption has significantly increased.

However, more work is needed within Enterprises. There are a whole set of middleboxes, software suites, monitoring and management tools, identity and policy products, and other operational considerations that present challenges not faced by mobile and home users.

Governmental support and IPv6 moving forward

Many governments around the world, including the United States with OMB M-21-07, have seen this and are putting more emphasis behind closing these gaps [1]. They foresee an IPv6-only future and know that remaining in a dual-stack state indefinitely is the worst situation to be in, even though it is almost certainly required in the short-term. This future is not just about overcoming address exhaustion, but also presents new and exciting opportunities around architecture and operations that simply were not possible in a constrained IPv4 world. While Cisco has published a bit on this previously [2], my colleagues and I are going to use the rest of 2025 to lay out a series of blogs that will help you on that journey: how to think about and plan your new (nearly infinite) address space, how to transition from IPv4-only to IPv6-only, considerations for security and operations, the role of fabrics and other architectural designs, and what management and monitoring looks like in an IPv6 world. Stay tuned!