CIP-015-01 Approved: NERC CIP Requirements for Internal Network Security Monitoring (INSM)

June 26, 2025

On June 26, 2025, the Federal Energy Regulatory Commission (FERC) issued Order No. 907, formally approving NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This new requirement applies to all entities that own or operate high and medium impact BES Cyber Systems, which now must begin planning for compliance with mandatory internal network monitoring.

What is NERC CIP-015-1 and Internal Network Security Monitoring?

In 2023, FERC directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards requiring Internal Network Security Monitoring (INSM) for CIP-networked environments.

INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. It also enables early detection of anomalous network activity, increasing the chances of quick mitigation and recovery.

With CIP-015-1 now formally approved, INSM is mandatory for high and medium impact BES Cyber Systems. FERC has also directed NERC to expand the scope to include systems outside the perimeter (more on that below).

What is required under the approved CIP-015-1?

The standard applies to all registered entities that own or operate applicable BES Cyber Systems at high or medium impact. It requires responsible entities to implement internal network monitoring for:

  • All High Impact BES Cyber Systems (with or without external routable connectivity), and
  • Medium Impact BES Cyber Systems with external routable connectivity

CIP-015-1 Requirements Include:

(These are abbreviated highlights of NERC CIP-015-1. Reference NERC's website for the complete language.)

NERC CIP-015-1 involves Requirements (R1, R2, etc.) that specify mandatory actions, and Measures (M1, M2, etc.) that describe how compliance with those requirements can be demonstrated.

  • R1 – Entities must implement one or more documented process(es) for internal network security monitoring of networks protected by the Responsible Entity’s Electronic Security Perimeter(s) of high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity to provide methods for detecting and evaluating anomalous network activity.
    • 1.1 – Implement, using a risk-based rationale, network data feed(s) to monitor network activity, including connections, devices, and network communications.
    • 1.2 – Implement one or more method(s) to detect anomalous network activity using the network data feed(s) from Part 1.1.
    • 1.3 – Implement one or more method(s) to evaluate anomalous network activity detected in Part 1.2 to determine further action(s).
  • M1 – Requires evidence of the documented process(es) and of their implementation.
  • R2 – Entities must implement one or more documented process(es) to retain internal network security monitoring data associated with network activity determined to be anomalous.
  • M2 – Examples of evidence may include, but are not limited to, documentation of the internal network security monitoring data retention process(es), system configuration(s), or system-generated report(s) showing data retention with timelines.
  • R3 – Entities must implement one or more documented process(es) to protect internal network security monitoring data collected in support of Requirement R1 and data retained in support of Requirement R2 to mitigate the risks of unauthorized deletion or modification.
  • M3 – Evidence may include, but is not limited to, documentation demonstrating how internal network security monitoring data is being protected from the risk of unauthorized deletion or modification.
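As an added illustration (not NERC's language and not code from the page's author), the following Python sketch walks the R1 to R3 chain over constructed flow records: a learned baseline of in-ESP communications stands in for the Part 1.1 data feed, deviations from it are flagged (1.2), a simple triage rule decides further action (1.3), and the resulting findings are retained as a keyed hash chain so that unauthorized deletion or modification of INSM data is detectable (R2, R3). Host names, ports, the triage port list and the key are all assumptions.

```python
import hashlib
import hmac
import json
# Constructed sample flow records (src, dst, dst_port, proto), as an INSM sensor on an ESP
# span port might emit (the Part 1.1 data feed); host names and ports here are made up.
LEARNED_FLOWS = [("hmi-01", "plc-01", 502, "tcp"), ("hmi-01", "plc-02", 502, "tcp"),
                 ("hist-01", "hmi-01", 102, "tcp"), ("eng-ws-01", "plc-01", 44818, "tcp")]
OBSERVED_FLOWS = [("hmi-01", "plc-01", 502, "tcp"),        # in baseline, ignored
                  ("hmi-01", "plc-02", 22, "tcp"),         # new service between known hosts
                  ("eng-ws-01", "hist-01", 102, "tcp"),    # new peer pair
                  ("unknown-host", "plc-01", 502, "tcp")]  # host absent from the baseline
HMAC_KEY = b"assumed-key-from-a-secret-store"  # assumption: production loads this from a vault
ESCALATE_PORTS = {22, 23, 445, 3389}  # assumed triage rule: admin and remote-access services

def detect_anomalies(baseline, flows):
    """Part 1.2: flows outside the learned baseline are anomalous; returns (flow, reason) pairs."""
    hosts = {h for f in baseline for h in f[:2]}
    pairs = {f[:2] for f in baseline}
    def reason(f):
        if f[0] not in hosts or f[1] not in hosts:
            return "new host"
        return "new service between known hosts" if f[:2] in pairs else "new peer pair"
    return [(f, reason(f)) for f in flows if f not in baseline]

def evaluate(hits):
    """Part 1.3: decide further action; new hosts and admin ports escalate, the rest get reviewed."""
    return [{"flow": list(f), "reason": r,
             "action": "escalate" if r == "new host" or f[2] in ESCALATE_PORTS else "review"}
            for f, r in hits]

def retain(findings, key):
    """R2/R3: keep findings as a keyed hash chain so deletion or edits are detectable."""
    chain, prev = [], "0" * 64
    for item in findings:
        body = json.dumps(item, sort_keys=True)
        tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        chain.append({"body": body, "tag": tag})
        prev = tag
    return chain

def verify_chain(chain, key):
    """Recompute every link; False if any record was altered, dropped or reordered."""
    prev = "0" * 64
    for e in chain:
        tag = hmac.new(key, (prev + e["body"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, e["tag"]):
            return False
        prev = tag
    return True
```

A real deployment would also write the chain to append-only or write-once storage and keep the key out of reach of the accounts that can write records; the chain only makes tampering detectable, it does not prevent it.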

When do entities need to comply with CIP-015-1?

  • By October 1, 2028 – Implementation required for systems in Control Centers and backup Control Centers
  • By October 1, 2030 – Required for all other medium impact systems with ERC

What to watch: Expanding scope

The approved CIP-015-1 is limited to networks inside ESPs. However, FERC has ordered NERC to expand the scope to include access control systems outside the perimeter. That future version is expected to apply INSM to:

  • Systems within the Electronic Security Perimeter (ESP) and one or more of the following:
    • Network segments connected to EACMS and PACS outside the ESP
    • Network segments between EACMS and PACS outside the ESP
    • Network segments internal to EACMS and PACS outside the ESP
  • Communications to and from access systems like badge readers, VPNs, Active Directory servers, SIEMs, and related infrastructure

Background:

INSM shifts the focus from solely defending the perimeter to monitoring the east-west traffic that moves laterally within trusted network zones. The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC identified a gap in these standards, because they do not adequately address cyber threats that are already inside the internal network.

In 2023, the Federal Energy Regulatory Commission (FERC) proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”

INSM Development Timeline

January 2022:

FERC issued a notice of proposed rulemaking for new security requirements for high- and medium-impact bulk electric system facilities.

January 2023:

FERC published the final rule, ordering NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

December 2023:

NERC released its first draft for the new INSM requirements, initially as an addition to CIP-007.

January 2024 – Assessment of Low-Impact Requirements

NERC submitted its feasibility report on implementing INSM for certain categories of Bulk Electric System (BES) Cyber Systems, focusing on 'low impact BES' and 'medium impact BES without external routable connectivity (ERC)'.

While advising that INSM implementation continue for the originally scoped BES Cyber Systems, NERC proposed that NERC, the E-ISAC and FERC continue to monitor risk and needs and update the roadmap for INSM on lower impact systems accordingly. The report emphasized that INSM should not be implemented as a “bolt-on” control; a solid foundation needs to be established first.

The high-level roadmap for low impact would include:

  • Requirements for low impact BES Cyber System asset inventories
  • Requirements for designing, constructing, and documenting defensible network architectures to remove insecure-by-design network configurations (i.e., segmentation, conduits and zones, traffic analysis points, etc.)
  • Requirements for strong multi-factor authentication for interactive remote access
  • Standards changes should not negatively incentivize entities to delay changes, or implement BES Cyber Systems in order to circumvent standards requirements through compliance loopholes or abuse of exceptions, such as maintaining non-supported end-of-life equipment and applications to alleviate compliance overhead to the detriment of security

February 2024 – CIP-015-01 As A Distinct New Standard:

Based on the feedback received during the initial posting, the drafting team (DT) decided to create a new reliability standard, designated Reliability Standard CIP-015-1. This revised approach aligns more clearly with the objective of detecting and evaluating anomalous network activity. NERC opened the second draft for a formal comment period as "CIP-015-01 – Cyber Security – Internal Network Security Monitoring".

Concurrently, CIP-007 will be restored to its previously enforced version.

Comments on the first draft of CIP-015-1 were taken from February 27 through March 18. There were 73 sets of responses, including comments from approximately 160 different people from approximately 102 companies.

April 2024:

Draft 2 of CIP-015-01 was released, with some language clarifications. Comments were taken from April 5-April 17. Additional ballots for the standard and implementation plan were conducted, along with a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels. The final ballot resulted in approval.

The CIP-015-1 standard had an approval of 76.57% with a quorum of 93.36%.

The implementation plan had an approval of 82.1% with a quorum of 93.31%.

June 2025 – FERC Approval of CIP-015-1:

On June 26, 2025, FERC issued Order No. 907, formally approving CIP-015-1 and the associated implementation plan. The order also directed NERC to expand the scope of INSM in a future update to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the ESP.

June 2026 – Expanded INSM Scope Due:

Twelve months from FERC’s approval, the next version of the standard is due. It must extend INSM requirements to cover the broader CIP-networked environment, including internal monitoring of EACMS and PACS even when they reside outside the Electronic Security Perimeter.

INSM Implementation Deadlines:

  • October 1, 2028: Implementation deadline for systems in Control Centers and backup Control Centers
  • October 1, 2030: Implementation deadline for all other medium impact BES Cyber Systems with External Routable Connectivity (ERC)

Navigating OT Security & Compliance

The development of INSM requirements underlines the necessity for organizations to continuously enhance their visibility and monitoring strategies, aligning them with these emerging requirements. Staying abreast of these developments is not just about compliance, but also about fortifying network security in an increasingly digital world.

The importance of enhancing visibility within network environments remains critical. Organizations should be proactive in establishing clear baselines and differentiating between secure and vulnerable aspects of their network.

These new requirements echo debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance often serves as a foundation for ensuring that organizations have the appropriate security controls in place.

Overall, security and compliance are interrelated, and both are important to protect the organization from different types of risk. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and programs to continuously improve security maturity.

Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.

To learn more about how we can partner with the power & electric utilities industry, please visit https://www.industrialdefender.com/industries/electric-utilities-cybersecurity.