Support

CIP-015-01 Approved: NERC CIP Requirements for Internal Network Security Monitoring (INSM)

June 26, 2025

On June 26, 2025, the Federal Energy Regulatory Commission (FERC) issued Order No. 907, formally approving NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This new requirement applies to all entities that own or operate high and medium impact BES Cyber Systems, which now must begin planning for compliance with mandatory internal network monitoring.

What is NERC CIP-015-1 and Internal Network Security Monitoring?

In 2023, FERC directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards requiring Internal Network Security Monitoring (INSM) for CIP-networked environments.

INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. It also enables early detection of anomalous network activity, increasing the chances of quick mitigation and recovery.

With CIP-015-1 now formally approved, INSM is mandatory for high and medium impact BES Cyber Systems. FERC has also directed NERC to expand the scope to include systems outside the perimeter (more on that below).

What is required under the approved CIP-015-1?

The standard applies to all registered entities that own or operate applicable BES Cyber Systems at high or medium impact. It requires responsible entities to implement internal network monitoring for:

  • All High Impact BES Cyber Systems (with or without external routable connectivity), and
  • Medium Impact BES Cyber Systems with external routable connectivity

CIP-015-1 Requirements Include:

  • R1.1 – Risk-based identification
    Entities must determine, using documented, risk-based rationale, which networks within defined ESPs will be monitored.
  • R1.2 – Detection of anomalous activity
    The INSM system must compare incoming network traffic against a defined baseline to detect anomalous traffic.
  • R1.3 – Evaluation of anomalous activity
    Once anomalous traffic is detected, it must be evaluated for potential security events.
  • R2 – Retention of anomalous traffic data
    Only data related to detected anomalous activity must be retained—not all traffic. It must be preserved at least long enough to complete the evaluation in R1.3.
  • R3 – Protection of INSM data
    The data captured and retained must be protected against unauthorized modification or deletion.

When do entities need to comply with CIP-015-1?

  • By October 1, 2028 – Implementation required for systems in Control Centers and backup Control Centers
  • By October 1, 2030 – Required for all other medium impact systems with ERC

What to watch: Expanding scope

The approved CIP-015-1 is limited to networks inside ESPs. However, FERC has ordered NERC to expand the scope to include access control systems outside the perimeter. That future version is expected to apply INSM to:

  • Systems within the Electronic Security Perimeter (ESP) and one or more of the following:
    • Network segments connected to EACMS and PACS outside the ESP
    • Network segments between EACMS and PACS outside the ESP
    • Network segments internal to EACMS and PACS outside the ESP
  • Communications to and from access systems like badge readers, VPNs, Active Directory servers, SIEMs, and related infrastructure

Background:

INSM shifts the focus from solely defending the perimeter to monitoring the east-west traffic that moves laterally within trusted network zones. The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC identified a gap in these standards as they do not adequately address potential vulnerabilities within the internal network to cyber threats.

In 2023, the Federal Energy Regulatory Commission (FERC) proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of anomalous network activity, indicating a potential attack, increasing the chances for quick mitigation and recovery.

FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”

INSM Development Timeline

January 2022:

FERC made the proposed rule for new security requirements for high- and medium-impact bulk electric system facilities.

January 2023:

FERC published the final rule, ordering NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

December 2023:

NERC released its first draft for the new INSM requirements, initially as an addition to CIP-007.

January 2024 – Assessment of Low-Impact Requirements

NERC submitted its feasibility report on implementing INSM for certain categories of Bulk Electric Systems (BES), focusing on 'low impact BES' and 'medium impact BES without external routable connectivity (ERC)'.

While advising continued INSM implementation at originally scoped BES, NERC proposed the NERC, E-ISAC and FERC continue to monitor risk and needs to update the roadmap for INSM for lower impact systems. The report emphasized the importance of not implementing INSM as a “bolt-on” control - there needs to be a solid foundation established for this.

The high‐level roadmap for low impact would include:

  • Requirements for low impact BES Cyber System asset inventories
  • Requirements for designing, constructing, and documenting defensible network architectures to remove insecure by design network configurations (i.e., segmentation, conduits & zones, traffic analysis points, etc.)
  • Requirements for strong multi‐factor authentication for interactive remote access
  • Standards changes should not negatively incentivize entities to delay changes, or implement BES Cyber
  • Systems in order to circumvent standards requirements through compliance loopholes or abuse of exceptions such as:
  • Maintaining non‐supported end of life equipment and applications to alleviate compliance overhead to the detriment of security.”

February 2024 – CIP-015-01 As A Distinct New Standard:

Based on the feedback received during the initial posting, the DT decided to create a new reliability standard, designated as Reliability Standard CIP-015-1. This revised approach is clearer to the objective of detecting and evaluating anomalous network activity. NERC opened the second draft for a formal comment period on "CIP-015-01 – Cyber Security – Internal Network Security Monitoring".

Concurrently, CIP-007 will be restored to its previously enforced version.

Comments on the first draft of CIP-015-1 were taken from February 27 through March 18. There were 73 sets of responses, including comments from approximately 160 different people from approximately 102 companies.

April 2024:

Draft 2 of CIP-015-01 was released, with some language clarifications. Comments were taken from April 5-April 17. Additional ballots for the standard and implementation plan were conducted, along with a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels. The final ballot resulted in approval.

The CIP-015-1 standard had an approval of 76.57% with a quorum of 93.36%.

The implementation plan had an approval of 82.1% with a quorum of 93.31%.

June 2025 – FERC Approval of CIP-015-1:

On June 26, 2025, FERC issued Order No. 907, formally approving CIP-015-1 and the associated implementation plan. The order also directed NERC to expand the scope of INSM in a future update to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the ESP.

June 2026 – Expanded INSM Scope Due:

Twelve months from FERC’s approval, the next version of the standard is due. It must extend INSM requirements to cover the broader CIP-networked environment, including internal monitoring of EACMS and PACS even when they reside outside the Electronic Security Perimeter.

INSM Implementation Deadlines:

  • October 1, 2028: Implementation deadline for medium impact BES Cyber Systems with External Routable Connectivity (ERC)
  • October 1, 2030: Implementation deadline for systems in Control Centers and backup Control Centers

Navigating OT Security & Compliance

The development of INSM requirements underlines the necessity for organizations to continuously enhance their visibility and monitoring strategies, aligning them with these emerging requirements. Staying abreast of these developments is not just about compliance, but also about fortifying network security in an increasingly digital world.

The importance of enhancing visibility within network environments remains critical. Organizations should be proactive in establishing clear baselines and differentiating between secure and vulnerable aspects of their network.

These new requirements echo debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance often serves as a foundation for ensuring that organizations have the appropriate security controls in place.

Overall, security and compliance are interrelated and both are important to protect the organization from different types of risks. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and program to continuously improve security maturity.

Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.

To learn more about how we can partner with the power & electric utilities industry, please visit https://www.industrialdefender.com/industries/electric-utilities-cybersecurity.