On June 26, 2025, the Federal Energy Regulatory Commission (FERC) issued Order No. 907, formally approving NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This new requirement applies to all entities that own or operate high and medium impact BES Cyber Systems, which now must begin planning for compliance with mandatory internal network monitoring.
In 2023, FERC directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards requiring Internal Network Security Monitoring (INSM) for CIP-networked environments.
INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. It also enables early detection of anomalous network activity, increasing the chances of quick mitigation and recovery.
With CIP-015-1 now formally approved, INSM is mandatory for high and medium impact BES Cyber Systems. FERC has also directed NERC to expand the scope to include systems outside the perimeter (more on that below).
The standard applies to all registered entities that own or operate applicable BES Cyber Systems at high or medium impact. It requires responsible entities to implement internal network monitoring for:
CIP-015-1 Requirements Include:
The approved CIP-015-1 is limited to networks inside ESPs. However, FERC has ordered NERC to expand the scope to include access control systems outside the perimeter. That future version is expected to apply INSM to:
INSM shifts the focus from solely defending the perimeter to monitoring the east-west traffic that moves laterally within trusted network zones. The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC identified a gap in these standards as they do not adequately address potential vulnerabilities within the internal network to cyber threats.
In 2023, the Federal Energy Regulatory Commission (FERC) proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.
INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of anomalous network activity, indicating a potential attack, increasing the chances for quick mitigation and recovery.
FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”
January 2022:
FERC made the proposed rule for new security requirements for high- and medium-impact bulk electric system facilities.
January 2023:
FERC published the final rule, ordering NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.
December 2023:
NERC released its first draft for the new INSM requirements, initially as an addition to CIP-007.
January 2024 – Assessment of Low-Impact Requirements
NERC submitted its feasibility report on implementing INSM for certain categories of Bulk Electric Systems (BES), focusing on 'low impact BES' and 'medium impact BES without external routable connectivity (ERC)'.
While advising continued INSM implementation at originally scoped BES, NERC proposed the NERC, E-ISAC and FERC continue to monitor risk and needs to update the roadmap for INSM for lower impact systems. The report emphasized the importance of not implementing INSM as a “bolt-on” control - there needs to be a solid foundation established for this.
The high‐level roadmap for low impact would include:
February 2024 – CIP-015-01 As A Distinct New Standard:
Based on the feedback received during the initial posting, the DT decided to create a new reliability standard, designated as Reliability Standard CIP-015-1. This revised approach is clearer to the objective of detecting and evaluating anomalous network activity. NERC opened the second draft for a formal comment period on "CIP-015-01 – Cyber Security – Internal Network Security Monitoring".
Concurrently, CIP-007 will be restored to its previously enforced version.
Comments on the first draft of CIP-015-1 were taken from February 27 through March 18. There were 73 sets of responses, including comments from approximately 160 different people from approximately 102 companies.
April 2024:
Draft 2 of CIP-015-01 was released, with some language clarifications. Comments were taken from April 5-April 17. Additional ballots for the standard and implementation plan were conducted, along with a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels. The final ballot resulted in approval.
The CIP-015-1 standard had an approval of 76.57% with a quorum of 93.36%.
The implementation plan had an approval of 82.1% with a quorum of 93.31%.
June 2025 – FERC Approval of CIP-015-1:
On June 26, 2025, FERC issued Order No. 907, formally approving CIP-015-1 and the associated implementation plan. The order also directed NERC to expand the scope of INSM in a future update to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the ESP.
June 2026 – Expanded INSM Scope Due:
Twelve months from FERC’s approval, the next version of the standard is due. It must extend INSM requirements to cover the broader CIP-networked environment, including internal monitoring of EACMS and PACS even when they reside outside the Electronic Security Perimeter.
INSM Implementation Deadlines:
The development of INSM requirements underlines the necessity for organizations to continuously enhance their visibility and monitoring strategies, aligning them with these emerging requirements. Staying abreast of these developments is not just about compliance, but also about fortifying network security in an increasingly digital world.
The importance of enhancing visibility within network environments remains critical. Organizations should be proactive in establishing clear baselines and differentiating between secure and vulnerable aspects of their network.
These new requirements echo debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance often serves as a foundation for ensuring that organizations have the appropriate security controls in place.
Overall, security and compliance are interrelated and both are important to protect the organization from different types of risks. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and program to continuously improve security maturity.
Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.
To learn more about how we can partner with the power & electric utilities industry, please visit https://www.industrialdefender.com/industries/electric-utilities-cybersecurity.