CIP-015 Compliance Guide: Internal Network Security Monitoring for High and Medium Impact Facilities

On June 26, 2025, FERC formally approved standard CIP-015-1. Internal Network Security Monitoring (INSM) is now a CIP standard for high impact facilities and for medium impact facilities with external routable connectivity (ERC). FERC further ordered NERC to revise the standard within the next 12 months so that it also covers electronic access control or monitoring systems (EACMS) and physical access control systems (PACS). What does this mean for you?

Although compliance begins in 2028 (36 months for high impact facilities and 60 months for medium impact facilities), early planning is essential due to the level of complexity involved with implementation.

Pre-application upgrades: Utilities should begin preparing now, focusing on hardware upgrades such as replacing legacy switches that lack SPAN (port mirroring) capability, if needed, and on the practical challenges of deploying fiber optic taps. New architectures will need to conform to CIP-005 Electronic Security Perimeter (ESP) requirements.

Outage planning: Implementation is likely to require system downtime. Coordination with operations is key for implementation schedules.

Timeline: Smaller organizations may need several months, while larger ones could take years to fully comply.

Baseline behavior: Understand what “normal” looks like in your environment so that anomalies can be detected. Consider integrating INSM alerting into your CIP-008 Incident Response plans.

Network Security Monitoring: Preparing for NERC CIP 015

Our expert panelists discuss what is required to implement the new NERC CIP-015 standard in both new construction projects and existing power facilities, including documented processes and evidence of implementation, risk-based monitoring, anomaly detection, data evaluation, data retention, and protection of the collected data against unauthorized access.

Foundation requirements: Network Segmentation, Asset Inventory, and SOC Integration

First, network segmentation is essential to ensure visibility into “East-West” traffic, the traffic that flows between systems inside the perimeter. This visibility helps detect and contain threats that spread internally. Second, maintaining a comprehensive inventory of assets is critical. Organizations need to know exactly which assets are in their environment, including details such as firmware versions and serial numbers. This level of detail supports effective vulnerability management and incident response. Lastly, Security Operations Center (SOC) integration is needed to centralize monitoring and response. All monitoring data must feed into the SOC, where clearly defined escalation paths ensure timely and coordinated responses to potential threats.


A Comprehensive Cybersecurity Strategy for Industrial OT Environments

Meeting the standard is just the starting point. Strong cybersecurity requires full packet inspection, tools that understand operational technology (OT) protocols, and well-developed incident response plans. Monitoring must go beyond data collection to deliver real-time insights and support from trained personnel.

Understanding normal network behavior is key to detecting threats. A layered approach that combines network baselining, threat detection and cross-site correlation is recommended. Monitoring internal traffic is just as important as monitoring outside traffic.
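The baselining and anomaly detection described above (and in the “Baseline behavior” item earlier on this page) can be illustrated with the following added example, which is not code from the original page or from any vendor product. It learns the set of East-West conversations observed inside an ESP during a reviewed baseline window, flags conversations that fall outside it, and correlates the same new behaviour across sites. All sites, addresses and ports are constructed, hypothetical sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One East-West conversation summary as a passive sensor (SPAN/tap) would export it."""
    site: str
    src: str
    dst: str
    proto: str
    dport: int


def conversation(flow):
    """Identity of a conversation for baselining: who talks to whom, over which protocol/port."""
    return (flow.site, flow.src, flow.dst, flow.proto, flow.dport)


def learn_baseline(flows):
    """Baseline = every conversation seen during the learning window.
    Caveat: anything already present in that window is treated as normal, so the
    window must be reviewed against the asset inventory before the baseline is trusted."""
    return {conversation(f) for f in flows}


def detect_anomalies(baseline, flows):
    """Flag conversations absent from the baseline (new peer, new protocol or new port)."""
    return [f for f in flows if conversation(f) not in baseline]


def correlate_across_sites(anomalies):
    """Cross-site correlation: group anomalies by protocol/port to spot the same new behaviour at several sites."""
    by_behaviour = defaultdict(set)
    for f in anomalies:
        by_behaviour[(f.proto, f.dport)].add(f.site)
    return {k: sorted(v) for k, v in by_behaviour.items()}


# Constructed sample data (hypothetical addresses and sites, not from any real facility).
BASELINE_WINDOW = [
    Flow("substation-A", "10.1.0.10", "10.1.0.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
    Flow("substation-A", "10.1.0.11", "10.1.0.30", "tcp", 20000),  # SCADA -> RTU, DNP3
    Flow("substation-B", "10.2.0.10", "10.2.0.20", "tcp", 502),    # HMI -> PLC, Modbus/TCP
]
MONITORING_WINDOW = BASELINE_WINDOW + [
    Flow("substation-A", "10.1.0.50", "10.1.0.20", "tcp", 22),  # unknown host opening SSH to the PLC
    Flow("substation-B", "10.2.0.50", "10.2.0.20", "tcp", 22),  # same new behaviour at a second site
]


def run():
    """Learn the baseline, evaluate the monitoring window, and correlate what was flagged."""
    baseline = learn_baseline(BASELINE_WINDOW)
    anomalies = detect_anomalies(baseline, MONITORING_WINDOW)
    return anomalies, correlate_across_sites(anomalies)
```

In a real deployment the baseline would be rebuilt from sensor exports over an agreed learning period and re-reviewed whenever the asset inventory changes, and the flagged conversations would be forwarded to the SOC as INSM alerts.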

Organizations need a combination of network security monitoring (NSM), security information and event management (SIEM) and asset inventory tools.

OT-specific tools are essential and the choice between active and passive monitoring depends on the environment.

Virtualized systems add complexity and require additional oversight.

Effective implementation depends on strong network segmentation, a complete asset inventory and integration with a security operations center (SOC) that has a clear outline of procedures.

Legacy systems can be protected through segmentation and enhanced monitoring, but long-term plans should include their replacement. For new builds, cybersecurity must be integrated early, following standards such as ISA/IEC 62443, with clearly defined roles in contracts. Threats such as GPS spoofing, which can disrupt time synchronization, must be addressed through continuous monitoring and anomaly detection. By taking a Cyber Asset Lifecycle Management (CALM) approach, organizations can reduce costs through early implementation, improve their overall security posture and build forward-thinking operations that are resilient and safe while meeting compliance.


From Compliance to Resilience: Strengthening OT Security Under NERC CIP-015

NERC CIP-015-1 is more than a compliance requirement; it is an opportunity to strengthen OT cybersecurity. Organizations that act early will be better positioned to improve visibility and detection and to move from a reactive security program to a proactive one.

Watch our LinkedIn Live session, where our industrial cybersecurity professionals and industry experts share insights on how your organization can meet NERC CIP-015-1 requirements while implementing a robust 24/7 remote monitoring program for your OT assets.
