Full Report
On June 26, 2025, the Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 907 formally approving...
Analysis Summary
# Regulation/Compliance: NERC CIP-015-1 (Internal Network Security Monitoring - INSM)
## Overview
NERC Critical Infrastructure Protection (CIP) Standard CIP-015-1 mandates Internal Network Security Monitoring (INSM), specifically east-west monitoring of network traffic inside Electronic Security Perimeters (ESPs), across the North American electric sector. The goal is to gain security visibility inside trust zones where perimeter defenses alone are insufficient, shifting the focus to detecting adversarial behavior that is already within the network.
## Key Details
- Issuing Authority: Federal Energy Regulatory Commission (FERC), approving a North American Electric Reliability Corporation (NERC) standard.
- Compliance Deadline: Full compliance with CIP-015-1 is required by October 1, 2028.
- Jurisdiction: North American Electric Sector (Registered Entities). The primary scope is within Electronic Security Perimeters (ESPs).
- Status: Final (Approved by FERC on June 26, 2025).
## Requirements
### Mandatory Requirements (CIP-015-1)
1. **R1.1 (Data Collection):** Implement, using a risk-based rationale, network data feed(s) to monitor network activity, including connections, devices, and network communications, *within* the ESPs protecting High Impact Bulk Electric System (BES) Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC).
2. **R1.2 (Detection):** Detect anomalous network activity using the network data feeds collected under R1.1.
3. **R1.3 (Evaluation):** Evaluate anomalous network activity detected in R1.2 to determine if further action is required.
4. **R2 (Data Retention):** Retain INSM data associated with anomalous network activity long enough to support the evaluation actions defined in R1.3.
5. **R3 (Data Protection):** Protect all collected and retained INSM data from unauthorized modification or deletion.
### Recommended Practices (Anticipating CIP-015-2)
1. Begin preparing resources and internal plans to scope monitoring to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside of the ESP boundaries, as directed by FERC for CIP-015-2.
2. Prioritize solutions that deliver security outcomes first, rather than viewing implementation purely as a compliance exercise.
3. Adopt a holistic project mindset for INSM deployment, focusing on understanding the environment rather than simply purchasing a monitoring appliance ("box").
## Affected Organizations
- Industries: North American Electric Sector.
- Organization Size: Applies, regardless of entity size, to **Registered Entities** that own or operate High Impact BES Cyber Systems or Medium Impact BES Cyber Systems with External Routable Connectivity (ERC).
- Geographic Scope: North America (where NERC standards apply).
## Compliance Timeline
- **June 26, 2025:** FERC formally approved NERC CIP-015-1.
- **Within 1 Year of Approval (Approx. Mid-2026):** NERC is required to develop and submit modifications to CIP-015-1 (expected as CIP-015-2) expanding the scope to EACMS and PACS outside the ESP.
- **October 1, 2028:** Final deadline for **full compliance** with current CIP-015-1 requirements (INSM inside ESPs).
## Implementation Guidance
### Assessment Phase
1. Review and finalize the current list of High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with ERC, together with the ESPs that protect them.
2. Identify existing data collection capabilities currently operating within identified ESPs.
3. Assess the feasibility of acquiring network activity data feeds from existing network infrastructure within the ESPs.
### Implementation Phase
1. Prioritize implementation projects across High Impact and Medium Impact Control Centers that have ERC.
2. Determine where the complex task of analyzing detected anomalous activity will be performed (e.g., dedicated OT SOC, centralized security team).
3. Begin evaluating potential INSM solutions that align with the organization's specific environment and OT protocols.
### Validation Phase
1. Test the implemented monitoring feeds (R1.1) to ensure all necessary network communications inside the ESP are captured.
2. Tune detection algorithms (R1.2) to accurately flag anomalous activity without generating excessive false positives.
3. Verify that retained data (R2) supports the necessary actions required when anomalous activity is evaluated (R1.3).
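The three validation steps above (feed coverage for R1.1, anomaly detection for R1.2, and retained data that supports R1.3 evaluation and is protected under R3) can be exercised end to end against exported flow records. The following is an added example written for this summary; it is not code from NERC, FERC, SANS or any vendor named on this page. It assumes flow records have already been exported from a SPAN or TAP inside the ESP and reduced to (source, destination, destination port, protocol); every address, port and host role below is constructed for illustration.

```python
"""Baseline-and-detect over east-west flow records from inside an ESP.

Added example for this summary; not code from NERC, FERC, SANS or Dragos.
Assumptions: flow records have already been exported from a SPAN/TAP inside
the ESP and reduced to (src, dst, dport, proto); every address, port and host
role below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed learning-window flows: an HMI (.1.10) and an engineering
# workstation (.1.11) talking to two PLCs (.2.20/.2.21) and a historian (.3.30).
BASELINE = [
    Flow("10.10.1.10", "10.10.2.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    Flow("10.10.1.10", "10.10.2.21", 502, "tcp"),
    Flow("10.10.1.11", "10.10.2.20", 44818, "tcp"),  # EWS -> PLC, EtherNet/IP
    Flow("10.10.1.10", "10.10.3.30", 1433, "tcp"),   # HMI -> historian
    Flow("10.10.1.11", "10.10.3.30", 1433, "tcp"),
]

# Constructed observation window to run the detector over.
OBSERVED = [
    Flow("10.10.1.10", "10.10.2.20", 502, "tcp"),    # normal
    Flow("10.10.1.10", "10.10.3.30", 1433, "tcp"),   # normal
    Flow("10.10.1.11", "10.10.2.20", 502, "tcp"),    # EWS using a new protocol to a PLC
    Flow("10.10.3.30", "10.10.2.21", 502, "tcp"),    # historian never talked to a PLC
    Flow("10.10.1.99", "10.10.2.20", 502, "tcp"),    # host never seen in the baseline
    Flow("10.10.1.10", "10.10.2.20", 445, "tcp"),    # SMB from HMI to PLC
]

# Conversations the feed must capture for the R1.1 coverage check (constructed).
EXPECTED_PAIRS = {
    ("10.10.1.10", "10.10.2.20"),
    ("10.10.1.10", "10.10.2.21"),
    ("10.10.1.11", "10.10.3.30"),
}


def learn_baseline(flows):
    """Allowlist of (src, dst, dport, proto) tuples seen during learning."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def classify(flow, baseline):
    """Return None for baseline traffic, else the most specific deviation."""
    if (flow.src, flow.dst, flow.dport, flow.proto) in baseline:
        return None
    hosts = {h for key in baseline for h in key[:2]}
    if flow.src not in hosts or flow.dst not in hosts:
        return "new_host"
    if (flow.src, flow.dst) not in {key[:2] for key in baseline}:
        return "new_conversation"
    return "new_service"


def detect(flows, baseline):
    """R1.2: (reason, flow) for every flow that deviates from the baseline."""
    found = []
    for f in flows:
        reason = classify(f, baseline)
        if reason:
            found.append((reason, f))
    return found


def missing_coverage(flows, expected_pairs):
    """R1.1 validation: expected conversations the feed never showed us."""
    seen = {(f.src, f.dst) for f in flows}
    return sorted(expected_pairs - seen)


def serialize(anomalies):
    """One flat record per anomaly, the form that would be retained under R2."""
    return [f"{r}:{f.src}->{f.dst}:{f.dport}/{f.proto}" for r, f in anomalies]


def chain_records(records, seed=b"\x00" * 32):
    """R3: SHA-256 hash chain. Each digest covers the record and its predecessor,
    so altering or deleting one retained record invalidates every later digest."""
    digests, prev = [], seed
    for rec in records:
        prev = hashlib.sha256(prev + rec.encode()).digest()
        digests.append(prev)
    return digests


def verify_chain(records, digests, seed=b"\x00" * 32):
    """True only if the retained records still reproduce the stored chain."""
    return chain_records(records, seed) == digests


if __name__ == "__main__":
    base = learn_baseline(BASELINE)
    found = detect(OBSERVED, base)
    for reason, f in found:
        print(f"{reason:17} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print("uncaptured expected pairs:", missing_coverage(OBSERVED, EXPECTED_PAIRS))
    recs = serialize(found)
    print("chain intact:", verify_chain(recs, chain_records(recs)))
```

The allowlist baseline is deliberately the simplest possible detector: it flags four of the six observed flows and would flag every change in a plant that was not re-baselined, which is exactly the false-positive pressure the tuning step describes. Two caveats carry over to any real deployment: the learning window must itself be verified clean before it becomes the baseline, and the hash chain only proves integrity if the stored digests are kept somewhere the INSM data owner cannot rewrite (a separate system, or signed with a key the collection host does not hold).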
## Technical Requirements
- Implementation of Internal Network Security Monitoring (INSM) focused on east-west traffic inside ESPs.
- Use of network data feeds to monitor connections, devices, and communications.
- Ability to detect and analyze anomalous network activity.
- Mechanisms to protect collected and retained INSM data integrity.
- Consideration for monitoring network segments connected to, internal to, or between EACMS and PACS outside the ESP (in anticipation of CIP-015-2).
## Penalties & Enforcement
- Fines: The summary does not detail a fine structure. Violations of NERC Reliability Standards can carry monetary penalties under Section 215 of the Federal Power Act, assessed by NERC and the Regional Entities and subject to FERC review.
- Other Consequences: Violations also typically require mitigation plans and may be made public through NERC enforcement filings.
- Enforcement: Compliance is monitored through NERC's Compliance Monitoring and Enforcement Program (CMEP), including audits, self-certifications and investigations carried out by the Regional Entities under NERC and FERC oversight.
## Related Standards
- **NERC CIP Standards:** CIP-015 builds upon the existing framework that governs protection for Bulk Electric System (BES) Cyber Systems, particularly those related to perimeter security (ESPs).
- **Frameworks mentioned in context:** The source cites Dominion Energy as an example of a security-led program in which security outcomes drive compliance. That approach aligns with broader OT security best practices (e.g., the principles in NIST SP 800-82), which CIP-015-1 itself does not mandate.
## Resources
- Official Documentation: FERC Order No. 907 approving CIP-015-1 (issued June 26, 2025; published July 2, 2025; 191 FERC ¶ 61,224).
- Guidance Documents: SANS Buyer’s Guide to NERC CIP-015.
- Tools: The Dragos Platform is cited as a specialized solution designed for INSM requirements.
## Practical Recommendations
1. **Start Planning Now:** Asset owners must immediately align internal resources and planning to meet the October 1, 2028, deadline for monitoring within ESPs.
2. **Future-Proof Scope:** Actively plan for the anticipated expansion of CIP-015-2 to include EACMS and PACS traffic outside the ESP to avoid future resource strain.
3. **Focus on Visibility:** Treat INSM deployment as a security enhancement project focused on achieving operational visibility, ensuring compliance follows as a natural outcome.
4. **Engage Experts:** Seek partnerships with vendors that possess deep understanding of the OT environment and INSM principles, rather than relying solely on off-the-shelf perimeter solutions.