If you’re just getting your arms around the NERC CIP-015-1 requirements for Internal Network Security Monitoring within Electronic Security Perimeters (ESP), we have important news: CIP-015-2 is coming, and it significantly expands the scope of INSM obligations.
In June 2025, FERC proposed to approve CIP-015-1 while simultaneously directing NERC to develop modifications that extend internal network security monitoring to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside of the ESP.
Since then, the NERC Project 2025-02 drafting team has been working to draft revisions to the Standard and posted an initial draft for industry comment and ballot. NERC released the results of the initial industry ballot on January 20, 2026, which passed at 84.33%. Notably, CIP-015-2 includes the term Cyber Systems in the Requirement language and includes Shared Cyber Infrastructure (SCI) in the Applicability column in addition to EACMS and PACS.
This expansion isn’t arbitrary. It addresses a critical security gap that adversaries have exploited.
In this two-part blog series, we’ll examine why EACMS, PACS, and SCI security monitoring is essential for comprehensive security (Part 1) and then explore how to prepare your organization for these expanded requirements (Part 2).
To understand why EACMS, PACS, and SCI monitoring matters, let’s examine how these systems function within the CIP-networked environment.
What Are Electronic Access Control or Monitoring Systems (EACMS)?
EACMS are Cyber Assets that perform electronic access control or electronic access monitoring of the ESP or BES Cyber Systems including Intermediate Systems. Examples include:
- Authentication servers (Active Directory, RADIUS, TACACS+)
- Remote access servers and jump hosts
- Network monitoring and management systems
- Security information and event management (SIEM) systems
- Intrusion detection systems at ESP boundaries
- Systems that manage or monitor electronic access points
What Are Physical Access Control Systems (PACS)?
PACS are Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the PSP such as motion sensors, electronic lock control mechanisms, and badge readers. Examples include:
- Card access systems
- Biometric authentication devices
- Door controllers
- Visitor management systems
- Physical access logging and alarm systems
What Are Cyber Systems and Shared Cyber Infrastructure (SCI)?
Both of these terms are new definitions associated with Project 2016-02 Modifications to CIP Standards | Virtualization. They were adopted by the NERC Board of Trustees in May 2024 and are filed and pending approval from FERC. In September 2025, FERC issued a NOPR proposing to approve the revisions but has not issued a final rule as of the time of this publication.
Cyber Systems are one or more Cyber Assets, Virtual Cyber Assets, or Shared Cyber Infrastructure. Shared Cyber Infrastructure is one or more programmable electronic devices, including the software that shares the devices’ resources, that:
- Hosts one or more Virtual Cyber Assets (VCA) included in a BES Cyber Systems (BCS) or their associated Electronic Access Control or Monitoring Systems (EACMS) or Physical Access Control Systems (PACS); and hosts one or more VCAs that are not included in, or associated with, BCS of the same impact categorization; or
- Provides storage resources required for system functionality of one or more Cyber Assets or VCAs included in a BCS or their associated EACMS or PACS; and also for one or more Cyber Assets or VCAs that are not included in, or associated with, BCS of the same impact categorization.
SCI does not include the supported VCAs or Cyber Assets with which it shares its resources.
Examples of SCI include:
- Virtualization hosts
- Shared hypervisor management platforms
- Shared SAN or NAS systems
- Shared database platforms or clusters
EACMS, PACS, and SCI outside the ESP represent a classic “trusted system” scenario. These systems become high‑value targets because they often possess visibility, authority, and connectivity that adversaries can weaponize. They:
- Have legitimate connections into the ESP: By design, EACMS, PACS, and SCI often communicate with BES Cyber Systems inside the ESP to perform their functions. These trusted pathways can bypass traditional perimeter monitoring, making them ideal channels for adversaries to pivot inward once compromised.
- Often have privileged functional authority: Even when they are not OS-level administrators, these systems frequently perform high‑impact functions such as:
  - Authentication and authorization
  - Logical and physical access enablement
  - Monitoring, alarming, and supervisory functions
  This means an attacker controlling EACMS, PACS, or SCI can influence or enable actions that can affect BES Cyber Systems.
- Provide valuable reconnaissance: Compromise of these systems grants attackers detailed operational awareness, including:
  - User roles, accounts, and authentication behaviors
  - Physical access patterns (PACS)
  - System naming, topology, and trust relationships
  - Alarm thresholds, responses, and monitoring logic (SCI)
  - Maintenance windows and operator behavior
This intelligence significantly improves an adversary’s ability to plan, disguise, and optimize further attacks, including lateral movement into the ESP.
Step 1: Initial Compromise
The adversary gains access to an EACMS, PACS, or SCI outside the ESP through:
- Phishing attacks targeting administrators
- Exploitation of unpatched vulnerabilities
- Credential theft or reuse
- Supply chain compromise of management software
Step 2: Establish Persistence
Once inside the EACMS, PACS, or SCI, the adversary:
- Creates backdoor accounts or maintains access through legitimate credentials
- Establishes command and control channels
- Conducts reconnaissance of the ESP and its contents
- Maps trusted connections and communication pathways
Step 3: Lateral Movement
Using the compromised EACMS, PACS, or SCI as a launching point, the adversary:
- Leverages trusted connections to access systems within the ESP
- Appears as legitimate traffic from a trusted source
- Bypasses ESP boundary monitoring because they’re using authorized channels
- Avoids detection by existing CIP-015-1 monitoring focused within the ESP
Step 4: Achieve Objectives
Now inside the ESP with an apparent legitimate presence, the adversary can:
- Perform reconnaissance
- Access BES Cyber Systems
- Manipulate operational data
- Prepare for disruptive actions
- Maintain long-term persistent access
This isn’t theoretical. It’s the attack pattern observed in real-world OT compromises.
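Added example, not part of the original post: a minimal check for the Step 3 pattern, flagging flows from EACMS, PACS, or SCI sources into the ESP that fall outside the documented pathways. The subnet, addresses, ports, flow-record format, and fan-out threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Every address, role and port below is constructed for illustration.
ESP_NET = ipaddress.ip_network("10.50.0.0/24")   # hypothetical ESP subnet
TRUSTED = {"10.20.1.10": "EACMS", "10.20.2.15": "PACS", "10.20.3.5": "SCI"}
# Documented pathways into the ESP: (source, destination, protocol, port)
BASELINE = {
    ("10.20.1.10", "10.50.0.21", "tcp", 22),     # jump host to ESP host, SSH
    ("10.20.3.5", "10.50.0.40", "tcp", 443),     # hypervisor management
}
FANOUT_LIMIT = 3   # distinct off-baseline ESP hosts before a fan-out alert
# Constructed flow records: timestamp src dst proto dport bytes
FLOWS = """\
2026-02-01T02:10:00Z 10.20.1.10 10.50.0.21 tcp 22 4200
2026-02-01T02:11:05Z 10.20.1.10 10.50.0.21 tcp 445 900
2026-02-01T02:11:09Z 10.20.1.10 10.50.0.30 tcp 445 880
2026-02-01T02:11:12Z 10.20.1.10 10.50.0.31 tcp 445 860
2026-02-01T02:12:00Z 10.20.2.15 10.50.0.21 tcp 3389 15000
2026-02-01T02:13:00Z 10.20.3.5 10.50.0.40 tcp 443 3100
2026-02-01T02:14:00Z 10.20.1.10 10.20.3.5 tcp 443 500
"""

def parse(text):
    """Turn whitespace-separated flow lines into dicts."""
    fields = ("ts", "src", "dst", "proto", "dport", "bytes")
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split()))
        rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
        yield rec

def detect(flows):
    """Alert on trusted-source flows into the ESP that leave the baseline."""
    alerts, seen = [], defaultdict(set)
    for f in flows:
        role = TRUSTED.get(f["src"])
        if role is None or ipaddress.ip_address(f["dst"]) not in ESP_NET:
            continue                      # not an EACMS/PACS/SCI to ESP flow
        if (f["src"], f["dst"], f["proto"], f["dport"]) in BASELINE:
            continue                      # documented pathway
        alerts.append((f["ts"], "off-baseline", role, f["src"], f["dst"], f["dport"]))
        hosts = seen[f["src"]]
        if f["dst"] not in hosts:
            hosts.add(f["dst"])
            if len(hosts) == FANOUT_LIMIT:        # fires once per source
                alerts.append((f["ts"], "fan-out", role, f["src"], None, None))
    return alerts

if __name__ == "__main__":
    print(*detect(parse(FLOWS)), sep="\n")
```

Traffic that stays on a documented pathway passes this check, so it complements session-level and authentication monitoring rather than replacing it.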
In directing NERC to develop CIP-015-2, FERC was explicit about the security gap:
“By restricting the implementation of INSM to within the electronic security perimeter, a reliability and security gap remains by not implementing INSM for the entire CIP-networked environment, i.e., outside the electronic security perimeter inclusive of EACMS and PACS.”
FERC’s position is clear: you cannot secure the ESP if you’re blind to adversary activity in the systems that connect to it. INSM must extend to the entire CIP-networked environment to be effective. The Project 2025-02 drafting team included the Cyber System and SCI terms in CIP-015-2 to ensure consistent internal network security monitoring coverage when virtualization or shared storage environments are used.
Now that we understand why EACMS, PACS, and SCI monitoring is critical and how adversaries exploit the current security gap, the question becomes: what does CIP-015-2 mean for practical implementation, and how can utilities prepare?
In Part 2 of this series, we’ll examine the version of CIP-015-2 that passed initial industry ballot (noting that there may be minor changes prior to final industry ballot), explore the architectural and scoping challenges of implementing EACMS, PACS, and SCI monitoring, and provide actionable steps you can take now to prepare your organization for these expanded obligations.