Preparing for CIP‑015‑2: How to Implement INSM for EACMS, PACS, and SCI Monitoring

In Part 1 of this series, we explored why FERC directed NERC to expand Internal Network Security Monitoring (INSM) beyond the Electronic Security Perimeter (ESP). We examined how unmonitored Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Shared Cyber Infrastructure (SCI) create blind spots adversaries can exploit, and how CIP‑015‑2 closes this security gap.

Now it’s time to shift from why to how:

While the standard has only passed initial industry ballot and may undergo minor refinements before final approval, the core structure is expected to hold. Entities should anticipate that CIP‑015‑2 will extend:

  • Collection
  • Detection
  • Analysis
  • Retention
  • Protection

…across EACMS, PACS, and SCI outside the ESP, mirroring the framework established in CIP‑015‑1, which is scoped to network activity between assets protected by the ESP.
This means INSM is no longer limited to the ESP — it now applies across the broader CIP‑networked environment, wherever communications relevant to BES Cyber Systems occur.

Utilities will need to implement network data feeds that capture east-west network activity involving:

  • High Impact BCS, and Medium Impact BCS with ERC, and their associated:
    • EACMS
    • PACS
    • PCAs
  • SCI consistently supporting these systems, such as virtualization hosts, hypervisors, shared SAN/NAS systems, or clustered management platforms

Collection should capture:

  • Communications between EACMS, PACS, PCAs, and BCS (including traffic routed through SCI)
  • East‑west communications among EACMS, PACS, and SCI outside the ESP
  • Administrative access to EACMS and PACS
  • Traffic to/from BES Cyber Systems with ERC
  • Network activity sufficient to detect malicious behaviors and support timely Cyber Security Incident response
  • Configuration changes to access‑control or monitoring policies

Positive takeaway:
Organizations with flexible OT monitoring architectures, including support for SPAN, port mirroring, RSPAN, ERSPAN, VXLAN, TAP, virtual collection, and distributed sensors, can extend visibility into these environments without extensive changes.

CIP‑015‑2 requires utilities to detect anomalous activity involving these systems, such as:

  • Unauthorized or unexpected access into the ESP from EACMS and PACS
  • Abnormal authentication patterns
  • Privilege escalations or configuration changes
  • Communication with unexpected destinations
  • Protocol or management‑traffic anomalies

Establishing behavioral baselines allows organizations to monitor effectively for these types of anomalous activity, because deviations from the norm can be rapidly flagged for investigation. Many utilities are discovering that tiered baselining approaches, evolving from minimal viable rules to optimized site‑specific baselines, make detection more manageable at scale. Platforms that support rule grouping, summarization, and bulk updates significantly reduce the baselining workload.
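To make the tiered baselining described above concrete, here is an added example (not Dragos code and not the Dragos Platform's detection logic): a tier‑1 minimal viable rule set derived from CIP roles, a tier‑2 site baseline learned from a known‑good window, and an evaluation of later flows against both. All addresses, roles and flows are constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed asset inventory: host -> (CIP role, located inside the ESP?)
ASSETS = {
    "10.1.0.10": ("BCS", True),     # high impact BCS
    "10.2.0.20": ("EACMS", False),  # intermediate system outside the ESP
    "10.2.0.30": ("PACS", False),   # badge controller
    "10.2.0.40": ("SCI", False),    # hypervisor hosting EACMS VMs
    "10.9.0.99": ("IT", False),     # enterprise workstation, out of scope
}
MGMT_PORTS = {22, 3389}

def tier1_violations(flow):
    """Tier 1: minimal viable rules derived from CIP roles, usable before a site baseline exists."""
    src_role, src_in_esp = ASSETS.get(flow.src, ("UNKNOWN", False))
    dst_role, dst_in_esp = ASSETS.get(flow.dst, ("UNKNOWN", False))
    findings = []
    # Only EACMS may initiate connections into the ESP from outside it.
    if dst_in_esp and not src_in_esp and src_role != "EACMS":
        findings.append(f"{src_role} {flow.src} entered the ESP to reach {flow.dst}")
    # Management protocols to a BCS are expected only from EACMS.
    if dst_role == "BCS" and flow.port in MGMT_PORTS and src_role != "EACMS":
        findings.append(f"management port {flow.port} on BCS {flow.dst} from {src_role}")
    return findings

def learn_baseline(flows):
    """Tier 2: record every (src, dst, port) tuple seen during a known-good learning window."""
    return {(f.src, f.dst, f.port) for f in flows}

def evaluate(flows, baseline):
    """Return (tier, flow, message) for each rule violation or communication new to the site."""
    findings = []
    for f in flows:
        findings += [("tier1", f, msg) for msg in tier1_violations(f)]
        if (f.src, f.dst, f.port) not in baseline:
            findings.append(("tier2", f, "communication not in site baseline"))
    return findings

# Constructed flows: a learning window, then an observation window with two new flows.
LEARNING = [Flow("10.2.0.20", "10.1.0.10", 22), Flow("10.2.0.30", "10.2.0.20", 443),
            Flow("10.2.0.40", "10.2.0.20", 902)]
OBSERVED = LEARNING + [Flow("10.2.0.30", "10.1.0.10", 3389), Flow("10.9.0.99", "10.2.0.30", 22)]

if __name__ == "__main__":
    for tier, flow, msg in evaluate(OBSERVED, learn_baseline(LEARNING)):
        print(tier, flow, msg)
```

The PACS‑to‑BCS RDP flow trips both tier‑1 rules and the tier‑2 baseline, while the workstation‑to‑PACS SSH flow is caught only by the site baseline, which is why the two tiers complement each other.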

Beyond monitoring for unauthorized access and abnormal authentication, comprehensive anomaly detection strategies also encompass a broader set of threat indicators. These include tracking configuration changes that may signal policy drift or malicious intent, as well as identifying behaviors consistent with known threat actors.

The Dragos Platform operationalizes OT threat detections by: detecting policy violations, recognizing known threat behaviors, flagging suspicious or novel activity, and identifying clear indicators of compromise. This significantly streamlines implementation and baselining work by giving teams clearer starting points for what “normal” looks like, reducing manual rule creation, accelerating tuning activities, and helping IT and OT teams converge on a shared, evidence‑based view of baseline network behavior.

By layering the four types of threat detection, organizations can achieve a more holistic defense posture that improves visibility and response capabilities across their critical OT environments, including the CIP-networked environment.

Detected activity must be evaluated to determine whether it reflects:

  • Legitimate administrative activity
  • A misconfiguration or operational artifact
  • Reconnaissance or pre‑attack positioning
  • An active compromise requiring incident response

INSM becomes most effective when organizations define clear triage paths, integrate SOC tools with OT-specific context, and ensure cross-team collaboration across operations, engineering, network infrastructure, and compliance groups. Modern OT monitoring platforms help by providing contextual details analysts would otherwise need to gather manually.

A core component of CIP-015 is understanding when a detection should lead to the activation of CIP-008 incident response processes. By establishing workflows that connect anomaly detection with CIP-008 procedures, teams can ensure that potential incidents are promptly escalated, properly documented, and thoroughly investigated in accordance with regulatory expectations. This integrated approach not only facilitates compliance but also enhances the organization’s overall resilience by bridging detection, analysis, and response activities across both IT and OT environments.

The Dragos Platform supports this process by enriching detections with OT‑specific context, linking observed activity to known assets, industrial processes, and threat behaviors so that analysts can more quickly distinguish benign conditions from reconnaissance or active compromise. Dragos‑provided investigation playbooks further support this workflow by guiding analysts through consistent, repeatable triage and analysis steps aligned to common OT threat scenarios.

CIP‑015‑2 requires entities to:

  • Retain only anomalous network data required for evaluation
  • Protect it from unauthorized modification or deletion
  • Preserve logs supporting potential CIP‑008 investigations

While CIP-015-2 does not prescribe a set time frame for data retention, if a detection requires activation of CIP-008 incident response processes, CIP-008 requires data or evidence retention for three (3) calendar years. Centralized retention models and separated analysis/collection tiers often simplify compliance obligations, especially in distributed substation environments.
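As an added example of the retention and protection requirements above (not Dragos code), the following keeps only records flagged anomalous, hash‑chains each retained record so later modification or deletion is detectable, and carries a placeholder CIP‑008 case reference on the record that would fall under the three‑year evidence retention. All records and addresses are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for an empty store

def _entry_hash(prev_hash, record):
    """Bind a record to its predecessor: SHA-256 over the previous hash plus canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def retain_anomalous(records):
    """Keep only records flagged anomalous and append each to a hash chain."""
    chain, prev = [], GENESIS
    for rec in records:
        if not rec.get("anomalous"):
            continue  # routine traffic is evaluated but not retained
        prev = _entry_hash(prev, rec)
        chain.append({"record": rec, "hash": prev})
    return chain

def verify_chain(chain, expected_head):
    """Return (True, None) if intact, else (False, index of the first inconsistent entry)."""
    # A modified record no longer matches its hash; deleting an entry breaks the link for the
    # next one; a truncated tail is caught by a head hash kept outside the store (e.g. case file).
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return (True, None) if prev == expected_head else (False, len(chain))

def copy_chain(chain):
    """Copy entries so tampering scenarios do not alter the original store."""
    return [{"record": dict(e["record"]), "hash": e["hash"]} for e in chain]

# Constructed detection output; only the anomalous records are retained.
RECORDS = [
    {"id": 1, "src": "10.2.0.20", "dst": "10.1.0.10", "port": 22, "anomalous": False},
    {"id": 2, "src": "10.2.0.30", "dst": "10.1.0.10", "port": 3389, "anomalous": True,
     "cip008_case": "CASE-ID-PLACEHOLDER"},
    {"id": 3, "src": "10.9.0.99", "dst": "10.2.0.30", "port": 22, "anomalous": True},
]

if __name__ == "__main__":
    store = retain_anomalous(RECORDS)
    head = store[-1]["hash"]  # record this head hash outside the store
    tampered = copy_chain(store)
    tampered[0]["record"]["port"] = 443
    print(verify_chain(store, head), verify_chain(tampered, head), verify_chain(store[:-1], head))
```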

The Dragos Platform allows customers to define flexible retention policies aligned to their operational and regulatory needs. Investigative cases and evidence associated with those cases are preserved to support long‑term documentation and defensible investigation records when CIP‑008 processes are initiated.

CIP‑015‑2 introduces potential scoping complexity because EACMS, PACS, and SCI often exist outside of traditional OT boundaries. SCI may also be challenging because it is a new definition introduced by Project 2016-02 Virtualization, which is pending approval from FERC, meaning that entities may not have included that classification in their current asset inventories.

These systems may be:

  • Distributed across many locations
  • Shared across multiple ESPs or business units
  • Hosted within enterprise IT environments
  • Running on virtualized platforms mixing CIP and non‑CIP functions

Common challenges utilities encounter include:

  • Unclear ownership of EACMS/PACS systems
  • Outdated or incomplete network diagrams
  • Need for on‑site verification of architectures
  • Variability in physical layouts and aging hardware

A thorough scoping effort early in the process prevents downstream rework and ensures an accurate understanding of how CIP‑015‑2 applies.

Architectural Implications

Extending INSM outside the ESP typically requires adjustments in several key areas:

Network Visibility

  • EACMS and PACS may live in IT networks lacking OT visibility tooling
  • Virtual switches, hypervisors, and SAN/NAS fabrics may require specialized collection

Sensor Placement

  • Additional sensors may be needed to monitor non‑ESP environments
  • Cross‑team coordination is essential when sensors must be deployed in IT‑managed networks

Data Aggregation

  • INSM data must be correlated across ESP‑internal, EACMS, PACS, and SCI environments
  • Analysts need unified visibility to understand east‑west movement patterns

Platforms with centralized management, flexible deployment models, and strong IT/OT protocol understanding greatly reduce architectural friction.

The Dragos Platform includes centralized management, flexible deployment models, and strong IT/OT protocol understanding, which greatly reduce architectural friction. These capabilities facilitate seamless integration across both operational technology and information technology networks, enabling organizations to respond rapidly to evolving threats and compliance requirements.

Centralized management streamlines sensor deployment and monitoring, making it easier to coordinate between IT and OT teams, especially when visibility and data collection span multiple environments. Flexible deployment options—such as support for SPAN, TAP, virtual, and flow-based collection—allow security teams to tailor monitoring to the unique topologies of each network segment, minimizing blind spots.

Additionally, deep IT/OT protocol expertise ensures that security tools can accurately interpret traffic and events from diverse sources, helping analysts correlate data, detect lateral movement, and maintain unified situational awareness across the entire infrastructure.

Technology Considerations

OT security platforms built for CIP‑015‑1 generally extend well to CIP‑015‑2 if they offer:

Flexible Deployment Models

  • Sensors that operate both in OT environments and in the environments hosting the systems that support them, such as EACMS, PACS, and SCI
  • Support for SPAN, TAP, virtual, and flow‑based collection
  • Centralized management of distributed sensors

Cross‑Environment Correlation

  • Ability to track how activity in EACMS and PACS environments could propagate toward the ESP
  • Unified threat‑intelligence and detection logic across zones

IT‑OT Context Awareness

  • Understanding of IT protocols (AD, RDP, LDAP, SMB, syslog, DNS, TCP/IP, OSDP) and OT protocols (DNP3, Modbus, BACnet, OPC UA)
  • Ability to distinguish legitimate administrative behavior from suspicious activity
  • Baseline workflows suited for diverse sites

These capabilities help utilities operationalize INSM more efficiently and reduce the burden on SOC teams.

Even before final approval, utilities can begin taking practical steps:

1. Inventory EACMS, PACS, and SCI

Develop a clear understanding of system placement, interdependencies, and network paths by conducting thorough network mapping exercises, reviewing architectural diagrams, reviewing existing CIP-002 inventory or NERC CIP asset lists, and collaborating with both IT and OT teams to identify how systems connect and interact across environments. Utilize tools for network discovery and traffic analysis to visualize connections, document dependencies, and validate the accuracy of system locations and communication flows.

2. Assess Monitoring Gaps

Identify where visibility is limited or missing entirely by performing a thorough review of current monitoring tools and processes, mapping network traffic to identify blind spots, and consulting with both IT and OT teams to ensure all critical interfaces and assets are covered.

Additionally, validate these findings against up‑to‑date network diagrams, confirm sensor placement aligns with actual data flows, document any architectural changes that may introduce new blind spots, and establish a recurring review process so visibility gaps are identified and addressed as environments evolve.

3. Engage IT Stakeholders Early

Many applicable systems live in IT-managed environments — collaboration is essential. To achieve this, utilities should proactively involve IT teams throughout the process by sharing network maps, coordinating on system inventories, and aligning on monitoring responsibilities.

Regular cross-functional meetings, joint workshops, and shared documentation platforms can facilitate clear communication, ensure that both IT and OT perspectives are considered, and help quickly resolve integration challenges. By fostering a culture of joint ownership and open dialogue, organizations can better identify risks, close visibility gaps, and streamline the operationalization of INSM requirements across diverse technical landscapes.

4. Evaluate INSM Solutions

Look for platforms that can scale across substations, control centers, generation sites, and virtualized environments by evaluating their ability to support centralized management, and flexible deployment models.

Assess whether the solution offers modular architecture, automated provisioning, and dynamic resource allocation to accommodate varying site sizes and technical requirements. Additionally, ensure the platform provides robust interoperability with existing IT and OT systems, allowing for unified monitoring and streamlined operations as your network evolves.

For additional guidance on evaluating technologies and solution providers that support INSM, see this SANS buyer’s guide.

5. Plan and Implement Your Architecture

Define sensor placement, aggregation logic, and cross-team workflows by first conducting a comprehensive analysis of your network topology and the critical asset locations described in the steps above. Place sensors at key junctions—such as network ingress/egress points, between IT and OT boundaries, and near high-value assets—to maximize visibility and minimize blind spots.

Establish clear aggregation logic to ensure collected data is efficiently centralized and correlated, enabling timely detection of anomalies and threats. Develop cross-team workflows by mapping out responsibilities, communication protocols, and escalation paths between IT, OT, and security teams, ensuring all parties are aligned in incident detection and response.

For utilities seeking assistance, Dragos offers expertise in optimal sensor deployment, advanced aggregation strategies, and the development of collaborative workflows tailored to complex industrial environments, as detailed in this NERC CIP solution brief.

6. Develop and Implement Processes

Document detection workflows, baselining approaches, triage tiers, and escalation paths.

Organizations that establish a consistent deployment taxonomy (e.g., Not Started → Installed → Commissioned → Ingesting → Operationalized) find it easier to communicate progress and track readiness across all levels of their organization.

If you’re developing your CIP‑015‑1 implementation strategy, avoid designing a program that stops at the ESP boundary. CIP‑015‑2 expands INSM responsibility to the broader CIP‑networked environment.

Organizations that take this comprehensive view now will reduce rework, accelerate deployment timelines, and build a monitoring architecture that scales through 2028 and beyond.

See how this approach has been implemented in practice by large utilities, including Dominion Energy.

The transition from CIP‑015‑1 to CIP‑015‑2 is more than a compliance step — it’s an opportunity to achieve visibility across systems adversaries routinely exploit. With thoughtful planning and the right monitoring capabilities, utilities can strengthen both security and operational resilience.

Watch the on-demand webinar to understand how utilities are approaching internal network security monitoring for CIP-015 and beyond.

Kristine Martz is Principal Product Advisor for Dragos Inc. and has over fifteen years of experience in power and utilities cybersecurity and regulatory compliance, with expertise in NERC standards and real-time systems security.