Internal Network Security Monitoring for Utilities

Internal Network Security Monitoring (INSM) is transforming how electric utilities protect critical infrastructure. With NERC CIP-015 requirements and evolving cyber threats, INSM provides essential visibility into trusted network zones while supporting regulatory compliance and operational resilience.

INSM Fundamentals

Internal network security monitoring (INSM) provides continuous visibility into trusted network zones, enabling utilities to detect threats that bypass perimeter defenses.

INSM Requirements

NERC CIP-015 mandates comprehensive internal network security monitoring capabilities for High and Medium Impact BES Cyber Systems. Requirements include monitoring network data feeds, detecting anomalous activity, analyzing threats, protecting monitoring data, and retaining investigation records.

CIP-015 Compliance Deadline: October 1, 2028

Asset owners have just over 3 years to implement internal network security monitoring for High and Medium Impact BES Cyber Systems. Start planning now.

Case study

This case study examines how Dominion Energy transformed their security posture through a comprehensive implementation of the Dragos Platform for internal network security monitoring. What distinguishes Dominion’s approach is their fundamental recognition that “being compliant doesn’t equal being cyber secure.”

Related Resources

Webinar

Tim Conway (SANS) & Robert M. Lee (Dragos) share how to approach INSM for CIP-015—covering planning, implementation, compliance prep, and what effective INSM looks like in practice.

FAQ

Internal Network Security Monitoring involves continuous observation and analysis of network traffic within an organization’s internal infrastructure. For electric utilities, INSM focuses on detecting anomalous activities that may indicate potential threats or vulnerabilities within trusted network zones.

INSM requirements for utilities include network data collection from trusted zones, anomaly detection capabilities, threat analysis and evaluation processes, data protection mechanisms, retention procedures for investigative purposes, and integration with broader cybersecurity operations aligned with NERC CIP-015 standards.

Internal network security monitoring provides enhanced threat detection within trusted zones, improved incident response capabilities, regulatory compliance support, better asset protection from lateral movement attacks, operational visibility into network behavior, and qualification for FERC Order 893 cost recovery incentives.

INSM implementation involves conducting network architecture assessments, identifying monitoring points within BES Cyber Systems, evaluating current detection capabilities, developing data management procedures, training personnel on CIP-015 requirements, and partnering with experienced INSM solution providers.

Utilities should seek INSM solutions with OT-native capabilities, passive monitoring techniques, industrial protocol understanding, scalable data management, NERC CIP compliance reporting features, threat intelligence integration, expert implementation support, and proven electric utility sector experience.
