Internal Network Security Monitoring for Utilities

NERC CIP-015 requires continuous visibility inside trusted OT network zones. Learn what the standard requires, when deadlines hit, and how to prepare.

INSM Fundamentals
INSM shifts monitoring from the perimeter to inside the Electronic Security Perimeter and other trusted network zones, detecting adversaries who have already bypassed traditional defenses using legitimate credentials and protocols.
INSM Requirements
NERC CIP-015 mandates comprehensive internal network security monitoring capabilities for High and Medium Impact BES Cyber Systems. Requirements include monitoring network data feeds, detecting anomalous activity, evaluating detected anomalous activity, protecting monitoring data, and retaining investigation records.
CIP-015 Compliance: Key Deadlines
The first CIP-015 compliance deadline is October 1, 2028 for high and medium impact Control Centers and backup Control Centers with ERC. CIP-015-2, as proposed, extends requirements to EACMS, PACS, and SCI through 2031. Multi-year procurement and infrastructure timelines mean planning should already be underway.
Case study
This case study examines how Dominion Energy transformed their security posture through a comprehensive implementation of the Dragos Platform for internal network security monitoring. What distinguishes Dominion’s approach is their fundamental recognition that “being compliant doesn’t equal being cyber secure.”
Related Resources
Webinar
Tim Conway (SANS) & Robert M. Lee (Dragos) share how to approach INSM for CIP-015—covering planning, implementation, compliance prep, and what effective INSM looks like in practice.
FAQ

Internal Network Security Monitoring involves continuous observation and analysis of network traffic within an organization’s internal infrastructure. For electric utilities, INSM focuses on detecting anomalous activities that may indicate potential threats or vulnerabilities within trusted network zones.

INSM requirements under NERC CIP-015 include collecting network data feeds from within the ESP, detecting anomalous network activity using behavioral baselines and protocol analysis, evaluating detected anomalies through documented processes, protecting monitoring data, and retaining records sufficient for investigation.

INSM provides visibility into east-west network activity within trusted zones, enabling detection of adversaries using legitimate credentials, faster incident response, support for NERC CIP-015 compliance, operational awareness of network behavior changes, and eligibility for FERC Order 893 cost recovery incentives.

Implementing INSM for CIP-015 involves scoping applicable BES Cyber Systems with ERC, assessing network architecture for sensor placement, validating that collected data accurately reflects the environment, operationalizing detection and evaluation workflows, and documenting processes for audit defensibility.

Utilities should seek INSM solutions with OT-native capabilities, passive monitoring techniques, industrial protocol understanding, scalable data management, CIP-015 audit evidence and documentation support, threat intelligence integration, expert implementation support, and proven electric utility sector experience.

CIP-007 R4 focuses on security event monitoring at the host level, tracking north-south traffic into and out of the ESP. CIP-015 adds east-west visibility within the ESP, detecting adversaries who have already bypassed perimeter defenses. CIP-015 complements CIP-007 R4 rather than replacing it.
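The behavioral-baseline approach described in the FAQ above, and the north-south versus east-west distinction in this answer, as an added illustration that is not Dragos code or any part of the Dragos Platform: flows are classified by whether both endpoints sit inside constructed ESP subnets, an east-west baseline is learned from one window, and conversations outside that baseline are flagged in the next. Subnets, hosts, ports and flow records are all constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed ESP address space (assumption); anything else is treated as outside the ESP.
ESP_ZONES = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]

Flow = namedtuple("Flow", "ts src dst dport proto")

def in_esp(addr):
    a = ip_address(addr)
    return any(a in zone for zone in ESP_ZONES)

def direction(flow):
    """north-south crosses the ESP boundary; east-west stays inside it."""
    s, d = in_esp(flow.src), in_esp(flow.dst)
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "external"

def learn_baseline(flows):
    """Every east-west (src, dst, dport, proto) conversation seen in the baseline window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows if direction(f) == "east-west"}

def detect(flows, baseline):
    """East-west flows whose conversation tuple never appeared in the baseline."""
    return [f for f in flows
            if direction(f) == "east-west"
            and (f.src, f.dst, f.dport, f.proto) not in baseline]

# Constructed baseline window: HMI polls two PLCs over Modbus/TCP, a historian
# pulls from an RTU over DNP3, and a jump host talks to a system outside the ESP.
BASELINE_FLOWS = [
    Flow(1, "10.10.1.10", "10.10.2.20", 502, "tcp"),
    Flow(2, "10.10.1.10", "10.10.2.21", 502, "tcp"),
    Flow(3, "10.10.1.30", "10.10.2.20", 20000, "tcp"),
    Flow(4, "10.10.1.50", "192.168.100.5", 443, "tcp"),  # north-south, not baselined here
]

# Constructed monitoring window: the same traffic plus a workstation that has
# never spoken to the PLC opening a Modbus session, then RDP to the HMI.
MONITOR_FLOWS = [
    Flow(10, "10.10.1.10", "10.10.2.20", 502, "tcp"),
    Flow(11, "10.10.1.77", "10.10.2.20", 502, "tcp"),
    Flow(12, "10.10.1.77", "10.10.1.10", 3389, "tcp"),
    Flow(13, "10.10.1.50", "192.168.100.5", 443, "tcp"),
]

if __name__ == "__main__":
    for f in detect(MONITOR_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"new east-west conversation: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The north-south flow in both windows is deliberately ignored by the detector, since that boundary traffic is what perimeter monitoring already covers; only the two unseen east-west conversations are reported.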

CIP-015-1 applies to High and Medium Impact BES Cyber Systems with External Routable Connectivity at Control Centers (by October 2028) and remaining applicable assets (by October 2030). CIP-015-2 expands scope to include EACMS, PACS, and SCI outside the ESP with proposed phased implementation timelines in 2029 and 2031.

CIP-015-1 requires INSM within the Electronic Security Perimeter. CIP-015-2 expands that requirement to EACMS, PACS, and SCI outside the ESP. CIP-015-1 will be retired when CIP-015-2 takes effect. Entities should plan their INSM architecture to cover the full in-scope environment now.

CIP-015-1 applies to High Impact BES Cyber Systems with and without ERC, and Medium Impact BES Cyber Systems with ERC. Medium Impact systems without ERC and Low Impact systems are currently out of scope.

FERC Order 893 established incentive-based rate treatments for utilities that voluntarily adopt advanced cybersecurity practices, including INSM. Early adoption may qualify for cost recovery through transmission rate incentives. Consult your regulatory team for applicability to your entity.

Take the next step to protect your ICS environment now with a free demo.