Internal Network Security Monitoring for Utilities
NERC CIP-015 requires continuous visibility inside trusted OT network zones. Learn what the standard requires, when deadlines hit, and how to prepare.
Internal Network Security Monitoring (INSM) involves continuous observation and analysis of network traffic within an organization’s internal infrastructure. For electric utilities, INSM focuses on detecting anomalous activity that may indicate a threat or vulnerability inside trusted network zones.
INSM requirements under NERC CIP-015 include collecting network data feeds from within the Electronic Security Perimeter (ESP), detecting anomalous network activity using behavioral baselines and protocol analysis, evaluating detected anomalies through documented processes, protecting monitoring data, and retaining records sufficient for investigation.
INSM provides visibility into east-west network activity within trusted zones, enabling detection of adversaries using legitimate credentials, faster incident response, support for NERC CIP-015 compliance, operational awareness of network behavior changes, and eligibility for FERC Order 893 cost recovery incentives.
Implementing INSM for CIP-015 involves scoping applicable BES Cyber Systems with ERC, assessing network architecture for sensor placement, validating that collected data accurately reflects the environment, operationalizing detection and evaluation workflows, and documenting processes for audit defensibility.
Utilities should seek INSM solutions with OT-native capabilities, passive monitoring techniques, industrial protocol understanding, scalable data management, CIP-015 audit evidence and documentation support, threat intelligence integration, expert implementation support, and proven electric utility sector experience.
CIP-007 R4 focuses on security event monitoring at the host level, tracking north-south traffic into and out of the ESP. CIP-015 adds east-west visibility within the ESP, detecting adversaries who have already bypassed perimeter defenses. CIP-015 complements rather than replaces CIP-007 R4.
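As an added illustration of the behavioral-baseline detection described in the CIP-015 requirements above and of the east-west versus north-south distinction, the following Python example learns which intra-ESP conversations are normal from a learning window of flow records and then evaluates a later window against that baseline. It is example code written for this page, not part of the standard or of any vendor product; the ESP address range, the host roles, the timestamps and all flow records are constructed for the demonstration.

```python
"""Added example (not from the page or any vendor product): learn an east-west
conversation baseline from constructed flow records and evaluate new flows
against it. ESP address range, host roles and flow records are all assumed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One flow record as a passive sensor might summarize it; ts is a constructed timestamp
Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumed ESP address space (hypothetical)
ESP_NETWORKS = [ip_network("10.20.0.0/24")]


def in_esp(addr, esp_networks=ESP_NETWORKS):
    ip = ip_address(addr)
    return any(ip in net for net in esp_networks)


def flow_direction(flow, esp_networks=ESP_NETWORKS):
    """east-west: both endpoints inside the ESP (CIP-015 scope);
    north-south: one endpoint inside (perimeter traffic, the CIP-007 R4 view);
    external: neither endpoint inside."""
    inside = int(in_esp(flow.src, esp_networks)) + int(in_esp(flow.dst, esp_networks))
    return {2: "east-west", 1: "north-south", 0: "external"}[inside]


def conversation_key(flow):
    # Baseline identity ignores time: who talks to whom, on which service
    return (flow.src, flow.dst, flow.dport, flow.proto)


def build_baseline(flows, esp_networks=ESP_NETWORKS):
    """Learn the set of east-west conversations seen during a learning window."""
    return {conversation_key(f) for f in flows
            if flow_direction(f, esp_networks) == "east-west"}


def evaluate(flows, baseline, esp_networks=ESP_NETWORKS):
    """Return findings for east-west flows absent from the baseline, each with a
    reason and the original record so the evaluation can be documented and retained."""
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}
    findings = []
    for f in flows:
        if flow_direction(f, esp_networks) != "east-west":
            continue  # perimeter traffic is outside this example's INSM scope
        key = conversation_key(f)
        if key in baseline:
            continue
        if (f.src, f.dst) in known_pairs:
            reason = "new service between known peers"
        else:
            reason = "new east-west conversation"
        findings.append({"record": f, "reason": reason})
    return findings


# Constructed learning-window flows
BASELINE_FLOWS = [
    Flow("2026-03-01T08:00:00Z", "10.20.0.10", "10.20.0.50", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    Flow("2026-03-01T08:00:05Z", "10.20.0.10", "10.20.0.51", 502, "tcp"),    # HMI -> second PLC
    Flow("2026-03-01T08:01:00Z", "10.20.0.20", "10.20.0.60", 20000, "tcp"),  # historian -> RTU, DNP3
    Flow("2026-03-01T08:02:00Z", "10.20.0.10", "192.168.5.5", 443, "tcp"),   # HMI -> host outside the ESP
]

# Constructed flows from a later monitoring window
OBSERVED_FLOWS = [
    Flow("2026-03-08T09:00:00Z", "10.20.0.10", "10.20.0.50", 502, "tcp"),    # already baselined
    Flow("2026-03-08T09:00:30Z", "10.20.0.10", "10.20.0.50", 22, "tcp"),     # known peers, new service
    Flow("2026-03-08T09:01:00Z", "10.20.0.30", "10.20.0.51", 502, "tcp"),    # never-seen source reaching a PLC
    Flow("2026-03-08T09:02:00Z", "10.20.0.20", "192.168.5.9", 445, "tcp"),   # north-south: not evaluated here
]


def run_example():
    baseline = build_baseline(BASELINE_FLOWS)
    return evaluate(OBSERVED_FLOWS, baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(finding["reason"], finding["record"])
```

The learning window here yields three east-west conversations; the flow to 192.168.5.5 is north-south and is deliberately left out of the baseline, since the perimeter view belongs to CIP-007 R4 monitoring. In the later window, SSH between two hosts that normally only speak Modbus/TCP and a never-seen workstation reaching a PLC both surface as findings carrying the original record, which is what a documented evaluation process and a retention requirement need. A production deployment would replace the static address list with the entity's ESP inventory and add protocol-level checks (for example, function codes inside Modbus or DNP3) on top of the conversation baseline.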
CIP-015-1 applies to High and Medium Impact BES Cyber Systems with External Routable Connectivity at Control Centers (by October 2028) and remaining applicable assets (by October 2030). CIP-015-2 expands scope to include EACMS, PACS, and SCI outside the ESP with proposed phased implementation timelines in 2029 and 2031.
CIP-015-1 requires INSM within the Electronic Security Perimeter. CIP-015-2 expands that requirement to EACMS, PACS, and SCI outside the ESP. CIP-015-1 will be retired when CIP-015-2 takes effect. Entities should plan their INSM architecture to cover the full in-scope environment now.
CIP-015-1 applies to High Impact BES Cyber Systems with and without ERC, and Medium Impact BES Cyber Systems with ERC. Medium Impact systems without ERC and Low Impact systems are currently out of scope.
FERC Order 893 established incentive-based rate treatments for utilities that voluntarily adopt advanced cybersecurity practices, including INSM. Early adoption may qualify for cost recovery through transmission rate incentives. Consult your regulatory team for applicability to your entity.