On June 26, the Federal Energy Regulatory Commission (FERC) formally approved Reliability Standard CIP-015-1 (Cyber Security – Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC) had submitted in response to a Commission directive. The final rule entered the Federal Register on July 2, 2025.

In addition, the Commission directed NERC to modify the standard to extend internal network security monitoring (INSM) to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside of the electronic security perimeter.

 

What Does It Mean?

Your utility must act expeditiously to comply with CIP-015-01. Utilities will need monitoring tools with deep and wide asset intelligence and network control. Unlike the previous NERC CIP standards, which focused almost entirely on protecting the electronic security perimeter of networks, CIP-015-01 addresses blind spots within the internal network.

 

Why Does This Matter?

The attack surface continues to grow as the number of devices that help with the day-to-day management of utilities expands. When the notice of proposed rulemaking for CIP-015-01 appeared in the Federal Register in 2023, it specifically referred to the SolarWinds attack as a major reason for the need for wider and deeper monitoring and also stated that “…an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack.”

According to ASIS, the following serve 145 million households and businesses in the US[i]:

  • 7,300 power plants
  • 300,000 transmission and distribution stations
  • 160,000 miles of high-voltage transmission lines
  • 5 million miles of local distribution lines

The number of susceptible points on the U.S. electrical networks has been increasing by about 60 per day, making them increasingly vulnerable to cyberattacks (per NERC). Moreover, with the addition of solar power into the electric grid, new vulnerabilities have entered the system. A March 2025 Forescout report shows that over 50% of solar power inverters are made in China, with 3 vendors accounting for 46 new vulnerabilities that impact electric grid stability and user privacy.


Stopping state-sponsored hackers

In recent years, state-sponsored organizations have exploited critical infrastructure cybersecurity gaps, including those in Denmark and Ukraine and at a water utility near Pittsburgh. As Dr. Robin Berthier, a network auditor and cybersecurity research scientist, explained, “This standard bolsters the grid’s defense mechanisms by enhancing visibility and response capabilities.”

Avoiding hefty fines and PR damage

NERC has the authority to issue fines of up to $1,000,000 per day, per violation of a Reliability Standard Requirement. Keep in mind, that’s $1 million ‘per violation.’ NERC has fined a single organization $10 million for standards violations.

 

What Organizations Are Affected by the New Standard?

Any organization identified as a “Registered Entity” and involved in operating or supporting North America’s bulk electric system (BES) must comply with CIP-015-01. They include:

  • Electric Utilities – Transmission operators, generation operators, and balancing authorities.
  • Independent System Operators (ISOs) and Regional Transmission Organizations (RTOs) – Organizations that manage the flow of electricity on the grid and coordinate regional transmission.
  • Reliability Coordinators – Entities responsible for ensuring that the BES operates reliably under varying conditions.


What Is Internal Network Security Monitoring (INSM) Exactly?

According to FERC, INSM is a subset of network security monitoring that is applied within a trust zone, such as a perimeter zone with elevated credentials inside of an entity’s internal network. For this final rule, the trust zone applicable to INSM is the CIP-networked environment. INSM enables continuous visibility into communications between networked devices within the trust zone and detection of malicious activity that has avoided perimeter controls. INSM also helps detect anomalous network activity that indicates an in-progress attack, increasing the probability of early detection as well as faster mitigation and recovery from an attack.

INSM consists of three stages: (1) collection; (2) detection; and (3) analysis. Together, they provide early detection and alerting of intrusions and malicious activity. This lowers the probability that an attacker can gain operational control of a target system and reduces lateral movement once an attacker is within the internal network.

Note: CIP-015-01 does not apply to IT and IoT environments. According to FERC’s final rule, “OpenPolicy’s proposal to extend the definition of the term CIP-networked environment to include information technology and Internet of Things environments is outside the scope of this proceeding, which focuses on INSM implementation in operational technology environments.”

 

How Does My Organization Comply with CIP-015-01?

The following are the major requirements of the new standard:

  1. Develop baselines of the network traffic* inside your CIP-networked environment.
  2. Monitor, detect, and evaluate anomalous activity, connections, devices and software.
  3. Implement process(es) for retaining INSM data associated with anomalous network activity.
  4. Identify anomalous activity to a high level of confidence by:
    • Logging network traffic
    • Maintaining logs and other data collected regarding network traffic
    • Implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques and procedures from compromised devices
    • Protecting INSM monitoring data collected and retained in support of the above

*Network traffic goes beyond tracking volume. Organizations must monitor behavior across network communications and protocols – and remove blind spots.
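
The baseline, detect and retain steps listed above, and the point that traffic monitoring goes beyond volume, shown as an added example; it is not taken from the standard or from any product. The flow records, addresses and function names are constructed for illustration.

```python
# Constructed flow records: (src, dst, protocol, dst_port, bytes). Not real traffic.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.1.20", "dnp3", 20000, 1200),
    ("10.1.1.10", "10.1.1.21", "dnp3", 20000, 1100),
    ("10.1.1.30", "10.1.1.20", "modbus", 502, 400),
    ("10.1.1.10", "10.1.1.20", "dnp3", 20000, 1300),
]
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.1.20", "dnp3", 20000, 1250),  # matches baseline
    ("10.1.1.30", "10.1.1.21", "modbus", 502, 600),   # known devices, new pairing
    ("10.1.1.10", "10.1.1.20", "ssh", 22, 900),       # known pair, new protocol
    ("10.1.1.99", "10.1.1.20", "dnp3", 20000, 700),   # device never seen before
]

def build_baseline(flows):
    """Learn the devices, device pairs and protocol conversations seen in normal traffic."""
    return {
        "devices": {ip for f in flows for ip in f[:2]},
        "pairs": {f[:2] for f in flows},
        "conversations": {f[:4] for f in flows},
    }

def evaluate(flow, baseline):
    """Return the reasons a flow deviates from the baseline (empty list if it does not)."""
    src, dst, proto, port, _ = flow
    unknown = [f"new device {ip}" for ip in (src, dst) if ip not in baseline["devices"]]
    if unknown:
        return unknown
    if (src, dst) not in baseline["pairs"]:
        return [f"new connection {src}->{dst}"]
    if (src, dst, proto, port) not in baseline["conversations"]:
        return [f"new protocol {proto}/{port} on known connection"]
    return []

def monitor(observed, baseline):
    """Evaluate each collected flow and retain only the anomalous ones, with reasons."""
    retained = []
    for flow in observed:
        reasons = evaluate(flow, baseline)
        if reasons:
            retained.append({"flow": flow, "reasons": reasons})
    return retained

def volume_only_alerts(observed, baseline_flows, tolerance=0.5):
    """Comparison case: flag a flow only when its byte count strays from the baseline mean."""
    avg = sum(f[4] for f in baseline_flows) / len(baseline_flows)
    return [f for f in observed if abs(f[4] - avg) > tolerance * avg]

if __name__ == "__main__":
    for item in monitor(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(item["flow"], item["reasons"])
    print("volume-only alerts:", volume_only_alerts(OBSERVED_FLOWS, BASELINE_FLOWS))
```

On this constructed data the behavioral baseline retains three flows, while the volume-only check flags none of them.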

 

When Is the CIP-015-01 Compliance Deadline?

The FERC action is effective September 2, 2025. Starting from that day, your utility will have three years to deploy monitoring in line with the new standard, which means you need to have a compliant monitoring solution and the surrounding processes deployed by September 2, 2028. While that may seem like a long runway to deploy, the often slow procurement process at medium-to-large-sized utility companies can last up to 18 months, leaving just a year and a half to deploy. That can be challenging when deploying over a large territory.

Since NERC is expected to develop the recommendations for extending CIP-015-01 to include EACMS and PACS environments within 12 months, you can reasonably expect that eventual compliance with those portions of the standard will likely be required around September 2029.



[i] ASIS International. Girding the Grid. Accessed December 20, 2024, from https://www.asisonline.org/security-management-magazine/monthly-issues/security-technology/archive/2024/february/girding-the-grid/