
Reliability Standard CIP-015-1 and the Internal Network Security Monitoring (INSM) Journey

By Michael Spangenberg, MRO Senior Risk Assessment and Mitigation Engineer CIP

The purpose of NERC Reliability Standard CIP-015-1 is to improve the probability of detecting anomalous or unauthorized network activity to facilitate improved response and recovery from an attack. To achieve the purpose of CIP-015-1, registered entities—the utility companies required to comply with NERC Reliability Standards—with high and medium impact bulk electric system (BES) cyber systems with external routable connectivity will be required to collect east-west network traffic within an electronic security perimeter (ESP) for detection of, and response to, anomalous activity.1 Additionally, registered entities are required to implement processes to retain and protect the data associated with network activity determined to be anomalous. The implementation plan includes two enforcement dates depending on the characteristics of the BES cyber system. (See Figure 1.)

Figure 1: CIP-015-1 Implementation Plan Enforcement Dates

CIP-015-1, Requirement 1 (R1)

R1. Each Responsible Entity shall implement one or more documented process(es) for internal network security monitoring of networks protected by the Responsible Entity’s Electronic Security Perimeter(s) of high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity to provide methods for detecting and evaluating anomalous network activity. The documented process(es) shall include each of the following requirement Parts: [Violation Risk Factor: Medium] [Time Horizon: Same Day Operations and Operations Assessment].

Requirement 1 of the CIP-015-1 standard outlines the implementation of documented processes for internal network security monitoring of networks protected by registered entities’ ESP for the applicable systems. For example, each registered entity should review the complete list of ESPs to ensure internal processes provide a clearly documented connection between an applicable system and the ESP protecting it. While performing this exercise, it is important to document any unique characteristics, architecture, implementations, or data collection opportunities associated with the BES cyber systems and the associated ESPs (e.g., network design, network equipment capabilities, Wide Area Network connectivity, number of BES cyber assets (BCAs) included in a BES cyber system (BCS), and types of industrial control systems (ICS) protocols used).

For additional reference, Robert Lee, CEO and Founder of Dragos–an industrial cybersecurity company that provides technology, intelligence, and services to protect operational technology (OT) environments and critical infrastructure–presented at MRO’s 2018 Security Conference on the topic of Collection Management Frameworks (CMF).2 Lee explained that building and maintaining a CMF is one approach for identifying gaps in data collection and data feeds to help with detection of, and response to, adversary behavior. Documenting and maintaining the characteristics of the BCSs and the associated ESPs, including a CMF, may assist in implementing and maintaining an INSM program.

CIP-015-1, Requirement 1.1

1.1 Implement, using a risk-based rationale, network data feed(s) to monitor network activity; including connections, devices, and network communications.

Requirement 1.1 describes how registered entities should implement, using a risk-based rationale, network data feed(s) to monitor network activity, including connections, devices, and network communications. The risk-based rationale should consider the relevant data that will be needed for cybersecurity monitoring purposes. In determining the location and data collection methods, registered entities may consider information such as adversary analysis (tactics, techniques, and procedures), ICS protocols used within ESPs, and the data types available within the ESPs. At MRO’s 2024 Security Conference, experts from the Salt River Project described their company’s INSM journey, specifically explaining what data they collected to detect adversary behaviors within their environments.3

Knowing what behaviors to detect is a useful input into the risk-based rationale for determining the location of network feeds. One way to derive these behaviors is through tabletop incident response exercises.

Another is to walk through scenarios of real attacks seen in the electricity industry. For example, the 2016 attack on the Ukrainian power grid leveraged the CRASHOVERRIDE malware, which attempted to send illegitimate commands to field cyber assets.4 Entities may want to ensure that their network data feeds can detect Distributed Network Protocol 3 (DNP3) traffic being generated by a cyber asset not explicitly implemented to perform DNP3 communication with field cyber assets.
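The DNP3 check described above, as an added example that is not part of the MRO article: flow records from an ESP span port are compared against the entity's documented list of DNP3 masters, and any DNP3 flow toward field assets from an undocumented source is flagged. The addresses, allow-list and flow records are constructed for illustration.

```python
"""Added example (not from the MRO article): flag DNP3 traffic whose source is
not a documented DNP3 master. Addresses and flow records are constructed."""
from dataclasses import dataclass
import ipaddress

DNP3_PORT = 20000  # IANA-registered TCP/UDP port for DNP3


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed baseline: cyber assets documented (per the R1 process) as the
# only DNP3 masters inside this ESP. Hypothetical addresses.
AUTHORIZED_DNP3_MASTERS = {"10.10.1.10", "10.10.1.11"}
# Constructed: the field-device network reached from inside the ESP.
FIELD_NET = ipaddress.ip_network("10.20.0.0/16")


def is_dnp3(flow: Flow) -> bool:
    return flow.dport == DNP3_PORT and flow.proto in ("tcp", "udp")


def evaluate(flows):
    """Return (anomalies, baseline_count). An anomaly is a DNP3 flow toward a
    field asset whose source is not a documented DNP3 master."""
    anomalies, baseline = [], 0
    for f in flows:
        if not is_dnp3(f) or ipaddress.ip_address(f.dst) not in FIELD_NET:
            continue
        if f.src in AUTHORIZED_DNP3_MASTERS:
            baseline += 1
        else:
            anomalies.append(f)
    return anomalies, baseline


# Constructed sample east-west flow records
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.20.3.5", 20000, "tcp"),  # documented master -> RTU
    Flow("10.10.1.11", "10.20.3.6", 20000, "tcp"),  # documented master -> RTU
    Flow("10.10.5.42", "10.20.3.5", 20000, "tcp"),  # workstation -> RTU: anomalous
    Flow("10.10.5.42", "10.10.1.10", 443, "tcp"),   # HTTPS inside ESP, not DNP3
    Flow("10.10.1.10", "10.20.3.5", 20000, "udp"),  # documented master, UDP DNP3
]

if __name__ == "__main__":
    found, ok = evaluate(SAMPLE_FLOWS)
    print(f"{ok} baseline DNP3 flows, {len(found)} anomalous")
    for a in found:
        print(f"ALERT: unexpected DNP3 from {a.src} to {a.dst} ({a.proto}/{a.dport})")
```

A port-based classifier only identifies DNP3 by convention; a protocol-aware sensor that parses the DNP3 application layer can apply the same allow-list to the actual function codes seen.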

CIP-015-1, Requirement 1.2

1.2 Implement one or more method(s) to detect anomalous network activity using the network data feed(s) from Part 1.1.

Requirement 1.2 will require method(s) for detecting anomalous network activity using the network data feeds from R1.1. The CIP-015-1 technical rationale describes detection techniques and methods to consider when determining which anomalous network activity to detect and which data to collect.5 The method(s) should include how the detection systems will be tuned to ensure that the anomalous network activity to be detected produces appropriate notifications and alerts. Additionally, registered entities may determine that additional network data feeds, or modifications to existing network data feeds, are needed to appropriately detect the desired anomalous network activity.

CIP-015-1, Requirement 1.3

1.3 Implement one or more method(s) to evaluate anomalous network activity detected in Part 1.2 to determine further action(s).

Requirement 1.3 requires the implementation of method(s) for evaluating anomalous network activity detected in Part 1.2 and determining next steps. Evaluating detected anomalous network activity initiates the analysis of a detection. The analysis may include escalation processes such as CIP-008 cybersecurity incident response, reviewing playbooks with operational staff, or other analysis processes, as determined by the entity.

CIP-015-1, Requirement 2 and Requirement 3

Requirement 2 defines the processes for retaining INSM data associated with network activity determined to be anomalous until the R1.3 evaluation processes are complete. Requirement 3 further defines the protection of INSM data collected in support of R1 and retained in support of R2 to mitigate the risks of unauthorized deletion or modification. When implementing methods for R1, registered entities will need to consider the R2 and R3 requirements to ensure the tools and systems supporting INSM have the appropriate data retention and protection capabilities.
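One way to make retained anomaly records tamper-evident, so that unauthorized modification or deletion of the kind R3 is concerned with can be detected: each record is bound to its predecessor with a keyed hash, so altering or removing an entry breaks verification of everything after it. This is an added example, not from the MRO article or the standard; the key, record fields and timestamps are constructed.

```python
"""Added example (not from the MRO article): a keyed hash chain over retained
INSM anomaly records so modification or deletion becomes detectable."""
import copy
import hashlib
import hmac
import json


def _tag(key: bytes, prev_tag: bytes, record: dict) -> str:
    payload = prev_tag + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def retain(key: bytes, records):
    """Build the chain: each entry's tag covers its record and the previous tag."""
    chain, prev = [], b""
    for rec in records:
        tag = _tag(key, prev, rec)
        chain.append({"record": rec, "tag": tag})
        prev = tag.encode()
    return chain


def verify(key: bytes, chain):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = b""
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i
        prev = entry["tag"].encode()
    return True, None


# Constructed: anomalies retained while the R1.3 evaluation is pending.
KEY = b"constructed-demo-key; protect and rotate a real one"
RECORDS = [
    {"ts": "2025-07-01T10:15:02Z", "src": "10.10.5.42", "dst": "10.20.3.5", "proto": "dnp3"},
    {"ts": "2025-07-01T10:15:09Z", "src": "10.10.5.42", "dst": "10.20.3.6", "proto": "dnp3"},
    {"ts": "2025-07-01T10:16:40Z", "src": "10.10.7.8", "dst": "10.20.3.5", "proto": "dnp3"},
]


def delete_middle(chain):
    """Simulate unauthorized deletion of entry 1; verification fails at the entry after it."""
    return [chain[0]] + chain[2:]


def alter_first(chain):
    """Simulate unauthorized modification of entry 0's content (copy, do not mutate)."""
    tampered = copy.deepcopy(chain)
    tampered[0]["record"]["src"] = "10.10.1.10"
    return tampered
```

A chain alone cannot detect truncation at the tail (dropping the newest entries), so the latest tag should also be anchored outside the system holding the records, and the key must be kept away from anyone able to edit them.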

FERC Order 907 and CIP-015-2 (NERC SDT 2025-02)

While approving CIP-015-1, the Federal Energy Regulatory Commission (FERC) directed NERC to develop modifications to CIP-015-1 to extend INSM to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside of the ESP. The NERC Standards Project 2025-02 has been formed to make the modifications directed by FERC within the required 12-month timeframe (by September 1, 2026). Registered entities should consider the potential modifications to the INSM program outside of an ESP in their implementation of CIP-015-1.

Next Steps

Implementation of an INSM program will require intentional collaboration between departments within your organization. Initiating this collaboration, developing processes and architecture, and forming partnerships with both internal and external stakeholders will inform you of the methods and tools needed to implement INSM at your organization. At the same time, registered entities should incorporate CIP-015-1 and INSM into their internal controls program. For example, a registered entity planning an EMS upgrade in three years should include INSM collection requirements, and testing of the INSM collection, throughout the project, such as during Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT).

Entities might also consider incorporating their INSM implementation into onboarding or commissioning processes for new applicable Cyber Assets. Tim Conway, Technical Director of ICS and SCADA Programs, SANS, gave a presentation at MRO’s 2025 Reliability, Security and Compliance Summit on the 2015 Ukraine attack, including proposed mitigation techniques that address current evolving threats. Conway explained the concept of “Secure by Deployment,”6 in which deployment of systems and security controls requires a built-in conversation among all stakeholders (e.g., registered entities, vendors, integrators, original equipment manufacturers, etc.) to achieve the operational and security objectives of an organization. We encourage registered entities to consider this concept regardless of where they are in the deployment of an INSM program. Proper planning with intentional collaboration, both internally and externally, will be key to detecting and mitigating the consequences of threats to the reliability and security of the BES.

Have an implementation or compliance question? Contact [email protected].

References:

1 NERC. (2024a, May 9). CIP-015-1 – Cyber Security – Internal Network Security Monitoring. https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-015-1.pdf

2 Lee, R. (2018, November 20). ICS SCADA Security. Vimeo. https://vimeo.com/301876668?share=copy

3 Johnson-Barbier, M., & Heyen, B. (2024, October 10). Internal Network Security Monitoring (INSM). Vimeo. https://vimeo.com/1018409735

4 Assante, M. J., Lee, R. M., & Conway, T. (2017, August 2). ICS Defense Use Case No. 6: Modular ICS Malware. SANS Institute Industrial Control Systems (ICS). https://www.sans.org/blog/industrial-control-systems-library

5 NERC. (2024b, April 24). Technical Rationale for Reliability Standard CIP-015-1. https://www.nerc.com/pa/Stand/Project_202303_INSM_DL/2023-03%20Technical%20Rationale%20FB%20clean.pdf

6 Midwest Reliability Organization. (2025, June 4). MRO Summit 2025 – Security Track Day 1. Vimeo. https://vimeo.com/1090609908