
East-West Traffic Monitoring in OT Meeting NERC CIP-015 Requirements


Team Shieldworkz
On July 2, 2025, the Federal Energy Regulatory Commission formally approved NERC Reliability Standard CIP-015-1, sending a clear signal to every responsible entity operating high- and medium-impact Bulk Electric System (BES) Cyber Systems with External Routable Connectivity: perimeter defenses alone are no longer enough.
Plant managers, OT engineers, and CISOs suddenly faced a new reality. By October 1, 2028, you must implement Internal Network Security Monitoring (INSM) focused squarely on east-west traffic inside your Electronic Security Perimeters (ESPs). The goal? Detect anomalous or unauthorized activity before it disrupts operations, compromises reliability, or triggers a CIP-008 incident.
Unlike the “spray-and-pray” perimeter attacks of the past, today’s adversaries thrive on lateral movement inside trusted zones-scanning PLCs, pivoting via legitimate protocols, and living off the land for weeks. Hasbro’s March 2026 incident showed what happens when visibility stops at the firewall. CIP-015-1 is NERC’s direct response to that blind spot.
At Shieldworkz, we believe every regulatory shift is an opportunity to build genuine resilience. This post dissects the anatomy of NERC CIP-015-1, the tactical requirements that will separate compliant from non-compliant organizations, the real-world threats exploiting east-west traffic today, and the practical defensive shifts you can make right now.
Before we dive in, don’t forget to check out our previous post on the Top 15 OT Security Threats in the Industrial Manufacturing sector.
The Background
The electric sector has watched ransomware and state-aligned actors target industrial organizations with alarming precision. In 2025 alone, Dragos tracked 119 ransomware groups that collectively impacted 3,300 industrial organizations-a 49% year-over-year surge. Manufacturing took the hardest hit. Yet the most telling statistic? 88% of OT networks still struggle with detection and response capabilities, while only 30% have meaningful visibility into their environments.
Attackers no longer need zero-days. They buy credentials from initial access brokers, use living-off-the-land techniques, and move laterally inside ESPs using the very protocols your control systems rely on-Modbus, DNP3, OPC UA. North-south perimeter tools miss this entirely. East-west traffic is where the real damage happens. IoT industrial security and legacy ICS assets make the problem worse. Many devices lack logging, so the only reliable signal is the network conversation itself.
CIP-015-1 closes that gap by mandating continuous, risk-based monitoring of internal communications-the “chatter” between assets you once considered trusted.
Today’s blog post dissects exactly what NERC CIP-015-1 demands, why east-west visibility is now non-negotiable for OT security and ICS network protection, and how Shieldworkz’s agentic-AI-powered Network Detection and Response platform turns compliance into a genuine operational advantage. You’ll walk away with a clear implementation roadmap and the confidence that your plant can meet the October 2028 deadline without disrupting production.
The Timeline
The journey to full enforcement didn’t happen overnight:
June 2024 - NERC files CIP-015-1 with FERC.
June 26, 2025 - FERC issues approval order.
October 1, 2028 - Mandatory compliance for high- and medium-impact BES Cyber Systems with ERC.
Future updates (CIP-015-2) will expand INSM to Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the ESP, further tightening the net. Entities must retain evidence of compliance for at least three calendar years. Passive monitoring is strongly preferred-OT downtime is never an option.
What CIP-015-1 Demands: Key Requirements for Compliance
The standard is refreshingly focused. Requirement R1 requires you to implement documented processes for INSM that include:
Risk-based network data feeds - Monitor connections, devices, and communications inside the ESP.
Anomaly detection methods - Establish behavioral baselines and flag deviations.
Evaluation and action - Investigate anomalies and link them to your incident response plan.
R2 mandates retention of data associated with confirmed anomalous activity until the incident is resolved. R3 requires protection of that monitoring data against unauthorized deletion or modification.
In plain language: east-west traffic visibility is now mandatory. You must move beyond signature-based perimeter tools and actively baseline normal operations so you can spot the subtle signals-unexpected device pairings, unusual protocol commands at 3 a.m., or sudden spikes in internal traffic.
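To make the R1 ideas concrete, here is an added example (not Shieldworkz platform code and not part of the standard) of the smallest useful east-west baseline: learn which device pairings, protocol operations and hours of day appeared during a learning window, then flag conversations that fall outside it. Every address, protocol operation label and byte count below is constructed for illustration; the Flow shape stands in for whatever summary your passive sensor or flow collector produces.

```python
"""Added example (not Shieldworkz platform code): a toy east-west baseline
and anomaly check in the spirit of CIP-015-1 R1. Device addresses, protocol
operation labels and byte counts are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """One summarised internal conversation, as a passive sensor or flow
    collector inside the ESP might report it (constructed shape)."""
    ts: datetime
    src: str
    dst: str
    proto: str
    op: str      # protocol operation, e.g. a Modbus function name
    nbytes: int  # bytes exchanged in this conversation


@dataclass
class PairProfile:
    """What the learning window saw for one (src, dst, proto) pairing."""
    ops: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    max_bytes: int = 0


# Constructed learning window: an HMI polling a PLC over Modbus, and a
# gateway reading a substation device over DNP3, all during working hours.
BASELINE_FLOWS = [
    Flow(datetime(2026, 3, 2, 8, 15), "10.10.1.20", "10.10.1.50", "modbus", "read_holding_registers", 1200),
    Flow(datetime(2026, 3, 2, 9, 40), "10.10.1.20", "10.10.1.50", "modbus", "read_holding_registers", 1100),
    Flow(datetime(2026, 3, 3, 14, 5), "10.10.1.20", "10.10.1.50", "modbus", "read_holding_registers", 1300),
    Flow(datetime(2026, 3, 2, 8, 20), "10.10.1.21", "10.10.1.51", "dnp3", "read", 900),
    Flow(datetime(2026, 3, 3, 16, 30), "10.10.1.21", "10.10.1.51", "dnp3", "read", 950),
]

# Constructed observation window: one normal poll, then three deviations
# of the kinds the standard expects you to surface.
OBSERVED_FLOWS = [
    Flow(datetime(2026, 3, 9, 9, 5), "10.10.1.20", "10.10.1.50", "modbus", "read_holding_registers", 1150),
    Flow(datetime(2026, 3, 10, 3, 2), "10.10.1.20", "10.10.1.50", "modbus", "write_single_register", 1000),
    Flow(datetime(2026, 3, 10, 10, 0), "10.10.1.99", "10.10.1.50", "modbus", "read_holding_registers", 1200),
    Flow(datetime(2026, 3, 11, 16, 10), "10.10.1.21", "10.10.1.51", "dnp3", "read", 60000),
]


def build_baseline(flows):
    """Learn, per pairing, which operations and hours were seen and the
    largest conversation size. Returns {(src, dst, proto): PairProfile}."""
    profiles = defaultdict(PairProfile)
    for f in flows:
        p = profiles[(f.src, f.dst, f.proto)]
        p.ops.add(f.op)
        p.hours.add(f.ts.hour)
        p.max_bytes = max(p.max_bytes, f.nbytes)
    return dict(profiles)


def evaluate(flow, profiles, spike_factor=5):
    """Compare one flow with the baseline. Returns a list of (rule, detail)
    findings; an empty list means the flow matches learned behaviour."""
    key = (flow.src, flow.dst, flow.proto)
    prof = profiles.get(key)
    if prof is None:
        # A pairing never seen in the learning window is the strongest signal,
        # so report it alone rather than piling on per-pair rules.
        return [("new_pairing", f"{flow.src} -> {flow.dst} over {flow.proto} not in baseline")]
    findings = []
    if flow.op not in prof.ops:
        findings.append(("new_operation", f"{flow.op} not previously seen for this pairing"))
    if flow.ts.hour not in prof.hours:
        findings.append(("off_hours", f"activity at {flow.ts:%H:%M} outside learned hours {sorted(prof.hours)}"))
    if flow.nbytes > spike_factor * prof.max_bytes:
        findings.append(("volume_spike", f"{flow.nbytes} bytes vs baseline max {prof.max_bytes}"))
    return findings


def triage(flows, profiles):
    """Evaluate a batch; returns {index: findings} for anomalous flows only,
    which is the set R1 expects you to evaluate and, if confirmed, retain."""
    anomalies = {}
    for i, f in enumerate(flows):
        findings = evaluate(f, profiles)
        if findings:
            anomalies[i] = findings
    return anomalies


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_FLOWS)
    for i, findings in triage(OBSERVED_FLOWS, profiles).items():
        for rule, detail in findings:
            print(f"flow {i}: {rule}: {detail}")
```

Run as-is, the script reports the 3 a.m. write to the PLC as both a new operation and off-hours activity, the unknown workstation as a new pairing, and the oversized DNP3 read as a volume spike, while the routine morning poll passes silently. The learned hour set and the fixed spike factor are deliberately crude: a production baseline needs a learning window long enough to cover maintenance and shift patterns, and per-pairing thresholds derived from observed variance rather than a constant, otherwise the false positives will bury the 3 a.m. write.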
What Went Wrong in OT Environments Before CIP-015
Historical patterns show three recurring failure points that CIP-015-1 directly addresses:
Identity-first lateral movement - Attackers steal or fatigue MFA, then walk the network as legitimate users.
Living-off-the-land techniques - PowerShell, RDP, legitimate OT protocols-all blend into normal east-west chatter.
Third-party and supply-chain tunnels - A compromised vendor VPN or IoT device becomes the perfect internal launchpad.
Without east-west monitoring, dwell time averages 42 days in OT ransomware cases-plenty of time to map your control loops and prepare disruption.
The Implementation Strategy: How Shieldworkz Turns Compliance Into Resilience
Meeting CIP-015 doesn’t require a forklift upgrade. Here’s the practical playbook we deploy with clients:
Risk-based asset and conduit inventory - Map every device and communication path inside your ESPs.
Deploy passive sensors at strategic chokepoints - Focus first on high-impact production cells.
Capture and inspect east-west traffic - Use Deep Packet Inspection purpose-built for industrial protocols.
Build behavioral baselines with AI - Let machine learning learn your normal operations.
Detect, evaluate, and act - Automated alerts feed directly into your CIP-008 playbook.
Retain and protect evidence - Tamper-proof storage with automated audit reports.
Test, tune, and prove compliance - Tabletop exercises plus ready-to-submit dashboards.
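Step six of the playbook (retain and protect evidence) maps to R2 and R3: the data behind a confirmed anomaly must survive until the incident is resolved, and nobody may quietly edit or delete it. The following added example (our own illustration, not Shieldworkz platform code) shows one simple way to make a retained evidence log tamper-evident: each entry carries the hash of the previous one, and the latest digest is anchored somewhere the monitoring host cannot overwrite. The anomaly records are constructed; the anchoring location is left as an assumption.

```python
"""Added example (not Shieldworkz platform code): a hash-chained evidence
log showing one way to make retained INSM data tamper-evident (R3). The
anomaly records are constructed; a real deployment would anchor the head
digest somewhere the monitoring host cannot overwrite (WORM storage, a
separate audit system, or a signed daily summary)."""
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def _digest(prev_hash, record):
    """Hash of the previous link plus a canonical serialisation of the record,
    so editing any field or reordering entries changes the value."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain, record):
    """Append a record; returns the new head digest to anchor externally."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return chain[-1]["hash"]


def verify(chain, anchored_head):
    """Walk the chain and compare its head with the externally anchored one.
    Returns (ok, reason). Without the anchored head, silently dropping the
    newest entries would pass every per-entry check."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"entry {i}: broken link (entry removed or reordered before it)"
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i}: contents altered"
        prev = entry["hash"]
    if prev != anchored_head:
        return False, "head mismatch (entries truncated, or added after anchoring)"
    return True, "intact"


def build_demo_chain():
    """Three constructed confirmed-anomaly records (addresses and rule
    labels are illustrative). Returns (chain, anchored_head)."""
    records = [
        {"ts": "2026-03-10T03:02:00", "rule": "new_operation", "src": "10.10.1.20", "dst": "10.10.1.50"},
        {"ts": "2026-03-10T03:02:00", "rule": "off_hours", "src": "10.10.1.20", "dst": "10.10.1.50"},
        {"ts": "2026-03-10T10:00:00", "rule": "new_pairing", "src": "10.10.1.99", "dst": "10.10.1.50"},
    ]
    chain = []
    head = GENESIS
    for r in records:
        head = append(chain, r)
    return chain, head


if __name__ == "__main__":
    chain, head = build_demo_chain()
    print(verify(chain, head))
    chain[1]["record"]["rule"] = "benign"  # simulate an unauthorised edit
    print(verify(chain, head))
```

The chain detects three things an auditor cares about: an edited record (the entry's digest no longer matches), a removed or reordered entry (the next entry's link no longer matches), and a truncated tail (the recomputed head differs from the anchored one). It does not, on its own, prevent someone with write access from rebuilding the whole chain from scratch; that is why the head digest must live where the log writer cannot reach it, and why the entries should be written to immutable storage rather than an ordinary database table.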
How Shieldworkz Makes East-West Monitoring Straightforward and Effective
We built our platform from the ground up for environments exactly like yours. Here’s what sets us apart:
Fully passive, zero-impact monitoring - No agents on critical OT assets unless you choose lightweight ones for deeper visibility.
Deepest OT/IoT protocol coverage - Legacy PLCs, modern sensors, everything in between.
Agentic AI that learns your facility - Real-time behavioral baselines that spot deviations traditional tools miss.
Contextual, actionable alerts - Not just “something’s wrong”-but why it matters to reliability.
Automated compliance artifacts - Dashboards and evidence packs ready for NERC audits.
Optional 24/7 Managed SOC - Let our OT experts handle tuning and response so your team stays focused on the plant floor.
Clients consistently report reduced mean-time-to-detect lateral threats by over 80% and dramatically shorter audit prep cycles.
How to Prevent Future Gaps and Future-Proof Your Program
Adopt these proven tactics today:
Micro-segmentation of crown-jewel assets - Keep engineering workstations, SCADA servers, and IoT devices in isolated east-west zones.
Continuous Identity Threat Detection & Response (ITDR) - Monitor for anomalous account behavior inside the ESP.
Immutable monitoring data - Protect your INSM logs the same way you protect backups.
Regular tabletop exercises - Simulate east-west compromise scenarios quarterly.
Start early. With CIP-015-2 on the horizon, early adopters gain operational resilience and competitive advantage.
Conclusion: Turn CIP-015 Into Your Competitive Edge
The Hasbro breach and the 3,300 ransomware-impacted industrial sites in 2025 proved one thing: size and perimeter defenses are no longer enough. NERC CIP-015-1 is your mandate to move from reactive to proactive-monitoring the east-west traffic that actually runs your operations.
By implementing INSM the right way, you’ll not only hit the October 2028 deadline, you’ll slash dwell times, reduce outage risk, strengthen OT security and IoT industrial security, and protect the critical infrastructure your communities depend on.
At Shieldworkz, we don’t just help you check the box. We partner with you to build a cyber-physical security program that evolves with the threats and keeps your plant running safely, reliably, and profitably.
Additional resources
Comprehensive Guide to Network Detection and Response NDR in 2026 here
A downloadable report on the Stryker cyber incident here
Remediation Guides here
OT Security Best Practices and Risk Assessment Guidance here
IEC 62443-based OT/ICS risk assessment checklist for the food and beverage manufacturing sector here
