Prayukth KV
September 16, 2025
Mastering NERC CIP-015: A Guide to Internal Network Security Monitoring (INSM) for the Bulk Electric System
The power grid is an essential lifeline, and securing it against cyber threats is non-negotiable. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards lie at the foundation of this defense. Among them, NERC CIP-015-1: Cyber Security, Internal Network Security Monitoring (INSM) is a crucial layer of protection that focuses on detecting threats that have already bypassed perimeter defenses.
Today’s post will serve as a guide and break down the fundamentals and essentials of NERC CIP-015, focusing on how to effectively detect, evaluate, and respond to network anomalies to ensure compliance and fortify your operational technology (OT) environment.
Let’s dive right in.
What is NERC CIP-015?
NERC CIP-015 mandates that responsible entities develop and implement a program for Internal Network Security Monitoring (INSM). The core idea is simple but powerful: you can't rely solely on perimeter defenses. You must have visibility inside your network to spot malicious activity that might have slipped through.
This standard applies to high and medium-impact Bulk Electric System (BES) Cyber Systems. Its primary goal is to ensure that entities can detect and respond to anomalous network activity, including potential reconnaissance, command and control (C2) traffic, and lateral movement by an attacker within the trusted network boundaries.
The standard requires entities to establish a baseline of normal network traffic. This baseline is the foundation upon which your entire monitoring strategy is built. Without knowing what's normal, identifying what's abnormal is impossible.
Detecting, evaluating, and responding to anomalies
CIP-015 revolves around a three-step cycle: detect, evaluate, and respond. Let's explore each phase.
Detection: Detecting the unseen
The first step is to continuously monitor your internal network for activity that deviates from your established baseline. Your detection strategy should be designed to catch a variety of potential threats.
· Establish a network baseline: Before you can detect anomalies, you must define what "normal" looks like. This involves capturing and analyzing network traffic over a period to understand typical communication patterns, protocols used, device connections, and data flow volumes between your BES Cyber Systems.
· Monitor for security events: Your INSM solution must be capable of detecting specific types of events, including:
    · Reconnaissance: An attacker scanning your network to identify assets, open ports, and vulnerabilities.
    · Unexpected outbound connections: A compromised device "phoning home" to an external command and control server.
    · Anomalous internal connections: A workstation attempting to connect to a programmable logic controller (PLC) it has never communicated with before.
    · Unauthorized protocol usage: The presence of protocols like FTP or Telnet where they are not expected or allowed.
· Leverage monitoring tools: Use tools such as Network Detection and Response (NDR) and intrusion detection platforms like Shieldworkz, Security Information and Event Management (SIEM) systems with OT-specific connectors, and Network Security Monitoring (NSM) platforms that understand industrial protocols (e.g., Modbus, DNP3, IEC 61850).
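The detection logic above, reduced to its essentials as an added illustration (this is not Shieldworkz code or anything from the standard): a baseline is learned from flow records captured during the baselining period, and later flows are compared against it to flag the four event types listed. The flow records, the 10.10.0.0/16 internal range, and the reconnaissance threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the post): (src, dst, dst_port, proto)
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.2.21", 502, "tcp"),
    ("10.10.1.6", "10.10.2.30", 20000, "tcp"),  # SCADA server -> RTU, DNP3
    ("10.10.1.7", "10.10.1.8", 102, "tcp"),     # IEC 61850 MMS between substation devices
]
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502, "tcp"),     # matches baseline: normal
    ("10.10.1.9", "10.10.2.20", 502, "tcp"),     # workstation never seen talking to this PLC
    ("10.10.1.6", "10.10.2.30", 23, "tcp"),      # Telnet where it is not allowed
    ("10.10.2.20", "203.0.113.50", 443, "tcp"),  # PLC reaching an external host
    ("10.10.1.12", "10.10.2.20", 80, "tcp"),     # one host probing several assets/ports
    ("10.10.1.12", "10.10.2.21", 102, "tcp"),
    ("10.10.1.12", "10.10.2.30", 502, "tcp"),
]
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed internal address space
DISALLOWED_PORTS = {21: "ftp", 23: "telnet"}             # protocols not allowed internally

def build_baseline(flows):
    """Learn the (src, dst, port, proto) tuples observed during the baselining period."""
    return set(flows)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def evaluate_flows(baseline, flows, recon_threshold=3):
    """Return (item, reason) pairs for every flow that deviates from the baseline,
    plus one reconnaissance finding per source that touches many new targets."""
    findings, new_targets = [], defaultdict(set)
    for flow in flows:
        src, dst, port, _proto = flow
        if flow in baseline:
            continue                      # known-good communication pair
        if not is_internal(dst):
            findings.append((flow, "unexpected_outbound"))
        elif port in DISALLOWED_PORTS:
            findings.append((flow, "unauthorized_protocol:" + DISALLOWED_PORTS[port]))
        else:
            findings.append((flow, "new_internal_connection"))
        new_targets[src].add((dst, port))
    for src, targets in new_targets.items():
        if len(targets) >= recon_threshold:
            findings.append((src, "possible_reconnaissance"))
    return findings

if __name__ == "__main__":
    for item, reason in evaluate_flows(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(reason, item)
```

Every finding here is an anomaly to be triaged in the evaluation phase, not yet a declared incident; a new HMI or a planned protocol change would produce the same output and must be folded back into the baseline.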
Evaluation: Isolating noise from threats
Not every anomaly is a malicious attack. A network change, a new device, or a misconfiguration can all trigger alerts. The evaluation phase is critical for triaging these alerts to determine if they constitute a genuine Cyber Security Incident.
· Triage and investigation: When an anomaly is detected, your security team must investigate. This involves analyzing packet captures (PCAPs), reviewing logs, and correlating the event with other data points to understand its context.
· Impact assessment: Determine the potential or actual impact of the event. Is it affecting a single system or multiple? Does it pose a risk to the reliable operation of the BES?
· Declaration of an Incident: Based on the evidence gathered during the investigation, you must have a clear process to formally declare a Cyber Security Incident, which then triggers your response plan.
Response: Taking timely and decisive action
Once a Cyber Security Incident is declared, a swift and coordinated response is essential to contain the threat and restore normal operations. Your response must align with your entity's incident response plan as required by other NERC CIP standards (like CIP-008).
· Containment: The immediate priority is to stop the bleeding. This could involve isolating the affected systems from the network, blocking malicious IP addresses, or disabling compromised user accounts.
· Eradication and recovery: Once contained, the threat must be removed from your environment. This may involve reimaging systems, restoring from clean backups, and patching vulnerabilities. The goal is to safely return the systems to a known-good state.
· Reporting: NERC has specific reporting requirements. The incident must be documented and reported to the Electricity Information Sharing and Analysis Center (E-ISAC) and other relevant authorities according to regulatory timelines.
NERC CIP-015 INSM compliance checklist
You can use this checklist as a starting point to develop or audit your NERC CIP-015 program. For more information, talk to Shieldworkz.
1. Program Development and documentation
· [ ] Do you have a documented INSM program?
· [ ] Does the program define the scope of monitored assets (all applicable medium and high-impact BES Cyber Systems)?
· [ ] Is the program approved by a CIP Senior Manager?
2. Baselining
· [ ] Have you established a baseline of normal network traffic for the in-scope environment?
· [ ] Is there a process to review and update the baseline periodically or after significant network changes?
3. Monitoring and detection
· [ ] Is an INSM solution (e.g., IDS, NSM) deployed to monitor internal network traffic?
· [ ] Are detection rules and signatures in place to identify potential reconnaissance, unauthorized connections, and anomalous traffic patterns?
· [ ] Are logs and alerts from the INSM solution being collected and sent to a central analysis platform (like a SIEM)?
· [ ] Is there a defined process for monitoring these alerts 24/7?
4. Evaluation and response
· [ ] Is there a documented procedure for evaluating detected anomalies?
· [ ] Does the procedure define criteria for declaring a Cyber Security Incident?
· [ ] Is the INSM evaluation process integrated with your overall Incident Response Plan (as per CIP-008)?
· [ ] Are personnel trained on the procedures for evaluation and response?
5. Record keeping
· [ ] Are you maintaining records of your INSM program, baseline data, and detected anomalies as required?
· [ ] Are records of incident response actions being kept for audit purposes?
By methodically addressing these points through an OT/ICS security partner like Shieldworkz, you can build a robust INSM program that not only meets NERC CIP-015 requirements but also significantly enhances the security and resilience of your critical operations.
Talk to our NERC CIP expert for a free consultation.