
NERC CIP-015-2 Explained: Expanding INSM to EACMS and PACS


Team Shieldworkz

Cyber threats targeting industrial control systems are evolving quickly. Attackers are no longer focused only on breaching the Electronic Security Perimeter (ESP) of critical infrastructure environments. Instead, they increasingly exploit adjacent systems (authentication services, remote access platforms, badge readers, and virtualization infrastructure) to pivot into operational technology (OT) networks.

Before we move forward, don’t forget to check out our previous post on Decoding the Strategic Quiet of Iranian Cyber Groups, here.

Recognizing this shift, the North American Electric Reliability Corporation (NERC) has introduced NERC CIP-015-2, a proposed cybersecurity standard that significantly expands Internal Network Security Monitoring (INSM) requirements. The goal is simple but powerful: increase visibility into critical systems that sit outside the traditional ESP but still influence Bulk Electric System (BES) Cyber Assets.

For plant managers, OT engineers, and CISOs, this change is important. Many support systems, such as Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS), have historically operated outside the primary monitoring scope. Yet these systems often hold the “keys to the kingdom,” enabling attackers to impersonate legitimate users or bypass physical safeguards.

In this article, we break down NERC CIP-015-2 in plain language. We’ll explain what changed, why it matters, what the new monitoring requirements look like, and how organizations can prepare now to protect critical infrastructure.

Why NERC CIP-015-2 Matters for Industrial Cybersecurity

For years, most compliance programs focused heavily on perimeter defense. If the Electronic Security Perimeter was protected, the assumption was that internal systems were relatively safe.

Modern attacks prove otherwise.

Threat actors now exploit trusted systems inside or adjacent to OT environments. Once inside, they move laterally, often undetected.

High-profile campaigns have demonstrated this shift:

  • State-sponsored groups targeting energy infrastructure

  • Supply chain compromises affecting management software

  • Credential theft through remote access services

  • Physical intrusion attempts leveraging badge system vulnerabilities

These tactics exploit gaps in internal monitoring visibility.

That gap is precisely what CIP-015-2 aims to close.

Instead of focusing solely on external threats, the new standard expands monitoring to include systems that manage access to critical infrastructure.

Understanding the Foundation: Internal Network Security Monitoring (INSM)

Before exploring the changes in CIP-015-2, it’s important to understand Internal Network Security Monitoring (INSM).

INSM refers to the continuous monitoring of network traffic within a protected environment to detect abnormal behavior, malicious activity, or unauthorized communication between systems.

Unlike traditional perimeter monitoring, INSM focuses on east-west traffic: the movement of data between internal systems.

Why east-west traffic matters

Attackers who breach a network rarely attack critical systems immediately. Instead, they move laterally to gather intelligence and escalate privileges.

Without internal monitoring, these movements often go unnoticed.

Key objectives of INSM

Effective internal monitoring enables organizations to:

  • Detect lateral movement inside OT networks

  • Identify compromised credentials or privileged accounts

  • Monitor communications between critical systems

  • Identify abnormal traffic patterns

  • Investigate incidents quickly

CIP-015-1 introduced INSM within the Electronic Security Perimeter.

CIP-015-2 expands that scope significantly.

What Changed in NERC CIP-015-2

The biggest change in CIP-015-2 is the expansion of monitoring requirements beyond the ESP to include critical support infrastructure.

Previously, many organizations monitored only traffic inside the perimeter.

However, attackers often target systems outside the ESP that control access to it.

CIP-015-2 addresses this risk by expanding monitoring requirements to three key areas:

  1. Electronic Access Control or Monitoring Systems (EACMS)

  2. Physical Access Control Systems (PACS)

  3. Shared Cyber Infrastructure (SCI)

These systems often sit outside the traditional perimeter but still interact with BES Cyber Systems.

Core Expansion: From ESP to EACMS and PACS

Electronic Access Control or Monitoring Systems (EACMS)

EACMS systems manage logical access to critical infrastructure networks.

Examples include:

  • Authentication servers

  • Jump hosts and remote access gateways

  • Security information and event management (SIEM) tools

  • Remote access management systems

  • Directory services

These platforms often sit outside the ESP but control who can access the OT environment.

If compromised, they allow attackers to:

  • Authenticate as legitimate users

  • Establish trusted sessions

  • Bypass perimeter controls

This makes them a major target.

Why monitoring EACMS matters

Without monitoring these systems, attackers can manipulate authentication mechanisms or remote access pathways with little visibility.

CIP-015-2 ensures these environments receive the same level of network monitoring as core OT systems.

Physical Access Control Systems (PACS)

While cybersecurity often focuses on digital threats, physical access is equally critical.

PACS systems manage entry to facilities where critical systems reside.

Common PACS technologies include:

  • Badge access readers

  • Door controllers

  • Security cameras and access logs

  • Building entry management systems

If attackers gain control of PACS systems, they could:

  • Disable physical access restrictions

  • Manipulate entry logs

  • Facilitate unauthorized facility access

Physical compromise of control centers or substations can have severe operational consequences.

CIP-015-2 recognizes that physical access systems are part of cybersecurity.

Shared Cyber Infrastructure (SCI)

The modern OT environment increasingly relies on shared digital infrastructure.

Examples include:

  • Virtualization platforms

  • Shared storage environments

  • Hypervisors

  • Virtual network infrastructure

These systems support multiple operational technologies simultaneously.

A compromise here can impact multiple BES Cyber Systems at once.

CIP-015-2 therefore includes monitoring requirements for traffic associated with this infrastructure.

The Security Gap CIP-015-2 Addresses

The expansion in CIP-015-2 is driven by a critical visibility gap.

Many utilities currently lack insight into communications between support systems and critical infrastructure.

These blind spots create ideal conditions for attackers.

Key gaps the standard addresses

1. Adversary pivot points

Attackers frequently compromise identity infrastructure first.

Once credentials are stolen, they can access OT networks legitimately.

2. Lack of east-west visibility

Without monitoring internal network paths, lateral movement remains invisible.

3. Support system compromise

Authentication servers, virtualization hosts, or remote access gateways are often less protected than control systems.

These weaknesses make them ideal entry points.

Regulatory Drivers Behind the Change

The expansion in CIP-015-2 was strongly influenced by federal regulators and evolving threat intelligence.

The Federal Energy Regulatory Commission (FERC) directed NERC to enhance internal monitoring capabilities following evidence that advanced threat actors were targeting supporting infrastructure.

One driver cited in regulatory discussions was the emergence of highly sophisticated nation-state campaigns targeting energy systems.

These campaigns showed that attackers were:

  • Targeting remote management systems

  • Compromising identity infrastructure

  • Exploiting access control systems

In response, regulators concluded that monitoring only inside the ESP was insufficient.

Key Technical Monitoring Requirements in CIP-015-2

The proposed standard introduces expanded monitoring requirements covering new network segments and communication pathways.

Organizations must monitor:

1. Network segments connected to EACMS outside the ESP

Traffic entering or leaving authentication systems must be monitored.

2. Traffic paths between EACMS and PACS located outside the ESP

Communications between logical and physical access systems must be visible.

3. Internal segments within these external support systems

Even traffic between internal support systems must be analyzed.

Practical Challenges Utilities Face

While the goal of CIP-015-2 is clear, implementation will not be simple.

Many utilities face several challenges.

1. Visibility across distributed infrastructure

Industrial networks often span multiple facilities:

  • Substations

  • Control centers

  • Generation plants

  • Remote monitoring sites

Monitoring all these locations requires new architectures.

2. Legacy OT environments

Many industrial environments run systems that were not designed with cybersecurity monitoring in mind.

Legacy protocols may lack logging or encryption capabilities.

Organizations must therefore deploy specialized monitoring tools.

3. Complex hybrid IT-OT networks

EACMS and PACS often sit in hybrid environments where IT and OT networks intersect.

Traditional IT security tools may generate excessive false positives when applied to OT traffic.

4. Compliance documentation

Meeting monitoring requirements is only part of the challenge.

Organizations must also:

  • Document monitoring coverage

  • Maintain audit evidence

  • Demonstrate incident response capabilities

Step-by-Step Approach to CIP-015-2 Readiness

Utilities should start preparing now, even before the standard becomes mandatory.

Step 1: Map your access control infrastructure

Identify all systems that manage logical or physical access.

This includes:

  • Active Directory services

  • Remote access gateways

  • Badge systems

  • Door controllers

  • Identity management platforms

Understanding where these systems live in the network is essential.

Step 2: Identify network communication paths

Next, map communication flows between:

  • EACMS and BES systems

  • PACS and facility networks

  • Shared infrastructure components

These communication paths will fall under the expanded monitoring scope.

Step 3: Deploy internal monitoring capabilities

Organizations should implement tools that can monitor OT network traffic without disrupting operations.

These tools typically provide:

  • Passive network monitoring

  • Protocol analysis

  • Asset discovery

  • Anomaly detection

Step 4: Establish detection and response processes

Monitoring is only useful if alerts are investigated quickly.

Utilities should define:

  • Incident detection workflows

  • Escalation procedures

  • Response playbooks

Step 5: Document compliance readiness

Finally, organizations must document:

  • Monitoring architecture

  • Asset inventories

  • Security controls

This documentation becomes critical during compliance audits.
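Steps 1 to 3 above amount to an inventory, a flow map, and a coverage check. The following added example (not part of the article, and not a Shieldworkz tool) shows that check in code: a constructed asset inventory is tagged with its category (BES Cyber System, EACMS, PACS, SCI) and ESP placement, each observed flow is mapped onto the three monitoring areas listed in the "Key Technical Monitoring Requirements" section, and in-scope flows with no sensor on either endpoint's segment are reported as gaps. Asset names, segments and the monitored-segment set are invented sample data.

```python
# Added example: map constructed assets and flows onto the CIP-015-2 monitoring
# areas and flag in-scope flows that no passive sensor currently sees.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    category: str     # "BCS" (BES Cyber System), "EACMS", "PACS" or "SCI"
    inside_esp: bool  # does the asset sit inside the Electronic Security Perimeter?
    segment: str      # network segment the asset is attached to

def scope_of(a: Asset, b: Asset) -> str:
    """Name the monitoring area (numbered as in the article) a flow a<->b falls under."""
    cats = {a.category, b.category}
    both_out = not a.inside_esp and not b.inside_esp
    if "SCI" in cats:
        return "CIP-015-2: traffic associated with shared cyber infrastructure"
    if a.inside_esp and b.inside_esp:
        return "CIP-015-1: traffic inside the ESP"
    if both_out and cats == {"EACMS", "PACS"}:
        return "CIP-015-2 (2): path between EACMS and PACS outside the ESP"
    if both_out and cats <= {"EACMS", "PACS"}:
        return "CIP-015-2 (3): internal segment within external support systems"
    if any(x.category == "EACMS" and not x.inside_esp for x in (a, b)):
        return "CIP-015-2 (1): segment connected to EACMS outside the ESP"
    return "unclassified: review manually"

def coverage_gaps(assets, flows, monitored_segments):
    """Return (src, dst, scope) for in-scope flows with no sensor on either segment."""
    by_name = {x.name: x for x in assets}
    gaps = []
    for src, dst in flows:
        a, b = by_name[src], by_name[dst]
        scope = scope_of(a, b)
        if scope.startswith("CIP-015") and not ({a.segment, b.segment} & monitored_segments):
            gaps.append((src, dst, scope))
    return gaps

# Constructed inventory and flow map (sample data, not from any real utility).
ASSETS = [
    Asset("hmi-01", "BCS", True, "esp-ot"),
    Asset("scada-srv", "BCS", True, "esp-ot"),
    Asset("ad-dc-01", "EACMS", False, "corp-identity"),
    Asset("jump-host", "EACMS", False, "dmz-access"),
    Asset("badge-ctl", "PACS", False, "facility-phys"),
    Asset("hv-cluster", "SCI", False, "virt-mgmt"),
]
FLOWS = [("hmi-01", "scada-srv"), ("jump-host", "scada-srv"), ("ad-dc-01", "jump-host"),
         ("ad-dc-01", "badge-ctl"), ("hv-cluster", "scada-srv")]
MONITORED = {"esp-ot"}  # only the ESP segment has a passive sensor today (CIP-015-1 posture)

if __name__ == "__main__":
    for src, dst, scope in coverage_gaps(ASSETS, FLOWS, MONITORED):
        print(f"GAP {src} <-> {dst}: {scope}")
```

Run as-is, the two unmonitored flows are the directory-to-jump-host path (area 3) and the directory-to-badge-controller path (area 2); the EACMS-to-BES flow is seen only because its ESP-side segment has a sensor.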

Timeline and Industry Status

NERC’s drafting team published the CIP-015-2 revisions in late 2025 as part of Project 2025-02.

Industry stakeholders have already shown strong support.

Key milestones include:

  • January 2026: Industry ballot passed with 84.33% approval

  • 2026–2027: Standard refinement and regulatory review

  • 2028–2029: Expected phased implementation

High-impact control centers and large utilities will likely face earlier compliance deadlines.

Organizations that begin preparing now will avoid last-minute implementation challenges.

Protecting BES Cyber Assets in the Modern Threat Landscape

Ultimately, the purpose of CIP-015-2 is not just compliance.

It is about protecting Bulk Electric System reliability.

Electric grids depend on thousands of interconnected systems.

A compromise in access control infrastructure can ripple across the network.

Modern attackers understand this.

They target the weakest link, not always the core control systems.

By expanding monitoring visibility, utilities gain the ability to:

  • Detect attackers earlier

  • Prevent lateral movement

  • Protect operational continuity

How Shieldworkz Helps Utilities Prepare for CIP-015-2

Preparing for CIP-015-2 requires deep expertise in OT, ICS, and industrial cybersecurity.

This is where Shieldworkz plays a critical role.

Shieldworkz specializes in protecting industrial infrastructure across sectors such as:

  • Power and utilities

  • Oil and gas

  • Manufacturing

  • Mining

OT-specific monitoring expertise

Shieldworkz helps organizations deploy internal network monitoring designed for OT environments, ensuring compliance without disrupting operations.

Asset visibility across complex networks

Shieldworkz solutions help utilities identify and monitor:

  • BES Cyber Assets

  • EACMS systems

  • PACS infrastructure

  • Shared OT/IT platforms

This visibility is essential for understanding the full monitoring scope.

Incident detection and threat intelligence

Shieldworkz provides:

  • OT threat detection

  • Industrial network analytics

  • Incident response support

These capabilities enable utilities to detect and respond to threats faster.

Compliance-aligned architecture

Shieldworkz helps organizations build monitoring architectures aligned with evolving standards such as:

  • NERC CIP-015

  • NERC CIP-013

  • NERC CIP-010

This ensures organizations remain compliant while strengthening operational security.

The Future of Internal Network Security in OT

CIP-015-2 reflects a broader shift in industrial cybersecurity.

The industry is moving away from perimeter-centric security toward continuous internal monitoring.

Future regulatory standards will likely continue expanding visibility requirements.

Organizations that invest early in monitoring capabilities will gain significant advantages:

  • Improved threat detection

  • Stronger resilience

  • Faster compliance readiness

Conclusion

The proposed NERC CIP-015-2 standard marks a significant evolution in how critical infrastructure protects its operational networks.

By expanding Internal Network Security Monitoring (INSM) beyond the Electronic Security Perimeter to include EACMS, PACS, and shared cyber infrastructure, regulators are addressing a major visibility gap that attackers increasingly exploit.

For utilities and industrial operators, the message is clear:

Security must extend beyond the perimeter.

Organizations that begin mapping their access control systems, deploying internal monitoring tools, and building incident response capabilities today will be far better prepared for tomorrow’s threats, and for tomorrow’s compliance requirements.

Shieldworkz helps utilities and industrial operators secure their OT environments while preparing for evolving standards like NERC CIP-015-2.

If your organization needs help with:

  • Internal network security monitoring

  • OT threat detection

  • Compliance readiness for NERC standards

  • Protecting BES Cyber Assets

Visit shieldworkz.com or contact the Shieldworkz cybersecurity team to learn how we can help you build a resilient industrial security architecture.

Book a free consultation on security posture, threat intelligence management, infrastructure monitoring, OT security and IEC 62443 compliance, here.

Additional resources
NERC CIP-015-1 Compliance Checklist and KPI Tracker

NERC CIP Evidence Pack: How to Document SCADA Patch & Change Management for Audits

NERC CIP Roadmap for 2026: Practical Steps for Power Generation to Protect PLCs and RTUs
