Why NERC CIP-015-1 for Internal Network Security is a Must-Have for ICS Defense

Prayukth KV
6. November 2025
The threat landscape for the North American Bulk Electric System (BES) is evolving with the emergence of a new mix of threats and risks. With adversaries increasingly bypassing traditional perimeter defenses to move laterally inside critical networks, the threats are now more potent and disruptive than ever before. Beyond disruption, the possibility of threat actors retaining access to grid-linked networks poses a long-term threat that needs to be addressed quickly.
The North American Electric Reliability Corporation (NERC) has responded to these challenges by launching a pivotal new standard: CIP-015-1 – Internal Network Security Monitoring (INSM). The new standard is not just a compliance tick-box; it represents a fundamental shift in securing Industrial Control Systems (ICS) by calling for deep and ongoing visibility across the trust zone.
Do not forget to check our previous blog post on “How to engineer real OT security outcomes with IEC 62443 risk assessment” here.
Beyond the perimeter: Understanding the purpose of CIP-015-1
Historically, NERC CIP standards have focused heavily on securing the electronic security perimeter (ESP). This was essentially an extrapolation of physical security measures based on access control. The prevailing thought was that all threats emerge from outside the perimeter and if the fences are strong, nothing can come inside.
While broadly aligned with the threat spectrum prevailing at that time, this left a blind spot: what happens once an attacker breaches the initial defense and manages to sneak inside? An attacker who has landed inside the network can move laterally (generating so-called "East-West" traffic) to compromise critical operational technology (OT) assets. The attacker can also get inside with the assistance of an insider.
The core purpose of CIP-015-1 is to substantially enhance the probability of detecting anomalous or unauthorized network activity within the ESP, thereby facilitating rapid and accurate response and recovery from an attack.
Why internal monitoring is critical:
Discovering lateral movement: Attackers often use valid (stolen) credentials together with legitimate protocols to move within the network, bypassing signature-based perimeter defenses. INSM is designed to detect these subtle, anomalous behaviors early in the attack lifecycle.
Early attack detection: The faster an internal intrusion is detected, the less damage an adversary can inflict on critical functions. INSM enables detection early in the attack lifecycle.
Obtaining data for forensics: Collecting, organising and retaining internal network data is essential for understanding the scope, method, and duration of an attack, dramatically improving incident response and forensic analysis. It is also essential from a compliance reporting standpoint.
The actionable requirements: What can entities do?
CIP-015-1 mandates a robust, documented process for Internal Network Security Monitoring for high-impact BES Cyber Systems (with or without external routable connectivity) and medium-impact BES Cyber Systems with external routable connectivity.
The requirements can be broken down into three main areas:
Network Security Monitoring (requirement 1)
This is essentially the core of the standard that requires a proactive, risk-based approach to monitoring.
R1.1: Implement Network Data Feeds: Entities must use a risk-based rationale to select and implement network data feed(s) that effectively monitor network activity, including connections, devices, and communications. This means strategically placing sensors to gain the right amount of visibility into key OT traffic and protocols.
R1.2: Detect Anomalous Activity: Implement one or more method(s) to detect anomalous network activity using the collected data feeds. This requires baselining "normal" network behavior, that is, understanding what your OT environment should look like, so that deviations can be flagged effectively.
R1.3: Evaluate Anomalous Activity: Establish methods to evaluate the detected anomalous activity to determine the necessary response or further action, ensuring appropriate escalation when a real threat is identified.
Data Retention (requirement 2)
R2: Retain INSM Data: You must define and implement processes for retaining INSM data associated with anomalous network activity for a sufficient duration to complete the evaluation process (R1.3). This ensures vital evidence is not lost before an investigation concludes.
Data protection (requirement 3)
R3: Protect INSM Data: Processes must be in place to protect INSM data (both collected and retained) from unauthorized deletion or modification. The data itself is a critical asset for security and compliance and must be secured against tampering.
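The following is an added illustration of how R1.2, R2 and R3 fit together, not code from the original post or from any INSM product: a baseline of observed OT conversations is learned from a window of flow records, live flows that fall outside it are flagged, and the flagged records are retained in an HMAC chain so that deletion or modification is detectable. All addresses, flows and the key are constructed sample values; the well-known ports 502 (Modbus/TCP) and 20000 (DNP3) are the only real identifiers used.

```python
import hashlib
import hmac

# Constructed sample flow records: (src, dst, dst_port, protocol).
BASELINE_WINDOW = [
    ("10.1.0.10", "10.1.0.50", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.1.0.10", "10.1.0.51", 502, "tcp"),    # HMI -> second PLC
    ("10.1.0.20", "10.1.0.60", 20000, "tcp"),  # SCADA master -> RTU, DNP3
]
LIVE_TRAFFIC = [
    ("10.1.0.10", "10.1.0.50", 502, "tcp"),    # known-good conversation
    ("10.1.0.10", "10.1.0.51", 445, "tcp"),    # HMI -> PLC on SMB: not in baseline
    ("10.1.0.50", "10.1.0.51", 502, "tcp"),    # PLC -> PLC: new East-West path
]
CHAIN_SEED = b"\x00" * 32  # genesis value for the retention chain


def build_baseline(flows):
    """R1.2 baseline: the set of conversation tuples seen during a learning window."""
    return set(flows)


def detect_anomalies(baseline, flows):
    """Flag any conversation (new peer, port or protocol) absent from the baseline."""
    return [flow for flow in flows if flow not in baseline]


def build_retention_log(records, key):
    """R2/R3: chain each retained record to its predecessor with an HMAC tag."""
    prev, log = CHAIN_SEED, []
    for rec in records:
        tag = hmac.new(key, prev + repr(rec).encode(), hashlib.sha256).digest()
        log.append((rec, tag))
        prev = tag
    return log


def verify_retention_log(log, key):
    """Recompute the chain; any edited, reordered or removed interior record breaks it.
    Store the final tag out of band so truncation of the tail is caught as well."""
    prev = CHAIN_SEED
    for rec, tag in log:
        expected = hmac.new(key, prev + repr(rec).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        prev = tag
    return True


if __name__ == "__main__":
    found = detect_anomalies(build_baseline(BASELINE_WINDOW), LIVE_TRAFFIC)
    log = build_retention_log(found, b"constructed-demo-key")
    print(found, verify_retention_log(log, b"constructed-demo-key"))
```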
Recommended key steps for compliance and enhanced defense
Meeting CIP-015-1 is an opportunity to significantly elevate your organization's security posture. Here are actionable steps to move from compliance to true resilience:
| Step | Actionable advice | Security benefit |
|---|---|---|
| Establish the entire scope | Clearly define all high- and medium-impact BES Cyber Systems within the Electronic Security Perimeter (ESP). | Ensures no critical assets are missed. |
| OT protocol deep dive | Invest in INSM tools such as Shieldworkz that understand and can deeply inspect OT-specific protocols (e.g., Modbus, DNP3). | Enables accurate baselining and detection of threats using native OT communications. |
| Risk-based sensor placement | Do not monitor everything equally. Use your risk assessment to determine the most critical "East-West" traffic paths for sensor deployment. | Maximizes visibility where an attacker is most likely to move. |
| Baseline and tune | Spend significant time establishing a clear baseline of "normal" behavior. Tune your detection methods to minimize false positives. | Reduces alert fatigue and ensures security teams focus on real threats. |
| SOC integration | Integrate your INSM system's alerts and data into your Security Operations Center (SOC) with clear, predefined escalation and response playbooks. | Ensures rapid, coordinated, and effective incident response. |
Looking ahead to CIP-015-2
It's important to note that FERC has already directed NERC to develop subsequent modifications (potentially CIP-015-2) to widen INSM's scope. The next standard in this series is expected to extend monitoring to systems that reside outside the ESP, specifically Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS).
Utilities should consider this future expansion in their planning now, as the goal is a comprehensive, internal monitoring approach that covers all entry and access points into the CIP-networked environment.
By proactively implementing and managing a robust INSM program under NERC CIP-015-1, electric utilities are not merely meeting a regulatory requirement; they are building a critical, non-negotiable layer of defense that is essential for protecting the stability and reliability of the Bulk Electric System.
To learn more about NERC CIP-015-1, talk to a NERC CIP expert.