
NERC CIP-015 & Internal Network Security Monitoring (INSM)


Team Shieldworkz
NERC CIP-015 & Internal Network Security Monitoring (INSM): Your Guide to Stronger OT Security
Imagine this: a sophisticated attacker slips past your firewall, your perimeter defenses hold, but inside your trusted network zone, malware quietly maps your PLCs, alters setpoints, and waits. No alarm sounds, because you’re only watching the edges.
That scenario is no longer hypothetical. Today’s OT Security threats thrive on “east-west” traffic: communications happening inside your Electronic Security Perimeter (ESP). That’s exactly why the North American Electric Reliability Corporation (NERC) introduced CIP-015-1 and its focus on Internal Network Security Monitoring (INSM).
As always, before moving forward, don’t forget to check out our previous blog post on Handala’s next gambit: From "hack-and-leak" to "cognitive siege" here.
As a plant manager, OT engineer, or CISO responsible for critical infrastructure, you already know the stakes: downtime costs millions, regulatory fines add up fast, and a single breach can cascade into blackouts or safety incidents. In this in-depth guide, we’ll walk you through what NERC CIP-015 really means, the top ICS network protection risks you face right now, practical steps to implement INSM, and, most importantly, how Shieldworkz’s agentic-AI-powered platform makes compliance straightforward while delivering real-time critical-infrastructure defense.

Why Traditional Perimeter Security Falls Short in OT Environments
For years, OT teams relied on the “castle-and-moat” approach: strong firewalls at the ESP, strict external routable connectivity rules, and hope that nothing nasty got inside. But modern attackers don’t just knock at the front door. They use IT compromises, supply-chain vectors, or insider actions to land inside your trusted zones, then move laterally.
East-west traffic, the conversations between PLCs, RTUs, HMIs, SCADA systems, and IoT sensors, has become the new attack surface. And because these devices often run legacy protocols with limited built-in security, once an attacker is inside, they can blend in with normal operations.
Recent data drives the point home. In 2025, 96% of OT security incidents originated from IT-level compromises, and 60% of organizations experienced at least one OT incident. Nation-state and hacktivist attacks on critical infrastructure doubled compared to 2024, with ransomware still causing real operational disruptions across power, manufacturing, and energy sectors.
Perimeter tools simply can’t see what’s happening inside your network. That visibility gap is what NERC CIP-015 was designed to close.
What Is NERC CIP-015? The Standard That Changes the Game
Approved by the Federal Energy Regulatory Commission (FERC) on June 26, 2025 (effective September 2, 2025), NERC CIP-015-1 is the first reliability standard to mandate Internal Network Security Monitoring (INSM) for high- and medium-impact Bulk Electric System (BES) Cyber Systems.
Instead of focusing only on north-south traffic crossing your perimeter, CIP-015-1 requires you to monitor, detect, and analyze activity inside trusted network zones. The goal is simple but powerful: catch anomalous behavior early so you can respond before physical consequences hit.
Core Requirements of CIP-015-1 (R1–R3)
The standard boils down to three clear mandates for applicable BES Cyber Systems:
R1 (Collection, Detection, and Analysis): You must implement network data feeds to collect information on connections, devices, and communications. Use a risk-based approach to detect activity that deviates from your normal baseline. Then evaluate anomalies to decide if response or mitigation is needed.
R2 (Data Retention): Keep INSM data tied to detected anomalies until investigations or actions are complete.
R3 (Data Protection): Protect all collected and retained monitoring data from unauthorized deletion or modification.
These requirements are intentionally outcome-focused. NERC doesn’t prescribe exact tools, only that your solution must deliver continuous, passive monitoring without disrupting time-sensitive OT processes.
The Power of Internal Network Security Monitoring (INSM)
INSM is not another point solution; it is a capability. It shifts your OT Security posture from reactive perimeter defense to proactive, inside-the-network visibility.
Unlike signature-based tools that hunt for known malware, INSM relies on baselining: learning what “normal” looks like in your unique environment, down to the protocol chatter between specific PLCs. Once the baseline is established, any deviation (new device, unusual command, unexpected data flow) triggers detection.
This approach is perfect for OT because it’s passive. No agents on fragile legacy devices. No risk of disrupting production. Just deep, contextual visibility into east-west traffic across your entire ICS environment.
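To make the baselining idea concrete, here is an added Python example (not Shieldworkz code or the platform’s logic): it learns a baseline of hosts, talker pairs and per-pair commands from constructed flow summaries, then classifies later flows as a new device, an unexpected flow or an unusual command. The addresses, protocol labels and function codes are constructed for the example.

```python
from collections import namedtuple

# One flow summary as a passive sensor on a tap or SPAN port might emit it.
Flow = namedtuple("Flow", "src dst proto function")

# Constructed learning-period traffic: an HMI (10.1.0.10) polls two PLCs over
# Modbus/TCP (function code 3 = Read Holding Registers) and an engineering
# workstation (10.1.0.50) reads variables from one PLC via S7comm.
BASELINE_WINDOW = [
    Flow("10.1.0.10", "10.1.0.21", "modbus", "3"),
    Flow("10.1.0.10", "10.1.0.22", "modbus", "3"),
    Flow("10.1.0.50", "10.1.0.21", "s7comm", "read_var"),
    Flow("10.1.0.10", "10.1.0.21", "modbus", "3"),
]

def learn_baseline(flows):
    """Summarise 'normal' as the sets of hosts, talker pairs and per-pair commands."""
    hosts, pairs, commands = set(), set(), set()
    for f in flows:
        hosts.update((f.src, f.dst))
        pairs.add((f.src, f.dst, f.proto))
        commands.add((f.src, f.dst, f.proto, f.function))
    return {"hosts": hosts, "pairs": pairs, "commands": commands}

def classify(flow, baseline):
    """Return None for baselined traffic, otherwise the kind of deviation,
    checked from most to least severe: unknown device, new talker pair, new command."""
    if flow.src not in baseline["hosts"] or flow.dst not in baseline["hosts"]:
        return "new_device"
    if (flow.src, flow.dst, flow.proto) not in baseline["pairs"]:
        return "unexpected_flow"
    if (flow.src, flow.dst, flow.proto, flow.function) not in baseline["commands"]:
        return "unusual_command"
    return None

def detect(flows, baseline):
    """R1-style analysis: return (flow, deviation) pairs for an analyst to triage."""
    return [(f, kind) for f in flows if (kind := classify(f, baseline))]

# Constructed monitoring-period traffic: routine polling plus three deviations.
OBSERVED = [
    Flow("10.1.0.10", "10.1.0.21", "modbus", "3"),         # baselined poll
    Flow("10.1.0.10", "10.1.0.21", "modbus", "16"),        # HMI now writes registers (fc16)
    Flow("10.1.0.50", "10.1.0.22", "s7comm", "read_var"),  # workstation reaches a new PLC
    Flow("10.1.0.99", "10.1.0.21", "modbus", "3"),         # host never seen in the baseline
]

if __name__ == "__main__":
    for flow, kind in detect(OBSERVED, learn_baseline(BASELINE_WINDOW)):
        print(f"{kind:16} {flow.src} -> {flow.dst} {flow.proto} fn={flow.function}")
```

A real baseline also carries timing and volume features, which this set-based version leaves out.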
Today’s Top Threats Targeting ICS and IoT Networks
You already feel the pressure. Here’s what’s actually happening in the wild:
Lateral movement after IT compromise: Attackers land via phishing or a vendor laptop, then pivot quietly inside your OT zone.
Supply-chain and firmware attacks: Compromised updates or third-party devices introduce persistent backdoors.
Insider threats and misconfigurations: A disgruntled employee or simple human error can open doors that perimeter tools never see.
Ransomware with OT impact: Groups now understand industrial protocols and deliberately target processes for maximum disruption.
Nation-state prepositioning: Sophisticated actors map your control loops today so they can act tomorrow.
The numbers are sobering. Over 3,300 industrial organizations faced ransomware in recent years, and new OT-aware ransomware variants continue to surge. IoT devices alone see 820,000 daily attacks. Without INSM, these threats can live undetected for months.
Step-by-Step: How to Implement INSM for Compliance and Real Protection
Implementing INSM doesn’t have to be overwhelming. Here’s a practical playbook:
Map Your Environment: Start with complete asset discovery, every PLC, RTU, switch, and IoT sensor. You can’t baseline what you can’t see.
Establish Risk-Based Baselines: Capture normal traffic patterns over weeks (or months for seasonal operations). Focus first on high-impact BES Cyber Systems.
Deploy Passive Monitoring: Use network taps or SPAN ports to feed data to a dedicated INSM solution. Ensure it supports industrial protocols without introducing latency.
Enable Anomaly Detection and Analysis: Set up automated alerts for deviations. Build workflows so your team can quickly evaluate whether an anomaly requires investigation.
Handle Data Retention and Protection: Automate secure storage and tamper-proofing for anomaly-related data to meet R2 and R3.
Integrate with Existing Processes: Feed INSM insights into your SOC, incident response plan, and compliance reporting.
Test and Tune Continuously: INSM is a program, not a one-time project. Review baselines quarterly as your network evolves.
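The retention and protection step (R2 and R3) is the one most often left to “the storage team”, so here is an added Python example (not Shieldworkz code) of one tamper-evident retention scheme: each stored anomaly record carries an HMAC over its content and the previous record’s tag, and the latest tag is published to a separate store, so that modification, deletion inside the chain and truncation at the tail are all detectable on verification. The key and the anomaly records are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real deployment the key is held by the
# retention service (HSM or secrets manager), not by the monitoring hosts, so a
# compromised sensor cannot re-sign a rewritten history.
RETENTION_KEY = b"constructed-demo-key-not-for-production"

def _tag(prev_tag, record):
    """HMAC over the previous tag and a canonical encoding of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(RETENTION_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append(chain, record):
    """Append one anomaly record; each entry stores the record and its chain tag."""
    prev = chain[-1]["tag"] if chain else ""
    chain.append({"record": record, "tag": _tag(prev, record)})
    return chain[-1]["tag"]          # publish this head to a separate store

def verify(chain, expected_head):
    """Recompute every tag. A mismatch inside the chain means an entry was altered,
    inserted or removed; a head mismatch means entries were cut from the tail.
    Returns (True, None) or (False, reason)."""
    prev = ""
    for i, entry in enumerate(chain):
        if _tag(prev, entry["record"]) != entry["tag"]:
            return False, f"entry {i} altered or chain broken before it"
        prev = entry["tag"]
    if prev != expected_head:
        return False, "head mismatch: records removed from the tail"
    return True, None

# Constructed anomalies as the detection stage would hand them over.
ANOMALIES = [
    {"ts": "2026-03-01T08:00:00Z", "kind": "unusual_command", "src": "10.1.0.10", "dst": "10.1.0.21"},
    {"ts": "2026-03-01T08:00:05Z", "kind": "new_device", "src": "10.1.0.99", "dst": "10.1.0.21"},
    {"ts": "2026-03-01T08:01:00Z", "kind": "unexpected_flow", "src": "10.1.0.50", "dst": "10.1.0.22"},
]

def build_chain(records):
    """Retain a batch of anomalies and return (chain, head tag)."""
    chain, head = [], ""
    for r in records:
        head = append(chain, r)
    return chain, head

if __name__ == "__main__":
    chain, head = build_chain(ANOMALIES)
    print("intact:", verify(chain, head), "tail deleted:", verify(chain[:-1], head))
```

Without the externally published head, cutting records off the tail would go unnoticed, which is why the head check is part of `verify`.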
Implementation Timeline: Don’t Wait to Get Started
October 1, 2028: High-impact BES Cyber Systems and medium-impact systems with External Routable Connectivity (ERC) must comply.
October 1, 2030: All other applicable BES Cyber Systems with ERC.
CIP-015-2 is already in motion. The final ballot passed in March 2026, extending INSM requirements to Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) located outside the ESP. Expect expanded compliance around September 2029.
Strategic Considerations That Separate Success from Struggle
Baseline vs. Signature: Signatures miss zero-days. Baselines catch the unknown.
Passive is non-negotiable: Anything that could introduce latency or require agents on OT devices risks operational disruption.
Program, Not Project: You’ll manage terabytes of telemetry. Treat INSM as an ongoing capability with people, processes, and technology.
Vendor Choice Matters: Look for solutions purpose-built for OT: wide protocol support, AI-driven anomaly detection, and seamless compliance reporting.
How Shieldworkz Makes NERC CIP-015 & INSM Straightforward
At Shieldworkz, we built our platform specifically for environments like yours. Our Network Detection and Response (NDR) solution delivers exactly what CIP-015-1 demands, and more.
Passive, agentless monitoring across legacy PLCs, modern IoT, SCADA, and everything in between.
Automated baselining that learns your facility’s unique “normal” in hours, not weeks.
Real-time anomaly detection with contextual risk scoring aligned to IEC 62443 and NERC CIP.
Built-in compliance automation: evidence collection, audit-ready reports, and data protection baked in.
24/7 Managed Security Services so your team stays focused on operations while we handle monitoring, threat hunting, and response.
Whether you run a utility substation, manufacturing plant, or oil & gas facility, Shieldworkz gives you the widest OT coverage, fastest deployment (no downtime), and predictive insights that turn raw telemetry into actionable intelligence. We don’t just help you check a compliance box; we help you strengthen ICS network protection and critical-infrastructure defense for the long haul.
Preparing for CIP-015-2 and the Road Ahead
The expansion to EACMS and PACS means even broader visibility requirements are coming. The good news? Starting your INSM program today with the right partner positions you ahead of the curve, with no costly rip-and-replace later.
Conclusion: Turn Compliance into Competitive Advantage
NERC CIP-015 & Internal Network Security Monitoring (INSM) isn’t just another checkbox; it’s the evolution your OT environment needs to stay ahead of today’s threats. By shifting from perimeter-only defense to deep internal visibility, you’ll detect anomalies faster, respond with confidence, and protect the physical processes that keep society running.
Ready to move from “compliant” to “confident”?
Download our free NERC CIP-015-1 Compliance Playbook at shieldworkz.com or request a personalized demo today. Our team will map your environment, show you live anomaly detection in a safe environment, and outline a clear path to full INSM capability, without disrupting a single process.
Additional resources
Remediation guide to prevent such OT security incidents
Remediation guide for NIS2 security gaps
NERC CIP Reliability Standards: Post-Assessment Gap Remediation
PLC security remediation playbook (as per the latest CISA guidance)
How to deploy IEC 62443 controls