Aug 04, 2025

CIP-015-1 Is Approved: What Energy Sector Asset Owners Must Do Now

On June 26, 2025, the Federal Energy Regulatory Commission (FERC) approved Order No. 907, giving the green light to NERC CIP-015-1. If you’re in the electric sector, this is a big deal.

CIP-015-1 introduces a new requirement: Internal Network Security Monitoring (INSM) inside Electronic Security Perimeters (ESPs). It applies to High and Medium Impact Bulk Electric System (BES) Cyber Systems that have External Routable Connectivity (ERC). In short, these are the critical systems that help keep the grid stable and the lights on.

So Why Is This Important?

For years, cybersecurity strategies in the energy sector focused on building strong perimeters to keep bad actors out, but attacks grow more sophisticated every year. Attackers are getting in through supply chain compromise, misconfigurations, lack of segmentation, and even insider access. Once inside, they move laterally, often unnoticed.

This is where the changes to the regulation come into play. This new standard shifts the focus inward from the perimeter to what’s happening inside your environment. It’s about watching the east-west traffic inside ESPs where attackers often lurk. It’s about detecting threats early before they escalate into major incidents.

Think of it as adding radar to your internal airspace, not just building higher walls.

What CIP-015-1 Requires

CIP-015-1 introduces enforceable standards for detecting and responding to anomalous network activity within ESPs. At a high level, Responsible Entities must:

  • Collect, detect, and analyze network activity inside ESPs (R1).
  • Retain INSM data tied to anomalous activity (R2).
  • Protect collected INSM data from modification or deletion (R3).

This applies to High and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC), with enforcement beginning October 1, 2028.

The goal is simple but powerful: create visibility into east-west traffic where traditional security tools often fall short.

Looking Ahead: CIP-015-2 and Expanded Monitoring Requirements

While CIP-015-1 focuses on internal ESP traffic, FERC has directed NERC to expand the standard in CIP-015-2. This future version will include monitoring of Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside of the ESP.

It’s worth remembering that EACMS and PACS often interface directly with systems inside the ESP, so leaving them unmonitored creates blind spots. Adversaries can exploit those blind spots to move laterally, escalate privileges, or impersonate trusted entities.

CIP-015-2 will require visibility into:

  • Networks connected to EACMS and PACS outside the ESP
  • Traffic between EACMS and PACS components
  • Internal segments within EACMS and PACS systems

Asset owners should start planning now—not just for the current standard, but for what’s coming next.

Five Practical Initial Steps

1. Inventory What’s in Scope

Start by identifying all High and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC). Use discovery tools to create a real-time asset inventory; this ensures you’re not missing any critical systems that fall under the regulation.

2. Check Your Current Monitoring Capabilities

Evaluate whether you’re already collecting internal network data inside Electronic Security Perimeters (ESPs). What tools are in place? Are you getting visibility into east-west traffic, or just the perimeter? Knowing your baseline helps prioritize next steps.

3. Leverage Existing Infrastructure

Look at what’s already available: SPAN ports, network taps, firewalls, or switches. In many cases, you don’t need to install new hardware to begin collecting internal traffic data. Understanding what you can reuse makes implementation faster and more cost-effective.

4. Define Anomalies and Response Plans

Think about how you’ll detect and respond to suspicious activity. What constitutes “anomalous” behavior in your environment? Who will be alerted, and how will issues be escalated? Getting clear on this now avoids confusion later when rapid response matters most.

5. Evaluate INSM Tools That Fit OT

Choose tools purpose-built for industrial environments. Look for passive, agentless solutions that support OT protocols and won’t disrupt operations. The best platforms provide deep visibility, work with existing tech, and help you align with regulatory timelines.

How Armis Supports Your CIP-015 Journey

Armis provides a purpose-built platform to meet the demands of INSM in complex OT/ICS environments. We help energy asset owners achieve and maintain compliance—while also strengthening their overall security posture.

Visibility Inside the ESP

Armis delivers real-time asset discovery and traffic analysis across OT, IT, and IoT systems within the ESP, without requiring agents or intrusive scanning.

Anomaly Detection and Analysis

Our platform uses behavioral baselining and AI-driven threat detection to identify abnormal east-west traffic, unauthorized communication attempts, and signs of compromise, supporting R1.2 and R1.3.

Retention and Protection of INSM Data

Armis retains network activity data associated with anomalies and ensures it is protected from tampering, satisfying both R2 and R3 requirements.

Prepared for CIP-015-2

Unlike point products, Armis can extend visibility beyond the ESP, monitoring EACMS and PACS environments today, ensuring you’re already positioned to meet the likely demands of CIP-015-2.

Compliance Meets Resilience

CIP-015 is more than a regulation; it’s a strategic inflection point. Internal network visibility is no longer optional; it’s foundational for securing modern electric infrastructure.

At Armis, we help you meet today’s requirements while building toward the security capabilities that will be expected tomorrow. With our platform, you don’t have to choose between compliance and operational excellence; you get both.

Next Steps

Want to understand how Armis can help your organization prepare for CIP-015-1 and beyond? Read the solution brief.
