FERC Finalizes INSM Standard: CIP-015-1 and the New Visibility Mandate for the Grid

By Patrick Miller

On June 26, the Federal Energy Regulatory Commission issued Order No. 907, approving the new NERC Reliability Standard CIP-015-1: Cyber Security – Internal Network Security Monitoring (INSM). This marks a critical shift in how we approach cybersecurity within the Bulk Electric System. It also raises the bar significantly on what’s expected for visibility inside the network perimeter.

This one isn’t just about compliance. It’s about changing how we defend our most critical systems against an increasingly sophisticated set of adversaries who are getting harder and harder to detect.

Overview

FERC’s new Order No. 907 approves NERC Reliability Standard CIP-015-1, introducing mandatory Internal Network Security Monitoring (INSM) for high and medium impact BES Cyber Systems. FERC also approved the associated violation risk factors and violation severity levels, implementation plan, and effective date.

But the rule goes further. FERC has directed NERC to expand the standard within 12 months to include monitoring of Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the electronic perimeter.

This blog breaks down what’s required, what’s changing, and what utilities should be doing now to prepare for this expanded visibility mandate across the CIP-networked environment.

Why This Standard Matters

Over time, as technology and threats change, new CIP standards and requirements need to be added to keep pace with the new risks. While the CIP standards already include many security controls covering governance, prevention, detection, and response, what’s been missing is formal direction on how to detect threats once they’re already inside the trust zone.

CIP-015-1 changes that. It requires responsible entities to implement internal network monitoring for:

  • All High Impact BES Cyber Systems (with or without external routable connectivity), and

  • Medium Impact BES Cyber Systems with external routable connectivity.

This is about lateral movement, or east-west traffic that rarely crosses traditional security boundaries but often leads to privilege escalation, reconnaissance, and persistence. INSM helps you find those activities faster, ideally before they become incidents.

What’s Required Under CIP-015-1

At its core, CIP-015-1 introduces a new requirement: implementing Internal Network Security Monitoring (INSM) within networks protected by Electronic Security Perimeters (ESPs) that house high-impact BES Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC).

This is not simply about deploying another sensor. INSM is a distinct detection methodology centered around establishing a baseline of expected internal network behavior and identifying anomalous activity, not just known threats or signature matches.

Here’s a breakdown of what entities are required to do under Requirement R1:

  • R1.1 – Risk-Based Identification
    Entities must determine, using documented, risk-based rationale, which networks within defined ESPs will be monitored. This includes identifying the location of traffic feeds and methods used to collect and forward the traffic to the INSM system. The intent is not to require full packet capture across all zones, but to focus on points that yield the highest probability of detecting abnormal activity.

  • R1.2 – Detection of Anomalous Activity
    The INSM system must compare incoming network traffic against the defined baseline to detect anomalous traffic. Detection logic should be behavior-based rather than signature-driven. That means activity deviating from the established “normal” is flagged for analysis, even if it doesn’t match a known malware signature.

  • R1.3 – Evaluation of Anomalous Activity
    Once anomalous traffic is detected, it must be evaluated for potential security events. Entities are responsible for investigating these alerts and determining whether they are benign anomalies, misconfigurations, or actual indications of compromise.

  • R2 – Retention of Anomalous Traffic Data
    Only data related to detected anomalous activity must be retained, not all network traffic. This data must be preserved at least long enough to complete the evaluation in R1.3. False positives can be discarded after analysis, but any event deemed suspicious must be escalated into the CIP-008 incident response process and retained accordingly.

  • R3 – Protection of INSM Data
    The data captured and retained under R2 must be protected against unauthorized modification or deletion. The standard doesn’t prescribe specific controls, but aligns with CIP-011-2 data protection practices. Entities can meet this requirement by classifying the data as BES Cyber System Information (BCSI) and protecting it under existing CIP-011 controls.

The standard applies to all registered entities that own or operate applicable BES Cyber Systems at high or medium impact, including GOs, GOPs, TOs, TOPs, RCs, BAs, and DPs (as applicable).

The phased implementation timelines (detailed in the Implementation Plan) allow:

  • 36 months from FERC approval for systems in Control Centers and backup Control Centers

  • 24 months for all other medium impact systems with ERC

Notably, the scope of CIP-015-1 is limited to networks inside ESPs. Systems such as EACMS, PACS, or PCAs not inside an ESP are explicitly out of scope for this version. That said, FERC has ordered NERC to expand the scope.

FERC's Clarification (and Expansion): What Counts as "Internal"?

Here's where things get interesting. In the original directive (Order No. 887), FERC used the term CIP-networked environment, but didn’t define it. NERC also didn’t propose a definition in their petition. In this final rule, FERC clarified and expanded it for the industry. Importantly, FERC opened the definition with, “We clarify that the term CIP-networked environment does not cover all of a responsible entity’s network.”

The CIP-networked environment now includes traffic inside an electronic security perimeter but also extends beyond the perimeter - specifically:

  • The systems within the Electronic Security Perimeter (ESP), and one or more of the following:

    • Network segments that are connected to EACMS and PACS outside of the electronic security perimeter;

    • network segments between EACMS and PACS outside of the electronic security perimeter; or

    • network segments that are internal to EACMS and PACS outside of the electronic security perimeter

  • Communications to and from access systems like badge readers, VPNs, AD servers, SIEMs, and related infrastructure

FERC states that the CIP-networked environment encompasses east-west traffic within EACMS networks and PACS networks, as well as east-west traffic between EACMS and PACS, in addition to east-west traffic within the electronic security perimeter. Further, communication between PACS and controllers and communications to and from EACMS used solely for electronic access monitoring are included in the term CIP-networked environment. Finally, no distinctions can be made within categories of EACMS and PACS based on level of risk.

Why? Because attackers don’t care about what we draw on network diagrams. They often compromise access systems outside the perimeter, and then pivot inward as trusted communications. If those outer systems aren’t monitored, you may never see it coming.

The below graphic depicts the CIP-networked environment (i.e., the “trust zone”) that consists of the Cyber Systems, including the delineated networked segments that are subject to the INSM requirements.

FERC Docket No. RM24-7-000, page 26


What Comes Next?

CIP-015-1 is approved, but it’s not the final form. FERC made that clear in Order No. 907. While the current version applies only to networks inside the Electronic Security Perimeter (ESP) associated with high-impact BES Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC), FERC has directed NERC to expand the scope.

The next version of the standard, due within 12 months, must extend INSM to cover the broader CIP-networked environment. That includes:

  • Electronic Access Control or Monitoring Systems (EACMS) and

  • Physical Access Control Systems (PACS)
    even when they reside outside an ESP.

This expansion reflects a growing concern that adversaries are using trust relationships and access control infrastructure as a stepping stone into critical assets. FERC cited evidence, including threat intelligence from CISA and the Volt Typhoon campaign, showing how attackers are compromising identity infrastructure to gain persistent access and pivot within trusted environments.

What’s coming next?

  • A broadened monitoring obligation:
    INSM will not just be for systems inside ESPs. Expect to see requirements that include lateral movement detection across EACMS and PACS zones—especially those managing authentication, access control, or event correlation.

  • New asset and network inventories:
    Entities will need to identify and document which EACMS and PACS components qualify under the new scope. This will likely mean mapping new data flows, communications pathways, and risk-based monitoring locations.

  • Changes to implementation strategies:
    INSM for ESP-protected networks was already a heavy lift. Extending those capabilities to control systems outside the ESP—many of which lack centralized visibility or rely on third-party services—will require new architectural thinking and likely budget adjustments.

  • Integration with other ongoing projects:
    The changes ahead may intersect with other standards development projects (e.g., Project 2023-09 for redefining EACMS). The overlap could introduce confusion if not clearly scoped—something entities will need to track closely as the drafting process begins.

For now, CIP-015-1 remains scoped to the ESP, and that’s where compliance efforts should begin. But forward-looking entities would be wise to start inventorying and baselining EACMS and PACS systems now. The intent from FERC is clear: if a system plays a critical role in controlling or authenticating access to BES Cyber Systems, it will eventually require internal monitoring.

What It Means for You

If you’re a registered entity with high or medium impact BES Cyber Systems, this is now part of your future.

CIP-015-1 brings with it a new category of operational responsibility: internal visibility. You’re no longer just defending the border. You’re being asked to know what’s happening inside your own walls.

Here’s what you should be doing now:

  1. Start with scoping
    Identify which BES Cyber Systems fall under the initial applicability—namely, high impact systems and medium impact systems with External Routable Connectivity inside the ESP. Map the internal networks they reside on and understand how traffic flows.

  2. Define a risk-based rationale
    Requirement R1.1 gives you flexibility, but not an escape route. You’ll need a documented, risk-based justification for where and how you monitor. This includes sensor placement, data sources, and traffic visibility logic.

  3. Get ahead on baselining
    You can’t detect anomalies if you don’t know what normal looks like. That means building a behavioral baseline for internal communications—at a level of fidelity that supports real detection without overwhelming your analysts.

  4. Plan for data storage and protection
    Requirement R2 only mandates retention of anomalous activity—not all traffic—but you’ll need mechanisms to identify, preserve, and protect that data long enough to support analysis and escalation. Think of this as a leaner, smarter extension of your incident response data handling.

  5. Prepare for expanding scope
    While the current standard stops at the ESP boundary, FERC has made it clear: that boundary is temporary. EACMS and PACS systems will be brought into scope soon, even if they’re outside the ESP. Begin inventorying those systems now—particularly those managing centralized access, authentication, and monitoring functions.

  6. Don’t wait for the deadline
    Implementation is phased—36 months for Control Centers, 24 months for other medium impact systems—but the work required is substantial. Procurement, design, integration, and tuning all take time. Starting early reduces your risk of compliance gaps and deployment shortcuts under pressure.

At the end of the day, this isn’t just about checking a new box. It’s about reducing dwell time, improving situational awareness, and giving defenders a chance to detect adversaries before they trigger a cascading failure in critical infrastructure.

Conclusion

CIP-015-1 represents more than a new compliance requirement; it’s a shift in how we think about cybersecurity within the BES. It acknowledges what many have known for years (and what has been proven through Volt Typhoon and similar threat actors): perimeter protections are necessary, but they’re not sufficient. Today’s threats don’t always come from the outside, and when they do, they don’t stop at the firewall.

By formalizing the need for internal network visibility, this standard begins to close a longstanding gap. It moves us toward earlier detection, better situational awareness, and more resilient operations.

Yes, implementing INSM will require effort. It means carefully scoping your systems, documenting your rationale, and building a monitoring approach that’s tailored to your risk profile. But done right, it won’t just meet a standard; it will improve your ability to respond to the threats that matter most.

CIP-015-1 is a meaningful step in the right direction. And with FERC already calling for an expanded scope, this is only the beginning. The message is clear: knowing what’s happening inside your network is no longer a best practice; it’s a baseline expectation.
