Monitoring Meets Mandate: Will the Next CIP-015 Standard Deliver on FERC’s Vision?

By Patrick Miller

FERC approved CIP-015-1, but also ordered NERC to expand it. The new SAR outlines how INSM requirements will extend beyond the ESP to include EACMS and PACS systems. This post breaks down how the SAR aligns with FERC’s directive, what still needs attention, and why internal visibility is no longer optional.

Project 2025-02: Will the Next INSM Standard Deliver on FERC’s Visibility Mandate?

When FERC issued Order No. 907 approving NERC CIP-015-1, it came with a clear caveat: the standard didn’t go far enough. While it established a long-overdue requirement for Internal Network Security Monitoring (INSM) inside Electronic Security Perimeters (ESPs), FERC simultaneously directed NERC to expand the standard within 12 months.

Their reasoning was unambiguous—systems outside the ESP (like EACMS and PACS) that have deep trust relationships with BES Cyber Systems are still ripe targets for lateral movement and credential abuse, as demonstrated by campaigns like Volt Typhoon.

In response, NERC has now published a Standard Authorization Request (SAR) under Project 2025-02 to initiate this next phase of the CIP-015 standard. So, the question is: does the SAR meet FERC’s directive? Here’s what the industry needs to know…

What FERC Ordered

FERC’s directive in Order No. 907 wasn’t vague. The Commission instructed NERC to modify CIP-015-1 to:

  • Expand INSM requirements beyond the ESP

  • Include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS)

  • Capture traffic across what it called the “CIP-networked environment”

FERC explicitly defined the CIP-networked environment as:

the systems within the electronic security perimeter and one or more of the following: (1) network segments that are connected to EACMS and PACS outside of the electronic security perimeter; (2) network segments between EACMS and PACS outside of the electronic security perimeter; or (3) network segments that are internal to EACMS and PACS outside of the electronic security perimeter.
— FERC Order 907, paragraph 43

This definition is important. It closes any debate about whether “outside the ESP” means “out of scope.” FERC made it clear. If the system participates in trust, access, or visibility for BES Cyber Systems, it belongs in the monitoring footprint.

What the SAR Proposes

NERC’s SAR for Project 2025-02 largely reflects FERC’s intent. It proposes revisions to CIP-015 to:

  • Extend INSM applicability to EACMS and PACS outside the ESP

  • Monitor east-west communications between these systems, including:

    • PACS controller-to-device traffic

    • EACMS systems used solely for access logging or monitoring

    • Inter-device and cross-segment traffic patterns that support access/authentication

This is a meaningful and welcome clarification. The SAR directly addresses east-west traffic monitoring as a priority for internal detection. It signals that INSM is not limited to signature-based alerts or north-south firewall events. It must include behavioral and lateral movement visibility.

The SAR also outlines that:

  • INSM obligations will continue to apply to High Impact BES Cyber Systems, and Medium Impact BES Cyber Systems with External Routable Connectivity

  • Low Impact systems and Medium Impact systems without ERC are out of scope

  • The definition of “CIP-networked environment” may be formalized (though it stops short of directly adopting FERC’s wording verbatim)

Where It Aligns, and Where to Watch

Overall, the SAR shows strong alignment with FERC’s expectations, but a few areas warrant attention as the drafting process moves forward:

Strong Alignment

  • Scope Expansion: Includes EACMS and PACS outside the ESP, just as FERC required.

  • Risk-Based Approach: Acknowledges the need for practical implementation while maintaining visibility goals.

  • East-West Visibility: SAR explicitly calls for monitoring of internal traffic between control systems, an essential step.

  • Timeliness: Commits to delivery within 12 months of FERC’s final rule, meeting the regulatory deadline.

Watch Areas

  • Definition of the “CIP-networked environment”: FERC already defined this term. The SAR suggests it may be defined by the drafting team. There’s a risk of fragmentation or reinterpretation if FERC’s definition isn’t directly adopted. Clarity here is critical.

  • INSM Functionality and Fidelity: While east-west traffic is addressed, the SAR doesn’t yet speak to…

    • Minimum detection capabilities (e.g., anomaly detection, behavioral baselining)

    • Alert correlation, response workflows, or retention handling for anomalous traffic. These may be covered during drafting, but stakeholders should push for functionally meaningful controls—not just box-checking.

  • Integration with Other CIP Standards: The SAR states other standards may be revised “if necessary.” But access and trust relationships cross multiple CIP domains (CIP-005, -007, -010, etc.). The drafting team should consider cohesive updates across standards to avoid gaps or conflicting obligations.

Final Thoughts: Don’t Wait for the Ink to Dry

The SAR sets a strong foundation for expanding INSM, but what comes next will depend on how effectively the drafting team translates that intent into clear, operational requirements. This isn’t just about regulatory alignment. It’s a chance for the industry to meaningfully reduce dwell time, detect lateral movement, and bring trusted but often overlooked systems into the visibility fold.

Whether or not the term "CIP-networked environment" becomes formally defined in the standard, FERC has already drawn the boundary lines. If a system facilitates access, enforces policy, or supports monitoring for BES Cyber Systems, it’s part of the security picture, and it’s in scope for INSM.

Actionable Steps to Take Now

Even before the revised standard is complete, entities can (and should) get ahead:

  1. Inventory Trust Relationships: Begin identifying EACMS and PACS systems—even those outside the ESP—that have direct or indirect influence over BES Cyber Systems. Focus on those that authenticate, authorize, or log access activity.

  2. Map East-West Communication Paths: Document lateral traffic patterns between access control systems, logging infrastructure, and BES Cyber Systems. Pay special attention to multi-site PACS implementations, federated identity platforms, and shared VLANs.

  3. Assess Current Monitoring Capabilities: Evaluate what, if anything, is currently being monitored on these non-ESP systems. Identify where visibility is lacking and where sensors, taps, or SPANs may need to be deployed or adjusted.

  4. Review INSM Detection and Retention Policies: CIP-015-1 requires retention of detected anomalous activity—but only for ESP-resident systems. Use this time to design or tune detection logic, alerting workflows, and retention practices that can scale to expanded scope.

  5. Engage with the SAR Drafting Process: The upcoming standard will define the future compliance landscape. Participate in drafting team calls, provide comment when SAR revisions are posted, and make sure operational realities are part of the conversation.

  6. Plan for Procurement and Budget Cycles: New visibility often means new tooling. Start building business cases now for expanded INSM coverage, whether through existing NIDS platforms, flow monitoring, endpoint telemetry, or other controls.
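As an added illustration of steps 1 through 4 (example code written for this post, not from NERC, FERC or the author), the Python below encodes FERC’s paragraph-43 definition of the CIP-networked environment and the SAR’s applicability rule, then flags east-west paths inside that environment that no sensor covers. The asset names, segments, flows and sensor placement are constructed, and the model simplifies by putting each asset on a single network segment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str         # "BCS", "EACMS" or "PACS"
    segment: str      # the one network segment (VLAN) the asset sits on
    in_esp: bool      # inside an Electronic Security Perimeter?
    impact: str       # rating of the BCS it is, or is associated with
    erc: bool = True  # External Routable Connectivity (decides Medium scope)

def applicable(a: Asset) -> bool:
    """SAR applicability: High, and Medium with ERC; Low and Medium w/o ERC are out."""
    return a.impact == "High" or (a.impact == "Medium" and a.erc)

def cip_networked_segments(assets) -> set:
    """Segments forming the CIP-networked environment (Order 907, para. 43): ESP
    segments plus every segment an in-scope EACMS/PACS outside the ESP attaches to
    (clauses (1)-(3) collapse to this under the one-segment-per-asset model)."""
    scoped = [a for a in assets if applicable(a)]
    esp = {a.segment for a in scoped if a.in_esp}
    outside = {a.segment for a in scoped if not a.in_esp and a.kind in ("EACMS", "PACS")}
    return esp | outside

def coverage_gaps(assets, flows, monitored) -> list:
    """Flows with both ends in the CIP-networked environment that cross a
    segment with no INSM sensor. Returns (src, dst, unmonitored_segments)."""
    by_name = {a.name: a for a in assets}
    scope = cip_networked_segments(assets)
    gaps = []
    for src, dst in flows:
        segs = {by_name[src].segment, by_name[dst].segment}
        missing = sorted(segs - set(monitored))
        if segs <= scope and missing:
            gaps.append((src, dst, missing))
    return gaps

# Constructed inventory, observed flows and sensor placement (all hypothetical).
ASSETS = [
    Asset("hmi-01", "BCS", "esp-control", True, "High"),
    Asset("jump-host", "EACMS", "dmz-access", False, "High"),
    Asset("ad-dc-01", "EACMS", "corp-idm", False, "High"),   # directory used for ESP auth
    Asset("pacs-srv", "PACS", "pacs-net", False, "High"),
    Asset("door-ctl-3", "PACS", "pacs-net", False, "High"),
    Asset("low-rtu", "BCS", "low-site", False, "Low"),
    Asset("med-hmi", "BCS", "med-island", True, "Medium", erc=False),
]
FLOWS = [("jump-host", "hmi-01"), ("ad-dc-01", "jump-host"), ("pacs-srv", "door-ctl-3"),
         ("ad-dc-01", "pacs-srv"), ("low-rtu", "hmi-01")]
MONITORED = {"esp-control", "dmz-access"}  # today's ESP-only footprint plus a DMZ tap
```

Calling `coverage_gaps(ASSETS, FLOWS, MONITORED)` on this sample reports the EACMS-to-EACMS, PACS controller-to-device and EACMS-to-PACS paths as unmonitored, while the Low Impact site and the Medium-without-ERC island stay out of scope.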

This isn’t just about being ready for the audit. It's about being ready for the threat. And in a world where determined and capable attackers such as Volt Typhoon have already figured out how to exploit trust, access, and credential infrastructure, internal visibility isn’t just prudent; it’s essential.
