What NERC CIP-015 Means
Shelby Brooks is an Associate Principal Consultant at industrial cybersecurity company Dragos, Inc., and is the primary Subject Matter Expert who interfaces with customers to perform architecture reviews, tabletop exercises, customer workshops, maturity assessments, and a range of other activities. She is a key member of Dragos’ core team focusing on the upcoming Internal Network Security Monitoring (INSM) requirements.
On June 26, 2025, FERC issued Order No. 907 formally approving North American Electric Reliability Corporation Critical Infrastructure Protection (CIP) Standard CIP-015-1. The new standard will require Internal Network Security Monitoring (INSM) (east-west monitoring) for network traffic within Electronic Security Perimeters (ESPs), intended to improve early detection of threats that bypass traditional perimeter defenses.
CIP-015 acknowledges that adversaries can infiltrate trusted zones and highlights the importance of continuous internal visibility. By implementing INSM, entities will be better equipped to detect an adversary during the initial stages of an intrusion and reduce the risk of an adversary establishing a foothold in the environment.
Organizations with High and Medium Impact BES Cyber Systems should begin aligning resources and internal plans to meet the CIP-015-1 requirements within the implementation timeline.
See Figure One.
Why Traditional Defenses Are No Longer Enough
Historically, NERC CIP standards have focused on preventive controls – such as strong perimeter defenses, vulnerability management, and patching — based on the assumption that these measures would be sufficient to keep threats out.