FERC’s New Visibility Mandate: What CIP-015-1 Means for Critical Infrastructure Security—and How Léargas Helps

On June 20, 2025, the Federal Energy Regulatory Commission (FERC) finalized a new cybersecurity requirement that could fundamentally change how electric utilities defend their operational technology networks. This new standard—known as CIP-015-1—introduces a mandatory requirement for Internal Network Security Monitoring (INSM). And it’s not a suggestion—it’s a shift in the way we approach security inside critical systems.

At Léargas Security, we view this as a crucial step forward in helping critical infrastructure operators gain much-needed visibility into their environments. Here’s what the new rule means, why it matters, and how our platform is purpose-built to help utilities stay compliant and secure.

What Is CIP-015-1 and Why Now?

The energy sector has long relied on “perimeter-first” defenses—tools like firewalls, VPNs, and access control systems—to keep cyber threats at bay. But attackers have adapted. They know how to breach these barriers and move laterally inside trusted networks, often undetected until damage is already done.

CIP-015-1 directly addresses this blind spot. For the first time, NERC and FERC are requiring asset owners to implement continuous monitoring of internal network communications. This means tracking east-west traffic within electronic security perimeters (ESPs), detecting suspicious or anomalous behavior, and protecting the integrity of that monitoring data.

In short: the regulators are no longer asking, “Are you guarding the gates?” They’re asking, “Can you see what’s happening inside the walls?”

What’s Required Under CIP-015-1?

The new standard is built around three core requirements:

1. Deploy INSM Technologies and Processes (R1)

Organizations must implement tools and workflows to detect unauthorized or unusual activity on internal networks. These tools may include passive network sensors, flow collectors, intrusion detection systems, or anomaly detection engines—so long as they don’t interfere with real-time operations.

2. Retain Monitoring Data Until Investigations Are Closed (R2)

If suspicious activity is detected, the data associated with those events must be preserved for the duration of the investigation. This ensures that any forensic analysis or root cause reviews are based on verifiable evidence.

3. Protect INSM Data from Tampering (R3)

It’s not enough to collect and store data—you must also ensure it’s protected from unauthorized modification or deletion. Think log integrity, access controls, and verifiable audit trails.

Initially, these requirements apply to high- and medium-impact Bulk Electric System (BES) Cyber Systems that have routable connectivity outside the ESP. However, the rule also instructs NERC to expand these requirements to include Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) within the next 12 months.
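The retention and integrity points in R2 and R3 are easier to reason about with a concrete structure in hand. The Python below is an added illustration written for this summary; it is not Léargas code and not a design prescribed by the standard. It keeps INSM event records in an append-only, HMAC-chained store: every record is bound to its predecessor and its position, records tied to an open investigation are placed on hold so a retention purge cannot remove them, and verify() reports the first record whose content, order or link no longer matches the chain. The event fields, addresses and the integrity key are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Added example (not Léargas code): a minimal append-only, tamper-evident
# store for INSM event records. The key is a constructed placeholder; in
# practice it would be held outside the collector that writes the records.
INTEGRITY_KEY = b"placeholder-integrity-key"
GENESIS = "0" * 64


@dataclass
class Record:
    seq: int        # position in the chain; bound into the tag so reordering is detected
    event: dict     # the INSM observation itself (constructed fields)
    prev_tag: str   # tag of the preceding record (or GENESIS / checkpoint)
    tag: str        # HMAC-SHA256 over seq, event and prev_tag


def compute_tag(seq, event, prev_tag):
    payload = json.dumps({"seq": seq, "event": event, "prev": prev_tag},
                         sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()


class InsmStore:
    def __init__(self):
        self.records = []
        self.holds = set()          # R2: seq numbers tied to an open investigation
        self.checkpoint = GENESIS   # tag of the last record purged from the head
        self.next_seq = 0

    def append(self, event):
        prev = self.records[-1].tag if self.records else self.checkpoint
        rec = Record(self.next_seq, dict(event), prev,
                     compute_tag(self.next_seq, event, prev))
        self.records.append(rec)
        self.next_seq += 1
        return rec.seq

    def place_hold(self, seq):
        self.holds.add(seq)

    def release_hold(self, seq):
        self.holds.discard(seq)

    def purge_prefix(self, seq_limit):
        """R2: drop closed records older than seq_limit from the head of the
        chain, stopping at the oldest record still on hold. The last purged
        tag becomes the checkpoint so the remainder stays verifiable."""
        purged = 0
        while (self.records and self.records[0].seq < seq_limit
               and self.records[0].seq not in self.holds):
            self.checkpoint = self.records.pop(0).tag
            purged += 1
        return purged

    def verify(self):
        """R3: walk the chain; return (True, None) or (False, seq) for the
        first record whose content, order or link no longer matches."""
        expected_prev = self.checkpoint
        for rec in self.records:
            if (rec.prev_tag != expected_prev
                    or rec.tag != compute_tag(rec.seq, rec.event, rec.prev_tag)):
                return False, rec.seq
            expected_prev = rec.tag
        return True, None


def build_demo():
    """Constructed walk-through: three Modbus observations, the second flagged
    and placed on hold as if an investigation had been opened."""
    s = InsmStore()
    base = {"src": "10.1.1.5", "dst": "10.1.2.10", "proto": "modbus"}
    s.append({**base, "ts": "2025-06-20T10:00:00Z", "func": "READ_HOLDING_REGISTERS"})
    flagged = s.append({**base, "ts": "2025-06-20T10:00:05Z", "func": "WRITE_MULTIPLE_REGISTERS"})
    s.append({**base, "ts": "2025-06-20T10:00:09Z", "func": "READ_COILS"})
    s.place_hold(flagged)
    return s, flagged


if __name__ == "__main__":
    store, held = build_demo()
    print("purged:", store.purge_prefix(3), "remaining:", [r.seq for r in store.records])
    store.records[-1].event["func"] = "READ_HOLDING_REGISTERS"   # simulate tampering
    print("verify after tamper:", store.verify())
```

The structure is the point here, not the key handling: whoever can write records must not also be able to re-tag them, so in a real deployment the key would live in a separate integrity service or HSM, or the chain head would be periodically countersigned by a system the collector cannot reach. The hold set is what turns a retention policy into evidence preservation: a purge cannot advance past an open investigation, and the checkpoint keeps the surviving records verifiable after older ones are legitimately dropped.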

Key Deadlines to Watch

Here’s the timeline you need to keep in mind:

- June 2025: FERC approves CIP-015-1. The countdown begins.
- Within 12 months: NERC must expand the standard to include EACMS and PACS.
- Within 36–60 months: Full implementation period ends. By this point, organizations must have technology and processes in place and fully documented.

While this may feel like a long window, implementation and tuning of monitoring technologies across segmented OT networks is not something that can—or should—be rushed.

How Léargas Security Bridges the Gap

At Léargas, we’ve long believed that visibility is the foundation of security. Our Unified XDR platform was designed from day one to address the exact kinds of challenges that CIP-015-1 now brings to the forefront.

Here’s how we help organizations not only meet these requirements but strengthen their overall security posture in the process:

- OT-Friendly Monitoring

We deploy passive sensors and non-intrusive agents tailored for sensitive control system environments. This ensures critical operations are not disrupted while still delivering full-spectrum visibility.

- Baselining and Anomaly Detection

Our platform builds a behavioral baseline for your network and flags deviations in real time. You’ll know immediately if lateral movement, command injection, or unusual peer-to-peer communication occurs within your ESP.

- Investigation-Ready Data Retention

We maintain full-fidelity network data with immutable logs and detailed metadata, helping your teams comply with retention and audit requirements.

- Built-In Integrity Controls

All collected data is protected by default using cryptographic integrity mechanisms. Tamper-evidence, data validation, and access auditing are all baked in.

- Scalable Coverage for EACMS and PACS

As CIP-015-1 expands to include access control systems, Léargas ensures your monitoring capabilities grow with it—without the need for re-architecting.

- Expert Guidance and Documentation

We don’t just drop a tool into your network and leave. Our engineers help craft policies, document procedures, and prepare you for NERC audits with clarity and confidence.

Why This Matters Now

The intent behind CIP-015-1 is clear: to bring accountability and transparency to the parts of the network that have too often been in the dark. It’s not just about compliance—it’s about resilience. Visibility is the key to early detection, fast containment, and smarter recovery.

Whether you’re an electric utility trying to get ahead of the curve or a critical infrastructure operator anticipating similar mandates in your sector, the time to act is now. These rules aren’t going away—and attackers aren’t slowing down.

Let’s Talk

If you’re planning your path to compliance—or just want to better understand how internal network visibility fits into your broader security strategy—we’re here to help.

Book a demo or reach out to our team today to explore how Léargas can support your goals and secure your environment from the inside out.

Léargas Security Proud to Support Ryan Vargas’ Podium Drive

This past weekend, Ryan Vargas delivered a strong podium finish in the NASCAR North America series, once again proving his consistency and determination behind the wheel of the #28 Dodge Challenger.

As an associate sponsor, Léargas Security is proud to support Ryan Vargas as he continues to showcase the focus, discipline, and adaptability that define successful competitors on and off the track.

Ryan’s performance came with its share of challenges. After qualifying, an individual unexpectedly walked onto pit road, forcing Ryan to take evasive maneuvers that damaged the clutch. Under drizzling rain and with the clock ticking, the DJK Racing team worked relentlessly to replace the clutch on pit road before the race, demonstrating the kind of teamwork and composure that mirrors the values we hold at Léargas Security.

Thanks to the guidance and mentorship of DJ Kennington and the DJK Racing team, Ryan was able to refocus and charge to the front, turning what could have been a setback into a moment of resilience and excellence.


At Léargas Security, we believe in supporting individuals and teams who don’t back down in the face of adversity and who approach every challenge with preparation and determination. Ryan Vargas embodies these values, and we are honored to stand with him as he continues to build momentum this season.

Congratulations to Ryan, DJ Kennington, and the entire DJK Racing team for a weekend that showed the true spirit of racing and the power of perseverance.

Detecting the Undetectable: How Léargas Uses AI and ICS Datasets to Identify Threats in OT Environments

What’s New?

The latest release of the Léargas XDR platform introduces enhanced detection and analysis functionality that fuses Zeek protocol visibility, ICS-specific threat patterns, and AI-driven reasoning powered by our internal Multi-modal Command Processor (MCP).


AI Meets ICS Threat Intelligence

Our platform now integrates with known ICS/OT threat datasets, specifically aligned to real-world attacks cataloged under frameworks like MITRE ATT&CK for ICS. By incorporating dataset-driven pattern matching, Léargas goes beyond simple anomaly detection to identify how adversaries operate—flagging techniques like:

  • Unauthorized parameter modification

  • Remote system discovery

  • Unusual device handshake behavior

  • Program uploads/downloads on field devices

Combined with rule-based detections, this dual-approach architecture increases our accuracy and reduces false positives, especially in high-noise environments like SCADA or DCS networks.


Behavioral Baselines That Actually Mean Something

Industrial networks often rely on ‘normal’ behaviors that vary drastically across environments. Léargas now includes logic to dynamically baseline protocol behavior across key OT protocols like:

  • Modbus TCP

  • ENIP/CIP

  • S7COMM

  • BACnet

  • OPC UA

  • DNP3

Our system detects anomalies by comparing ongoing behavior against known-good patterns sourced from historical traffic and community-validated datasets. When something doesn’t fit—even if it’s not malicious yet—we’ll tell you.
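To make the baselining idea concrete, here is an added example in Python that is not part of the Léargas platform and does not reproduce its logic. It learns a per-peer Modbus baseline from a constructed historical log in the layout of a Zeek modbus.log (tab-separated with a #fields header; only the columns used are included), then scores live records against it: a never-seen master/outstation pair, a function code that pair has never used, and a write function from a host that has only ever read are each reported as a separate finding. The hosts, timestamps and function names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data in the shape of Zeek's modbus.log (TSV with a
# #fields header). Not real captures and not Léargas code.
HISTORICAL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tfunc
1718000000.1\t10.1.1.5\t10.1.2.10\tREAD_HOLDING_REGISTERS
1718000001.2\t10.1.1.5\t10.1.2.10\tWRITE_SINGLE_REGISTER
1718000002.3\t10.1.1.5\t10.1.2.11\tREAD_COILS
1718000003.4\t10.1.1.6\t10.1.2.11\tREAD_INPUT_REGISTERS
"""

LIVE_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tfunc
1718100000.0\t10.1.1.5\t10.1.2.10\tREAD_HOLDING_REGISTERS
1718100001.0\t10.1.1.77\t10.1.2.10\tWRITE_MULTIPLE_REGISTERS
1718100002.0\t10.1.1.5\t10.1.2.11\tWRITE_SINGLE_COIL
1718100003.0\t10.1.1.6\t10.1.2.11\tREAD_INPUT_REGISTERS
"""

# Modbus functions that change state on the outstation; names follow the
# Zeek analyzer's spelling for the common write functions.
WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
    "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS",
}


def parse_zeek_tsv(text):
    """Turn a Zeek-style TSV log into a list of dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other metadata lines (#separator, #types, ...)
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def learn_baseline(rows):
    """Baseline = which (master, outstation) pairs talk, with which functions,
    and which hosts have ever issued a write."""
    pairs = defaultdict(set)
    writers = set()
    for r in rows:
        pairs[(r["id.orig_h"], r["id.resp_h"])].add(r["func"])
        if r["func"] in WRITE_FUNCS:
            writers.add(r["id.orig_h"])
    return {"pairs": dict(pairs), "writers": writers}


def score(row, baseline):
    """Return the list of baseline deviations for one live record (empty if it fits)."""
    findings = []
    pair = (row["id.orig_h"], row["id.resp_h"])
    if pair not in baseline["pairs"]:
        findings.append("new-peer")
    elif row["func"] not in baseline["pairs"][pair]:
        findings.append("new-function")
    if row["func"] in WRITE_FUNCS and row["id.orig_h"] not in baseline["writers"]:
        findings.append("first-write-from-host")
    return findings


def run_detection(historical_text, live_text):
    """Learn from historical traffic, then score each live record."""
    baseline = learn_baseline(parse_zeek_tsv(historical_text))
    return [(r["id.orig_h"], r["id.resp_h"], r["func"], score(r, baseline))
            for r in parse_zeek_tsv(live_text)]


if __name__ == "__main__":
    for orig, resp, func, findings in run_detection(HISTORICAL_LOG, LIVE_LOG):
        print(f"{orig} -> {resp} {func:24s} {findings or 'baseline'}")
```

Run against the constructed data, the HMI's routine read is silent, the unknown host writing to a PLC raises both a peer and a writer finding, and the HMI issuing a coil write to an outstation it has only ever read from raises a function finding. A production baseline would add time-of-day and rate dimensions and an explicit learning window, but the shape is the same: the findings are the difference between observed behaviour and what the environment has historically done, which is what the page means by anomalies that may not be malicious yet.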


Enhanced Protocol Analysis and Executive Summaries

Technical doesn’t have to mean unreadable. Our AI pipeline transforms dense ICS logs into human-readable summaries with structured insights for both analysts and executives:

  • AI-generated threat technique summaries

  • Executive risk assessments without fluff

  • Per-protocol analysis enriched with known field descriptions

Security teams can quickly distinguish between operational noise and legitimate risk—no manual parsing of logs or field codes required.


Built for Analysts, Not Just Engines

Our system was designed from the ground up for real-world practitioners. Every event is enhanced with technical context, such as field descriptions and protocol usage patterns, to support rapid triage and investigation. Summarized reports can be automatically delivered via email or consumed by other SOAR systems.


Why This Matters

ICS environments can’t rely on traditional IT defenses. They require purpose-built tooling that understands process safety, device behavior, and attacker methodology.

Léargas Security is proud to offer a platform that doesn’t just detect—but interprets.

If you’re struggling with blind spots in your OT visibility or want to validate assumptions about what’s really happening in your industrial network, let’s talk. We’ve built a platform to bring clarity to complexity.


Ready to see it in action? Book a demo and let us show you how Léargas is changing the game in ICS/OT detection and analysis.

Patrick Kelley of Critical Path Security to Provide Expert Training on Zeek at Co-op Cyber Tech 2025

Léargas Security is excited to announce that Patrick Kelley, our CEO and seasoned cybersecurity expert, will deliver specialized training on leveraging Zeek for advanced cybersecurity monitoring at the upcoming Co-op Cyber Tech conference. The event, a leading technical conference addressing cybersecurity in the cooperative space, is scheduled for June 24 – 26, 2025, in Denver, Colorado.

In this highly anticipated session, titled “Zeek: Leveraging ACID and OT Protocols,” Patrick will offer practical, hands-on training tailored for critical infrastructure and operational technology (OT) professionals. Participants will gain invaluable insights into effective deployment and use of Zeek for comprehensive network visibility and threat detection across IT and OT environments.

Training Highlights Include:

  • Zeek Deployment Best Practices: Optimal sensor placement strategies (external, internal, between network segments).
  • Comprehensive Zeek Management: Mastering Zeek command-line tools and service control (zeekctl).
  • Advanced Scaling Techniques: Distributed Zeek deployment using Docker and Ansible for enhanced performance.
  • OT-Specific Protocol Analyzers: Hands-on exercises covering critical protocols such as ENIP/CIP, S7Comm, BACnet, DNP3, Modbus, and Profinet.
  • CISA ATT&CK-based Control-system Indicator Detection (ACID): Practical guidance for implementing detection capabilities for critical OT security events.
  • Integrating Zeek with AI: Leveraging Large Language Models (LLMs) and Multi-modal Command Processors (MCPs) to bridge IT and OT knowledge gaps.

Patrick Kelley brings over 25 years of experience in critical infrastructure, government contracting, and cybersecurity across various industries, including extensive experience as a Fractional CISO and within ultra-high-net-worth sectors. Recognized as an industry expert, Patrick frequently contributes insights to major news outlets including NBC, CNN, Fortune, Bloomberg, Guardian, and The Motley Fool.

Join Patrick at Co-op Cyber Tech 2025 to enhance your cybersecurity capabilities with Zeek. This training promises actionable knowledge attendees can immediately apply to fortify their cybersecurity posture.

For further details or inquiries, please contact Patrick Kelley directly at patrick.kelley@leargassecurity.com.

We look forward to seeing you in Denver!

Date: June 24 – 26, 2025
Location: Denver, Colorado

Speaking at GTBA 2025: Ransomware Threats in Telecom and Broadband

We’re pleased to share that Patrick Kelley, CEO of Critical Path Security and Léargas Security, will be speaking at the 2025 GTBA Annual Meeting of the Membership, hosted by the Georgia Rural Telephone and Broadband Association.

📍 Location: Hammock Beach, Daytona Beach, FL
📅 Dates: June 15–19, 2025
🗣 Topic: Ransomware in Telecom and Broadband: Real-World Impact and Response Strategies


Why This Talk Matters

Rural telecommunications and broadband providers have become prime targets for ransomware groups seeking to exploit infrastructure gaps and critical service dependencies. As attackers refine their tactics—often hitting operations where recovery is slow and costly—preparedness is no longer optional.

Patrick will dive into the latest ransomware attack trends, walk through recent case studies, and outline actionable steps for detection, response, and prevention tailored for rural ISPs and telcos.


What Attendees Will Gain

  • A clearer understanding of ransomware attack vectors in telecom infrastructure

  • Guidance on securing legacy and modern broadband systems

  • Tips for building layered defenses without breaking the budget

  • Real-world examples of ransomware playbooks and how to counter them

  • Discussion on insurance, legal pressure, and operational resilience


Who’s Behind the Attacks?

Several nation-state and cybercriminal groups have increasingly targeted the telecom and broadband sector:

  • VOLT TYPHON (aka FIN12/Wizard Spider): Known for high-speed ransomware operations (Ryuk, Conti) following phishing or compromised RDP. They often exploit soft targets that still deliver high-impact service disruption.

  • VOLT KAPPA (aka Sandworm/TeleBots): Notorious for disruptive attacks like NotPetya. Their recent use of tools like Prestige ransomware or Raspberry Robin makes them a concern for any org running legacy OT/ICS assets.

  • LockBit 3.0: Targets managed service providers and broadband infrastructure in double-extortion campaigns.

  • ALPHV/BlackCat: Focused on supply chain attacks with an eye toward telecom and SaaS providers.

  • Scattered Spider (VOLT KOBALT): Uses advanced social engineering and SIM-swapping to compromise telecom-linked identity platforms.


If you work in rural broadband or telecom and want to get ahead of the next threat wave, don’t miss this session.

Stay tuned for the full GTBA agenda, and we look forward to connecting with industry peers at Hammock Beach.

Speaking at GridSecCon 2025: Mental Health in Cybersecurity and the Maslach Burnout Inventory

We’re proud to announce that Patrick Kelley, CEO of Critical Path Security and Léargas Security, will be speaking once again at GridSecCon 2025. His breakout session, titled “Mental Health in Cybersecurity: Leveraging the Maslach Burnout Inventory,” will take place on October 8, 2025, from 3:00 PM to 4:00 PM PT.

Why This Talk Matters

Cybersecurity is more than threat detection and response—it’s a high-pressure profession where burnout, imposter syndrome, and emotional fatigue are common, yet rarely discussed. The stakes are high, the expectations relentless, and the human toll is real.

In this session, Patrick will offer a brutally honest and personal look at the psychological cost of doing this work, the systemic flaws that exacerbate mental strain, and how the Maslach Burnout Inventory can be used as a tangible tool to assess and manage burnout.

What Attendees Will Learn

  • How to recognize the warning signs of burnout before they escalate

  • How to use the Maslach Burnout Inventory to self-assess and spark change

  • Resilience strategies that have real-world applicability in high-stress environments

  • How to advocate for healthier team culture and systemic improvements in cybersecurity organizations

This isn’t a surface-level motivational talk. It’s a call for accountability and change—from the ground up and the top down.

For the Community, By the Community

Patrick’s voice in this space is deeply rooted in experience. From running Managed Security Operations Centers and Incident Response teams, to counseling colleagues through moments of extreme stress, he brings an honest, no-nonsense perspective that many in our industry have lived—but few have said aloud.


Join us at GridSecCon 2025 and be part of the conversation we all need to be having.
Learn more and register here: GridSecCon 2025 Event Summary