FERC’s New Visibility Mandate: What CIP-015-1 Means for Critical Infrastructure Security—and How Léargas Helps

On June 20, 2025, the Federal Energy Regulatory Commission (FERC) finalized a new cybersecurity requirement that could fundamentally change how electric utilities defend their operational technology networks. This new standard—known as CIP-015-1—introduces a mandatory requirement for Internal Network Security Monitoring (INSM). And it’s not a suggestion—it’s a shift in the way we approach security inside critical systems.

At Léargas Security, we view this as a crucial step forward in helping critical infrastructure operators gain much-needed visibility into their environments. Here’s what the new rule means, why it matters, and how our platform is purpose-built to help utilities stay compliant and secure.

What Is CIP-015-1 and Why Now?

The energy sector has long relied on “perimeter-first” defenses—tools like firewalls, VPNs, and access control systems—to keep cyber threats at bay. But attackers have adapted. They know how to breach these barriers and move laterally inside trusted networks, often undetected until damage is already done.

CIP-015-1 directly addresses this blind spot. For the first time, NERC and FERC are requiring asset owners to implement continuous monitoring of internal network communications. This means tracking east-west traffic within electronic security perimeters (ESPs), detecting suspicious or anomalous behavior, and protecting the integrity of that monitoring data.

In short: the regulators are no longer asking, “Are you guarding the gates?” They’re asking, “Can you see what’s happening inside the walls?”

What’s Required Under CIP-015-1?

The new standard is built around three core requirements:

1. Deploy INSM Technologies and Processes (R1)

Organizations must implement tools and workflows to detect unauthorized or unusual activity on internal networks. These tools may include passive network sensors, flow collectors, intrusion detection systems, or anomaly detection engines—so long as they don’t interfere with real-time operations.

2. Retain Monitoring Data Until Investigations Are Closed (R2)

If suspicious activity is detected, the data associated with those events must be preserved for the duration of the investigation. This ensures that any forensic analysis or root cause reviews are based on verifiable evidence.

3. Protect INSM Data from Tampering (R3)

It’s not enough to collect and store data—you must also ensure it’s protected from unauthorized modification or deletion. Think log integrity, access controls, and verifiable audit trails.
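As an added illustration of what R1 and R3 amount to in practice (example code written for this discussion, not Léargas product code or anything from NERC), the Python below learns a baseline of east-west flows inside an ESP from constructed sample records, flags later flows that fall outside that baseline, and writes each alert into a hash-chained evidence log whose integrity can be verified afterwards. Every address, port, timestamp and flow record is constructed, and the function names are the example's own.

```python
"""
Added illustration (not Léargas or NERC code): a minimal INSM pipeline.

R1: learn an east-west communication baseline from flow records and
    flag deviations (new talker pairs, new services).
R2/R3: append every alert to a hash-chained evidence log so that a
    modified, reordered or removed record is detectable at review time.

All addresses, ports and flow records below are constructed sample data.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Set, Tuple

Key = Tuple[str, str, int, str]  # (src, dst, dst_port, proto)
GENESIS = "0" * 64  # hash "before" the first record in the chain


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dst_port: int
    proto: str
    nbytes: int

    def key(self) -> Key:
        return (self.src, self.dst, self.dst_port, self.proto)


# Constructed known-good traffic during a learning window: an HMI polling
# two PLCs over Modbus/TCP and an engineering workstation reaching the historian.
BASELINE_FLOWS = [
    Flow("2025-07-01T08:00:00Z", "10.10.1.10", "10.10.2.21", 502, "tcp", 1200),
    Flow("2025-07-01T08:00:05Z", "10.10.1.10", "10.10.2.22", 502, "tcp", 1180),
    Flow("2025-07-01T08:01:00Z", "10.10.1.50", "10.10.3.5", 1433, "tcp", 40000),
]

# Constructed traffic from a later window, including two deviations.
NEW_FLOWS = [
    Flow("2025-07-02T08:00:00Z", "10.10.1.10", "10.10.2.21", 502, "tcp", 1210),
    # workstation opens SMB to the HMI: a peer pair never seen in the baseline
    Flow("2025-07-02T08:02:00Z", "10.10.1.50", "10.10.1.10", 445, "tcp", 90000),
    # HMI reaches a PLC on a service port never seen in the baseline
    Flow("2025-07-02T08:03:00Z", "10.10.1.10", "10.10.2.22", 44818, "tcp", 3000),
]


def build_baseline(flows: List[Flow]) -> Set[Key]:
    """R1 learning phase: the set of (src, dst, port, proto) tuples observed."""
    return {f.key() for f in flows}


def detect_anomalies(baseline: Set[Key], flows: List[Flow]) -> List[dict]:
    """R1 detection phase: any flow whose tuple is outside the baseline is an alert."""
    return [
        {"reason": "unbaselined east-west flow", **asdict(f)}
        for f in flows
        if f.key() not in baseline
    ]


def append_event(chain: List[dict], event: dict) -> dict:
    """R3: append a record whose hash also covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    record = {"prev": prev, "event": event, "hash": digest}
    chain.append(record)
    return record


def verify_chain(chain: List[dict]) -> bool:
    """Recompute every link; False if a record was altered, reordered or cut out.

    Truncating the tail is only caught if the latest hash is also anchored
    somewhere the log writer cannot change (write-once storage, a separate host).
    """
    prev = GENESIS
    for rec in chain:
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


def run_insm() -> Tuple[List[dict], List[dict]]:
    """Baseline, detect, and preserve each alert in the evidence chain."""
    baseline = build_baseline(BASELINE_FLOWS)
    alerts = detect_anomalies(baseline, NEW_FLOWS)
    evidence: List[dict] = []
    for alert in alerts:
        append_event(evidence, alert)
    return alerts, evidence


if __name__ == "__main__":
    alerts, evidence = run_insm()
    for a in alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dst_port']}/{a['proto']}")
    print("evidence log intact:", verify_chain(evidence))
    evidence[0]["event"]["dst_port"] = 80  # simulate a stored record being edited
    print("after editing a stored record:", verify_chain(evidence))
```

The baseline here is deliberately simple (a set of observed tuples); a production sensor would also weigh volume, timing and protocol-level fields, but the shape is the same: learn what the ESP normally looks like, alert on what falls outside it, and make the alert record itself tamper-evident so the forensic review R2 anticipates rests on data that R3-style integrity controls have protected.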

Initially, these requirements apply to high- and medium-impact Bulk Electric System (BES) Cyber Systems that have routable connectivity outside the ESP. However, the rule also instructs NERC to expand these requirements to include Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) within the next 12 months.

Key Deadlines to Watch

Here’s the timeline you need to keep in mind:

- June 2025: FERC approves CIP-015-1. The countdown begins.
- Within 12 months: NERC must expand the standard to include EACMS and PACS.
- Within 36–60 months: Full implementation period ends. By this point, organizations must have technology and processes in place and fully documented.

While this may feel like a long window, implementation and tuning of monitoring technologies across segmented OT networks is not something that can—or should—be rushed.

How Léargas Security Bridges the Gap

At Léargas, we’ve long believed that visibility is the foundation of security. Our Unified XDR platform was designed from day one to address the exact kinds of challenges that CIP-015-1 now brings to the forefront.

Here’s how we help organizations not only meet these requirements but strengthen their overall security posture in the process:

- OT-Friendly Monitoring

We deploy passive sensors and non-intrusive agents tailored for sensitive control system environments. This ensures critical operations are not disrupted while still delivering full-spectrum visibility.

- Baselining and Anomaly Detection

Our platform builds a behavioral baseline for your network and flags deviations in real time. You’ll know immediately if lateral movement, command injection, or unusual peer-to-peer communication occurs within your ESP.

- Investigation-Ready Data Retention

We maintain full-fidelity network data with immutable logs and detailed metadata, helping your teams comply with retention and audit requirements.

- Built-In Integrity Controls

All collected data is protected by default using cryptographic integrity mechanisms. Tamper-evidence, data validation, and access auditing are all baked in.

- Scalable Coverage for EACMS and PACS

As CIP-015-1 expands to include access control systems, Léargas ensures your monitoring capabilities grow with it—without the need for re-architecting.

- Expert Guidance and Documentation

We don’t just drop a tool into your network and leave. Our engineers help craft policies, document procedures, and prepare you for NERC audits with clarity and confidence.

Why This Matters Now

The intent behind CIP-015-1 is clear: to bring accountability and transparency to the parts of the network that have too often been in the dark. It’s not just about compliance—it’s about resilience. Visibility is the key to early detection, fast containment, and smarter recovery.

Whether you’re an electric utility trying to get ahead of the curve or a critical infrastructure operator anticipating similar mandates in your sector, the time to act is now. These rules aren’t going away—and attackers aren’t slowing down.

Let’s Talk

If you’re planning your path to compliance—or just want to better understand how internal network visibility fits into your broader security strategy—we’re here to help.

Book a demo or reach out to our team today to explore how Léargas can support your goals and secure your environment from the inside out.