At the June Federal Energy Regulatory Commission (FERC) meeting, the North American Electric Reliability Corporation (NERC) CIP-015-1 was formally approved. The new standard signals a significant shift for the North American electric sector, mandating internal network security monitoring of industrial control systems (ICS) within the electronic security perimeter, moving beyond protection at the network edge. Within the year, it will also cover electronic access control and physical access control systems. 

The final rule approves CIP-015-1, which NERC submitted in response to Order No. 887. The FERC has also directed NERC to develop further modifications to proposed Reliability Standard CIP-015-1, within 12 months of the effective date of the final rule in this proceeding, to extend internal network security monitoring to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside of the electronic security perimeter. 

Internal network security monitoring (INSM) is a form of network security monitoring applied within a trust zone, such as a perimeter zone with elevated credentials on an internal network. Under this rule and Order No. 887, the trust zone is the CIP-networked environment. INSM maintains visibility over communications between devices within a trust zone and helps detect malicious activity that has bypassed perimeter defenses. It also supports identifying abnormal network activity early, improving mitigation and recovery efforts.

Internal network security monitoring operates in three stages: collection, detection, and analysis. Together, these enable early detection and alerting, making it harder for attackers to gain a foothold or operational control. It also strengthens incident response by providing better data on the extent of an attack inside the trust zone and offers insight into lateral (east-west) traffic, building a fuller picture of intrusions beyond perimeter monitoring alone.

In January 2023, in Order No. 887, the Commission directed NERC to develop new or revised CIP Reliability Standards mandating internal network security monitoring for high-impact bulk electric system (BES) cyber systems, regardless of external connectivity, and for medium-impact systems with external routable connectivity. The Commission explained that current standards focus on perimeter defenses but lack monitoring inside the trusted CIP-networked environment, leaving a security gap.

Internal network security monitoring requirements aim to close that gap by establishing baselines for network activity, monitoring for unauthorized activity, and giving entities flexibility in how they identify anomalies, as long as they log, retain, and protect data with enough fidelity to investigate incidents and guard against tampering.

The FERC said that it is “persuaded by the comments of NERC, IRC, and Trade Associations to clarify the scope of the term CIP-networked environment. First, the term CIP-networked environment does not cover all of a responsible entity’s network. Rather, the scope of CIP-networked environment includes the systems within the electronic security perimeter and one or more of the following: (1) network segments that are connected to EACMS and PACS outside of the electronic security perimeter; (2) network segments between EACMS and PACS outside of the electronic security perimeter; or (3) network segments that are internal to EACMS and PACS outside of the electronic security perimeter.”

The Commission determined that this scope is appropriate because compromised EACMS and PACS outside the electronic security perimeter can provide an avenue for an attacker to access the OT (operational technology) environment inside the electronic security perimeter to undertake any number of malicious acts as described in Order No. 887. It added that the implementation of internal network security monitoring at each of the above networked segments should allow a responsible entity to detect and respond to malicious or unauthorized access to the electronic security perimeter.

In line with the clarified scope of the CIP-networked environment, the FERC noted that extending proposed Reliability Standard CIP-015-1 to EACMS and PACS includes east-west traffic within EACMS networks and PACS networks, as well as traffic between EACMS and PACS, in addition to east-west traffic inside the electronic security perimeter. Communications between PACS and controllers, and communications to or from EACMS used solely for electronic access monitoring, also fall within the definition of the CIP-networked environment.

“We note that one aspect of OpenPolicy’s recommended definition of the term CIP-networked environment is already incorporated into the delineated network segments discussed above: implementation of INSM at operational technology environments, guarding against disruptions in industrial and control environments,” the FERC highlighted. “OpenPolicy’s proposal to extend the definition of the term CIP-networked environment to include information technology and internet of things environments is outside the scope of this proceeding, which focuses on INSM implementation in operational technology environments.”

FERC declines to prejudge the need for a potential noncompliance abeyance that NERC may establish in the future. “We also decline to direct NERC to conduct a feasibility study that includes a review of threat intelligence information containing indicia of malicious activity targeting EACMS or PACS that may have a material impact on the reliability of the Bulk-Power System. This threat is already well-established, and a feasibility study is unnecessary.” 

For example, open-source intelligence reports indicate that malicious actors are targeting an identity and access management system that serves as an electronic access control system. The goal is to enable lateral movement, the type of movement internal network security monitoring is intended to detect and respond to, and thereby gain access to critical OT trust zones, access that can disrupt electrical substations and impact bulk-power system reliability.

Robert M. Lee, CEO and co-founder at Dragos Inc., an industrial cybersecurity company, wrote in a LinkedIn post that it is great to see FERC formally approve NERC CIP-015-1 for internal network security monitoring. “This will support all those in the electric community that have already gone this path and all those that are trying to gaining immense visibility and detection capabilities into the adversaries and issues in our bulk electric system networks.”

FERC, based on its consideration of the record, adopts the 12-month deadline proposed in the Notice of Proposed Rulemaking (NOPR). “While we recognize that parties might benefit from additional time, we are not persuaded at this time that additional time is needed to address the modifications directed in this order. To the extent NERC concludes during the standards drafting process that additional time is needed, NERC may request, and the Commission will consider whether to grant, an extension at that time.” 

The FERC-725B information collection requirements are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995. OMB’s regulations require approval of certain information collection requirements imposed by agency rules. Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. 

The Commission received no comments on the validity of the burden and cost estimates in the NOPR. It solicits comments on the need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques.

The NERC Compliance Registry, as of April 2025, identifies approximately 1,636 unique U.S. entities that are subject to mandatory compliance with CIP Reliability Standards. Of this total, we estimate that 400 entities will face an increased paperwork burden under the proposed Reliability Standard CIP-015-1. 

Based on these assumptions, FERC estimates the reporting burden in the final rule. The estimated responses and burden hours for each of Years 1 through 3 are 2,400 responses and 136,000 hours annually. The annual cost burden for each of these years is projected at US$11,595,360.

The FERC is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment. The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural, or that do not substantially change the effect of the regulations being amended. The action proposed herein falls within this categorical exclusion in the Commission’s regulations.
