Background: NERC CIP-015
In January of 2023 the Federal Energy Regulatory Commission (FERC) released FERC Order 887 which addresses a critical security gap in Critical Infrastructure Protection (CIP) standards, the lack of internal network security monitoring (INSM).
The current NERC CIP standards only require solutions that use traditional detection systems that identify malicious code based on known rules and signatures. The new legislation will now require electric cooperatives to implement INSMs to detect malicious activity in east-west network traffic. INSMs establish a baseline of network activity and detect anomalies that would bypass traditional detection systems, improving an organization’s ability to detect novel threats. Without INSM, organizations have limited visibility into malicious activities inside their networks, leaving them vulnerable if attackers breach initial defenses like firewalls and anti-virus software.
Implementation of NERC CIP-015
Once approved, Bulk Electronic Systems (BESs) will have 36 months to implement INSM, and medium-impact BESs with external routable connectivity (ERC) will have 60 months to do so.
While the approval of the NERC CIP-015 requirements have not been finalized, preparation on the part of electric cooperatives should start as soon as possible. Darktrace is committed to helping electric cooperatives meet the requirements for INSM and help reach compliance standards.
Why is internal network security monitoring important?
NERC CIP-015 aims to enhance the detection of anomalies or unauthorized network activity within CIP environments, underscoring the importance of monitoring East-West traffic within trust zones. This approach enables faster response and recovery times.
INSMs are essential to detecting threats that bypass traditional defenses. For example, insider threats, sophisticated new attack techniques, and threats that exploit compromised credentials—such as those obtained through phishing or other malicious activities—can easily bypass traditional firewalls and antivirus software. These threats either introduce novel methods or leverage legitimate access, making them difficult to detect.
INSMs don’t rely on rules and signatures to detect anomalous activity, they spot abnormalities in network traffic and create alerts based on this activity making them vital to detecting sophisticated threats. Additionally, INSM sits behind the firewall and provides detections utilizing the passive monitoring of east west and north south traffic within the enforcement boundary.
Buyers should be aware of the discrepancies between different INSMs. Some systems require constant tuning and updating, external connectivity forcing holes in segmentation or have intrusive deployments that put sensitive OT assets at risk.
What are the NERC CIP-015 requirements?
The goal of this directive is to ensure that cyber threats are identified early in the attack lifecycle by mandating implementation of security systems that detect and speed up mitigation of malicious activity.
The requirements are divided into three sections:
- Network security monitoring
- Data retention for anomalous activity
- Data protection
NERC CIP-015 emphasizes the importance of having documented processes and evidence of implementation, with a focus on risk-based monitoring, anomaly detection, evaluation, retention of data, and protection against unauthorized access. Below is a breakdown of each requirement.
R1: Network Security Monitoring
The NERC CIP-015 requires the implementation of and a documented process for monitoring networks within Electronic Security Perimeters (ESPs) that contain high and medium impact BES Cyber Systems.
Key parts:
Part 1.1: Use a risk-based rationale to implement network data feeds that monitor connections, devices, and communications.
Part 1.2: Detect anomalous network activity using the data feeds.
Part 1.3: Evaluate the anomalous activity to determine necessary actions.
M1: Evidence for R1 Implementation: Documentation of processes, including risk-based rationale for data collection, detection events, configuration settings, and network baselines.
Incorporating automated solutions for network baselining is essential for effective internal monitoring, especially in diverse environments like substations and control centers. Each environment requires unique baselines—what’s typical for a substation may differ significantly from a control center, making manual monitoring impractical.
A continuous internal monitoring solution powered by artificial intelligence (AI) simplifies this challenge by instantly detecting all connected assets, dynamically learning the environment’s baseline behavior, and identifying anomalies in real-time. Unlike traditional methods, Darktrace’s AI-driven approach requires no external connectivity or repeated tuning, offering a seamless, adaptive solution for maintaining secure operations across all environments.
R2: Data Retention for Anomalous Activity
Documented processes must be in place to retain network security data related to detected anomalies until the required actions are completed.
Note: Data that does not relate to detected anomalies (Part 1.2) is not required to be retained.
M2: Evidence for Data Retention (R2): Documentation of data retention processes, system configurations, or reports showing compliance with R2.
R3: Data Protection: Implement documented processes to protect the collected security monitoring data from unauthorized deletion or modification.
M3: Evidence for Data Protection (R3): Documentation demonstrating how network security monitoring data is protected from unauthorized access or changes.
How to choose the right INSM for your organization?
Several vendors will offer INSM, but how do you choose the right solution for your organization?
Here are seven questions to help you get started evaluating potential INSM vendors:
- How does the solution help with ongoing compliance and reporting including CIP-015? Or any other regulations we comply with?
- Does the solution provide real-time monitoring of east-west traffic across critical systems? And what kind of threats has it proven capable of finding?
- How deep is the traffic visibility—does it offer Layer 7 (application) insights, or is it limited to Layers 3-4?
- Is the solution compatible with our existing infrastructure (firewalls, IDS/IPS, SIEM, OT networks)?
- Is this solution inline, passive, or hybrid? What impact will it have on network latency?
- Does the vendor have experience with electric utilities or critical infrastructure environments?
- Where and how are logs and monitoring data stored?
How Darktrace helps electric utilities with INSM requirements
Darktrace's ActiveAI Security Platform is uniquely designed to continuously monitor network activity and detect anomalous activity across both IT and OT environments successfully detecting insider threats and novel ransomware, while accelerating time to detection and incident reporting.
Most INSM solutions require repeated baselining, which creates more work and increases the likelihood of false positives, as even minor deviations trigger alerts. Since networks are constantly changing, baselines need to adjust in real time. Unlike these solutions, Darktrace does not depend on external connectivity or cloud access over the public internet. Our passive network analysis requires no agents or intrusive scanning, minimizing disruptions and reducing risks to OT systems.
Darktrace's AI-driven threat detection, asset management, and incident response capabilities can help organizations comply with the requirements of NERC CIP-015 for internal network security monitoring and data protection. Built specifically to deploy in OT environments, Darktrace / OT comprehensively manages, detects, evaluates, and protects network activity and anomalous events across IT and OT environments, facilitating adherence to regulatory requirements like data retention and anomaly management.
See how INSM with Darktrace can enhance your security operations, schedule a personalized demo today.
Disclaimer
The information provided in this blog is intended for informational purposes only and reflects Darktrace’s understanding of the NERC CIP-015 INSM requirements as of the publication date. While every effort has been made to ensure the accuracy and reliability of the content, Darktrace makes no warranties or representations regarding its accuracy, completeness, or applicability to specific situations. This blog does not constitute legal or compliance advice and readers are encouraged to consult with qualified professionals for guidance specific to their circumstances. Darktrace disclaims any liability for actions taken or not taken based on the information contained herein.
References
1. https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-015-1.pdf
![WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd15391fbfb9bc810102_Screenshot%202026-04-20%20at%204.56.01%E2%80%AFPM.png)
![Earliest observed transaction record for blackice[.]sol on public ledgers.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd3a9035e7b16c8df83c_Screenshot%202026-04-20%20at%204.56.40%E2%80%AFPM.png)
