NERC CIP-015-1  ·  FERC Order 907  ·  Effective September 2025

CIP-015 Mandates Lateral Movement Detection.
AtlasCyber Already Does.

Internal Network Security Monitoring (INSM) is now a federal requirement for Bulk Electric System (BES) Cyber Systems. AtlasCyber delivers full INSM compliance: behavioral detection, documented response, and continuous visibility inside your Electronic Security Perimeter (ESP).

Full PCAP · R1.1 | Behavioral Detection · R1.2 | Documented Response · R1.3 | Sovereign & Air-Gapped Deployable | MITRE ATT&CK Mapped
Deadline 1 October 1, 2028 High-impact BES Cyber Systems + Medium with ERC
Deadline 2 October 1, 2030 Medium-impact BES Cyber Systems without ERC

Understanding the Standard

What CIP-015 Requires and Why It Was Written

The Problem

Perimeter Security Was Not Enough

NERC CIP standards historically focused on what sits at the perimeter: firewalls, access controls, patch cycles. Nation-state actors demonstrated that crossing the perimeter was achievable and that once inside, lateral movement through OT networks could go undetected indefinitely. FERC Order 907 mandated visibility inside the ESP itself.

The Standard

FERC Order 907 · CIP-015-1

Approved June 2025 and effective September 2, 2025, CIP-015-1 requires Internal Network Security Monitoring (INSM) for applicable Bulk Electric System (BES) Cyber Systems. Three requirements: collect network data from inside the Electronic Security Perimeter (ESP) (R1.1), detect anomalies in that data (R1.2), and evaluate and document response (R1.3).

Who Is In Scope

BES Cyber System Applicability

CIP-015 applies to High-impact BES Cyber Systems and Medium-impact systems with External Routable Connectivity. High-impact facilities include major generation assets, control centers operating above defined thresholds, and transmission substations at 500 kV or above. Review your CIP-002 categorizations to confirm scope.

The Three Requirements

R1.1

Network Data Collection

Collect network traffic data from inside the ESP. The standard requires raw or equivalent traffic feeds from within the ESP, not just perimeter logs or firewall data.

R1.2

Anomaly Detection

Apply detection capabilities to collected data to identify deviations from established baselines. Signature-only detection is insufficient. Behavioral analysis of OT protocol usage is what the standard requires.

R1.3

Evaluation and Documented Response

Evaluate detected anomalies and document the response. Audit-ready, structured output is required, not just alert logs.

Compliance Timeline

June 2025 FERC Order 907 approved. CIP-015-1 finalized.
Sept 2, 2025 CIP-015-1 becomes effective as a NERC Reliability Standard.
Oct 1, 2028 Compliance required for High-impact BES Cyber Systems and Medium-impact with ERC.
Oct 1, 2030 Compliance required for remaining Medium-impact BES Cyber Systems without ERC.

Compliance Coverage

Every CIP-015 Requirement. Mapped.

AtlasCyber was designed for the ESP. Here is how each requirement is satisfied, from passive network data collection to auditable documented response.

R1.1

Network Data Collection

Passive full-PCAP capture inside the ESP with zero impact on OT operations or device communications.

  • Full packet capture at ESP ingress and egress points
  • Passive tap deployment, no traffic interference
  • IT and OT protocol coverage in a single sensor
  • Compatible with existing SPAN and TAP infrastructure
  • Air-gapped and isolated environment capable
R1.2

Anomaly Detection

Behavioral analysis against OT and ICS protocol baselines. Detects deviation without relying on signature databases.

  • Automated asset discovery and communication mapping
  • Protocol-level behavioral baseline per asset
  • East-west lateral movement detection
  • New device and unexpected connection alerting
  • MITRE ATT&CK for ICS auto-mapping on every detection
R1.3

Documented Response

ClemAI generates structured, audit-ready incident evaluations with response documentation built into every finding.

  • Automated incident evaluation with narrative context
  • Timestamped, tamper-evident response records
  • MITRE-mapped structured output per incident
  • Export-ready for compliance audit packages
  • Feeds into SOC workflows or operates standalone

Data Retention and Protection

CIP-015 requires INSM data to be retained and protected per the standard's specifications. AtlasCyber stores collected PCAP and detection records locally inside the ESP with configurable retention windows and access controls aligned to CIP-015 data protection requirements.

Air-Gapped and Sovereign Environments

AtlasCyber operates in fully air-gapped, isolated, and sovereign cloud environments. No external data transfer is required at any point in the pipeline, from capture through detection through documented response output. Purpose-built for utility OT environments where connectivity constraints are non-negotiable.

The Threat That Wrote the Mandate

Volt Typhoon Was Inside US Utility Infrastructure for Years. Undetected.

CISA, NSA, and FBI confirmed that Volt Typhoon had pre-positioned itself inside US critical infrastructure including power utilities. The attackers used legitimate OT protocols and slow lateral movement that perimeter tools never flagged. CIP-015 was the regulatory response. The only way to detect this class of threat is behavioral visibility inside the ESP itself.

01 Living Off the Land Only native tools and protocols, nothing to flag. No malware signatures exist. Behavioral deviation is the only signal that reveals the threat.
02 Years of Dwell Time Nation-state actors move on timelines of months to years, maintaining quiet persistence before triggering any observable action in the environment.
03 IT/OT Lateral Movement Attackers pivot from IT into OT through engineering workstations and HMIs. Internal network monitoring is the only way to catch the crossing.
04 Pre-Positioned Access The goal is persistent access, maintained and ready. When geopolitical conditions shift, the capability to disrupt grid operations is already in place.
AtlasCyber for CIP-015

Built for the ESP. Not Retrofitted for It.

Most INSM tools started as IT security platforms and added OT modules. AtlasCyber started inside the ESP. That distinction matters for deployment complexity, detection accuracy, and CIP-015 audit readiness.

AtlasCyber
AtlasCyber

Full CIP-015 R1.1 · R1.2 · R1.3 Coverage in a Single Deployment

Passive PCAP capture inside the ESP, behavioral anomaly detection across IT and OT protocols, and ClemAI-generated structured incident documentation. All three CIP-015 requirements satisfied with no additional tooling required.

  • Full PCAP capture at ESP boundary (R1.1)
  • Behavioral anomaly detection, IT and OT (R1.2)
  • ClemAI structured documented response (R1.3)
  • MITRE ATT&CK for ICS auto-mapping
  • East-west lateral movement detection
  • Air-gapped and sovereign environment capable
  • Passive deployment, zero operational impact
  • CIP-015 data retention and protection
SOC Integration or Standalone Operation AtlasCyber feeds structured detections and MITRE-mapped findings into your existing SOC as a dedicated OT visibility layer. No dedicated SOC? AtlasCyber operates as your OT threat hunting capability, delivering findings your engineering or security team can act on directly.

In Production

Running Inside US Utility Infrastructure Today

CI Fortify · CISA/DOE

"Assume that threat actors will have some access to the OT network."

CI Fortify Planning Guidance, CISA/DOE Critical Infrastructure Resilience Initiative
  • Lateral movement detected inside the ESP via behavioral deviation from OT communication baselines, not signatures.
  • MITRE ATT&CK for ICS applied automatically to each detection, with structured response documentation generated by ClemAI.
  • Air-gapped deployment inside an isolated OT environment. No external connectivity required at any stage.

What Production Ready Actually Means

AtlasCyber is not a proof of concept, a lab simulation, or a pilot-phase product. It has been deployed inside live utility OT environments, capturing real traffic, detecting real anomalies, and producing the structured audit output that satisfies CIP-015 R1.3.

When the 2028 deadline approaches, utilities procuring INSM solutions for the first time will face long implementation timelines and compliance risk from late deployment. AtlasCyber customers are already past that problem.

CIP-015 FAQ

Common Questions

What is NERC CIP-015 and what does it require?

NERC CIP-015-1 (FERC Order 907) mandates Internal Network Security Monitoring inside the Electronic Security Perimeter of BES Cyber Systems. Approved June 2025, effective September 2, 2025. Three requirements: R1.1 — collect network traffic data from inside the ESP; R1.2 — run anomaly detection against those feeds; R1.3 — evaluate and document the response to detected anomalies.

What is the CIP-015 compliance deadline?

October 1, 2028 — High-impact BES Cyber Systems and Medium-impact systems with External Routable Connectivity (ERC).

October 1, 2030 — Medium-impact BES Cyber Systems without ERC.

Vendor evaluation, procurement, and implementation take longer than most compliance programs expect. If High-impact systems are in scope, the 2028 clock is already running.

What is Internal Network Security Monitoring (INSM)?

INSM is continuous visibility into traffic and behavior inside the ESP, not just at the perimeter. Perimeter firewalls and IT SIEM tools cannot see east-west lateral movement between OT assets. CIP-015 was written because threats like Volt Typhoon demonstrated that perimeter monitoring alone is insufficient.

Which BES Cyber Systems are in scope?

2028 deadline: High-impact BES Cyber Systems and Medium-impact with ERC.

2030 deadline: Medium-impact BES Cyber Systems without ERC.

High-impact systems include certain control centers, generation facilities, and transmission substations. Applicability is determined by your CIP-002 categorizations.

Can AtlasCyber operate in an air-gapped or isolated environment?

Yes. AtlasCyber is fully capable in air-gapped, sovereign cloud, and isolated OT environments. All PCAP capture, anomaly detection, and R1.3 documented response output runs inside your ESP. No external connectivity is required at any stage.

Do we need to build a SOC to comply with CIP-015?

No. CIP-015 R1.3 requires a documented evaluation and response process, not a 24/7 SOC. AtlasCyber integrates as a dedicated OT visibility and threat hunting layer into your existing security operations, or operates standalone for utilities without a dedicated SOC. ClemAI generates structured, MITRE-mapped documented response that your team acts on directly.

How does AtlasCyber detect east-west lateral movement without signatures?

AtlasCyber captures full PCAP inside the ESP and runs behavioral analysis against per-asset OT protocol baselines. When an asset communicates in a pattern that deviates from its established behavior — different destination, unusual protocol, unexpected timing — the system flags it regardless of whether the traffic carries known malicious signatures. Every detection auto-maps to MITRE ATT&CK for ICS.

CIP-015 Compliance

Satisfy CIP-015 INSM Requirements.
Already Running in Production.

Behavioral detection, documented response, and continuous visibility inside your ESP. Fully capable in air-gapped, sovereign, and isolated environments. Integrates into your SOC or operates as your standalone OT threat hunting layer.

October 1, 2028 deadline  ·  High-impact BES Cyber Systems + Medium with ERC