NERC CIP-015-1 · FERC Order 907 · Effective September 2025
CIP-015 Mandates Lateral Movement Detection.
AtlasCyber Already Does.
Internal Network Security Monitoring (INSM) is now a federal requirement for Bulk Electric System (BES) Cyber Systems. AtlasCyber delivers full INSM compliance: behavioral detection, documented response, and continuous visibility inside your Electronic Security Perimeter (ESP).
Understanding the Standard
What CIP-015 Requires and Why It Was Written
Perimeter Security Was Not Enough
NERC CIP standards historically focused on what sits at the perimeter: firewalls, access controls, patch cycles. Nation-state actors demonstrated that crossing the perimeter was achievable and that once inside, lateral movement through OT networks could go undetected indefinitely. FERC Order 907 mandated visibility inside the ESP itself.
FERC Order 907 · CIP-015-1
Approved June 2025 and effective September 2, 2025, CIP-015-1 requires Internal Network Security Monitoring (INSM) for applicable Bulk Electric System (BES) Cyber Systems. Three requirements: collect network data from inside the Electronic Security Perimeter (ESP) (R1.1), detect anomalies in that data (R1.2), and evaluate and document response (R1.3).
BES Cyber System Applicability
CIP-015 applies to High-impact BES Cyber Systems and Medium-impact systems with External Routable Connectivity. High-impact facilities include major generation assets, control centers operating above defined thresholds, and transmission substations at 500 kV or above. Review your CIP-002 categorizations to confirm scope.
The Three Requirements
Network Data Collection
Collect network traffic data from inside the ESP. The standard requires raw or equivalent traffic feeds from within the ESP, not just perimeter logs or firewall data.
Anomaly Detection
Apply detection capabilities to collected data to identify deviations from established baselines. Signature-only detection is insufficient. Behavioral analysis of OT protocol usage is what the standard requires.
Evaluation and Documented Response
Evaluate detected anomalies and document the response. Audit-ready, structured output is required, not just alert logs.
Compliance Timeline
Compliance Coverage
Every CIP-015 Requirement. Mapped.
AtlasCyber was designed for the ESP. Here is how each requirement is satisfied, from passive network data collection to auditable documented response.
Network Data Collection
Passive full-PCAP capture inside the ESP with zero impact on OT operations or device communications.
- Full packet capture at ESP ingress and egress points
- Passive tap deployment, no traffic interference
- IT and OT protocol coverage in a single sensor
- Compatible with existing SPAN and TAP infrastructure
- Air-gapped and isolated environment capable
Anomaly Detection
Behavioral analysis against OT and ICS protocol baselines. Detects deviation without relying on signature databases.
- Automated asset discovery and communication mapping
- Protocol-level behavioral baseline per asset
- East-west lateral movement detection
- New device and unexpected connection alerting
- MITRE ATT&CK for ICS auto-mapping on every detection
Documented Response
ClemAI generates structured, audit-ready incident evaluations with response documentation built into every finding.
- Automated incident evaluation with narrative context
- Timestamped, tamper-evident response records
- MITRE-mapped structured output per incident
- Export-ready for compliance audit packages
- Feeds into SOC workflows or operates standalone
Data Retention and Protection
CIP-015 requires INSM data to be retained and protected per the standard's specifications. AtlasCyber stores collected PCAP and detection records locally inside the ESP with configurable retention windows and access controls aligned to CIP-015 data protection requirements.
Air-Gapped and Sovereign Environments
AtlasCyber operates in fully air-gapped, isolated, and sovereign cloud environments. No external data transfer is required at any point in the pipeline, from capture through detection through documented response output. Purpose-built for utility OT environments where connectivity constraints are non-negotiable.
Volt Typhoon Was Inside US Utility Infrastructure for Years. Undetected.
CISA, NSA, and FBI confirmed that Volt Typhoon had pre-positioned itself inside US critical infrastructure including power utilities. The attackers used legitimate OT protocols and slow lateral movement that perimeter tools never flagged. CIP-015 was the regulatory response. The only way to detect this class of threat is behavioral visibility inside the ESP itself.
Built for the ESP. Not Retrofitted for It.
Most INSM tools started as IT security platforms and added OT modules. AtlasCyber started inside the ESP. That distinction matters for deployment complexity, detection accuracy, and CIP-015 audit readiness.
Full CIP-015 R1.1 · R1.2 · R1.3 Coverage in a Single Deployment
Passive PCAP capture inside the ESP, behavioral anomaly detection across IT and OT protocols, and ClemAI-generated structured incident documentation. All three CIP-015 requirements satisfied with no additional tooling required.
- Full PCAP capture at ESP boundary (R1.1)
- Behavioral anomaly detection, IT and OT (R1.2)
- ClemAI structured documented response (R1.3)
- MITRE ATT&CK for ICS auto-mapping
- East-west lateral movement detection
- Air-gapped and sovereign environment capable
- Passive deployment, zero operational impact
- CIP-015 data retention and protection
In Production
Running Inside US Utility Infrastructure Today
"Assume that threat actors will have some access to the OT network."
CI Fortify Planning Guidance, CISA/DOE Critical Infrastructure Resilience Initiative- Lateral movement detected inside the ESP via behavioral deviation from OT communication baselines, not signatures.
- MITRE ATT&CK for ICS applied automatically to each detection, with structured response documentation generated by ClemAI.
- Air-gapped deployment inside an isolated OT environment. No external connectivity required at any stage.
What Production Ready Actually Means
AtlasCyber is not a proof of concept, a lab simulation, or a pilot-phase product. It has been deployed inside live utility OT environments, capturing real traffic, detecting real anomalies, and producing the structured audit output that satisfies CIP-015 R1.3.
When the 2028 deadline approaches, utilities procuring INSM solutions for the first time will face long implementation timelines and compliance risk from late deployment. AtlasCyber customers are already past that problem.
CIP-015 FAQ
Common Questions
What is NERC CIP-015 and what does it require?
NERC CIP-015-1 (FERC Order 907) mandates Internal Network Security Monitoring inside the Electronic Security Perimeter of BES Cyber Systems. Approved June 2025, effective September 2, 2025. Three requirements: R1.1 — collect network traffic data from inside the ESP; R1.2 — run anomaly detection against those feeds; R1.3 — evaluate and document the response to detected anomalies.
What is the CIP-015 compliance deadline?
October 1, 2028 — High-impact BES Cyber Systems and Medium-impact systems with External Routable Connectivity (ERC).
October 1, 2030 — Medium-impact BES Cyber Systems without ERC.
Vendor evaluation, procurement, and implementation take longer than most compliance programs expect. If High-impact systems are in scope, the 2028 clock is already running.
What is Internal Network Security Monitoring (INSM)?
INSM is continuous visibility into traffic and behavior inside the ESP, not just at the perimeter. Perimeter firewalls and IT SIEM tools cannot see east-west lateral movement between OT assets. CIP-015 was written because threats like Volt Typhoon demonstrated that perimeter monitoring alone is insufficient.
Which BES Cyber Systems are in scope?
2028 deadline: High-impact BES Cyber Systems and Medium-impact with ERC.
2030 deadline: Medium-impact BES Cyber Systems without ERC.
High-impact systems include certain control centers, generation facilities, and transmission substations. Applicability is determined by your CIP-002 categorizations.
Can AtlasCyber operate in an air-gapped or isolated environment?
Yes. AtlasCyber is fully capable in air-gapped, sovereign cloud, and isolated OT environments. All PCAP capture, anomaly detection, and R1.3 documented response output runs inside your ESP. No external connectivity is required at any stage.
Do we need to build a SOC to comply with CIP-015?
No. CIP-015 R1.3 requires a documented evaluation and response process, not a 24/7 SOC. AtlasCyber integrates as a dedicated OT visibility and threat hunting layer into your existing security operations, or operates standalone for utilities without a dedicated SOC. ClemAI generates structured, MITRE-mapped documented response that your team acts on directly.
How does AtlasCyber detect east-west lateral movement without signatures?
AtlasCyber captures full PCAP inside the ESP and runs behavioral analysis against per-asset OT protocol baselines. When an asset communicates in a pattern that deviates from its established behavior — different destination, unusual protocol, unexpected timing — the system flags it regardless of whether the traffic carries known malicious signatures. Every detection auto-maps to MITRE ATT&CK for ICS.
Satisfy CIP-015 INSM Requirements.
Already Running in Production.
Behavioral detection, documented response, and continuous visibility inside your ESP. Fully capable in air-gapped, sovereign, and isolated environments. Integrates into your SOC or operates as your standalone OT threat hunting layer.
October 1, 2028 deadline · High-impact BES Cyber Systems + Medium with ERC