Impact of FERC’s Ratification of NERC CIP-015


The June 26 ratification of a new critical infrastructure protection standard, CIP-015, mandates the implementation of internal network security monitoring (INSM) for entities responsible for power generation, distribution, and transmission.

This mandate, submitted by the North American Electric Reliability Corporation (NERC) and ratified by the Department of Energy’s Federal Energy Regulatory Commission (FERC), impacts CIP-networked environments including medium and large bulk electric system network traffic inside an electronic security perimeter.

The impact could be substantial for these networks, requiring a cultural shift in operations. The standard’s aim is to detect anomalous network traffic during an ongoing incident. The standard also mandates that organizations define trust zones where INSM requirements should apply.

The Societal Impact of NERC CIP-015

While NERC CIP-015 explicitly targets large and medium bulk electric systems (BES), the implications ripple across the broader utility landscape. State, local, and tribal governments—particularly those running municipal water systems, regional transit networks, or public power co-ops—should see CIP-015 as a signal flare. Even if your environment isn’t regulated by NERC, the expectations for lateral visibility and behavioral awareness are rising fast. More to the point, society runs on power.

Public water and wastewater utilities alone consume around 56 billion kWh of electricity annually—roughly 1.5 to 4% of total U.S. electricity use. A single medium-sized wastewater treatment plant uses about 11 million kWh per year. These services represent some of the largest municipal energy consumers.

Meanwhile, electric cooperatives serve over 42 million customers and account for tens of terawatt-hours of electricity consumed annually.

Bottom line: if your utility provides or consumes critical services, you are part of the broader reliability and resilience conversation. Society depends on your uptime, and your uptime depends on that of other utility operations.

Enhancing Internal Network Security Monitoring

CIP-015 mandates INSM to detect behavioral anomalies through baselining. This isn’t plug-and-play. It demands a cultural shift in operations—understanding “normal” behavior, integrating threat intelligence, and mapping change across systems and configured environments.

In utilities especially, and irrespective of size, change management is critical: any change can jeopardize process integrity, and these processes have significant public health and safety implications. For environments with cyber-physical systems (CPS), the configured environment ideally should be subject to zero trust, especially device-to-device communication.
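As an added illustration (not Claroty code and not part of the original post) of the baselining the standard calls for: learn the device-to-device conversations observed during a baseline window, then flag traffic that is either an unseen conversation or involves a host outside the defined trust zone. The flow lines, host addresses and zone membership below are constructed sample values, not captures from any real network.

```python
from collections import defaultdict

# Constructed sample flow records, one per line: "timestamp src dst dport proto".
# These are made-up values for illustration, not captures from a real substation.
BASELINE_FLOWS = """\
2025-07-01T00:00:01 10.10.1.10 10.10.1.20 502 tcp
2025-07-01T00:00:02 10.10.1.10 10.10.1.21 502 tcp
2025-07-01T00:00:03 10.10.1.30 10.10.1.10 20000 tcp
2025-07-01T00:00:04 10.10.1.10 10.10.1.20 502 tcp
""".splitlines()

NEW_FLOWS = """\
2025-07-02T03:10:01 10.10.1.10 10.10.1.20 502 tcp
2025-07-02T03:10:05 10.10.1.21 10.10.1.30 20000 tcp
2025-07-02T03:10:09 10.10.1.50 10.10.1.20 502 tcp
""".splitlines()

# Assumed trust zone: the hosts expected to live inside the monitored perimeter.
ZONE_HOSTS = {"10.10.1.10", "10.10.1.20", "10.10.1.21", "10.10.1.30"}


def parse_flow(line):
    """Split a flow record into its timestamp and a hashable conversation key."""
    ts, src, dst, dport, proto = line.split()
    return ts, (src, dst, int(dport), proto)


def build_baseline(lines):
    """Learn which (src, dst, dport, proto) conversations occur, with counts."""
    baseline = defaultdict(int)
    for line in lines:
        _, key = parse_flow(line)
        baseline[key] += 1
    return dict(baseline)


def detect_anomalies(baseline, lines, zone_hosts):
    """Flag conversations absent from the baseline or touching a host outside the zone."""
    findings = []
    for line in lines:
        ts, key = parse_flow(line)
        src, dst, _, _ = key
        reasons = []
        if key not in baseline:
            reasons.append("unbaselined conversation")
        if src not in zone_hosts or dst not in zone_hosts:
            reasons.append("host outside trust zone")
        if reasons:
            findings.append({"time": ts, "flow": key, "reasons": reasons})
    return findings
```

A real deployment would learn the baseline over days rather than a handful of records and would feed findings into the change-management process so that a legitimately added device updates the baseline instead of alerting forever.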

Revisiting Microsegmentation and Zero Trust in NERC CIP-015

A networked conversation consists of a subject and an object. A subject can be a user or a service account; an object is any protected resource sought by the subject. Zero Trust Architecture (ZTA) works when you can answer who, what, where, when, why, how, and how long for every subject-object interaction; those data points are what zero-trust policy decisions are built on.

Microsegmentation helps reduce the blast radius of a potential incident, but due to resource constraints and the high volume of traffic which must be inspected, traditional Layer 2 switches usually aren’t up to the task. OT environments especially need Layer 3-capable access switches for microsegmentation to be effective. Further, in addition to disrupting operations, switch implementations at lower levels of the Purdue Model typically increase rather than decrease time to value (TTV).

For many state and local government (SLG) utilities, cost and complexity make this a tough sell, which is why INSM is better positioned to give your utility the insight it needs without the immediate lift of a full, network-based ZTA implementation.

Moving Towards ZTA with NERC CIP-015

Put simply, INSM does not require ZTA, but ZTA is strengthened by INSM. INSM should be treated as a stepping stone toward ZTA. Of course, zero trust in an OT environment will look a bit different than it would in a pure-play IT environment, but there are efficiencies to be gained by integrating directly into your existing security operations capabilities.

Modern security operations include tools such as security information and event management (SIEM), security orchestration and automated response (SOAR), managed extended detection and response (MDR/XDR), and case management. All these tools and processes form the core competency of traditional managed security service providers (MSSPs), which is good news for skeleton crews with ever-expanding responsibilities and diminished time.

Additionally, there are MSSPs that focus solely on CPS environments and though this corner of the market has lagged pure-play IT cybersecurity, the tide is shifting.

Ease Operational Burdens with Improved Detection and Response

INSM doesn’t have to be a resource drag. For under-resourced municipal IT/OT teams, Claroty’s platform can serve as a digital force multiplier. MSSPs, especially those with CPS expertise, can help shoulder the operational burden—accelerating detection, response, and compliance efforts.

Whether you’re managing supervisory control and data acquisition (SCADA) in a water district or DCS in a light rail system, the right telemetry can empower your small team to make big moves.

Fund It Forward: Budgeting and Grants

SLG utilities often rely on complex funding cycles, but INSM aligns beautifully with existing state and federal programs.

  • Tie INSM to your emergency management or Homeland Security funding strategy.

  • Position ZTA as a public safety initiative.

  • Map these upgrades to known resilience gaps from exercises or annualized risk assessments.

CISA, FEMA, and DOE all provide grants or guidance for critical infrastructure protection, and CIP-015 aligns squarely with those expectations.

The Claroty Advantage

CIP-015 isn’t just a compliance checkbox; it is transformational. It offers a critical inflection point for overarching cybersecurity strategy considerations and for utilities aspiring toward ZTA.

With all this in mind, here’s how deploying the Claroty Platform can support this journey.

  1. Deploy Claroty Edge: Ideal for air-gapped networks or remote substations. Edge collects protocol and asset insights without needing full infrastructure revamps.

  2. Integrate with Claroty CTD: Push that intelligence into continuous threat detection to improve security posture.

  3. Leverage AppDB (Project File Analysis): Enrich your situational awareness by analyzing backup configurations and engineering workstations.

Claroty’s ecosystem is designed to empower utilities of all types—public or private, co-op or investor-owned—to meet the moment.

Request your free demo of the Claroty Platform and see how far it can take you.
