
The Attackers Are Already Inside: NERC CIP-015 Is How the Grid Fights Back

NERC CIP-015 is the first NERC CIP standard to mandate internal network security monitoring for Bulk Electric System environments. Here is what it requires, why OT environments make compliance hard, and how TrendAI™ addresses each obligation.

Key Takeaways

  • Perimeter security alone cannot stop today's most dangerous grid adversaries.
  • NERC CIP-015 mandates continuous east-west visibility inside the Electronic Security Perimeter (ESP) for the first time.
  • Legacy operational technology (OT) protocols and zero-downtime requirements rule out most conventional monitoring tools.
  • Compliance deadlines begin in September 2028, and preparation starts now.
  • The TrendAI Vision One™ platform delivers passive, protocol-aware visibility across IT, OT, and cloud, with no agents on operational systems and no risk to grid availability.

NERC CIP-015 is the newest North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standard. It is the first to require electric utilities to monitor cybersecurity threats from inside the Electronic Security Perimeter (ESP), not just at its edges. For electric utility security or compliance teams, it is one of the most significant regulatory developments in years. Here is why it exists, what it demands, and what it means for organizations operating Bulk Electric System (BES) assets.

Every major cyberattack on critical infrastructure follows roughly the same playbook. Someone gets in: through a phishing email, a compromised vendor, an exposed remote access point. Then they go quiet. They move slowly, carefully learning the environment, mapping which systems control what, and positioning themselves for maximum impact. By the time anyone notices something is wrong, the attacker has often been inside for weeks, sometimes months. Case in point: the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Volt Typhoon maintained persistent access inside victim networks for at least five years without detection. The China-aligned group targets U.S. critical infrastructure, including the energy sector.

This is the threat NERC CIP-015 was built to address.

The NERC CIP-015 standard that looks inward

NERC CIP-015 is the latest addition to NERC’s Critical Infrastructure Protection framework, the set of standards that governs cybersecurity for organizations owning or operating assets that support the BES. What makes CIP-015 different from prior standards is where it focuses: not the perimeter, but inside the ESP.

The urgency for this visibility is real. Cyberattacks targeting U.S. utilities increased by nearly 70% in 2024, rising from 689 to 1,162 incidents, a trajectory that makes internal visibility not just a compliance matter but an operational necessity.

For a long time, grid security was largely a story about walls. Define the boundary around your critical systems—the ESP—control what crosses it, and you have done your job. Earlier NERC CIP standards built that model piece by piece. They established which systems needed protecting, how to harden them, how to manage access, and how to handle the risks introduced by vendors and supply chains.

While those foundations matter, they are built on an assumption that does not always hold: that your perimeter will keep malicious actors out. NERC CIP-015 asks what happens when it does not.

The answer it requires is internal network security monitoring (INSM): the ability to see continuously what is happening inside the perimeter, and to detect behavior that should not be there.

Where CIP-015 fits in the bigger picture

It helps to understand NERC CIP-015 not as a standalone requirement but as the culmination of a compliance journey that has been building for years.

The earlier CIP standards established the foundations, categorizing which systems need protecting, hardening those systems, locking down perimeters, managing configurations, and addressing supply chain risks. Each standard assumed the previous ones were working. Each one tightened the model a little further.

CIP-015 is what happens when you follow that logic to its conclusion. If your systems are categorized, hardened, surrounded by a defined perimeter, and your vendors are vetted, the one thing still missing is knowing what is happening on the inside in real time. CIP-015 makes that visibility a regulatory requirement and, in doing so, closes a critical gap in the CIP framework.

What “inside the ESP” actually means

In a grid environment, the systems inside an ESP are constantly talking to each other: Supervisory Control and Data Acquisition (SCADA) platforms communicate with field devices, engineering workstations exchange data with control systems, industrial sensors report to monitoring software, and vendor platforms connect to operational infrastructure for diagnostics and updates.

This internal communication, known as east-west traffic, is where lateral movement happens. It is the network equivalent of intruders who have already made it past the front door and are now quietly moving from room to room. If your security tools are only watching the entrance, you will never see them.

Most traditional security architectures have a blind spot here. They are designed to monitor what crosses the boundary, not what moves within it. CIP-015 closes that gap by requiring organizations to monitor internal communications, establish baselines of normal behavior, detect anomalies, and maintain the ability to investigate when something looks wrong.

It also requires organizations to account for what is connected to their operational networks, not just the assets in the formal inventory, but everything. That includes contractor laptops, vendor diagnostic equipment, and devices connected without authorization. In complex operational environments, unmanaged and unknown devices are a real and persistent risk, and CIP-015 treats them accordingly.

Why grid environments make this particularly hard

Achieving the kind of internal visibility CIP-015 requires is straightforward in theory but difficult in practice, especially in operational technology (OT) environments.

The challenge begins with language. Industrial systems communicate very differently from enterprise IT environments. They rely on protocols such as DNP3 (Distributed Network Protocol) for SCADA, IEC 61850 for substation automation, Modbus for legacy control systems, and OPC UA (Open Platform Communications Unified Architecture) for data exchange between industrial software and hardware.

A traditional security monitoring tool that only understands standard IP traffic is effectively blind in this context. It can detect that data is moving, but it cannot interpret whether that activity is normal or meaningful. As a result, it lacks the context needed to identify when something is wrong.

Then there is the question of what can realistically be touched. Many operational environments still rely on legacy equipment running firmware that has not been updated in years. These systems often cannot support security agents, cannot be patched on standard IT cycles, and cannot tolerate disruption.

Any monitoring approach that depends on installing software on each endpoint is therefore impractical across much of grid infrastructure. Instead, visibility needs to come from the network itself, gathered passively and without affecting the operational systems at all.

Perhaps most importantly, these systems cannot go down or be rebooted. In enterprise IT, a short outage or restart is an inconvenience. In an electric utility environment, availability is non-negotiable; even planned reboots can be unacceptable due to the risk of service disruption.

Any monitoring solution that introduces latency, instability, or operational risk is not a solution at all.

What NERC CIP-015 actually requires

For BES owners and operators, NERC CIP-015 establishes four core internal monitoring obligations:

  • Monitor communications inside the ESP. Organizations must have continuous visibility into east-west traffic, the communications between systems inside the ESP, not just traffic crossing the perimeter boundary.
  • Detect anomalous network behavior. Organizations must be able to identify deviations from established baselines of normal operational activity, giving security teams an early warning when something inside the network does not look right.
  • Identify unauthorized devices and connections. Organizations must account for everything connected to their operational networks, including devices that fall outside formal asset inventories, such as contractor equipment, vendor diagnostic tools, and unmanaged OT devices.
  • Investigate potential threats quickly. Organizations must maintain the capability to investigate suspicious activity, which requires sufficient context and event correlation to understand what is happening across the environment and act before it escalates.
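The protocol-awareness point made earlier (a tool that only sees IP packets cannot tell a routine poll from a setpoint write) and the four obligations listed above can be shown together in one small worked example. The Python below is added here and is not code from the original post or from TrendAI. It decodes the public Modbus/TCP MBAP header and function code of constructed sample frames, learns a baseline of (source, destination, function code) tuples from a learning window, and then flags deviations in a monitoring window: a write from a host that only ever polled, a conversation between two hosts that never talked before, a device absent from the asset inventory, and a payload that is not Modbus at all. The addresses, inventory and traffic are all constructed; a real deployment would feed the same logic from a passive tap or sensor rather than an in-memory list.

```python
import struct
from collections import namedtuple

# Public Modbus function codes used in the example; writes are the ones that change process state.
MODBUS_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
                    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
                    15: "write_multiple_coils", 16: "write_multiple_registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# A flow is one observed request: source host, destination host, first application-layer bytes.
Flow = namedtuple("Flow", "src dst payload")
Alert = namedtuple("Alert", "kind severity src dst detail")

def modbus_frame(unit: int, function: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP frame: 7-byte MBAP header (tid, protocol 0, length, unit id) + PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload: bytes):
    """Decode the MBAP header and function code; return None if this is not a Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU exactly.
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"unit": unit, "function": fc,
            "name": MODBUS_FUNCTIONS.get(fc, f"fc_{fc}"), "write": fc in WRITE_FUNCTIONS}

def learn_baseline(flows):
    """Baseline = every (src, dst, function code) tuple seen during the learning window."""
    baseline = set()
    for f in flows:
        m = parse_modbus_tcp(f.payload)
        if m:
            baseline.add((f.src, f.dst, m["function"]))
    return baseline

def detect(flows, baseline, inventory):
    """Compare monitored flows against the learned baseline and the asset inventory."""
    known_pairs = {(s, d) for s, d, _ in baseline}
    alerts = []
    for f in flows:
        m = parse_modbus_tcp(f.payload)
        what = m["name"] if m else "non-Modbus"
        # Obligation 3: anything talking on the OT network must be in the inventory.
        unknown = [h for h in (f.src, f.dst) if h not in inventory]
        if unknown:
            alerts.append(Alert("unknown_device", "high", f.src, f.dst,
                                f"{', '.join(unknown)} not in asset inventory ({what} traffic)"))
            continue
        if m is None:
            alerts.append(Alert("unparsed_payload", "low", f.src, f.dst,
                                "payload is not a Modbus/TCP frame"))
            continue
        # Obligation 2: deviations from the baseline, ranked by what the function does.
        if (f.src, f.dst, m["function"]) in baseline:
            continue
        if (f.src, f.dst) not in known_pairs:
            alerts.append(Alert("new_conversation", "medium", f.src, f.dst,
                                f"first {m['name']} between these hosts"))
        elif m["write"]:
            alerts.append(Alert("unexpected_write", "high", f.src, f.dst,
                                f"{m['name']} to unit {m['unit']} never seen from this source"))
        else:
            alerts.append(Alert("new_function", "low", f.src, f.dst,
                                f"{m['name']} not in baseline for this pair"))
    return alerts

# Constructed inventory: SCADA master, engineering workstation, two RTUs.
INVENTORY = {"10.10.1.10", "10.10.1.20", "10.10.2.5", "10.10.2.6"}

# Constructed learning-window traffic: routine polling plus one sanctioned setpoint write.
LEARNING_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),
    Flow("10.10.1.10", "10.10.2.6", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),
    Flow("10.10.1.10", "10.10.2.5", modbus_frame(1, 1, b"\x00\x00\x00\x08")),
    Flow("10.10.1.20", "10.10.2.5", modbus_frame(1, 16, b"\x00\x10\x00\x02\x04\x00\x01\x00\x02")),
    Flow("10.10.1.10", "10.10.2.5", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),
]

# Constructed monitoring-window traffic with one deviation of each kind.
MONITORED_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),  # in baseline
    Flow("10.10.1.10", "10.10.2.6", modbus_frame(1, 6, b"\x00\x10\x00\x01")),  # write from a poller
    Flow("10.10.1.20", "10.10.2.6", modbus_frame(1, 3, b"\x00\x00\x00\x0a")),  # never-seen pair
    Flow("10.10.9.77", "10.10.2.5", modbus_frame(1, 5, b"\x00\x01\xff\x00")),  # not in inventory
    Flow("10.10.1.10", "10.10.2.5", modbus_frame(1, 4, b"\x00\x00\x00\x02")),  # new read function
    Flow("10.10.1.10", "10.10.2.5", b"GET / HTTP/1.1\r\n"),                     # not Modbus
]

def run_example():
    return detect(MONITORED_FLOWS, learn_baseline(LEARNING_FLOWS), INVENTORY)

if __name__ == "__main__":
    for a in run_example():
        print(f"[{a.severity:6}] {a.kind:16} {a.src} -> {a.dst}: {a.detail}")
```

The severity ranking is the point of protocol awareness: a read function code nobody baselined is low-priority noise, while a register write from a host that only ever polled is the kind of east-west change that should reach an analyst immediately. The detail strings carry the unit id and function name so the investigation obligation (the fourth item above) starts with context rather than a bare IP pair.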

These are not aspirational guidelines. They are documented compliance obligations for organizations operating assets that support the BES. The Federal Energy Regulatory Commission (FERC) approved the first version, CIP-015-1, in June 2025. Phased compliance deadlines begin in September 2028 for high-impact BES Cyber Systems and in September 2030 for all other applicable systems. In short, the window to prepare is now.

How the TrendAI Vision One™ platform addresses NERC CIP-015 requirements

The TrendAI Vision One™ platform addresses NERC CIP-015 in a way that goes beyond meeting only minimum requirements. It provides the kind of operational visibility that makes a difference when an attack is in progress.

The platform natively understands the language of industrial environments. Core sensors including TrendAI™ TippingPoint™ and TrendAI™ Deep Discovery™ Inspector provide documented support for industrial protocols such as DNP3 and Modbus. Deeper OT protocol coverage, including IEC 61850 for substation automation and OPC UA for industrial data exchange, is delivered through the integrated OT ecosystem within TrendAI Vision One™. In every case, it does not just detect that traffic exists; it interprets what that traffic is doing. That level of context is what distinguishes meaningful anomaly detection from background noise.

Inside the ESP, the TrendAI Vision One™ platform provides continuous east-west traffic monitoring, watching the communications between control systems, SCADA platforms, OT devices, and enterprise tools where lateral movement happens. When behavior deviates from the established baseline, AI-driven analytics surface it for investigation before it can escalate into a real incident.

Asset discovery runs continuously, combining passive traffic analysis with active scanning through network sensors already deployed in the environment, with no new appliances and no new agents required. Together they surface everything on the network: managed systems alongside IoT devices, IP cameras, OT equipment, contractor laptops, and rogue or forgotten servers that never made it into the formal inventory. For CIP-015 compliance, this distinction matters. You cannot respond to a threat introduced by an unknown device if you did not know the device was there. In complex grid environments, the unknown devices are rarely the ones you would expect.

All of this happens without agents on operational systems and without any impact on operational availability. Where active discovery is needed, it runs through sensors already in place. There is nothing new to procure and nothing new to justify to operations teams. The platform’s monitoring is passive and nonintrusive where the environment demands it, and actively illuminating where compliance requires it—invisible to the infrastructure it protects, and fully visible to the security teams who need to act.

What makes TrendAI Vision One™ powerful for grid security is the cross-environment correlation. Attacks targeting BES infrastructure rarely stay in one place. They start in enterprise IT, move into OT, and often involve cloud infrastructure along the way. TrendAI Vision One™ connects those dots across all three environments in a single platform, so security teams see the full picture of an attack rather than fragmented signals that are easy to miss.

The shift CIP-015 represents

There is a broader significance to NERC CIP-015 beyond its specific requirements. It marks a shift in how regulators think about grid security, from a model centered on prevention and perimeter control to one that acknowledges the need for detection and response capability from the inside out.

That shift reflects how the threat landscape has evolved. The most dangerous adversaries targeting critical infrastructure are not stopped by perimeters alone. They are patient, well-resourced, and skilled at staying hidden. The only way to find them is to look where they are hiding, inside the network, in the traffic between systems, in the subtle behavioral deviations that precede an impact event.

NERC CIP-015 makes that kind of visibility a regulatory requirement. TrendAI Vision One™ makes it operational.

Next steps

For a deeper look at the threat dynamics behind CIP-015, read Why East-West Visibility Matters for Grid Security.

Compliance deadlines begin in September 2028. Speak with a TrendAI™ expert to map your path to NERC CIP-015 readiness.