Get Ready: NERC CIP-015-2 Will Expand INSM Beyond the Electronic Security Perimeter


The draft version of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard for Internal Network Security Monitoring (INSM) is expanding to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS). This mandated change will expand the current scope outside of the Electronic Security Perimeter (ESP). For many utilities, this will result in program and architectural changes, as well as regulatory risk management decisions. Understanding how this change will impact your environment and your INSM program is critical to ensuring compliance and limiting risk.

Among the key issues that the draft CIP-015-2 standard raises for covered entities are:

  • Whether to monitor in-scope traffic only
  • Accurately identifying boundaries between CIP and non-CIP environments
  • Defining in-scope communication
  • Assessing evidence collection maturity

Background: The Lead Up to CIP-015-2

On June 26, 2025, the Federal Energy Regulatory Commission (FERC) issued Order 907 approving the NERC Reliability Standard CIP-015-1, which requires INSM inside the ESP for U.S. and Canadian electric utilities. Realizing that the initial version still left a reliability and security gap, in the same order, FERC directed NERC to modify the standard to extend INSM to include EACMS and PACS outside the ESP.

In November 2025, the NERC drafting team tasked with responding to Order 907 published its draft of the proposed changes, referred to as Project 2025-02 Internal Network Security Monitoring Standard Revision. The public comment period closed January 16, 2026. While the industry left many comments, the initial ballot was overwhelmingly positive.

If you operate a High Impact Bulk Electric System Cyber System (BCS) or a Medium Impact BCS with external routable connectivity (ERC) in North America, now is the time to refamiliarize yourself with the evolving requirements for INSM that will impact you.

Summary of Changes to CIP-015-1 in the Project 2025-02 Draft

In keeping with FERC’s intent to extend the scope of INSM, the primary proposed change made to CIP-015-1 by the NERC drafting team was to update applicable systems to include EACMS and PACS. This applies to both High Impact BCS and Medium Impact BCS with ERC. The team also brought Shared Cyber Infrastructure (SCI), which refers to virtualization technologies that support an applicable system, into scope.

Implications of CIP-015-2 on High- and Medium-Impact BCS

While the proposed changes are minimal in concept, they may have a major impact on your environment and INSM program. Depending on where your EACMS and PACS are located and the maturity of your INSM program, significant changes may be needed. If you’re subject to the INSM reliability standard, be sure to carefully consider the following three items:

Expanded Applicability with the Inclusion of EACMS, PACS and

Reassess network visibility requirements not only within the ESP but also into support systems that previously may not have required INSM. This may require additional monitoring points, switch configuration changes, zoning redesign or updated architecture to monitor EACMS/PACS traffic paths. For existing Nozomi customers with robust visibility, additional Nozomi sensors may be considered in scope.

Clarification of the CIP-Networked Environment

FERC Order 907 and clarification order 907-A also provided clarity around the term “CIP-networked environment,” which is critical to defining what entities will monitor and how auditors will evaluate your INSM program. This is a key term to understand as you implement INSM — even though it’s not an official NERC term found in the glossary.

According to Order 907 and 907-A, the CIP-networked environment:

  • Does not cover all of a responsible entity's network
  • Includes the systems within the electronic security perimeter
  • Includes systems that satisfy one or more of the following:
    • network segments that are connected to EACMS and PACS outside of the electronic security perimeter
    • network segments between EACMS and PACS outside of the electronic security perimeter
    • network segments that are internal to EACMS and PACS outside of the electronic security perimeter

Additionally:

  • For shared network segments located outside the ESP, only the east-west traffic for access monitoring of EACMS and PACS is within scope
  • Only communications between BES Cyber Systems, EACMS, PACS, and PCAs are in scope

Top Priority for Responsible Entities: Redefine Your CIP-Networked Environment

Entities should use this guidance to refine their network monitoring architecture and may choose to limit monitoring to in-scope traffic only. Ensuring accurate boundary identification between CIP and non‑CIP environments and traffic becomes even more important as the standard expands into EACMS and PACS. The burden will fall to teams to clearly define in-scope communication.

Entities should also assess whether their existing evidence collection of network data flows is mature enough to meet the stricter documentation language. As with other NERC CIP requirements, those who take a narrow approach may achieve compliance, but will limit the intended security and operational benefits.

For more help clarifying what the evolving NERC CIP-015 standards mean to you or with implementing your INSM program, contact us today.
