Drive To Survive: NERC CIP-015-1 Is Changing The Cybersecurity Race, Are You Ready?
During my six years working in critical infrastructure cybersecurity, I’ve seen an evolution of the race between threat actors developing attacks and defenders innovating to counter them. This dynamic reminds me of Formula 1: watching Lando Norris's championship win last week showed how technological innovation, operations, team culture and partnerships combine as key attributes of success.
Lando’s title win embodies the characteristics we need to be successful defenders in cybersecurity, built upon resilience, strategic composure, and a finely tuned support system. His consistent performance under pressure over the entire series of races meant he was crowned champion, following that amazing final decisive podium.
We can learn a lot from this mindset as the cybersecurity race for electric utilities undergoes significant change. The recent North American Electric Reliability Corporation (NERC) CIP-015-1 standard requires utilities to continuously monitor activity inside their operational networks.
This fundamentally shifts the cybersecurity race, moving from a position of simply monitoring North-South or perimeter traffic, comparable to the “pit lane” in F1 racing, into a world of East-West traffic monitoring, comparable to full track surveillance.
Are you ready?
Critical National Infrastructure Under Attack
The 2025 U.S. Annual Threat Assessment highlights advanced persistent threats (APTs) targeting U.S. critical national infrastructure from hostile states such as Russia, China, Iran, and North Korea exploiting ransomware, AI, social engineering and advanced intrusion tools.
According to the Electricity Information Sharing and Analysis Center (E-ISAC), major nation state actors are continuously targeting the U.S. energy sector. China-linked activity includes Salt Typhoon, Linen Typhoon and Violet Typhoon. Pro-Russian hacktivist groups such as NoName057(16) have also been linked to attacks on the sector.
Last year Volt Typhoon, another China state-sponsored threat actor, targeted the energy, transportation, and water sectors in the US and Canada. Its campaigns affected industrial sectors including electric power generation, transmission and distribution. Chinese hackers were active in Massachusetts’ Littleton Electric Light & Water Departments (LELWD) for over 300 days without detection. These attacks demonstrate the growing breadth and depth of capabilities to compromise U.S. infrastructure.
The sector continues to face daily threats from both nation state actors and criminal gangs from a cyber, physical, and hybrid perspective. Increased geopolitical and economic tensions will further complicate the threat landscape and industry supply chains.
From Pit Lane Monitoring to Full Track Surveillance
Like the F1 circuit, critical asset owners and operators are increasingly adopting new technologies that connect operational systems and information systems to improve performance. But the interconnected nature of those technologies exposes operations to new safety threats in the form of cybersecurity risks. Governments around the world are working to protect citizens and critical national infrastructure from these threats through regulatory compliance and standards.
The North American Electric Reliability Corporation (NERC) is responsible for strengthening the reliability and security of the bulk power system.
The NERC Critical Infrastructure Protection (CIP) standards include regulatory requirements that make collecting and archiving network traffic more important than ever. These standards require utilities to monitor network traffic data at the control center, the plant, and the substation. Utilities are subject to regular NERC compliance audits and vulnerability assessments.
NERC CIP-015-1 is a game-changer requiring internal (East-West) traffic visibility
Monitoring only North-South traffic is like watching cars only as they enter and exit the pit lane. But the real action and danger can happen anywhere on the track. Full visibility across the network is like having cameras and sensors on every turn and straight.
The NERC CIP-015-1 standard, formally approved in June 2025, signals a significant shift for the North American electric sector. It mandates internal network security monitoring (INSM) of industrial control systems (ICS) within the electronic security perimeter, moving beyond protection at the network edge. Within the year, it will also cover electronic access control and physical access control systems.
Pit Lane Monitoring - Old approach
Utilities traditionally monitored only the “pit lane” (perimeter traffic). FERC’s Order No. 887 directed NERC to develop new or revised CIP Reliability Standards requiring internal network security monitoring for high-impact bulk electric system (BES) cyber systems, as well as medium-impact systems with external routable connectivity. The order noted that current standards focus on perimeter defenses but lack monitoring inside the trusted CIP-networked environment, leaving a security gap.
Internal network security monitoring requirements aim to close that gap by establishing baselines for network activity, monitoring for unauthorized activity, and allowing flexibility in how anomalies are detected. Entities must log, retain, and protect data with enough fidelity to investigate incidents and prevent tampering.
Full Track Surveillance - Now Required
Internal network security monitoring operates in three stages: collection, detection, and analysis. Together, these enable early detection and alerting, making it harder for attackers to gain a foothold or operational control. It also strengthens incident response by providing better data on the extent of an attack inside the trust zone and offers insight into lateral (east-west) traffic, building a fuller picture of intrusions beyond perimeter monitoring alone.
NERC CIP-015-1 mandates visibility into internal communications between devices
Internal network security monitoring is applied within a trust zone, such as a perimeter zone with elevated credentials on an internal network. Under this rule and Order No. 887, the trust zone is the CIP-networked environment. It maintains visibility over communications between devices within a trust zone and helps detect malicious activity that has bypassed perimeter defenses. It supports identifying abnormal network activity early, improving mitigation and recovery efforts.
This is like having full-track surveillance in an F1 race, with cameras on every turn and sensors on every straight. Internal monitoring helps detect and contain threats before they escalate. It is like spotting a tire wobble or oil leak before it causes a crash.
Our Strategic Recommendations
CIP-015-1 acknowledges that even the strongest walls will not stop attackers, and that visibility inside the network is critical. The benefits of faster detection, stronger forensics, and more defensible audits outweigh the challenges of legacy system monitoring and alert tuning, provided organizations treat CIP-015-1 as more than just another checkbox item.
To realize its full value and potential:
• Treat internal network security monitoring (INSM) as a strategic investment that goes beyond compliance to build resilience
• Align INSM with risk management, tying monitoring outcomes to true risk reduction
• Break down silos to promote collaboration across IT, OT, and compliance teams
• Build in guardrails that separate data collection from analysis and use immutable storage
Historically, utilities have had to comply with NERC CIP standards such as CIP-007-6, CIP-009-6, and CIP-010-3, which require constant monitoring, event logging, alert generation, and data preservation for all traffic that travels into or out of the Electronic Security Perimeter (ESP), that is, North-South network traffic.
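The baseline, unauthorized-activity and tamper-protection requirements described under Full Track Surveillance, together with the immutable-storage guardrail above, can be made concrete in a few dozen lines. The following Python is an added example (not Keysight's code and not part of the standard): it classifies flow records as North-South or East-West against a constructed ESP range, learns an East-West baseline from a learning window, flags conversations outside it, and retains the records as a hash chain so later alteration is detectable; all addresses, hosts and flows are constructed.

```python
import hashlib
import ipaddress
import json

# Constructed ESP address range for this example (not a real utility network).
ESP = ipaddress.ip_network("10.10.0.0/24")

def direction(src, dst):
    """East-West if both endpoints sit inside the ESP, North-South if the flow crosses it."""
    both_inside = ipaddress.ip_address(src) in ESP and ipaddress.ip_address(dst) in ESP
    return "east-west" if both_inside else "north-south"

def learn_baseline(flows):
    """Baseline: every (src, dst, dport) conversation seen inside the trust zone in a learning window."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows if direction(f["src"], f["dst"]) == "east-west"}

def detect(flows, baseline):
    """Flag East-West conversations absent from the baseline; perimeter flows stay with existing ESP controls."""
    return [f for f in flows
            if direction(f["src"], f["dst"]) == "east-west" and (f["src"], f["dst"], f["dport"]) not in baseline]

def chain_records(flows):
    """Retain records as a SHA-256 hash chain so that altering or dropping a record later is detectable."""
    prev, chained = "0" * 64, []
    for f in flows:
        digest = hashlib.sha256((prev + json.dumps(f, sort_keys=True)).encode()).hexdigest()
        chained.append({"record": dict(f), "prev": prev, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained):
    """Recompute every link; an edited record or a broken link makes verification fail."""
    prev = "0" * 64
    for e in chained:
        expected = hashlib.sha256((prev + json.dumps(e["record"], sort_keys=True)).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return False
        prev = e["hash"]
    return True

# Constructed flow records: an HMI and a historian polling two controllers during the learning window.
BASELINE_WINDOW = [
    {"src": "10.10.0.20", "dst": "10.10.0.50", "dport": 502},    # HMI -> PLC (Modbus/TCP)
    {"src": "10.10.0.30", "dst": "10.10.0.50", "dport": 502},    # historian -> PLC
    {"src": "10.10.0.20", "dst": "10.10.0.51", "dport": 20000},  # HMI -> RTU (DNP3)
    {"src": "198.51.100.5", "dst": "10.10.0.20", "dport": 443},  # remote session crossing the ESP
]
# Constructed monitoring window: the known conversations plus two never seen before inside the zone.
MONITORED = BASELINE_WINDOW + [
    {"src": "10.10.0.77", "dst": "10.10.0.50", "dport": 502},  # unknown host talking Modbus to the PLC
    {"src": "10.10.0.50", "dst": "10.10.0.30", "dport": 445},  # PLC opening an SMB session to the historian
]
```

Running `detect(MONITORED, learn_baseline(BASELINE_WINDOW))` returns only the two unseen East-West conversations; the North-South session is classified but left to perimeter controls, and `verify_chain` fails as soon as any retained record is changed.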
Conclusion
Design for Tomorrow Today
CIP-015-1 addresses the ESP, a critical mile marker but not the end of the zero-trust journey. Your architecture should also anticipate CIP-015-2 expansion, which may extend monitoring to the Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and other integrated systems.
In a world where attackers are already inside, visibility is power, and table stakes. There are many good cybersecurity tools on the market to help with asset visibility, threat detection and incident response. Keysight can help to optimize and scale those solutions, for example by providing network taps, which are recommended for compliance because they capture all network traffic reliably.
Keysight’s visibility architecture is already designed for the expansion of NERC CIP-015-1 and CIP-015-2 monitoring requirements. Network Taps provide continuous, lossless traffic access across IT and OT environments, while Network Packet Brokers deliver adaptive aggregation, filtering, and routing of data to the appropriate analysis and storage systems. This design enables utilities to extend visibility without redesigning infrastructure, ensuring that monitoring remains audit-defensible and aligned with zero-trust principles as compliance expectations mature.
To take the next step in making sure compliance translates into real strength, contact your Keysight visibility expert for details about using Keysight Taps and network packet brokers to build the visibility layer that optimizes operations now, and lays the foundation for the future.
Winning the Cybersecurity Race
It is time to shift from pit-lane focus to full-track awareness. In today’s threat landscape, visibility equals speed, safety, and control. To learn how to race smart and monitor the whole track, check our new NERC CIP-015 White Paper and watch our video about Critical National Infrastructure Security.