Discover how the latest NERC CIP standard for Internal Network Security Monitoring (INSM) shifts the focus inside your network, and how Tenable can help deliver the comprehensive visibility required to achieve compliance and enhance security.
Key takeaways:
- NERC CIP-015 mandates Internal Network Security Monitoring (INSM) to detect threats that bypass perimeter defenses, focusing on east-west traffic within the Bulk Electric System (BES).
- With compliance deadlines looming in 2028 and 2030, entities must begin planning and implementation now to ensure a smooth path to compliance.
- Tenable OT Security addresses all core CIP-015 requirements (R1, R2, R3) by providing continuous asset discovery, anomaly detection, data retention, and access control.
In the critical infrastructure landscape, the evolution of cybersecurity threats is necessitating a profound shift in defense strategies. Traditional perimeter-based defenses, while essential, are no longer sufficient. Recognizing this, the North American Electric Reliability Corporation (NERC) introduced NERC CIP-015, a standard for Internal Network Security Monitoring (INSM) that represents a critical shift in securing the Bulk Electric System (BES).
This standard is not just another compliance checklist; it is a mandate for achieving deep visibility inside your network — the very place where adversaries often operate undetected after bypassing initial defenses. The purpose of NERC CIP-015 is to improve the probability of detecting anomalous or unauthorized network activity, enabling a more effective response and recovery from an attack.
Tenable OT Security is specifically designed to help organizations meet the technical and operational demands of the evolving NERC CIP-015 standard, enabling you to build a robust security posture that turns a compliance requirement into a strategic advantage.
Mapping Tenable OT Security to NERC CIP-015 requirements
Let’s break down how Tenable OT Security capabilities align directly with the core requirements.
R1 – Network Security Monitoring
To satisfy the requirements of NERC CIP-015, organizations must implement a comprehensive monitoring solution. Tenable OT Security is purpose-built to help you address R1 by enabling you to:
- Gain complete visibility with continuous, real-time monitoring of all network traffic, including both north-south and lateral (east-west) communications between critical assets, to ensure no activity goes unseen.
- Automatically discover all of your OT assets and map your entire OT asset inventory, including IoT assets and shadow IT, to create a comprehensive and continuously updated inventory — a foundational step for any compliance initiative.
- Detect advanced threats by establishing a dynamic baseline of normal network behavior and leveraging advanced detection methods to automatically identify and alert on any deviation, generating security alerts or log entries whenever a deviation from normal, established network behavior is detected. This allows you to move beyond traditional signature-based detection to uncover novel threats.
- Track and analyze device configuration changes and their associated communication streams, providing a critical audit trail for change management.
- Contextualize OT risk intelligence with deep packet inspection (DPI) to gain detailed situational awareness. This enriches alerts with critical context, enabling a more informed and rapid response.
- Prioritize with Risk-Based Vulnerability Management by automatically identifying vulnerabilities and assigning a Vulnerability Priority Rating (VPR) for each, so you can prioritize remediation efforts on the most critical exposures first.
Tenable OT Security creates a network map showing a clear visualization of the central asset and its network connections to other devices, so you can gain complete visibility, automatically discover all of your OT assets, and map your entire OT asset inventory. Source: Tenable, November 2025
R2 – Data Retention
Effective incident response and forensic investigations depend on reliable, protected data. Tenable OT Security ensures you have the evidence you need when it matters most by:
- Maintaining a comprehensive audit trail: Log all network traffic metadata and industrial control system (ICS) device activities to support forensic investigations and security evaluations.
- Tracking configuration changes: Implement configuration file version control that automatically detects and highlights changes between a device’s current and previous configurations, providing a clear audit trail for change management.
- Integrating with your enterprise IT ecosystem: Securely export event data to external Syslog, SMTP, and SIEM platforms, enabling long-term storage and seamless integration with your existing security operations.
Tenable OT Security’s Code Revision feature tracks and logs every program version on the programmable logic controller (PLC), allowing users to set a baseline and instantly compare it against other revisions to quickly identify unauthorized or impactful code changes that could cause downtime or introduce security risks. Source: Tenable, November 2025
R3 – Data Protection
The security and integrity of the monitoring data itself is a key component of NERC CIP-015. Tenable OT Security helps you protect this data from unauthorized access or alteration by allowing you to:
- Enforce least privilege: Create custom, role-based access management policies to define precisely who can access the platform and what actions they can perform.
- Monitor for policy violations: Configure real-time alerts on attempts to bypass security policies, change configurations, or access sensitive data, helping you prevent unauthorized access.
- Establish clear accountability: Leverage a detailed audit trail that establishes clear responsibility and accountability for all activities on the network, simplifying compliance audits and post-incident analysis.
NERC CIP-015’s Internal Network Security Monitoring mandate in action in Tenable OT Security, detecting exploitation and lateral movement inside the Electronic Security Perimeter. Source: Tenable, November 2025
By leveraging these capabilities, organizations can navigate the complexities of NERC CIP-015 with confidence, transforming a regulatory requirement into an opportunity to build a more resilient and secure OT environment. Tenable OT Security provides the visibility, detection, and data protection needed to not only meet the standard but stay ahead in an evolving threat landscape.
Navigating the CIP-015 compliance timeline
NERC CIP-015 took effect on September 2, 2025, so the clock is officially ticking for applicable entities to achieve compliance. While some of the deadlines may seem distant, the phased implementation plan and the complexity of these projects mean the time to start preparing is now.
The key compliance deadlines are:
- September 2, 2028: For high-impact BES Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC) located in Control Centers.
- September 2, 2030: For all other applicable medium-impact BES Cyber Systems with ERC.
Procuring, deploying, and operationalizing a robust set of solutions and processes for compliance is a significant undertaking. Starting now allows you to properly plan, pilot, and implement a proven OT/ICS security monitoring solution like Tenable OT Security. This way, you can avoid a last-minute scramble and ensure you are well-prepared to meet these critical deadlines.
Take the next step towards NERC CIP compliance
Navigating the complexities of NERC CIP-015 and securing your critical infrastructure requires more than just a tool — it requires a strategic partner. With Tenable as your partner, you can confidently monitor and ensure compliance with the latest regulatory frameworks and standards while building a more resilient, secure operational environment.
Don’t wait for the deadline. Proactive preparation is the key to a smooth compliance journey and more secure infrastructure. To learn more about how Tenable OT Security can help you meet the requirements of NERC CIP-015, or to discuss your unique compliance challenges, request a demo or contact us to get in touch with one of our compliance experts.
Official NERC and FERC Resources
- NERC CIP-015-1 Standard: link to the official standard document published by the North American Electric Reliability Corporation.
- FERC Order No. 907: the official Federal Energy Regulatory Commission order and rule text formally approving the standard.
Learn more
- Request a personalized demo to see Tenable OT Security in action.
- Contact a Tenable OT Security expert to discuss your unique challenges.
- Explore our NERC CIP resources to learn more about securing your critical infrastructure.

Matt Tucker
Security Engineer, Tenable
Matt Tucker is a seasoned cybersecurity expert with a focus on protecting critical infrastructure and operational technology environments. As a security engineer at Tenable, he helps organizations navigate complex regulatory landscapes, including NERC-CIP compliance, and implement robust security solutions to defend against a constantly evolving threat landscape. With a passion for bridging the gap between IT and OT security, Matt provides strategic guidance to help companies build resilient and future-proof security programs.