The bulk power system faces cybersecurity threats that perimeter defenses alone can no longer contain. A new reliability standard from the North American Electric Reliability Corporation (NERC), Critical Infrastructure Protection 015-01, addresses this gap by requiring internal network security monitoring for high- and medium-impact bulk electrical systems.
In this episode of the Emerson Automation Experts podcast, I connected with Nick Janouskovec, Global Cybersecurity Product Marketing Manager for Emerson’s business supporting the power and water industries, to unpack what the standard requires, the compliance timelines utilities must plan for, and the practical challenges of deploying monitoring inside operational technology environments.
With 14 years at Emerson across cybersecurity roles spanning instruction, product support, and product strategy, Nick offers a grounded perspective on translating regulatory text into real-world implementation. Our conversation covers passive network monitoring, baselining normal behavior, managing false positives, and the organizational change needed to make compliance meaningful rather than a checkbox exercise.
Why This Matters Now
The first compliance deadline, October 1, 2028, applies to centralized primary and backup control systems, and the scope and complexity of the work mean utilities that delay planning risk falling behind well before the second deadline hits in 2030.
Key Takeaways
- Threats persist long after initial access. Advanced persistent threats can maintain dwell times inside compromised systems ranging from more than two months to hundreds of days, making internal monitoring essential for detection.
- Two hard deadlines are on the calendar. Centralized control systems (primary and backup) must comply by October 1, 2028; all other medium- and high-impact sites that have external, routable communication must comply by October 1, 2030.
- Operational technology protocol awareness reduces noise. Emerson has been deploying internal network security monitoring technology for nearly a decade and partners with products tuned to industrial protocols, helping reduce false positives and protect system reliability during implementation.
- Start with a network inventory. The single most important action leaders can take in the next 90 days is to conduct a realistic assessment of their network architecture to understand what assets exist and how they interconnect before planning sensor deployment.
Listen to the full podcast episode to hear Nick detail the compliance requirements, implementation pitfalls, and best practices that can help turn this standard into a genuine operational advantage for your utility. Visit the Cybersecurity Services for Power and Water section on Emerson.com to learn more about plant- and fleet-wide cybersecurity products and services to support NERC CIP compliance and industry standards such as the NIST cybersecurity framework, ISA99, and IEC 62443.
Transcript
Jim: Hi, everyone, and welcome to another Emerson Automation Experts podcast. I’m your host, Jim Cahill. The North American Electric Reliability Corporation, or NERC, is, “A not-for-profit international regulatory authority dedicated to effectively and efficiently reducing risk to the reliability and security of the bulk power systems.” They work with bulk power system operators to develop and enforce mandatory reliability standards. Today I’m joined by Nick Janouskovec to discuss one of the recent standards, NERC CIP 015-01, and that’s the NERC Critical Infrastructure Protection Requirements for Internal Network Security Monitoring. And you may hear us refer to it by the acronym INSM. Welcome to the podcast, Nick.
Nick: Hi, thank you. Great to be here.
Jim: Well, it’s great having you here to educate us on this important topic. Let’s start by me asking you to introduce yourself and briefly describe your role in cybersecurity for utilities and critical infrastructure.
Nick: Sure. So, my name is Nick Janouskovec, and I am currently the Global Cybersecurity Product Marketing Manager for Power and Water Solutions at Emerson. My role kind of sits at the intersection of product strategy and standards like the NERC CIP standard that we’re going to discuss today and taking those compliance requirements and providing our customers solutions that are practical, scalable, and reliable that do not disrupt their operations. I’ve been with Emerson for about 14 years in a variety of roles. But all of them have been around cybersecurity, from instructor to product support engineer, and now in the marketing team, leading the product strategy for our cybersecurity solutions.
Jim: Well, that’s going to be great background for our discussion. Well, let’s jump into the meat of the matter. What exactly is NERC CIP 015-01, and why is it such a critical standard for utilities today?
Nick: Right. So the first thing is that it is exactly like you mentioned before. It is the standard specifically requiring internal network security monitoring or INSM for our high-impact bulk electrical systems and medium-impact bulk electrical systems. What it does is that it has part of the recognition that really our traditional defenses and perimeter defenses are no longer sufficient to just resolve the cybersecurity threats that we have today. So this will allow, will require utilities to monitor both the east-west and north-south traffic to make sure that the modern threats that we face today aren’t bypassing our typical perimeter controls and moving laterally once they are inside of our OT [Operational Technology] environments.
Jim: Got it. So what problem is CIP 015-01 specifically trying to solve that previous CIP standards did not fully address?
Nick: Right. So as I mentioned previously, it really is looking at trying to resolve the gaps that we have and dealing with the issues of what happens once someone actually gains access to a system. What happens if your remote access is compromised? What happens if someone successfully initiated a phishing campaign and got credentials for your team and got within a system? Or do you have somebody inside the organization that might be an insider threat because they’re disgruntled or unhappy with the current situation? This standard will really help employ the monitoring and detection of those abnormal behaviors and malicious activities that happen from inside that control system. Whereas all the traditional stuff before really focused on keeping people out. This is saying, well, what happens when they get in, and how do we detect that and fight against that?
Jim: That makes a lot of sense. I know all the layers of defenses and everything we’ve been talking about for years, but this goes assuming they are successful and in there. So what do we do now? So yeah, makes sense to me.
Nick: Yeah, it’s really interesting too, Jim, because, you know, one of the things that we talk about with these, guys are like, what do they call it? Advanced persistent threats. Once they’re in, they have long dwell times inside systems, sometimes in excess of two months to like hundreds of days within systems. And once they’re there, it’s hard to connect to them because they establish a foothold and they’re using living what we call living off the land techniques and things that are already there. And in some cases, legitimate activities like they’re just logged in and on, you know, on a device. And it just makes it really hard.
Jim: Yeah, I can see that just kind of simulating what an everyday user might do in there. So what are the key compliance requirements organizations need to understand under this standard?
Nick: Yeah, so I think in a very high level, obviously, they need to identify what of their, you know, bulk electrical systems, you know, cyber systems would fall or be impacted by this, right? And then they would need to then, actually go through the effort to deploy the INSM-capable devices and start analyzing that traffic.
From there, then there’s requirements around, you know, actually generating alerts and reporting based on any of those anomalous activities or unauthorized communications that we kind of discussed about before. So, it’s obviously identifying, establishing, and then, alerting.
But then after that, they have to, they have a responsibility to retain that data for audit purposes or forensic capabilities afterwards for incident response or analysis, from a post-mortem kind of thing, if something bad were to happen. So they have to retain that. And then there really has to be an integration from a people and policy standpoint, from who’s doing the monitoring and changing your operational stance to be able to update those workflows.
So there’s a multi-pronged thing. So it’s not just a technology requirement that you shall have this thing. It’s a process document, you know, documentation process, building the whole program around it. And then the training of the personnel and getting the personnel ready for it. Yeah.
Jim: So not just the men are slapping in some technology and everything’s great. I can see there’s a whole life cycle to this thing. Right. So, Nick, from a scheduling perspective, what are the major compliance timelines and deadlines utilities should be planning for now?
Nick: So there are two main dates for the utilities that they need to be aware of. The first, both of them are October 1st dates. The first one’s October 1st of 2028. They are, that is a requirement for customers who have, or utilities rather, that have centralized control systems, both the primary and the backup control systems must meet the compliance deadline for that. The following date is October 1st of 2030, and that is for all other medium and high sites that have external routable communication. So that’s communication that comes in and out of the production facilities, or what is considered to be the bulk electrical systems that are cybersecurity compliant.
Jim: So it’s not hitting right away, but you talked about the scope of what they need to do. There’s a lot of work that needs to happen between now and those deadlines.
Nick: Yeah, that really is something that folks should be taking a look at early on because there’s a lot of planning. There’s a lot of architectural design and understanding the system. And it’s a big task and it’s not something that should be underestimated because it’s going to be complex and it’s going to require a lot of organizational change in a lot of cases.
Jim: Oh yeah, workflows, everything else. So what is internal network security monitoring and how does it function in an operational technology or OT environment?
Nick: Right. So in the OT environment, in most cases, INSM is going to involve passively monitoring the OT network communications and then establish some sort of baseline of what is considered to be normal behavior that will then allow us to identify anything that would be considered anomalous.
So usually we do this through like passive sensors where we take a mirror or copy of the network traffic and send it to a secondary network. And then we utilize technologies that have an understanding or experience working with industrial protocols. And that way, the goal really is to not interfere with that real-time network traffic and just to create that visibility without the risk to the safety of the plant and the reliability of the plant.
And then from there, they take that and ingest that and analyze that for those anomalies, but it also serves other functions too, because it is also includes network monitoring, so it provides a lot of other knock-on benefits to really overall increase the reliability for the customers from, you know, a visibility of what’s going on in the network standpoint.
Jim: Yeah, it sounds like it could help with troubleshooting and not just bad guys going around there.
Nick: Do you have a problem on a network switch? Is there errors? Is something down? Is something not working? Is something offline? It’s going to become a lot more apparent and you’ll be able to react to that a lot quicker because of the existence of this, you know, these devices and this monitoring beyond what you may already have.
Jim: That makes sense. So what are some of the most common challenges utilities face when implementing INSM at scale?
Nick: Yeah, so the first one is a lot of these systems are older. They’ve been in existence for a long time. So there’s a limited visibility or understanding of what’s there from an asset inventory standpoint. A lot of that gets lost over time.
So really the big first challenge is understanding what the network looks like and what all is physically there. The other, the next one is that, like I mentioned, I kind of hinted at it in the first one is that they’re complex, they’re big, but they’re also fragile. It’s not something that you can just, go in and hammer on. You have to be very careful because you don’t want to disrupt them.
So we have to take them with a very soft touch and not, because we don’t want to disrupt the net. The other thing too that’s a risk is that there’s a lot of risk for false positives because some of the tools that some folks might use are not necessarily designed for industrial protocols. And they might find that there’s noise or false positives.
The other thing too is that a lot of these are in control systems that operate stuff that runs for very long periods of time. So there might be things or things that don’t run very often. And so there might be something that might appear anomalous, but it’s just because it happens once or twice a year. But it is something that would routinely happen once or twice a year. And that might be another source of false positives. So we have to understand from an operational standpoint, how does the plant work too? Because we might panic about something that really we shouldn’t panic about.
Jim: Yeah, it’s those infrequent things that may trigger something and trying to, I guess some of that you improve as you go as you hit some of those false positives.
Nick: Yeah. In addition to that, you know, there’s also like the human element too that’s a challenge too is because right now, there’s an unprecedented interest in cybersecurity expertise, and we might not have the manpower or the knowledge within our organizations to implement this. So that could be a challenge for some of the utilities trying to set this up.
And then, of course, the other issue is then making sure that you have something to do with all of this information and alerts once you have it. That’s that manpower issue and making sure that you have the resources who can look at this stuff and make heads or tails of it and make it useful.
Jim: Yeah, that’s important. All right, so how should utilities think about aligning CIP 015-01 with other CIP standards like CIP 005, 007, and 008?
Nick: Sure, yeah, I think the big thing here is that 015 should be seen as complementary and not separate. This should be like a building on. So one of the things too is this will help us validate our electronic perimeter assumptions from like CIP 005. It will really also support CIP 007 from an integrity and malicious code detection efforts because it will, you know, this will be yet another kind of belt-and-suspenders approach of identifying malicious activity in the integrity of the system.
And then, for the incident response piece under CIP 008, this is going to give us evidence and data to analyze from an incident response standpoint. So when you look at this and you really look at the strengths of the INSM, it’s really just, if it’s done properly, it’s really just complementary to the entire CIP program, rather than just creating additional overhead. It really should just fit in, you know, to those three other pieces and really mesh well to increase that. There’s just the reliability and the confidence in those other three pieces, I think.
Jim: Yeah, the way you described it earlier, it’s like the ones inside. So it does seem very complementary and you’re not having to figure out between all of them that they are complementary. So based on your experience, what best practices or lessons learned have emerged from organizations that are already working towards compliance?
Nick: First, starting early and understanding your architecture and your asset inventory is really going to be key to this because a lot of times, you don’t know what you don’t know, right? That’s just an added, an age-old kind of saying. And once you dig into this, you might find that there’s a lot more there that you need to take into account for.
And then from there, really, I think customers should take the approach of looking at the visibility and the baselining and see what’s there and understand it and making sure that it matches what they think that it should, they should be getting. Before they start really jumping in and tuning these and making assumptions based on the reports, they need to give it some time to soak and really understand what they’re seeing.
The other thing too is, I think I mentioned this before and I’ll expand on it, is really involving the operations team to understand how the plant works and treat it more as a multi-use device instead of just a security initiative, because the operations team is going to give you a lot better insight to what’s going on and what should be going on, and they’re also going to find value in a lot of the information that you might derive from this as well.
Jim: Nick, let me ask you, how can Emerson solutions help customers meet CIP 015-01 requirements in a practical and scalable way?
Nick: Sure. Things that I think come to mind. One is Emerson, we’ve had experience deploying INSM technology for almost close to a decade now, and we’ve brought a lot of lessons learned forward with that. So, and I think coupled with that, we have chosen to partner with products that have deep OT protocol awareness. And I think this really helps with the integration, the control system architecture.
So some of those things that I mentioned before that are concerning to our customers, like not being aware or getting a lot of noise because you don’t have a product that’s tuned to specific OT protocols. The partnership allows us to make sure that they understand what communication we have in our systems and to validate that with each other to make sure that it works correctly.
The other thing too is that it allows us to really identify which products, which features really align with our customers to make sure that it is truly scalable for the system and right-sized for the system, because there’s a lot of risk of maybe buying something that’s too big for your system or too small for your system.
In addition to that, with our experience, we understand the fragility of these control systems, and we have had practice and experience deploying them so that we can make sure that the reliability and production of these facilities is not interrupted while we’re doing this. I think those are some of the really big takeaways for why Emerson can help.
Jim: Yeah, it seems like that experience can go a long way. So I guess from a utility’s perspective, how can proactive compliance with CIP 015-01 create a competitive advantage beyond simply just meeting the regulatory requirements?
Nick: Yeah, so, you know, we talked about a few of these ideas already, but I think that faster incident response, better threat detection is going to help reduce the utility’s risk of an actually unexpected or unplanned outage. And if the unfortunate were to happen, having products like this helps with the forensics, which can increase the recovery time from incidents like this, because you can come to better answers more quickly to understand what happened, how it happened, and then implement changes to make sure that it you reduce the risk that it can happen again.
So I think that the thing that’s going to really come is the resiliency and that, trust differentiator that, we have put these things into place so that way we can ensure that we are best protected for our customers. When I’m speaking from the utilities point of view, that they’re best protected for their customers to make sure that they’re getting a reliable, safe source of energy.
Jim: Yeah, that resiliency is such an important point there. So I guess as we wind things down here, for leaders that may be just starting on this journey, what is one action they should take in the next 90 days to set themselves up for success?
Nick: Yeah, I think that the first thing that we should do is do a realistic inventory of our networking and an assessment of our networking, understand what assets are there, how they all interconnect and communicate between the different OT networks. So that way, we can properly start identifying where the sensor deployment for these products should be done and how we can do that safely.
I think that that knowledge will, and having that accurate knowledge will help speed up, the process to make these decisions, faster, cheaper, and more effective, and ultimately give you better results and satisfaction with deploying of that product because you’re going to get the quality data that you expect and you want when you’re going to spend a lot of time and money and effort to implement something like this, you want to have quality results.
So proper planning upfront and setting it up is really going to help reduce risks and increase your satisfaction, I think.
Jim: Yeah, so assessment is where to begin, and maybe that’s also the start of forming that team of cross-functional people there and to get the buy-in you need for whatever you’re going to execute in there to make sure it’s a successful project to get you there.
Nick: Get the operations and the security teams all involved, looking at it, and understanding how it all works together is going to be critical, I think. Yes, you’re 100% right.
Jim: That’s great advice there. I guess for our viewers and listeners, you can learn more by visiting the ICS Security Power and Water Cybersecurity Suite section on Emerson.com. Well, Nick, you know, I’ve learned a lot in just this short time we’ve been discussing this, and I hope the same for our listeners. So thank you so much for sharing your expertise with us today.
Nick: Absolutely happy to. Really enjoyed our time together, Jim, and hope to see you again soon. Thank you.
-End of transcript-
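The INSM approach Nick describes in the transcript, passively copying OT traffic, letting it soak to build a baseline of normal communication, alerting on communication outside that baseline, retaining every flow for forensics, and pre-registering rare but legitimate operations activity so it does not become a false positive, as an added illustration that is not Emerson’s code or any product’s logic. The flow records, addresses, the 168-hour soak window and the operations-approved list are all constructed for the example.

```python
"""Toy INSM baseline-and-anomaly monitor over mirrored OT flow records.

Added example, not code from Emerson or the podcast. Constructed flow
records stand in for what a passive sensor sees on a SPAN/mirror port.
"""
from collections import namedtuple
from dataclasses import dataclass, field

# One summarised flow as a sensor might export it: ts is hours since start
# of monitoring (constructed unit), dport is the destination port.
Flow = namedtuple("Flow", "ts src dst dport proto")

SOAK_HOURS = 168  # assumption: one week of learning before alerting starts

# Constructed sample traffic: HMI polling a PLC over Modbus/TCP and a
# historian pulling from the HMI during the soak period, then post-soak
# traffic that includes one unknown host and one ops-approved rare host.
SAMPLE_FLOWS = [
    Flow(1,   "10.10.1.20", "10.10.2.5",  502,  "modbus"),  # HMI -> PLC
    Flow(2,   "10.10.1.30", "10.10.1.20", 5432, "tcp"),     # historian -> HMI
    Flow(100, "10.10.1.20", "10.10.2.5",  502,  "modbus"),
    Flow(167, "10.10.1.30", "10.10.1.20", 5432, "tcp"),
    Flow(200, "10.10.1.20", "10.10.2.5",  502,  "modbus"),  # still normal
    Flow(201, "10.10.1.99", "10.10.2.5",  502,  "modbus"),  # unknown host -> PLC
    Flow(202, "10.10.3.7",  "10.10.2.5",  502,  "modbus"),  # annual calibration laptop
]

# Rare-but-legitimate communication documented with the operations team up
# front, so a once-a-year activity is not reported as anomalous (constructed).
OPS_EXPECTED = {("10.10.3.7", "10.10.2.5", 502, "modbus")}


def flow_key(f):
    """The tuple INSM baselines: who talks to whom, on what port and protocol."""
    return (f.src, f.dst, f.dport, f.proto)


@dataclass
class InsmMonitor:
    soak_hours: int
    ops_expected: set
    baseline: set = field(default_factory=set)
    retained: list = field(default_factory=list)  # every flow kept for audit/forensics
    alerts: list = field(default_factory=list)

    def observe(self, f):
        """Retain the flow; learn during soak, alert on unknown pairs afterwards."""
        self.retained.append(f)
        k = flow_key(f)
        if f.ts < self.soak_hours:
            self.baseline.add(k)  # learning phase: no alerts yet, only the picture of normal
            return None
        if k in self.baseline or k in self.ops_expected:
            return None
        alert = {"ts": f.ts, "flow": k, "reason": "communication not in baseline"}
        self.alerts.append(alert)
        return alert


def run(flows=SAMPLE_FLOWS):
    """Feed the sample capture through the monitor and return it for inspection."""
    mon = InsmMonitor(SOAK_HOURS, OPS_EXPECTED)
    for f in flows:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    m = run()
    print(f"baselined pairs: {len(m.baseline)}, retained: {len(m.retained)}")
    for a in m.alerts:
        print("ALERT", a)
```

Only the unknown 10.10.1.99 host reaches the alert list; the calibration laptop is suppressed by the ops-approved set, which is the kind of operational knowledge the transcript says keeps seasonal activity from paging the team.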