For years, NERC (North American Electric Reliability Corporation) CIP compliance focused heavily on securing the perimeter. CIP-006 governed physical access, CIP-007 locked down ports and services, and CIP-005 defined the ESP (Electronic Security Perimeter). The underlying assumption was that if you controlled what crossed the boundary, you controlled the risk.
CIP-015-1 rejected that assumption, and it has been in effect since September 2025. With the first major compliance deadline in September 2028, the gap between “we’ve read the standard” and “we have a working architecture” is starting to matter.
Understanding CIP-015-1 Requirements
FERC (Federal Energy Regulatory Commission) approved NERC CIP-015-1 as the INSM (Internal Network Security Monitoring) standard on June 26, 2025, through Order 907. The standard became effective on September 2, 2025. The compliance deadline is September 2, 2028, for High Impact BES (Bulk Electric System) Cyber Systems and Medium Impact BES Cyber Systems with ERC (External Routable Connectivity) at Control Centers. All other applicable medium-impact systems must comply by September 2, 2030.
The core requirement is operationally significant:
- Electric utility companies must monitor traffic inside their ESPs, not just what enters and exits the boundary.
- R1 requires entities to collect network data feeds based on a risk-based rationale, detect anomalous activity, evaluate detected anomalies, and retain associated data long enough to support investigations.
- R2 and R3 cover protecting and controlling access to the retained data.
Regulators are already looking ahead: NERC has been directed to expand the standard by September 2026 to cover EACMS (Electronic Access Control and Monitoring Systems) and PACS (Physical Access Control Systems) outside the ESP, both of which are included in the future CIP-015-2. That deadline is now only months away.
Why Implementation Takes Longer Than Expected
Deploying INSM inside an OT environment is not the same as deploying a SIEM (Security Information and Event Management) in a corporate data center. Monitoring must be passive, because active scanning is not an option in live ICS environments. A wide range of protocols is often in use, including Modbus, DNP3, IEC 61850, PROFINET, and EtherNet/IP, alongside standard IP traffic. Asset inventories are often incomplete, meaning INSM projects typically begin with discovery before any detection is possible. In addition, getting monitoring data out of the OT zone to an IT-side retention system without introducing new security risks requires intentional architectural planning, not just configuration.
What looks like a short OT project on paper can easily take 18 months or longer when deployment, change management, and documentation are factored in. For electric utility companies with 2028 assets in scope, the window for long-term planning is closing.
How OPSWAT Supports Compliance with CIP-015-1
OPSWAT’s OT security portfolio maps directly to the CIP-015-1 requirements.
OT Asset Discovery, Inventory, and Patch Management
MetaDefender OT Security™ addresses R1.1 through R1.3 with passive, agentless network monitoring via SPAN/TAP architectures, with no traffic injection and no disruption to control loops.
Deep packet inspection across hundreds of OT and IT protocols delivers the asset discovery, traffic baselining, and anomaly detection R1 demands. This enables security teams to identify behavioral anomalies such as unexpected Modbus commands, unauthorized engineering workstation connections, and unknown devices that traditional IT security tools often overlook.
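The baselining idea described above, shown as an added example that is not OPSWAT's code or detection logic: a learning window of passively observed Modbus/TCP requests becomes an allow-list, and later traffic is compared against it. The `Flow` record layout, the addresses, and the alert names are constructed for illustration.

```python
from collections import namedtuple

# Hypothetical record for one passively captured Modbus/TCP request
# (as a SPAN/TAP sensor might emit it); this is not a vendor schema.
Flow = namedtuple("Flow", "src dst func")

# Standard Modbus function codes that change process state.
WRITE_FUNCS = {5, 6, 15, 16}

def build_baseline(flows):
    """Learn devices, talker pairs and per-pair function codes from a learning window."""
    base = {"devices": set(), "pairs": set(), "tuples": set()}
    for f in flows:
        base["devices"].update((f.src, f.dst))
        base["pairs"].add((f.src, f.dst))
        base["tuples"].add((f.src, f.dst, f.func))
    return base

def detect(base, flows):
    """Return de-duplicated (kind, src, dst, func) alerts for traffic outside the baseline."""
    alerts, seen = [], set()
    for f in flows:
        if not {f.src, f.dst} <= base["devices"]:
            kind = "unknown_device"
        elif (f.src, f.dst) not in base["pairs"]:
            kind = "new_connection"
        elif (f.src, f.dst, f.func) not in base["tuples"]:
            kind = "unexpected_write" if f.func in WRITE_FUNCS else "unexpected_function"
        else:
            continue
        key = (kind, f.src, f.dst, f.func)
        if key not in seen:  # one alert per distinct deviation, not per packet
            seen.add(key)
            alerts.append(key)
    return alerts

# Constructed sample data: an HMI (.5), an engineering workstation (.9), two PLCs (.20, .21).
LEARNING = [Flow("10.10.1.5", "10.10.1.20", 3), Flow("10.10.1.5", "10.10.1.20", 6),
            Flow("10.10.1.9", "10.10.1.21", 3), Flow("10.10.1.9", "10.10.1.21", 16)]
OBSERVED = [Flow("10.10.1.5", "10.10.1.20", 3),    # in baseline: no alert
            Flow("10.10.1.5", "10.10.1.20", 16),   # HMI issues a write it never used before
            Flow("10.10.1.5", "10.10.1.20", 16),   # repeat: suppressed
            Flow("10.10.1.9", "10.10.1.20", 3),    # workstation reaches a PLC it never talked to
            Flow("10.10.1.77", "10.10.1.20", 1)]   # device absent from the inventory

if __name__ == "__main__":
    for alert in detect(build_baseline(LEARNING), OBSERVED):
        print(alert)
```

Each alert, together with the flow records behind it, is the kind of data R1 expects to be evaluated and retained.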
Next-Level Data Diode and Security Gateway Solutions
MetaDefender NetWall™ provides what is needed to support the R2 data transport challenge. Its unidirectional security gateway exports INSM telemetry from the OT zone to IT-side analytics and SIEM platforms in one direction only, hardware-enforced, with no return path. Electric utility companies can satisfy the data transfer requirements without opening a bidirectional channel that creates new exposure.
To be precise, MetaDefender NetWall moves data securely, while the retention and access control obligations of R2 and R3 are fulfilled by the receiving system. The full compliance architecture is MetaDefender OT Security collecting and detecting, NetWall transporting safely, and an IT-side SIEM retaining and controlling access.
Straightforward Support for Emerson DeltaV and Ovation Customers
For electric utility companies running Emerson’s DeltaV™ or Ovation™ automation platforms, the compliance path is more direct. These platforms are deployed in hundreds of power generation, water, and wastewater facilities, placing them among the BES asset owners within the scope of CIP-015-1. OPSWAT and Emerson announced a global reseller agreement in April 2026, making OPSWAT’s cybersecurity portfolio available through Emerson’s power and water cybersecurity suite.
The existing DeltaV Alliance already includes MetaDefender Kiosk™ and the MetaDefender Unidirectional Security Gateway for the DeltaV platform. This integration provides removable media control and unidirectional data export architecture that supports the CIP-003-9 and CIP-015-1 R2 requirements, respectively.
The new agreement extends OPSWAT’s OT patch management to Emerson’s Ovation platform across more than 800 sites globally, using MetaDefender Endpoint™ and My OPSWAT™ Central Management on premises. For DeltaV and Ovation customers, purpose-built CIP-ready architecture is available through the existing Emerson relationship.
Understanding the Full Scope of NERC CIP Compliance
The CIP-015-1 standard does not sit alone. The intersection of CIP-003-9, which takes effect on April 1, 2026, and CIP-015-1 is where OPSWAT’s portfolio becomes especially effective. The CIP-003-9 regulatory requirements also cover removable media and transient cyber assets for Low Impact BES Cyber Systems.
In OT environments, removable media and transient cyber assets are routinely used for patching and firmware updates in air-gapped systems. OPSWAT solutions help scan and sanitize removable media and vendor laptops before they touch a control system asset. With CIP-003-9 taking effect, if your program relies on policy rather than technology controls, that gap is auditable in your next cycle.
Actions to Take to Support Future Compliance
For electric utility companies with 2028 assets in scope, three actions should be prioritized now:
- Complete your asset inventory: passive discovery via MetaDefender OT Security provides the baseline that R1 detection depends on.
- Design your data flow before selecting tools: determine where INSM telemetry needs to land and architect the OT-to-IT path using unidirectional gateway technology.
- Account for CIP-015-2 scope: architectural decisions made today should accommodate EACMS and PACS monitoring without a full redesign when the expansion moves ahead.
The electric utility companies moving fast to implement CIP-015-1 compliance measures are the ones that moved from exploring to building first. The standards are clear, the deadline is fixed, and the decisions on architecture made in the next few quarters will separate compliant programs from struggling ones.
OPSWAT’s MetaDefender NetWall, MetaDefender Drive, MetaDefender Endpoint, My OPSWAT Central Management, and MetaDefender Kiosk are built specifically for this environment.
To learn more about how OPSWAT can support your compliance with the fast-approaching NERC CIP regulatory requirements, talk to an expert today.
