FERC Moves To Bolster Cybersecurity
On June 26, FERC approved a new reliability standard (CIP-015-1) proposed by the North American Electric Reliability Corporation ("NERC") to enhance cybersecurity of the nation's bulk electric system ("BES").[1] In a related ruling, FERC withdrew a Notice of Inquiry ("NOI") that requested comments as to whether Critical Infrastructure Protection ("CIP") reliability standards adequately addressed "cybersecurity risks pertaining to data security, detection of anomalies and events, and mitigation of cybersecurity events."
CIP-015-1
NERC submitted CIP-015-1 as a proposed reliability standard in response to a FERC directive[2] to develop certain new or modified reliability standards to extend internal network security monitoring ("INSM")[3] to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter ("ESP"). The ESP controls traffic at the external electronic boundary of a cyber system and provides a first layer of defense against network-based attacks. In FERC's view, CIP-015-1 improves upon the currently effective CIP reliability standards by requiring INSM for all "high impact" BES Cyber Systems[4] with and without external routable connectivity[5] and "medium impact" BES Cyber Systems with external routable connectivity to ensure the identification of anomalous network activity indicating an ongoing attack.
Clarification: "CIP-Networked Environment"
In Order No. 887, a prior rulemaking on bulk electric internal security monitoring, FERC used the term "CIP-networked environment" to define the "trust zone" in which INSM requirements should apply. In Order No. 907, FERC clarified that the "CIP-networked environment" extends beyond the ESP and includes the systems within the ESP and network connections among and between electronic access control or monitoring systems ("EACMS")[6] and physical access control systems ("PACS")[7] external to the ESP. FERC noted that it is necessary to defend against attacks external to the ESP because they may compromise systems such as EACMS and PACS and then infiltrate the perimeter under the guise of a trusted communication.
Given this clarification, FERC acknowledged that CIP-015-1, which requires INSM only within the ESP, is not fully compliant with the Commission's directive in Order No. 887. Therefore, FERC also directed NERC to develop further modifications to CIP-015-1, within 12 months of the effective date of Order No. 907, to extend INSM to include EACMS and PACS outside of the ESP.
Withdrawal of NOI
After considering the National Institute of Standards and Technology ("NIST") cybersecurity framework, FERC embarked on the NOI to ascertain whether the CIP reliability standards should be bolstered to counter the risk of "coordinated cyberattack to the security and reliability" of the BES. After issuance of the NOI, FERC and NERC undertook multiple steps to address "emerging issues and to improve the cybersecurity posture of the BES," citing the creation of better control center communication (CIP-012-1) and directing NERC "to develop modifications to the CIP reliability standards to require protection regarding the availability of communication links and data communicated…between control centers."
Regarding the potential risk of a coordinated cyberattack on geographically distributed targets, on March 16, 2023, the Commission approved reliability standard CIP-003-9 (Security Management Controls).[8] The reliability standard requires entities with BES facilities whose assets are designated low impact to have methods for determining and disabling vendor remote access. NERC also performed an in-depth analysis of the risk presented by low impact cyber facilities and reported on whether those criteria should be modified to address coordinated cyberattacks. Based on those findings, NERC revised reliability standard CIP-003 and, on December 20, 2024, NERC filed proposed reliability standard CIP-003-11 (Security Management Controls) for Commission approval.[9] The proposed reliability standard would, among other things, require entities to "mitigate the risks posed by a coordinated attack using distributed low impact bulk electric system Cyber Systems by adding controls to authenticate remote users; protecting the authentication information in transit; and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity."
Based on the above activity, FERC determined that withdrawal of the NOI was warranted, but without prejudging whether to approve the revised CIP-003-11.[10]
Effective Dates
CIP-015-1 will become effective on September 2, 2025. The termination of the NOI will become effective on July 31, 2025.
Implications for You
Entities responsible for compliance with NERC CIP standards—particularly those operating high and medium impact BES Cyber Systems—should begin preparing for the implementation of CIP-015-1 by assessing internal network security monitoring capabilities within the ESP. Stakeholders should also anticipate further changes within the next year as FERC has directed NERC to expand these monitoring requirements to include systems outside the ESP, such as EACMS and PACS. These developments underscore the need to regularly evaluate cybersecurity practices, network architecture, and vendor access protocols to ensure alignment with evolving regulatory expectations.
[1] Critical Infrastructure Protection Reliability Standard CIP-015-1 – Cyber Security – Internal Network Security Monitoring, Order No. 907 (Docket No. RM24-7-000) June 26, 2025 ("Order No. 907"). The "Bulk Electric System" or "BES" refers to the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at 100 kV or higher.
[2] Internal Network Sec. Monitoring for High & Medium Impact Bulk Electric System Cyber Systems, Order No. 887, 182 FERC ¶61,021 (2023) ("Order No. 887").
[3] INSM is a subset of network security monitoring that is applied within a "trust zone," such as a perimeter zone with elevated credentials inside of an entity's internal network.
[4] NERC defines BES Cyber Systems as "One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." See NERC, Glossary of Terms Used in NERC Reliability Standards (February 26, 2025). BES Cyber Systems are categorized as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-5.1a (BES Cyber System Categorization).
[5] External routable connectivity is "[t]he ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection."
[6] EACMS are "Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems."
[7] PACS are "Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers."
[9] N. Am. Elec. Reliability Corp., Petition for approval of Proposed Reliability Standards CIP-003-11, Docket No. RM25-8-000 (filed Dec. 20, 2024).
[10] Potential Enhancements to the Critical Infrastructure Protection Reliability Standards, withdrawal of Notice of Inquiry and Terminating of Rulemaking Proceedings issued June 26, 2025 (Docket No. RM20-12-000) ("Withdrawal Order").