Internal Network Security Monitoring + iolite secure

NERC CIP-015-1

+

Operational Insight & Threat Detection for Connected Infrastructure

Assume Compromise is Possible
Detect and Respond to Internal Network Behavior

WHAT IS CIP-015-1

NERC CIP-015-1 is a part of the broader NERC CIP framework, which governs cybersecurity for North American electric utilities. It is a reliability standard designed to protect abnormal or unauthorized activity inside operational networks.

CIP-015-1 expands NERC monitoring expectations beyond perimeter defenses. Earlier CIP standards emphasized continuous security monitoring but were primarily focused on North/South traffic. CIP-015 introduces explicit requirements for internal network monitoring. Assume compromise is possible. Detect and respond to anomalous internal network behavior.

WHO IT APPLIES TO

CIP-015 applies to Responsible Entities operating Bulk Electric System (BES) infrastructure including:

Responsible Entities

  • Balancing Authorities
  • Distribution providers
  • Generator Owner and Operators
  • Transmission Owners and Operators
  • Reliability Coordinators
  • High Impact BES Cyber Systems, and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC)

Facilities in Scope

Mission Critical systems responsible for grid reliability and restoration:

  • Load Shedding Systems (UFLS / UVLS) — Automatically shed 300 MW+ of load, operate without human intervention, are part of regulated reliability programs
  • Remedial Action Schemes (RAS) — Automated systems designed to protect grid stability during faults or disturbances
  • Transmission Protection Systems — Systems responsible for detecting and responding to faults on transmission assets
  • Blackstart / Cranking Paths — Infrastructure used to restore power generation after a blackout, including initial startup paths between generation units

And for all other entities: All Bulk Electric System (BES) Facilities

HOW IOLITE HELPS

Iolite provides a comprehensive solution designed specifically for the unique challenges of operational technology (OT) environments, helping organizations meet and exceed NERC CIP-015-1 requirements.

CIP-015 represents a major shift in cybersecurity for critical infrastructure. iolite enables organizations to meet CIP-015 requirements natively while improving real security outcomes, not just audit readiness

  1. From Perimeter Defense
  2. To Continuous Monitoring and Detection

Native Internal Network Visibility

  • Continuous monitoring of OT, IT and IoT traffic
  • Full visibility of Internal ESP (not just the perimeter)

Intelligent Anomaly Detection

  • Behavioral baselining
  • Reduced false positives with customizable detections

Contextual Alerting & Evaluation

  • Alerts mapped to operational processes and threat relevance

OT First, not IT Adapted

  • A platform built for low resource environments
  • Designed for connected infrastructure monitoring across IT + OT
  • Focused on operational insight + threat detection convergence

KEY REQUIREMENTS

CIP-015 addresses East/West communications inside the Electronic Security Perimeter (ESP), and is built around three core requirements (R1–R3):

R1 – Internal Network Monitoring & Detection

Organizations must implement network data feeds to:

  • Collect network telemetry — Including Connections, Devices, and Network Communications
  • Detect anomalous network activity — Baseline vs abnormal behavior; threat indicators or deviations
  • Evaluate anomalies — Determine severity & determine response actions

R2 – Data Retention

  • Retain internal network security monitoring data related to detected anomalies
  • Keep data until response actions are complete
You don't need to store everything, only what's relevant to investigations.

R3 – Data Protection

Protect monitoring data from:

  • Unauthorized deletion
  • Tampering or modification
This ensures forensic integrity and audit defensibility.

WHERE ORGANIZATIONS STRUGGLE AND HOW IOLITE HELPS

Existing approaches often rely on heavy footprint IDS sensors, specialized monitoring agents and high-cost asset management systems. There is a need for lightweight, low overhead network sensors and targeted monitoring in constrained environments.

Organizations of all size may be looking for solutions such as:

  • Selective replacement of high-cost sensors at renewal cycles
  • Instrumentation of smaller network segments
  • Supplemental monitoring alongside incumbent IDS vendors
  • Closing coverage gaps in distributed OT environments

1. Lack of Internal Visibility

Most OT environments were never designed for internal monitoring — lack deep packet visibility or east-west traffic insight.

2. Defining "Anomalous" Behavior

No baseline of "normal" OT communications — high false positives from IT-centric tools.

3. Fragmented Tooling

Firewalls ≠ internal monitoring. SIEMs lack OT context. IDS tools are noisy or incomplete.

4. Data Retention & Integrity

Storing the right data (not everything) is hard — ensuring tamper-proof logs across environments is harder.

5. Operational Burden

Manual analysis of alerts, limited OT cybersecurity talent, difficulty tying alerts to real operational risk.