In response to evolving cyber threats and the need for enhanced security measures within critical infrastructure sectors, NERC is set to mandate the implementation of INSM. On January 19, 2023, FERC issued Order 887, instructing NERC to develop requirements within the CIP Reliability Standards for INSM on all high-impact Bulk Electric System (BES) Cyber Systems and medium-impact BES Cyber Systems with External Routable Connectivity (ERC). In the future, it may be extended to include the rest of medium-impact BES Cyber Systems as well as low-impact BES Cyber Systems.

Specifically, the order mandates NERC to create forward-looking, objective-based Reliability Standards that address three security objectives outlined in the order.  This directive, embodied in the new CIP-015-1 standard and outlined in Project 2023-03, represents a significant shift from traditional perimeter-focused security strategies to a more comprehensive approach that includes internal network traffic monitoring.

The Impact on Network Security

Traditionally, network security has focused on protecting the perimeter, leaving internal traffic relatively unmonitored. Malicious actors who breach the perimeter defenses can exploit this gap. By mandating INSM, NERC addresses this vulnerability, ensuring that critical entities can monitor and analyze internal network traffic for anomalous activities.

This shift brings challenges and opportunities for professionals in the field. The need for real-time internal network visibility requires the adoption of advanced monitoring tools and strategies. Businesses must now account for internal threats as rigorously as they do for external ones, which involves a comprehensive understanding of normal network behavior and the ability to identify deviations rapidly.

The phased timeline for implementation, based on asset classification, means that organizations must prioritize their efforts according to the criticality of their assets to ensure the most crucial components of the infrastructure are secured first. This reduces the overall risk profile while allowing for a manageable rollout of INSM capabilities.

Steps for Implementing INSM

To comply with the new INSM requirements, entities must follow a structured approach that includes the following steps:

Design and Document a Risk-Based Rationale: Develop a risk-based rationale to determine critical network data feeds. This means assessing the potential impact of different assets and prioritizing those most vital to the company’s operations and security.

Map and Categorize Network Data Feeds: Map and document all network data feeds, classifying and categorizing them based on a risk-based rationale. This step is essential for understanding the flow of data within the network and identifying key points for monitoring.

Design the INSM implementation criteria, which involves two parts:

Part 1:

Document Anomalous Network Detection Events: Maintain comprehensive records of all detected anomalous network activities, including detailed descriptions of the anomalies, timestamps, affected systems, and the nature of the suspicious behavior.

Record Configuration Settings of Internal Network Security Monitoring Systems: Document the configuration settings of all internal network security monitoring systems, including software settings, hardware configurations, applied policies, and any custom rules or filters in place.

Maintain a Baseline of Network Communication to Detect Anomalies: Establish and maintain a baseline of everyday network communication, representing the expected data flow patterns within the network under typical conditions.

Document Other Methods to Identify Anomalous Network Activity: Document other methods to identify anomalous network activity. This could include behavioral analytics, machine learning algorithms, threat intelligence integration, and heuristic analysis.

Part 2:

Document Methods Used to Evaluate Anomalous Activity: Once anomalies are detected, document the methods and processes used to evaluate these activities, including the tools and techniques used, the criteria for determining the severity of an anomaly, and the steps taken to analyze and understand the suspicious behavior.

Record Actions Taken in Response to Detected Anomalies: Document all actions taken in response to detected anomalies, including immediate measures such as containment and mitigation and long-term actions like system updates or policy changes.

Establish and Document Escalation Processes: Document other escalation processes for handling detected anomalies, particularly those that cannot be resolved at the initial response level. This could include integration with existing CIP-008 Cyber Security Incident Response Plans, ensuring a cohesive and coordinated approach to incident management.

How ITEGRITI Can Add Value

The upcoming CIP-015-1 standard and Project 2023-03 initiatives are pivotal shifts in network security for critical infrastructure sectors. By mandating INSM, NERC is addressing the need for comprehensive internal network visibility and security. ITEGRITI, with its expertise in cybersecurity and compliance, is well-positioned to assist organizations in critical infrastructure sectors in meeting the new INSM requirements. Here’s how ITEGRITI can add value:

Risk-Based Rationale Development: ITEGRITI can help Responsible Entities develop and document a robust risk-based rationale to identify critical network data feeds, ensuring a focused and effective monitoring strategy.

Network Data Mapping and Categorization: Leveraging its experience, ITEGRITI can assist in mapping and categorizing network data feeds, providing a clear and comprehensive overview of internal network traffic.

INSM Implementation Design: ITEGRITI can guide companies through the design and documentation of INSM implementation criteria, ensuring compliance with the CIP-015-1 standard. This includes setting up systems to detect and document anomalous network activities, establishing baselines, and developing response and escalation protocols.

Training and Webinars: ITEGRITI educates and equips professionals with the knowledge and skills needed to implement and manage INSM effectively through targeted webinars and training sessions.


ITEGRITI serves multiple sectors including energy, healthcare, and financial services across the United States and Canada. We assess, design, and improve cybersecurity and compliance programs to enhance defenses, detect breaches, minimize business disruption, and reduce incident recovery time, supported by internal controls to measure, monitor, and report ongoing program health. Our comprehensive approach includes incident readiness and tabletop exercises to prepare for and test responses to cybersecurity events. ITEGRITI. We Secure Critical Infrastructure.

Contact Us:

ITEGRITI Services: