
The Fastest Way for Utilities to Meet the NERC CIP-015-1 Standard

Cyberattacks on electric utilities have escalated into a high-frequency, strategic threat. U.S. utilities experienced a 70 percent surge in attacks in 2024 alone, a trend that intensified through 2025. These attacks are driven by geopolitical tensions and the increasing exposure of operational technology (OT).

To address this threat, the North American Electric Reliability Corporation (NERC) updated the Critical Infrastructure Protection (CIP) standard to mandate Internal Network Security Monitoring (INSM). Approved in June 2025, NERC CIP-015-1 requires electric utilities to monitor and analyze traffic inside their trusted network perimeters to detect early signs of a cyberattack.

Implementing NERC CIP-015-1 presents significant technical and operational hurdles as utilities shift from defending the perimeter to continuous internal monitoring. The right tools can help utilities overcome those hurdles.

Why Utilities Are Targeted with Cyberattacks

On average, utilities faced more than 1,100 weekly cyberattacks in 2022, with some reports showing a 200 percent increase in 2023. Utilities are considered “target-rich” due to their critical nature and reliance on OT that lacks robust security.

Many utilities still operate outdated, legacy infrastructure not designed for Internet connectivity. Grid modernization, which involves the addition of IoT sensors, smart meters, solar panels and other distributed energy resources, creates thousands of new entry points.

However, phishing remains the primary method for initial access, accounting for a high percentage of breaches. Attackers also use third-party vendors as an entry point to reach the main utility network. State-sponsored actors engage in long-term, stealthy infiltration to map networks for future disruption. Cybercriminals target utilities with ransomware and DDoS attacks to disrupt service.

What Is NERC CIP-015-1?

NERC CIP standards are a mandatory, evolving set of cybersecurity and physical security requirements aimed at protecting North America’s bulk electric system. Historically, these standards focused on the Electronic Security Perimeter (ESP). However, utilities often lacked visibility into “east-west” traffic between devices inside the network.

NERC CIP-015-1 is designed to close this “visibility gap” by specifically targeting the most dangerous modern attack patterns. Attackers often enter through a low-security system and move laterally to reach critical controls. By monitoring east-west traffic, CIP-015-1 makes it much harder for an intruder to move undetected.

Continuous internal monitoring aims for early detection, allowing utilities to stop an attack before it can cause a blackout or physical damage. It is also designed to identify internal threats that would otherwise bypass firewalls. By baselining “normal” behavior, AI-driven monitoring tools can spot unusual commands even if the attacker is using legitimate system protocols.
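The baselining idea above can be shown with a small added example (not code from Cisco, NERC or this article): it learns which internal paths and commands are normal, then flags a command never seen on a known path even though the protocol itself is legitimate. It uses a simple set-membership baseline rather than the AI-driven models mentioned above; the host addresses, the choice of Modbus and the flow records are constructed assumptions.

```python
from collections import namedtuple

# One observed internal (east-west) flow: who talked to whom, over which
# protocol, and which command was issued. Field names are illustrative.
Flow = namedtuple("Flow", "src dst proto command")

# Constructed learning-period traffic (hypothetical substation hosts).
LEARNING = [
    Flow("10.10.1.5", "10.10.2.20", "modbus", "read_holding_registers"),
    Flow("10.10.1.5", "10.10.2.21", "modbus", "read_holding_registers"),
    Flow("10.10.1.9", "10.10.2.20", "modbus", "write_single_register"),
]

# Constructed monitoring-period traffic.
OBSERVED = [
    Flow("10.10.1.5", "10.10.2.20", "modbus", "read_holding_registers"),
    Flow("10.10.1.5", "10.10.2.20", "modbus", "write_single_register"),
    Flow("10.10.3.7", "10.10.2.21", "modbus", "read_holding_registers"),
]

def build_baseline(flows):
    """Record every path and every command seen on each path."""
    paths, commands = set(), set()
    for f in flows:
        paths.add((f.src, f.dst, f.proto))
        commands.add(tuple(f))
    return paths, commands

def classify(flow, baseline):
    """Compare one flow against the learned paths and per-path commands."""
    paths, commands = baseline
    if (flow.src, flow.dst, flow.proto) not in paths:
        return "new_path"                   # hosts that never talked before
    if tuple(flow) not in commands:
        return "new_command_on_known_path"  # legitimate protocol, unusual command
    return "baseline"

def detect(flows, baseline):
    """Return (flow, verdict) for every flow that deviates from the baseline."""
    results = []
    for f in flows:
        verdict = classify(f, baseline)
        if verdict != "baseline":
            results.append((f, verdict))
    return results

if __name__ == "__main__":
    for flow, verdict in detect(OBSERVED, build_baseline(LEARNING)):
        print(verdict, flow)
```

A perimeter firewall sees none of these flows, since all of them stay inside the trusted network; the write from the polling host is flagged only because the baseline is kept per path rather than per protocol.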

Most Utilities Are Not Prepared for Compliance

Widespread internal monitoring is a relatively new frontier for the industry, and most utilities are now racing to meet the upcoming deadlines for NERC CIP-015-1 compliance. They must implement an INSM system for high- and medium-impact systems by Oct. 1, 2028. They have until Oct. 1, 2030, for other applicable systems. However, many North American utilities are still in the planning stages.

The right products can help utilities to meet the new requirements. Cisco Cyber Vision embeds security sensors within network switches and routers to provide deep visibility into OT assets and east-west traffic. It allows utilities to detect anomalies and unauthorized changes within substation networks without deploying additional hardware.

Cisco industrial routers and switches act as security sensors, using their embedded CPUs to run Cyber Vision software and monitor internal traffic at the edge. Cisco Talos provides threat intelligence feeds to Cisco security tools, which aids in identifying new threats to industrial control systems.

How Cerium Can Help

As a longtime Cisco partner, Cerium has training and certifications to help utility customers implement the Cisco Cyber Vision solution. Our team will assess your environment and develop a strategic plan to comply with NERC CIP-015-1. We will also ensure that the plan prepares you for NERC CIP-015-2, which is expected later in 2026. Contact us to schedule a confidential consultation.
