NERC CIP-015: what New England utilities need to do before July 2026

NERC CIP-015-1 — Internal Network Security Monitoring (INSM) — starts to apply to High and certain Medium-impact BES Cyber Systems in July 2026. If you are a New England transmission or generation operator, your to-do list is now measurable in months, not fiscal years.

What CIP-015 actually requires

At a plain-English level: you need to be able to detect suspicious activity inside your Electronic Security Perimeter, not just at its boundary. That implies east-west visibility, anomaly baselining, and a documented analysis and response process.

Five steps to start this week

1. Inventory first. Stand up a passive asset-discovery tool on a mirror port (Dragos, Claroty, Nozomi — pick one). Validate it against your CIP-002 asset list.
2. Baseline for 30 days. Resist the urge to tune rules in the first week. You want signal, not noise.
3. Decide who watches. 24/7 OT SOC, co-managed with IT, or outsourced? Document the answer before the audit asks.
4. Update CIP-007-6 R4 evidence. Your event-monitoring evidence must now include INSM outputs. Your auditor will ask.
5. Tabletop the analysis-and-response path. Including the call to the E-ISAC, not just to IT.

Where we help

BCF operates OT-safe assessments and co-managed OT monitoring for several ISO-NE footprint utilities. If you want a 90-minute readiness workshop with your engineering, IT, and compliance leads in the same room, we do those as fixed-fee engagements.

Contact: intake@bostoncomputerforensics.com or (617) 848-5962.