MixMode’s Third-Wave AI: Achieving NERC CIP-015-1 Compliance and Beyond

By MixMode Threat Research / Aug 21, 2025

MixMode Threat Research is a dedicated contributor to MixMode.ai’s blog, offering insights into the latest advancements and trends in cybersecurity. Their posts analyze emerging threats and deliver actionable intelligence for proactive digital defense.

In our first blog, we outlined the challenges of NERC CIP-015-1, which mandates Internal Network Security Monitoring (INSM) within Electronic Security Perimeters (ESPs), and exposed the limitations of traditional SIEM, IDS, and NTA tools in SCADA and air-gapped Sensitive Compartmented Information Facility (SCIF) environments.

Our second blog highlighted the need for an OT-centric approach, introducing MixMode’s Third-Wave AI as a solution rooted in SCADA and mechanical engineering.

In this final blog of our three-part series, we detail how MixMode meets CIP-015-1’s requirements, addresses common issues such as infrastructure duplication and the sacrifice of OT standards, and prepares utilities for future standards such as CIP-015-2. With a self-contained, air-gapped platform, MixMode delivers granular monitoring, low false positives, and zero trust compliance, tailored for SCADA and SCIFs under the highest security scrutiny.

Meeting CIP-015-1 Requirements with MixMode

MixMode’s Third-Wave AI delivers a self-contained, air-gapped platform that requires no updates and no signatures, and minimizes false positives. Having evolved from OT and SCADA, it also provides value to IT environments in critical infrastructure, supporting unlimited sensors without per-sensor licensing costs. Its living, self-evaluating baseline, updated every 2.5 minutes using dynamical systems, models entities, meaning anything that takes action: IP addresses, users, and applications or devices acting as users or nodes (e.g., SCADA applications, IoT devices). Enhancements are managed through a formal change management process, including independent testing, staging, and manual deployment, ensuring adaptability without compromising isolation.

R1.1: Network Data Feeds

MixMode ingests packet data, data streams, and logs from network infrastructure (e.g., taps, SPAN ports) to monitor entity activities within ESPs. Its AI-driven baseline, updated every 2.5 minutes using dynamical systems, adapts to evolving SCADA and SCIF environments, capturing changes in behavior (e.g., a new application initiating DNP3 traffic) without manual reconfiguration. MixMode’s AI, rooted in OT and SCADA, models diverse entities, ensuring comprehensive coverage tailored to SCADA, IoT, or user-specific patterns. Its unsupervised learning eliminates manual configuration and provides audit-ready documentation for the risk-based rationale that R1.1 requires for data feed selection. Operating locally, MixMode preserves SCIF-grade isolation, with enhancements delivered via a formal change management process. Unlimited sensors enable granular monitoring across all Purdue levels (0–3) without infrastructure duplication.

R1.2: Detect Anomalous Network Activity

MixMode’s AI detects anomalies across entities by comparing real-time behavior to its 2.5-minute baseline, identifying zero-day attacks, insider threats, and ICS-specific anomalies (e.g., malformed Modbus packets) without signature dependency. The dynamical systems approach, grounded in SCADA expertise, minimizes alert volume and reduces alert fatigue. Local processing ensures uninterrupted anomaly detection in air-gapped SCIFs, and the formal change management process allows adaptation to new entity behaviors without IT-based retrofitting. Unlimited sensors ensure comprehensive threat detection across Purdue levels without connectivity risks or infrastructure expansion.
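To make the two detection ideas in this section concrete, here is an added Python illustration. It is not MixMode’s code and does not implement its dynamical-systems baseline; it shows, on constructed flow records and Modbus/TCP frames, (a) flagging conversations that deviate from a learned baseline, such as a never-seen host initiating DNP3, and (b) checking a Modbus/TCP MBAP header for structural consistency. The addresses, ports, and frames are made up for the example, and the baseline roll-forward only absorbs flagged flows after explicit analyst approval, so a living baseline cannot quietly learn an intrusion as normal.

```python
"""Added illustration: baseline-deviation and protocol-sanity checks for INSM.

Not MixMode's code; a simple stand-in for the behavior it describes.
"""
import struct
from collections import defaultdict

# Constructed ESP flow records: (initiator, responder, destination port).
# 20000 = DNP3, 502 = Modbus/TCP. Addresses are invented for the example.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 20000),   # HMI -> outstation, DNP3
    ("10.1.1.10", "10.1.2.21", 502),     # HMI -> PLC, Modbus/TCP
    ("10.1.1.30", "10.1.2.20", 20000),   # historian -> outstation, DNP3
]
CURRENT_FLOWS = BASELINE_FLOWS + [
    ("10.1.1.50", "10.1.2.20", 20000),   # never-seen host starts DNP3
    ("10.1.1.10", "10.1.2.21", 22),      # HMI opens SSH to the PLC
]


def learn_baseline(flows):
    """Record which conversations exist and which ports each entity initiates."""
    conversations = set()
    initiated_ports = defaultdict(set)
    for src, dst, dport in flows:
        conversations.add((src, dst, dport))
        initiated_ports[src].add(dport)
    return {"conversations": conversations, "initiated_ports": initiated_ports}


def detect_flow_anomalies(baseline, flows):
    """Return [(flow, reason)] for flows that deviate from the baseline."""
    findings = []
    for flow in flows:
        src, _dst, dport = flow
        if flow in baseline["conversations"]:
            continue
        if src not in baseline["initiated_ports"]:
            reason = "unknown entity initiating traffic"
        elif dport not in baseline["initiated_ports"][src]:
            reason = f"entity never initiated port {dport} before"
        else:
            reason = "known entity and port, new peer"
        findings.append((flow, reason))
    return findings


def update_baseline(baseline, flows, findings, approved=frozenset()):
    """Roll the baseline forward.

    Unflagged flows are absorbed automatically; flagged flows are absorbed only
    once an analyst has approved them (the R1.3 evaluation step).
    """
    flagged = {flow for flow, _ in findings}
    keep = [f for f in flows if f not in flagged or f in approved]
    new = learn_baseline(keep)
    baseline["conversations"] |= new["conversations"]
    for src, ports in new["initiated_ports"].items():
        baseline["initiated_ports"][src] |= ports
    return baseline


def check_modbus_tcp(frame):
    """Return None if the MBAP header is self-consistent, else a reason string.

    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) |
    unit id (1). The length field counts unit id + PDU, so it must equal
    len(frame) - 6, and the PDU is at most 253 bytes (length <= 254).
    """
    if len(frame) < 8:
        return "frame too short for MBAP header plus function code"
    _tid, proto, length, _unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        return f"MBAP protocol id {proto} is not 0"
    if length != len(frame) - 6:
        return f"MBAP length {length} does not match actual {len(frame) - 6}"
    if length > 254:
        return f"MBAP length {length} exceeds maximum ADU"
    return None


# Constructed frames: Read Holding Registers (FC 3), start 0, count 10.
GOOD_MODBUS = bytes.fromhex("000100000006010300000 00a".replace(" ", ""))
# Same PDU, but the length field claims 16 bytes that are not on the wire.
BAD_MODBUS = bytes.fromhex("000100000010010300000 00a".replace(" ", ""))


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for flow, reason in detect_flow_anomalies(baseline, CURRENT_FLOWS):
        print("FLOW ANOMALY", flow, reason)
    for name, frame in (("good", GOOD_MODBUS), ("bad", BAD_MODBUS)):
        print("MODBUS", name, check_modbus_tcp(frame) or "ok")
```

Running the demo flags the unknown host on DNP3 and the HMI's first SSH connection, and rejects the frame whose MBAP length field disagrees with the bytes actually present. The approval step in `update_baseline` is the caveat worth carrying into any product evaluation: ask how a self-updating baseline is prevented from absorbing an attacker's traffic as the new normal.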

R1.3: Evaluate Anomalous Activity

MixMode’s dashboards and forensic tools prioritize anomalies, providing context (e.g., severity, affected entity) based on its 2.5-minute baseline updates. Analysts can trace anomalies (e.g., unauthorized application traffic) with detailed insights, supporting escalation decisions. Case management integrates with CIP-008 workflows, ensuring auditable incident response. Unlimited sensors provide granular data for evaluation, reinforcing zero trust without requiring IT-centric solutions. Local dashboards maintain SCIF-grade isolation while enabling real-time and historical analysis for audits.

Data Retention and Protection

MixMode stores data, alerts, and logs locally with encryption and access controls, meeting CIP-015-1’s data retention (R2) and data protection (R3) requirements. Reporting features generate auditable evidence of entity-specific monitoring, proven effective in SCADA and SCIF environments. Local storage ensures compliance with SCIF protocols without infrastructure changes.

Preparing for CIP-015-2 and Beyond

FERC’s directive to expand CIP-015 to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) by June 26, 2026, will challenge traditional methods. MixMode’s unlimited sensor capability and formal change management process enable seamless scalability to cover badge systems, VPNs, or Active Directory, ensuring readiness for CIP-015-2 without compromising isolation or requiring infrastructure duplication.
Why MixMode Excels

MixMode’s Third-Wave AI, with its OT and SCADA origins, addresses common issues and meets critical needs:

  • Its self-learning AI requires no updates, unlike vendors relying on machine learning models, scripts, and rules that must be maintained.
  • The dynamical systems approach minimizes alerts, resolving the compliance vs. operational security dilemma.
  • MixMode’s self-contained design supports Purdue Security Model granularity without compromising SCIF-grade isolation, with secure enhancements via a formal change management process.
  • Compatibility with SCADA and SCIF environments ensures efficient processing, with unlimited sensors avoiding infrastructure duplication.
  • MixMode’s AI models diverse entities, aligning with OT standards and providing audit-ready documentation.
  • Continuous entity verification enforces zero trust, while granular monitoring makes least-privilege violations visible.

Choose MixMode for True CIP-015-1 Compliance

Many vendors claim to provide 100% coverage for NERC CIP-015-1, but few can deliver a solution that meets its rigorous requirements in SCADA and air-gapped SCIF environments without compromising operational security. MixMode’s Third-Wave AI, rooted in SCADA and mechanical engineering, delivers compliance with a living, self-evaluating baseline, unlimited sensors, and a formal change management process, ensuring granular monitoring, low false positives, and zero trust compliance. It provides value to IT environments while excelling in SCADA and SCIFs, ready for CIP-015-2 and beyond.

Utilities should evaluate vendors claiming full CIP-015-1 compliance by asking:

  • Can your solution operate without external connectivity, maintaining air-gapped isolation?
  • Does your platform rely on machine learning models, scripts, and rules that require updates, or can it self-adapt to SCADA environments?
  • How does your solution minimize false positives to focus on genuine threats?
  • Can your platform model diverse entities (IP addresses, users, applications) without manual configuration, supporting Purdue Security Model granularity?
  • How will your solution adapt to CIP-015-2’s expanded scope without additional costs?
  • What processes ensure secure enhancements in air-gapped SCIFs?

Deploy MixMode pilot programs now to meet CIP-015-1 deadlines (October 2028 and 2030). Schedule a MixMode Demo today to start securing your grid with a solution that upholds the sanctity of isolated environments while delivering unmatched visibility and security.

For more details on NERC CIP-015-1, visit www.nerc.com or FERC’s Federal Register notices.
