The Need for an OT-Centric Approach: Addressing CIP-015-1’s Unique Demands

By MixMode Threat Research / Aug 19, 2025

MixMode Threat Research is a dedicated contributor to MixMode.ai’s blog, offering insights into the latest advancements and trends in cybersecurity. Their posts analyze emerging threats and deliver actionable intelligence for proactive digital defense.

In our first blog, we discussed how NERC CIP-015-1, effective September 2, 2025, challenges traditional cybersecurity tools like SIEM, IDS, and NTA, which struggle to meet the standard’s Internal Network Security Monitoring (INSM) requirements in SCADA and air-gapped Sensitive Compartmented Information Facilities (SCIFs).

These IT-centric tools rely on machine learning models, scripts, and rules that require frequent updates, generate excessive false positives, and compromise air-gapped isolation, forcing utilities either to duplicate infrastructure or to sacrifice OT standards.

In this second blog of our three-part series, we explore why an OT-centric approach is critical for addressing CIP-015-1’s unique demands and introduce MixMode’s Third-Wave AI, a transformative solution with origins in SCADA and mechanical engineering. Evolving from OT and SCADA, MixMode delivers a self-contained, air-gapped platform that aligns with the Purdue Security Model, enforces zero trust and least privilege, and provides value to IT environments in critical infrastructure.

Why an OT-Centric Approach Matters

NERC CIP-015-1 requires continuous internal monitoring within Electronic Security Perimeters (ESPs) to detect and respond to anomalous activity in high- and medium-impact Bulk Electric System (BES) Cyber Systems. This poses unique challenges for SCADA and air-gapped SCIF environments, where operational reliability, protocol-specific monitoring (e.g., DNP3, Modbus), and strict isolation are non-negotiable. Traditional tools, designed for IT environments, fail to address these OT-specific needs:

  • Infrastructure Duplication: Resource-intensive IT solutions require additional hardware, increasing costs and complexity in SCADA environments.
  • Sacrificed OT Standards: Retrofitting IT tools to SCADA networks compromises OT standards, lacking the granularity needed for industrial control systems.
  • Compromised Zone Isolation: Cloud-dependent updates breach air-gapped SCIFs, undermining security.
  • False Positive Overload: Rigid rules and models produce excessive alerts, overwhelming analysts in high-stakes environments.
  • Update Dependency: Frequent updates to machine learning models, scripts, and rules are impractical in air-gapped settings.

An OT-centric solution, rooted in the unique requirements of SCADA and SCIFs, is essential to meet CIP-015-1’s demands while addressing these common issues. Such a solution must support the Purdue Security Model’s granular monitoring, operate without external connectivity, and adapt dynamically to evolving threats without sacrificing operational integrity.


Introducing MixMode’s Third-Wave AI

MixMode’s Third-Wave AI is purpose-built for OT environments, with origins in SCADA and mechanical engineering that predate the term SCADA itself. Unlike IT-centric solutions that struggle to align with SCADA needs, MixMode evolved from OT, delivering a self-contained, air-gapped platform that also provides value to IT environments in critical infrastructure. Key features include:

  • Its self-learning AI requires no updates, eliminating the risks that external connectivity introduces in SCIFs, unlike vendors relying on machine learning models, scripts, and rules.
  • The dynamical systems approach minimizes alerts, focusing analysts on genuine threats and resolving the compliance vs. operational security dilemma.
  • MixMode operates locally, supporting the Purdue Security Model’s granular requirements without compromising SCIF-grade isolation. Enhancements are delivered via a formal change management process, including independent testing, staging, and manual deployment.
  • Compatibility with SCADA and SCIF environments ensures efficient processing on legacy systems, with unlimited sensors and optimized data ingestion for critical entity traffic (e.g., ICS protocols), avoiding infrastructure duplication.
  • MixMode’s AI models diverse entities (IP addresses, users, applications) without manual configuration, aligning with OT standards and providing audit-ready documentation.

These features address the common issues of traditional tools, ensuring compliance and security without operational trade-offs.

Looking Ahead

MixMode’s OT-centric design positions it as a leader in addressing CIP-015-1’s challenges, but how does it specifically meet the standard’s technical requirements?

In our final blog, we’ll dive into how MixMode’s Third-Wave AI delivers compliance with CIP-015-1’s requirements, prepares for CIP-015-2, and empowers utilities to secure their grid.

Stay tuned for a detailed exploration of MixMode’s capabilities.

Explore MixMode’s OT-centric approach to SCADA and SCIF security by scheduling a demo of MixMode today and discover how it overcomes traditional tool limitations.
