The NERC CIP-015-1 Challenge: Why Traditional SCADA Security Falls Short
Is your SCADA security stack ready to meet the future of cybersecurity demands in critical infrastructure? Do you rely on rules, scripts, and threat intelligence feeds to keep your systems secure, only to find them struggling to keep pace with evolving threats? Have you been forced to double up your infrastructure to accommodate new security solutions, straining budgets and operational efficiency? Have you had to sacrifice your SCADA Operational Technology (OT) standards by retrofitting IT-based solutions that only partially deliver the desired security outcomes? Have you compromised the isolation of your air-gapped zones due to the limitations of proprietary next-generation security software?
These challenges highlight a critical gap in traditional cybersecurity tools, particularly in SCADA environments and air-gapped Sensitive Compartmented Information Facilities (SCIFs) under the highest security scrutiny.
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1, effective September 2, 2025, demands a new approach to securing critical infrastructure, exposing the inadequacies of conventional methods.
In this first blog of our three-part series, we explore the challenges of CIP-015-1 and why traditional tools fall short, setting the stage for an OT-centric solution.
Understanding NERC CIP-015-1
Approved by the Federal Energy Regulatory Commission (FERC) on June 26, 2025, via Order No. 907, NERC CIP-015-1 mandates Internal Network Security Monitoring (INSM) within Electronic Security Perimeters (ESPs) for high- and medium-impact Bulk Electric System (BES) Cyber Systems. With compliance deadlines of October 2028 (high/medium-impact systems with External Routable Connectivity) and October 2030 (other medium-impact systems), the standard requires entities to monitor internal network traffic to detect and respond to malicious or anomalous activity. Key requirements include:
- Implementing network data feeds to monitor connections, devices, and communications within ESPs, justified by a risk-based rationale.
- Detecting anomalous or unauthorized activity using these data feeds.
- Evaluating detected anomalies to determine necessary actions, integrating with CIP-008 incident response processes.
- Securely retaining network traffic logs to prevent tampering and support investigations.
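To make the four INSM activities concrete at the smallest possible scale, here is an added Python example that is not part of this post and is neither MixMode's nor NERC's code. It takes constructed Modbus/TCP flow records from inside a hypothetical ESP (the IP addresses, asset roles and flows are all made up for the example), learns a baseline of who talks to whom with which function code, flags every flow outside that baseline, evaluates each finding into a severity a CIP-008 process could act on, and retains the findings in a hash-chained log whose integrity can be verified later. The strict allow-set baseline also shows, in miniature, why a rule-based approach raises a finding for every new conversation between inventoried devices, which is the false-positive problem discussed further down.

```python
"""
Minimal illustration of the four CIP-015-1 INSM activities on constructed data:
  1. collect network data from inside the ESP (here: a list of flow records),
  2. detect anomalous or unauthorized activity against a learned baseline,
  3. evaluate each detection to decide on an action,
  4. retain the evidence in a tamper-evident (hash-chained) log.
All hosts, roles and flows below are constructed for the example.
"""
import hashlib
import json

# Modbus function codes that change process state (values from the public Modbus spec).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 23}

# Constructed asset inventory for one ESP: role per IP address (hypothetical addresses).
ASSETS = {
    "10.10.1.10": "hmi",
    "10.10.1.11": "historian",
    "10.10.2.20": "plc",
    "10.10.2.21": "plc",
}

# Constructed baseline window: flows observed during a known-good period.
BASELINE_FLOWS = [
    {"src": "10.10.1.10", "dst": "10.10.2.20", "dport": 502, "func": 3},
    {"src": "10.10.1.10", "dst": "10.10.2.20", "dport": 502, "func": 16},
    {"src": "10.10.1.10", "dst": "10.10.2.21", "dport": 502, "func": 3},
    {"src": "10.10.1.11", "dst": "10.10.2.20", "dport": 502, "func": 3},
]

# Constructed monitoring window: one normal flow plus three events worth evaluating.
LIVE_FLOWS = [
    {"src": "10.10.1.10", "dst": "10.10.2.20", "dport": 502, "func": 3},
    {"src": "10.10.1.11", "dst": "10.10.2.21", "dport": 502, "func": 3},   # new pair of known devices
    {"src": "10.10.1.11", "dst": "10.10.2.20", "dport": 502, "func": 6},   # historian writing a register
    {"src": "10.10.3.99", "dst": "10.10.2.20", "dport": 502, "func": 3},   # device not in inventory
]


def flow_key(flow):
    """The tuple the baseline is learned on: who talks to whom, on which port, doing what."""
    return (flow["src"], flow["dst"], flow["dport"], flow["func"])


def learn_baseline(flows):
    """Step 1: build the allow-set of (src, dst, dport, func) tuples seen in the good window."""
    return {flow_key(f) for f in flows}


def evaluate(flow):
    """Step 3: rank a detection so the incident-response process knows what to do with it."""
    src_role = ASSETS.get(flow["src"])
    if src_role is None:
        return "high", "source not in ESP asset inventory"
    if flow["func"] in MODBUS_WRITE_FUNCS and src_role != "hmi":
        return "high", f"{src_role} issued Modbus write function {flow['func']}"
    return "medium", "new conversation between inventoried devices"


def detect(flows, baseline):
    """Step 2 (+3): flag every flow outside the baseline and attach an evaluation."""
    findings = []
    for f in flows:
        if flow_key(f) in baseline:
            continue
        severity, reason = evaluate(f)
        findings.append({"flow": f, "severity": severity, "reason": reason})
    return findings


def retain(findings, prev_hash="0" * 64):
    """Step 4: append-only log where each entry commits to the previous entry's hash."""
    entries = []
    for finding in findings:
        body = json.dumps(finding, sort_keys=True)
        digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
        entries.append({"prev": prev_hash, "body": body, "hash": digest})
        prev_hash = digest
    return entries


def verify_chain(entries, genesis="0" * 64):
    """Recompute the chain; an edited, dropped or reordered entry breaks verification."""
    prev_hash = genesis
    for e in entries:
        if e["prev"] != prev_hash:
            return False
        if hashlib.sha256((prev_hash + e["body"]).encode()).hexdigest() != e["hash"]:
            return False
        prev_hash = e["hash"]
    return True


def run_monitoring(baseline_flows=BASELINE_FLOWS, live_flows=LIVE_FLOWS):
    """Run the whole pipeline once and return (findings, retained log)."""
    baseline = learn_baseline(baseline_flows)
    findings = detect(live_flows, baseline)
    return findings, retain(findings)


if __name__ == "__main__":
    findings, log = run_monitoring()
    for f in findings:
        print(f["severity"].upper(), f["reason"], f["flow"])
    print("log chain intact:", verify_chain(log))
```

Run it and the normal HMI read is silent, the historian-to-PLC read is a medium finding purely because that pair was never seen, the historian's register write and the unknown host are high findings, and `verify_chain` returns False as soon as any retained entry is altered or removed. In a real ESP the flow records would come from a span port or tap feeding a collector that never needs a route out of the zone, which is the constraint the rest of this post is about.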
This shift from perimeter-based defenses to continuous internal monitoring significantly increases the complexity and cost of securing SCADA networks, particularly in air-gapped SCIFs designed for the highest security scrutiny.
The Shortcomings of Traditional Tools
Traditional cybersecurity tools, namely Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), and Network Traffic Analysis (NTA), are ill-equipped to meet CIP-015-1’s demands in SCADA and air-gapped SCIF environments:
- SIEM generates excessive alerts based on static rules, overwhelming analysts and risking missed threats in critical SCADA systems. The reliance on predefined correlations fails to adapt to dynamic OT environments, leading to analyst fatigue.
- IDS depends on signature-based detection, missing novel attacks like zero-day exploits and requiring frequent updates that are incompatible with air-gapped SCIFs, where connectivity is prohibited.
- NTA produces false positives due to rigid baselining and often relies on machine learning models, scripts, and rules that require cloud connectivity, violating strict isolation requirements.
These IT-centric tools exacerbate common issues:
- Infrastructure Duplication: Resource-intensive solutions require additional hardware, doubling infrastructure costs and complicating maintenance in SCADA environments.
- Sacrificed OT Standards: Retrofitting IT-based tools to SCADA networks compromises OT-specific standards, as they lack granularity for protocols like DNP3 or Modbus, leading to incomplete protection.
- Compromised Zone Isolation: Solutions requiring cloud connectivity or external updates breach air-gapped zones, undermining SCIF security.
- False Positive Overload: Excessive alerts from rigid rules and models burden analysts, diverting focus from genuine threats.
- Update Dependency: Reliance on machine learning models, scripts, and rules that need frequent updates introduces risk in air-gapped environments, where each update must be carried across the isolation boundary.
The flood of false positives and operational compromises forces utilities into a dilemma: prioritize compliance with CIP-015-1, or maintain operational security without disrupting critical operations. This trade-off is unsustainable in high-stakes SCADA and SCIF environments.
The Path Forward
NERC CIP-015-1 exposes the critical shortcomings of traditional cybersecurity methods, highlighting the need for an OT-centric solution that aligns with the Purdue Security Model, supports zero trust and least privilege, and maintains air-gapped isolation without infrastructure expansion or OT standard sacrifices. In our next blog, we’ll explore why an OT-focused approach is essential for CIP-015-1 compliance and introduce MixMode’s Third-Wave AI, a platform rooted in SCADA and mechanical engineering, designed to address these challenges. Stay tuned for a deeper look at how to secure your grid effectively.
