NERC CIP-015-2 Raises the Stakes for OT Visibility. Access Control Has to Keep Up.

As NERC CIP-015-2 brings internal network security monitoring into sharper focus, utilities need more than visibility into OT network activity. They need enforceable, identity-based access controls that reduce unnecessary exposure, limit lateral movement, and provide the audit-ready telemetry required to support evolving NERC CIP readiness. AppGate ZTNA helps deliver that control with direct-routed, least-privilege access well-suited to the performance, security, and operational demands of OT environments. 

Electric utilities are entering a new phase of North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) readiness. With CIP-015-1 approved and CIP-015-2 moving the conversation forward, internal network security monitoring (INSM) is no longer just a future-state planning exercise. Utilities are evaluating solutions, preparing for evidence collection, and thinking through how to monitor activity inside trusted OT environments with enough clarity to detect anomalous behavior before it becomes a larger operational risk.

That pressure is understandable. In electric utility environments, the impact of a cyber event can extend far beyond financial loss. A disruption to power generation, transmission, or distribution can affect hospitals, water treatment facilities, emergency services, and other critical infrastructure that depends on a stable grid. The consequences can quickly snowball from an issue inside a utility environment to a broader public safety concern.  

CIP-015-2 reflects that reality. It expands the focus on internal network visibility, requiring responsible entities to think more carefully about how they monitor network activity, detect anomalous behavior, evaluate what they find, and retain evidence to support compliance. NERC’s technical rationale explains that the Federal Energy Regulatory Commission directed NERC to modify CIP-015-1 to extend INSM to Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside the Electronic Security Perimeter (ESP), addressing a reliability and security gap in the broader CIP-networked environment.  

But visibility is only one side of the problem, and CIP-015-2 does not create a need for access control so much as it reinforces the need for controls utilities should already be putting in place.

Monitoring can help utilities understand what is happening inside their environments. It can help establish baselines, identify unexpected communication patterns, and support investigation and response. But monitoring does not, by itself, prevent overbroad access, reduce unnecessary exposure, or stop unauthorized users and devices from seeing sensitive OT resources in the first place.

That is where Zero Trust Network Access becomes essential.

Why CIP-015-2 Is About More Than Monitoring

At its core, INSM is about understanding the communication profile of the OT network. What systems are communicating? What does normal activity look like? What traffic is entering the environment? How are users and devices interacting with critical systems? What activity appears anomalous enough to require investigation?

Those are not small questions. They require utilities to collect, analyze, retain, and protect evidence across complex OT environments, often over long audit timelines. Utilities are already talking with vendors, buying solutions, and preparing for audits that can involve years of evidence gathering, gap identification, remediation, and documentation.  

For many organizations, that creates a practical challenge: how do you make monitoring meaningful when access itself is still too broad?

Legacy access models, especially VPN-based approaches, often place users on the network rather than granting access only to the specific systems or services they need. Once connected, users may have more visibility and reach than their role requires. That creates more opportunity for lateral movement, more ambiguity in investigations, and more work for teams trying to prove who accessed what, when, and why.

CIP-015-2 increases the importance of internal visibility, but it also makes clear why prevention and access enforcement matter. The more tightly access is controlled, the easier it becomes to reduce unnecessary pathways, limit exposure, and produce cleaner, more useful evidence when activity needs to be reviewed.  

Zero Trust Gives Utilities a Stronger Access Foundation

Zero Trust is highly relevant to NERC CIP, particularly CIP-005-7 R2 controls on Interactive Remote Access (IRA), because it aligns access with identity, context, and least privilege. Instead of assuming that a user, device, or system should be trusted because it is inside a network boundary, Zero Trust requires access to be explicitly granted, continuously evaluated, and limited to the resources required for the task.

For utilities, that matters across multiple access scenarios: field technicians connecting to OT assets, third-party vendors supporting operational systems, engineers accessing segmented SCADA zones, and internal teams moving between IT and OT environments.

AppGate ZTNA supports this model by enforcing access before a session is established. Specifically, AppGate directly enforces policy at the access layer, cloaks underlying OT resources, and allows only authorized users and devices to connect under context-aware conditions. It also supports least-privilege access, adapts based on user, device, and risk context, and provides granular visibility into access activity.  

That distinction is important. Traditional monitoring tools are designed to observe activity after traffic has reached sensitive environments. AppGate ZTNA takes a different approach by reducing what users and devices can see or reach before access is granted.

How AppGate ZTNA Helps Utilities Strengthen CIP-015-2 Readiness

AppGate ZTNA is not an INSM replacement, and it is not a new response to CIP-015-2. It is the Zero Trust access control layer that helps utilities reduce the risk INSM is designed to detect by limiting access to the right users, systems, and timeframes while generating evidence for compliance and investigation.

Several capabilities are especially relevant for utilities preparing for evolving NERC CIP requirements:

  • Identity-centric access control. AppGate ZTNA grants access based on verified identity, device posture, MFA, and contextual policy rather than static network location or IP-based trust. This helps ensure that only authorized users can reach approved OT resources.
  • Direct-routed architecture. AppGate ZTNA does not require traffic to be backhauled through a vendor-hosted cloud or centralized inspection point to reach protected resources. This matters in regulated environments where cloud traversal can introduce concerns around control, performance, and operational dependency.  
  • Cloaking and Single Packet Authorization. AppGate ZTNA leverages cloaking and Single Packet Authorization to prevent unauthorized probing and keep protected systems invisible until access is explicitly approved.  
  • Granular segmentation. AppGate ZTNA can segment access down to individual systems or ports, helping reduce lateral movement risk and limit each user or vendor to only the resources required.
  • Time-bound access. Utilities can provide time-bound access for approved users and third parties, then automatically expire that access at the end of the configured window.
  • Session logging and audit support. AppGate ZTNA captures structured access event data that can help utilities understand and demonstrate who accessed what, when, and under what conditions. Session logging and auditing are key capabilities for satisfying audit requirements and supporting forensic investigation.  
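The capabilities above, as an added example that is not AppGate's code: a minimal least-privilege access decision that checks identity role, MFA, device posture, a single host:port entitlement and a time window, and returns a structured audit record for every attempt; the policy, user, host and times are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Policy:
    role: str             # identity group the entitlement applies to
    host: str             # a single protected OT resource, not a subnet
    port: int             # a single port, not the whole host
    not_before: datetime  # start of the approved window (UTC)
    not_after: datetime   # access expires automatically after this

@dataclass
class Request:
    user: str
    role: str
    mfa_ok: bool
    device_compliant: bool
    host: str
    port: int
    at: datetime

def evaluate(req: Request, policies: list) -> dict:
    # Decide one connection attempt and return a structured audit record.
    reasons = []
    if not req.mfa_ok:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_posture_failed")
    matched = [p for p in policies
               if (p.role, p.host, p.port) == (req.role, req.host, req.port)]
    if not matched:
        reasons.append("no_entitlement")   # unmatched resources stay unreachable
    elif not any(p.not_before <= req.at <= p.not_after for p in matched):
        reasons.append("outside_time_window")
    return {"time": req.at.isoformat(), "user": req.user, "role": req.role,
            "resource": f"{req.host}:{req.port}", "mfa": req.mfa_ok,
            "device_compliant": req.device_compliant,
            "decision": "allow" if not reasons else "deny", "reasons": reasons}

UTC = timezone.utc
# Constructed entitlement: one vendor role, one HMI, one port, a four-hour window.
POLICIES = [Policy("vendor-hmi", "10.10.5.20", 3389,
                   datetime(2025, 3, 1, 8, tzinfo=UTC), datetime(2025, 3, 1, 12, tzinfo=UTC))]

def demo():
    inside, late = datetime(2025, 3, 1, 10, tzinfo=UTC), datetime(2025, 3, 1, 13, tzinfo=UTC)
    reqs = [Request("v.ortiz", "vendor-hmi", True, True, "10.10.5.20", 3389, inside),
            Request("v.ortiz", "vendor-hmi", True, True, "10.10.5.20", 3389, late),
            Request("v.ortiz", "vendor-hmi", True, True, "10.10.5.20", 22, inside)]
    return [evaluate(r, POLICIES) for r in reqs]   # one JSON-ready dict per decision
```

Each returned record names the user, the exact resource, the time and the conditions under which the decision was made, which is the form of evidence an auditor or investigator can actually use.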

Together, these capabilities help utilities strengthen the access side of CIP readiness. INSM helps identify anomalous activity. AppGate ZTNA helps reduce the number of unnecessary access paths that anomalous activity can exploit.

From Compliance Pressure to Operational Resilience

The growing attention around CIP-015-2 is not just about checking a regulatory box. It reflects a larger shift in how utilities must secure operational environments.

OT networks are more connected than they used to be. Control centers, substations, remote assets, vendors, engineering workstations, and distributed resources all introduce new access and visibility challenges. The more distributed the environment becomes, the less effective perimeter-based assumptions become.

That is why modern access control must work with monitoring, not apart from it.

Utilities need to know what is happening inside their environments, but they also need to limit what can happen in the first place. They need to reduce blind spots, but they also need to reduce unnecessary access. They need evidence for compliance, but they also need security controls that support day-to-day operations without adding latency, cloud dependency, or operational complexity.

AppGate ZTNA was designed for that kind of environment. Its direct-routed, identity-centric approach helps utilities enforce least-privilege access to sensitive OT systems while preserving performance and control. It supports secure remote and third-party access without exposing the broader network. And it provides the access telemetry needed to complement existing monitoring and compliance workflows.

As CIP-015-2 moves forward, utilities should view INSM readiness as more than a monitoring project. It is an opportunity to modernize how access is granted, limited, observed, and proven.

Because in critical infrastructure, visibility matters. But visibility is stronger when it is paired with control.

Ready to strengthen NERC CIP readiness with Zero Trust access built for OT? Learn how AppGate ZTNA helps utilities reduce attack surface, secure remote and third-party access, and complement internal monitoring with direct-routed, identity-centric enforcement. 
