By NHI Mgmt Group Editorial TeamPublished 2026-05-11Domain: Governance & RiskSource: Appgate

TL;DR: CIP-015-2 expands internal network security monitoring expectations for electric utilities, but the practical challenge is that monitoring cannot by itself prevent overbroad OT access or lateral movement, according to Appgate. The governance gap is access control that still assumes trusted network placement instead of identity, context, and least privilege.


At a glance

What this is: This is an analysis of how CIP-015-2 changes utility readiness planning, with the core finding that internal network visibility is necessary but insufficient without stronger access control.

Why it matters: It matters because IAM, PAM, and NHI teams supporting OT and critical infrastructure need controls that reduce exposure before monitoring has to explain it after the fact.

By the numbers:

👉 Read Appgate's analysis of CIP-015-2 readiness and OT zero trust access


Context

CIP-015-2 raises the bar for internal network security monitoring in electric utility environments, but the underlying governance issue is broader than evidence collection. The main problem is that trusted network placement has historically been treated as a proxy for access legitimacy, even though OT environments now include remote operators, vendors, engineers, and segmented assets that need tighter control.

That is why the article’s central point matters to IAM and OT security teams: visibility helps detect abnormal activity, but it does not stop unnecessary exposure, overbroad reach, or lateral movement. In critical infrastructure, access control and monitoring have to be designed together, because compliance evidence is only as useful as the access model that generates it.

CIP-015-2 also extends the conversation beyond the Electronic Security Perimeter by forcing utilities to think about what should be visible, what should be reachable, and what should be retained for investigation. That makes the topic relevant not just to compliance teams, but to identity architects, PAM owners, and anyone responsible for remote access into operational environments.


Key questions

Q: How should utilities reduce OT exposure while preparing for CIP-015-2?

A: Utilities should reduce exposure by limiting who can reach OT assets, not just by improving what they can see after the fact. Identity-centric access, MFA, device posture checks, and task-scoped entitlements reduce unnecessary pathways, while monitoring records the sessions that remain. That combination gives compliance teams cleaner evidence and security teams less lateral movement risk.

Q: Why is internal monitoring not enough for critical infrastructure access risk?

A: Internal monitoring tells you that something happened, but it does not prevent overbroad access from existing in the first place. In OT environments, a user who can reach too many systems creates more operational risk than a monitoring dashboard can offset. Access control has to shrink the reachable surface before detection becomes meaningful.

Q: What breaks when utilities rely on VPN access for OT operations?

A: VPN access often turns network connectivity into a stand-in for authorization, which makes lateral movement easier and audit evidence less precise. Once a user is on the network, proving what they were entitled to reach becomes harder. Utilities should prefer explicit, per-resource access decisions over broad network admission.

Q: Who is accountable for access evidence when CIP-015-2 audits occur?

A: Accountability sits with the utility’s security, IAM, and operational technology teams together, because access evidence depends on how entitlements are designed and how sessions are logged. If the access model is broad or the logs are incomplete, the organisation owns that gap. Framework alignment typically maps to NIST Cybersecurity Framework 2.0 and, where specific controls are in scope, NIST SP 800-53 Rev 5 Security and Privacy Controls.


Technical breakdown

Why trusted network placement no longer equals trusted access

Traditional OT access models often assume that once a user or device is inside a network boundary, it can be trusted to reach what it needs. CIP-015-2 challenges that assumption by expanding the monitoring scope and making internal movement more visible to auditors and defenders. In practice, network location is a weak proxy for authorization because it says nothing about user intent, device health, or task scope. Identity-centric policy has to replace boundary trust if utilities want to reduce unnecessary pathways and produce evidence that actually means something.

Practical implication: stop using network placement as a substitute for explicit authorization and context-aware access decisions.

How internal network security monitoring and zero trust work together

INSM is designed to observe communication patterns, establish baselines, and flag anomalous behavior inside OT environments. Zero trust access controls address the earlier stage of the problem by deciding who can reach which systems, under what conditions, and for how long. The two are complementary, not interchangeable. Monitoring can show that an unexpected session occurred. Zero trust can reduce the number of sessions that should never have been possible. That distinction is especially important where utilities must preserve evidence while limiting operational exposure.

Practical implication: pair monitoring with identity-based enforcement so fewer risky sessions ever reach the OT network.

Why session logging matters for compliance and incident response

CIP-015-2 pushes utilities toward more disciplined evidence collection, which means access logs need to be structured enough to support both compliance review and forensic reconstruction. Good session logging records who connected, what they accessed, under which policy, and whether the session was time-bound or exceptional. That evidence becomes weak when access is broad, static, or tied only to IP addresses. The stronger the access model, the cleaner the audit trail, because the record reflects explicit decisions rather than inherited trust.

Practical implication: require session logs that tie each access event to identity, policy, and time window.



NHI Mgmt Group analysis

Monitoring without access reduction is an evidence strategy, not a security strategy. CIP-015-2 makes internal visibility more important, but visibility does not narrow the attack surface by itself. Utilities that rely on INSM alone will know more about risky sessions without necessarily preventing them. The practitioner conclusion is straightforward: evidence collection must sit on top of a tighter access model, not replace it.

Legacy VPN-style trust creates unnecessary blast radius in OT environments. When users are placed onto the network instead of being granted specific system access, investigations become harder and lateral movement becomes easier. That is the governance failure this article exposes: broad connectivity is being mistaken for legitimate operational need. Practitioners should treat every extra reachable subnet as an avoidable exposure.

Identity-centric OT access is the control plane CIP-015-2 is implicitly rewarding. The article points toward a model where identity, device posture, MFA, and session scope matter more than network location. That is the direction utilities need because access decisions should be explainable at audit time and enforceable at session time. The practitioner conclusion is to align access governance with identity, not topology.

Time-bound access is the practical answer to third-party and temporary operational need. Utilities will continue to depend on vendors, engineers, and field staff who do not need standing connectivity. The governance lesson is that temporary work should create temporary access, with expiry and traceability built in. Practitioners should use this article to re-check where access remains open after the task ends.

Named concept, visibility-control coupling: CIP-015-2 shows that internal monitoring only becomes operationally useful when the access layer has already reduced what can happen. The article surfaces a recurring problem in critical infrastructure security, namely that evidence-rich environments still remain overly permissive. The practitioner conclusion is to treat visibility and enforcement as one programme, not two separate projects.

From our research:

  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
  • A separate finding shows that systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems, a 4.5x gap that mirrors the utility access problem.
  • For a broader view of exposure patterns, see 52 NHI Breaches Analysis for the recurring control failures that turn excessive access into operational compromise.

What this signals

The practical signal for utility programmes is that compliance-driven visibility work should not be allowed to outrun access redesign. If internal monitoring improves while broad connectivity remains in place, the programme will generate more evidence without materially lowering blast radius.

Identity blast radius: in OT environments, the relevant unit of risk is no longer the perimeter but the set of systems a user can reach once admitted. That is why utilities should pair access governance with references like NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture.

With 69% of security leaders saying identity management must fundamentally shift to address agentic AI systems, per the 2026 Infrastructure Identity Survey, the broader lesson is that identity programmes are being asked to govern more than human logins. Utilities that modernise OT access now will find it easier to extend the same governance model to vendors, workloads, and AI-driven operations later.


For practitioners

  • Map OT access paths to explicit identity controls Replace network-location assumptions with rules that bind each user, vendor, and device to specific approved resources, device posture, and MFA requirements. Prioritise remote access paths that currently depend on broad VPN reach or inherited subnet trust.
  • Reduce standing reach into sensitive OT segments Review which remote users can see or touch control-centre, substation, and engineering zones by default, then remove access that is not tied to a current task or ticket. Focus first on pathways that create the largest lateral movement potential.
  • Standardise time-bound access for vendors and temporary operators Issue access only for the window needed to complete the work, then expire it automatically and retain the session record for audit and investigation. This is especially important where third-party support currently relies on persistent credentials or long-lived remote entitlements.
  • Align session logs with compliance evidence needs Ensure each access event captures identity, target system, policy context, and session duration so audit evidence can be reused for incident analysis without reconstruction work. The more explicit the policy trail, the easier it is to demonstrate control effectiveness.

Key takeaways

  • CIP-015-2 is really a control-design problem as much as a monitoring problem, because visibility cannot compensate for overbroad access.
  • Utilities should expect audit evidence to get more demanding, which makes identity-centric access and structured session logging operational necessities, not nice-to-haves.
  • The strongest readiness posture pairs internal network monitoring with zero trust enforcement so fewer risky sessions are possible in the first place.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4The article centers on identity-based access control for OT environments.
NIST Zero Trust (SP 800-207)3.1Zero Trust access by identity, context, and least privilege is the core access model here.
NIST SP 800-53 Rev 5AC-6Least privilege is required to reduce unnecessary reach into utility OT systems.
CIS Controls v8CIS-6 , Access Control ManagementThe article is about controlling and auditing access paths into sensitive environments.

Apply zero trust principles to restrict OT reach to verified users, devices, and sessions only.


Key terms

  • Internal network security monitoring: Internal network security monitoring is the practice of observing traffic and activity inside trusted environments to detect anomalies, evidence misuse, and support investigations. In OT settings, it is most useful when paired with access controls that reduce exposure before suspicious activity can spread.
  • Zero trust network access: Zero trust network access is an access model that grants users and devices only the specific resources they need, based on identity and context rather than network location. For OT, it reduces the blast radius of remote access and creates cleaner evidence for audits and incident response.
  • Electronic Access Control or Monitoring Systems: Electronic Access Control or Monitoring Systems are components in NERC CIP environments that control or observe access to critical assets. When they sit outside the Electronic Security Perimeter, they become especially important because they can expand both visibility and risk if not governed tightly.

What's in the full article

Appgate's full analysis covers the operational detail this post intentionally leaves for the source:

  • Utility-specific discussion of how AppGate ZTNA maps to OT access patterns and segmented environments
  • The access-layer features the vendor says matter most for supporting audit evidence and session traceability
  • The direct-routed deployment considerations that affect regulated OT performance and control
  • How the vendor positions cloaking, Single Packet Authorization, and time-bound access in utility environments

👉 Appgate's full post covers the access model, monitoring context, and OT enforcement details

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org