TL;DR: CIP-015-2 expands internal network security monitoring expectations for electric utilities, but the practical challenge is that monitoring cannot by itself prevent overbroad OT access or lateral movement, according to Appgate. The governance gap is access control that still assumes trusted network placement instead of identity, context, and least privilege.
NHIMG editorial — based on content published by Appgate: Electric utilities and NERC CIP-015-2 readiness
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
Questions worth separating out
Q: How should utilities reduce OT exposure while preparing for CIP-015-2?
A: Utilities should reduce exposure by limiting who can reach OT assets, not just by improving what they can see after the fact.
Q: Why is internal monitoring not enough for critical infrastructure access risk?
A: Internal monitoring tells you that something happened, but it does not prevent overbroad access from existing in the first place.
Q: What breaks when utilities rely on VPN access for OT operations?
A: VPN access often turns network connectivity into a stand-in for authorization, which makes lateral movement easier and audit evidence less precise.
Practitioner guidance
- Map OT access paths to explicit identity controls Replace network-location assumptions with rules that bind each user, vendor, and device to specific approved resources, device posture, and MFA requirements.
- Reduce standing reach into sensitive OT segments Review which remote users can see or touch control-centre, substation, and engineering zones by default, then remove access that is not tied to a current task or ticket.
- Standardise time-bound access for vendors and temporary operators Issue access only for the window needed to complete the work, then expire it automatically and retain the session record for audit and investigation.
What's in the full article
Appgate's full analysis covers the operational detail this post intentionally leaves for the source:
- Utility-specific discussion of how AppGate ZTNA maps to OT access patterns and segmented environments
- The access-layer features the vendor says matter most for supporting audit evidence and session traceability
- The direct-routed deployment considerations that affect regulated OT performance and control
- How the vendor positions cloaking, Single Packet Authorization, and time-bound access in utility environments
👉 Read Appgate's analysis of CIP-015-2 readiness and OT zero trust access →
CIP-015-2 and OT access control: are utilities ready?
Explore further
Monitoring without access reduction is an evidence strategy, not a security strategy. CIP-015-2 makes internal visibility more important, but visibility does not narrow the attack surface by itself. Utilities that rely on INSM alone will know more about risky sessions without necessarily preventing them. The practitioner conclusion is straightforward: evidence collection must sit on top of a tighter access model, not replace it.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- A separate finding shows that systems with least-privileged AI access had a 17% incident rate versus 76% for over-privileged systems, a 4.5x gap that mirrors the utility access problem.
A question worth separating out:
Q: Who is accountable for access evidence when CIP-015-2 audits occur?
A: Accountability sits with the utility’s security, IAM, and operational technology teams together, because access evidence depends on how entitlements are designed and how sessions are logged. If the access model is broad or the logs are incomplete, the organisation owns that gap. Framework alignment typically maps to NIST Cybersecurity Framework 2.0 and, where specific controls are in scope, NIST SP 800-53 Rev 5 Security and Privacy Controls.
👉 Read our full editorial: NERC CIP-015-2 pushes utilities toward zero trust access