RiskWatch
Energy & Utilities · NERC CIP + EPA AWIA + TSA SD

NERC CIP through CIP-015, east-west not just the perimeter.

FERC FY2025 NERC CIP audits flagged third-party oversight failures, cloud documentation gaps, and DER miscategorization. CIP-015-1 requires INSM of east-west traffic inside the ESP, not just at the perimeter. 12,000+ ICS incidents in 2024. Built for utility CISOs running electric + water + gas on the same OT/IT evidence vault — without spreadsheet sprawl.

  • NERC CIP-002 through CIP-015 INSM coverage
  • OT + IT unified — east-west traffic + ESP perimeter
  • EPA AWIA + TSA SD-2021-02 multi-sector ready
  • FERC-audit evidence trail · 3rd-party oversight tracked
No credit card · CIP-002 through CIP-015 ship day 1
Multi-sector regulatory stack · 2026
Electric + water + gas. Same CISO. Overlapping deadlines.
Live countdown · deadlines auto-route to the program owner

  • NERC CIP-003-9 · electric · Low-impact BCS protections enforceable (all low-impact BES Cyber Systems · transient devices + supply chain) · Apr 1, 2026 · snapshot: 34d past due
  • TSA SD-2021-02F · gas · Pipeline cybersecurity directive expires, renewal due (critical hazardous liquid + natural gas pipelines + LNG facilities) · May 2, 2026 · snapshot: 3d past due
  • AWIA RRA + ERP · water · Risk and Resilience Assessment recertification (community water systems serving 3,301 – 49,999 people) · Jun 30, 2026 · snapshot: 56d remaining
  • CIP-015-2 modification · electric · FERC-ordered INSM expansion to EACMS + PACS; NERC filing deadline, entity compliance follows · Sep 1, 2026 · snapshot: 119d remaining

One CISO running 3 sectors · 4 mandates. Stop tracking deadlines in spreadsheets.
What it is

What is risk management software for energy and utilities?

One CISO running electric + water + gas faces four 2026 mandates simultaneously. RiskWatch keeps the OT and IT control evidence in one library, tracks east-west INSM coverage per CIP-015, tracks third-party oversight (the FERC FY2025 audit-finding pattern), and maintains a deadline calendar across NERC CIP-002 through CIP-015, EPA AWIA, and TSA SD-2021-02. FERC-audit-ready packages are produced on demand.

Why utilities move to RiskWatch

FERC FY2025 audits flagged the same gaps. CIP-015 turns east-west into the audit finding.

FERC's 2025 audit summary made the gaps explicit: third-party oversight, cloud documentation, DER miscategorization, physical segmentation. CIP-015 makes east-west the next audit target. And the resource constraint at small co-ops and munis — one CISO covering IT + OT + compliance — only compounds. Here's where it actually breaks.

Pain #1

FERC FY2025 audits flagged 3rd-party oversight failures across CIP-003, 006, and 010.

FERC's 2025 NERC CIP audit summary identified entities that contracted most of their compliance program to a third party but did not perform the oversight needed to confirm the third party actually fulfilled those responsibilities — exactly the gap that turns into a “higher chance of undetected noncompliance.” Vendor-task tracking with SLAs, attestation cadences, and compensating-control evidence captured per delegated CIP requirement — not just the contract.

Pain #2

ESP perimeter logs aren't INSM. CIP-015 makes east-west the audit finding.

CIP-015-1 (approved by FERC in 2025, with CIP-015-2 modifications due in 2026) requires monitoring of east-west traffic inside the Electronic Security Perimeter for high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity. Most utilities have CIP-005 perimeter logs and assume they're covered. They aren't: traffic that never crosses an Electronic Access Point never appears in those logs. INSM coverage tracked per BCS · high vs medium impact split · 36-month compliance window from the effective date of FERC's order modeled · gaps surfaced before the audit.

Pain #3

One CISO. Three sectors. Four 2026 deadlines. Spreadsheet calendars don't scale.

Multi-sector utilities (electric + water + gas) face overlapping mandates: NERC CIP-003-9 (Apr 1, 2026), TSA SD-2021-02F renewal (May 2, 2026), EPA AWIA RRA recertification (Jun 30, 2026), CIP-015-2 modification (Sep 1, 2026). One regulatory calendar, one evidence vault, one program-owner routing — across electric, water, and gas. Same controls library, sector-aligned mappings.

NERC CIP-002 through CIP-015

All 14 CIP standards. Including the new CIP-015 INSM.

Standard | Scope | Focus area
CIP-002 | BES Cyber System Categorization | DER aggregation flagged in FY2025 audits
CIP-003 | Security Management Controls | CIP-003-9 enforceable Apr 1, 2026 (low-impact)
CIP-004 | Personnel & Training | Cloud personnel access — FY2025 gap area
CIP-005 | Electronic Security Perimeter | Perimeter ≠ INSM (see CIP-015)
CIP-006 | Physical Security of BES Cyber Systems | Visitor logs + 24×7 monitoring
CIP-007 | System Security Management | Patch + ports + malicious code
CIP-008 | Incident Reporting & Response | E-ISAC reporting + lessons-learned
CIP-009 | Recovery Plans for BES Cyber Systems | BCDR exercise cadence
CIP-010 | Configuration Change & Vulnerability | Baseline + change auth + vuln assessments
CIP-011 | Information Protection (BCSI) | Information handling + storage
CIP-012 | Communications Between Control Centers | Confidentiality + integrity in transit
CIP-013 | Supply Chain Risk Management | Vendor risk · 3rd-party oversight evidence
CIP-014 | Physical Security (critical substations) | Threat assessment + 3rd-party reviewer
CIP-015 | Internal Network Security Monitoring | East-west detection inside ESP · newest standard, FERC-approved 2025
CIP-015-1 · INSM

Perimeter logs aren't INSM. East-west or it's an audit finding.

FERC approved CIP-015-1 in 2025. High impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity at Control Centers must comply within 36 months of the approval order's effective date; the remaining medium impact BCS with ERC get a longer window. FERC also directed NERC to extend INSM to EACMS and PACS outside the ESP; that modification (CIP-015-2, in NERC's 2025-02 standards project) is due for filing by September 1, 2026, and entity compliance dates are set when FERC approves it. The INSM tracker maintains coverage per BES Cyber System with the high vs medium impact split, surfaces gaps quarterly, and integrates with OT-native platforms (Dragos, Nozomi, Claroty) and operational SIEMs.

  • Per-BCS coverage · INSM posture per high and medium impact BES Cyber System; gaps surface 90 days before the audit window
  • OT-native integrations · Dragos · Nozomi · Claroty · SIEM feed into the same control evidence vault as IT data
  • 36-month timeline modeled · compliance milestones tied to the effective date of FERC's approval order; quarterly readiness % rolled to the board
  • FERC-aligned evidence · R1/R2/R3 evidence packaged for the audit window with retention metadata captured
CIP-015-1 · Internal Network Security Monitoring
East-west traffic inside the ESP. Per BCS.
High impact BCS and medium impact BCS with ERC at Control Centers · 36-month compliance window from the effective date of FERC's approval order

  • BCS-CC-01 · High · Primary Control Center · INSM coverage 100%
  • BCS-CC-02 · High · Backup Control Center · INSM coverage 87%
  • BCS-SUB-14 · Medium · Transmission Substation 230kV cluster · INSM coverage 64%
  • BCS-GEN-07 · Medium · Generation Unit 7 · 1,200 MW · INSM coverage 48%
  • BCS-DR-03 · Medium · Distribution control · DER aggregation · INSM coverage 22%

CIP-015-1 · 3 requirements
  • R1 · INSM process: collect network communication data within the ESP, detect anomalous activity on it, and evaluate the detections (Parts 1.1–1.3)
  • R2 · Protect the collected INSM data against unauthorized deletion or modification
  • R3 · Retain INSM data associated with anomalous activity long enough to support investigation

Perimeter logs ≠ INSM. East-west or audit finding. The ESP isn't the boundary anymore.
Multi-sector regulatory stack

One CISO. Three sectors. Four 2026 deadlines.

Multi-sector utilities — especially municipal and cooperative providers running electric + water + gas — face overlapping mandates that no single-framework tool surfaces. CIP-003-9 enforceable April 1. TSA SD-2021-02F renewal due May 2. EPA AWIA RRA recertification June 30. CIP-015-2 NERC modification September 1. The deadline stack is one regulatory calendar, one evidence vault, one routing path to the program owner — sector-aware.

The same OT/IT control evidence covers NERC CIP, AWIA, and TSA SD simultaneously. Score one access-control practice against three regulators. Running 3 mandates in 3 spreadsheets is how the May-2 deadline becomes the September 1 incident.

See your sector mix mapped to the deadline calendar
The FERC audit asked about east-west visibility inside the ESP. Our CIP-005 perimeter logs were never going to answer that question.
DR
Daniel R.
CISO · Investor-owned utility · Electric + gas · 2.4M customers
INSM coverage · high BCS: 100% (from 0 in 9 months)
FERC audit findings: 0 (FY2026 cycle)
3rd-party oversight gaps: ↓ 92% (with vendor register)
NERC CIP Pack · 44 pages
Energy & Utilities
NERC CIP + EPA AWIA + TSA SD Pack
PDF · 44 pages · CIP-015 ready

Multi-Sector Utility Compliance Pack

Forty-four pages covering NERC CIP-002 through CIP-015 (including INSM scope worksheets), EPA AWIA RRA template, TSA SD-2021-02 mapping, the FERC FY2025 audit-finding remediation checklist, and the multi-sector regulatory deadline calendar.

  • CIP-002 through CIP-015 control libraries
  • CIP-015 INSM scope + 36-mo readiness worksheet
  • EPA AWIA RRA + TSA SD-2021-02 mapping
  • FERC FY2025 audit-finding remediation checklist
Get the pack

Looking for the broader compliance-frameworks crosswalk? Find it on the compliance frameworks hub.

FAQ

Common questions, answered up front.

About NERC CIP-002 through CIP-015 INSM, the FERC FY2025 audit findings, EPA AWIA, TSA SD-2021-02, and how RiskWatch covers all of them.

What is risk management software for energy and utilities?
Risk management software for energy and utilities is a platform that helps electric, water, and natural-gas utilities operate the cybersecurity, physical security, and reliability compliance programs the sector requires — NERC CIP-002 through CIP-015 for the bulk electric system, EPA AWIA Risk and Resilience Assessments for community water systems, and TSA Security Directive Pipeline-2021-02 for critical pipelines. RiskWatch unifies the OT and IT control evidence, tracks vendor and third-party oversight per CIP-013, runs east-west INSM posture per CIP-015, and produces FERC-audit-ready packages without spreadsheet sprawl.
Which NERC CIP standards does the platform cover?
All currently approved standards: CIP-002 (BES Cyber System Categorization), CIP-003 (Security Management Controls; CIP-003-9 low-impact protections enforceable April 1, 2026), CIP-004 (Personnel & Training), CIP-005 (Electronic Security Perimeter), CIP-006 (Physical Security), CIP-007 (System Security Management), CIP-008 (Incident Response), CIP-009 (Recovery Plans), CIP-010 (Configuration Change), CIP-011 (Information Protection), CIP-012 (Control Center Communications), CIP-013 (Supply Chain), CIP-014 (Physical Security of critical substations), and CIP-015-1 (Internal Network Security Monitoring: east-west detection inside the ESP, with CIP-015-2 modifications under development to expand scope to EACMS and PACS).
What does the FERC FY2025 NERC CIP audit summary tell utilities to focus on?
FERC's FY2025 audit findings centered on four areas: (1) DER asset miscategorization under CIP-002-5.1a — auditors found one entity with 500+ DERs totaling 1,700+ MVA not factored into impact assessments; (2) physical segmentation violations where entities ran BES and non-BES generation from the same control center with the same personnel; (3) third-party oversight failures across CIP-003, CIP-006, and CIP-010 where compliance was outsourced without measurable oversight; (4) cloud-service documentation gaps under CIP-004 and CIP-010 where entities couldn't produce the agreements demonstrating compliance. RiskWatch tracks each of these as first-class concerns, not as audit-prep afterthoughts.
How does CIP-015 INSM differ from CIP-005 ESP monitoring?
CIP-005 covers the Electronic Security Perimeter: the boundary between the BES Cyber System and external networks, enforced at Electronic Access Points. Most utilities have CIP-005 perimeter logs and IDS/IPS at that boundary. CIP-015 (INSM, Internal Network Security Monitoring) requires collecting and analyzing east-west traffic inside the ESP: communications between BES Cyber Systems and Cyber Assets in the same trust zone, which never cross an EAP and therefore never appear in perimeter logs. The audit pattern is consistent: the utility shows its CIP-005 perimeter logs, the auditor asks about east-west detection, and the gap becomes a finding. FERC approved CIP-015-1 in 2025; high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity at Control Centers must comply within 36 months of the approval order's effective date. FERC also directed NERC to extend INSM to EACMS and PACS outside the ESP; that CIP-015-2 modification (NERC's 2025-02 standards project) is due for filing by September 1, 2026, and entity compliance dates follow FERC approval.
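The boundary-versus-interior distinction in this answer (and in the CIP-015 and "Pain #2" sections above) is easy to see in code. The following is an added example, not RiskWatch's code and not part of the original page: a small ESP-aware flow classifier that decides whether a flow crosses an EAP (so CIP-005 perimeter logs could contain it) or stays east-west inside the ESP (so only an INSM sensor could), then reports which east-west flows the current sensor placement misses and a per-BCS coverage fraction. The ESP subnets, BCS names, sensor placement and flow records are all constructed for illustration.

```python
"""ESP-aware flow classification: what CIP-005 perimeter (EAP) logs can see
versus what CIP-015 INSM sensors inside the ESP must see.

Added example; not RiskWatch code. The ESP layout, sensor placement, BCS
names and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed ESP: subnets inside the perimeter, grouped by the BES Cyber
# System they belong to. Any address not listed here is outside the ESP.
ESP: Dict[str, List[IPv4Network]] = {
    "BCS-CC-01": [ip_network("10.10.1.0/24"),    # EMS / SCADA servers
                  ip_network("10.10.3.0/24")],   # operator HMIs
    "BCS-SUB-14": [ip_network("10.20.14.0/24")], # substation RTUs / relays
}

# Constructed: subnets that have an INSM sensor (TAP/SPAN feeding detection).
# Only the EMS server segment is instrumented; everything else is a gap.
INSM_SENSORS = {ip_network("10.10.1.0/24")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    note: str  # constructed label for the reader


def bcs_of(ip: str) -> Optional[str]:
    """Return the BCS whose ESP subnet contains ip, or None if it is outside the ESP."""
    addr = ip_address(ip)
    for bcs, nets in ESP.items():
        if any(addr in net for net in nets):
            return bcs
    return None


def classify(flow: Flow) -> str:
    """north-south: exactly one endpoint inside the ESP (crosses an EAP);
    east-west: both endpoints inside the ESP; external: neither."""
    inside = [bcs_of(flow.src) is not None, bcs_of(flow.dst) is not None]
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "external"


def seen_by_insm(flow: Flow) -> bool:
    """An east-west flow is observed if either endpoint sits on an instrumented subnet."""
    return classify(flow) == "east-west" and any(
        ip_address(ip) in net for ip in (flow.src, flow.dst) for net in INSM_SENSORS
    )


def missed_by_perimeter(flows: List[Flow]) -> List[Flow]:
    """Flows that never cross an EAP, so CIP-005 perimeter logs cannot contain them."""
    return [f for f in flows if classify(f) == "east-west"]


def insm_gaps(flows: List[Flow]) -> List[Flow]:
    """East-west flows that the current sensor placement does not observe."""
    return [f for f in flows if classify(f) == "east-west" and not seen_by_insm(f)]


def insm_coverage() -> Dict[str, float]:
    """Fraction of each BCS's ESP subnets that have an INSM sensor."""
    return {
        bcs: sum(net in INSM_SENSORS for net in nets) / len(nets)
        for bcs, nets in ESP.items()
    }


# Constructed flow records, shaped like a collector export.
FLOWS = [
    Flow("203.0.113.5", "10.10.1.10", 443, "tcp", "vendor remote access via EAP"),
    Flow("10.10.3.5", "10.10.1.10", 445, "tcp", "HMI -> EMS server, SMB"),
    Flow("10.10.3.5", "10.10.3.6", 3389, "tcp", "HMI -> HMI, RDP"),
    Flow("10.20.14.7", "10.20.14.8", 20000, "tcp", "RTU -> RTU, DNP3"),
    Flow("10.10.1.10", "10.20.14.7", 20000, "tcp", "EMS -> RTU, DNP3 poll"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{classify(f):12} insm_seen={str(seen_by_insm(f)):5} {f.note}")
    print("unseen by perimeter logs:", len(missed_by_perimeter(FLOWS)))
    print("INSM gaps:", [f.note for f in insm_gaps(FLOWS)])
    print("coverage:", insm_coverage())
```

Only the first flow crosses the EAP; the other four are invisible to perimeter logging no matter how good the CIP-005 IDS is, and two of them (HMI-to-HMI RDP and RTU-to-RTU DNP3) are also invisible to the single INSM sensor. The model deliberately collapses a control center and a substation into one ESP; in a real deployment those are usually separate ESPs, the link between them crosses EAPs and falls under CIP-005 and CIP-012, and the coverage figure should be computed per ESP per BCS.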
Does this platform cover water utilities under EPA AWIA, not just NERC CIP?
Yes. America's Water Infrastructure Act (AWIA) Section 2013 requires community water systems serving more than 3,300 people to certify a Risk and Resilience Assessment and an Emergency Response Plan every five years, with the ERP due six months after the RRA. The RRA must cover the system's electronic, computer, and other automated systems (SCADA included) and the practices that monitor them, so cybersecurity is assessed inside the RRA itself rather than as a separate add-on. The current 2026 deadline is June 30 for systems serving 3,301–49,999 people (RRA recertification, with ERP six months later). RiskWatch ships an AWIA-aligned RRA workflow with cybersecurity inventories tied to the same OT/IT evidence vault that drives NERC CIP — same data, multiple regulatory frameworks scored simultaneously.
How does the platform handle natural-gas pipelines under TSA SD-2021-02?
TSA Security Directive Pipeline-2021-02F (the current, performance-based version, effective May 3, 2025 through May 2, 2026, with a renewal expected) requires owner/operators of critical hazardous-liquid and natural-gas pipelines and LNG facilities to implement a TSA-approved Cybersecurity Implementation Plan covering network segmentation between IT and OT, access control, continuous monitoring and detection, and patching of critical cyber systems, plus a Cybersecurity Incident Response Plan and an annual Cybersecurity Assessment Program. (The cybersecurity coordinator and CISA incident-reporting obligations come from the companion SD Pipeline-2021-01 series, not from 02.) RiskWatch maps SD-2021-02 controls to the same control library as NERC CIP and EPA AWIA, so a multi-sector utility (electric + gas) doesn't operate three parallel compliance programs.
Can the platform handle OT/ICS environments, not just IT?
Yes. The platform is built for OT/IT convergence — SCADA, ICS, EMS, DMS, and historian environments are first-class. Asset inventory captures cyber assets, BES Cyber Systems, EACMS, PACS, and Protected Cyber Assets per CIP-002 categorization. Network segmentation maps the ESP, electronic access points, and INSM coverage. Vulnerability scanning supports OT-aware approaches (passive collection, vendor-blessed active scans). Logging integrates with operational SIEMs (Splunk, QRadar) and OT-specific platforms (Dragos, Nozomi, Claroty). Over 12,000 ICS-related cybersecurity incidents were reported in 2024 — OT-aware compliance isn't a nice-to-have.
Is there a free trial?
Yes. The 30-day free trial includes full access — NERC CIP-002 through CIP-015 control libraries, EPA AWIA RRA workflow, TSA SD-2021-02 mappings, INSM tracker, multi-sector deadline stack, third-party oversight register, and the FERC audit-evidence vault. You can run a real readiness assessment against your own environment and decide before purchasing.
Ready for the 2026 utility regulatory stack?

Run your first NERC CIP cycle this week.

Start a 30-day free trial — CIP-002 through CIP-015 INSM, EPA AWIA RRA, TSA SD-2021-02 mappings, multi-sector deadline stack, third-party oversight register. No credit card required.

No credit card required · 30-day free trial · Cancel anytime