
CIP-015 Compliance Is Not a Loot Drop

Jori VanAntwerp

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

Why checking every R1 through R3 box doesn’t mean you’ll catch anything real.

If you’re scoping CIP-015 right now, you’ve probably already had the conversation. A vendor shows up with a deck. There’s a matrix, each row a requirement, each column a green checkmark next to their product name. You sign. You deploy. You file the evidence packet. The auditor goes away happy.

In RPG terms, it’s a loot drop. Pick up the item, gain the compliance stat, move on with your quest.

The real work starts after the purchase order clears.

The Trap That Looks Like a Win

Here’s the uncomfortable truth buried in CIP-015-1: you can technically meet every requirement and deliver zero actual security value. Collect data under R1.1? Check. Run anomaly detection under R1.2? Check. Document an evaluation process under R1.3? Check. Retain anomalous data under R2, protect it under R3? Check and check. You have a compliant program sitting on top of a blind environment.

This is the compliance trap, and it shows up by default when teams treat the standard as a shopping list. It’s the mimic in the corner of the dungeon: shaped like treasure, full of teeth.

Three flavors of it show up again and again.

The alert flood nobody reads. Pure anomaly detection in OT generates noise at a volume your team cannot absorb. Every maintenance window, every seasonal load shift, every vendor firmware push throws a flag. The console lights up. Your team triages for a week, then they start ignoring it. The detection stays running. Functionally, it has gone dark.

The tool mismatch that forces a rollback. Deep packet inspection is a specialist’s instrument, built for forensic deep-dives and one-off investigation. Stand it up as the engine for continuous monitoring and the deployment starts creating friction the operations team cannot absorb. 

The visibility that stops at the wrong layer. Most deployments land at Purdue Level 3 and call it done. That’s the easy ground: managed switches, SPAN ports, helpful network teams. Levels 1 and 2, where the PLCs, RTUs, and protective relays actually live, stay dark. In the environments we’ve assessed, more than 80% have full coverage at Level 3 and meaningful gaps below it. An attacker moving laterally between field devices does not care about your Level 3 dashboard.
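To make the first and third traps concrete, here is an added example (not from the post, EmberOT, or the guide it mentions) in Python. It runs a pure baseline-deviation detector over constructed flow records, shows how an approved firmware push turns into an alert flood, then adds change-window context and Purdue-level ranking so the one unexplained conversation to a Level 1 RTU is what surfaces. A second helper reports which Purdue levels hold assets but have no sensor. Asset names, levels, windows and flows are all constructed sample data; the `level` tag and the change-window format are assumptions for illustration.

```python
"""Added example: alert flood vs. contextual detection, plus a Purdue-level
coverage check. All assets, flows and windows below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    level: int   # Purdue level of the destination asset (assumed tag)
    hour: int    # hour of day the conversation was observed


# Constructed learning-period traffic: what "normal" looked like.
BASELINE_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", 2, 9),
    Flow("hmi-01", "plc-02", "modbus", 2, 10),
    Flow("historian", "hmi-01", "opcua", 3, 11),
    Flow("eng-ws", "plc-01", "s7comm", 2, 14),
]

# Constructed monitoring-period traffic. A scheduled firmware push to plc-02
# from the engineering workstation and a vendor laptop happens at 02:00.
NEW_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", 2, 9),
    Flow("eng-ws", "plc-02", "s7comm", 2, 2),      # approved firmware push
    Flow("eng-ws", "plc-02", "http", 2, 2),        # approved firmware push
    Flow("vendor-lt", "plc-02", "s7comm", 2, 2),   # approved vendor laptop
    Flow("historian", "hmi-01", "opcua", 3, 11),
    Flow("hmi-01", "rtu-07", "dnp3", 1, 3),        # never seen, no ticket
]

# Approved change windows: (asset, start_hour, end_hour, authorised peers).
CHANGE_WINDOWS = [
    ("plc-02", 1, 4, {"eng-ws", "vendor-lt"}),
]


def build_baseline(flows: Iterable[Flow]) -> Set[Tuple[str, str, str]]:
    """Learn the set of (src, dst, proto) conversations seen in the baseline."""
    return {(f.src, f.dst, f.proto) for f in flows}


def naive_alerts(baseline: Set[Tuple[str, str, str]], flows: Iterable[Flow]) -> List[Flow]:
    """Flag every deviation from baseline: the detector that floods the console."""
    return [f for f in flows if (f.src, f.dst, f.proto) not in baseline]


def in_approved_window(flow: Flow, windows) -> bool:
    """True when the flow is explained by an approved change on its destination."""
    for asset, start, end, peers in windows:
        if flow.dst == asset and start <= flow.hour < end and flow.src in peers:
            return True
    return False


def contextual_alerts(baseline, flows, windows) -> List[Tuple[str, Flow]]:
    """Drop deviations explained by an approved change and rank the rest:
    a new conversation reaching a Level 1/2 asset outranks one at Level 3."""
    alerts = []
    for f in naive_alerts(baseline, flows):
        if in_approved_window(f, windows):
            continue
        severity = "high" if f.level <= 2 else "medium"
        alerts.append((severity, f))
    return alerts


def coverage_gaps(assets: Iterable[Tuple[str, int]], monitored_levels: Iterable[int]) -> List[int]:
    """Purdue levels that hold assets but have no sensor watching them."""
    return sorted({lvl for _, lvl in assets} - set(monitored_levels))


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("naive alerts:", len(naive_alerts(base, NEW_FLOWS)))
    for sev, f in contextual_alerts(base, NEW_FLOWS, CHANGE_WINDOWS):
        print(sev, f.src, "->", f.dst, f.proto, "L", f.level)
    inventory = [("plc-01", 2), ("rtu-07", 1), ("historian", 3)]
    print("unmonitored levels:", coverage_gaps(inventory, [3]))
```

The naive pass raises four alerts for one maintenance night; the contextual pass leaves a single high-severity alert for the unexplained DNP3 session to a Level 1 RTU, and the coverage check reports that Levels 1 and 2 have no sensor at all, which is exactly the blind spot the paragraph above describes.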

Any one of these turns your compliance program into a prop. All three at once and you have paid for the privilege of being blind.

Aim for Capability

CIP-015 exists because perimeter-first security stopped working. Attackers get in. Credentials get compromised. Supply chain burns you in ways no firewall was ever going to catch. The standard is NERC’s acknowledgement that once someone is inside your trust zone, you need to see them.

A program that checks boxes but cannot see lateral movement at Levels 1 and 2 is theater with a PO number attached. The bill comes due later: an incident on a system your community depends on, that you never saw coming. Regulatory pain is the easy part.

The good news: this is solvable. It takes discipline about what you are buying and why, honest conversations about where your visibility actually stops, and a deployment plan that works with OT realities. The technical bar is reachable. The mindset shift does most of the heavy lifting.

Start with the question that matters: if an attacker were already inside my ESP right now, would I know? If the honest answer is no, the work ahead is building the capability to see them.

Next Steps

Last week we dropped the CIP-015-1 Compliance Guide. It walks through each requirement, names the traps, and lays out a 90-day path from “we need to do something” to audit-ready and actually more secure. No vendor hyperbole. Field notes from people who have solved this problem before.

If you’re in the middle of scoping CIP-015 and the vendor decks are starting to blur together, the guide is a good next stop. Straight talk. Practical. Built for the people who will actually implement this.

Grab it. Read it. Argue with it. Then come back and tell us what we got wrong.

~Jori 🤘🔥