[Header graphic: a party of adventurers in a fantasy tavern gathered around a table of maps and plans, with EmberOT's glowing phoenix above them, symbolizing collaborative planning and phased execution.]

CIP-015 Compliance on a Budget

Jori VanAntwerp
CEO and Founder at EmberOT

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

For this week’s article, I wanted to share a scrappy, starter-gear approach to CIP-015 compliance and internal network security monitoring (INSM) that respects your budget and your timeline.

The CIP-015 deadline is real. The requirements are serious. And the first question that comes up in every conversation with utilities, before any technical discussion, is the same one: how much is this going to cost us?

If you’re a mid-size co-op, a municipal utility, or a G&T trying to scope this against a budget that was set months ago, the honest answer is that some of the quotes you’ve received are going to give you heartburn. Hardware-heavy deployments, SPAN port builds, enterprise licenses, consulting engagements. The sticker shock is real, and it has driven more than a few teams into analysis paralysis.

Remember: CIP-015 programs that actually work almost always start small.

Start where the pain is

Deploying visibility in one to three high-priority areas will teach you more in 30 days than spreading thin across ten sites will teach you in a year. OT environments vary site-to-site, vendor-to-vendor, decade-to-decade. Visibility placed at a priority location, your control center, a critical substation, the site that keeps your grid operator up at night, starts generating real insight on day one. You see what’s actually on the wire. You learn your environment. You discover the devices you didn’t know you had. You understand how your systems actually talk to each other, which is often different from how the documentation says they do.

Think of it like rolling up a D&D character. You don’t kit out a party with legendary weapons in session one. You start with basic gear, take a few swings, learn how the combat system works, and level up toward the bigger fights. The party that tries to skip straight to endgame raids gets wiped.

CIP-015 works the same way. The program gets stronger as the program gets smarter.

Insight is more than threat detection

One thing worth naming before we go further: visibility at these levels is useful for a lot more than catching threats.

Most of the industry talks about OT monitoring like it’s a threat hunting tool. That’s part of the value, but only part. The same data that helps you spot a suspicious command sequence also tells you which devices are retrying too often (a failing link before it causes an outage), which automations are generating unexpected chatter (a misconfiguration before it becomes a ticket), and which communication patterns drift over time (early warning of hardware going soft).
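To make that concrete, here is an added example (my illustration, not EmberOT product code) of what the same monitoring data yields once you compare a current window of traffic against a baseline. The flow records, host addresses, ports and thresholds below are all constructed for the demonstration; a real sensor would produce the records, and the thresholds would be tuned to your environment. The logic surfaces exactly the four things the paragraph names: devices you didn't know you had, conversation pairs you hadn't seen, links retrying too often, and volumes that have drifted from the baseline.

```python
# Added example, not code from the original post or from EmberOT.
# Turns per-conversation traffic summaries into the operational signals the
# post describes: new devices, new conversations, retry-heavy links, drift.

# Constructed sample data (not captured from a real network).
# Field order: src_ip, dst_ip, dst_port, packets, retransmits
BASELINE_WINDOW = [
    ("10.1.1.10", "10.1.1.50", 502, 1200, 3),    # HMI -> PLC, Modbus/TCP
    ("10.1.1.10", "10.1.1.51", 502, 1180, 2),    # HMI -> second PLC
    ("10.1.1.20", "10.1.1.50", 20000, 300, 0),   # SCADA master -> RTU, DNP3
    ("10.1.1.30", "10.1.1.60", 102, 400, 1),     # engineering workstation -> IED
]

CURRENT_WINDOW = [
    ("10.1.1.10", "10.1.1.50", 502, 1250, 4),
    ("10.1.1.10", "10.1.1.51", 502, 1190, 180),  # retransmits spike: link going soft?
    ("10.1.1.20", "10.1.1.50", 20000, 1500, 0),  # 5x the packets: runaway polling?
    ("10.1.1.30", "10.1.1.60", 102, 390, 1),
    ("10.1.1.77", "10.1.1.50", 502, 40, 0),      # host never seen before, talking to a PLC
]

# Assumed thresholds; tune to what is normal for your sites.
RETRY_RATE_THRESHOLD = 0.05   # more than 5% retransmits flags a struggling link
DRIFT_RATIO = 3.0             # >3x or <1/3 of baseline volume counts as drift


def conversations(records):
    """Index records by (src, dst, port) -> (packets, retransmits)."""
    return {(s, d, p): (pk, rt) for s, d, p, pk, rt in records}


def devices(records):
    """Every host address that appears as a source or destination."""
    hosts = set()
    for s, d, _, _, _ in records:
        hosts.add(s)
        hosts.add(d)
    return hosts


def compare_windows(baseline, current):
    """Compare a current traffic window against a learned baseline window."""
    base = conversations(baseline)
    cur = conversations(current)
    report = {
        "new_devices": sorted(devices(current) - devices(baseline)),
        "new_conversations": [],   # (src, dst, port) triples not in the baseline
        "retry_heavy": [],         # (triple, retransmit rate)
        "drifted": [],             # (triple, current/baseline packet ratio)
    }
    for key, (packets, retrans) in cur.items():
        if key not in base:
            report["new_conversations"].append(key)
        # A retrying link is often a failing cable or switch port, not an attacker.
        if packets and retrans / packets > RETRY_RATE_THRESHOLD:
            report["retry_heavy"].append((key, round(retrans / packets, 3)))
        # Large volume changes on a known conversation point at misconfigured
        # automation or polling before it turns into a ticket.
        if key in base:
            base_packets = base[key][0]
            ratio = packets / base_packets if base_packets else float("inf")
            if ratio >= DRIFT_RATIO or ratio <= 1 / DRIFT_RATIO:
                report["drifted"].append((key, round(ratio, 2)))
    return report


if __name__ == "__main__":
    for category, findings in compare_windows(BASELINE_WINDOW, CURRENT_WINDOW).items():
        print(f"{category}: {findings}")
```

Run against the constructed windows, the report lists one unknown host (10.1.1.77), one new conversation (that host polling the PLC on port 502), one retry-heavy link (the HMI to the second PLC at about 15% retransmits) and one drifted conversation (the DNP3 poll at five times its baseline volume). Two of those four findings are operational rather than security findings, which is the point: the same data serves both columns.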

Insight into your environment pays dividends across operations, safety, resilience, and efficiency. And there’s a second-order effect worth understanding: the healthier and more efficient your environment runs, the less noise there is to cut through when something actually goes wrong. Good visibility helps you run a cleaner environment, and a cleaner environment makes the monitoring job easier. The two compound.

Any program you scope under the CIP-015 banner should be earning its keep in all of those columns, not just the security one.

The 90-day starter arc for CIP-015 compliance

Our CIP-015 Compliance Guide lays out a 90-day implementation path that respects this logic. Short version:

Days 1 to 30. Deploy visibility in one to three high-priority areas. The places that matter most. Let the tooling learn your environment and start generating initial insight. You are learning and discovering at this stage. This is your session zero.

Days 31 to 60. Expand coverage to the remaining in-scope systems, with specific attention to Purdue Levels 1 and 2 where the visibility gaps are worst. Integrate findings with your existing CIP-008 incident response process. Train your SOC on triage. The program starts to have teeth here.

Days 61 to 90. Optimize. Review 60 days of insight, tune your program against operational reality, finalize documentation, run an internal audit. Audit-ready compliance sitting on top of visibility that actually works. That is the goal.

Three months. Incremental. Achievable. And importantly, affordable, because you’re not paying for enterprise-scale infrastructure you haven’t yet proven you need.

What to look for in a starter deployment

A few things matter more than others when you are picking tooling for that first deployment. These apply whether you buy from us or from someone else.

Autonomous at the edge. A sensor that depends on a central hub to function turns into a useless box the minute the uplink drops. The tooling you put in a remote substation should collect, process, alert, and retain forensic data locally without phoning home.

No forklift in the future. Whatever you buy for site one should be the same product running at site forty. Every time a vendor’s architecture forces a rip-and-replace to scale, your budget takes the hit twice.

Deployment without drama. If getting visibility online requires weeks of SPAN port work and managed switch upgrades, the cost of the tooling is the smallest line item. Look for options that work with what you already have, including passive broadcast capture.

Complete context, not just today’s compliance checkboxes. Compliance requirements shift. CIP-015-2 is already in motion. Anything you deploy today should be gathering the full picture of your environment, not just what the current standard happens to ask for. When the auditor wants a risk-based rationale, the answer shouldn’t be “let’s go build one.” The answer should be “here is the data, here is the rationale it supports.” That only happens if the tooling was gathering the right context from day one.

These aren’t unique asks, but rather table stakes for OT monitoring that respects your reality. Any vendor worth your budget should be able to answer all four in one conversation.

Don’t cold-lift a 500-pound program

The utilities that end up paying the most for CIP-015 compliance will be the ones who try to cold-lift a 500-pound program. Nobody deadlifts their max on the first rep. You warm up. You work up in sets. You build the base that makes the heavy weight possible. Skip that process and you don’t hit a PR, you pull something. CIP-015 is no different: a cold lift also burns out the staff you were counting on to run the program once it’s live.

You should be exploring now. You should be having the internal conversations about scope now. You should be deploying something small in the next quarter to start learning your environment. You should not be writing a check for a forty-site rollout in week one.

Time is an asset. Use it wisely.

Next steps

The OT security community is genuinely generous. The people who have already started this journey talk openly about what worked and what didn’t. Reach out to peers at other utilities, find the folks asking good questions on LinkedIn, show up in the NERC working groups and ISACs. You will learn more from a 30-minute call with someone six months ahead of you than from any vendor deck.

And if you want to add us to the list, we’d love to help. Reach out and we’ll have a conversation. No pitch, no heartburn. Just talk about where you’re starting and where you could reasonably be by the end of the quarter.

~Jori 🤘🔥