Lighting the Map: Mapping INSM in OT

Let’s talk about mapping Internal Network Security Monitoring (INSM) to what you can actually see across NERC, FERC, NIST, and NIS2.

Mapping INSM means documenting where you have visibility, where you do not, and how your monitoring aligns to trust zones, east-west flows, and regulatory expectations. If you run an OT security program in 2026, you have four regulators waiting for an answer to the same question, and the answers cannot diverge.

NERC CIP-015-1 went effective in September 2025, with enforcement starting October 1, 2028 for the first cohort and October 1, 2030 for the second. CIP-015-2 cleared its final industry ballot in March 2026 and is moving toward NERC Board adoption and FERC filing, with a tentative effective date in mid-2029. NIS2 transposition deadlines for EU member states passed in October 2024, and national enforcement is already underway in jurisdictions that have implemented it. NIST SP 800-82 Revision 3 has been the federal benchmark and the de facto procurement standard since 2023.

The frameworks are written by different bodies for different sectors in different languages. They are all asking some version of the same question. What is happening inside your trust zone? How would you know? Can you prove it?

This post is the map I would draw if I were starting the work today.

What Mapping INSM Actually Answers

Stripped of acronyms, the four documents converge on a small set of operational asks. Build visibility inside the boundary you have established. Use that visibility to detect activity that does not belong. Make decisions about the activity you detect, and retain the evidence long enough to act on it and audit it later. Protect the evidence so an adversary cannot delete it during cleanup.

CIP-015-1 phrases this as R1.1 (risk-based network data feeds), R1.2 (detect anomalous activity), R1.3 (evaluate and respond), R2 (retain anomalous data), and R3 (protect retained data). CIP-015-2 carries that forward and extends the scope to include Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Shared Cyber Infrastructure outside the electronic security perimeter. The change closes the visibility gap FERC identified when it approved CIP-015-1 in Order 907.

NIS2’s Article 21 calls for “appropriate and proportionate” technical, operational, and organizational measures, with incident handling named explicitly among the minimum measures, and Article 23 adds a 24-hour early-warning notification for significant incidents to the national CSIRT or competent authority. NIST SP 800-82 Revision 3 is the technical reference most OT programs put underneath both regimes, providing OT-tailored guidance for the SP 800-53 control families that handle audit logging, system monitoring, configuration management, and incident response.

The frameworks vary across sectors and continents. The discipline they describe does not.

The practical consequence: a well-built INSM program documented against one of the four maps to the others with marginal additional work. The rationale that defends a feed placement decision to a NERC auditor reads almost identically to the rationale a Dutch or Italian regulator would accept under NIS2’s appropriate-and-proportionate test. One disciplined map serves four sets of paperwork.

The Map You Actually Need (the Operational Core of Mapping INSM)

Four pieces of work. None of them exotic. The challenge is making them disciplined enough to be defensible.

Identify the trust zones you actually have. In NERC language a trust zone is an Electronic Security Perimeter, and CIP-015 is scoped to the ones around High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity. In NIS2 and NIST terms, it is whatever boundary your risk assessment has identified as the line between trusted and untrusted for a given asset group. The deliverable is the same in either case: a documented inventory of trust zones, what is supposed to be inside each one, and where the boundary actually sits today. The boundary in the documentation and the boundary in reality are not always the same boundary, and discovering the gap between them is one of the highest-value outcomes of the mapping work.

Map east-west flows inside each zone. Who talks to whom. Which protocols. Which directions. Which frequencies. Which assets aggregate traffic from many sources, and which are leaf nodes. The point of this work is to produce a flow map that survives contact with the operations team. If the engineer running the substation looks at the map and says, “You missed the GOOSE traffic between those two relays,” the map is not finished yet. The east-west work has its own depth and its own failure modes. East-West Traffic Is the Final Boss goes deeper on the structural reasons IT-derived flow tooling struggles with the broadcast, multicast, and raw Ethernet patterns that dominate Levels 1 and 2.

Find the chokepoints worth instrumenting. Not every segment needs its own feed. Some segments aggregate so much traffic that a single sensor produces outsized coverage of the environment. Others are leaf branches where instrumentation costs more than it produces. Network architects know where these points sit: at aggregation switches between functional cells, at the boundaries between control rooms and field networks, at the uplinks from remote sites. Chokepoints are where the math of feeds versus coverage tips in your favor. This is also where the risk-based rationale required by CIP-015-1 R1.1 starts to write itself. You are not justifying every possible sensor placement. You are justifying the specific placements your risk assessment says you need.

Identify where the light does not reach. The places you cannot see today. The remote substation with no managed switch and no SPAN port. The legacy DCS at Level 2 with proprietary protocols your current tooling does not parse. The vendor-managed network segment you do not have credentials for. The greenfield project that came online faster than your monitoring program could keep up. Naming these honestly in your map is what separates a defensible program from an aspirational one.
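Here is how the four steps above combine into one checkable artifact, as an added example that is not from the original post or from EmberOT. It models a constructed inventory (asset, trust zone, segment), a constructed topology (access switches, aggregation uplinks, and which switches actually expose a SPAN or TAP), and a handful of constructed flow records. It then asks which feed placements cover the most east-west flows under a sensor budget, and names every flow that stays dark together with the reason: either nobody paid for the sensor, or there is no place on the path where a sensor could be fed at all. Every asset, switch, segment and protocol name is hypothetical, and the greedy placement rule is one simple approach, not a prescribed method.

```python
"""Toy INSM map: which candidate sensor placements cover which east-west flows.

Added example, not EmberOT code. All asset, segment and switch names are
constructed; the flow records are made up to illustrate the method.
"""

# Constructed asset inventory: name -> (trust zone, network segment).
ASSETS = {
    "hmi-1":        ("ESP-A", "ctrl-room"),
    "historian":    ("ESP-A", "ctrl-room"),
    "rtu-1":        ("ESP-A", "field-1"),
    "relay-1":      ("ESP-A", "field-1"),
    "relay-2":      ("ESP-A", "field-1"),
    "plc-1":        ("ESP-A", "field-2"),
    "remote-rtu":   ("ESP-A", "remote-site"),
    "remote-relay": ("ESP-A", "remote-site"),
    "eap-jump":     ("EAP-DMZ", "dmz"),
}

# Constructed topology: each segment's access switch and the aggregation
# switch its uplink lands on. Intra-segment traffic (GOOSE between two
# relays on one switch) never reaches the aggregation layer.
ACCESS_SWITCH = {"ctrl-room": "sw-ctrl-room", "field-1": "sw-field-1",
                 "field-2": "sw-field-2", "remote-site": "sw-remote", "dmz": "sw-dmz"}
UPLINK = {"ctrl-room": "agg-cr", "field-1": "agg-field",
          "field-2": "agg-field", "remote-site": "agg-cr", "dmz": "agg-cr"}

# Where a sensor could actually be fed. "sw-remote" is an unmanaged switch
# with no SPAN or TAP, so it is deliberately absent from this set.
TAPPABLE = {"agg-cr", "agg-field", "sw-ctrl-room", "sw-field-1", "sw-field-2"}

# Constructed flow records: (src, dst, protocol).
FLOWS = [
    ("hmi-1", "plc-1", "modbus/tcp"),
    ("historian", "plc-1", "opc-ua"),
    ("hmi-1", "rtu-1", "dnp3"),
    ("relay-1", "relay-2", "goose"),            # intra-segment, field-1
    ("rtu-1", "relay-1", "iec61850-mms"),       # intra-segment, field-1
    ("hmi-1", "remote-rtu", "dnp3"),
    ("remote-rtu", "remote-relay", "goose"),    # intra-segment, unmanaged switch
    ("eap-jump", "hmi-1", "rdp"),               # crosses zones: north-south
]


def east_west_flows(flows):
    """Keep only flows whose endpoints sit in the same trust zone."""
    return [f for f in flows if ASSETS[f[0]][0] == ASSETS[f[1]][0]]


def observation_points(src, dst):
    """Switches on the path where a sensor would see this flow."""
    s_seg, d_seg = ASSETS[src][1], ASSETS[dst][1]
    if s_seg == d_seg:
        return {ACCESS_SWITCH[s_seg]}
    return {ACCESS_SWITCH[s_seg], ACCESS_SWITCH[d_seg], UPLINK[s_seg], UPLINK[d_seg]}


def coverage(location, flows):
    """Subset of flows a sensor fed from `location` would see."""
    return {f for f in flows if location in observation_points(f[0], f[1])}


def greedy_placement(flows, budget):
    """Pick up to `budget` tappable locations, each time the one that lights
    the most still-dark flows. Ties break on sorted name so results are stable."""
    remaining, placed = set(flows), []
    while remaining and len(placed) < budget:
        best = max(sorted(TAPPABLE - set(placed)),
                   key=lambda loc: len(coverage(loc, remaining)))
        gained = coverage(best, remaining)
        if not gained:
            break
        placed.append(best)
        remaining -= gained
    return placed, remaining


def dark_report(remaining):
    """Explain each uncovered flow: structurally dark versus simply unfunded."""
    return {f: ("no tappable observation point"
                if not (observation_points(f[0], f[1]) & TAPPABLE)
                else "outside sensor budget")
            for f in remaining}


if __name__ == "__main__":
    ew = east_west_flows(FLOWS)
    placed, remaining = greedy_placement(ew, budget=2)
    print("feeds:", placed)
    for flow, why in dark_report(remaining).items():
        print("dark:", flow, "->", why)
```

With a budget of two feeds the aggregation switch in the control room lights every control-room-to-field conversation, but the GOOSE and MMS exchanges inside field-1 only become visible once a feed sits on that segment's own access switch, and the remote site stays dark no matter how large the budget is. That last line is the one that belongs in the risk-acceptance record rather than in a tooling wish list.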

The 2025 SANS State of ICS/OT Cybersecurity Survey put numbers on where the dark territories usually sit. Only 12.6% of organizations reported full visibility across the ICS Cyber Kill Chain. By Purdue level: 19.7% reported full visibility at Level 3, 10% at Level 2, thinner still at Level 1, and 17.5% at remote sites. Half of all incidents in the survey period originated from unauthorized external access pathways. The pattern repeats across sectors and across geographies. The deeper into the operational environment, the dimmer the light.

What Makes a Plan Enforceable

A plan becomes enforceable when an auditor can read it, follow the logic from risk to rationale to decision, and reach the same conclusion you did. That standard sounds higher than it is. It comes down to documenting four things.

The rationale for what you are watching. Why this feed, at this location, with this scope. Tied to what your risk assessment said mattered. Tied to the assets and flows your map identified as consequential. This is CIP-015-1 R1.1 in plain language. It is also the documentation NIS2 inspectors look for under Article 21’s appropriate-and-proportionate test, and the audit trail NIST 800-82 expects under the assessment control family.

The logic for what counts as anomalous. Detection without context produces alert floods, which is the failure mode CIP-015 Compliance Is Not a Loot Drop walks through in detail. The deliverable here is the operational definition: what does normal look like for this environment, against what baseline, with what thresholds, and what specifically would change that picture in a way that requires evaluation. Detection logic that cannot be explained to the operator running the affected process is detection logic that will eventually be ignored.

The handoff from detection to response. What happens when the system flags something. Who is notified. What evidence gets pulled. How the decision gets made about whether to act, escalate, or stand down. CIP-015-1 R1.3 calls this evaluation. NIS2 wires it into the 24-hour CSIRT notification requirement. NIST 800-82 maps it to the incident response control family. The deliverable is the same in all three cases: a documented path from detection event to operational decision.

The retention and protection of the evidence. Long enough to evaluate. Long enough to defend the evaluation. Protected against the kind of cleanup an adversary would attempt after the fact. CIP-015 R2 and R3 spell this out. NIS2 and NIST 800-82 layer their own data integrity requirements on top. Done right, one retention architecture serves all of them.
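One way to make the second and fourth threads concrete, as an added example that is not the post's or EmberOT's code: a baseline of per-window conversation counts learned from constructed traffic, an evaluation step that returns a reason an operator can read for each deviation (new conversation, new protocol between known peers, rate above a multiple of the learned mean), and an append-only hash-chained evidence store whose verify() pinpoints the first deleted or edited entry. Asset names, protocol labels, the two learning windows and the 3x rate threshold are all constructed for the illustration.

```python
"""Baseline, evaluation and tamper-evident retention for INSM findings.

Added example, not from the post or EmberOT. Asset names, protocols, the
learning windows and the 3x rate threshold are all constructed.
"""
import hashlib
import json
from collections import Counter

# Constructed learning windows: one list of (src, dst, proto) records per window.
LEARNING = [
    [("hmi-1", "plc-1", "modbus/tcp")] * 50 + [("historian", "plc-1", "opc-ua")] * 20
    + [("relay-1", "relay-2", "goose")] * 200,
    [("hmi-1", "plc-1", "modbus/tcp")] * 55 + [("historian", "plc-1", "opc-ua")] * 18
    + [("relay-1", "relay-2", "goose")] * 210,
]
# Constructed live window: three deviations hidden in otherwise normal traffic.
LIVE = (
    [("hmi-1", "plc-1", "modbus/tcp")] * 52 + [("historian", "plc-1", "opc-ua")] * 19
    + [("relay-1", "relay-2", "goose")] * 700          # GOOSE storm: rate deviation
    + [("hmi-1", "plc-1", "ftp")] * 3                  # new protocol between known peers
    + [("eng-laptop", "plc-1", "modbus/tcp")] * 180    # new conversation
)


def build_baseline(windows):
    """Mean records per window for every (src, dst, proto) seen while learning."""
    totals = Counter()
    for w in windows:
        totals.update(w)
    return {k: v / len(windows) for k, v in totals.items()}


def evaluate(window, baseline, rate_factor=3.0):
    """Return findings with a reason the operator can read. Deviations are
    new conversations, new protocols for known peers, and rates above
    rate_factor times the learned mean. Everything else is treated as normal."""
    known_pairs = {(s, d) for (s, d, _) in baseline}
    findings = []
    for (s, d, p), n in sorted(Counter(window).items()):
        if (s, d, p) in baseline:
            mean = baseline[(s, d, p)]
            if n > rate_factor * mean:
                findings.append({"flow": [s, d, p],
                                 "reason": f"rate {n}/window vs baseline {mean:.1f}"})
        elif (s, d) in known_pairs:
            findings.append({"flow": [s, d, p], "reason": "new protocol between known peers"})
        else:
            findings.append({"flow": [s, d, p], "reason": "new conversation"})
    return findings


GENESIS = "0" * 64


class EvidenceLog:
    """Append-only, hash-chained retention of findings. Each entry commits to
    the previous entry's hash, so deleting or editing any entry breaks
    verification from that point forward."""

    def __init__(self):
        self.entries = []

    def append(self, finding):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(finding, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self):
        """Index of the first entry that fails the chain, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return i
            prev = e["hash"]
        return None


if __name__ == "__main__":
    baseline = build_baseline(LEARNING)
    log = EvidenceLog()
    for finding in evaluate(LIVE, baseline):
        print(finding["flow"], "->", finding["reason"])
        log.append(finding)
    print("chain intact:", log.verify() is None)
    del log.entries[1]                       # simulate adversary cleanup
    print("first broken entry:", log.verify())
```

Two caveats a practitioner would add. A static mean-times-three threshold is a placeholder for whatever baseline method your environment can justify; the point is that the reason string is something the operator running the affected process can read and dispute. And a hash chain only proves integrity relative to its head: an adversary who owns the storage can rewrite the whole chain, so the latest hash has to be anchored somewhere they cannot reach, such as write-once storage, a separate system, or a periodically signed checkpoint.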

A program that ties these four threads together is a program an auditor can defend and a SOC can operate.

Where the Dark Territory is Hardest to Light

The mapping work tends to surface a consistent pattern. East-west visibility at Level 3 is usually in reasonable shape. Levels 1 and 2, and remote sites at any level, are where the light does not reach.

There is a structural reason for that. Most monitoring tools were built around assumptions that hold at the IT/OT boundary and at Level 3, and break further down. They assume TCP sessions. They assume managed infrastructure with TAPs and SPAN ports available. They assume operators have rack space, power budget, and processing margin for dedicated appliances. None of that is reliably true at a remote substation, a small water treatment plant, a Level 1 cell in a manufacturing line, or any other place where the actual physical process lives. 

This happens to be the architecture problem EmberOT was built around, with software-only flow-based monitoring that runs on hardware customers already have and sees broadcast and multicast traffic without requiring SPAN or TAP infrastructure that often is not available in the field.

The architectural point holds regardless of vendor choice. If your map shows dark territory at the layers where the consequence is highest, the architectural response is the only response that scales. You cannot patch your way into visibility. You cannot policy your way into it. You either deploy something that can see down there, or you accept the gap and document it as a risk accepted by your governance process. The undocumented gap is the one that costs you in both the audit and the incident review.

For teams that need to start in the constrained way most programs actually start, CIP-015 Compliance on a Budget walks through the 90-day starter arc and what to look for in tooling that will not force a forklift later.

What the Map is For

The four frameworks will keep evolving. CIP-015-2 will become CIP-015-3. NIS2 will see amendments. NIST will issue revisions. The discipline underneath does not change.

The map is the artifact that lets you keep up. Once you have it, you can answer the four questions every regulator is actually asking. Where are your trust zones. What flows inside them. What does normal look like. What would you do about the deviation that mattered.

The map also sets up the question that comes next, which is what to prioritize among the threats it reveals. That is a different discipline, and the 2024-2025 ICS/OT Vulnerability Intelligence Report lays out the Five Lenses framework for that work. Mapping tells you what is visible. The Five Lenses tell you what to act on first.

October 1, 2028 is closer than it looks. The teams that will be ready are the ones drawing the map now.