Complying with FERC Order 887: A Guide to Strengthening Grid Security
April 10, 2026
The Federal Energy Regulatory Commission (FERC) oversees the reliability and security of the U.S. power grid, setting the standards that utilities need to follow to protect critical infrastructure. To address evolving risks, FERC issued Order 887, establishing a clear, new regulatory expectation for utilities.
What is FERC Order 887?
Issued January 19, 2023 and effective April 10, 2023, FERC Order 887 establishes mandatory internal network security monitoring requirements for the Bulk Electric System (BES), which includes the high-voltage transmission networks, generation facilities, substations, and control centers essential to delivering electricity reliably across the U.S. The requirements apply to owners and operators of high-impact BES cyber systems and of medium-impact BES cyber systems that have external routable connectivity to corporate and third-party networks.
The resulting standard (CIP-015-1) became effective September 2, 2025, with phased compliance. Certain control centers — including those managing major transmission hubs and regional grids — must meet the mandate by September 2, 2028, because these facilities oversee systems whose failure would have the greatest public impact. Other entities, such as generation plants and smaller substations, have an additional 24 months to comply.
The Order recognizes that most of today’s security focuses on the network perimeter — effectively guarding the ‘front door’ while leaving internal activity unmonitored. CIP-015-1 closes that gap by requiring utilities to monitor internal, or “east-west,” network traffic inside Critical Infrastructure Protection (CIP) environments. Once attackers move past the perimeter, internal monitoring is often the only reliable way to detect lateral movement and malicious activity.
- Requirement 1.1 specifically requires utilities to collect internal network traffic data — such as packet captures, flow records, and device communications — to monitor internal connections and identify unauthorized devices or activity.
- Requirement 1.2 mandates that organizations use that data to detect anomalous behavior that deviates from a normal baseline, revealing suspicious access, lateral movement, and operational interference before critical systems are affected.
- Requirements 1.3 and 1.4 further require utilities to retain that network data and protect it from tampering or deletion, so that defenders preserve the evidence needed to investigate and respond to attacks.
Together, these requirements make comprehensive internal network visibility essential, and a modern network detection and response (NDR) platform is a practical, packaged way to collect, retain, protect, and analyze the internal network data that CIP-015-1 requires.
Perimeter Defenses Are No Longer Enough to Protect Grid Operations
Perimeter tools like firewalls and IPS inspect traffic entering and leaving the network, but they do not evaluate internal communications, encrypted flows, or user behavior, creating blind spots that adversaries exploit to disrupt operations and — in the most severe cases — take down critical infrastructure.
- Ukrainian utilities attack (2015): Russian actors used legitimate credentials to silently compromise three Ukrainian utilities, causing power outages for more than 225,000 customers within 30 minutes. Credential-based access made perimeter defense signals irrelevant, allowing attackers to mimic normal user activity and progress from initial entry to operational impact without interruption.
- SolarWinds supply chain attack (2020): In one of the most significant supply chain attacks on record, Russia’s Foreign Intelligence Service (SVR), specifically a group known as Nobelium or APT29, entered through a trusted software update and spent nearly a year moving laterally across the networks of roughly 18,000 customers — including the Pentagon, the U.S. Department of Homeland Security, and the U.S. Treasury. Because the activity appeared legitimate, perimeter tools detected nothing. Attackers remained invisible, giving them time to explore networks, map relationships, and harvest credentials for future operations.
- Volt Typhoon operations (2021-present): Volt Typhoon, a Chinese state-sponsored group known for targeting critical infrastructure, operates similarly, using valid credentials and native system tools to blend into normal network traffic. With this cover, the threat group is able to gather intelligence and move laterally without detection by perimeter defenses.
How Utilities Can Meet FERC Order 887’s Internal Monitoring Requirements
FERC Order 887 sets clear expectations for utilities to maintain visibility within critical network environments, requiring covered entities to monitor internal network activity within CIP environments.
ExtraHop NDR monitoring establishes a ground truth of normal behavior — the foundation for detecting anything that deviates from it. Unlike logs or endpoint data, which attackers can change or disable, passively observed network traffic cannot be altered by an attacker at the point of observation, making it the most reliable signal for defenders. However, CIP-015-1 requires more than monitoring and detection: utilities must also retain network data and keep it secure from tampering or deletion. Using an NDR platform that stores full network traffic and metadata for 30–365 days — with secure offsite storage and encryption at rest — ensures that all requirements are met, giving defenders the visibility and evidence they need to detect, investigate, and stop attacks.
Effective internal monitoring requires seeing inside every part of the network. Attackers often hide activity in encrypted traffic or obscure protocols. Decrypting and inspecting this traffic exposes hidden threats, including unauthorized lateral movement, misuse of credentials, and attempts to steal or manipulate critical data, stripping away the cover attackers rely on to remain invisible.
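The following is an added illustration, not code from this page or from ExtraHop, of the two mechanics behind Requirements 1.1 through 1.4 and the "ground truth of normal behavior" idea above: a baseline of known hosts and communication paths is learned from flow records, later flows are classified as unknown devices or new connections, and retained records are hash-chained so that deletion or alteration of the evidence is detectable. All IP addresses, ports, and protocol labels are constructed sample values.

```python
import hashlib
import json

# Constructed flow records (src, dst, dst_port, protocol); not real utility data.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502, "modbus"),     # HMI -> PLC
    ("10.10.1.5", "10.10.2.21", 502, "modbus"),
    ("10.10.1.7", "10.10.2.20", 20000, "dnp3"),     # SCADA master -> RTU
    ("10.10.1.9", "10.10.1.5", 443, "tls"),         # historian -> HMI
]
MONITOR_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502, "modbus"),     # matches baseline
    ("10.10.1.44", "10.10.2.20", 502, "modbus"),    # host never seen before
    ("10.10.1.7", "10.10.2.20", 445, "smb"),        # known hosts, new protocol
    ("10.10.1.9", "10.10.1.5", 443, "tls"),
]

def build_baseline(flows):
    """Learn the set of known hosts and the set of known (src, dst, port, proto) paths."""
    hosts, conns = set(), set()
    for src, dst, port, proto in flows:
        hosts.update((src, dst))
        conns.add((src, dst, port, proto))
    return hosts, conns

def detect_anomalies(flows, hosts, conns):
    """Flag each flow outside the baseline as an unknown device or a new communication path."""
    findings = []
    for flow in flows:
        if flow in conns:
            continue
        src, dst, _port, _proto = flow
        kind = "unknown_device" if (src not in hosts or dst not in hosts) else "new_connection"
        findings.append((kind, flow))
    return findings

def chain_records(flows, prev_hash="0" * 64):
    """Store each retained record with a SHA-256 link to the previous record."""
    chain = []
    for flow in flows:
        record = json.dumps(flow)
        digest = hashlib.sha256((prev_hash + record).encode()).hexdigest()
        chain.append({"record": record, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return chain

def verify_chain(chain, genesis="0" * 64):
    """Return False if any record was removed, reordered, or edited after retention."""
    prev = genesis
    for entry in chain:
        expected = hashlib.sha256((prev + entry["record"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

In practice the chain head would be written to storage the capture host cannot modify, so a truncated or rewritten archive fails verification on review.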
Aligning Compliance and Operational Readiness for Grid Security
FERC’s internal network security requirements raise the standard for monitoring internal activity, reflecting a threat landscape where attackers operate inside of networks and regulatory priorities have shifted to proactive detection. For utilities, adopting internal monitoring isn’t just about compliance; it increases the probability of early detection and mitigation of attacks that could disrupt the grid. High-fidelity internal visibility provides defenders with insights into lateral movement, credential misuse, and anomalous activity, safeguarding both critical infrastructure and the communities that rely on it.
Modern attacks on critical infrastructure are quieter, more targeted, and harder to detect than ever. Learn more with our breakdown of Akira ransomware and its stealthy tactics.
Senior Product Marketing Manager
Adam Foit is a CISSP who began his career in IT Operations in the 1990s. Since then, he has continued to work in the technology industry with a focus on network detection and response, security operations, and network performance management. Adam lives in Knoxville, Tenn. and enjoys hiking and kayaking around the Smoky Mountains with his wife.
Key Takeaways
- New federal rules now require power companies to monitor the activity happening inside their own internal networks.
- Traditional security guards the "front door" but often leaves internal movements invisible to defenders once an attacker enters.
- Utilities must now track internal communication to spot unauthorized devices or suspicious activity before the grid is impacted.
- New requirements also demand that companies save and protect their network data for future security investigations and audits.
- Modern security platforms help utilities meet these rules by automatically watching, recording, and protecting internal network traffic.
- Adhering to FERC Order 887 helps prevent major outages by catching stealthy attackers before they can disrupt essential power services.