On March 5, 2026, the North American Electric Reliability Corporation took a decisive step forward in securing critical infrastructure by passing the final ballot for the latest revision to its internal network security monitoring standard. The new standard, known as NERC CIP 015-2, fundamentally changes how utilities must view and monitor the perimeter of their operational technology networks. Instead of focusing solely on the internal environment of the electronic security perimeter, the mandate now expands to encompass external systems that control and monitor access.
This regulatory update directly addresses a glaring security gap that threat actors have increasingly exploited. By treating systems outside the core network—such as electronic access control or monitoring systems, physical access control systems, and shared cyber infrastructure—as trusted entities, organisations unknowingly provided adversaries with a perfect disguise. If an attacker compromises a trusted remote access server or an authentication gateway, their lateral movement into the protected operational environment appears as entirely legitimate traffic. They effectively bypass the internal monitoring altogether.
The danger of the trusted pivot point
The core issue that the Federal Energy Regulatory Commission recognised is that you cannot secure an electronic security perimeter if you are blind to the activity occurring on the systems that connect to it. Traditional network architectures often rely on implicit trust. Once a user or a device authenticates at the boundary, they are granted broad access to internal resources. This model creates a massive vulnerability.
Adversaries know that directly attacking a heavily defended operational technology network is difficult. Instead, they target the softer exterior: the systems designed to manage access. This might include an unpatched jump host, a vulnerable authentication server, or a compromised physical access control system. Once inside these systems, attackers establish persistence, steal credentials, and map the network. Because the compromised system is already trusted by the core network, the attacker can move laterally with impunity.
What the expansion means for critical infrastructure
For utilities and other entities managing critical infrastructure, the expansion of the monitoring requirements means a significant re-evaluation of their security posture. Compliance will no longer be achieved simply by monitoring the traffic within the electronic security perimeter. Organisations must now deploy deep visibility, logging, and monitoring across all systems that facilitate access.
This presents several operational challenges:
- Redefining the monitored environment to include all external access systems
- Managing the massive increase in network telemetry and log data
- Distinguishing between legitimate administrative access and sophisticated lateral movement
- Securing the shared cyber infrastructure that hosts these access systems
However, simply adding more monitoring tools to a fundamentally flawed, inherently trusted network architecture is an exercise in diminishing returns. It creates more noise without solving the root problem: the existence of broad, implicitly trusted connections.
Securing the new perimeter with zero trust access
Rather than trying to bolt additional monitoring onto legacy remote access systems, the most effective way to address the requirements of the expanded standard is to eliminate the trusted pivot point entirely. This is achieved by adopting a zero trust architecture.
In a zero trust model, no user, device, or system is inherently trusted, regardless of their location or prior authentication. Every single request for access must be continuously verified. This approach directly neutralises the threat of a compromised access control system being used to move laterally into the operational technology environment.
When you implement an identity-first, zero trust strategy, you are not just monitoring access; you are precisely controlling it. The need to rely on monitoring alone to catch anomalous lateral movement is drastically reduced because lateral movement itself is made mathematically impossible.
How Agilicus inherently solves the compliance challenge
The Agilicus AnyX platform is designed specifically to secure critical infrastructure and operational technology without relying on implicit trust or complex network perimeters. By deploying our platform, organisations naturally achieve the visibility and control required by the updated reliability standards.
Here is how our approach aligns with the new requirements:
- Identity-native access: Access is granted on a per-user, per-resource basis. We integrate seamlessly with your existing single sign-on providers to ensure that only authenticated and authorised individuals can reach specific assets.
- Continuous verification: Every interaction is verified. We enforce strong multi-factor authentication, ensuring that stolen credentials alone are useless to an attacker.
- No inbound ports: Our platform uses an outbound-only connection model. Your critical systems are completely hidden from the public internet, eliminating the attack surface that adversaries typically scan and exploit.
- Granular audit trails: Because we broker every connection at the application layer, we provide a comprehensive, identity-aware audit log of exactly who accessed what, and when. This provides the exact evidentiary data that auditors require for compliance.
By replacing legacy jump hosts and broad network connections with precise, identity-aware access controls, you remove the vulnerable external systems that the new standard aims to monitor. The Agilicus platform acts as an uncompromisable, perfectly monitored electronic access control system.
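To make the contrast between the implicit-trust model described under "The danger of the trusted pivot point" and the per-request verification described in the zero trust sections concrete, here is an added example (not Agilicus code, and not the AnyX policy format): a toy broker that re-checks identity, per-resource entitlement and MFA freshness on every request and emits an identity-aware audit record. The entitlements, the 15-minute MFA window and the sessions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed per-user, per-resource entitlements (assumed policy shape for this example).
ENTITLEMENTS = {
    "alice": {"substation-hmi-01"},
    "bob": {"historian-db"},
}
MFA_MAX_AGE = timedelta(minutes=15)  # assumed freshness window for continuous verification

@dataclass
class Session:
    user: str
    authenticated: bool                  # passed the boundary login at some point
    mfa_verified_at: Optional[datetime]  # last successful second factor, None if never

def perimeter_model_allows(session: Session, resource: str) -> bool:
    """Legacy jump-host model: one successful boundary login grants broad internal reach.
    The requested resource is never consulted, so anything that can reuse a trusted
    session (a compromised jump host or access server) inherits all of that reach."""
    return session.authenticated

def zero_trust_decide(session: Session, resource: str, now: datetime) -> dict:
    """Per-request decision: identity, entitlement to *this* resource and fresh MFA are
    all re-checked. Returns the audit record (who, what, when, decision, reason)."""
    if not session.authenticated:
        reason = "unauthenticated"
    elif resource not in ENTITLEMENTS.get(session.user, set()):
        reason = "no entitlement for resource"
    elif session.mfa_verified_at is None or now - session.mfa_verified_at > MFA_MAX_AGE:
        reason = "mfa missing or stale"
    else:
        reason = "ok"
    return {"who": session.user, "what": resource, "when": now.isoformat(),
            "allowed": reason == "ok", "reason": reason}

def demo() -> list:
    """Three constructed requests against the HMI, returned as the audit trail."""
    now = datetime(2026, 3, 5, 12, 0, tzinfo=timezone.utc)
    # bob's valid session, relayed through a compromised jump host, tries to reach the HMI.
    bob = Session("bob", True, now - timedelta(minutes=2))
    # alice is entitled to the HMI, but her second factor is an hour old.
    alice_stale = Session("alice", True, now - timedelta(hours=1))
    alice_fresh = Session("alice", True, now)
    return [zero_trust_decide(bob, "substation-hmi-01", now),
            zero_trust_decide(alice_stale, "substation-hmi-01", now),
            zero_trust_decide(alice_fresh, "substation-hmi-01", now)]
```

The perimeter model allows bob's relayed session through, while the per-request model denies it and records why, which is the evidentiary detail an auditor would look for.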
Preparing for the future of operational security
The passage of the final ballot for this standard revision is a clear indicator of where the industry is heading. Regulators and security professionals recognise that the perimeter is no longer a static line; it is anywhere access occurs. Attempting to secure this dynamic environment with traditional network monitoring is no longer sufficient.
The expansion of monitoring requirements should be viewed as an opportunity to modernise your entire approach to remote access. By moving away from implicit trust and embracing an identity-first access platform, you not only achieve regulatory compliance but also fundamentally harden your operational infrastructure against the most sophisticated cyber threats.
Are you ready to secure your external access systems and meet the new monitoring mandates? Contact us today to learn how our zero trust platform can simplify your compliance efforts while providing frictionless, secure access for your workforce.
