NERC CIP-007 R4 Compliance: What Packet Capture Gives You That Logs Can't

Key Takeaways

  • NERC CIP-007 was the most violated NERC CIP standard in 2022, with 108 reported noncompliance instances

  • R4 requires BES (Bulk Electric System) System operators to log specific security events, retain those logs for 90 consecutive calendar days, and review them at intervals no greater than 15 days

  • Log retention satisfies the compliance floor — it does not support the forensic depth required to investigate incidents that logs alone cannot reconstruct

  • A documented real-world compliance case showed a SIEM database failure eliminating 90 days of event log records with no independent evidence layer remaining

  • Full packet capture provides a tamper-resistant, independent record of network activity that survives log infrastructure failures and supports after-the-fact forensic investigation

  • SentryWire operates beneath existing SIEM and log management infrastructure, adding packet-level evidence without replacing the tools already in place

CIP-007 was the most violated NERC CIP standard in 2022, with 108 reported noncompliance instances. R4, which governs security event monitoring, sits at the center of many of those violations. Most responsible entities focus on satisfying the logging requirements R4 prescribes. Fewer ask what those logs cannot tell them when a cyber security incident actually unfolds. This article explains what R4 requires, where log-only approaches leave forensic gaps, and what full packet capture adds to a NERC CIP-007 compliance posture without replacing existing log infrastructure.

What NERC CIP-007 R4 Actually Requires

NERC CIP-007 R4 governs security event monitoring for BES Cyber Systems and the cyber assets that support them. The standard requires responsible entities to implement documented processes that log specific categories of security events, retain those logs for a minimum of 90 consecutive calendar days, and review them at intervals no greater than 15 days to identify incidents that may not have triggered real-time alerts.

The four event types R4 mandates at minimum are:

  • Detected successful login attempts

  • Detected failed access attempts

  • Detected malicious code

  • Audit log failures

These represent the floor. Systems with broader logging capability are expected to capture more. Relying on "per system capability" limitations to reduce logging scope creates audit risk that enforcement actions have scrutinized in practice.

R4.1 frames the logging requirement explicitly around "after-the-fact investigations of Cyber Security Incidents." That framing matters. NERC CIP-007 acknowledges that some incidents are identified retroactively rather than in real time, and that the log record must support investigation of those incidents after the fact. Whether that log record provides sufficient forensic depth to actually conduct that investigation is a separate question the standard does not resolve.

What Logs Tell You, and What They Don't

Security event logs record that something happened. A successful login. A failed access attempt. A malicious code detection. A configuration change event. The log captures a timestamp, a system identifier, and an event type — useful for confirming that monitoring processes are operating and for triggering alerts when defined thresholds are met.

What logs cannot do is reconstruct what happened at the network level. The table below shows where each evidence source stops.

Evidence Question Security Event Logs Full Packet Capture
Did an event occur? Yes Yes
When did it occur? Yes Yes
What was the session content? No Yes
What lateral movement followed? Partial Yes
What data was accessed or exfiltrated? Maybe Yes
Can the session be replayed? No Yes
Does it survive a SIEM failure? No Yes

The distinction becomes critical the moment an investigation begins. Security analysts investigating a cyber security incident under NERC CIP-007 need more than a confirmed event timestamp and type. They need to reconstruct attacker behavior, trace movement through the BES Cyber System environment, and determine the scope of any compromise. Logs identify what happened. Packets show how.

In a documented compliance case under CIP-007-6, an entity's SIEM database was corrupted for 48 days. The entity rebuilt indexes and restored normal operation within that period, but the centralized 90-day log retention record was compromised for the duration. Local logs remained on individual devices, but the consolidated audit record did not survive intact. An independent packet capture record, captured at line rate to hardened appliance storage, would have remained available regardless of the SIEM failure.

Where Log-Only Compliance Falls Short in Practice

Two scenarios illustrate the practical gap between meeting R4 log requirements and maintaining genuine forensic readiness.

In the first scenario, an alert fires at day 60 of the 90-day retention window. The log confirms the event timestamp and type. It cannot reconstruct the network session that preceded the alert, identify whether lateral movement occurred across other BES Cyber Assets or electronic security perimeter systems, or determine what data was involved in the session. Incident response proceeds on log metadata alone, which limits the investigation from the start and constrains the documentation required for CIP-008 incident reporting.

In the second scenario, a threat intelligence organization publishes a new indicator of compromise 30 days after suspected intrusion activity occurred. The indicator was not known at the time of the original network activity. Logs may show connection records from the relevant period, but without packet data, analysts cannot verify whether that indicator was present in actual traffic, reconstruct the session associated with it, or extract artifacts for further analysis. The 90-day log window may still be open. The forensic depth required for the investigation is not available within it.

Both scenarios reflect the same underlying reality: CIP-007 R4 compliance and forensic readiness address different requirements. Satisfying the logging standard demonstrates that security event monitoring processes are documented and operating. Forensic readiness means having the evidence needed to investigate an incident with sufficient depth to understand what occurred, determine scope, and document findings that hold up to regulatory scrutiny. Standard CIP-007 R4 sets a compliance floor. Full packet capture raises the forensic ceiling above it.

How Full Packet Capture Strengthens NERC CIP-007 R4 Posture

Full packet capture preserves the complete network session, not just the event record. When a security event alert fires, analysts can move from the log entry to the underlying packet data and examine session content, protocol behavior, and connection sequences with full forensic fidelity. The network communication that generated the alert becomes available for reconstruction and analysis rather than inference drawn from summary records.

Three capabilities packet capture adds on top of log compliance:

  • Retroactive signature search-back. When new indicators of compromise are published, those signatures can be applied to stored packet data from before the new intelligence was available — addressing threats that generated no alert at the time of capture because the relevant indicator did not yet exist.

  • Independent evidence layer. Retained packet records survive SIEM infrastructure failures and provide auditors with network-level evidence beyond what log systems can supply.

  • CIP-008 documentation support. Packet-level evidence strengthens the documentation of how a security event was detected, investigated, and resolved, directly supporting incident reporting requirements.

For more on how packet-level evidence supports compliance-driven investigation, seenetwork forensics and why packet-level evidence matters and SentryWire'smaturity model for event log management.

How SentryWire Addresses NERC CIP-007 R4 in ICS/OT Environments

SentryWire functions as the packet evidence layer beneath existing SIEM and log management infrastructure. It does not replace the tools already in place for CIP-007 R4 log compliance. It captures the packet-level evidence that log records reference but cannot contain, and it does so in a way that is designed for the operational constraints of ICS/OT network environments.

The platform integrates a Suricata IDS engine, enabling signature-based detection alongside full packet capture and supporting retroactive search-back across stored packet data. When new indicators of compromise are published, analysts can run those signatures against months of retained traffic without waiting for the next capture window. That capability directly supports the after-the-fact investigation requirement that R4.1 makes explicit.

SentryWire's appliance-based architecture, built on commodity hardware, supports long-term packet retention well beyond the 90-day log minimum. For ICS/OT environments where network security monitoring must operate without affecting operational technology performance, SentryWire sustains high-speed capture at consistent throughput without introducing latency or disruption to OT network communications.

For utilities and critical infrastructure operators planning deployments on the multi-year timelines that NERC CIP compliance demands, the combination of log independence, long-term retention, and ICS/OT-aware architecture supports a forensic posture that performs under both audit scrutiny and real incident conditions.

Explore SentryWire's ICS/OT security capabilities, review how full packet capture supports compliance-driven forensic readiness, or contact the team to discuss deployment requirements for your network environment.

Frequently Asked Questions

What does NERC CIP-007 R4 require?

R4 requires responsible entities to log specific security events at the BES Cyber System level, retain those logs for a minimum of 90 consecutive calendar days, and review them at intervals no greater than 15 days to identify undetected cybersecurity incidents. Mandated event types include detected successful logins, detected failed access attempts, detected malicious code, and audit log failures.

Is full packet capture required for NERC CIP-007 compliance?

Full packet capture is not mandated by CIP-007 R4. The standard requires security event logging and retention. Packet capture provides forensic depth beyond what the standard prescribes, enabling session reconstruction, lateral movement analysis, and retroactive signature search-back that log records cannot support on their own.

What is the difference between log compliance and forensic readiness under NERC CIP-007?

Log compliance means documenting and retaining security events in accordance with R4 requirements. Forensic readiness means having the evidence needed to investigate a cyber security incident with sufficient depth to reconstruct attacker behavior, trace lateral movement, and produce defensible findings. CIP-007 R4 addresses the first. Full packet capture addresses both.

What happens if a SIEM fails during the 90-day retention window?

In documented compliance cases, SIEM database failures have compromised the centralized 90-day log retention record. Local logs may remain on individual devices, but the consolidated audit record required for compliance review is at risk. An independent packet capture record maintained on hardened appliance storage provides a corroborating evidence layer that survives SIEM infrastructure failures.

How does SentryWire integrate with existing SIEM infrastructure?

SentryWire operates as a packet capture layer beneath existing SIEM and log management systems and does not replace those tools. It integrates with Splunk, Elastic, and SOAR platforms to enrich detection workflows with packet-level context, and captures the network-level evidence that SIEM records identify but cannot contain.

Can packet capture data support NERC CIP audit documentation?

Retained packet data provides a corroborating evidence layer that supports audit documentation of how security events were detected, investigated, and resolved. For CIP-008 incident reporting, packet-level evidence strengthens the documentation of incident scope, attacker behavior, and response actions.

Reviewed and Approved by SentryWire

SentryWire delivers enterprise-grade full packet capture for network security monitoring, forensics, and compliance. Trusted by federal agencies and critical infrastructure operators, SentryWire provides complete network visibility where it matters most.

Previous
Previous

Why Financial Services Firms Need Full Packet Capture

Next
Next

Securing Critical Infrastructure: How Full Packet Capture Strengthens ICS/OT Network Security