
NST began work in 2015 to support a large Transmission Owner/Operator in WECC preparing for their first audit under the newly effective Version 5 of the CIP Standards. NST reviewed compliance documentation including RSAWs and compliance evidence in preparation for the audit, conducted mock interviews of SMEs and managers, and led training seminars on the “Dos and Don’ts” of audit witness testimony.
Pursuant to the results of that engagement, the client asked NST to perform a “deep dive” on the controls supporting CIP-009. NST reviewed existing Internal Controls describing compliance processes to evaluate both how well the documented controls aligned with the existing program documentation and how well they met the intent of the CIP-009 Standard Requirements. NST also conducted SME interviews to collect information about controls that were not formally documented, and incorporated that information into the analysis. NST provided guidance on the modification of controls and supported updates to documentation including policies, plans, processes, procedures, and associated evidence.
After the overwhelming success of the first project, the Entity contracted NST to complete a large-scale, enterprise-wide Cyber Vulnerability Assessment (CVA) for both high and medium impact BES Cyber Systems. NST assessed over 2000 BES Cyber Assets and associated EACMS, PACS, and PCAs across six (6) business units, each with unique data types and formats. To manage this complexity, NST developed a suite of custom scripts to process and organize the data into one cohesive format. The consistent formatting facilitated efficient analysis and ensured that all assets were assessed using the same criteria.
NST led the CVA, performing all activities recommended in the former Guidelines & Technical Basis for both a Paper and Active Vulnerability Assessment. Among other activities, NST conducted a walkdown of Physical Security Perimeters and physical security zones, including scanning for Network Discovery, Network Port and Services Identification, Vulnerabilities, and Wireless Networks. NST identified all devices within the Electronic Security Perimeter and ensured that all inbound and outbound traffic passed through a documented Electronic Access Point.
Though the client originally intended to retain NST solely for one CVA, NST’s performance has warranted an extension of the contract annually for over six years.
Throughout the years, NST and this Entity have collaborated to mature this VA process and provide value above and beyond the activities identified in the former Guidelines & Technical Basis. As part of the matured process, NST conducts gap analyses of documented procedures, analyzes all enabled/disabled interactive user accounts and associated passwords, reviews patch status to identify devices that may have been missed, and identifies devices at or nearing End of Life. The annual CVA has become one of the most important checks of internal controls for dozens of requirements, and year over year ensures that the Entity has a comprehensive view of its compliance and security postures.