NST began work in 2009, soon after the release of the NERC CIP v1 Standards, to support a Gap Analysis of the utility’s compliance posture. During the project, NST consultants taught SMEs their new responsibilities and guided the development of their program. This initial effort concluded the following year, allowing the utility to transition easily into the increased compliance obligations prior to the effective date.
NST returned in 2014 during the transition to NERC CIP v5 to provide a Gap Analysis and subsequent remediation support to ensure the utility demonstrated a strong compliance posture prior to the effective date. Additionally, the utility requested assistance in completing its inaugural CIP-010 Vulnerability Assessment (VA). Though the utility had not gone through the formal process before, the effort went without a hitch and NST was invited to return the following year. Since then, NST has conducted every Annual CIP-010 VA for the utility (both Paper and Active). Over time, NST has refined the process both to include opportunities for controls testing (CIP-005 and CIP-007) and to decrease costs for the annual VA.
NST supported the entire v5 transition. To support the changeover, the utility requested NST consultants’ assistance in the development of policies, processes, procedures, and other documentation required by the new Standards. Upon project completion, the utility requested that NST provide a full-time equivalent consultant to provide high-level support and guidance on the further refinement of their compliance program. Since then, NST has played a key role across the board of compliance responsibilities both “on the program” and “in the program”.
Work done “on the program” looks to improve efficiency and compliance posture at the foundational level by improving the documentation and activities governing the CIP compliance program. NST has assisted this utility “on the program” through projects such as:
· Mock Audits,
· Gap Analyses,
· Assessments of high-risk requirements,
· Tune-ups and efficiency improvements,
· Internal controls development, and
· CIP-013 Supply Chain Risk Management (SCRM) program development.
Work done “in the program” represents the activities necessary for compliance, especially those directly mandated by the NERC CIP Standards. NST has played a significant role “in the program” with this utility, including:
· CIP-010 Paper and Active Vulnerability Assessments,
· RSAW reviews,
· Evidence preparation and audit guidance,
· PNC investigations and associated mitigation plans,
· Root Cause Analyses (RCA),
· Extent of Condition (EOC) Analyses, and
· CIP-005 Firewall Ruleset Reviews.
NST continues to support this utility’s day-to-day operations and program maintenance with a consultant on hand for all things NERC CIP. Additionally, NST returns each year to conduct the utility’s CIP-010 VA. NST and the utility have grown and matured together, and continue to partner on NERC CIP to this day.