
In 2023, NST was asked to provide a Gap Assessment of this Entity’s NERC CIP compliance program at a medium impact Control Center. Though the organization had developed robust policies and procedures that aligned with the Standards, the implementation of those requirements was not consistently integrated into technical workflows.
NST worked directly with technical SMEs to understand their day-to-day responsibilities and activities. NST collaborated with both compliance personnel and technical teams to bridge the gap between documented controls and operational activities. NST assisted in remediation efforts identified during the assessment and updated program documentation to align with both compliance requirements and technical execution.
Following the initial Gap Assessment and associated remediation, NST returned to provide support for various projects across the NERC CIP compliance program, including preparation for an upcoming audit, support with CIP-002 categorization procedures, an annual CIP-008 tabletop exercise, NERC CIP training for SMEs, and other general support on an ad-hoc basis.
In 2025, NST and the Entity partnered on a new challenge to assess the vendor remote access program at low impact generation sites in preparation for enforcement of CIP-003-9. The Entity supported two methods of remote access for vendors and needed to determine if both methods aligned with the new requirements. NST conducted an extensive review of program and technical documentation, along with discussions between technical SMEs, compliance personnel, and third parties.
NST investigated all components of the program, including firewalls, contractual agreements, procedures, and variations between locations. At the same time, the Entity was in the process of implementing a new tool across its environments to log and monitor communications, as well as to detect malware introduced through vendor remote access. NST provided suggestions for fine-tuning the logging functionality to significantly reduce the size of log files without sacrificing critical information. Throughout the engagement, NST and the Entity collaborated to update documentation to account for new controls and definitions included in the Standard.
During this engagement, NST once again bridged the gap between technical SMEs, compliance personnel, and third parties embedded at each location. NST encouraged open discussions around shared responsibilities and helped clarify ownership across the program.