NST and this utility began working together in 2013 in preparation for an upcoming audit. Soon after, NST was requested once again to lead a remediation effort addressing findings identified during the initial engagement.
The following year, the utility called upon NST once again to assist with the transition to NERC CIP v5, beginning with SME training over the changes for the v5 Standards. NST also completed an annual CIP-002 assessment and a Vulnerability Assessment before transitioning to updating policies and procedures to align with the new versions. Finally, NST helped the utility to implement tools in their environment for patching and event logging.
In 2020, the utility requested NST’s help to develop aCIP-013 program in alignment with the newly introduced Standard. In addition to the program itself, NST developed an implementation plan including all actions necessary to put the program fully into effect in order to ensure that the SMEs were confident with plenty of time before the effective date.
NST has also supported the organization’s CIP-010 Vulnerability Assessments (VAs). The utility was confident in their program, but wanted a “second set of eyes” to identify areas for improvement. Since 2016, NST has returned annually to support the Vulnerability Assessment and over the years, NST and the utility have collaborated to both streamline the VA process and to increase the breadth of the review.
One addition to this project has been an in-depth review of EAP configurations to account for potential “drift” throughout the year. Each year, NST conducts a CIP-005 Deep Dive℠ to look for potential security and compliance concerns, such as overly permissive network ranges, communications allowed to/from unknown IP addresses, and potential instances of Interactive Remote Access crossing the ESP boundary.
Since introducing these additional checks into the project, this project has evolved into a detective control for the utility to identify potential security and compliance gaps above and beyond the minimum requirements for a CIP-010 VA.
Between 2016 and 2026 NST has completed the VA on time and on budget, and though the observations have been minor, NST has worked with the utility to ensure that both observations and recommendations aligned with their goals. The utility’s involvement throughout the project ensured that SMEs were well-informed of the results of the VA, and as such, well-equipped for subsequent remediation efforts.
