The utility had questions about deficiencies in their CIP-010-3 processes. First, they wanted to focus on improving their primary requirement: managing their configuration processes. A secondary focus was on identifying deficiencies in their Annual Vulnerability Assessments (AVA). Finally, they wanted to review new ways for handling Transient Cyber Assets (TCA) and Removable Media.
PFES reviewed all NERC CIP policies and procedures concerned with CIP-010-3 with a deep dive into the plans focused on baselines and configuration change management. We provided detailed comments within procedures and recommendations on how to improve processes for baselining applicable systems and the handling of change management as an organization.
PFES Subject Matter Experts additionally reviewed the AVA process to ensure that the plans in place met requirements. We provided the client with recommendations on how to improve processes and present artifacts of evidence for easy review during an audit.
Our experts also reviewed new requirements and processes to address TCAs and RM and made recommendations to improve processes and presentation of evidence.
PFES was able to identify key areas of the program, that may have caused areas of concern during an audit.
Our utility client was able to remediate areas of concern, thereby reducing their risk exposure of being found non-compliant.
And, through the implementation of the outlined recommendations, the utility is fostering a better compliance and cybersecurity culture.