PFES’ client, a West Coast power generation owner-operator, lacked the resources to make the changes needed to meet its NERC CIP compliance goals and was carrying multiple open enforcement items. Chief among its problems were policies and procedures that did not reflect the processes actually in use. The client also lacked adequate monitoring and reporting tools to assess its compliance and security posture, and was unable to keep pace with changes to the NERC CIP standards, their requirements, and upcoming enforcement dates.
PFES reviewed all of the client’s NERC CIP policies and procedures to identify deficiencies and close compliance gaps. We also integrated new SIEM and configuration management tools to meet security objectives and support ongoing compliance posture assessments; the client now has situational awareness of its BES Cyber Systems and associated assets. In addition, we partnered with the client on implementing NERC CIP policies and security controls for low impact facilities (effective date 1/1/20) and on implementing a NERC CIP supply chain risk management program (effective date 10/1/20).
We integrated a GRC platform to automate previously manual processes and revamped the client’s CIP-008-6 incident response plan to meet the new requirements (effective date 1/1/21). Finally, we implemented a Transient Cyber Asset (TCA) and Removable Media (RM) program covering both low and medium impact BES Cyber Systems.
Over a three-and-a-half-year engagement, the maturity of the compliance program grew substantially, and the client received zero Possible Violations in its 2020 audit.
The client now has a comprehensive and sustainable NERC CIP compliance program.