case study

A Decade of Comprehensive NERC CIP Support

The Beginning

NST began work in 2014 following a request from the utility to conduct a Vulnerability Assessment (VA) of the utility’s high impact Control Centers. This initial project laid the foundation for a long-term, multifaceted engagement that would touch every aspect of their NERC CIP compliance program.

Transition to CIP v5 and Beyond

Following the successful completion of the 2014 VA, we were contracted in 2015 to assist the utility in transitioning from version 3 to version 5 of the NERC CIP Standards. This complex transition required a comprehensive overhaul of their existing cybersecurity and compliance processes.

Our expertise proved invaluable, leading to an extended engagement. We provided Staff Augmentation for their Cybersecurity and Compliance teams, a relationship that has continued through 2024. Over the years, our work has touched every CIP standard and requirement, with particular focus on CIP-005 (Electronic Security Perimeter), CIP-007 (Systems Security Management), CIP-009 (Recovery Plans for BES Cyber Systems), and CIP-010 (Configuration Change Management and Vulnerability Assessments).

Key Projects and Milestones

Throughout our decade-long partnership, we've been integral to numerous critical projects and recurring compliance activities:

  1. Audits and Assessments: As part of the Cybersecurity and Compliance teams, we participated in both a full FERC audit and a full NPCC audit, as well as two third-party Mock Audits.
  2. Annual Vulnerability Assessments: Since 2014, we've conducted the annual high impact VA. Additionally, we've performed all annual medium impact Substation VAs since 2015, providing comprehensive security insights across their infrastructure.
  3. Disaster Recovery Testing: We've led all CIP-009 Disaster Recovery Procedure testing since 2015, ensuring the utility's readiness to respond to and recover from potential incidents.
  4. Infrastructure Upgrades: Our team assisted with two significant EMS Upgrade projects, as well as the onboarding of multiple new substations and a new Control Center. These projects required careful planning and execution to maintain compliance throughout the transitions.
  5. Documentation Overhaul: We helped to comprehensively revise and rewrite most of their CIP program documentation and work instructions, providing clarity, consistency, and alignment with evolving standards.
  6. Network Security Enhancement: We developed and deployed a unified firewall configuration for all their substation firewalls, greatly reducing the management overhead and enhancing their overall security posture.

Ongoing Partnership

Our relationship with this transmission utility continues to evolve. We are currently in the contracting process for several more projects, demonstrating the client's trust in our expertise and the value we bring to their operations.

This long-term engagement demonstrates our ability to provide comprehensive, adaptable support across the full spectrum of NERC CIP compliance. From initial assessments to ongoing staff augmentation, infrastructure upgrades, and continuous improvement of security measures, we've been a trusted partner in ensuring this transmission utility's cybersecurity and compliance excellence for over a decade.
