NST began work in 2011 to conduct a combined Gap Analysis and Mock Audit. The Entity was prepping for an audit and looking for as much help as they could get, so NST decided on a mixed approach to cover all bases. The project provided the perfect middle ground between the pressure of a real audit scenario and the transparency of a Gap Assessment. During the engagement, NST identified multiple areas of concern including some related to CIP-002 asset identification and CIP-003 change management as well as CIP-007 ports and services, patching, and account management. As such, NST was invited to assist in the assessment and filing of self-reports, including Extent of Condition (EOC) analyses, Root Cause Analyses (RCAs). NST soon became more integrated with the Entity’s NERC CIP compliance team, and the two parties stuck together through the entire mitigation process, including delivery of evidence for interim milestones and final mitigation.
In 2014, the release of NERC CIP v5 prompted NST and the Entity to ramp up once again to meet new compliance obligations. Though the new requirements entailed a substantial overhaul, the transition provided an opportunity to capitalize on the positive momentum of the program. With the program in a more mature state, the Entity then requested NST once again for the replacement of their Energy Management System (EMS). The EMS vendor had little knowledge of the responsibilities of a NERC CIP program, so NST served as the bridge to ensure that the new system was set up correctly at go-live. Further, to support the transition in full, NST organized the recertification with MRO in accordance with the NERC Rules of Procedure.
Since 2017, NST has been integrated into the Entity’s team and provided support across the board. NST assists with annual responsibilities including policy and procedure updates, CIP-010 Paper and Active Vulnerability Assessments, and tabletop drills for CIP-008 and CIP-009. NST also helps the Entity stay on the forefront of new Standards and technology, including the establishment of a CIP-013 Supply Chain Risk Management (SCRM) process in 2020 as well as the modification of CIP-004 and CIP-011 programs to support BCSI in the cloud in 2024. From full-steam-ahead audit prep to daily responsibilities, we’ve been joined at the CIP through every step of the way.
