case study

Vulnerability and Compliance Assessments

The Beginning

NST began work in 2005 with this utility on a series of security and compliance assessments. With the success of those initial assessments, the utility has regularly engaged NST to conduct various periodic and impromptu assessments, as well as to lead important remediation projects. The core team from NST and the utility continue to collaborate almost twenty years later!

NST and the utility partnered for over a decade as the CIP Standards evolved and as the utility grew both through development and acquisition. NST supported NERC CIP Vulnerability Assessments, Audit Preparations, Program Development (as the Standards were retired/replaced), and NERC CIP Training Module Development.

Next Steps

In more recent years, NST has helped conduct required assessments ahead of the commissioning of the new Supervisory Control and Data Acquisition (SCADA) / Energy Management System (EMS). Per CIP-010, new High Impact BES Cyber Systems must have an active vulnerability assessment performed prior to being added to a production environment. For the new SCADA/EMS, NST conducted both the required vulnerability assessment and a compliance program review. The compliance program review was meant to ensure that the proposed compliance program was achievable, sustainable, and most importantly – compliant. NST reviewed and assessed program documentation and produced multiple revisions in collaboration with the utility’s SMEs to ensure that documentation accurately captured the new EMS systems’ configurations and processes. Following this Gap Analysis of the compliance program, NST performed the required active Vulnerability Assessment for the new Cyber Assets.

A Unique Project

In 2022, the utility approached NST with a novel challenge: their program documentation describing logging capabilities pursuant to CIP-007 Requirement R4 Part 4.1 needed improvement.

In this instance, the utility’s documentation did not adequately account for or explain the technical limitations preventing some devices from performing regular logging. The utility requested that NST review approximately 4,200 devices across 88 substations and separate them into two “tranches” – those with logging capabilities, and those without. NST further grouped devices by type and function so that devices of a similar class could be assessed under a single framework using a sampling methodology.

NST and the utility collaborated to update the documented definition of logging to more clearly articulate the difference between each tranche and memorialize the logging capabilities or limitations of each. Likewise, NST recorded all steps taken to assess each device or grouping of devices, created a template for recording such information in the future, and provided guidance on how to store and present such evidence if requested by the regional entity.

Infrastructure Upgrade Support

In 2023, the utility embarked on a long-term project to upgrade End-of-Service-Life infrastructure at its Transmission Substations to “digitize” communication pathways. The planned upgrades draw the NERC CIP Requirements for External Routable Connectivity (ERC) into scope for all Transmission Substations with medium impact BES Cyber Systems. As such, the utility requested support from NST in identifying the documentation and process updates needed to support this increased compliance scope. NST performed a gap assessment between the current documentation and the additional ERC Requirements, and worked with the utility to develop an action plan for implementation that included a rollout of new processes at low impact sites first, to test and validate the model for ERC with minimal compliance risk. The project is ongoing.

Ongoing Support

This utility continues to choose NST to conduct annual Paper Vulnerability Assessments and periodic Active Vulnerability Assessments, covering both its medium and high impact BES Cyber Systems. The utility regularly evaluates other vendors and continues to return to NST because of NST’s ability to deliver these projects on time, on budget, and in a way that satisfies even the most demanding auditor.
