We Secure Critical Infrastructure™

Cybersecurity  +  Compliance  +  Managed Services

How an innovative electric power producer is reducing compliance burden through process improvements, efficiencies, and automation

Published 2023-08-17

Client:

Our client operates ~80 power plants across the United States and protects thousands of cyber assets. Like many other entities required to comply with NERC CIP and TSA SD02, they are overwhelmed by the amount of effort required to sustain compliance.

Problem:

Critical Infrastructure assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Our client owns and operates electric and natural gas assets that are operationally reliant on cyber assets which, if destroyed, degraded, misused, or otherwise rendered unavailable, would affect the reliable operation of Critical Infrastructure. They must comply with two cybersecurity mandates: NERC CIP for electric assets and TSA SD02 for gas pipelines.

To maintain security and regulatory compliance with these standards and directives, organizations must collect auditable evidence for each applicable requirement. In addition to the tremendous amount of work involved in the ongoing management, performance, and evaluation of these cyber and physical security controls, our client invested over 2,000 hours preparing for their latest NERC CIP regulatory audit.

Solution:

This client selected ITEGRITI because of our reputation, domain-level expertise, and value.

The joint client-ITEGRITI team was asked to consider all options for greater efficiency. After the client allowed ITEGRITI to issue an initial data request and perform discovery, the client helped coordinate Test of Design (TOD) workshops in which we collaborate with the client team. Key workshop activities designed by ITEGRITI include:

  • Increasing ownership and accountability by developing clarity around roles, responsibilities, and assignment, and informing the team of the rationale for each control objective: why it exists and what could happen if it is not performed.
  • Discussing the latest regulator audit report to understand control failures and their causes.
  • Ensuring the control set is aligned with the latest versions of the standards and reviewing each control to confirm it is designed to best address the risk.
  • Finding opportunities to use Robotic Process Automation (RPA) or otherwise automate evidence collection and validation (e.g., eliminating work tickets where evidence can be shared system to system).
  • Increasing systems integration, including a bidirectional data feed between the Governance, Risk and Compliance (GRC) platform and ticketing.
  • Inspecting and modifying process and GRC workflows for task assignment, escalation, validation, and evidence capture.
  • Institutionalizing knowledge to reduce reliance on individuals and minimize the impact of employee changes, and improving confidence in control effectiveness through the standardization of task and review activities.

Results:

This is an active project, starting with the two most difficult NERC CIP and TSA standards. We are currently in a "check and adjust" phase, reviewing the list of observations with key stakeholders and leadership. Feedback will be incorporated into our approach for all remaining areas, with "check and adjust" gates after key milestones. Once all TOD workshops are completed, we will prepare a roadmap in which priority is established based on relative cost and benefit.

ITEGRITI also identified a new and innovative method to significantly improve efficiency. We are discussing performing a Proof of Concept (POC) so we can better understand the effort, application, and result on a small set of tasks before committing to full implementation.

Conclusion:

Since 2008, the ITEGRITI team has assisted organizations with IT and OT cybersecurity and compliance projects throughout the United States and Canada. We support Critical Infrastructure across the healthcare, oil and gas, and electric sectors, including utilities, transmission, municipalities, cooperatives, and generation from coal, natural gas, and renewables (wind, solar, hydro, and geothermal).
