White Paper

How a Major Utility Company Achieved Zero Compliance Violations

[1+1+1=0]

Converging IT, OT and Physical Security For Continuous NERC-CIP Compliance and Enterprise Security.

More than a decade ago, the North American Electric Reliability Corporation (NERC) approved Critical Infrastructure Protection (CIP) standards CIP-001 through CIP-009, designed to provide new and improved regulatory accountability. NERC-CIP has two primary purposes. The first is to provide a cyber-security framework to identify critical cyber assets, and the second is to protect those assets. Critical assets, as defined by the standards, are those systems, equipment or facilities that, if destroyed or otherwise affected, would be detrimental to the reliability or operability of the Bulk Electric System (BES). For companies in the public utility, gas, water and other critical sectors, staying current with regulations and recordkeeping for safety, security and access has been an insurmountable challenge. Since the mandate hit the books, companies have struggled with compliance—many failing to resolve how to effectively comply with the three most critical areas of the NERC-CIP standards: CIP-001 (Sabotage Reporting), CIP-002 (Critical Cyber Asset Identification) and CIP-004 (Insider Threat).

AlertEnterprise Inc. has successfully worked with companies across the utility and critical infrastructure spectrum to address and resolve all areas of NERC-CIP compliance. The following is a current, real-world example of how technology helped one of our high-profile customers achieve the ultimate goal: continuous compliance and zero violations.

The Utility Customer Profile

With thousands of natural gas and electric customers spread across almost one-third of the state, the Utility understood the risk of data theft and NERC-imposed fines. Its goal was to unify its enterprise Identity and Access Management (IAM) to meet NERC-CIP requirements, with an integrated access and reporting mechanism across IT, Physical Access and Control Systems/SCADA. The Utility approached the potential pain points of NERC-CIP head on—access to physical and logical systems; controls; documentation; onboarding, off-boarding, terminations; and more—using AlertEnterprise technology to automate compliance and bridge the gap between physical and logical systems.

Since working with AlertEnterprise, the Utility company has obtained continuous compliance and zero violations—an attainable and sustainable goal—all with a unified enterprise IAM software platform.

Challenges of the Utility Customer

The client had these familiar challenges:
As you can imagine, or may have experienced, CIP compliance tasks were becoming unmanageable for the Utility company, and it was difficult to perform quarterly access reviews. Manual access checks were spotty and tedious, and 24-hour revocation became a concern, as did establishing good internal controls by personnel to revoke access.

Technology from AlertEnterprise Automates Compliance

With a vision of centralized access, the Utility customer turned to AlertEnterprise and its proven IAM solutions. They successfully centralized management of the entire identity lifecycle for employees and contractors; established a central identity repository for contractors; and increased user access management functionality and credential levels through a single platform. They were able to achieve this vision:
Safeguarding against vulnerabilities in an entity’s systems requires an automated risk management solution, especially as regulations continue to develop. NERC compliance monitoring self-certifications, audits and spot-checks continue to grow in size and scope. Along with this expansion, we’ve continued to observe an increase in the amount of documentation required by NERC-CIP. Utilities are far from mastering these requirements and struggle to do so with traditional compliance methods, especially with newly proposed NERC-CIP standards on track for approval in 2020.

AlertEnterprise Delivers

About AlertEnterprise

AlertEnterprise hides the complexity of integration across ERP, GRC, IAM and Security applications. We identify and uncover blended threats that exist across IT applications, Physical Access Control Systems and Industrial Controls to deliver holistic prevention of fraud, theft and acts of sabotage.

The AlertEnterprise Suite of Solutions

How AlertEnterprise Leverages Technology So Utilities Can Maintain Continuous Compliance

What Utilities Need to Know

The key mandates of NERC-CIP require a deep understanding of risk to critical assets, in addition to effective and continual monitoring of access. A simple mistake in understanding monitoring of access has resulted in millions of dollars in theft, in addition to NERC- and FERC-imposed fines. If you require any information on this topic, contact AlertEnterprise today at 510.440.0840 or info@alertenterprise.com.
