[1+1+1=0]
Converging IT, OT and Physical Security For Continuous NERC-CIP Compliance and Enterprise Security.
More than a decade ago, the North American Electric Reliability Corporation (NERC) approved Critical Infrastructure Protection (CIP) standards CIP-001 through CIP-009, designed to provide new and improved regulatory accountability. NERC-CIP basically carries two primary purposes. The first is to provide a cyber-security framework to identify critical cyber assets and the second is to protect those assets. Critical assets, as defined by the standards, are those systems, equipment or facilities that if affected by destruction or otherwise would be detrimental to the reliability or operability of the Bulk Electric System (BES). For companies in the public utility, gas, water and other critical sectors, staying current with regulations and recordkeeping for safety, security and access has been an insurmountable challenge to overcome. Since the mandate hit the books, companies have struggled with compliance—many failing to resolve how to effectively comply with the three most critical areas of the NERC-CIP standards: CIP-001 (Sabotage Reporting), CIP-002 (Critical Cyber Asset Identification) and CIP-004 (Insider Threat).
AlertEnterprise Inc. has successfully worked with companies across the utility and critical infrastructure spectrum to address and resolve all areas of NERC-CIP compliance. The following is a current, real-world example of how technology helped one of our high-profile customers achieve the ultimate goal: continuous compliance and zero violations.
The Utility Customer Profile
With thousands of natural gas and electric customers spread across almost one third-of the state, the Utility understood the risk of data theft and NERC-imposed fines. Their goal was to unify its enterprise Identity and Access Management (IAM) to meet NERC-CIP requirements, with an integrated access and reporting mechanism across
IT, Physical Access and Control Systems/SCADA). The Utility approached the potential pain points of NERC-CIP head on—access to physical and logical systems; controls; documentation; onboarding, off-boarding, terminations; and more—using AlertEnterprise technology to automate compliance and bridge the gap between physical and logical systems.

Since working with AlertEnterprise, the Utility company has obtained continuous compliance and zero violations—an attainable and sustainable goal—all with a unified enterprise IAM software platform.
Challenges of the Utility Customer
- Multiple access control, IT, HR and Learning Management Systems applications that didn’t talk to each other
- Decentralized Physical Access Control Systems (PACS), some legacy, with limited integration
- Separate processes to assign and monitor access to its most delicate, high-risk areas, including generation and transmission
- Mounting access authorizations conducted through email exchange, leading to delays in authorizations, provisioning errors and unrevoked access credentials
- Reliance on hand-tracked authorizations—on massive spreadsheets—for CIP compliance
Technology from AlertEnterprise Automates Compliance
- Elevate critical business processes around identity and access management/governance in an integrated solution
- Attain the highest levels of compliance with audit/regulatory and reporting requirements holistically
- Drive the entire access management equation to end-to-end automation and integration
- Implement a single solution for cross platform provisioning of access and a solid pathway to staying CIP compliant with converged physical and logical systems
AlertEnterprise Delivers
- Multiple access control, IT, HR and Learning Management Systems applications that didn’t talk to each other
- Decentralized Physical Access Control Systems (PACS), some legacy, with limited integration
- Separate processes to assign and monitor access to its most delicate, high-risk areas, including generation and transmission
- Mounting access authorizations conducted through email exchange, leading to delays in authorizations, provisioning errors and unrevoked access credentials
- Reliance on hand-tracked authorizations—on massive spreadsheets—for CIP compliance
About AlertEnterprise
How AlertEnterprise Leverages Technology So Utilities Can Maintain Continuous Compliance
- Extends access management and risk analysis beyond IT applications to include physical access control systems
- Creates a unified access and reporting mechanism across applications in all domains (IT, Physical Access Control Systems/SCADA)
- Establishes an all-encompassing strategy for on-boarding/off-boarding related to access management, managing contractor access as well as validation of certification and background checks
- Offers holistic business alignment for security risk and compliance posture alignment
What Utilities Need to Know
The key mandates of NERC-CIP require a deep understanding of risk to critical assets, in addition
to effective and continual monitoring of access. A simple mistake in understanding monitoring of access has resulted in millions of dollars in theft, in addition to NERC and FERC imposed fines. If you require any information on this topic, contact AlertEnterprise today at 510.440.0840 or info@alertenterprise.com.