Success Stories

Success Stories

We all know that actions speak louder than words.  Learn through our success stories, that is, our actions, why Encari is the premier provider of NERC CIP compliance consulting services.
Merchant Generator

Encari was engaged by a merchant generation firm to help it address its responsibilities under CIP-002 for identification of critical assets.  Encari first worked with the firm to develop a defensible risk based assessment methodology for critical asset identification.  Encari then applied this methodology to determine whether the entity did or did not have critical assets as defined in CIP-002.  As a final step, Encari thoroughly documented the methodology and how it was applied.  This documentation will be required whenever the entity is subject to a reliability audit.  It will also serve as the basis for the annual application of the methodology required by CIP-002.  The customer was very pleased with the thorough and careful manner in which Encari accomplished this project.


Generation compliance

Several large utilities and independent generation companies have engaged Encari to assist in supporting their diverse NERC CIP compliance initiatives.  Because of how most generation plants are organized and staffed, this task requires distinct skills and approaches than are typically applied toward control center compliance.  Encari has worked for a large number of generation companies, and its prevalent NERC CIP compliance consulting activities include:

  • Identifying critical cyber assets – Doing this in a generation plant often involves tracing cables and interviewing plant staff knowledgeable about each cyber asset.
  • Identifying electronic security perimeter(s) (ESPs) and physical security perimeter(s) (PSPs) – Because of the compliance cost that will be incurred if ESPs and PSPs are too widely / broadly established, Encari examines all options for keeping these perimeters as small as possible.  Often, an investment in additional switches will yield a manifold return through lower ongoing NEC CIP compliance costs.
  • Cyber security policies, processes, procedures, and programs – In many electric utilities, generation plants were not the focus of cyber security policies, processes, procedures and programs that were established for NERC CIP compliance or other purposes.  Encari reviews existing cyber security policies, processes, procedures and programs in order to confirm their applicability to generation plants, and assists in developing and implementing new ones, if required.
  • Network segmentation – Because in many generation plants there are links between their control networks and the corporate IT networks, it is imperative that these links be broken.  On the other hand, these links are typically established due to corporate staff needing access to particular generation plant information.  There are many ways to resolve these issues, and addressing them has been a large focus of the NERC CIP compliance consulting services Encari has provided for generation companies.
  • Technical feasibility exceptions – There are always a number of cyber assets at generation plants that cannot run anti-virus software, can only accept upper-case letter passwords, etc.  While these do not need to be replaced, technical feasibility exceptions need to be pursued and carefully documented, and measures need to be taken to mitigate the risks resulting from the pursued technical feasibility exceptions.
  • Security training – Generating plant personnel are often very focused on the machinery of the plant and much less focused on the cyber assets controlling the machinery.  There is often a greater requirement for cyber security training (CIP-004, R2) at generation plants than there is in control centers.
 
Multi-State Utility

A large utility that operates in multiple states engaged Encari to assess its compliance with the NERC CIP Reliability Standards for both its transmission and generation operations.  The utility requested Encari to review their NERC CIP compliance documentation and identify any insufficiencies / aspects of non-compliance that may exist in both its documentation and its underlying processes and procedures.

Encari conducted this review in two phases: One for transmission and one for generation.  For both phases, Encari identified and documented all encountered deficiencies and provided extensive practical recommendations regarding how all deficiencies may be effectively addressed.
 
Large Western Utility

A large electric utility in the Western US requested that Encari assist its staff in performing all activities required to achieve compliance with all requirements prescribed in NERC CIP Reliability Standards CIP-002-1 thru CIP-009-1.  Encari's efforts included:

  • Developing cyber security policies and aligning them, as appropriate, with the utility's corporate information technology (IT) security policies.
  • Developing required processes, procedures and programs, including:
    • Information protection program.
    • Change control and congfiguration management program.
    • Cyber security awareness and training programs.
    • Several physical security plans.
    • Technical architecture for sustainable compliance and ease of administration.
    • Unified situational awareness capability combining physical, cyber, and human aspects of security.
    • Malicious software prevention program.
    • Technical feasibility exception management program.
    • Incident response plan.

This entity’s goal was not only to have NERC CIP compliant cyber security policies, processes, procedures and programs, but also to ensure all established NERC CIP compliant mechanisms were sustainable; that is, cyber security policies, processes and procedures and programs that could realistically be maintained on an ongoing basis without requiring additional head count, unmanageable workload imposed on existing staff, or dependency upon external consulting firms.

Encari worked closely with utility staff members throughout this five-month engagement.  The result of Encari's collaborative effort with the utility were sustainable and compliant cyber security policies, processes, procedures and programs that addressed all applicable functions within the utility, as well as all applicable cyber assets.
 
Midwestern Investor-Owned Utility

Encari’s consultants have worked for over four years with one large Midwestern investor-owned utility, helping them to secure their control systems and comply with NERC CIP requirements.  Encari began its engagement by assisting this utility in compliying with the NERC Urgent Action 1200 standard in 2005.  When the NERC Standards Drafting Team started working on the NERC CIP Reliability Standards, Encari’s consultants partnered with the utility’s staff members to provide extensive input into that process; some of the resulting questions were addressed by FERC in Order 706, which established the NERC CIP Reliability Standards.  Encari has continued working with the utility to comply and maintain compliance with CIP versions 1 and 2.

Some of the areas in which Encari consultants have assisted this utility include:

  • Developing a technical architecture for sustainable NERC CIP compliance and ease of administration.
  • Developing workflows for compliance with several NERC CIP Reliability Standards and requirements.
    • These workflows were developed separately for generation facilities, substations, and control centers.
  • Defining job tasks with appropriate separation of duties.
  • Developing a unified situational awareness capability combining physical, cyber, and human aspects of security.
  • Providing training to staff members on incident handling and hacker techniques for CIP-008 compliance.
  • Implementing a change management system and procedures.
  • Developing cyber security training modules for CIP-004 compliance.
  • Designing and implementing procedures and technologies for user authentication, patch management, malicious software prevention, and other requirements of CIP-005 and CIP-007.

Lastly, Encari is currently assisting this utility in developing requests and mitigation plans for technical feasibility exceptions.
 
Municipal Utility

Encari was engaged by a Midwestern municipal electric utility that was facing CIP deadlines in June, 2009.  They needed to be auditably compliant for the “first thirteen” CIP requirements and compliant for the remaining 28 requirements.  

They requested that Encari undertake three tasks in this project:

  • Review the risk-based assessment methodology (RBAM) the utility had used to identify critical assets and re-assess their identification of critical cyber assets.
  • Assess the compliance documentation for the first thirteen requirements to determine whether any insufficiencies existed.
  • Conduct a gap assessment of the utility’s NERC CIP compliance posture with respect to the 28 requirements for which compliance was coming due in order to identify any areas of remediation that were required.

Encari successfully concluded this project on schedule and within the prescribed budget.  Several questions regarding the RBAM used to identify critical assets were raised, which focused on whether the RBAM had been properly conducted and whether the utility might in fact have unintentionally overstated the number of critical assets for which it was responsible.  The utility is currently reviewing both its critical asset identification and its NERC registrations with its Regional Entity.

 
 
More Articles...
<< Start < Prev 1 2 Next > End >>

Page 1 of 2