Client Situation
A leading energy company wanted an independent assessment of their CIP-010-3 processes to assess and remediate any compliance gaps within their policies, procedures, and processes.
Requirements were to assess deficiencies within their change management, configuring monitoring, vulnerability assessment methodology, handling of Transient Cyber Assets and Removable Media processes, policies, and procedures.
Key Challenges
The utility had questions about deficiencies in their CIP-010-3 processes. First, they wanted to focus on improving their primary requirement: managing their configuration processes. A secondary focus was on identifying deficiencies in their Annual Vulnerability Assessments (AVA). Finally, they wanted to review new ways for handling Transient Cyber Assets (TCAs) and Removable Media (RM).
Our Approach
Launch reviewed all NERC CIP policies and procedures concerned with CIP-010-3 with a deep dive into the plans focused on baselines and configuration change management. We provided detailed comments within procedures and recommendations on how to improve processes for baselining applicable systems and the handling of change management as an organization.
Launch subject matter experts additionally reviewed the AVA process to ensure that the plans in place met requirements. We provided the client with recommendations on how to improve processes and present artifacts of evidence for easy review during an audit.
Our experts also reviewed new requirements and processes to address TCAs and RM and made recommendations to improve processes and presentation of evidence.
Results
- Launch was able to identify key areas of the program, that may have caused areas of concern during an audit.
- Our utility client was able to remediate areas of concern, thereby reducing their risk exposure of being found non-compliant.
- And, through the implementation of the outlined recommendations, the utility is fostering a better compliance and cybersecurity culture.