NERC CIP Consulting + Compliance Services

ICF International partners with North American Electric Reliability Corporation (NERC) Registered Entities in building and maturing NERC Critical Infrastructure Protection (CIP) programs that improve their cybersecurity postures and reduce compliance risk within operational, budgetary, and resource constraints.

 

 

ICF provides NERC CIP consulting and compliance services to electric utilities and Registered Entities with the ultimate objective of strengthening enterprise resilience through robust security practices and controls aligned with CIP Standards and Requirements. ICF recognizes that organizations face complex internal and external challenges in implementing and maintaining effective NERC CIP programs. Registered Entities must proactively manage NERC CIP programs and execute supporting cybersecurity practices to achieve compliance with the NERC CIP Standards.

Effective NERC CIP programs require management's support with the proper “tone at the top” that promotes a culture of compliance emphasizing adherence to the CIP Standards. ICF understands that Registered Entities face various internal challenges that increase compliance risk, such as legacy IT infrastructure, budgetary constraints, and a lack of skilled resources. To help overcome their internal challenges, ICF supports Registered Entities in developing standardized processes embedded with auditable security controls that minimize performance issues and program inefficiencies, and ultimately mitigate compliance risks.

Registered Entities face increasing external cyber risks from a more persistent threat environment, and increased compliance risk due to evolving NERC Reliability and CIP Standards. Registered Entities’ Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) employ a network architecture that increases reliance on computer-based controls, potentially creating new vulnerabilities and elevating Registered Entities’ needs for cyber risk mitigation.

Meanwhile, the ongoing maturation of NERC Reliability and CIP Standards increases the compliance scope for Registered Entities’ operations and imposes more demanding cyber security requirements on existing IT infrastructure and resources. Without a strong NERC CIP program, Registered Entities weaken their ability to effectively respond to regulatory changes and resultantly increase the risk of:

  • Fines and penalties resulting from self-reports and regulatory settlements for noncompliance, system outages, and operations loss

  • Extrinsic risks such as the impairment of the organization’s public reputation and ability to uphold the reliability of critical infrastructure

To combat these external regulatory and cyber challenges, ICF supports Registered Entities in establishing and maturing self-sustaining NERC CIP programs that remediate cyber vulnerabilities, mitigate cyber threats, and enable efficient response to changes in regulatory requirements.

ICF consultants are equipped with the resources and expertise to confront the organizational and regulatory challenges facing Registered Entities. ICF’s NERC CIP advisory services draw upon industry experience, professional benchmarks, and cybersecurity best practices (e.g., COBIT, COSO, ISO, ITIL, NIST, SANS) to deliver prudent solutions that mitigate cyber risk while reducing compliance risk. Our consultants are certified professionals (e.g., CISA, CISSP, CRISC, PMP) with significant audit and advisory experience and possess deep knowledge of the electric utility industry’s regulatory environment.  

 

Related Resources

  • NERC CIP Management Consulting Services—ICF brings industry insight and professional guidance to an organization's management and operational activities that fulfill the following CIP Standards:
    • CIP-003 - Security Management Controls
    • CIP-004 - Personnel & Training
    • CIP-008 - Incident Reporting and Response Planning
    • CIP-009 - Recovery Plans for Critical Cyber Assets

  • NERC CIP Technical Consulting Services—ICF provides cybersecurity knowledge and professional guidance to support a Registered Entity's IT infrastructure and the technical controls that protect its critical cyber assets, as required by the following CIP Standards:
    • CIP-002 - Critical Cyber Asset Identification
    • CIP-005 - Electronic Security Perimeter(s)
    • CIP-006 - Physical Security of Critical Cyber Assets
    • CIP-007 - Systems Security Management

  • NERC CIP Strategic Consulting Services—ICF supports key management and senior-level personnel in developing cybersecurity strategies that address the organization's needs and management's expectations, including program governance, leadership, and oversight; mergers and acquisitions; regulatory interpretations and changes; compliance tools and controls; resource allocation; evidence and artifact; and policy and procedures development and improvement.

  • NERC CIP Compliance Education and Training—ICF coaches personnel on the requirements and interpretations of the NERC CIP Standards and provides education on the activities, documentation, roles, and disciplines necessary to achieve compliance for all of the NERC CIP Standards (i.e., CIP-002 through CIP-009). Training can be tailored to address internal initiatives and compliance objectives.

  • Subject Matter Expert (SME) Witness Testimony Training—ICF brings extensive experience in audit support and mock audit services to deliver robust SME testimony coaching and audit response training.

  • On-site NERC CIP Audit Support—From assistance in fulfilling data requests to performing quality assurance on documentation and providing input during audit interviews, ICF helps Registered Entities manage and facilitate audits and reduce exposure to compliance risk.

  • NERC CIP Program Controls Matrix—ICF provides Registered Entities with a management and administration tool that enables personnel responsible for the NERC CIP program to effectively manage and administer the full scope of the program. The Controls Matrix provides a comprehensive view of an organization's program, supporting activities and compliance operations, policies, artifacts, and process owners.

  • Reliability Standards Audit Worksheets (RSAW) Development and Maintenance—ICF supports Registered Entities in the development and maintenance of Reliability Standards Audit Worksheets (RSAWs) in preparation for audits. Services include drafting narratives, citing artifacts, and ensuring RSAWs accurately reflect the compliance posture.

  • NERC CIP Mock Audit—ICF performs NERC CIP Mock Audits for Fortune 500 utilities and municipalities across the United States and Canada. ICF’s methodologies are designed to emulate the rigor and independence of a Regional Entity Audit—to prepare the organization for audit, identify program weaknesses, and develop corrective actions needed to strengthen the program and achieve compliance.

  • NERC CIP Gap Assessment—ICF conducts Gap Assessments to determine the maturity and completeness of a NERC CIP Program, identifying and scoring gaps as well as the program's strengths. ICF provides recommendations based on utility industry best practices and professional standards such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) Standards, and other relevant guidance.

  • Cyber Vulnerability Assessment (CVA)—ICF's CVA leverages processes and methodologies built from best practices, industry experience, and client feedback to deliver a comprehensive CVA for CIP-005 and CIP-007 assets, supplemented with ICF's intimate familiarity with trusted technology (e.g., Nessus, Gold Disk, Retina, etc.) and deep technical knowledge.

  • Physical Security Assessment (PSA)—ICF's PSA utilizes site visits, physical walk-throughs, and direct observation to determine compliance with physical and electronic controls associated with Physical Security Perimeters (PSP) that protect CIP-005, CIP-006, and CIP-007 assets.

  • Self-Certification Support—ICF's Self-Certification Framework provides Registered Entities with reasonable assurance and documentation to support Self-Certification Reporting to Regional Entities and other U.S. regulators. It is comprised of comprehensive test plans and reporting mechanisms to document results and includes testing services that determine the extent to which a Registered Entity's controls are designed appropriately and operating effectively to meet NERC CIP Standards.

  • NERC CIP Program Remediation and Project Management Office (PMO) Support—ICF supports Registered Entities in remediating program weaknesses and gaps by providing Project Management Office (PMO) support, remediation status reporting, and developing and implementing corrective actions.

 

  • Project

    NERC CIP Gap Assessment

    ICF reviewed the RFC Registered Entity’s NERC CIP Program and supporting policies, procedures, and program artifacts against the NERC CIP Standards and Requirements to identify program strengths and weaknesses.

  • Project

    NERC CIP Mock Audit

    ICF reviewed the SERC Registered Entity’s NERC CIP Program administered by its Transmission Substations, Generation, Control Center, NERC CIP Physical Access Control System assets, and NERC CIP Electronic Access Control and/or Monitoring.

  • Project

    NERC CIP Program Controls Matrix

    ICF developed a NERC CIP Program Controls Matrix that maps NERC CIP Program policies, procedures, process owners, and audit artifacts to each requirement of the NERC CIP Standards.

  • Project

    NERC CIP Strategic Advisory Services

    ICF evaluated the NERC CIP Program governance structure and resources of the WECC Registered Entity in providing effective governance, leadership, and oversight.

Contact Info

Email:
info (at) icfi (dot) com

Phone:
+1.703.934.3603 or +1.800.532.4783

Address:
9300 Lee Highway, Fairfax, VA 22031-1207 USA

Find an ICF Office near you »

 
 

© Copyright 1992–2014 ICF International, Inc. All Rights Reserved.