Security Controls & Framework Solutions
Governance programs need to establish controls so the company can begin managing the security processes and practices that have been implemented. This is a very difficult task to accomplish for even the most mature security teams. Archer has been providing guidance and solutions on how to build security controls and utilize security frameworks for utilities and other energy companies for many years.
In recent years, the focus has turned to the NIST Cyber Security Framework (CSF) and Cybersecurity Capability Maturity Model (C2M2) solutions for the energy sector. Unfortunately, these are mere guidelines that require a tremendous amount of thought and design to actually utilize in your organization. The benefits of using the CSF and C2M2 as tools are outstanding, but they need to be applied correctly.
Archer staff members have been intimately involved in the creation and promotion of both the NIST CSF and the energy sector's C2M2. We are able to help companies understand how to use these frameworks to build a measurable and sustainable cyber security program.
Some of our solution offerings include:
– Hands-on design of security controls and applicable metrics
– C2M2 Evaluations
– NIST Cyber Security Framework (CSF) implementation workshops
Physical Security Assessments
Physical security is the lifeblood of cyber security. Without it…there really is no cyber security! But that isn’t all we focus on at Archer when it comes to the physical protections needed for critical infrastructure. Our highly qualified physical security specialists have practical, real-world experience in assuring that an organization’s security risks are managed holistically. We are able to assist military institutions, financial institutions, academia, gas and oil facilities, hospitals, generation plants, airline control centers, substations and many other critical organizations in building and/or assessing their security program. If you are in need of a third-party audit of your physical security environment, we can help.
We are also qualified to perform NERC CIP-014-1 physical security assessments. This is a specialized skill that requires full knowledge of this requirement and the ability to assure that the reports and follow-up documentation are audit-ready.
NERC Compliance Services
Sometimes it can seem so overwhelming. The task of achieving compliance with enforceable or soon-to-be-enforceable NERC and Regional Entity Reliability Standards is difficult, to say the least. We should know, as we have been helping organizations consisting of investor-owned utilities, municipal power systems, independent power producers, rural electric cooperatives and G&Ts, and public power agencies wade through the NERC mandatory requirements for over a decade.
Our team of experts includes:
- A previous Chief Operating Officer of the Western Electricity Coordinating Council (WECC)
- Former utility compliance officers and chief information security officers
- Former Regional Entity NERC and FERC auditors
- Team members from the NERC 2003 Blackout Investigative Team
- Previous members of Standard Development Teams
- Members and/or chairs of various NERC, SERC, and WECC committees and subcommittees
- Active participants in the development of the NIST Cybersecurity Framework (CSF)
- Developers of the Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2)
We know the NERC standards inside and out. It is our specialty, and our subject matter experts have more hands-on experience than any other consulting firm in North America. If you are looking for expert assistance in assuring your organization has a sustainable NERC compliance program and is capable of fully addressing its compliance obligations, then look no further than Archer!
With over 300 actual NERC Operations and Planning (O&P) and Critical Infrastructure Protection (CIP) audits performed as auditors for a compliance enforcement agent (CEA) all over North America, we have the experience and working knowledge to help you and your organization. Our NERC Compliance Services department offers assistance covering NERC O&P and CIP Reliability Standards and includes, but is not limited to, the following:
- Audit Interview Training – Provide training to client personnel to help them prepare for interviews and questions that are likely to be posed during a NERC/Regional Entity audit.
- Audit Support (during actual audit) – Assist client in gathering data and answering auditor’s questions during the NERC/Regional Entity on-site/off-site audit.
- BES Cyber Asset Inventory validation – Provide analysis of a utility's BES Cyber Assets to assure that they have been properly categorized.
- BES Cyber System Identification Workshops – Facilitate a workshop with key subject matter experts to develop a list of BES Cyber Systems using a methodology that is aligned with the expectations of the Regional Entity and FERC CIP auditors.
- CIP-002-5.1 Assessment Methodology validation – Review the methodology a utility uses to determine facility high, medium and low rankings and the categorization of Cyber Assets.
- CIP-014 top to bottom consulting, assessments & testing – Provide consulting and assessment services that meet all the requirements within the CIP-014 Standard.
- Cyber Asset Inventory walk-downs and/or validation – Help utilities build or validate an inventory of all Cyber Assets located in the High, Medium and Low facilities.
- Documentation only reviews – Review client’s compliance documentation and develop recommendations for additions and modifications to comply with NERC and Regional Entity requirements.
- Enforcement settlement consultation and support – Assist client in preparing for a settlement hearing and negotiating a settlement with the Regional Entity after receiving notification of an alleged violation.
- Evidence Preparation Training – Provide training on the appropriate form and content of evidence to be presented and the correct style and guidelines for writing within Reliability Standard Audit Worksheets (RSAWs).
- Gap Analysis – Review client’s compliance documents and procedures to identify gaps with respect to complying with NERC and Regional Entity Reliability Standards.
- Inherent Risk Assessments (IRA) – Conduct risk assessments covering Generation, Transmission, Load, Planning, Operations, Events, Changes to the System, and Agreements and/or review Regional Entity final IRA of client and provide findings and recommendations to correct any gaps found and identify Reliability Standards that pose the highest risk.
- Internal Compliance Program Development – Review client’s functional responsibilities and assist in developing an internal compliance program that meets or exceeds FERC, NERC, and Regional Entity compliance requirements/expectations. Provide recommendations on staffing, structuring, and organizing the internal compliance function. Ensure that the ICP has all the necessary attributes.
- Internal Controls Evaluation (ICE) – Evaluate client’s controls for identified risks and associated Reliability Standards identified in the IRA and provide findings and recommendations to the client regarding its controls.
- NERC CIP-008 and CIP-009 facilitated exercises – Help develop exercise scenarios that best test the utility's capabilities to follow its NERC CIP incident response and recovery plans.
- Procedures and Programs – Assist client in developing and implementing formal procedures and programs that are necessary to demonstrate compliance and achieve sustained compliance. Prepare training material and assist client in training all applicable personnel regarding procedures that they are responsible for following.
- RSAW preparation (review, re-write or creation) – Assist client in either reviewing prepared RSAW write-ups and providing recommendations for improvement, or creating prepared RSAWs based on information and evidence provided by client.
- Mock Audits – Perform a confidential internal audit of the client’s implementation of its functional responsibilities to help the client prepare for NERC and Regional Entity compliance audits.
- Version transition planning – Provide consulting services and planning to support a transition from a previous NERC Operations & Planning or CIP Standard to a new one.
Industry Product Alignment
Many of our subject matter experts have been helping suppliers align their product features and marketing messages with the industry for years. Archer personnel have been key decision makers, buyers and implementers of many security and compliance tools within the utility environments. This special insight and utility experience allows us to help assure you are connecting with the utility in just the right way.
We also help your organization map product features to the NERC CIP Standards, ES-C2M2 maturity indicator levels and the NIST Cybersecurity Framework where applicable. This can help give you that extra edge when engaging your next potential client.
This service often includes:
– Market collateral assessments
– Mapping current features to security regulations
– Sales staff training sessions
– Target market reports
– Messaging workshops
Cyber Security Assessments
If you are in the energy sector, you know how important your industrial control environments are to your reliable operations. In order to assure the continued reliability and, perhaps, enhance it as well, you don’t want just anyone coming in to perform a cyber security assessment of these critical systems.
Archer employs some of the energy sector’s most seasoned and skilled cyber security assessment professionals. We have worked in the utility space and have been responsible for performing vulnerability and general cyber assessments on industrial control environments at generation plants, substations, control rooms, control houses, associated data centers, switchyards, oil refineries, and gas facilities for decades. We know how to do it right and we know what really matters.
We also know that the back office is equally important and are adept at providing internal audit and security teams with cyber security assessments on corporate system environments as well!
Our cyber security assessments include:
– Penetration testing
– Vulnerability assessments
– Cyber security risk assessments
Compliance Program Development
There is no more important matter than establishing and maintaining a solid compliance program. Far too many organizations do not put the due diligence into properly organizing or establishing the necessary building blocks required for such a program. Archer Energy Solutions’ subject matter experts have been designing compliance programs for organizations for many years, including working with executives to help them align this critical function with the rest of the company.
Proper design is more than just following a “template” considered best practice. It is about working hand-in-hand with our clients to understand their business, compliance objectives and specific constraints. Only then can we provide guidance that will work. Of course there are some must-have elements of any compliance program, but to truly develop one that works for an organization requires a deep understanding of how it functions. Ask us how we can help your organization develop or improve your compliance program today.