Bill Lawrence came to SecurityGate.io to serve as Chief Information Security Officer with an incredible background. In the announcement of Bill joining our team you can read the details including how he flew jets in the U.S. Navy, taught cybersecurity courses at the U.S. Naval Academy, and most recently, was Vice President and Chief Security Officer for the North American Electric Reliability Corporation (NERC).
Keeping the Nation’s Grid Secure
At NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) Bill directed security risk assessment and mitigation initiatives for protecting critical electricity infrastructure across North America. These initiatives include the very popular GridSecCon annual conference series and GridEx, a biennial security tabletop exercise with thousands of participants. The E-ISAC also promotes sharing of security information between industry and government sources for the benefit of enhanced security for electric grid operations.
For many years, Bill worked with utilities of all sizes to comply with the security baselines within the NERC Critical Infrastructure Protection standards, and then go beyond them. Every 3 to 6 years, depending on the organization type, federal regulations mandate that electric utility companies report their compliance against security standards through an assessment using the NERC CIP assessment framework. It’s in this area where Bill says SecurityGate.io’s help is so valuable.
The Common Stumbling Blocks for Utilities
Preparing for a NERC CIP audit can be daunting. Ensuring your organization is in alignment with everything needed to meet the requirements is a tremendous amount of work. Well before an auditor begins the official process of assessing an organization’s compliance to the NERC CIP standards, the organization goes through its own assessment process.
This is a very manual, time-consuming undertaking and can be very expensive. Often, consultants are involved to help run the assessment and provide guidance on what to do with the results. The longest part of the process is collecting and organizing the data into something the organization can make decisions with.
Data is collected from all over. In many cases, travel to on-site locations is required and in-person interviews are held. Questionnaires requesting specific types of information are sent out to employees across the organization, as well as suppliers and vendors. The process is exhaustive and can be disruptive to the organization. Employees far and wide may be contributing time to the assessment that is taken from their regular duties.
All of the data collected is then cleaned up and organized, and ultimately turned into reports that tell the organization where the compliance shortcomings are. Getting to this point can take months.
Why Bill Believes SecurityGate.io Can Bring Value to Utilities Conducting NERC-CIP Assessments
This is the exact type of scenario SecurityGate.io was started for. Introducing digital automation and fast Software as a Service (SaaS) workflows to the assessment process reduces a majority of the manual work. Customers often note how much easier an assessment is to complete and how much less operational disruption there is with their teams.
The SecurityGate.io platform brings all the people needed for the assessment together in one place to contribute the information they need to share. One of the great things about this is they don’t all have to be there at the same time, or for the same amount of time. They can contribute their data on their own schedule as it’s convenient. Gone are the days of getting everyone in a conference room (or virtual meeting) for several days, so that each person can give their report. Most SecurityGate.io customers say travelling for assessments has been completely eliminated by the use of our platform.
The only part of an assessment more challenging than collecting the data is turning it into something meaningful and useful. Digital automation shines here. All the collected information is cleaned, organized, and turned into metrics and reports automatically and instantly as the data is received by the SecurityGate.io platform. It maps each answered security question back to NERC CIP controls and shows exactly what is missing and what meets compliance.
The analysis of the assessment data is a critical step. Organizations want to be sure they are not going to be penalized for being out of compliance. Fines for not meeting the standards can be extremely high, as we saw with Duke Energy a few years ago.
Beyond compliance, the platform goes a step further. It shows a risk analysis of the entire organization and what next steps should be prioritized. As is often said in cybersecurity circles, compliance doesn’t necessarily mean security. While compliance to NERC CIP is a great step in the right direction, the organization should fully understand where it is vulnerable and what should be done about it. Making the decisions about where to focus first can be difficult and is a problem the platform addresses directly with the risk analysis reports.
Ultimately, the reason Bill believes SecurityGate.io is such a valuable asset for electric utility companies is that the platform drastically cuts down the time and effort for collecting data and making it useful. Organizations can now feel confident about their NERC CIP compliance status going into official audits.
Bill says the security practitioners on the front lines will also enjoy having SecurityGate.io involved. Because they have the assessment results so much faster and compliance “suitcased”, the security teams have more time to make any needed remediations or improvements before the audit and get back to their security roles. More time means less stress, which means decisions can be thoroughly vetted in a methodical approach to cybersecurity tactics.
At SecurityGate.io, we exist to help critical infrastructure organizations make cybersecurity improvements faster so they can protect what matters. We would love to show you how our platform can make a difference in your processes for compliance and cyber posture improvement.
Contact us here and watch a quick 3-minute video demo of our platform.