Development of NERC CIP Program

Client Situation

The owner-operator of a portfolio of clean, efficient, and responsive power needed to develop a NERC CIP program with a six-month implementation time frame.

Strive oversaw the rebuild of existing networks and the implementation of all cybersecurity controls required by NERC CIP to meet compliance requirements.

Key Challenges

With a regulatory deadline quickly approaching, the owner-operator of a portfolio of clean, efficient, and responsive power had a new NERC CIP compliance program in place which lacked maturity and wasn’t sure to pass inspection. Their uncertainty was compounded by an outdated network architecture that would not support the NERC CIP controls needed to be compliant. Further, they sorely lacked subject matter expertise in-house regarding NERC CIP compliance.

Our Approach 

Strive was able to quickly and efficiently review all of our client’s NERC CIP policies and procedures to identify deficiencies and close compliance gaps. We then helped redesign, rebuild, and test their network while causing minimal impact to the production environment. The implementation featured multiple security, compliance and reporting systems needed to meet NERC CIP objectives, including EAP, IDS, SIEM, and configuration management tools enabling checks to validate continuous compliance posture.

A physical security plan was implemented for protection of BES Cyber Systems, a cyber vulnerability assessment was conducted to identify risk, and a mitigation strategy was implemented. Finally, we rolled out of a comprehensive NERC CIP strategy throughout the organization.


  • Strive created a state-of-art sustainable NERC CIP compliant production environment that also met security objectives.
  • These well thought out policies and procedures not only met audit expectations, but resulted in an audit-validated NERC CIP compliance program.