Our Regulatory Compliance services include, but are not limited to:
NERC CIP and O&P Compliance
Strive provides NERC CIP and O&P consulting services delivered by industry-leading professionals. Our NERC CIP and O&P consultants have years of experience in ICS/OT environments, and several are former regional auditors whose credentials and audit knowledge allow us to deliver best-in-class services.
NERC CIP and O&P Program Development
Our Subject Matter Experts will work with your support personnel to develop processes suited to even the most stringent compliance demands. Strive will also assess the areas of your program where deficiencies reside and provide remediation services so that compliance is sustainable. Strive SMEs will build a resource plan that identifies where time and effort should be focused to maintain a strong compliance program.
NERC CIP and O&P Gap Analysis
Our Gap Assessments identify potential problem areas in your compliance program so that you can close gaps before they become findings of non-compliance. The assessments are scalable, allowing for the review of a single requirement area, multiple requirement areas, or your internal controls. Strive provides expert mitigation recommendations that support solid compliance program performance.
NERC CIP and O&P Policy Review and Development
Strive SMEs leverage years of experience within the NERC CIP and Cybersecurity industries to review your organization’s current policies, offer evidence-based observations, and recommend actions to close any gaps within your policies and procedures and make them audit-ready. Strive SMEs can also develop policies and procedures through interviews with your organization’s SMEs to document practices already in place but undocumented.
NERC CIP and O&P Audit Preparation
Audits are intimidating, yet they are a necessary measure of a compliance program's success. Preparing for an audit can place a heavy burden on support staff. Strive can alleviate that burden by preparing your RSAWs (Reliability Standard Audit Worksheets), validating evidence, and educating your Subject Matter Experts for a positive audit outcome. Strive SMEs will also train your organization's SMEs on best practices for audit interviews.
NERC CIP-002-5.1 BES System Categorization
Has your organization had trouble categorizing your BES Cyber Systems? Strive can perform an onsite or virtual NERC CIP-002-5.1 BES Cyber System Categorization workshop presented by former CIP-002-5.1 regional auditors. Your organization's SMEs will learn how to properly categorize your BES Cyber Systems and enter an audit of your CIP-002 categorization posture with confidence.
Physical Security Assessments
Security assessments of your organization’s facilities are critical to evaluate existing physical security programs and safeguard your people and assets. Strive Subject Matter Experts have years of experience in ICS/OT environments and expertise in the latest technologies to implement solutions and access controls without impacting production. Strive SMEs are experienced in both NERC CIP-006 and NERC CIP-014.
Our TSA Security Guidelines services include, but are not limited to:
Pipeline Cyber Asset Classification
Does your organization need assistance performing a TSA Pipeline Criticality Assessment? Strive will help your organization determine if your pipelines are considered critical and apply baseline or enhanced security measures dependent on the outcome.
Corporate Security Plan
Is your organization having trouble getting your compliance program off the ground? Strive will work with your internal stakeholders to create a comprehensive corporate security plan that not only meets your organization’s compliance needs but also lays the foundation for an effective cybersecurity program.
Physical security of our clients’ assets and personnel is of the utmost importance to Strive. Strive leverages former physical security auditors from NERC regions to review your physical security program and measures. Our SMEs will work with your organization to identify gaps and create a plan of action with milestones to ensure that your people and assets remain safe.
II.B.2.a. Multi-Factor Authentication
Strive SMEs will design, implement, and test your remote access environment for non-service accounts accessing Information Technology and Operational Technology systems in a manner compliant with the most current version of NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, including its requirements for multi-factor cryptographic device authenticators.
II.B.2.b. Network Segmentation
II.B.2.b. requires network segmentation (physical and logical zones) sufficient to ensure that the Operational Technology system can operate at necessary capacity even if the Information Technology system is compromised. Strive SMEs will identify and document your IT and OT interdependencies. Our experts have years of experience designing and implementing DMZs and least-privilege Access Control Lists, along with state-of-the-art monitoring capabilities, to secure your network.
II.B.2.c. Logging, Alerting, and Retention
Logging within your environment is required to comply with II.B.2.c. Strive will design and implement your environment to meet the log retention, configuration, and alerting requirements, and will align your SIEM with a relevant threat model built using MITRE's Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) for ICS.
II.B.2.d. & II.B.2.e Traffic Filtering and Monitoring
II.B.2.d. & II.B.2.e. require Pipeline Operators to monitor email, websites, and endpoints for malicious software and communications. They also require these organizations to create access control lists that block communication with known malicious external sites and limit traffic between their OT and IT environments to the communications required for operation. Strive SMEs have decades of experience performing these tasks and will help your organization become compliant.