Simplify compliance to NERC CIP with ServiceNow

Disconnected technology, teams, and antiquated tools put critical infrastructure at risk and opens the door to penalties.

When we think of NERC CIP and ServiceNow, we must think of it as a two-way street and in some cases a shared responsibility between the end-state utility and ServiceNow.

At the end of the day, it is the responsibility of the end-state utility to adhere to NERC CIP; and with ServiceNow, we can ensure and prove that adherence.

We generally find customers start with the NERC CIP standards 3, 7, and 10, which are tightly coupled; and then 9 and 13. Each of these require different teams working together and some foundational technology in place. Let’s take a closer look at how the ServiceNow Platform, Integrated Risk Management (IRM), IT, OT, Security Operations, Third-party Risk Management (TPRM), and Business Continuity Management (BCM) products can help you address:

• CIP-003 – platform capabilities help you tether your assets to controls.
• CIP-007 – use Integrated Risk Management (IRM) and the CMDB to manage your IT and OT assets
• CIP-010 – manage the change and vulnerability management processes and provide assurance that you did that change correctly without putting your critical infrastructure at risk.
• CIP-013 – TPRM ensures suppliers are adhering to NERC CIP best practices.
• CIP-009 – BCM helps you implement backup and recovery processes with regular testing. 

The foundation for everything is our intelligent ServiceNow Platform to connect people, functions, and systems – driving innovation and streamlining energy operations.

With Advanced Security Protection with ServiceNow Vault you can have BCSI (bulk electric system information), the data you’re trying to protect, in the cloud and expand the platform to help automate and optimize NERC CIP processes. No matter what CIP process you are accountable for managing or attesting, the platform can assist by improving your approach to managing CIP. Utilities like yours are now in a position to transform every aspect of your value chain.

Implementing and managing NERC CIP 7 & 10 controls is perhaps one of the more complex and challenging processes you have to endure.

To help address this ServiceNow IRM, IT, OT, and Security Operations solutions provide an end-to-end approach to identifying IT and OT vulnerabilities, facilitating patch management orchestration, managing the change, and providing the evidentiary support to auditors which demonstrates that the process was managed effectively.

By optimizing these processes, it opens up opportunities for you to continue to innovate around these assets and begin to explore cybersecurity use cases such as attack path prevention, threat hunting, playbook automation, and adversarial simulation.

Achieving baseline capabilities to support NERC CIP is just the start of where you can go once you have a 360-view of your assets.

The CIP 13 requirements can be addressed using ServiceNow Third-party Risk Management. Make sure that the partners that you’re working are adhering to the standards that protect your sensitive information within your environment. As the number of suppliers grow it’s essential to have a program in place that will scale. Overlooking this can result in serious reputational and financial risks.

Finally let’s talk about how ServiceNow can help you address CIP 9, which is all about backup, recover, and management of recovery plans from an end-to-end perspective.

You’ve no doubt got a playbook in the event of a disruption to get your critical systems back online. This is obviously not something you create and forget.  Systems are constantly changing, and technology is being added so these playbooks must be reviewed, and the plans tested on a regular basis. Doing this manually is extremely challenging.

Our Business Continuity Management solution is available to help automate this process more effectively and efficiently, in addition to providing capabilities to better manage notifications during a crisis.

The ServiceNow platform and solutions can help you better manage your operational risk and ability to comply with NERC CIP, the regulatory oversight to ensure that your critical infrastructure is protected 24 x 7 x 365.