Identity that survives the NERC CIP audit.
IGA, PAM, and zero-trust programs for utilities, generators, and pipeline operators. NERC CIP, TSA Pipeline Security, and IEC 62443 aligned.

- NERC CIP
- TSA Pipeline Security
- IEC 62443
- NIST 800-53
- NIST 800-82
- API 1164
Use cases we have shipped in energy & utilities.
- Use case · 01
Bulk Electric System (BES) cyber asset access
Access governance for Medium and High Impact BES Cyber Assets. CIP-004 personnel risk assessment, CIP-005 ESP access governance, and CIP-007 patch management evidence engineered as a byproduct of operations.
- Use case · 02
Operational Technology (OT) identity
Identity and privileged access for SCADA, DCS, and PLC environments. Read-only governance over ICS, vendor remote-access flows aligned to TSA Pipeline Security Directive expectations.
- Use case · 03
Privileged remote access for field operations
Privileged remote access for substation, plant, and pipeline field operators without VPN dependency. Time-bounded, ticket-bound, recorded — engineered around real operational tempo.
- Use case · 04
Vendor + contractor lifecycle for outage windows
Identity lifecycle for the contractor populations that surge during planned outage windows. Sponsorship, attestation, and offboarding aligned to your work management system.
- Use case · 05
NERC CIP-013 supply chain identity
Vendor identity governance under CIP-013 supply chain cyber security. Vendor risk attestation, access scoping, and offboarding evidence captured per agreement.
- Use case · 06
Customer identity for utility billing portals
Customer identity for residential and commercial billing self-service. Fraud-aware MFA, account recovery flows engineered around real customer-service operational tempo.
- Use case · 07
IT/OT convergence identity architecture
Identity architecture spanning the IT enterprise and OT operational environments. Boundary patterns, federation, and access governance engineered with the right separation rather than collapsed into a single fabric.
The buyer archetypes we have shipped programs for.
We hold NDA on most engagements. Tiers below reflect the buyer archetypes we have shipped programs for. References available on request, after mutual NDA.
- Tier-1 US Bank · FFIEC · SOX
- Custody Bank · GLBA · FFIEC
- Federal Agency · FedRAMP High
- State System · StateRAMP
- Top-10 Hospital · HIPAA · HITRUST
- Health Payer · HIPAA
- FinTech Platform · PCI-DSS · SOC 2
- Asset Manager · SOX · SOC 2
Common questions.
Do you have direct experience with NERC CIP audit expectations?
Yes. Every IAM program we deliver against the BES is mapped to NERC CIP-004 through CIP-013 with the artifact set Regional Entity auditors request. Our deliverables include CIP-004-7 personnel risk assessment evidence, CIP-005-7 ESP access logs, CIP-007-6 patch management evidence, and CIP-010-4 configuration change records.
Can you support OT environments with IGA tooling that was built for IT?
Carefully. The naive answer is no — OT systems are not designed to be probed by IGA tooling, and aggressive enumeration will trigger ICS protective behaviors. We engineer read-only governance over OT, with IGA actions limited to the IT-side identities that connect into OT. The boundary is real and we respect it.
How do you handle the contractor surge during planned outages?
Outage-window contractor lifecycle is the most operationally demanding scenario in utility IAM. We engineer pre-staged provisioning aligned to the outage schedule, sponsorship workflows tied to the work management system, and aggressive offboarding latency targets. Audit evidence is captured per access; reconciliation is automated.
What is a typical engagement shape for a Medium-Impact utility?
90-day diagnostic + CIP-aligned reference architecture, then phased build over 6-9 months. CIP audit-ready evidence by month six on the first scope; broader rollout follows on the next audit cycle.
Do you work with NERC Regional Entity self-reports?
Yes. Several of our active programs include support for NERC self-reports and mitigation plan execution. We engage early enough to influence the mitigation plan rather than reacting after a finding.
Ready to scope an energy & utilities engagement?
Same-day reply during business hours. NDA on request before discovery.