
Case Study
Audit remediation for a US renewables business
Background
A major renewables business had identified several gaps following an internal audit. This audit had evaluated its Operational Technology (OT) networks, including the Process Control Network (PCN) and the Process Information Network (PIN), along with access from external sources, against group-defined policies (GDP) that set out security best practices. The client’s renewables business comprises multiple operational sites producing a significant amount of energy.
Group-defined policies (GDP) had been implemented across the whole enterprise to provide assurance that the PCNs and SCADA networks were adhering to consistent global policies and procedures. This ensured secure and robust network infrastructure and services across the operational technology landscape.
With audit deadlines looming and gaps across multiple areas, the organisation asked us to resolve the issues identified in the audit.
The challenge
The audit uncovered gaps across several critical areas, including third-party access, user training, infrastructure security, and policy documentation.
In addition to the internal gap challenges, this group policy also needed to be applied to third parties, such as manufacturers, support companies, cabling contractors, and OT software providers.
What we did
We began with a deep-dive review of the GDPs to fully understand the defined policies and how they relate to process control infrastructure in a renewables environment.
We then analysed the audit findings to identify the gaps against the GDPs and implemented policies, procedures and architecture to close those gaps and ensure they conformed to the Enterprise GDPs.
This encompassed:
- Third-party engagement and architecture redesign: Ensured the recommended three-tier architecture was in place, so that third-party access was routed securely through distinct network zones (enterprise, process information and process control network) separated by multiple firewalls.
- Training and certification: Ensured all mandatory training for client and third-party personnel accessing the PCN was in place and being tracked. Tiered training levels ensured that each user had the correct access rights and knowledge based on their role.
- Security: Created a comprehensive set of operational policies and procedures to address items including system hardening, anti-malware, user access, removable media and backup and restore.
- Business continuity planning: Ensured a robust BCP was in place to mitigate issues in the event of any emergencies – from cybersecurity threats to extreme weather events such as hurricanes.
- Lifecycle management: Reviewed inventories to identify and document any end-of-life hardware.
- Licensing reviews: Ensured every device operating on the OT infrastructure had a valid licence – including routers, switches, servers and software.
What we achieved
Within just 18 months we remediated all internally identified gaps relating to the client OT infrastructure and achieved full sign-off from the internal audit team – well ahead of the multi-year deadline. We continued to work with third-party suppliers to ensure conformance to OT GDPs. Key achievements included:
- Audit closure ahead of schedule: All internal compliance milestones achieved within 18 months.
- Increased operational resilience: Enhanced infrastructure and delivered detailed procedures and policies to strengthen preparedness for cyber and physical threats.
- Improved third-party governance: Vendors aligned with security architecture, policies and procedures.
- Future-proofed OT environment: Established processes and training for ongoing compliance.
Why prosource.it?
Delivering this scale of transformation in a live, multi-site environment with minimal disruption is a testament to our deep OT domain expertise and collaborative, hands-on approach. Being entrusted with the operational technology of a global enterprise’s renewables business reflects the confidence they had in us and our expertise.
Get in Touch
Talk to us today to explore how we can support your organisation's technology needs.