Program Manager – NERC CIP
Location: Charlotte, NC/Remote
Major Duties & Responsibilities
The NERC CIP Program Manager is a NERC CIP compliance expert who manages, implements, and administers the NERC CIP Program and ensures Company Facilities remain in compliance with NERC reliability standards relating to the Generator Owner, Generator Operator, and Transmission Owner functions. The individual in this position will have a cybersecurity technical background and will lead CIP subject matter experts and facility personnel in administering, tracking, overseeing, reviewing, updating, documenting and performing the Low and Medium Impact CIP activities associated with the CIP Program across the fleet, with specific focus on the medium impact environments at our power plant locations. The position will functionally report to the Director – NERC Compliance and will be responsible for managing the CIP Cyber Security Technician(s) in accomplishing all NERC CIP requirements. The NERC CIP Program Manager will maintain a current working knowledge of regulatory standards and how they apply to each of the facilities’ operations. The NERC CIP Program Manager will use dedicated software programs to analyze, track, and schedule activities and work closely with the employees at the facilities, corporate IT personnel, corporate engineering personnel, and outside contractors as appropriate to ensure that the CIP Program remains in compliance with the NERC standards.
• Lead the NERC CIP compliance team in the execution and implementation of the CIP program across the fleet.
• Lead and/or oversee implementation of CIP Medium Impact upgrade projects at the sites.
• Demonstrate in-depth understanding of the NERC CIP Standards.
• Prepare regular updates on NERC CIP compliance progress.
• Administer the facilities’ NERC CIP compliance program, both Medium and Low Impact, and capture, analyze, and maintain program KPIs.
• Administer CIP workflow processes and support facility staff and CIP SMEs in executing required tasks, providing approval to these activities as required.
• Monitor and verify that CIP compliance-related tasks with required timelines are completed prior to their due date.
• Develop and implement effective processes for identifying, securing, and maintaining compliance-related documentation and evidence as required.
• Communicate NERC compliance information, standards, and requirements in a clear, concise manner to the Subject Matter Experts (SME) and facility staff.
• Coordinate, support, and/or lead facility staff and CIP team members to control the state of network and applications, champion change control process, and ensure that documents (e.g. baseline configurations and ESP diagrams) change in synchronism with hardware and systems.
• Coordinate, support, and/or lead facility staff and CIP team members in the security patch review and installation process.
• Maintain a working knowledge of the equipment, systems, and patch sources for devices in the CIP program.
• Maintain updated patch review documentation to facilitate monthly patch review processes.
• Review and identify all applicable patches within 35 days of release.
• Determine the applicability of patches associated with the equipment and systems in the CIP program and ensure that applicable patches are installed within 35 days of their review.
• Develop mitigation plans for patches that cannot be installed within 35 days of the review.
• Develop, administer and/or present CIP compliance training and awareness programs annually and as needed.
• Perform periodic internal compliance assessments and spot checks on applicable Standards, including assistance with performing Cyber Vulnerability Assessments at Medium Impact facilities.
• Manage and oversee the procurement and usage of third-party providers of CIP-related services as necessary.
• Track findings of CIP-related activities and develop implementation strategies to mitigate identified issues.
• Assess industrial control systems such as GE Mark V, Mark VI, and Siemens T3000 as well as others typically used in power generation for vulnerabilities and security risk.
• Ensure that Company facilities create and maintain up-to-date physical security and network diagrams using tools such as Microsoft Visio.
• Maintain working knowledge of the cyber security capabilities of operating systems, networking devices, control systems, and vendor offerings.
• Maintain a working knowledge of applicable and future NERC CIP standards and provide advice, direction, and support to others on their intent and application.
• Participate in the standard drafting process as determined appropriate.
• Develop and maintain a body of required CIP policies & procedures, and associated job aids to ensure the sites are compliant with all NERC CIP standards.
• Develop, implement, and track violation mitigation plan action items to ensure they are completed thoroughly and on time.
• Be the primary leader in compliance audits conducted by internal or outside entities.
Education/Experience Required
• Bachelor’s degree in Computer Science, Information Systems/Security, Computer or Systems Engineering, or related technical degree with 3-6 years of direct NERC CIP experience.
• Minimum of three years of experience in industrial electronic controls and operational technology.
• Experience with security platforms and applications such as but not limited to firewalls, routers, switches, network access control systems, SIEM, patch deployment tools, and remote access.
• In-depth knowledge of and experience with NERC practices and protocols related to the CIP Standards, including:
  o Regulatory compliance, internal controls, risk assessments, quality assurance, and process management.
  o Ability to understand and analyze FERC/NERC regulatory requirements.
  o Experience managing, evaluating, and reporting status of regulatory compliance activities.
  o Experience developing and implementing policies, standards, and governance processes.
• Strong leadership, management, interpersonal, problem-solving, organizational, prioritizing, and time-management skills to manage multiple responsibilities and deadlines at once.
• Excellent verbal and written communication skills required to communicate in a collaborative, concise and professional manner.
• Ability to work professionally with operating personnel and other business units on compliance activities or projects.
• Excellent work ethic with dedication to completing tasks in a timely manner and the ability to work independently as well as in a team setting.
• Experience in the use of network tools such as Wireshark, Nmap, and NPView, or similar.
• Working knowledge of Microsoft Word, Excel, PowerPoint, Teams, and Visio.
• A background investigation will be required for this position.
• Periodic travel estimated at 25%.