Program Manager

Program Manager – NERC CIP

Location: Charlotte, NC/Remote

Major Duties & Responsibilities

The NERC CIP Program Manager will use dedicated software programs to analyze, track, and schedule activities and work closely with the employees at the facilities, corporate IT personnel, corporate engineering personnel, and outside contractors as appropriate to ensure that the CIP Program remains in compliance with the NERC standards.

• Lead the NERC CIP compliance team in the execution and implementation of the CIP program across the fleet.
• Lead and/or oversee implementation of CIP Medium Impact upgrade projects at the sites.
• Demonstrate in-depth understanding of the NERC CIP Standards.
• Prepare regular updates on NERC CIP compliance progress.
• Administer the facilities’ NERC CIP compliance program, both Medium and Low Impact, and capture, analyze, and maintain program KPI’s.
• Administer CIP process workflow processes and support facility staff and CIP SMEs in executing required tasks, providing approval to these activities as required.
• Monitor and verify CIP compliance-related tasks with required timelines are completed prior to their due date.
• Develop and implement effective processes for identifying, securing, and maintaining compliance-related documentation and evidence as required.
• Communicate NERC compliance information, standards, and requirements in a clear, concise manner to the Subject Matter Experts (SME) and facility staff.
• Coordinate, support, and/or lead facility staff and CIP team members to control the state of network and applications, champion change control process, and ensure that documents (e.g. baseline configurations and ESP diagrams) change in synchronism with hardware and systems.
• Coordinate, support, and/or lead facility staff and CIP team members in the security patch review and installation process.
• Maintain a working knowledge of the equipment, systems, and patch sources for devices in the CIP program.
• Maintain updated patch review documentation to facilitate monthly patch review processes.
• Review and identify all applicable patches within 35 days of release.
• Determine the applicability of patches associated with the equipment and systems in the CIP program and ensure that applicable patches are installed within 35 days of their review.
• Develop mitigation plans for patches that cannot be installed within 35 days of the review.
• Develop, administer and/or present CIP compliance training and awareness programs annually and as needed.
• Perform periodic internal compliance assessments and spot checks on applicable Standards, including assistance with performing Cyber Vulnerability Assessments at Medium Impact facilities.
• Manage and oversee the procurement and usage of third-party providers of CIP-related services as necessary.
• Track findings of CIP-related activities and develop implementation strategies to mitigate identified issues.
• Assess industrial control systems such as GE Mark V, Mark VI, and Siemens T3000 as well as others typically used in power generation for vulnerabilities and security risk.
• Ensure that Company facilities create and maintain up-to-date physical security and network diagrams using tools such as Microsoft Visio
• Maintain working knowledge of the cyber security capabilities of operating systems, networking devices, control systems, and vendor offerings.
• Maintain a working knowledge of applicable and future NERC CIP standards and provide advice, direction, and support to others on their intent and application.
• Participate in the standard drafting process as determined appropriate.
• Develop and maintain a body of required CIP policies & procedures, and associated job aids to ensure the sites are compliant with all NERC CIP standards.
• Develop, implement, and track violation mitigation plan action items to ensure they are thoroughly and timely completed.
• Be the primary leader in compliance audits conducted by internal or outside entities.

• Bachelor’s degree in Computer Science, Information Systems/Security, Computer or Systems Engineering, or related technical degree with 3-6 years of direct NERC CIP experience.
• Minimum of three years of experience in industrial electronic controls and operational technology.
• Experience with security platforms and applications such as but not limited to firewalls, routers, switches, network access control systems, SIEM, patch deployment tools, and remote access.
• In depth knowledge of and experience with NERC practices and protocols related to the CIP Standards, including:

o Regulatory compliance, internal controls, risk assessments, quality assurance, and process management

o Ability to understand and analyze FERC/NERC regulatory requirements.

o Experience managing, evaluating, and reporting status of regulatory compliance activities.

• Strong leadership, management, interpersonal, problem-solving, organizational, prioritizing, and time-management skills to manage multiple responsibilities and deadlines at once.
• Excellent verbal and written communication skills required to communicate in a collaborative, concise and professional manner.
• Ability to work professionally with operating personnel and other business units on compliance activities or projects.
• Excellent work ethic with dedication to completing tasks in a timely manner and the ability to work independently as well as in a team setting.
• Experience in the use of network tools such as Wireshark, nMap, and NPView, or similar.
• Working knowledge of Microsoft Word, Excel, PowerPoint, Teams, and Visio.
• A background investigation will be required for this position.
• Periodic travel estimated at 25%.