CASE STUDY | POWER GENERATION

Energy Company Achieved Readiness in Eight Months

A major energy company achieved CIS Controls maturity with unified security, compliance reporting, and industrial control system protection.

A major US-based energy company wants to protect its assets from cyber threats. They have operational assets ranging from power generation to transmission and distribution. They also have a range of IT assets for employees, customers, and billing systems.

Challenge
  • Faced inconsistent security maturity across tens of thousands of geographically distributed IT and OT assets
  • Lacked clarity on current cybersecurity posture with multiple, overlapping regulatory requirements like NERC CIP and PII protections
  • Needed to align IT and OT under a common cybersecurity framework, despite doubts about applying CIS Controls to industrial environments
  • Required a solution that could work across a multi-vendor OT environment without compromising operational integrity
Solution
  • Verve® by Rockwell Automation
  • CIS Controls framework
  • Automated asset inventory and endpoint manager
  • Structured remediation roadmap with patching, configuration changes, segmentation, and compensating controls
  • Ongoing compliance monitoring, new procedures, and training
Result
  • Achieved CIS Controls maturity level across all in-scope assets within 8 months
  • Gained complete asset visibility and threat insight across OEM control systems
  • Improved security posture while maintaining operational reliability
  • Built a sustainable compliance and monitoring program, integrated into corporate security operations
  • Reduced long-term cyber risk through proactive remediation

A major US-based company approached Verve by Rockwell Automation with a bold vision: to unify its IT and OT assets under a single standard. At the time, applying CIS Controls to OT assets at scale was considered controversial because of the concern that doing so would compromise the integrity of the OT assets.

Challenge

The company faced an expansive and diverse attack surface with operational assets that included power generation from coal, gas, wind, and hydro in addition to transmission and distribution networks.

They also managed a vast IT footprint that encompassed employee systems, billing platforms, and customer data. All were subject to different regulatory requirements that included NERC CIP and PII protections.

Leadership recognized the growing threat landscape. They sought to move beyond fragmented and reactive cyber strategies with a clear but ambitious objective—establish measurable cyber security maturity across all computing assets in under 1 year.

Solution

They needed a scalable, actionable framework and partner to help them operationalize it across tens of thousands of assets. The company selected the CIS Critical Security Controls (CIS CSC) as its guiding framework.

Deployed Assessment Tools

Verve by Rockwell Automation’s automated asset inventory safely scanned and fingerprinted the company’s IP addresses across the OT network. Our endpoint manager gathered 1,000+ pieces of information on Windows, Unix, and Linux assets, embedded asset firmware, and other configuration information.

Rockwell Automation also used the software and firmware data gathered in the asset inventory to conduct a passive assessment, which evaluated the OT systems without harming them.

Developed Roadmap for Remediation

Once the foundation was built, Rockwell Automation proceeded with passive vulnerability assessments, network segmentation reviews, and a detailed gap analysis against over 120 CIS subcontrols.

From there, Rockwell Automation worked with the energy company and developed a roadmap for remediation. It prioritized action based on risk and operational feasibility. Remediation activities included software removal, patch deployment, password policy enforcement, segmentation, and compensating controls when compliance was not technically achievable.

Consolidated Reporting with Compliance Monitoring

To sustain long-term success, the company implemented a compliance monitoring system that consolidated reporting across all assets and controls, and trained personnel on new procedures and security elements. This allowed the OT security team to maintain oversight and confirmed that all new assets introduced into the network maintained compliance going forward.

Result

Raised Cyber Maturity Across Assets

In 8 months, the energy company achieved its goal of raising cyber maturity across tens of thousands of assets using CIS Controls. Every asset type, from IT servers to substation control systems, was assessed, remediated, and integrated into a single compliance monitoring framework.

Reduced Long-Term Risk

This project demonstrated that rapid and secure transformation is possible in even the most complex OT environments. Not only did the energy company improve their security posture, they also reduced long-term risk by addressing root-cause vulnerabilities instead of relying solely on detection-based tools.

Positioned for Long-Term Success

A combination of hardened procedures, a continuously monitored compliance system, and deeply integrated tools positioned the company for long-term success with their security maturity, all while scaling operations.

They also avoided operational disruptions and regulatory fines by proactively addressing vulnerabilities and implementing controls that aligned with both internal policies and external mandates.

Published July 28, 2025

Topics: Build Resilience Cybersecurity Power Generation