A major US-based energy company wants to protect its assets from cyber threats. They have operational assets ranging from power generation, transmission, and distribution. They also have a range of IT assets for employees, customers, and billing systems.
- Faced inconsistent security maturity across tens of thousands of geographically distributed IT and OT assets
- Lacked clarity on current cybersecurity posture with multiple, overlapping regulatory requirements like NERC CIP and PII
- Needed to align IT and OT under a common cyber security framework, despite doubts about applying CIS controls to industrial environments
- Required a solution that could work across a multi-vendor OT environment without compromising operational integrity
- Verve® by Rockwell Automation
- CIS Controls framework
- Automated asset inventory and endpoint manager
- Structured remediation roadmap with patching, configuration changes, segmentation, and compensating controls
- Ongoing compliance monitoring, new procedures, and training
- Achieved CIS Controls maturity level across all in-scope assets within 8 months
- Gained complete asset visibility and threat insight across OEM control systems
- Improved security posture while maintaining operational reliability
- Built a sustainable compliance and monitoring program, integrated into corporate security operations
- Reduced long-term cyber risk through proactive remediation
A major US-based company approached Verve by Rockwell Automation with a bold vision—to unify its IT and OT assets under a single standard. At the time, applying CIS Controls to OT assets at scale was considered controversial due to the concern that you’d compromise the integrity of the OT assets.
Challenge
The company faced an expansive and diverse attack surface with operational assets that included power generation from coal, gas, wind, and hydro in addition to transmission and distribution networks.
They also managed a vast IT footprint that encompassed employee systems, billing platforms, and customer data. All were subject to different regulatory requirements that included NERC CIP and PII protections.
Leadership recognized the growing threat landscape. They sought to move beyond fragmented and reactive cyber strategies with a clear but ambitious objective—establish measurable cyber security maturity across all computing assets in under 1 year.
Solution
They needed a scalable, actionable framework and partner to help them operationalize it across tens of thousands of assets. The company selected the CIS Critical Security Controls (CIS CSC) as its guiding framework.
Deployed Assessment Tools
Verve by Rockwell Automation’s automated asset inventory safely scanned and fingerprinted the company’s IP addresses across the OT network. Our endpoint manager gathered 1,000+ pieces of information on Windows, Unix, and Linux assets, embedded asset firmware, and other configuration information.
Rockwell Automation also used the data in the asset inventory to conduct a passive assessment on the software and firmware gathered to assess the OT systems without harming them.
Developed Roadmap for Remediation
Once the foundation was built, Rockwell Automation proceeded with passive vulnerability assessments, network segmentation reviews, and a detailed gap analysis against over 120 CIS subcontrols.
From there, Rockwell Automation worked with the energy company and developed a roadmap for remediation. It prioritized action based on risk and operational feasibility. Remediation activities included software removal, patch deployment, password policy enforcement, segmentation, and compensating controls when compliance was not technically achievable.
Consolidated Reporting with Compliance Monitoring
To sustain long-term success, the company implemented a compliance monitoring system that consolidated reporting across all assets and controls, and trained personnel on new procedures and security elements. This allowed the OT security team to maintain oversight and confirmed that all new assets introduced into the network maintained compliance going forward.
Result
Raised Cyber Maturity Across Assets
In 8 months, the energy company achieved its goal of raising cyber maturity across tens of thousands of assets using CIS Controls. Every asset type—from IT servers to substation control systems—were assessed, remediated, and integrated into a single compliance monitoring framework.
Reduced Long-Term Risk
This project demonstrated that rapid and secure transformation is possible in even the most complex OT environments. Not only did the energy company improve their security posture, they also reduced long-term risk by addressing root-cause vulnerabilities instead of relying solely on detection-based tools.
Positioned for Long-Term Success
A combination of hardened procedures, a continuously monitored compliance system, and deeply integrated tools positioned the company for long-term success with their security maturity. All while scaling operations.
They also avoided operational disruptions and regulatory fines by proactively addressing vulnerabilities and implementing controls that aligned with both internal policies and external mandates.
Published July 28, 2025
You may also be interested in