Critical Infrastructure IT — WECC Region

Critical Infrastructure IT That Keeps
SoCal Utilities Running Against Nation-State Threats

Electric utilities, water districts, and natural gas providers in Southern California face Volt Typhoon pre-positioning, NERC CIP audit penalties up to $1 million per day, and OT/IT convergence risks that generic MSPs are not equipped to handle. IT Center is.

$1M Max NERC CIP penalty per day per violation
CIP-002–014 Full standard coverage supported
$300 Flat rate per computer user per month
24/7 AI-powered OT/IT network monitoring

The Adversaries Targeting SoCal's Power and Water Right Now

The February 2024 CISA/NSA/FBI joint advisory confirmed what utility security teams feared: PRC state-sponsored actors have already pre-positioned inside U.S. critical infrastructure networks, and Russian military intelligence has already shown it can turn cyber access into a blackout. Southern California's electric grid, municipal water systems, and natural gas infrastructure are not hypothetical targets; they are active target sets.

PRC State Actor

Volt Typhoon — Pre-Positioning for Strategic Disruption

Volt Typhoon is a Chinese state-sponsored threat group assessed by CISA, NSA, and the FBI to be deliberately embedding itself inside U.S. critical infrastructure — not for immediate data theft, but to position for potential disruption of communications and power in a future geopolitical crisis, particularly one involving Taiwan.

Their technique is "living off the land" (LotL): using legitimate system tools such as PowerShell, WMI, netsh, and ntdsutil rather than dropping malware, so the activity blends into normal administration. They target internet-facing edge devices (VPN appliances, routers, and firewalls) as initial entry points into utility IT networks, then move laterally toward the OT boundary.

  • Targets Cisco, Fortinet, Ivanti, and Netgear edge devices at utility sites
  • Creates persistent access via stolen credentials and LOLBins, with no custom malware dropped
  • Has maintained access in some victim IT environments for at least five years before discovery
  • Primary goal: hold access for future disruptive attacks on OT functions, not immediate espionage
  • Energy, water and wastewater, communications, and transportation are confirmed victim sectors; WECC-region electric, water, and gas operators sit squarely inside them

GRU / Russian State Actor

Sandworm — The Group That Already Killed a Power Grid

Sandworm is Unit 74455 of Russia's GRU military intelligence directorate. In December 2015 it cut power to roughly 230,000 Ukrainian customers: BlackEnergy 3 provided the foothold, and the operators then opened breakers through hijacked HMI sessions, the first confirmed cyberattack to cause a physical power outage. In December 2016 it repeated the attack on a Kyiv transmission substation with Industroyer/CrashOverride, malware whose modules speak IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA natively, the protocols used in substation and grid control systems worldwide.

Sandworm is also responsible for NotPetya (2017), which caused $10 billion in global damages by destroying disk MBRs via a worm disguised as ransomware. U.S. utilities remain an assessed target category.

  • BlackEnergy 3 for initial access, and Industroyer/CrashOverride built specifically to issue commands to ICS/SCADA equipment
  • Attacks substation automation by speaking IEC 101, IEC 104, IEC 61850, and OPC DA natively, sending valid commands rather than exploiting bugs; CrashOverride also carried a denial-of-service module aimed at Siemens SIPROTEC protection relays
  • Industroyer2 (April 2022, Ukraine), rebuilt around IEC 104 alone, confirms continued development of grid-attack tools
  • Supply chain infection via update servers (NotPetya spread through a hijacked M.E.Doc software update) to push malware through legitimate channels
  • The same protocol-native approach applies to the DNP3 and IEC 61850 equipment in WECC-connected substations in Southern California

What This Means for Your Utility's IT Team

Both threat actors exploit the same structural vulnerability: the IT/OT boundary where enterprise networks touch SCADA, DCS, and substation automation systems. A misconfigured firewall rule, an unpatched VPN appliance, or a vendor remote access connection left open becomes the bridge from a spear-phishing email to a relay protection system. IT Center's role is to harden that boundary, monitor for LotL behaviors, and ensure your incident response plan treats a power outage as the threat model — not just data theft.
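To make "monitor for LotL behaviors" concrete, here is an added example (not IT Center code) of the kind of detection logic that runs over process-creation logs. It encodes Volt Typhoon tradecraft documented in the public CISA advisories: netsh portproxy pivots, NTDS.dit extraction with ntdsutil or a vssadmin shadow copy, and wmic process creation. The log lines, the pipe-delimited field layout, the hostnames, and the accounts are all constructed for the example.

```python
"""Flag Volt Typhoon-style living-off-the-land activity in process-creation logs.

Added example, not IT Center code. The patterns encode publicly documented
Volt Typhoon tradecraft (CISA advisories AA23-144A and AA24-038A): netsh
portproxy pivots, ntdsutil/vssadmin NTDS.dit extraction, and wmic remote
process creation. Log lines are constructed for the example and use an
assumed pipe-delimited layout: timestamp|host|user|parent_image|command_line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Rule name -> regex over the command line. Each LOLBin is legitimate on its own;
# the value is in the argument patterns, which administrators rarely type by hand.
RULES: Dict[str, re.Pattern] = {
    "netsh_portproxy_pivot":
        re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", re.I),
    "ntdsutil_ntds_dump":
        re.compile(r"\bntdsutil(\.exe)?\b.*\bac\s+i\s+ntds\b.*\bifm\b.*\bcreate\s+full\b", re.I),
    "vssadmin_shadow_copy":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I),
    "ntds_copy_from_shadow":
        re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\ntds\\ntds\.dit", re.I),
    "wmic_process_create":
        re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\s+create\b", re.I),
}

# Either of these alone, or the shadow-copy pair on one host, means NTDS.dit was taken.
CRED_DUMP_SINGLE = {"ntdsutil_ntds_dump"}
CRED_DUMP_PAIR = {"vssadmin_shadow_copy", "ntds_copy_from_shadow"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields; None for blank or malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmdline = (p.strip() for p in parts)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def scan_text(text: str) -> List[Finding]:
    """Run every rule over every line; a line can trigger more than one rule."""
    findings: List[Finding] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES.items():
            if rx.search(rec["cmdline"]):
                findings.append(Finding(name, rec["host"], rec["user"], rec["cmdline"]))
    return findings


def credential_dump_hosts(findings: List[Finding]) -> Set[str]:
    """Correlate per host: single-rule hits are noisy, the chain is not."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items()
            if rules & CRED_DUMP_SINGLE or CRED_DUMP_PAIR <= rules}


# Constructed sample: a domain controller having its NTDS.dit lifted, an engineering
# workstation turned into a portproxy pivot, and one benign line for contrast.
SAMPLE_LOG = """\
2024-05-02T03:14:07Z|DC01|CORP\\svc_backup|cmd.exe|vssadmin create shadow /for=C:
2024-05-02T03:14:21Z|DC01|CORP\\svc_backup|cmd.exe|cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\ntds_copy.dit
2024-05-02T03:20:55Z|EWS-07|CORP\\jdoe|explorer.exe|notepad.exe C:\\docs\\shift.txt
2024-05-02T03:22:10Z|EWS-07|CORP\\jdoe|cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.20.30.40
2024-05-02T03:25:42Z|FS02|CORP\\admin_t|cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q
2024-05-02T03:30:01Z|HMI-03|NT AUTHORITY\\SYSTEM|services.exe|wmic process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\w.txt"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_LOG)
    for h in hits:
        print(f"{h.rule:24} {h.host:8} {h.user:22} {h.cmdline[:60]}")
    print("credential dump chain on:", sorted(credential_dump_hosts(hits)))
```

Single hits are worth a look; the per-host chain check is the high-fidelity signal, since a domain controller's backup job does not copy ntds.dit out of a shadow copy by hand. In production the same patterns map onto Sysmon Event ID 1 or Security Event ID 4688 command lines.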

NERC CIP Standards: What Bulk Electric System Operators Must Comply With

The North American Electric Reliability Corporation's Critical Infrastructure Protection standards are mandatory reliability standards for bulk electric system owners, operators, and users in North America. In California, compliance is enforced by WECC as NERC's regional entity. Non-compliance penalties can reach $1 million per violation per day.

CIP-002-5.1a

BES Cyber System Categorization

Requires identification and categorization of all BES Cyber Systems as High, Medium, or Low impact based on their effect on the reliable operation of the bulk electric system. Miscategorization is itself a violation.

CIP-003-8

Security Management Controls

Establishes security management controls to protect BES Cyber Systems against compromise. Requires documented cybersecurity policies, leadership accountability, and exception handling processes.

CIP-004-6

Personnel & Training

Mandates personnel risk assessments (background checks), security awareness training, and cybersecurity training for all personnel with access to BES Cyber Systems or associated Physical Access Control Systems.

CIP-005-6

Electronic Security Perimeters

Requires Electronic Security Perimeters around applicable High and Medium impact BES Cyber Systems, with every routable connection passing through an identified Electronic Access Point that permits only documented, justified inbound and outbound access and denies everything else by default. Interactive Remote Access must terminate on an Intermediate System (jump host), be encrypted to that system, and use multi-factor authentication; dial-up access must be authenticated.

CIP-006-6

Physical Security of BES Cyber Systems

Mandates Physical Security Plans for Physical Security Perimeters protecting High and Medium impact BES Cyber Systems. Includes visitor control, logging of physical access, and monitoring of unauthorized access attempts.

CIP-007-6

Systems Security Management

Covers ports and services management, security patch management (35-day patch assessment requirement), malicious code prevention, security event monitoring, and system access control for BES Cyber Systems and Electronic Access Points.

CIP-008-6

Incident Reporting & Response Planning

Requires documented Cyber Security Incident Response Plans with criteria for identifying Reportable Cyber Security Incidents and attempts to compromise, notification to E-ISAC and CISA (successor to NCCIC/ICS-CERT) within one hour of determining an incident is reportable and by the end of the next calendar day for attempts, and testing of each plan at least once every 15 calendar months.

CIP-009-6

Recovery Plans for BES Cyber Systems

Mandates documented recovery plans, backup and verification of the BES Cyber System information needed to recover, testing of each plan at least once every 15 calendar months (with a full operational exercise for High impact systems at least once every 36 calendar months), and defined roles and communication during recovery operations.

CIP-010-3

Configuration Change Management & Vulnerability Management

Requires baseline configurations for applicable BES Cyber Systems, authorization and documentation of every deviation from baseline with verification that CIP-005 and CIP-007 controls still hold, monitoring of High impact baselines for unauthorized change at least once every 35 calendar days, a vulnerability assessment at least once every 15 calendar months, and an active vulnerability assessment of High impact systems at least once every 36 calendar months and before new Cyber Assets go into production. Penetration testing is not itself a CIP-010 requirement.

CIP-011-2

Information Protection

Establishes controls for identifying, classifying, and protecting BES Cyber System Information throughout its lifecycle, including secure storage, handling, transit, and disposal procedures.

CIP-013-1

Supply Chain Risk Management

Requires entities with High and Medium impact BES Cyber Systems to develop and implement supply chain cyber security risk management plans covering procurement of hardware, software, and services. The plans must address vendor notification of security incidents and of vendor personnel who should no longer have remote access, coordinated vulnerability disclosure, verification of software integrity and authenticity, and controls on vendor-initiated remote access.

CIP-014-3

Physical Security (Transmission Substations)

Requires risk assessment of transmission stations whose loss could result in widespread instability or cascading failures within the interconnection. Requires physical security plans and third-party verification.

NERC CIP Audit Risk: The Penalties Are Real

WECC conducts compliance audits, spot checks, and self-certification reviews of entities on the NERC Compliance Registry. Penalties under NERC's Compliance Monitoring and Enforcement Program can reach $1,000,000 per violation per day. Duke Energy paid $10 million in 2019 for 127 violations. Pacific Gas & Electric has faced multiple CIP enforcement actions. Utilities that treat NERC CIP as a checkbox exercise rather than an operational security program face the largest exposure. IT Center helps you build compliance into your IT operations — not bolt it on at audit time.

AWIA 2018: Cybersecurity Requirements for Water and Wastewater Utilities

The America's Water Infrastructure Act of 2018 amended the Safe Drinking Water Act to require community water systems serving more than 3,300 people to conduct Risk and Resilience Assessments and develop Emergency Response Plans. The EPA enforces these requirements and has issued additional cybersecurity guidance following the 2021 Oldsmar, Florida incident, in which someone using an exposed TeamViewer session on a treatment-plant HMI raised the sodium hydroxide setpoint from 100 ppm to 11,100 ppm before an operator reverted it.

Risk & Resilience Assessment Requirements

  • Assessment of malevolent acts and natural hazards that may threaten the system
  • Resilience of pipes, constructed conveyances, physical barriers, and source water
  • Security of water collection, pretreatment, treatment, storage, and distribution
  • Electronic, computer, and automated systems including SCADA and ICS
  • Monitoring practices, chemical handling and storage, and financial infrastructure
  • Use of a nationally recognized cybersecurity framework for the cyber portion (EPA points to the NIST CSF and AWWA guidance; the statute requires the cyber assessment but names no framework)
  • Certification to EPA that the RRA is complete, then review and recertification every 5 years; initial deadlines were staggered by population served (100,000 or more by March 2020, 50,000 to 99,999 by December 2020, 3,301 to 49,999 by June 2021)

Emergency Response Plan Requirements

  • Strategies and resources to address identified risks to system resilience
  • Plans and procedures for responding to a malevolent act or natural hazard
  • Actions, procedures, and equipment to lessen the impact of a cybersecurity incident
  • Alternative water sources, physical security enhancements, and operational alternatives
  • Coordination with local emergency planning committees and law enforcement
  • Review and update of ERP within 6 months of completing or updating the RRA
  • Exercises of ERP components with documented results (recommended practice; the statute sets the 6-month ERP deadline and the 5-year recertification cycle but no exercise cadence)

IT Center supports water and wastewater utilities across Riverside County, San Bernardino County, and Los Angeles County in conducting the technical portions of AWIA RRAs — specifically the SCADA/ICS vulnerability assessment, remote access security review, network architecture diagram creation, and NIST CSF gap analysis. We document findings in formats that satisfy EPA certification requirements and help build Emergency Response Plans that work operationally, not just on paper.

OT/IT Segmentation for Utilities: Protecting SCADA From the Enterprise Network

The most dangerous misconception in utility IT is that a firewall between the corporate network and the control system network is sufficient segmentation. Volt Typhoon's documented techniques specifically target the remote access and historian connections that span this boundary — OSIsoft PI servers, vendor VPN tunnels, and engineering workstations that reach both zones. Proper segmentation requires architecture, not just a ruleset.

What IT Center Implements for Utility OT/IT Segmentation

  • Purdue Model-based zone architecture: Level 0 (field devices) through Level 4 (enterprise) with enforced conduit controls at each boundary
  • Data diode configurations for unidirectional historian replication (OSIsoft PI, GE Historian) from the Level 3 historian to its Level 3.5 DMZ replica, so no bidirectional protocol spans the ESP
  • Dedicated jump server / privileged access workstation architecture with session recording for all OT access
  • CIP-005-compliant Electronic Security Perimeter design with firewall rule documentation and quarterly review
  • Removal of direct internet connectivity from control system networks — no flat Layer 2 adjacency between OT and IT VLANs
  • Separate Active Directory domains or certificate-based authentication for OT assets, isolated from corporate AD
  • Encrypted, MFA-protected vendor remote access via dedicated vendor access management platform (CIP-005-6 R2 compliant)
  • Network tap monitoring and OT-aware intrusion detection using passive asset discovery — no active scanning in OT zones
  • Substation network segmentation: each substation treated as a separate ESP with documented Electronic Access Points
  • Patch management workflows that respect OT change windows and don't require always-online connectivity
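As an added example (not IT Center's tooling) of what "enforced conduit controls at each boundary" and "firewall rule documentation and quarterly review" reduce to in practice, the script below lints a rule set against a Purdue zone model. The zone addressing, conduit port lists, rule names, and ticket references are assumptions constructed for the example.

```python
"""Lint firewall rules against a Purdue zone/conduit model and CIP-005 R1 expectations.

Added example, not IT Center code. Zone addressing, conduit port lists, and the
sample rules are all assumptions constructed for the example. The checks are the
ones a quarterly ESP rule review asks of every rule: is the source in a known zone,
does a conduit exist for this zone pair, is the port explicit and on the conduit's
allow-list, and is access into the ESP justified (CIP-005 R1 Part 1.3 requires a
documented reason for each inbound and outbound permission).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# zone -> (Purdue level, CIDRs). Assumed addressing for a small utility.
ZONES: Dict[str, Tuple[float, List[str]]] = {
    "enterprise": (4.0, ["10.0.0.0/16"]),
    "ot_dmz":     (3.5, ["10.100.0.0/24"]),   # jump host, historian replica, patch repo
    "site_ops":   (3.0, ["10.200.0.0/24"]),   # SCADA servers, primary historian
    "control":    (2.0, ["10.200.10.0/24"]),  # HMIs, engineering workstations
    "field":      (1.0, ["10.200.20.0/24"]),  # RTUs, relays, PLCs
}
ESP_LEVEL = 3.0       # zones at or below this level sit inside the Electronic Security Perimeter
OUTSIDE_LEVEL = 99.0  # "any" / unmapped sources are treated as untrusted

# Permitted conduits: (src_zone, dst_zone) -> allowed TCP destination ports. Port choices are
# assumptions: RDP/SSH to and from the jump host, PI-to-PI on 5450, PI Web API on 443,
# Modbus/TCP on 502 and DNP3 on 20000 toward the field.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("enterprise", "ot_dmz"): {443, 3389},
    ("ot_dmz", "site_ops"):   {22, 3389},
    ("site_ops", "ot_dmz"):   {5450},
    ("site_ops", "control"):  {22, 3389},
    ("control", "field"):     {502, 20000},
}


@dataclass
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR
    dport: str          # port number as text, or "*" for any
    justification: str = ""


def zone_of(cidr: str) -> str:
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, (_level, nets) in ZONES.items():
        if any(net.subnet_of(ipaddress.ip_network(z)) for z in nets):
            return name
    return "unknown"


def level_of(zone: str) -> float:
    return ZONES[zone][0] if zone in ZONES else OUTSIDE_LEVEL


def lint_rule(r: Rule) -> List[str]:
    """Return the problems with one rule; an empty list means it passes review."""
    problems: List[str] = []
    src, dst = zone_of(r.src), zone_of(r.dst)
    if src == dst:
        return problems                        # intra-zone traffic is not an ESP question
    if level_of(src) == OUTSIDE_LEVEL and level_of(dst) <= 3.5:
        problems.append(f"unrestricted/unmapped source {r.src!r} reaches OT zone {dst}")
    conduit = CONDUITS.get((src, dst))
    if conduit is None:
        problems.append(f"no defined conduit {src} -> {dst}; Purdue adjacency violated")
    if r.dport == "*":
        problems.append("wildcard destination port; each permitted service must be explicit")
    elif conduit is not None and int(r.dport) not in conduit:
        problems.append(f"port {r.dport} not on the {src} -> {dst} conduit allow-list {sorted(conduit)}")
    if level_of(dst) <= ESP_LEVEL and not r.justification.strip():
        problems.append("access into the ESP has no documented reason (CIP-005 R1 Part 1.3)")
    return problems


def lint(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each failing rule's name to its findings; clean rules are omitted."""
    return {r.name: p for r in rules if (p := lint_rule(r))}


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("r1", "10.0.0.0/16",    "10.100.0.10/32", "443",  "TKT-1021 PI Web API read access"),
    Rule("r2", "10.0.5.0/24",    "10.200.10.0/24", "3389"),                    # enterprise straight to HMIs
    Rule("r3", "any",            "10.200.0.5/32",  "22",   "vendor support"),  # internet-facing SCADA SSH
    Rule("r4", "10.100.0.20/32", "10.200.0.0/24",  "3389", "TKT-1033 jump host RDP to SCADA"),
    Rule("r5", "10.200.0.5/32",  "10.100.0.10/32", "5450", "PI-to-PI replication via data diode"),
    Rule("r6", "10.100.0.0/24",  "10.200.0.0/24",  "*",    "temporary"),       # any-port hole into the ESP
]

if __name__ == "__main__":
    for name, problems in lint(SAMPLE_RULES).items():
        for p in problems:
            print(f"{name}: {p}")
```

Every clean rule answers the four questions an auditor will ask: which zones, which explicit port, which conduit, and why. Rules r2, r3 and r6 fail because they skip the DMZ, expose the ESP to any source, or open a wildcard port, which is exactly what a quarterly review should surface before WECC does.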

Key Systems Protected by Proper Segmentation

  • Energy Management Systems and SCADA platforms — GE Digital iFIX/CIMPLICITY, Wonderware (AVEVA), Ignition (Inductive Automation)
  • Substation Automation Systems — SEL (Schweitzer Engineering Laboratories), GE, and ABB protection relays and bay controllers
  • Distribution Management Systems — Schneider Electric EcoStruxure ADMS, GE ADMS
  • Outage Management Systems — Oracle Utilities OMS, ABB PGIS, Milsoft DisSPatch
  • Advanced Metering Infrastructure head-end systems — Itron, Landis+Gyr, Sensus
  • Operational historians — AVEVA PI System (OSIsoft PI), GE Proficy Historian, AspenTech IP.21
  • Water SCADA — Wonderware InTouch, Rockwell FactoryTalk, Emerson DeltaV for treatment plants
  • GIS platforms — Esri ArcGIS Utility Network (or the legacy Geometric Network) for electric and water, GE Smallworld
  • Customer Information Systems — Oracle CC&B, SAP IS-U, Cayenta Utilities
  • Automatic Generation Control and Reactive Control systems

The Compliance and Security Challenges Every SoCal Utility Faces

Utility IT and OT teams operate under a unique combination of regulatory pressure, aging infrastructure, and expanding attack surface. These are the pain points IT Center is specifically built to address.

NERC CIP Audit Preparation and Ongoing Evidence Collection

WECC compliance audits require continuous evidence collection — log retention, access review documentation, configuration change records, and training records. Most utility IT teams cannot sustain this burden without dedicated tooling and process. IT Center implements automated evidence collection for CIP-005, CIP-007, and CIP-010 using centralized SIEM and configuration management platforms.

Patch Management for Legacy OT Systems

SCADA and DCS systems often run Windows XP, Windows Server 2008, or embedded Linux versions that vendors no longer patch. CIP-007-6 R2 requires tracking identified patch sources, evaluating new patches for applicability within 35 calendar days of release, and then, within a further 35 days, either applying each applicable patch or creating a dated mitigation plan for it. It is a documented-decision requirement, not an apply-everything requirement. IT Center builds the mitigation plans and network-based compensating controls for systems that cannot be patched without voiding vendor support.

Third-Party and Vendor Remote Access

Utility OT vendors (GE, Schneider Electric, ABB, SEL, Landis+Gyr) require remote access for diagnostics and firmware updates. CIP-005-6 R2 requires that Interactive Remote Access to High and Medium impact BES Cyber Systems with External Routable Connectivity terminate on an Intermediate System, be encrypted to that system, and use multi-factor authentication. Unmanaged VPN tunnels that bypass the Intermediate System and persistent vendor accounts are among the most common CIP violation categories. IT Center implements a vendor access management platform with session recording, time-limited credentials, and automated de-provisioning.

Supply Chain Risk Under CIP-013

CIP-013-1 requires utilities to assess and manage cybersecurity risks from hardware and software vendors in the ICS supply chain. This includes software integrity verification, vendor security posture assessment, and contract language requiring notification of security events. Most utilities lack a structured process. IT Center builds the CIP-013 plan, vendor questionnaire library, and software verification workflow.

Physical Access Tied to IT Systems (CIP-006)

Physical access control systems — badge readers, cameras, and mantraps protecting control rooms and relay houses — must be included in the CIP-006 Physical Security Plan when they protect High or Medium impact BES Cyber Systems. The IT systems managing these access controls are themselves in scope. IT Center assesses the PACS IT footprint and ensures CIP-006 documentation covers all electronic components of physical security.

Remote Substation Security

Unmanned substations present the hardest OT security challenge: remote locations with cellular or microwave WAN connectivity, aging protection relays, and limited on-site monitoring. Volt Typhoon specifically targets these low-attention, high-value nodes. IT Center designs substation network architectures with OT-aware firewalls (Fortinet FortiGate Rugged, Cisco ISA 3000), cellular backup monitoring, and tamper-detection integration aligned with CIP-006 requirements.

IT Center's Managed Services for Electric, Water, and Gas Utilities

Every service IT Center delivers to utilities is designed around two simultaneous requirements: keeping operations running without interruption, and maintaining defensible compliance documentation. At $300 per computer user per month flat rate, you get the full stack.

NERC CIP Compliance Support

Ongoing compliance program management for CIP-002 through CIP-014. We implement the technical controls, maintain evidence for WECC audits, manage the 35-day patch assessment cycle, run the CIP-010 vulnerability assessment cycle (every 15 calendar months, with active assessments of High impact systems every 36 months), and document all CIP-005 Electronic Security Perimeter rules. Your internal compliance team sets policy; we execute and document.

24/7 OT/IT Network Security Monitoring

AI-powered SOC monitoring across your enterprise IT network and OT network DMZ. We deploy passive network sensors that detect protocol anomalies in DNP3, Modbus, IEC 60870-5-101/104, and OPC communications without active scanning that could trip relay protection. SIEM correlation rules tuned for utility threat models including LotL behavior detection for Volt Typhoon indicators.
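An added example (not IT Center's sensor code) of what passive protocol monitoring means at the packet level: parsing Modbus/TCP frames off a tap and flagging write requests from hosts outside the baseline, plus the diagnostic sub-function that can silence a controller. The frames, addresses, and write baseline are constructed for the example; nothing is sent to a device.

```python
"""Passive Modbus/TCP inspection: flag writes from unexpected sources and dangerous diagnostics.

Added example, not IT Center code. It parses Modbus/TCP frames (MBAP header + PDU)
the way a passive sensor on a network tap would, and compares write requests against
an assumed baseline of which hosts may write to which controllers. The frames, IPs,
and baseline are constructed for the example; nothing here sends traffic to a device.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write multiple
FC_DIAGNOSTICS = 8
DIAG_FORCE_LISTEN_ONLY = 0x0004      # sub-function that silences a device until power cycle


@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    fc: Optional[int]
    detail: str


def parse_mbap(frame: bytes) -> Optional[Tuple[int, int, int, bytes]]:
    """Return (transaction_id, unit_id, function_code, data) or None if not valid Modbus/TCP.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2, bytes that follow it),
    unit id (1); the PDU then starts with the function code.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7], frame[8:]


def describe_write(fc: int, data: bytes) -> str:
    """Decode the operator-visible meaning of a write so the alert says what changed."""
    if fc == 5 and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        return f"write single coil addr={addr} state={'ON' if val == 0xFF00 else 'OFF'}"
    if fc == 6 and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        return f"write single register addr={addr} value={val}"
    if fc == 16 and len(data) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        ok = nbytes == 2 * qty and len(data) >= 5 + nbytes
        vals = struct.unpack(f">{qty}H", data[5:5 + nbytes]) if ok else ()
        return f"write multiple registers addr={addr} qty={qty} values={list(vals)}"
    return f"write function code {fc}"


def inspect(flows: List[Tuple[str, str, bytes]], allowed_writers: Dict[str, Set[str]]) -> List[Alert]:
    """flows: (src_ip, dst_ip, tcp_payload). allowed_writers: controller ip -> hosts permitted to write."""
    alerts: List[Alert] = []
    for src, dst, frame in flows:
        parsed = parse_mbap(frame)
        if parsed is None:
            alerts.append(Alert("malformed_modbus", src, dst, None, frame.hex()))
            continue
        _tid, _unit, fc, data = parsed
        if fc in WRITE_FCS and src not in allowed_writers.get(dst, set()):
            alerts.append(Alert("unauthorized_write", src, dst, fc, describe_write(fc, data)))
        if fc == FC_DIAGNOSTICS and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == DIAG_FORCE_LISTEN_ONLY:
            alerts.append(Alert("force_listen_only", src, dst, fc,
                                "diagnostic sub-function 0x0004 would stop the controller answering polls"))
    return alerts


# Constructed sample. PLC is a chemical-feed controller; only the operator HMI may write to it.
PLC = "10.200.20.11"
HMI = "10.200.10.5"
ALLOWED_WRITERS = {PLC: {HMI}}
SAMPLE_FLOWS = [
    (HMI,            PLC, bytes.fromhex("00010000000601030000000a")),            # FC3 read 10 holding registers
    (HMI,            PLC, bytes.fromhex("000200000006010600100064")),            # FC6 write reg 16 = 100 (expected writer)
    ("10.200.10.77", PLC, bytes.fromhex("00030000000b0110001000020400002710")),  # FC16 write regs 16..17 from a stray workstation
    ("10.0.5.12",    PLC, bytes.fromhex("000400000006010800040000")),            # FC8 diag 0x0004 from the enterprise network
    ("10.200.10.77", PLC, bytes.fromhex("000500010006010300000001")),            # protocol id 1: not Modbus
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(f"{a.kind:18} {a.src:>13} -> {a.dst} fc={a.fc} {a.detail}")
```

The same structure carries over to DNP3 and IEC 104: parse the application layer, separate reads from controls, and alert on controls from unexpected sources. The malformed-frame path matters too; a fuzzed or non-Modbus payload on port 502 is itself worth an alert in an OT zone.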

OT/IT Network Segmentation Design & Implementation

Architecture, implementation, and documentation of Purdue Model-based zone segmentation for your control system environment. Includes firewall design and deployment, jump server configuration, data diode assessment for historian replication paths, and CIP-005 ESP documentation. We design for both security and operational reliability — no controls that create protective relay false trips.

Vendor & Third-Party Access Management

CIP-005-6 R2 compliant vendor access platform with MFA enforcement, encrypted session tunneling, real-time session monitoring, video recording of all vendor OT sessions, and automated credential expiration. We provision and de-provision all GE, Schneider, ABB, and AMI vendor access through a centralized controlled gateway — no persistent tunnels left open between audits.

AWIA 2018 Risk & Resilience Assessment Support

Technical assistance for water and wastewater utilities completing AWIA 2018 RRAs. We conduct the cybersecurity component — SCADA vulnerability assessment, remote access review, network architecture documentation, NIST CSF gap analysis — and produce output structured for EPA certification. We also develop and test the Emergency Response Plan cybersecurity components.

Incident Response Planning for Grid Events

CIP-008-6 compliant Cyber Security Incident Response Plans that treat power outage as a possible outcome. Includes E-ISAC and CISA notification procedures with the one-hour and next-calendar-day reporting clocks built in, tabletop exercise facilitation, and coordination with your NERC-registered TOP/BA on reportable incident criteria. Plan testing at least once every 15 calendar months, as CIP-008 requires, is included.

Enterprise IT Managed Services (Corporate Side)

Full managed IT for the enterprise side of your utility — Microsoft 365 administration, email security (SEG with DKIM/DMARC/SPF), endpoint protection (EDR/XDR), help desk for administrative staff, backup and disaster recovery for business systems, and network infrastructure management for office locations. Flat $300/computer user/month covers everything on the IT side with no per-ticket billing.

CIP-010 Vulnerability Management & Penetration Testing

Vulnerability assessments of BES Cyber Systems on the CIP-010-3 cadence: at least once every 15 calendar months, with active assessments of High impact systems at least once every 36 months and before new Cyber Assets enter production. Penetration testing is not a CIP-010 mandate, but for High impact environments we offer it with documented methodology, scope limitations appropriate for operational technology (no active probing of protection relays), and remediation tracking. All testing windows are coordinated with your operations team and documented in CIP-010 format for WECC audit submission.

We Know the Software Your Utility Runs

IT Center's team has direct experience with the platforms that run Southern California utilities — from the historian that feeds your energy management system to the GIS that maps your distribution network. We don't need a learning curve at your expense.

AVEVA PI System (OSIsoft PI)

Real-time operational data historian. We secure the PI Server, PI AF, and PI Web API endpoints, and the replication path from the Level 3 historian to its DMZ replica using one-way data flow controls.

GE Digital iFIX & CIMPLICITY

HMI/SCADA platforms widely used in electric transmission and generation. We secure the Windows Server infrastructure and configure CIP-007-compliant malicious code prevention and application whitelisting within the ESP.

Schneider Electric EcoStruxure

Grid management and substation automation platform. We secure EcoStruxure Grid, Power SCADA Operation, and ADMS components while maintaining compliance with Schneider's hardening guides and WECC requirements.

ABB Ability & Symphony Plus

ABB DCS and grid automation platforms used in generation and transmission. We manage patch coordination with ABB's patching advisories and ensure connectivity to ABB Remote Diagnostic Center uses CIP-005 R2 compliant vendor access protocols.

Esri ArcGIS for Utilities

GIS backbone for electric and gas network data. We manage ArcGIS Enterprise server infrastructure, user access controls via ArcGIS Portal, and integration security between ArcGIS and your OMS/DMS systems — ensuring sensitive infrastructure mapping data is access-controlled and auditable.

Oracle Utilities OMS

Outage Management System used by large investor-owned and municipal utilities. We secure the Oracle WebLogic application server stack, manage database access controls, and ensure OMS integration with SCADA/DMS complies with ESP boundary controls.

Itron / Landis+Gyr AMI

Advanced Metering Infrastructure head-end systems managing two-way communication with smart meters. We secure the AMI head-end server infrastructure, manage RF network controller access, and assess MDMS integration security.

Rockwell FactoryTalk / Allen-Bradley PLCs

Common in water and wastewater treatment plants running pump stations and chemical feed systems. We apply CIP-007 controls to FactoryTalk View and FactoryTalk Historian servers and secure EtherNet/IP communications within the OT zone.

Why Southern California Utilities Choose IT Center

Most MSPs were built to serve dental offices and law firms. IT Center serves industries where a misconfigured firewall rule is not an inconvenience — it is a potential public safety event.

1

WECC Region Subject Matter Expertise

We operate in the Western Electricity Coordinating Council region and understand how NERC CIP is enforced specifically in California. WECC's compliance monitoring approach, spot check triggers, and audit evidence expectations differ from other regional entities. We build your program to WECC's standards, not generic NERC guidance.

2

OT-Aware, Operationally Respectful

We do not apply enterprise IT practices to OT environments. We don't run vulnerability scans against protection relays. We don't push Windows updates to engineering workstations without coordinating with your operations team. Every change in the OT zone goes through your change management process and is documented for CIP-010.

3

Nation-State Threat Model, Not Just Ransomware

Generic MSPs are built to stop phishing and ransomware. IT Center's security architecture for utilities is designed against the Volt Typhoon threat model — living-off-the-land techniques, persistent access on edge devices, and lateral movement from IT to OT. We hunt for the behaviors that commodity antivirus misses entirely.

4

Flat Rate That Covers Compliance Overhead

NERC CIP compliance generates enormous IT overhead: evidence collection, log retention, 35-day patch assessments, 15-month vulnerability assessments, 36-month active assessments of High impact systems, access reviews, and configuration change documentation. At $300/computer user/month, all of that labor is included. There are no surprise invoices for audit prep or compliance consulting hours.

5

Corona, CA Base — Local to SoCal Utility Territory

Our office is at 1159 Pomona Rd Suite B, Corona, CA 92882 — in Riverside County, close to SCPPA member utilities, Inland Empire water agencies, and Southern California Gas service territory. When you need on-site support for a substation assessment or network installation, we are already local.

6

Documented, Audit-Ready Evidence at All Times

We treat every CIP control as a documentation exercise, not just a technical task. Firewall rule changes generate CIP-005 documentation. Patch assessments generate CIP-007 records. Vendor access sessions generate CIP-005 R2 logs. When WECC auditors arrive, your evidence package is already assembled — we don't scramble at audit time.

Schedule a Free Utility IT & Compliance Assessment

Tell us about your utility — electric, water, wastewater, or gas — and we'll schedule a no-obligation assessment of your current IT/OT posture, NERC CIP or AWIA compliance gaps, and vendor access risks. No sales pitch. A real technical conversation with people who know your environment.

  • NERC CIP gap analysis across CIP-002 through CIP-014
  • OT/IT segmentation review and ESP documentation assessment
  • Vendor remote access audit — find persistent tunnels and non-compliant sessions
  • AWIA 2018 RRA support for water and wastewater utilities
  • Nation-state threat briefing — Volt Typhoon indicators to watch for in your network
  • Flat $300/computer user/month — no hidden fees, no per-ticket billing
  • Local to Corona, CA — available for on-site assessment across SoCal

Call directly: (888) 221-0098
Email: sales@itcosc.com
1159 Pomona Rd Suite B · Corona, CA 92882

Request a Utility Compliance Assessment

We'll respond within one business hour during normal hours.