A National Energy Utility
A national energy utility serving 4.2 million customers automated certificate lifecycle management across its SCADA infrastructure and 180 substations, closing NERC CIP audit findings, eliminating certificate-related grid monitoring outages, and achieving unified IT/OT certificate visibility for the first time.
SCADA Certificate Management Challenges in Critical Energy Infrastructure
NERC CIP audit findings for certificate and key management deficiencies
The utility's most recent NERC CIP audit identified findings under CIP-005-7 (Electronic Security Perimeters) and CIP-007-6 (System Security Management) related to certificate management on Bulk Electric System (BES) Cyber Systems. Auditors found that TLS certificates securing SCADA communications between the energy management system (EMS) and remote terminal units (RTUs) at substations were not inventoried, lacked defined rotation schedules, and in 23 cases had expired without detection. The findings carried potential penalties and required a documented mitigation plan with evidence of remediation within 12 months.
Certificate expiry causing grid monitoring blind spots
The utility's SCADA infrastructure relied on TLS-secured connections between the central EMS, 180 substations, 14 generation facilities, and 6 regional control centers. When certificates expired on substation RTUs or communication processors, the SCADA system lost telemetry from affected substations — creating grid monitoring blind spots that operators had to compensate for with manual phone-based status checks. Three certificate expirations in a single quarter caused monitoring gaps affecting 12 substations, each lasting 2 to 6 hours until field technicians could physically access the substation to replace the expired certificate.
IT/OT visibility gap preventing unified security governance
The utility's IT security team managed corporate network certificates using standard enterprise tools, but had no visibility into the OT certificate environment. SCADA certificates were managed by the OT engineering team using a combination of vendor-provided utilities, local certificate stores, and manual tracking in maintenance management systems. The two teams operated independently with different CAs, different key management practices, and no shared inventory. This fragmentation made it impossible to enforce consistent certificate policies across the IT/OT boundary or produce unified compliance reports for NERC CIP auditors.
Automated SCADA Certificate Lifecycle Management with QCecuring
Comprehensive SCADA certificate discovery across all grid assets
QCecuring's agentless scanners discovered all TLS certificates across the utility's SCADA infrastructure — EMS servers, substation RTUs, communication processors, ICCP links to neighboring utilities, generation facility control systems, and regional control center endpoints across 180 substations and 14 generation facilities. The platform identified 2,400+ certificates, including 340 that were previously unknown to both the IT and OT teams. Discovery was performed using passive network scanning that did not inject traffic into SCADA communication channels, ensuring zero impact on real-time grid operations.
NERC CIP-aligned certificate governance and policy enforcement
QCecuring enforced certificate policies aligned with NERC CIP requirements — minimum TLS 1.2 for all BES Cyber System communications, RSA 2048 or ECDSA P-256 key strength, certificates issued only from the utility's approved CA hierarchy, and maximum 397-day validity with automated renewal triggers at 60 days before expiry. The platform mapped each certificate to its associated BES Cyber System and Electronic Security Perimeter, enabling CIP-005 and CIP-007 compliance reporting at the asset level. Policy violations were flagged immediately and routed to the appropriate OT or IT team for remediation.
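The policy described above, evaluated over inventory records, as an added example that is not QCecuring's code. The record schema, CA names and sample records are constructed, and treating RSA 2048 and P-256 as minimums is an assumption.

```python
from datetime import date, timedelta

# Thresholds are the policy values stated above; CA names are constructed.
OT_CA = "Example Utility OT Issuing CA"
APPROVED_ISSUERS = {OT_CA, "Example Utility IT Issuing CA"}
MAX_VALIDITY = timedelta(days=397)
RENEW_BEFORE = timedelta(days=60)
TLS_RANK = {"TLS1.0": 10, "TLS1.1": 11, "TLS1.2": 12, "TLS1.3": 13}
EC_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

def evaluate(cert, today):
    """Return the sorted policy findings for one inventory record."""
    findings = []
    # Unknown or legacy protocol strings rank 0 and therefore fail.
    if TLS_RANK.get(cert["min_tls"], 0) < TLS_RANK["TLS1.2"]:
        findings.append("tls-below-1.2")
    kind, strength = cert["key"]
    if kind == "RSA":
        weak = strength < 2048
    else:
        # Assumption: P-256 is a floor; other key types and unknown curves fail.
        weak = kind != "ECDSA" or EC_BITS.get(strength, 0) < 256
    if weak:
        findings.append("weak-key")
    if cert["issuer"] not in APPROVED_ISSUERS:
        findings.append("unapproved-issuer")
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        findings.append("validity-over-397d")
    if cert["not_after"] <= today:
        findings.append("expired")
    elif cert["not_after"] - today <= RENEW_BEFORE:
        findings.append("renewal-due")
    return sorted(findings)

def make(asset, min_tls, key, issuer, not_before, not_after):
    """Build one inventory record (hypothetical schema for this example)."""
    return dict(asset=asset, min_tls=min_tls, key=key, issuer=issuer,
                not_before=not_before, not_after=not_after)

INVENTORY = [  # constructed sample records, not data from the utility
    make("rtu-sub-017", "TLS1.2", ("RSA", 2048), OT_CA, date(2024, 3, 1), date(2025, 3, 1)),
    make("commproc-sub-112", "TLS1.0", ("RSA", 1024), "Vendor Default CA",
         date(2020, 1, 1), date(2024, 12, 31)),
    make("ems-front-01", "TLS1.3", ("ECDSA", "P-256"), OT_CA, date(2024, 11, 1), date(2025, 11, 1)),
]

def audit(inventory, today):
    """Map each asset that has at least one finding to its findings."""
    return {c["asset"]: f for c in inventory if (f := evaluate(c, today))}
```

Calling `audit(INVENTORY, date(2025, 1, 15))` reports the RTU as due for renewal and the communication processor with five separate findings, while the EMS front end passes.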
Maintenance-window-aware renewal for substation and generation assets
QCecuring's renewal workflows integrated with the utility's outage management system to schedule certificate deployments during planned maintenance windows. For substations, renewals were coordinated with scheduled relay testing or transformer maintenance to minimize additional site visits. For generation facilities, certificate deployments were aligned with unit outage schedules. The platform pre-staged certificates and validated them against target system requirements before the maintenance window, and automated deployment used the utility's existing secure remote access infrastructure to push certificates to substation equipment without requiring physical site visits for routine renewals.
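One way to match renewals to planned outage windows, as an added example that is not QCecuring's code. The site IDs, dates and record fields are constructed, and the selection rule (first window inside the 60-day renewal period, otherwise the last usable earlier window, otherwise escalate) is an assumption.

```python
from datetime import date, timedelta

RENEW_BEFORE = timedelta(days=60)  # renewal trigger stated in the case study

def plan_renewal(cert, windows, today):
    """Choose a planned outage window at the certificate's site.

    Returns (action, window_start). 'in-window': a window lies between the
    60-day trigger and expiry. 'early': the only usable window is before the
    trigger. 'escalate': no planned window ends before the certificate expires.
    """
    trigger = cert["not_after"] - RENEW_BEFORE
    usable = sorted(
        w["start"] for w in windows
        if w["site"] == cert["site"]
        and w["start"] >= today
        and w["end"] < cert["not_after"]
    )
    on_schedule = [s for s in usable if s >= trigger]
    if on_schedule:
        return ("in-window", on_schedule[0])
    if usable:
        # Assumption: renewing ahead of the trigger in the last usable window
        # is preferred over an unplanned site visit.
        return ("early", usable[-1])
    return ("escalate", None)

# Constructed sample data: site IDs, dates and outage reasons are hypothetical.
CERTS = [
    {"asset": "rtu-sub-017", "site": "SUB-017", "not_after": date(2025, 3, 1)},
    {"asset": "rtu-sub-044", "site": "SUB-044", "not_after": date(2025, 6, 30)},
    {"asset": "gen-unit-03", "site": "GEN-03", "not_after": date(2025, 2, 1)},
]
WINDOWS = [
    {"site": "SUB-017", "start": date(2025, 2, 10), "end": date(2025, 2, 11)},  # relay testing
    {"site": "SUB-044", "start": date(2025, 3, 20), "end": date(2025, 3, 21)},  # transformer work
    {"site": "SUB-044", "start": date(2025, 7, 15), "end": date(2025, 7, 16)},  # after expiry
    {"site": "GEN-03", "start": date(2025, 4, 1), "end": date(2025, 4, 10)},    # unit outage
]

def plan_all(certs, windows, today):
    """Return {asset: (action, window_start)} for every certificate."""
    return {c["asset"]: plan_renewal(c, windows, today) for c in certs}
```

The `escalate` result is the case that matters operationally: a certificate that expires before any planned outage at its site is visible weeks ahead rather than when telemetry drops.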
Measurable Impact on Grid Security and Regulatory Compliance
NERC CIP findings closed in 8 months
The utility closed all certificate-related NERC CIP findings under CIP-005-7 and CIP-007-6 within 8 months of QCecuring deployment — 4 months ahead of the 12-month remediation deadline. The mitigation plan evidence package, generated directly from the QCecuring platform, was accepted by the regional entity without additional information requests.
Zero monitoring outages
After deploying QCecuring CLM, the utility experienced zero certificate-related SCADA communication failures over a 14-month period, compared to three incidents in the quarter before deployment that caused monitoring blind spots across 12 substations. Automated renewal ensured all certificates were replaced well before expiry.
2,400+ certificates under management
QCecuring consolidated certificate management across the IT/OT boundary for the first time, bringing 2,400+ certificates under unified governance. The 340 previously unknown certificates were brought into compliance, and both the IT security team and OT engineering team now operate from a shared certificate inventory with role-based access appropriate to their responsibilities.
When a certificate expires on a substation RTU, we lose visibility into that part of the grid. In our business, blind spots are not acceptable — they are safety risks. QCecuring eliminated certificate expiry as a source of monitoring gaps and gave us the unified IT/OT visibility we needed to satisfy our NERC CIP auditors. The maintenance-window integration was critical — we cannot touch substation equipment outside of planned outages, and QCecuring respects that constraint.
Frequently Asked Questions
How does QCecuring discover certificates on substation equipment without disrupting SCADA communications?
QCecuring uses passive, network-based scanning that observes TLS handshakes and certificate presentations without injecting traffic into SCADA communication channels. For substations connected via serial or non-IP protocols, the platform discovers certificates on the communication processors and gateways that bridge SCADA traffic to the IP network. This approach ensures zero impact on real-time grid monitoring and control operations.
Does the platform support NERC CIP evidence generation for audits?
Yes. QCecuring generates NERC CIP compliance reports that map certificate state to specific CIP requirements — CIP-005-7 for Electronic Security Perimeters and CIP-007-6 for System Security Management. Reports include certificate inventory by BES Cyber System, rotation history, policy compliance status, and exception tracking. Evidence packages are exportable in formats accepted by regional entities and can be generated on demand for audit preparation.
How are certificate renewals coordinated with utility maintenance schedules?
QCecuring integrates with the utility's outage management system to align certificate deployments with planned maintenance windows. The platform pre-stages certificates and validates them before the window opens. During the maintenance window, automated deployment pushes renewed certificates to substation and generation facility equipment using the utility's existing secure remote access infrastructure. For routine renewals, this eliminates the need for dedicated site visits.