Texas Spotlight: Implementation of an OT cybersecurity and CIP compliance system at LCRA
Lower Colorado River Authority (LCRA), headquartered in Austin, Texas, has embarked on a long-term vision to standardize management of 6,000+ NERC CIP System Control OT Cyber Assets and networking equipment within 350 substations across Texas. LCRA operates and maintains equipment at about 440 substations across Texas.
LCRA’s goal was to implement a system capable of integrating and securing existing OT devices from multiple manufacturers and models while seamlessly adding any device type from any vendor in the future. A key business driver is the need to permit remote IED engineering access from a central location, with scripting to allow password login to end devices, and to centrally secure the vendor applications necessary for device communication. Other key business drivers are to establish a secure password repository and to improve reporting for CIP-010 baselines, including configuration, firmware, ports, and services, as well as cybersecurity reporting for remote engineering access sessions.
LCRA previously tracked all baseline information and passwords in a manually maintained database and changed passwords manually, and it had little to no reporting over remote engineering access sessions to substation devices. LCRA has now implemented secure remote access to substation devices along with the functionality necessary to meet the business objectives.
This presentation will discuss lessons learned, benefits realized, and the constraints encountered in designing and deploying this system. Specifically, it will detail how a cybersecurity-focused architecture resolved secure remote access to support NERC CIP compliance.