NERC CIP Vulnerability Management: What You Need to Document

2026-03-11 · OTWarden

Bulk Electric System (BES) operators and transmission owners under NERC CIP face a recurring compliance question during audits: "Show me your vulnerability management process."

The relevant standards are CIP-007-6 (System Security Management) and CIP-010-4 (Configuration Change Management and Vulnerability Assessments). Together they require you to identify, evaluate, and track security patches and vulnerabilities in your applicable BES Cyber Systems, and to document that you've done it.

This post covers what that documentation actually needs to look like, and where most teams fall short.

What CIP-007 Requires

CIP-007-6 R2 covers security patch management. The requirement is a documented patch management process that:

  • Tracks, evaluates, and installs security patches for applicable BES Cyber Systems, and names the source or sources you track for patch releases (R2.1)
  • Evaluates patches released since the last evaluation for applicability at least once every 35 calendar days (R2.2)
  • For each applicable patch, applies it within 35 calendar days of completing the evaluation, or creates (or revises) a dated mitigation plan stating the mitigating actions and a timeframe to complete them (R2.3)
  • Carries out each mitigation plan within its stated timeframe unless the CIP Senior Manager or delegate approves a revision (R2.4)

Note that both clocks run from your evaluation, not from the patch's release date, and the standard does not rank patches by severity: every applicable patch gets the same 35-day treatment.

The key word is documented. The standard doesn't say you must patch everything immediately — it says you must have a process, apply it consistently, and be able to show the evidence.

What auditors actually look for:

  • A written patch management policy or procedure
  • Evidence that you're monitoring your named patch sources and evaluating new releases at least every 35 calendar days (a quarterly check cannot satisfy R2.2)
  • Ticket or log records showing patches were evaluated and either applied or mitigated
  • A dated mitigation plan for any deferred patch, with the reason for deferral (most OT patches require an outage window) and evidence the plan was completed within its stated timeframe

What CIP-010 Adds

CIP-010-4 R3 covers vulnerability assessments (Transient Cyber Assets and Removable Media are R4, a separate requirement). R3 requires a vulnerability assessment of applicable BES Cyber Systems at least once every 15 calendar months, which may be a paper assessment or an active one such as a credentialed scan. For high impact systems it also requires an active assessment at least once every 36 calendar months, and an active assessment before a new applicable Cyber Asset goes into production. The results, an action plan to remediate or mitigate what was found, the planned completion date, and the execution status of that plan all have to be documented (R3.4).

The gap that trips up most teams is treating the periodic assessment as the whole programme. CIP-010 R3 gives a point-in-time picture; it is CIP-007 R2's 35-day evaluation cycle that has to catch a critical vulnerability published in February when your assessment was in October. A spreadsheet updated once a year demonstrates neither.

The Documentation Gap

Most OT teams know this in theory. In practice, the problem is operational:

CISA publishes 500+ ICS advisories per year. Your BES Cyber Systems might involve equipment from 10-20 vendors. Manually checking for relevant advisories, logging them, evaluating patch applicability, and tracking disposition requires someone to do it — consistently, every week, not just before audit season.

The teams that pass audits cleanly are the ones who have made this a regular operational process rather than a pre-audit scramble. That means:

1. Automated monitoring for new advisories from your specific vendors

2. A consistent record of when advisories were received, evaluated, and actioned

3. Written, dated justification when patches are deferred (maintenance window, production freeze, tested-and-rejected, etc.), including the timeframe for completing the mitigation, because CIP-007 R2.4 holds you to that timeframe

What an Audit Trail Looks Like

An effective CIP-007 audit trail for a single advisory might look like this (an illustrative record; the advisory, device and firmware versions are example values):

  • Date received: 15 January 2026 — CISA advisory ICSA-26-015-03, Siemens SIMATIC S7-1500, CVSS 8.1
  • Evaluation date: 17 January 2026
  • Applicability: Yes — we operate S7-1500 CPU 1516-3 PN/DP, firmware V2.9.2
  • Patch available: Yes — firmware V2.9.7 resolves the vulnerability
  • Disposition: Deferred, requires coordinated outage window; dated mitigation plan created within 35 calendar days of the evaluation (R2.3)
  • Mitigation: Network access restriction to affected devices per the mitigations in the CISA advisory; outage window scheduled Q2 2026 (the plan's timeframe, which R2.4 holds you to)
  • Patch applied: 4 April 2026

That record, replicated for each relevant advisory, is what auditors want to see. It demonstrates a functioning process, not just a policy document.
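The three operational steps listed above and the audit-trail record just shown, as an added Python example that is not OTWarden's code and does not come from the post: a minimal tracking ledger that matches constructed advisory records against an asset watchlist, stores the dated fields an auditor asks for, and computes the two 35-calendar-day windows in CIP-007-6 R2. The matching rule (vendor equality plus product-name substring) is a simplification chosen for the example; the advisory IDs, devices and dates are constructed sample values, the first of them reusing the post's illustrative advisory.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# CIP-007-6 R2.2 (evaluation cycle) and R2.3 (action window) both use 35 calendar days.
R2_WINDOW = timedelta(days=35)


@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    firmware: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    affected_products: Tuple[str, ...]
    published: date
    cvss: float


@dataclass
class TrackingRecord:
    """One audit-trail row: each dated field is something an auditor will ask for."""
    advisory_id: str
    received: date
    evaluated: Optional[date] = None
    applicable: Optional[bool] = None
    matched_assets: Tuple[Asset, ...] = ()
    disposition: Optional[str] = None          # "applied" or "mitigation_plan"
    disposition_date: Optional[date] = None
    justification: str = ""


def match_watchlist(advisory: Advisory, watchlist: List[Asset]) -> List[Asset]:
    """Assets whose vendor matches the advisory and whose product name appears in
    its affected-product list. Simplified matching rule for this example only:
    real applicability checks also need the affected firmware/version ranges."""
    hits = []
    for asset in watchlist:
        if asset.vendor.lower() != advisory.vendor.lower():
            continue
        if any(asset.product.lower() in p.lower() for p in advisory.affected_products):
            hits.append(asset)
    return hits


def open_record(advisory: Advisory, watchlist: List[Asset],
                received: date, evaluated: date) -> TrackingRecord:
    """Create the record at receipt and fill in the evaluation outcome."""
    hits = match_watchlist(advisory, watchlist)
    return TrackingRecord(advisory.advisory_id, received, evaluated,
                          applicable=bool(hits), matched_assets=tuple(hits))


def record_disposition(record: TrackingRecord, disposition: str,
                       on: date, justification: str = "") -> TrackingRecord:
    """Dated disposition: the patch was applied, or a mitigation plan was created."""
    record.disposition = disposition
    record.disposition_date = on
    record.justification = justification
    return record


def next_evaluation_due(last_evaluation: date) -> date:
    """R2.2: the next evaluation of newly released patches is due 35 days after the last."""
    return last_evaluation + R2_WINDOW


def action_deadline(record: TrackingRecord) -> Optional[date]:
    """R2.3: an applicable patch must be applied, or covered by a dated mitigation
    plan, within 35 calendar days of completing the evaluation."""
    if record.evaluated is None or not record.applicable:
        return None
    return record.evaluated + R2_WINDOW


def r23_status(record: TrackingRecord, today: date) -> str:
    """Where the record stands against the R2.3 window on a given day."""
    deadline = action_deadline(record)
    if deadline is None:
        return "unevaluated" if record.evaluated is None else "not_applicable"
    if record.disposition_date is not None:
        return "on_time" if record.disposition_date <= deadline else "late"
    return "pending" if today <= deadline else "overdue"


# Constructed sample input. The first advisory is the post's illustrative one;
# the second is invented so the ledger shows a non-applicable advisory too.
WATCHLIST = [
    Asset("Siemens", "SIMATIC S7-1500", "V2.9.2"),
    Asset("Schneider Electric", "Modicon M580", "V3.20"),
]
SAMPLE_ADVISORIES = [
    Advisory("ICSA-26-015-03", "Siemens", ("SIMATIC S7-1500 CPU family",), date(2026, 1, 15), 8.1),
    Advisory("ICSA-26-015-99", "Rockwell Automation", ("ControlLogix 5580",), date(2026, 1, 15), 7.5),
]


if __name__ == "__main__":
    ledger = [open_record(a, WATCHLIST, date(2026, 1, 15), date(2026, 1, 17))
              for a in SAMPLE_ADVISORIES]
    record_disposition(ledger[0], "mitigation_plan", date(2026, 1, 20),
                       "Coordinated outage needed; network access restricted; window Q2 2026")
    for rec in ledger:
        print(rec.advisory_id, rec.applicable, action_deadline(rec), r23_status(rec, date(2026, 3, 1)))
    print("next R2.2 evaluation due:", next_evaluation_due(date(2026, 1, 17)))
```

The point of `r23_status` is that "deferred" is only compliant when the deferral itself is dated inside the 35-day window; a record with no disposition date is exactly the gap an auditor will find, so the ledger reports it as overdue rather than silently carrying it forward.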

How OTWarden Helps

OTWarden automates the monitoring and alerting step — the part that creates the initial record and ensures nothing is missed.

When a CISA advisory is published that matches a vendor or product on your watchlist, you receive an email within 2 hours containing the advisory ID, severity, CVSS score, affected products, and remediation guidance. Professional and Team subscribers receive a monthly PDF report listing all advisories matched to their watchlist during the period — suitable for use as evidence in a CIP-007 audit.

The report won't replace your ticket system or your mitigation documentation, but it gives you an accurate, timestamped record of which advisories were identified and when. That's the starting point for everything else.

You can start a 14-day free trial at otwarden.com — no credit card required.
