Corporate Risk Solutions Team

CRSI provides technical expertise and strategic leadership to deal with compliance, security, and reliability issues in a comprehensive manner.

We believe that North American energy companies will be safer and more efficient if they have deep, anticipatory foresight into the full range of issues affecting the industry.

To provide that foresight, CRSI maintains a highly experienced staff of consultants who look beyond immediate work efforts to discover the missing piece that most firms don’t even look for. CRSI invests substantial time and effort in the continued personal and professional development of our employees.

Each member of our team is committed to excellence and when it comes down to it, your service is only as good as the team that helps you provide it. We absolutely believe our people make the difference, and we’ll put our team up against anyone as it relates to their knowledge of Regulatory Compliance in the energy industry.

 


Executive Team

Scott R. Roe


- President, CEO, Chairman

Professional Experience / Credentials

  • 31 years of government, private-sector, and electric utility security experience, which has included Fortune 500 companies in the U.S. and internationally
  • Specializes in providing consulting services in the following areas: NERC CIP Compliance, regulatory compliance; security master planning; physical and information protection programs (assessments, systems design and policy and procedures); security project management; business continuity planning; security awareness and training programs; and testimony services for commissions, legislative bodies and legal proceedings
  • Experienced in providing consulting support to many industries, including: manufacturing; financial; pharmaceutical; oil and gas; energy (gas and electric); water; community/municipal housing districts; and hospitals
  • Experienced in working in rural and dense urban environments as well as with stand-alone, single tenant deployments; wide area/campus deployments; and multi-tenant, multi-purpose developments and high rise buildings
  • Has provided NERC CIP compliance support for more than 50 utilities throughout North America
  • Has provided on-site NERC Audit support to various electric utilities
  • Has completed hundreds of operational security evaluations and counterintelligence inspections of special government programs for military and designated U.S. Critical Infrastructure
  • Has completed extensive audit support including participating in on-site NERC Audits, TFE Reviews and Mitigation Plan Reviews for Regional Entities
  • Has completed several hundred Security Risk & Vulnerability Assessments in support of security enhancement projects
  • Extensive experience providing Security System Design and Construction Management Services for major clients including many multi-state deployments
  • Completed numerous designs for extremely sophisticated integrated Corporate Security Control Centers
  • Extensive experience in Security Management (Physical, Personnel and Information) and consulting within the designated U.S. Critical Infrastructure Industries
  • Supported DOE/NRC Security Functions for Special Ammunition Sites
  • Former Member of a European Nuclear Accident Incident Response Alert (NAIRA) Team

Certifications / Education / Training

  • Certified Protection Professional (CPP)
  • Physical Security Professional (PSP)
  • Certified Security Project Manager (CSPM)
  • Advanced CPTED Practitioner – Well-Versed in Crime Foreseeability and CPTED (Crime Prevention Through Environmental Design) Concepts
  • Successfully Completed the Fundamentals of Auditing for NERC Compliance Coursework
  • Attended NERC Cyber Security Standards Workshop – Dallas, TX, 2006
  • Attended SPP CIP Cyber Security Standards How-To Workshop – Dallas, TX, 2008

Professional Associations

  • ASIS International
  • Security Industry Association
  • BICSI
  • FBI InfraGard Program
  • International Association of Campus Law Enforcement (IACLEA)

Selected Publications, Lectures and Seminars

Mr. Roe is a highly sought-after speaker and presenter at various security forums. Mr. Roe has presented on and published numerous white papers on NERC CIP Compliance, utility security, business continuity planning, cyber vulnerability assessments and penetration testing, reducing workplace violence, the advantages of a role-based access control program, using integrated security management systems to meet compliance with the NERC CIP Standards, and security project and construction management for the following events / organizations:

  • Midwest Consolidated Security Forum
  • Honeywell Utility Security Forum
  • ASIS International Convention
  • Securitas / ASIS Kansas City Conference
  • Industrial Security Conference
  • Next Generation Power & Energy
  • ISC West (Las Vegas, Nevada)
  • Higher Education Security Conference (Boston, Massachusetts)

Leadership Team

Harford Field III


- Manager Consulting Services

Relevant Experience

Physical Security Assessment: Conducted threat vulnerability assessments and created mitigating security plans based on extensive research and guidance from NERC requirements pertaining to CIP-014, North American Transmission Forum (NATF), Department of Homeland Security (DHS), National Incident Protection Plan (NIPP 2013), and various other governmental/private security authorities.

  • Developed and led CIP-014-2 implementation at major transmission utilities
  • Created physical security risk & vulnerability assessment programs including training modules for classroom and hands-on applications
  • Designed scalable security plans and procedures that incorporated threat level variables
  • Selected and installed physical security systems at facilities for various critical infrastructure sectors
  • Developed and managed NERC CIP compliance projects including cyber vulnerability assessments, gap analyses, mock audits, SME skills training, and NERC audit support
  • Developed and managed CFATS compliance assessment, gap analysis, security design and audit support according to DHS Risk-Based Performance Standards (RBPS)

Project Management: Created and maintained dozens of extensive project plans in order to keep projects on schedule, within budget, and to established performance metrics.  Ensured clients received efficient and effective time usage leading to on-time and high-quality deliverables.

  • On-site management for 15 months of NERC CIP-014-2 implementation at major west coast transmission utility completed on time and on budget
  • On-site management for 18 months of NERC CIP V5 implementation at major west coast transmission utility completed on time and on budget with seamless transition from NERC V3
  • Managed two assessment teams and led complete program development and execution of NERC CIP-014-2 Requirements R4-6 at a major, multi-state, north central US generation & transmission company
  • Provided supervision and coordination of multiple NERC CIP mock audits, CVAs, SME training and NERC audit support
  • Designed and managed physical security solution for major US bank trading floor building in New York City
  • Managed and contributed designs for ???
  • Oversaw physical security projects throughout the US for military, government and commercial entities

Education

  • Associate in Applied Science – Community College of the Air Force
  • Bachelor of Science in Business and Public Administration – University of Texas
  • Master of Arts in International Affairs – University of North Georgia

Certifications & Training

  • ASIS Certified Protection Professional (CPP)
  • ASIS Certified Physical Security Professional (PSP)
  • Certified in Homeland Security Level IV (CHS-IV)
  • Chemical-terrorism Vulnerability Information (CVI) Authorized User
  • National Incident Management System (NIMS) 700 & 800 Level Training – FEMA
  • Leadership and Project Management – American Management Association
  • Electronic Warfare Systems Technology – US Air Force
  • Member, InfraGard Security Network – InfraGard/FBI

Employee Narrative

Mr. Field possesses more than seventeen years of security-related experience, training and study, including military intelligence and consultative offerings of security solutions to critical infrastructure entities such as nuclear, conventional and renewable power-generation & transmission facilities. A US Air Force veteran involved in intelligence, Mr. Field has many years of experience in the hi-tech field, including licensing voice recognition technology to companies such as Microsoft and Silicon Graphics; he oversaw the largest implementation of ADSL high-speed internet technology and was director of multimedia products at STB Systems in Dallas, Texas. In addition, he has extensive solutions sales experience and expertise working with Compaq, Dell, Microsoft, Silicon Graphics, PMC-Sierra, Siemens, and many other technology companies.


Consultant Team

Michael J. Gammon


- Senior Technical Advisor

Relevant Experience

NERC 693 Operations Mock Audit: Lead in planning and managing Mock Audits for companies such as a large public power entity or large integrated investor-owned utilities.

  • Documented entities’ needs for successful NERC 693 Operations compliance developed from an in-depth review of Reliability Audit Standard Worksheets and compliance evidence
  • Created successful simulated audit experience
  • Ensured readiness of Client subject matter experts (SME) through SME training and reinforced during mock audit simulation

NERC CIP Compliance Mock Audit: Assisted in planning and managing Mock Audits for companies such as a large public power entity or large integrated investor-owned utilities.

  • Documented entities’ needs for successful NERC 693 Operations compliance developed from an in-depth review of Reliability Audit Standard Worksheets and compliance evidence
  • Created successful simulated audit experience
  • Ensured readiness of client subject matter experts (SME) through SME training and reinforced during mock audit simulation

NERC CIP V5 Implementation Program: For nearly two (2) years, provided “embedded” daily consultant work for a very large, integrated, Investor-Owned Utility (IOU) within WECC.

  • Created overarching project plan for the development and completion of processes and tools supporting the identification and categorization of BES Cyber Systems required under NERC Reliability Standard CIP-002-5.1
  • Managed resources and task completion to ensure successful program implementation by established company deployment date
  • Developed and implemented policies, processes, procedures, tools, and reports developed under company documentation and format standards
  • CIP-002-5.1 program recognized by WECC Regional Compliance Entity as an “industry leader” following a WECC V5 Readiness Audit

NERC CIP V5 Implementation Program: Led and assisted multiple organizations in the development of programs supporting CIP-002-5.1, CIP-004-6, CIP-008-5, and CIP-009-6.

  • Development of policies, processes, procedures, and tools required by the CIP Standards
  • Gap assessment reviews of Client execution processes/procedures and resulting compliance evidence

Additional support: Provided guidance, gap assessments, and/or quality reviews in the following topical areas over the past three years.

  • PER-005-5 – evaluated and developed processes, procedures and tools to provide a successful Operator Training Program for a Client which successfully passed the scrutiny of a NERC compliance audit
  • FAC-008-3 – evaluated Facilities and supporting evidence to develop facility ratings for several generating Facilities
  • Internal Compliance Program (ICP) – gap assessment and evaluation of organizational strengths regarding their ICP
  • Common Emissions Monitoring (CEM) – evaluated and performed gap assessment for CEM quality assurance plan against EPA regulations and other related regulatory documents

Education

  • Bachelor of Science in Electrical Engineering – University of Missouri, Columbia
  • Master of Science in Electrical Engineering – University of Missouri, Rolla

Certifications & Training

  • Chemical-terrorism Vulnerability Information – US Department of Homeland Security, Office of Infrastructure Protection
  • National Incident Management System (NIMS) 700 & 800 Level Training – FEMA
  • Project Management – American Management Association

Employee Narrative

Mr. Gammon has extensive knowledge of transmission, generation, and distribution real-time operations practices, principles, and systems, including SCADA and EMS systems. Prior to CRSI, he led organizations in successful preparation and execution of numerous NERC 693 Operations and CIP audits. He is regarded as an expert in the knowledge and practical application of the NERC 693 Operations Standards and is well versed in the CIP Standards. He is also very familiar with the NERC Rules of Procedure (RoP) and participated in NERC committees regarding the RoP prior to joining CRSI. Mr. Gammon is experienced with successful NERC settlement negotiations and processes and with successful preparations and submissions regarding changes to Responsible Entity functional registrations. Mr. Gammon demonstrates strong written and oral communication skills and has consistently earned the praise of many clients for his work.


Steven M. Ostrov

- IT Staff Consultant

Relevant Experience

NERC CIP Cyber Vulnerability Assessments: Conducted numerous assessments within 5 regions, including RF, WECC, MRO, FRCC, and SPP. Work covered evaluation of firewall rule sets, reporting utilities native to the Operating System, and capture of system information.

  • Identified cyber vulnerabilities to client networks by reviewing network documentation and performing physical walk downs of BES Cyber Assets/Systems/Facilities at medium and high impact Facilities for Transmission Assets
  • Network Discovery, Network Design Verification and EAP Identification
  • Assets reviewed for appropriate security controls as defined by industry best practices and North American Electric Reliability Corporation (NERC) CIP Standards and Requirements CIP-005-5 R1 and R2; CIP-006-6 R1, Parts 1.1 and 1.10; CIP-007-6 R1, R2, R3, and R5; and CIP-010-2 R1 and R2
  • Identified communication paths using network diagrams, asset lists, and Nmap (or Nessus) scan results of networks
  • Analyzed running configurations for Cyber Assets against baseline configurations and analyzed findings to determine the root causes
  • Compared assets listed on the network diagrams to ensure no devices are misrepresented in location (logical or physical) or connectivity, and verified them against actual devices during physical walk downs of ESPs

NERC CIP v5 Policy and Procedure Creation: Created comprehensive full or partial compliance documentation and process policy/procedure sets for various entities (including public power and investor-owned utilities) in the RF, WECC, MRO, FRCC, and SPP NERC regions, including sets developed for major independently owned and public power integrated utilities within SPP, WECC and FRCC.

  • Developed and verified client needs through interviews and industry knowledge
  • Constructed policies and procedures for use within the entities and instructed personnel on roles and responsibilities
  • Confirmed NERC CIP v5 Standards and requirements were implemented into the entities’ compliance plans
  • Created a robust set of documents for compliance maintenance and client presentation to NERC auditors
  • Assured quality of evidence and records through document editing, formatting, and highlighting the documents’ purpose

Guided a large multi-regional Generator Owner and Operator (with no previous NERC CIP obligations) through organization structuring and implementation of a new NERC CIP v5 program:

  • Performed a NERC CIP v5 Gap Analysis of the entity’s existing policies and procedures which identified the areas in need of development
  • Drafted suite of policies, procedures, templates and workflows for compliance with the NERC CIP v5 Standards in coordination with feasibility reviews by client personnel

NERC CIP Compliance Mock Audit: Member of Audit Team

  • Responsible for Auditing CIP Standards CIP-007-6 and CIP-010-2
  • Interviewed SMEs and questioned them regarding their documentation to determine whether standard compliance is met, based on formal evidence collection using defined NERC Audit protocols and focused solely on compliance with the NERC CIP Standards
  • RSAW & Evidence Analysis of NERC Standards CIP-002-5 through CIP-014-2
  • Made entities aware of their compliance issues by noting areas of needed improvement throughout the entire Mock Audit process
  • Ensured compliance and ease of evidence compilation and storage through SME questioning and training

NERC Annual Training: Reviewed and updated NERC CIP computer based training

  • Updated training material to reflect changes from version 3 to version 6
  • Conducted Table Top training session focusing on continuity of operations, CIP Exceptional Circumstances, PACS Maintenance, Access Changes

NERC Reliability Standard Audit Worksheet (RSAW) Creation and Review: Completed Gap analysis on NERC Standards CIP-002-5 through CIP-011-2

  • RSAW & Evidence Analysis of NERC Standards CIP-002-5 through CIP-014-2
  • Updated RSAWs that were deficient in meeting NERC Guidelines
  • Transitioned RSAWs from NERC CIP version 3 to version 6
  • Provided direction on developing supporting evidence that can meet auditor expectations including the development and creation of RSAW Evidence Packages

Technology Comparison: Researched NERC CIP-compliant alternative technology solutions for a Multi-Regional, Multinational Responsible Entity

  • Prepared documentation of solutions and alternative technical solutions to meet NERC CIP compliance
  • Implemented identified technical solutions saving substantial cost to the Entity

Gap Analysis: Compared Responsible Entities' Critical Infrastructure Protection (CIP) compliance posture with all FERC-approved CIP standards and requirements

  • RSAW and Evidence Analysis
  • Prepared reports on CIP-007-6, CIP-011-2, CIP-007-6 Security Event Monitoring, CIP-007-6 System Security Management, CIP-007-6 Physical Ports, CIP-007-6 Logical and Services, CIP-007 Malicious Code Prevention, CIP-007-6 Patch Identification, Assessment, and Implementation, CIP-010-2 Change Management, CIP-011-2 Reuse and Disposal of Electronic Media

Education

  • Associate of General Studies – Pima Community College, Tucson
  • Associate in Applied Science in Electronic Systems Technology – Community College of the Air Force
  • Associate in Applied Science in Communication Applications Technology – Community College of the Air Force
  • Bachelor of Arts in Intelligence Studies (Magna Cum Laude) – American Military University
  • Master of Science in Information Technology (with Honors) – American Military University

Certifications & Training

  • Credentialed Space Professional (CSP)
  • Tripwire Enterprise 8.3 Professional – Tripwire Inc.
  • Tripwire 8.3 Operator – Tripwire Inc.
  • Nessus 6 Fundamentals – Tenable Network Security Inc.
  • Industrial Control Systems Cyber Emergency Response Team (100W & 210W-01) – The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Department of Homeland Security
  • Chemical-terrorism Vulnerability Information – US Department of Homeland Security, Office of Infrastructure Protection
  • National Incident Management System (NIMS) 700 & 800 Level Training – FEMA
  • Fundamentals of Successful Project Management – Skillpath

Employee Narrative

Steven M. Ostrov has over 26 years of security-related experience. During his distinguished active duty military career he served in numerous leadership positions and specialized in Communications Research, Electronic Warfare (EW), Space Systems Architecture and Radar Systems Technology. As a military veteran, Mr. Ostrov completed two overseas tours and two Middle East deployments, and retired at the rank of Master Sergeant from the USAF in 2014. He is the recipient of numerous USAF & NSA awards, including the Defense Meritorious Service Medal and Army Commendation Medal.


Client Advocate

Efficient. Effective. Sustainable.
