Customer Case Study
A Major North American Electric Utility
When Compliance Can’t Wait: Governing Access Across Critical Infrastructure at Scale
Customer Overview
A large North American electric utility responsible for the generation, transmission, and distribution of power across a geographically diverse service territory operates in one of the most highly regulated critical infrastructure environments in the world.
The organization supports approximately 7,000 employees, 5,000 contractors, and manages physical access for more than 70,000 cardholders across offices, substations, control centers, and other operational facilities. Physical security, access authorization, and audit readiness are critical not only to daily operations, but also to meeting mandatory NERC CIP physical and electronic access management requirements.
The engagement was led by the utility’s Corporate Security and Compliance teams, working closely with IT and operational stakeholders responsible for ensuring continuous compliance with NERC CIP requirements, including CIP-004 personnel access controls and physical and electronic access authorization obligations.
Industry: Utilities, Power & Energy
Cardholders: 70,000+
Access Levels Centralized: 280,000+
Workforce: 12,000
The Challenge
As regulatory scrutiny increased and infrastructure continued to evolve, the utility faced growing challenges managing physical access at scale:
- Regulatory Complexity: NERC CIP requirements place strict obligations on utilities to control, authorize, review, and revoke physical and electronic access to critical assets. Proving compliance during audits required extensive documentation, access logs, and evidence of timely authorization and revocation.
- Fragmented Access Management: Physical access was managed through a combination of disconnected PACS systems, manual processes, and locally maintained records. Correlating access activity with authorized personnel during audits was time-consuming and error-prone.
- Manual Authorization & Revocation: Approvals, changes, and access removals relied heavily on email and spreadsheets. Demonstrating that access was granted appropriately—and revoked within required timelines—required significant manual effort.
- Audit Readiness Pressure: During NERC audits, teams were forced into reactive evidence collection, pulling data from multiple systems to answer basic questions: Who had access? When was it approved? Was it still valid at the time of entry?
The utility needed a centralized, enterprise-grade solution that could operationalize access governance, reduce audit risk, and support compliance without disrupting existing security infrastructure.
The Solution
The utility selected RightCrowd SmartAccess as the foundation of its physical identity and access management strategy.
Rather than replacing existing systems, RightCrowd SmartAccess was deployed as a central access governance layer, unifying identity, authorization, and audit evidence across the organization’s physical security ecosystem.
- Centralized Access Governance: RightCrowd SmartAccess became the system of record for physical and electronic access authorization, providing a single view of who is approved to access which facilities—and why.
- NERC-Aligned Authorization Workflows: Access approvals were standardized and aligned to NERC CIP access authorization expectations, supporting documented approvals, periodic reviews, and least-privilege access enforcement.
- Automated Provisioning & Revocation: Integrated with existing PACS infrastructure, RightCrowd SmartAccess enabled consistent provisioning and timely revocation of access, with time-stamped records that could be produced during audits.
- Audit-Ready Visibility: Security and compliance teams gained immediate visibility into access activity across facilities, allowing them to retrieve logs and authorization records without manual reconciliation.
- Enterprise-Scale Deployment: Designed for large, distributed environments, the platform scaled across thousands of users and access levels while supporting local operational requirements and centralized oversight.
The Results
The deployment of RightCrowd SmartAccess delivered immediate and measurable improvements across security operations and compliance readiness.

Operational Improvements:
- Centralized management of ~70,000 cardholders and ~280,000 access levels
- Reduced reliance on spreadsheets and manual approvals
- Improved consistency of access policies across facilities
Compliance & Audit Benefits:
- Clear, defensible access authorization records aligned to NERC CIP requirements
- Simplified evidence collection during audits
- Improved confidence in meeting CIP-004 access authorization and revocation expectations
Strategic Impact:
- Shift from reactive audit response to proactive compliance posture
- Stronger collaboration between security, compliance, and operations teams
- A scalable foundation to support future regulatory and operational demands

Why RightCrowd
For utilities operating under strict regulatory oversight, physical access governance is not optional. It is foundational to reliability and trust, and it must be repeatable, provable, and scalable.
Standardizing on the RightCrowd SmartAccess platform allowed this utility to operationalize NERC CIP access requirements by centralizing authorization, automating revocation, and delivering audit-ready evidence. The utility transformed physical access management from a compliance burden into a controlled, repeatable process.
RightCrowd SmartAccess doesn’t replace your NERC CIP program—it gives you the operational proof auditors expect, while reducing manual effort and compliance risk across physical and electronic access environments.

