Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)
Reliability Standard: CIP-005-2
Requirement: R2
Region: WECC
Issue: WECC determined that FFT Entity violated CIP-005-2 R2 because its electronic access control system does not deploy appropriate use banners on all of its interfaces. More specifically, the web user and command line interfaces do not provide full administration capabilities of the firewall. In response, FFT Entity submitted a pair of late-filed Technical Feasibility Exceptions (TFE) asserting that it was technically infeasible to meet the requirements of the Standard.
Finding: This issue posed only a minimal risk to the reliability of the BPS because WECC accepted FFT Entity’s TFE argument that it is technically infeasible to meet the Standard’s requirements. Additionally, WECC noted FFT Entity timely implemented six measures to mitigate risk. First, FFT Entity restricted and controlled access to the control system by requiring a two-factor authentication. Second, FFT Entity permitted access to only a small number of IP addresses that were linked to firewall administrators’ domain accounts. Third, all firewall administrators underwent background checks. Fourth, all administrators were required to acknowledge an acceptable use banner on their workstation computers before operating the software. Fifth, accounts with access to the system were limited to the minimum privilege level necessary to administer the system. Sixth, FFT Entity required passwords to administrative accounts to be complex, changed at least annually, and deleted should any administrator leave or no longer have responsibility for the device.
Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)
Reliability Standard: CIP-005-2
Requirement: R5; R5.2
Region: FRCC
Issue: FRCC determined FFT Entity violated CIP-005-2 R5 because FFT Entity did not sufficiently demonstrate that it had updated its documents within 90 days of the modification of the network or controls. A year before the FRCC spot check, FFT Entity removed the back-up requirements for its intrusion protection devices from its restoration plan. FFT Entity updated its documents to address the removal two years later.
Finding: FRCC determined that this issue posed only a minimal risk to the reliability of the BPS because while FFT Entity did not properly document the installation of the new back-up requirements for its intrusion protection devices, all personnel were adequately trained in recovery of the newly installed intrusion protection devices which were appropriately configured.
Unidentified Registered Entities (UREs), Docket No. RC12-13 (June 29, 2012)
Reliability Standard: CIP-005-2
Requirement: 3
Region: SERC
Issue: Two UREs in the SERC region submitted identical self-reports stating that neither had reviewed access logs for attempted or actual unauthorized access within the 90-day time frame set forth in the Reliability Standard. Both URE’s reviewed access logs one day late which was caused by a mistake in the internal tracking mechanism used to alert UREs to the date review was required. The date UREs previously reviewed the access lists was incorrectly entered into the system, and therefore the next due date was off by one day.
Finding: The violation was deemed by SERC to pose minimal risk to BPS reliability because UREs reviewed the lists one day late, and no issues were found that required review or reporting. Also, both UREs have systems in place to alert staff when reviews are due, however, the incorrect date entered for the previous review caused the next review due date to be off by one day.