Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)
Reliability Standard: CIP-007-2a
Requirement: R9
Region: NPCC
Issue: During a compliance audit, NPCC determined that FFT Entity’s parent company did not timely update its information security standard testing document to reflect a revised 30-day requirement (from a 90-day requirement).
Finding: NPCC found that the issue constituted a minimal risk to BPS reliability since no cyber security incidents occurred during the 8-month period when the document was not updated. In addition, FFT Entity’s parent company conducted its annual procedure review in accordance with the Reliability Standards.
Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)
Reliability Standard: CIP-007-2a
Requirement: R9
Region: NPCC
Issue: In the course of a CIP compliance audit, NPCC determined that FFT Entity violated CIP-007-2a R9 because it failed to properly update its information security standard documents to reflect the change from a 90-day requirement to a 30-day requirement. FFT Entity did, however, conduct its annual procedure review in conformity with the Standard and the updates reflected in CIP-007-3.
Finding: NPCC determined that this issue posed only a minimal risk to the reliability of the BPS because there were no system or control changes that occurred during the 8-month period in which the plan used the incorrect 90-day requirement. In addition, the annual procedure review was performed in conformity with the Standard and updated to reflect the changes reflected in CIP-007-3. NPCC noted that FFT Entity violated the Standard previously, but determined the instant remediated issue arose from the same conduct and, consequently, should not be viewed as an aggravating factor.
Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)
Reliability Standard: CIP-007-2a
Requirement: 7
Region: FRCC
Issue: While conducting a CIP Compliance Audit, FRCC found that URE had not deleted its data storage media prior to redeploying CAs (in particular, dispatch training workstations) outside of an ESP. In order to avoid any unauthorized access of sensitive cyber security or reliability data, entities are required to erase all stored historical information prior to reusing equipment containing such data.
Finding: The violation was deemed to pose minimal risk to BPS reliability because the relevant systems were not essential for reliable operation, and most information that was required to be erased had been by use of a multiple pass erase procedure. It was noted that although the systems had been removed from the ESP, PSP protections were still in place, and the systems were under the operation and control of URE’s control center staff.
Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)
Reliability Standard: CIP-007-2a
Requirement: 6
Region: FRCC
Issue: URE self-reported that, due to an error in the internal clock, a distributed control system human machine interface device within one of its generation sites did not have continuous monitoring for 45 days. The device, which is most active during start-up, still had alarms for communications failures and intrusion detection system alerts.
Finding: FRCC found that the issue constituted only a minimal risk to BPS reliability since the device was contained within a PSP and was not accessible remotely from outside the ESP. In addition, there were no records of any unauthorized access to the device during the time when the continuous monitoring was out of service. Although URE had one prior violation and one prior remediated issue with this Reliability Standard, FRCC found that this issue does not involve recurring conduct since the prior instances involved a hardware failure of the log collector device and late-filed Technical Feasibility Exceptions.
Unidentified Registered Entity 8 (TRE_URE8), Docket No. RC13-9-000 (May 30, 2013)
Reliability Standard: CIP-007-2a
Requirement: 3
Region: Texas RE
Issue: For a period of about four and a half months, TRE_URE10 could not show that all assessments of security patches were performed within 30 days of availability from the vendor(s), even though it has self-certified that procedures and personal performance goals had been implemented for conducting 30-day assessments of security patches.
Finding: Texas RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability, as TRE_URE8 had in place mitigating and compensating measures and did conduct, but not document, the required assessments.