NERC FFT Reports: Reliability Standard CIP-002-1

Alert

26 min read

 

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Region: FRCC

Issue: FFT Entity self-reported that it did not have a risk-based assessment methodology (RBAM) by the required compliance date.

Finding: FRCC found that this issue constituted only a minimal risk to BPS reliability since, once FFT Entity applied its RBAM, it was discovered that FFT Entity (a small entity) did not have any CAs that could impact BPS reliability.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R2

Region: SERC

Issue: As the result of a compliance audit, SERC determined FFT Entity violated R2 because it failed to provide evidence that considered all of its assets in the performance of the risk-based assessment methodology. Evidence showed that FFT Entity only considered 21 of 28 assets.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs and does not own or operated any of the CCA criteria set out in proposed CIP-002-4, and FFT Entity has a risk based assessment methodology.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R4

Region: SERC

Issue: During a compliance audit, SERC determined FFT Entity failed to sign and date its annual approval of the list of CAs and CCAs in violation of R4.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs, does not own or operate any facilities that would meet any of the Critical Asset Criteria set forth in the proposed CIP-002-4, and does not own or operate any BPS equipment.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Region: SPP

Issue: During a spot check, SPP found that FFT Entity’s list of CCAs included four Cisco switches that were located outside the ESP and that were not essential to the function of FFT Entity’s CAs.

Finding: SPP found that this issue constituted only a minimal risk to BPS reliability since the relevant four switches did not qualify as CCAs and should not have been included on the CCAs list. Therefore, FFT Entity had no actual CCAs that were unprotected or otherwise at risk of being compromised.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Region: SPP

Issue: Through a spot check, SPP determined that FFT Entity had incorrectly identified ten network switches located within FFT Entity’s ESP as Protected Cyber Assets instead of CCAs (since those switches serve as the communication interface between the operator consoles and some of FFT Entity’s systems essential to the reliable operation of FFT Entity’s control center).

Finding: SPP found that the issue constituted a minimal risk to BPS reliability. FFT Entity provided the same level of cyber security protection to Protected Cyber Assets and CCAs and, therefore, the improper classification of the network switches did not have any actual impact on the BPS.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R3, R4

Region: ReliabilityFirst

Issue: During a compliance audit, it was found that FFT Entity had issues with CIP-002-1 R3 and R4. FFT Entity’s risk-based assessment methodology (RBAM) shows that FFT Entity has no CAs, and FFT Entity has document showing it has no CAs, but it did not have a list reflecting that it had no CCAs, as required by CIP-002-1 R3. As such, FFT Entity did not annually approve its CCAs list (even if the list is null), as required by R4, because no such list was in existence.

Finding: ReliabilityFirst found the issue constituted a minimal risk to BPS reliability because FFT Entity has no CAs or CCAs, and therefore, the issue was merely a documentation problem.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Region: SPP RE

Issue: While conducting a spot check, the CIP audit team for SPP RE found that FFT Entity’s CCA list had substantive errors, such as incorrectly classifying a host integration server as a CCA. Also, systems that were taken out of service were shown as in-service on a subsequent CCA list even through there were still out of service.

Finding: SPP RE found the violation constituted a minimal risk to BPS reliability because the problem was documentation related and was due only to the addition of an asset not determined to be a CCA, rather than the omission of an asset determined to be a CCA. In terms of the out-of-service systems being listed as “in-service”, it was found that no CCA that was out of service was ever put back into service.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-002-1

Requirement: R1, R2, R3

Region: NCEA

Issue: NCEA determined three FFT Entities violated CIP-002-1 R1, R2 and R3 because all did not include in their methodology or assessment the CIP assets of third-party entities that were performing tasks on their behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance.

Regarding FFT Entity in violation of R1, NCEA noted two issues. First, NCEA found that a third party had a flawed risk-assessment methodology in determining its CA List in that it considered business criteria instead of being solely reliability-based. As a result, the entity still had substations and control centers on its CA List. Second, NCEA discovered a separate third-party entity improperly eliminated assets from consideration for the CA List because it accepted risk levels less than unity. Consequentially, under this methodology, the third party had a primary control center declared as a “high criticality asset,” but still eliminated it from the CA List.

Regarding FFT Entity in violation of R2, NCEA pointed to two separate breaches. First, one third-party entity insufficiently referenced the requirements in Standards CIP-002 through CIP-009 related to emergency situations. Second, another third-party entity failed to prove that its policy was available to all personnel with access to, or responsibility for, CCAs.

Regarding FFT Entity in violation of R3, NCEA determined that third-party entities failed to provide sufficient information to indicate whether they met the requirement of the Standard as of July 1, 2008 or at their spot check.

Finding: These issues posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to reliability of the BPS as a result of these issues.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-002-1

Requirement: R4 (2 violations by 2 separate entities)

Region: SPP

Issue: During an audit, SPP found that FFT Entity’s risk-based assessment methodology (RBAM) was not approved by a designated senior manager as required. The RBAM was only reviewed and approved by a compliance officer.

Finding: SPP found that this issue constituted only a minimal risk to the BPS since this was primarily a documentation issue as FFT Entity was actually reviewing its RBAM. In addition, a senior manager approved the RBAM for the prior year.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R3

Region: SERC

Issue: URE’s list of CCAs improperly included CAs (one router and two firewalls) not essential to operating CAs, meaning the subject assets should not have been deemed CAs and should not have been included on URE’s list of CAs.

Finding: SERC found the violation constituted a minimal risk to BPS reliability because the router and firewalls were not CCAs. The firewalls had protective measures in place following CIP Standards, and the router was not located inside of the ESP nor was it used for access control or monitoring of the ESP.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R1; R1.2.2; R1.2.3

Region: MRO

Issue: During a spot check, MRO found that URE’s risk-based assessment methodology (RBAM) was deficient because it was not the exclusive evaluation criteria for the assessment of control centers and generation resources and failed to define the criteria and steps it follows to identify CAs.

Finding: MRO determined that the violation posed a minimal risk to BPS reliability because its control centers were CAs subject to CA protection, and once the violation was corrected, none of the generation resources at issue were considered critical.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R2

Region: FRCC

Issue: During a spot check, FRCC determined that URE failed to properly apply its risk-based assessment methodology for developing a list of CAs because URE’s list of CAs did not correlate to the RBAM criteria.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability of the BPS because FRCC determined the inconsistency was likely due to a wording error and that the CA list did correlate with the RBAM once the error was remedied. URE mitigated the violation by correcting its RBAM.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R1; R1.1

Region: RFC

Issue: While conducting a CIP compliance audit, RFC found that URE had two versions of its risk-based assessment methodology (RBAM) that were not risk-based. The RBAMs listed the types of facilities where URE would conduct annual reviews and stated that the characteristics of URE left it unable to “impact the Bulk Electric System.” It further stated that it would conduct an annual review to determine its ability to impact the BPS. The RBAMs did not contain any procedures or evaluation criteria.

Finding: The violation was found to pose minimal risk to BPS reliability because even though the RBAM did not contain all the required elements, it did have information on the kinds of assets to be reviewed, and URE had no such assets. And, URE’s RBAM did consider all interconnections points and load size.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R4

Region: SERC

Issue: SERC Audit Staff reported that URE’s risk-based assessment methodology (RBAM) and list of CAs and CCAs had not been approved by delegated authority on a yearly basis and URE failed to delegate to a single senior manager the responsibility and authority for its CIP obligations, including implementation and compliance and management of a CIP program.

Finding: The issue was found to pose minimal risk to BPS reliability because URE has no CAs nor does it own or operate facilities considered CAs and even through URE had not assigned the responsibility of CIP compliance in writing, the RBAMs had been reviewed and approved by the manager and URE had no CAs or CCAs which was reflected on the lists.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-002-1

Requirement: 1

Region: SERC

Issue: While conducting a spot-check, the SERC team found that past versions of URE’s risk-based assessment methodology (RBAM) did not acknowledge assets listed in sub-requirements R1.2.1 through R1.2.7 in its RBAM.

Finding: The violation was deemed by SERC to pose minimal risk to BPS reliability because URE is a partial requirements supplier that has no CAs and does not own any transmission or generation assets.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 1

Region: SERC

Issue: During an audit, SERC determined URE had failed to develop a sufficient RBAM for determining whether or not it had Critical Assets that included all of the requirements in fulfillment of R1. URE provided documentation that failed to describe an RBAM that included procedures and evaluation criteria for identifying Critical Assets, as well as failed to address the assets in R1.2.1 through R1.2.7 and how URE would evaluate if any such assets should be considered Critical Assets in the event of acquisition.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 1

Region: SERC

Issue: During an audit, SERC discovered that URE failed to provide evidence of procedures and evaluation criteria for its RBAM that was in place at the beginning of the compliance period (per R1). SERC reviewed additional information from URE and found URE’s initial RBAM consisted of printed copies of CIP-002-1 containing handwritten notes stating URE did not own assets listed in each of the R1.2 sub-requirements, as well as handwritten dates specifying review of the printed copy the standard and the handwritten notes. Based on the assessment, URE identified no Critical Assets. SERC determined this document did not fulfill the requirements of R1; consequently, URE developed a RBAM in accordance with CIP-002-3 R1.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because even though the evaluation criteria did not meet the requirements of the Standard, URE conducted an assessment to determine Critical Assets each year and has no Critical Assets, as well as does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 1

Region: Texas RE

Issue: During an audit, Texas RE found that URE’s documented RBAM did not contain its Qualified Scheduling Entity (QSE) control centers within the scope of assets to be considered for evaluation when identifying Critical Assets (CAs), which does not fulfill R1. URE had delegated some of its responsibilities to its QSE; consequently, the QSE control centers were not included in URE’s RBAM used to identify CAs. Texas RE determined the scope of the infraction spanned from when URE was required to comply with this Standard to when URE updated its RBAM and re-performed its CAs identification with consideration given to its QSE’s control centers. The identification established that URE had no CAs.

Finding: Texas RE determined the issue posed a minimal risk to the reliability of the BPS because URE did not own any CAs or Critical Cyber Assets (CCAs) at any time. Furthermore, the inclusion of the QSE in URE’s RBAM did not yield any new CAs or CCAs. Also, the QSE in question does not have the ability to control the URE facility. Thus, Texas RE determined the issue was documentation related.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Region: WECC

Issue: WECC performed an offsite audit of URE’s compliance with R3 (among other Standards) and found that URE failed to develop a null list of its CCAs (per R3). The Audit Team also determined that URE knew it did not have any CCAs because it had developed a null list of its Critical Assets. WECC determined the issue occurred from when the Standard became enforceable until URE developed its null list of CCAs.

Finding: WECC determined this issue posed a minimal risk to the reliability of the BPS because URE had previously applied its RBAM and already knew prior to the occurrence of the issue that it did not have any Critical Assets and, as a result, did not have any CCAs. Consequently, WECC determined the potential for malicious conduct to CCAs did not exist.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 4

Region: FRCC

Issue: During a FRCC CIP Compliance Audit, FRCC discovered URE did not maintain a null list of Critical Cyber Assets (CCAs) and did not obtain the required signature of the senior manager (per R4). Starting on the mandatory and enforceable date of the Standard, URE’s RBAM did not contain a null list of CCAs, and while it did contain a documented Critical Asset (CA) null list with the senior manager’s typed name, there was no ink signature.

Finding: FRCC determined this issue posed a minimal risk to the reliability of the BPS because though the URE failed to document the null list with no CCAs, it had documented the null list with no CAs. Furthermore, the signature issue resulted from lack of documentation and was revised.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 4

Region: SERC

Issue: URE submitted a self-report stating that an employee approved the RBAM, the null list of Critical Assets, and the null list of Critical Cyber Assets before being designated as the senior manager with overall responsibility for leading and managing URE’s implementation of, and adherence to, CIP-002 through CIP-009. The self-report was in response to an inquiry from SERC staff during a separate assessment of enforcement action. SERC determined that URE did not formally assign a senior manager with overall responsibility for leading and managing URE’s application of, and compliance with, CIP-002 through CIP-009 for approximately three years. Consequently, all of URE’s approvals of its RBAM, Critical Asset list, and Critical Cyber Asset list that preceded the designation of a senior manager were not in compliance with the relevant Standards.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE identified a senior manager as its single point of contact for URE’s utilities program, who was responsible for approving the risk-based assessment methodology, list of Critical Assets, and list of Critical Cyber Assets. In addition, URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 4

Region: SERC

Issue: URE submitted a self-report stating that it failed to have a senior manager or delegate(s) annually approve the list of Critical Assets and Critical Cyber Assets (CCAs) in two prior years (per R4). SERC reviewed additional information and found that URE applied its established RBAM to all associated assets, resulting in null lists for Critical Assets and CCAs. Yet, URE’s senior manager failed to sign and date the Critical Asset and CCA list for the two prior years in question. However, URE’s senior manager signed the RBAM for four consecutive years and had approved and signed the Critical Asset and CCA lists, which were null, for the two years prior to the period in question.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE’s senior manager approved and signed the RBAM. Furthermore, URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 4

Region: WECC

Issue: WECC performed an offsite audit of URE’s compliance with R4 (among other Standards) and found that URE failed to have a CIP senior manager sign its null list of its CCAs (per R4). The Audit Team also determined that URE knew it did not have any CCAs because it had developed a null list of its Critical Assets. WECC determined the issue occurred from when the Standard became enforceable until URE’s CIP senior manager signed its null list of Critical Assets and CCAs.

Finding: WECC determined this issue posed a minimal risk to the reliability of the BPS because URE had previously applied its RBAM and already knew prior to the occurrence of the issue that it did not have any Critical Assets and, as a result, did not have any CCAs. Consequently, WECC determined the potential for malicious conduct to CCAs did not exist.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Region: TRE

Issue: During a compliance audit, TRE found that FFT Entity, since it did not properly follow its risk-based assessment methodology (RBAM), improperly excluded one device from its list of CCAs. But, even though the device was not on the list, FFT Entity still provided that device with all of the security measures required by the Reliability Standards.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since the excluded CCA was contained within a PSP and ESP, which are continuously monitored and can only be accessed by authorized personnel.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-002-1

Requirement: 1.1

Region: SPP

Issue: During an audit, the SPP CIP audit team discovered that URE's RBAM for identifying Critical Assets did not include evaluation criteria for assessing Critical Assets (per R1.1)

Finding: SPP found the issue posed a minimal risk to the reliability of the BPS since URE did have a documented RBAM that it used to identify its Critical Assets, even though the RBAM did not contain evaluation criteria. The RBAM in question still considered the assets listed in R1.2, and URE determined that it did not have any CAs or CCAs implementing the original RBAM.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-002-1

Requirement: 1.2.1

Region: TRE

Issue: During an audit, TRE discovered that URE had a RBAM that did not consider reliability-related to its function services. The services in question were provided by and performed by its QSE, and the RBAM did not consider the QSE's control center and backup control center. URE was noncompliant until implementing a revised RBAM.

Finding: TREfound the issue posed a minimal risk to the reliability of BPS because the CA identification procedures implemented by URE did include the control center and backup control center in question (per R2), even though the RBAM did not account for the control center and backup control center of URE's QSE. In addition, direct control over the physical operation of the facility did not involve the QSE, as it is only served as a communication conduit. Consequently, the URE facility could have accommodated communications in the event of loss of communications by the QSE control center and the backup control center.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-002-1

Requirement: 1; 1.2.1

Region: FRCC

Issue: During an audit, FRCC found that URE failed to produce sufficient evidence that it had considered control centers and back-up control centers in its RBAM for a span of approximately two and a half years (in noncompliance with R1). Standard R1.2.1 requires that URE consider control centers or back-up control centers in its RBAM, even though URE does not own any.

Finding: FRCC found the issue posed a minimal risk to the reliability of the BPS since URE took into account all asset types owned that are required by R1 and failed to consider control centers or back up control centers because it does not own any.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-002-1

Requirement: 1; 2; 3; 4

Region: WECC

Issue: URE self-certified a possible noncompliance with R1. In particular, URE reported its status as "Beginning Work." Subsequently, the compliance audit revealed that URE did not have a documented RBAM until August 30, 2010, as WECC had previously alleged. In addition, on August 6, 2010 WECC found that URE failed to identify or document a RBAM to identify its CAs (per R1). Furthermore, WECC found that URE failed to develop a list of its identified CAs from the application of an RBAM (per R2), as well as failed to develop a list (a null list at that) of associated CCAs essential to the operation of a CA (per R3). Lastly, WECC found URE failed to maintain a list of CAs and a list of CCAs that were approved by a senior manager (per R4).

Finding: WECC found the issue posed a minimal risk to the reliability of the BPS since URE found that it never had any CCAs essential to the operation of the CA when it applied its RBAM in 2011. WECC verified this information during on-site Compliance Audit. Subsequently, WECC determined URE does not have CCAs essential to the operation of the BPS, and as a result, the BPS was never exposed or compromised by the failure to comply with the documentation requirements of the violations in question. Furthermore, the issues in question stem from URE's failure to implement and document an RBAM for the period from December 31, 2009 to August 29, 2010.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-002-1

Requirement: 1.2

Region: TRE

Issue: While conducting a CIP compliance audit, TRE found URE1 had a compliance issue with CIP-002-1 because its risk-based assessment methodology (RBAM) did not include all of URE1's assets during its development. URE1 had not considered a contractor's control center as a possible Critical Asset despite that contractor being responsible for certain function activities.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Once the control center was considered, no change to URE1's list of CAs or CCAs occurred because the control center was determined to not be a Critical Asset. The contractor did not perform any operations related to URE1's generation unit.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-002-1

Requirement: 3

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-002-1 as it had not initially identified all workstations and laptops in its control center and back-up control center as CCAs. As such, the items were not included on its then-current CCA list.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The relevant equipment was located in the secured control center and was protected by security controls in place at URE1.

Unidentified Registered Entity 4 (URE4), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-002-1

Requirement: 1, 2, 4

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE4 had no documented risk-based assessment methodology (RBAM) for identifying Critical Assets (R1). As such, URE4 could not show that it was applying its RBAM yearly to create a list of Critical Assets as required (R2) or that the RBAM was being approved on an annual basis (R4).

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because URE4 has no Critical Assets. URE4 did have a spreadsheet with Critical Asset determination criteria; however, it did not have a documented and approved RBAM.

Unidentified Registered Entity 1 (TRE_URE1), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: R1.2.1

Region: Texas RE

Issue: Texas RE determined, following a compliance audit, that TRE_URE1 failed to evaluate a control center performing functions of the entities listed in its risk-based assessment methodology (RBAM). As of the date the standard become applicable and for a period of two years and two months after, URE1’s RBAM did not include a third-party control center that performed some of its day-ahead schedules and real-time communications.

Finding: Texas RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. The control center, not included in the RBAM, is not a Critical Asset. TRE_URE1 re-performed the application of its RBAM including this control center and no Critical Assets or CCAs were identified. This showed that the control center was not a Critical Asset or CCA. The third-party control center does not perform operations associated with the generation unit.

Unidentified Registered Entity 2 (NPCC_URE2), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-002-1

Requirement: 3

Region: NPCC

Issue: NPCC_URE2 self-reported an issue with CIP-002-1 R3 to NPCC when NPCC_URE2 found that after adding new devices within an Electronic Security Perimeter (ESP), it had not updated its list of Critical Cyber Assets (CCAs). In particular, NPCC_URE2 converted remote network terminal units (NTUs) from serial communication protocol to an internet protocol (IP) routable protocol, and added a network switch to the communication path over a 4-month period. While NPCC_URE2 added the NTUs to the CCA inventory, the network switches were not added.

Finding: NPCC found that the issue posed a minimal risk to the reliability of the BPS because the network switches at issue were located behind a firewall appliance that is an electronic access point for the substation ESP, and NPCC_URE2’s IT engineer who maintains all of the network switches treated the devices as if they were CCAs.

Unidentified Registered Entity 2 (TRE_URE2), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: R2

Region: Texas RE

Issue: Texas RE found, after a compliance audit, that TRE_URE2 did not properly apply its risk-based assessment methodology (RBAM) in that it failed assess a contractor’s control centers and backup control centers and incorrectly included the plant control room as a Critical Asset in its critical asset list. The control room was improperly on the list for roughly two years.

Finding: Texas RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. Once these control centers were considered, the URE still determined that it had no additional CAs. At the time of the violation, TRE_URE2 accurately identified the other CAs on its CA list. The third-party control center does not perform operations associated with the generation unit. TRE_URE2’s only generating asset contributes only a minor amount of generation to its system.

Unidentified Registered Entity 2 (TRE_URE2), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: R3

Region: Texas RE

Issue: Texas RE in conducting a compliance audit found that TRE_URE2 and did not correctly identify its Critical Cyber Assets (CCA). Two assets in URE2’s list of CCAs lacked use a routable protocol to communicate outside the Electronic Security Perimeter, lacked use a routable protocol within a control center, or were not dial-up accessible for a period of two years. Thus these assets did not meet CCA requirements and should not have been included in the list.

Finding: Texas RE found that the issue posed a minimal, but not a serious or substantial, risk BPS reliability. TRE_URE2 still lacked any CCAs even after TRE_URE2 included the correct assets in its list. The third-party control center does not perform operations associated with the generation unit. TRE_URE2’s only generating asset contributes only a minor amount of generation to its system.

Top