NERC FFT Reports: Reliability Standard CIP-003-3


Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-3

Requirement: R2

Region: RFC

Issue: Following a self-report, RFC determined FFT Entity violated R2 because it failed to identify its senior manager in charge of approving the implementation of and adherence to the CIP standards by name, title and date of designation.

Finding: RFC found that this issue constituted only a minimal risk to bulk power system reliability because the FFT Entity only had one senior manager who performed the CIP senior manager duties through the violation period and the FFT Entity did not have any CCAs.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-3

Requirement: R2

Region: SERC

Issue: During an audit, SERC found that FFT Entity did not possess documentation showing the date it designated a delegate with responsibilities for compliance with the CIP Reliability Standards.

Finding: SERC found that this issue constituted only a minimal risk to BPS reliability since FFT Entity does not own or operate any facilities that qualify as CAs (either under the current criteria or the proposed new criteria).

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-3

Requirement: R2

Region: WECC

Issue: FFT Entity self-certified that it had not properly documented that it had appointed a successor senior manager with CIP responsibilities within 30 days of the previous senior manager’s retirement.

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability since this was only a documentation issue and the relevant senior manager role was continuously filled. In addition, FFT Entity does not have any CCAs.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-003-3

Requirement: R2.1

Region: TRE

Issue: URE did not have a senior manager charged with responsibility and authority for CIP Reliability Standards compliance.

Finding: TRE found the violation constituted a minimal risk to BPS reliability because URE has no CCAs. URE did have a senior manager in place prior to the Standard's date of enforcement; however, the information was not documented within 30 days of the effective date as required. Also, URE has a peak load of only 120 MW, lessening any risk to overall BPS reliability.

Unidentified Registered Entities, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-003-3

Requirement: R2.2

Region: TRE

Issue: Three UREs in the TRE region submitted identical self-reports reporting that the single senior manager delegated the responsibility of CIP compliance had left the company, but the CIP procedures were not updated to reflect that information within 30 days as required. The violation period was determined to be from the 30th day after the manager’s departure until four months later when the UREs updated their internal compliance program.

Finding: The issue was deemed to pose minimal risk to BPS reliability because TRE found it to be an administrative oversight: another manager had assumed the responsibility, but the UREs did not update their documentation to reflect the change. In addition, the UREs have no CAs.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-003-3

Requirement: 2

Region: WECC

Issue: Because URE has no CAs or CCAs, it had no senior manager formally delegated to ensure compliance with CIP Reliability Standards. Prior to April 1, 2010, registered entities with no CAs or CCAs were not required to have a senior manager delegated to ensure compliance with the CIP Standards; however, effective that date, the CIP Standards were revised to require that all registered entities must have a senior manager assigned with overall responsibility for CIP compliance whether or not the entity has CAs or CCAs.

Finding: The issue was deemed to pose minimal risk to BPS reliability because URE has no CAs or CCAs and does not operate any facilities that would be considered CAs.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-003-3

Requirement: 6

Region: FRCC

Issue: URE submitted a self-report stating that it had made a change to cyber security controls but did not have the appropriate documents showing the approval of the control owner or manager, which is required by URE’s change control and configuration management procedure.

Finding: The violation was deemed to pose minimal risk to BPS reliability. The change had been approved verbally, and subsequent CA testing showed no adverse effects from the change.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 1/1.1

Region: SPP RE

Issue: During an audit, SPP RE found URE had failed to address all of the requirements in Standards CIP-002 through CIP-009 in its cyber security policy, presenting an issue with R1.1. Specifically, SPP RE found that URE failed to address the requirement for information protection associated with CCAs (CIP-003-3 R4) in its cyber security policy, which is required by R1.1.

Finding: SPP RE determined the issue posed a minimal risk to the reliability of the BPS. This instance of noncompliance presented a documentation issue. While prior versions of URE’s cyber security policy did include all requirements in Standards CIP-002 through CIP-009, URE’s latest revision failed to include the requirement at issue. In addition, URE failed to include CIP-003-3 R4 in its cyber security policy, even though it had a documented program in place to identify, classify and protect information associated with CCAs (per CIP-003-3 R4).

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 2

Region: SERC

Issue: URE submitted a self-report stating that it did not designate a new senior manager within 30 days of the departure of URE’s previous senior manager (per R2) responsible for CIP compliance. URE produced documentation showing that a senior manager had been designated and documented; however, the senior manager unexpectedly left roughly seven months later, after which URE failed to formally assign a new senior manager for 193 days. During this period, URE had a plant manager acting as the CIP senior manager. URE also provided a document detailing its leadership designation program, which stipulates that the identification of the senior manager, delegates, and any changes to the senior manager be documented within 30 days of the effective date. The program indicated that there were no identifiable exceptions for its cyber security policy. SERC found that URE’s documented program met the intent of the Standard; nevertheless, URE failed to comply with its documented program. URE also confirmed that it had not assigned any delegates.

Finding: SERC determined the issue posed a minimal risk to the reliability of BPS because URE had an acting CIP senior manager (the plant manager) during the period in question, though he was not officially delegated. Furthermore, URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 5

Region: WECC

Issue: URE submitted a self-report consistent with a violation issue of CIP-003-1 R5.3. Specifically, URE disclosed two instances in which employees were granted access to Critical Cyber Asset (CCA) information without having completed the training required under URE’s CCA program. The first infraction arose when an employee was granted electronic access to URE’s CIP document library (Library) without completing URE’s CIP program training. The second case of noncompliance occurred when an employee was granted access to the Library in error; URE detected the mistake and revoked this employee’s access rights. WECC determined these two occasions demonstrated that URE failed to manage access to CCA information in accordance with its CCA program.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS because the risks posed by URE’s noncompliance were offset by the fact that URE quickly detected and mitigated both instances of noncompliance. Furthermore, based on the prompt detection and mitigation, URE evidenced that it regularly reviews its access privilege lists throughout the year, rather than waiting for an annual review. The risks were further mitigated by the limited scope of the issue, given that the first individual granted access was merely lacking complete training (a requirement unique to URE’s program, which is above and beyond the measures prescribed under R5), and the second individual never accessed or attempted to access CCA information prior to the detection and revocation of the individual’s access.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-003-3

Requirement: 2

Region: RFC

Issue: URE self-reported that while the CIP senior manager had been performing the role and functions as required by R2, URE1 had not officially identified the senior manager by name, title and date of designation in a cyber-security policy procedure (per R2.1).

Finding: RFC found the issue posed a minimal risk to the reliability of the BPS because the risk was mitigated by the fact that the CIP senior manager was executing the role and functions (in compliance with R2) even though the designation was not documented in a cyber-security policy procedure, as required by the Standard. In addition, URE has no Critical Assets.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 2; 2.1; 2.2

Region: TRE

Issue: URE self-reported to TRE the results of its internal audit during which URE found a violation of R2.2 of CIP-003-3; URE failed to document the change in a senior manager in charge of applying and abiding by CIP-002-3 through CIP-009-3 within 30 days, pursuant to CIP-003-3 R2.2. The previous operation supervisor worked as a senior manager for approximately two years, which was documented, but when URE appointed a new senior manager, it failed to document this change. URE also self-reported a failure to document the identification of the new manager by name, title, and date of assignment, pursuant to CIP-003-3 R 2.1.

Finding: TRE found that the issue posed a minimal risk to the reliability of the bulk power system for the following reasons: (1) despite the failure to document the new assignment of the senior manager within 30 days, the senior manager had been well instructed in his new role as the responsible party for applying and abiding by CIP-002-3 through CIP-009-3; (2) URE's staff is small enough that all employees received verbal notice about the new senior manager and his function in the company; (3) there was no gap between the previous and the new supervisors, curtailing the risk to the BPS.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 5; 5.1

Region: RFC

Issue: URE self-reported a violation of R5 of CIP-003-3 to RFC. URE violated R5 of CIP-003-3 in that it did not verify, for 2011, the list of personnel authorized to grant access to Critical Cyber Asset (CCA) information at URE's generating plant. URE's CCA information is stored in electronic files in a document management system at particular locations at its generating plant. URE did verify, for the same year, the list of personnel authorized to grant access to CCA information in the document management system. URE provided documentation for the two changes to that personnel list made through the document management system.

Finding: RFC found that the issue posed a minimal risk to the reliability of the bulk power system because URE discovered and resolved the issues while preparing for the annual CIP self-certification. Furthermore, URE had documentation of the two changes to the personnel list through the management process. RFC also determined that it was unlikely that an individual who should not be on the personnel list would be included, given that the two people who were in charge of approving authority for the six people on the personnel list knew that those six people were in charge of authorizing access.

Unidentified Registered Entity 4 (URE4), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-003-3

Requirement: 2/2.2

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE4 was unable to show that a change to its senior manager designee had been documented within 30 calendar days of the effective date of change.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because the issue was documentation related. URE4 did have a senior CIP manager, but failed to document the assignment.

Unidentified Registered Entity 1 (FRCC_URE1), Docket No. RC13-9 (May 30, 2013)

Reliability Standard: CIP-003-3

Requirement: 2.2

Region: FRCC

Issue: FRCC_URE1 self-reported an issue with CIP-003-3 R2.2 to FRCC when it found that it had not documented the appointment of a new senior manager within 30 calendar days of the effective date, after the previous senior manager resigned and had been formally removed. The issue arose during a self-audit and the internal control policy document was updated 8 days later.

Finding: FRCC determined that the issue posed a minimal risk to the reliability of the BPS because FRCC_URE1 is a small entity that does not own any Critical Assets or Critical Cyber Assets and the issue lasted for only a short time. In addition, the new senior manager was trained on the CIP standards as he had been the compliance officer on staff for three years.

Unidentified Registered Entity 2 (SPP_URE2), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-003-3

Requirement: R4

Region: SPP RE

Issue: SPP RE, during a CIP Compliance Audit, found that SPP_URE2 failed to protect Critical Cyber Asset (CCA) information as outlined in its CIP information protection program. CCA information must be encrypted if transmitted externally under the provisions of the program, but SPP_URE2 externally transmitted 10 hard drives containing unencrypted CCA information.

Finding: SPP RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. SPP_URE2 affirmed that the host files on all 10 hard drives were deleted before being sent for destruction. No CIP protected information would have been accessible without special software if the hard drives had been obtained by a third party. SPP_URE2 did not use a carrier to transfer hard drives from one facility to another on any other occasion.
