Unidentified Registered Entity 3 (WECC_URE3), Docket No. RC13-9-000 (May 30, 2013)
Reliability Standard: CIP-007-3a
Requirement: 6
Region: WECC
Issue: WECC_URE3 self-reported that it did not implement required protective measures for a single Cyber Asset. The Cyber Asset lacked automated tools or organizational process controls to monitor system events. WECC_URE3 failed to timely file a technical feasibility exception (TFE) request.
Finding: WECC found that this issue posed a minimal, but not a serious or substantial risk to BPS reliability. The violation only impacted a single Cyber Asset that was located within an Electronic Security Perimeter that monitored system events and controlled electronic access.
Unidentified Registered Entity 4 (WECC_URE4), Docket No. RC13-9-000 (December 31, 2013)
Reliability Standard: CIP-007-3a
Requirement: 5
Region: WECC
Issue: Following a compliance audit, WECC found that for one year WECC_URE4 could not show that it changed its passwords for its admin/shared/services accounts.
Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability, as there was no access to the accounts outside of a PSP or ESP. Only authorized personnel could gain access.
