NERC FFT Reports: Reliability Standard CIP-008-2

Alert

3 min read

 

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-008-2

Requirement: R1/1.4

Region: NPCC

Issue: During a compliance audit, NPCC determined that FFT Entity’s parent company did not timely approve an information security standard incident management document concerning updating the cyber security incident response plan.

Finding: NPCC found that the issue constituted a minimal risk to BPS reliability since the information security standard incident management document was updated within 2 months of the 30-day criteria going into effect.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-008-2

Requirement: R1

Region: ReliabilityFirst

Issue: FFT Entity self-reported that it breached CIP-008-2 R1 in that its Cyber Security Incident Response Plan (Response Plan) included a process for updating the Response Plan within 90 calendar days of any changes, rather than the 30 days required by CIP-008-2 R1.

Finding: The issue posed only a minimal risk to the reliability of the BPS because FFT Entity, in the time before reporting the issue, made no changes that would have required updating the plan. As such, FFT Entity’s breach did not extend beyond a clerical error in failing to update the response time from 90 days to 30 days to match the amended version of CIP-008-2 R1.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-008-2

Requirement: R1; R1.4

Region: NPCC

Issue: FFT Entity self-reported a violation of CIP-008-2 R1 because it discovered that while its information security standard incident management document properly required the Cyber Security Incident Response Plan be updated within 30 days of any changes, the change to the security standard incident management document was done 70 days late. Because the cyber security policy is a single corporate document that is relied upon by multiple affiliated entities for compliance with CIP-008-2 R1.4, FFT Entity’s subsidiaries were also in violation of the Standard.

Finding: This issue posed only a minimal risk to the reliability of the BPS because the information security standard incident management document was updated less than three months late and no interim and future risks were identified. NPCC noted that FFT Entity violated the Standard previously, but determined the instant remediated issue arose from the same conduct and, consequently, should not be viewed as an aggravating factor.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-008-2

Requirement: 1.4

Region: NPCC

Issue: URE self-reported that it did not timely revise its Cyber Security Incident Response and Reporting Plan, based on Version 2 of the CIP Standards, to reflect the change in the reporting requirement from 90 days to 30 days.

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability since this issue is a documentation problem.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-008-2

Requirement: 1.4

Region: TRE

Issue: During a compliance audit, TRE found that the 2009 and 2011 versions of FFT Entity's Cyber Security Incident response plan provided that changes are to be incorporated into the plan within 90 days and not within 30 days as required.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since the issue is documentation-based, and no changes to the Cyber Security Incident response plan occurred during the relevant time period.

Top