Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)
Reliability Standard: CIP-003-2
Requirement: R1, R2, R3, R4
Region: TRE
Issue: FFT Entity self-reported that its Cyber Security Policy did not: (a) incorporate a risk-based assessment (R1), (b) discuss the identification of CA (R2), (c) discuss the identification of CCAs (R3), or (d) include the requirement for an annual approval of a risk-based methodology (R4).
Finding: TRE found that this issue constituted only a minimal risk to BPS reliability since FFT Entity had actually documented a risk-based assessment methodology and used it to identify CA and CCAs (a list of which was approved by a senior manager). In addition, FFT Entity made its Cyber Security Policy available to personnel who had access to CCAs.
Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)
Reliability Standard: CIP-003-2
Requirement: R2
Region: SERC
Issue: During a compliance audit, SERC determined that FFT Entity did not have a single senior manager who had been assigned responsibility and authority for compliance with the CIP Reliability Standards.
Finding: SERC found that the issue constituted a minimal risk to BPS reliability since FFT Entity does not own or operate any facilities that would qualify as CAs under the proposed criteria in CIP-002-4.
Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)
Reliability Standard: CIP-003-2
Requirement: R2.3
Region: TRE
Issue: During an audit, TRE determined that when FFT Entity delegated authority for approving exceptions to its security policy, it only listed the title and date of the designation and did not include the name of the delegate.
Finding: TRE found that the issue constituted only a minimal risk to BPS reliability since the title and position were held by the same person. FFT Entity also presented other documents showing that the specific person was being referred to in the delegation of authority.
Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)
Reliability Standard: CIP-003-2
Requirement: R1
Region: RFC
Issue: Through a self-certification, it was determined that FFT Entity failed to implement its cyber security policy requiring it to change its passwords every 90 days from the date of compliance with CIP-003-2 R1. FFT Entity did not change its passwords until eight months later.
Finding: RFC determined the issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS which was mitigated by the fact that FFT Entity’s cyber security policy is more stringent than that required by CIP-007-2 R5.3.3.
Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)
Reliability Standard: CIP-003-2
Requirement: R5
Region: RFC
Issue: FFT Entity self-certified non-compliance with CIP-003-2 R5 once it determined it did not document its program for managing access to protected CCA information nor did it maintain a list of designated personnel responsible for authorizing logical or physical access to protected information.
Finding: RFC determined that the issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS which was mitigated by the fact that the issue was a result of a documentation failure on the part of FFT Entity. FFT Entity did have physical and electronic access controls surrounding all information regarding CCAs that limited access to only authorized personnel which included electronic access control lists as well as limiting physical access to badge access rooms only to individuals who had completed CIP training and a personnel risk assessment (PRA). Also, FFT Entity had delegated authorizing responsibility to designated personnel but failed to document a list of those responsible personnel.
Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)
Reliability Standard: CIP-003-2
Requirement: R3
Region: Texas RE
Issue: FFT Entity self-reported that it had not correctly documented an exception to its Cyber Security Policy regarding monthly ports and services checks as it mandated in its Desk Procedures.
Finding: The issue posed no significant risk. The ports and services check that failed to be performed is also required by the Reliability Standards. FFT Entity’s Desk Procedures actually mandated more frequent checks than the one annual check that the Standard requires. FFT Entity simply began its monthly checks again as specified in its Desk Procedures in advance of the annual check deadline.
Find, Fix and Track, Unidentified Registered Entities, Docket No. RC12-10 (March 30, 2012)
Reliability Standard: CIP-003-2
Requirement: R2
Region: SERC
Issue: Two UREs in the SERC region self-reported that they had not designated a senior manager to be responsible for compliance with the CIP Reliability Standards because neither URE has CAs or CCAs. However, once CIP-003-2 R2 became effective, the UREs were required to comply with that Standard, even though UREs determined they had no CCAs when using their risk-based assessment methodology.
Finding: SERC found the violation to constitute a minimal risk to BPS reliability because neither URE has CAs nor own or operate any facilities that would meet the CA criteria outlined in the proposed CIP-002-4. In addition, both UREs have a director responsible for NERC compliance and both have a risk-based assessment methodology in place which was reviewed annually to ensure no CA or CCAs were added.
Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)
Reliability Standard: CIP-003-2
Requirement: R2
Region: WECC
Issue: URE self-certified that it did not own any CAs or CCAs. As a result, URE did not believe it was responsible for the CIP standards, but R2 became enforceable for entities that do not have CAs or CAAs on April 1, 2010.
Finding: WECC determined that the violation posed a minimal risk to BPS reliability because URE did not own any CAs or CCAs. URE mitigated the issue by assigning a senior manager the requisite responsibility.
Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)
Reliability Standard: CIP-003-2
Requirement: R2; R2.3
Region: NPCC
Issue: During a Compliance Audit, NPCC determined URE was in violation of R2.3 because a delegation letter from the URE’s executive manager to two other executives granting them authority and responsibility for CIP-002 through CIP-009 compliance was not documented within thirty calendar days. The delegation letter was relied upon by multiple affiliates.
Finding: NPCC determined that the violation posed a minimal risk to BPS reliability because the documentation was only four days late and no actions were taken pursuant to the delegation for the duration of the violation. URE mitigated the violation by documenting the specific actions delegated.
Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)
Reliability Standard: CIP-003-2
Requirement: 2
Region: TRE
Issue: While conducting a spot-check, TRE found that the manager initially assigned to be the CIP reliability manager was not the person who actually signed and approved URE’s existing RBAM and the lists of CAs and CCAs owned by URE. URE identified a manager with the overall CIP compliance upon registering with NERC, but another individual was ultimately delegated CIP compliance responsibilities without URE formally documenting the information.
Finding: The issue was deemed by TRE to pose minimal risk to BPS reliability because the issue was of short-term and documentation based. During the relevant time period, URE did have a senior manager tasked with CIP compliance, but it had not documented the relevant information.
Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)
Reliability Standard: CIP-003-2
Requirement: 2
Region: SERC
Issue: During an audit, SERC found that URE failed to produce evidence demonstrating that the designated senior manager was assigned the role at the beginning of the compliance period (per R2). SERC reviewed documents provided by URE and decided that URE did not properly assign a Senior Manager with overall responsibility and authority for leading and managing URE’s implementation of, and adherence to the CIP Standards. But since URE identified that it had no Critical Cyber Assets in a prior year, it was exempt from compliance with CIP-003-1 R2 and was only required to be compliant when CIP-003-2 R2 became effective.
Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4. Furthermore, URE applied three prior years’ RBAMs, resulting in null lists for Critical Assets and indicating that URE did not acquire any Critical Assets or CCAs in the omitted year.
