NERC FFT Reports: Reliability Standard CIP-004-1 | White & Case LLP International Law Firm, Global Law Practice
NERC FFT Reports: Reliability Standard CIP-004-1

NERC FFT Reports: Reliability Standard CIP-004-1

White & Case NERC Database

This page contains the FFT (Find, Fix and Track) summaries. Click here to read the NOP (Notice of Penalty)/ACP (Administrative Citation of Penalty) summaries.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Region: MRO

Issue: FFT Entity self-reported that it had not added two contractors to its list of personnel having authorized cyber or unescorted physical access to CCAs, and therefore, they did not receive the required cyber security training by the required date (R2). In addition, FFT Entity self-reported that one contractor was added to the CCA access list prior to the compliance date but had no PRA before having access to CCAs (R3). FFT Entity did not add three contractors who accessed personal computers to the CCA access list. FFT Entity did not remove two janitors (from a contractor) with unescorted physical access rights from its CCA access list within seven days of their termination (R4).

Finding: MRO found that the violations constituted only a minimal risk to BPS reliability because two of the computers were later deemed non-critical CAs and were removed from the ESP, and the third allowed view only privileges. Further, the janitors did not have access to CCAs, they just had not been removed from the list.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Region: SERC

Issue: FFT Entity self-reported that one employee who had not received the mandated cyber security training and one employee who had not received his personnel risk assessment were on the list of personnel with access to a Control Center (R2, R3). In addition, FFT Entity self-reported that it had permitted four of its employees who were not on the list of personnel with authorized cyber or unescorted physical access to CCAs to have access to CCAs (R4).

Finding: SERC found that these issues constituted only a minimal risk to BPS reliability since the relevant employees who were inappropriately included on the Control Center access list had been employed by FFT Entity for over six years when the incident occurred. In addition, the four employees who were not on the CCA access list were also long-term employees of FFT Entity.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Region: WECC

Issue: FFT Entity self-reported that it did not revoke the access rights of one of its contractors when his criminal background check expired. FFT Entity’s records improperly listed his criminal background check as being conducted on December 9, 2008 (instead of December 9, 2002, the date the criminal background check was actually performed).

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability since the issue was confined to a single contractor who only had access rights to one PSP that housed two CCAs. In addition, the relevant individual was a long-time contractor in good standing and did not even access the PSP after his criminal background check expired.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Region: RFC

Issue: As the result of a spot check, RFC determined FFT Entity violated R4 because it failed to include the specific electronic access rights of personnel with authorized cyber access to CCAs on its lists of authorized personnel.

Finding: RFC found that this issue constituted only a minimal risk to bulk power system reliability because it was only a documentation issue resulting from a failure to specify the electronic access rights to CCAs within its lists of authorized personnel.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Region: SERC

Issue: Following a self-report, SERC determined that FFT Entity violated R4 because 12 out of 191 individuals were omitted or incorrectly documented in its CCA lists. One contracted custodian was inadvertently given access to a PSP and used the access for 41 days.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because all of the omitted individuals had PRAs, were up to date on training, including CIP training, and all had a valid business reasons for their access.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Region: TRE

Issue: FFT Entity self-reported that it did not timely update a manually kept list of personnel who had authorized cyber or unescorted physical access rights to CAs and CCAs when those access privileges were granted or revoked for 30 individuals.

Finding: TRE found that this issue constituted only a minimal risk to BPS reliability since all of the relevant individuals who had access to the CCAs had received personnel risk assessments and cyber security training. In addition, the relevant list was not used to determine who had access to the CCAs.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1

Region: MRO

Issue: FFT Entity self-reported that its CCA access lists of personnel having authorized cyber access or unescorted physical access to CCAs had not been updated within seven days to include 3 of 546 individuals.

Finding: MRO found that the violation constituted only a minimal risk to BPS reliability since the individuals had PRAs and cyber security training and did not access the CCAs while not on the access lists.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1

Region: MRO

Issue: FFT Entity self-reported that while it had timely removed three people from its list of personnel who had authorized cyber or unescorted physical access to the CCAs, it did not timely revoke their card access to the CCAs.

Finding: MRO found that this issue constituted only a minimal risk to BPS reliability since the relevant individuals transferred jobs and were not terminated for cause. In addition, the three individuals did not access the CCAs after they were removed from the CCA access list.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1

Region: MRO

Issue: During a compliance audit, MRO and another Regional Entity determined the FFT Entity could not produce evidence that it maintained and reviewed its list of personnel with authorized cyber access to CCAs.

Finding: The violation constituted only a minimal risk to bulk power system reliability because the FFT Entity conducted PRA and provided appropriate training prior to granting cyber access to CCAs on all authorized personnel.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/2.1

Region: RFC

Issue: During a spot check, RFC determined that FFT Entity did not incorporate the proper use of the CCAs or actions plans and procedures to recover the CCAs after a cyber security incident into its training program.

Finding: RFC found that the issue constituted a minimal risk to BPS reliability. The relevant training program did include references to FFT Entity’s policies and procedures on the proper use of the CCAs and action plans and procedures for the recovery of the CCAs following a cyber security incident.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3

Region: FRCC

Issue: FFT Entity self-reported that one of its employees did not receive the required training before receiving physical and logical access to the CCAs (R2.1). FFT Entity also self-reported that one of its employees was granted access to the CCAs, even though he did not receive a PRA within 30 days of receiving his access (R3).

Finding: FRCC found that the issues only constituted a minimal risk to BPS reliability. In regards to R2.1, the relevant employee’s training occurred only five days late and was conducted under constant supervision. In regards to R3, the relevant employee, a long-time employee of FFT Entity who already had access to the CCAs, received the PRA (which turned up no issues) within 73 days of being granted access.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R3/3.1/3.3

Region: SPP

Issue: FFT Entity self-reported that the PRAs for its employees that were conducted before the Reliability Standard came into effect were improperly based on a five-year background rather than a seven-year time interval (R3.1). FFT Entity also self-reported that it did not timely complete PRAs for six individuals who possessed unescorted physical access rights to the CCAs and that it inadvertently granted access to a restricted area for a contractor who did not have a PRA (R3.3).

Finding: SPP found that the issues constituted a minimal risk to BPS reliability. The PRAs were actually being conducted (even though according to an improper interval). For the relevant individuals who did not have PRAs, they were all long-term employees who did not have any disciplinary actions brought against them and had received the required cyber security training. And, after the PRAs were conducted, no problems were discovered. In terms of the one contractor, the oversight was corrected within two months of him being improperly granted access, and the contractor never used his credentials to enter the PSP.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Region: MRO

Issue: FFT Entity self-reported that it did not review its CCA access list during the first quarter it was required to do so.

Finding: MRO found that the issue constituted a minimal risk to BPS reliability since only one CCA access list missed being reviewed for only one quarter. In addition, there were no individuals included on the CCA access list during the first quarter that should have been removed.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1

Region: SPP

Issue: Through a spot check, SPP determined that FFT Entity was not reviewing its systems vendor access list quarterly as required.

Finding: SPP found that the issue did not constitute a serious or substantial risk to BPS reliability since the systems vendor access list was being reviewed annually. In addition, none of the vendors on FFT Entity’s access list had any unauthorized access attempts.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 (2.1, 2.3); R3; R4 (4.1, 4.2)

Region: MRO

Issue: Although FFT Entity had established, documented and maintained an annual cyber security training (CST) program for personnel having authorized cyber or authorized unescorted physical access to CCAs, the documentation could not show that all personnel had completed requiring training (R2.1) and that training was conducted at least annually, including the date the training was completed and attendance records (R2.3). Further, one employee of FFT Entity did not have a complete PRA, and FFT Entity could not show that PRAs had taken place within 30 days of authorized cyber or unescorted physical access to CCAs or updated at least every 7 years for three contractors (R3). Finally, FFT Entity had no procedure in place for notification by its vendors of terminated employees with CCA access nor did FFT Entity update and maintain the CCA access list as required by R4.1, and so access was not revoked for three contractors no longer requiring access within seven days

Finding: The issues posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because, regarding R2, it was documentation that was lacking but FFT Entity had provided the required training to in both 2010 and 2011. Regarding R3, the PRA for the employee had been completed, but the records were incomplete and therefore FFT Entity conducted a new PRA for the employee and the contractors and found no issues. Finally, with respect to R4, none of the contractors had any access to FFT Entity’s facilities after termination. Also, none of the contractors had electronic access to FFT Entity’s CCAs, and the failure of the vendor to report the employees’ dismissal did not create any security-related events.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 (2.1), R3, R4 (4.1, 4.2)

Region: NPCC

Issue: FFT Entity self-reported non-compliance with CIP-004-1 R2 because personnel with access to CCAs, including outside contractors and service vendors, were not timely trained on FFT Entity’s yearly cyber security training program. Three employees were found to have physical access to CCAs without having completed cyber security training subsequent to the compliance enforcement date. The time period in which the three employees had physical access past the compliance enforcement date was between 101 and 111 days (R2). In addition, FFT Entity self-reported non-compliance with CIP-004-1 R3 because a PRA had not been done before the required date for two individuals with access to CCAs (but had been completed prior to the self-report). The two employees had physical access to CCAs between 7.75 and 8 months until PRAs were finished. Finally, FFT Entity self-reported non-compliance with R4 because its PSP/ESP access rights list was not updated in the timeframe required to guarantee that revocation of access rights were completed as per R4.1.

Finding: NPCC found the violations posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS. No intentional or unintentional actions were committed by any of the three employees as a result of not completing cyber security training or not having a PRA before having physical access granted. The employees accessed areas that were staffed 24/7 and were monitored by cameras while access to those areas was logged.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4 (4.1)

Region: NPCC

Issue: FFT Entity found that CCA access lists associated with privileged users in the affiliate IT group were reviewed on an annual rather than quarterly basis as required by R4.1.

Finding: NPCC determined the issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS. There were no intentional or unintentional actions committed by the privileged users in the affiliate IT group due to the lack of quarterly access review and there was minimal potential impact because system logs are generated on a continual basis and reviewed every 90 days. Such log review includes validation of users who accessed or attempted access to the server and network switches. In addition, user access can only be granted access via an IT request form which is rescinded upon termination or change of duties.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4 (4.1)

Region: NPCC

Issue: FFT Entity self-reported non-compliance with CIP-004-1 R4 once it discovered that CCA access lists dealing with privileged users in the affiliate IT group were reviewed on an annual rather than quarterly basis as required R4.1.

Finding: NPCC found the issue posed a minimal risk and not a serious or substantial risk to the reliability of the BPS because system logs are generated on a continual basis and reviewed every 90 days and include validation of users who accessed or attempted access to the relevant IT equipment and user access can only be granted through an IT request form and is rescinded upon termination or change of duties. Plus each PC is located within a defined PSP which requires authorized unescorted PSP access which is reviewed on a monthly basis.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 (R2.1, R2.2.1)

Region: SPP RE

Issue: Four percent of FFT Entity personnel with authorized cyber or unescorted physical access to CCAs were found not to have been trained in the proper use of CCAs within 90 days of receiving their authorization. Also, for a two-year period, although support personnel were being trained on cyber security by the EMS/SCADA vendor, the training did not include the proper use of CCAs.

Finding: The risk presented by this issue was found to be minimal. The 4% of individuals that had not received training within 90 days of receiving access were well-trusted employees; none had a disciplinary proceeding. PRAs (Personnel Risk Assessments) confirmed that those employees did receive required cyber security training. And, while the EMS/SCADA vendor went untrained on the proper use of FFT Entity’s CCAs, the vendor’s support personnel all received CIP Standards training. Their work routinely necessitates knowledge of cyber security best practices, and therefore understood the import of their work with CCAs.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Region: NCEA

Issue: NCEA determined three FFT Entities violated CIP-004-1 R2, R3 and R4 because they failed to include in their methodology or assessment the CIP assets of other third-party entities that were performing tasks on their behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance.

Regarding FFT Entity in violation of R2, a pair of third-party entities did not provide evidence that their security training program was reviewed annually or that it was updated as necessary.

Regarding FFT Entity in violation of R3, two third-party entities did not prove that they conducted PRAs for all employees, contractors, and service vendor personnel with authorized cyber access or unescorted physical access. Additionally, two other third-party entities indicated that PRAs were not updated every seven years or on a “for cause” basis, and four third-party entities reported no PRA results.

Regarding FFT Entity in violation of R4, NCEA determined many of its third-party entities were in violation of the Standard. These violations included: (1) failure to include on its access lists the names of employees, contractors, and service vendors with authorized cyber access and unescorted physical access; (2) failure to provide evidence that the access lists were reviewed quarterly; (3) failure to prove that the access lists were updated within seven days of any change in access rights; (4) failure to prove access was revoked within 24 hours for personnel terminated for cause; and (5) failure to prove access was revoked within seven calendar days for personnel who no longer required access.

Finding: These issues posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to reliability of the BPS as a result of these issues.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R3

Region: FRCC

Issue: During a spot check, FRCC determined that FFT Entity did not conduct personnel risk assessments (PRAs) as required by CIP-004-1 R3. This standard requires PRAs be completed within 30 days of personnel being granted access to FFT Entity’s Critical Cyber Assets. FRCC determined that five personnel were delayed one to five days past the required 30-day window to receive a PRA. FFT Entity has since completed the risk assessments with no negative results.

Finding: FRCC found that FFT Entity’s failure to conduct the PRA within the 30-day window posed only a minimal risk to BPS reliability for three reasons. First, the delay was minimal. Second, after the delay, FFT Entity completed the PRAs with satisfactory results. Third, the personnel had gone through a similar background check to the one required by this Standard at the time of their hiring.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R4.1

Region: TRE

Issue: FFT Entity self-reported that it did not possess sufficient documentation verifying that it was conducting comprehensive quarterly reviews of its lists of personnel with authorized access to the CCAs.

Finding: TRE found that this issue constituted only a minimal risk to the BPS since this was primarily a documentation issue. FFT Entity had an ongoing security program to guard against misuse and threats to its system, including card-key access, security cards and video surveillance located at access locations.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4; R4.1

Region: MRO

Issue: MRO found during a spot check that URE had not reviewed physical and cyber access to an installed system responsible for CCA backup, as well as backup control center workstations for six quarters in violation of the quarterly review requirement of CIP-004-1.

Finding: MRO found the issue posed minimal risk to BPS reliability because access was limited to five authorized individuals who had installed the system and other protective measures were in place for system security. Also, the workstations are located separately from the primary EMS and are not usually turned on. URE did perform an annual vulnerability assessment and had not used its backup system or the relevant workstations for any reason other than their maintenance. No cyber incidents occurred during the reported period.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-004-1

Requirement: 4.1

Region: RFC

Issue: URE submitted a self-report disclosing that it had not reviewed its access list of individuals with authorized cyber or authorized unescorted physical access rights for a CCA at one of its substations.

Finding: The violation was deemed by RFC to pose minimal risk to BPS reliability because upon review of the relevant list no changes were required.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 3

Region: SPP RE

Issue: During a multi-region spot check, SPP RE found that URE failed to perform PRAs for all personnel with unescorted physical access to CCAs (per R3). SPP RE reviewed PRA records of individuals with authorized cyber or authorized unescorted physical access to URE’s CCAs. When the spot check occurred, URE had an agreement in place with Entity A, which co-owns and operates Substation A, because URE owns the 115 kV assets located at Substation A (including certain assets that were deemed CCAs at the time of the spot check). The agreement stipulated that Entity A would perform PRAs on its employees that were granted authorized unescorted physical access to the CCAs at Substation A. URE received quarterly confirmation via email that the personnel employed by Entity A with CCA access fulfilled the requirements of CIP-004-1, including the PRA requirement. However, when the Spot Check team requested PRA verification for individuals in a group of sampled records, Entity A informed URE that the PRAs had not been performed for the fifteen Entity A employees with authorized unescorted physical access to Substation A and that the verification of compliance emails had been delivered in error. Consequently, URE was non-compliant with R3 since it did not ensure that PRAs were performed for all personnel with authorized unescorted physical access to CCAs.

Finding: SPP RE determined the issue posed a minimal risk to the reliability of the BPS because the improper access given to the Entity A employees in question was only physical. The employees of Entity A did not have electronic access to the CCAs, as the devices were only accessible by dial-up and used non-routable protocols. According to a CIP-006-1 interpretation, dial-up devices that use non-routable protocols (such as the ones in question) are not required to be enclosed within a “six-wall” physical border, since there is minimal risk of compromising other CCAs. Thus, unescorted physical access to the devices in question presents a minimal risk.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 4

Region: SERC

Issue: During a spot-check, SERC discovered URE could not produce evidence that it maintained lists of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets (CCAs), in compliance with R4, dating back to when the company was required to comply with the Standard. URE provided SERC with quarterly reviews of personnel with authorized cyber or authorized unescorted physical access to CCAs for the second, third, and fourth quarters of the year in which compliance took effect. The quarterly reviews revealed that URE did not update its access lists in a timely manner and missed 30.93% of the total personnel. URE indicated that the 30.93% of the individuals missing from their lists were authorized and had completed Personnel Risk Assessments (PRA) and CIP cyber security training. URE provided evidence that the PRAs had been conducted for sampled personnel, as well as produced CIP cyber security training records. Furthermore, URE provided evidence demonstrating that the missing individuals were accounted for and on a managed access list for the applicable individuals.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because the 30 missing personnel had valid PRAs and CIP cyber security training and had received authorization for cyber or unescorted physical access.

Unidentified Registered Entities (UREs), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 2

Region: MRO

Issue: During a spot check, MRO determined that two UREs had not conducted a full annual review of their cyber security training programs as they did not review the training program material that was used to train third-party contractors and vendors who had access to their energy management system. According to an agreement with the UREs, the vendors and contractors were responsible for training their own employees.

Finding: MRO found that the issue constituted only a minimal risk to BPS reliability since all of UREs' employees and contractors had undergone the required cyber security training. UREs had also determined that the vendors' and contractors' training program satisfied the requirements of the Reliability Standard.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 4.1

Region: SPP

Issue: During a compliance audit, SPP determined that FFT Entity was not conducting a quarterly review, as required, of its list of personnel with electronic access to CCAs.

Finding: SPP found that the issue only constituted a minimal risk to BPS reliability since FFT Entity was still reviewing, on a quarterly basis, its list of personnel with physical access rights to the CCAs. In addition, FFT Entity conducted an annual review of its CCA access privileges. FFT Entity, which has a low employee turnover rate, also had a small number of employees who had electronic access rights.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-004-1

Requirement: 4

Region: TRE

Issue: During an audit, TRE discovered URE's original list of personnel with CCA access only contained general electronic access rights and lacked the required specific detail pertaining to the electronic access rights. The original list only specified if an employee had electronic access rights and failed to indicate the scope of their specific rights (per R4). The duration of the remediated issue was from the date the Standard was enforceable for URE until the time URE utilized the revised list.

Finding: Texas RE found the issue posed a minimal risk to the reliability of the BPS since URE implemented documented policies and procedures to manage personnel CCA electronic access rights, despite the fact the procedures lacked sufficient documented detail regarding the scope of an employee's electronic access rights. Furthermore, personnel electronic access rights were consistently monitoring. In addition, weekly review of the CCA access list is occurs in team meetings and necessary adjustments are immediately documented by the meeting leader. Also, the same four employees (out of five in the department) have maintained management of the electronic access authorizations and were familiar with the URE's personnel and procedures. Consequently, Texas RE deemed that the issue to be primarily related to a failure in documentation.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-1

Requirement: 2, 3, 4 (2 violations)

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining the following issues of compliance with the CIP-004-1 Reliability Standard. First, URE1 had no cyber-security training program meeting the requirements of R2 for employees with authorized cyber or authorized unescorted physical access to Critical Cyber Assets. Second, URE1 did not have a compliant PRA program for either its own personnel or contractor personnel. Third, URE1 did not have an accurate list of personnel with authorized cyber or authorized unescorted physical access to CCAs, including specific electronic and physical access rights to CCAs. Fourth, URE1's list of personnel with authorized cyber or authorized unescorted physical access to CCAs was not updated in a timely manner when personnel were reassigned and no longer needed CCA access.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because in one instance the issue involved one contractor who had only remote electronic access to memory devices. The untrained contractor provided only technical support for memory devices that supported CCA servers. Regarding the PRA issue, all individuals had valid and current PRAs and CIP cyber security training.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-1

Requirement: 3

Region: RFC

Issue: URE1 submitted a self-report explaining that a yearly review of its PRA program conducted by an outside consultant determined that three employees were given authorized cyber access to CCAs without having completed PRAs in the time prescribed by the Standard.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated by the following. The relevant individuals were either service dispatchers or IT support. The service dispatchers have read-only access to the energy control system and the IT support personnel have only operating system access and not application access. No rights were granted to the physical access control system.