NERC FFT Reports: Reliability Standard CIP-005-3a | White & Case LLP International Law Firm, Global Law Practice
NERC FFT Reports: Reliability Standard CIP-005-3a

NERC FFT Reports: Reliability Standard CIP-005-3a

White & Case NERC Database

This page contains the FFT (Find, Fix and Track) summaries. Click here to read the NOP (Notice of Penalty)/ACP (Administrative Citation of Penalty) summaries.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-005-3a

Requirement: 5/5.3

Region: RFC

Issue: URE submitted a self-report disclosing that it had not kept electronic access logs for 90 days as required by the Reliability Standard. URE’s primary logging device had experienced an outage during which time access logs were being kept by a backup device but not for the required time period of 90 days.

Finding: The issue was deemed by RFC to pose minimal risk to BPS reliability because access logs were being kept through URE’s backup logging device, but that device maintains logs for 30 instead of the required 90 days.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-005-3a

Requirement: 1

Region: WECC

Issue: URE submitted a self-report concerning an issue with R1. URE decommissioned hard drives related to firewall management consoles that were Cyber Assets used in the access control and monitoring of URE’s ESP. During the decommissioning and disposal process, URE did not provide the protective measures to the hard drives stipulated in CIP-007 R7.3. The failure to follow its CIP-007 R7 disposal and redeployment procedures resulted in an issue with R1.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS because the hard drives were stored in a locked cabinet within a secure facility that requires keycard access. Furthermore, only IT personnel had access to the area in question. In addition, the hard drives were part of a redundant array of independent disks (RAID); thus, no single disc would have been available for data retrieval without the other discs of the RAID.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-005-3a

Requirement: 2/2.2

Region: SPP RE

Issue: URE self-certified a noncompliance for failing to enable only ports and services required for operations and for monitoring Cyber Assets (CAs) within the ESP (per R2.2). URE stated two of its Unified Threat Management devices, which act as routers and access points to an ESP, contained ports open that were not specific to the operation and monitoring of CAs within the ESP.

Finding: SPP RE determined the issue posed a minimal risk to the reliability of the BPS because the relevant devices were connecting a control center ESP with another control center ESP via a private microwave link, which was owned and operated by URE. Thus, the risk was deemed minimal since the devices were not linked to the outside world.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-005-3a

Requirement: 5, 3

Region: WECC

Issue: URE self-reported that it did not timely update its ESP documentation, within 90 days as required, after it added four Access Control and Monitoring devices to its ESP (5). In addition, URE self-reported that while it did maintain logs on its backup control center backup server, it did not timely review those logs as mandated (since the logs were not being forwarded to the backup control center primary server) (3).

Finding: WECC found that the issues constituted only a minimal risk to BPS reliability. In regards to R5, the Access Control and Monitoring devices were only used during vulnerability assessments to monitor the CCAs and CAs in the ESP. Both electronic and physical access to the devices were controlled, monitored and logged. For R3, the issue was limited to only six devices in the backup server, which were generating and maintaining access and system events logs. Access to the devices was restricted to authorized personnel, and remote logical access was only available through the virtual private network (whose logs were consistently maintained and reviewed).

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-005-3a

Requirement: 1

Region: RFC

Issue: URE self-reported that it failed to assess two security patches for the devices operating on the physical server (that run the virtual platform), which are Cyber Assets used in the access control and/or monitoring of the ESP, within 30 calendar days of availability of the patches as required by CIP-007-3 R3.1. URE had placed a new electronic access control and monitoring system into service and was supposed to administer and document security patch evaluations for all guest operating systems residing on the virtual platform. As a result, URE installed the patches without assessing them for applicability (in noncompliance with R1).

Finding: RFC found the issue posed a minimal risk to the reliability of the BPS because the risk was mitigated by the fact systems in question do not provide control functions for the BPS and that URE self-reported the issue. In addition, URE maintains remaining protections specified in CIP-005-3a R1.5 for these systems, which are located within the PSP.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-005-3a

Requirement: 1; 1.5

Region: MRO

Issue: URE self-reported that it neglected to permit the security provisions specified in R3 for the Cyber Assets used in the access control and/or monitoring of the ESP (per R1.5). URE failed to properly assess five patches within 30 days, for devices designed for controlling and monitoring electronic access points. URE reported after investigation that none of the patches were applicable to its devices.

Finding: MRO found the issue posed a minimal risk to the reliability of the BPS since URE implements a patch management process that involves a detailed review process. In addition, URE only failed to assess ten percent of patches, and none of the patches were applicable to URE's devices. The average period of issues was 32 days, and URE identified, self-reported and mitigated this issue due to its internal audits.

Unidentified Registered Entity 3 (TRE_URE3), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: R5.3

Region: Texas RE

Issue: TRE_URE3 self-reported that it failed to keep electronic access logs for 90 calendar days. No logs were retained for a new control center for roughly a month because the control center after it was installed was incorrectly configured.

Finding: Texas RE found that the issue posed a minimal, but not a serious or substantial, risk to the reliability of the bulk power system. All of these systems are located behind firewalls and inside the ESP, which logged access during the period of violation. There were no unauthorized access attempts.