NERC FFT Reports: Reliability Standard CIP-006-2

Alert

9 min read

 

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-006-2

Requirement: R1

Region: RFC

Issue: FFT Entity self-certified non-compliance with CIP-006-2 R1 once it determined it did not document all sub-requirements of CIP-006-2 R1 in its physical security plan. In particular, FFT Entity did not document that all CAs within an ESP did not reside within an identified PSP, and where a “six-wall” enclosed border could not be established, FFT Entity did not use and document alternative measures to control physical access to such CAs, and therefore RFC determined that FFT Entity failed to document sub-requirements of CIP-006-2 R1.1, R1.4, R1.5 and R1.6 in its physical security plan.

Finding: RFC determined that this issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS which was mitigated by the fact that the issue was the result of a documentation error because, even though FFT Entity’s physical security plan lacked proper documentation of the sub-requirements of CIP-006-2 R1, it had implemented all the physical security controls required by CIP-006-2 R1.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-006-2

Requirement: R1; R1.4

Region: ReliabilityFirst

Issue: FFT Entity self-reported a violation of CIP-006-2 R1.4 for two reasons. First, FFT Entity’s physical security plan failed to address a response to loss and prohibition of inappropriate use of physical access controls. While FFT Entity’s training and corporate policies addressed these two issues, these policies were both not included in the physical security plan or approved by senior management. Second, FFT Entity’s physical security plan contained a provision that required FFT Entity to update the physical security plan within 90 calendar days of the implementation of any physical security system redesign or reconfiguration, instead of the mandatory 30-day window. While Version 1 of CIP-006 R1.7 allowed for a 90-day update period, Version 2 of CIP-006, created on April 1, 2010, mandates an update within 30 days.

Finding: This issue posed only a minimal risk to the reliability of the BPS because the issue was limited to a document error by two mitigating factors. First, while FFT Entity did not address response to loss or prohibition of inappropriate use of physical access controls in its physical security plan, it did address these issues in its corporate policies and trained all of its employees on both of these topics. Second, while FFT Entity failed to update its physical security plan to match the amended version of CIP-006 R1.7, it did not make any changes to its physical security plan that necessitated any updates.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R1/1.2

Region: FRCC

Issue: URE self-reported that its physical security plan, which had been approved by management, did not identify one PSP physical access point – a HVAC maintenance point in the ceiling – nor did it set forth how it controlled entry at the relevant access point. The access point had an unlocked latch. URE resolved the problem 461 days after it began.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability because the access point in question was in a secured facility and under constant surveillance. The facility is surrounded by a 12-foot fence and armed security guards are posted at the gate and make periodic rounds to ensure the security of the facility. In addition, access to the facility is strictly controlled.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R2

Region: FRCC

Issue: URE self-reported that it had not identified one of the CAs used for authorization and logging of access to the PSP for a generating unit identified as a CA with designated PSPs. Also, Technical Feasibility Exception (TFE) reports were submitted late for the requirements where it was technically infeasible to adhere to strict compliance.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability because the issue was documentation related. The relevant CA had all security measures that were technically possible in place and only the documentation detailing the limitations of the subject device was not submitted as required. The device was protected by firewall protection, password procedures and malware protection controls. The TFE was eventually submitted and accepted by FRCC.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R1; R1.6

Region: FRCC

Issue: During a spot check, FRCC determined that URE failed to maintain physical access logs and continuous escorting for all visitors on a specific day. On one occasion the timing of visitors’ exits were not recorded.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because the visitors at issue were affiliated with a trusted vendor and continuously escorted. URE mitigated the violation by creating an awareness email for appropriate staff and establishing a plan to review visitor logs on a weekly basis.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R1; R1.1

Region: MRO

Issue: URE self-reported a violation of R1.1 because it failed to timely submit a Technical Feasibility Exception (TFE) request for its inability to provide a “six-wall” border for network cabling running between two PSPs. The TFE was submitted approximately 15 months late.

Finding: MRO determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the cable is located above the ceiling of a secured facility protected by multiple layers of physical access controls. URE mitigated the violation by submitting a TFE, which was accepted.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R2

Region: FRCC

Issue: During a spot check, FRCC determined that URE failed to identify six physical access control system CAs and afford them the requisite protection for approximately two years.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because the CAs were protected by a corporate security standard that included limited access and video monitoring. The CAs were also within URE’s PSPs or on isolated networks. URE mitigated the violation by revising its risk-based assessment methodology and updating its physical access control system CA inventory.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-006-2

Requirement: 1

Region: WECC

Issue: URE submitted a self-report stating it failed to ensure its physical security plan was reviewed and approved by the CIP senior manager or delegate (per R1). Even though URE documented, implemented and maintained a physical security plan approved by a senior manager, it failed to fulfill the approval required under the effective date of CIP-006 Version 2. WECC determined while the PSP was approved by “a” senior manager, it was not authorized by “the” assigned Senior Manager or delegate at the time of the approval, in compliance with R1 Versions 2 and 3. URE indicated that this was the result of a failure to update the approval required for the physical security plan upon the effective date of Version 2, when the requirements of R1 changed to “The Responsible Entity shall document, implement, and maintain a physical security plan, approved by the senior manager” from “The Responsible Entity shall create and maintain a physical security plan approved by a senior manager” in Version 1. Given URE did document, implement and maintain a plan, WECC determined URE failed to recognize the implications of the change in wording of the Standard from Version 1 to Version 2. Once identified, URE delegated the individual responsible for approving the CIP-006 Plan in accordance with its CIP-003 R2 senior manager assignment.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS since the physical security plan was maintained and approved by the individual who is responsible for URE’s overall corporate security. Moreover, URE assigned the individual as a delegate for the CIP Senior Manager after the noncompliance was discovered. WECC determined that this was URE’s second issue with CIP-006 R1, however, WECC concluded that this occurrence involved different conduct. Specifically, the CIP-006 violation in question is distinct from the previous CIP-006 violation in that the first violation pertained to unescorted access, whereas the CIP-006 issue at hand was a result of URE failing to fulfill the updated required approval provisions for the physical security plan upon the implementation of Version 2. As a result, WECC decided URE’s CIP-006 compliance history should not preclude the current CIP-006 issue from being an FFT.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-2

Requirement: 5

Region: NPCC

Issue: URE self-reported that, for 16 months, one of its security officers did not follow URE's established procedure for checking if an unauthorized access attempt at the PSP had occurred. Instead of following the established procedure, upon receiving a forced door open alarm, the relevant security officer would attempt to determine if the person accessing the substation was an employee of URE (by relying on the camera system and seeing if the person would utilize the key at another PSP access point).

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability since the security officer was following his own procedures to ensure that that there was not an actual breach of the PSP.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-2

Requirement: 6 (2 violations)

Region: NPCC

Issue: URE self-reported that, for 14 months, it was improperly limiting the requirement for logging physical entry into a PSP to the initial entry at the start of the work day. Thus, a worker with authorized unescorted physical access rights, after his initial entry into the PSP, would be able to exit and re-enter the PSP without logging in again (1st violation). In addition, URE self-reported that it was also not properly logging the physical entry of visitors into a PSP (as visitors were only required to initially log in and log out at the end of the work day, not every time they exited and re-entered the PSP) (2nd violation).

Finding: NPCC found that the issues constituted only a minimal risk to BPS reliability. For the first violation, it only involved personnel with authorized unescorted physical access rights. For the second violation, the visitors were always being escorted while they were in the PSP and they were only in the field control houses (which are staffed by URE personnel).

Top