NERC FFT Reports: Reliability Standard CIP-007-2

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-2

Requirement: R5.1.1/5.1.2

Region: MRO

Issue: FFT Entity self-reported that access to a user account was granted to one employee without the required documented authorization (R5.1.1). In addition, FFT Entity self-reported that its operator system-level user activity logs did not include failed authentication attempts for a 40-day period (R5.1.2).

Finding: MRO found that the issues constituted a minimal risk to BPS reliability. FFT Entity had numerous protective measures in place, including having a limited number of accounts with login rights to the servers, freezing account access after a certain number of failed login attempts, locking firewall rules and ports to allow only necessary communication, installing anti-virus software to correct any malicious events on the servers and an intrusion detection system to correct any malicious events on the network, having a system manager monitor server connectivity to the network and report any changes to the hardware on the server, and imposing physical security limits on physical access to the servers. In addition, FFT Entity verified the system access configuration logs for the non-compliance period and discovered no suspicious issues.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-2

Requirement: R3

Region: MRO

Issue: FFT Entity self-reported a violation of CIP-007-2 R3 for its failure to document its assessment of available security patches within 30 days of the patches’ availability. FFT Entity searched the National Institute of Standards and Technology National Vulnerability Database (NIST NVD) for Common Vulnerabilities and Exposures (CVEs), but found no security patches or upgrades for the particular identified software. Because the application names in the NIST NVD CVE summaries were not identical to the vendor application names registered on FFT Entity’s Cyber Assets (CAs), however, FFT Entity missed the existence of a relevant, new security patch.

Finding: The remediated issue posed only a minimal risk to BPS reliability because users must access a malicious website in order to exploit the vulnerability addressed by the missing patch. This threat is nullified because the Electronic Security Perimeter (ESP) prohibits users from accessing websites outside the ESP.
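The name-mismatch failure described in the R3 issue above, as an added illustration that is not from the report or from the entity’s own patch process: a Python check that compares an asset inventory against NVD-style CVE summaries by normalized name tokens rather than by verbatim string, so that a summary naming “Acme Historian 4.x” is still surfaced as a candidate for an asset registered as “ACME SCADA Historian Server 4.2”. The inventory entries, CVE identifiers and summary texts are constructed placeholders, not real products or CVEs.

```python
import re

# Generic words that add no identifying signal to a product name.
STOPWORDS = {"server", "software", "edition", "version", "the", "for", "in", "and"}

# Constructed inventory: application names as a vendor might register them on
# a Cyber Asset (hypothetical products, not taken from the FFT report).
INVENTORY = [
    "ACME SCADA Historian Server 4.2",
    "Widgetsoft Remote Terminal Viewer",
]

# Constructed NVD-style CVE summaries with placeholder ids (not real CVEs).
NVD_SUMMARIES = {
    "CVE-0000-0001": "Buffer overflow in Acme Historian 4.x allows a remote attacker to execute code",
    "CVE-0000-0002": "Widget-Soft Remote Terminal Viewer (RTV) 3.0 and earlier allows authenticated users to escalate privileges",
    "CVE-0000-0003": "Cross-site scripting in Other Vendor Web Console 2.0 allows remote attackers to inject script",
}

def normalize(name):
    """Lower-case, split on punctuation, drop version numbers and generic words."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return {t for t in tokens if len(t) > 1 and not t.isdigit() and t not in STOPWORDS}

def exact_match(asset_name, summary):
    """The naive check that missed the patch: the registered name must appear verbatim."""
    return asset_name in summary

def candidate_cves(asset_name, summaries, threshold=0.6):
    """Return [(cve_id, score)] ranked by the share of the asset's name tokens the summary contains."""
    asset_tokens = normalize(asset_name)
    if not asset_tokens:
        return []  # nothing identifying to match on; flag the inventory entry instead
    hits = []
    for cve_id, text in summaries.items():
        score = len(asset_tokens & normalize(text)) / len(asset_tokens)
        if score >= threshold:
            hits.append((cve_id, round(score, 2)))
    # A score is evidence for the patch-assessment owner to review, not proof the CVE applies.
    return sorted(hits, key=lambda hit: -hit[1])

def missed_by_exact_match(inventory, summaries):
    """CVEs the token matcher flags that a verbatim-name search would not have found."""
    missed = {}
    for asset in inventory:
        for cve_id, _score in candidate_cves(asset, summaries):
            if not exact_match(asset, summaries[cve_id]):
                missed.setdefault(asset, []).append(cve_id)
    return missed
```

Calling `missed_by_exact_match(INVENTORY, NVD_SUMMARIES)` shows both constructed assets matched only by the token check; each candidate still needs a documented assessment within the 30-day window, whether or not the patch is ultimately applicable.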

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-2

Requirement: R4

Region: WECC

Issue: WECC determined that FFT Entity violated CIP-007-2 because FFT Entity’s firewalls did not meet the requirements of the Standard. FFT Entity submitted two late Technical Feasibility Exceptions (TFEs) asserting that its firewall devices, as configured, are incapable of running anti-malware software.

Finding: The issue posed only a minimal risk to the reliability of the BPS because WECC accepted FFT Entity’s TFE argument that it is technically infeasible for FFT Entity to comply with the Standard. WECC also accepted the TFE because FFT Entity timely implemented four measures to mitigate risk. First, FFT Entity put two-factor authentication into operation for external interactive access. Second, any change to firmware on the unprotected device requires the system to reboot before the changes can take effect. Third, a network intrusion detection system monitors threats and catalogues security events on the local area network within the ESP. Fourth, the Physical Security Perimeter (PSP) and restricted access deter local misuse and the introduction of malware.
