NERC FFT Reports: Reliability Standard CIP-007-3

White & Case NERC Database

This page contains the FFT (Find, Fix and Track) summaries. The NOP (Notice of Penalty)/ACP (Administrative Citation of Penalty) summaries are collected on a separate page.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-007-3

Requirement: R4

Region: RFC

Issue: FFT Entity self-reported that it did not use anti-virus software and other malware prevention software for eight CCAs as required by CIP-007-3 R4. FFT Entity incorrectly assumed the eight CCAs were integrated components of the servers on which they reside and so no anti-virus software or other malware prevention tools were required; however, six of these CCAs were self-contained modules within the server that provide a separate network connection for personnel to remotely manage the server under emergency conditions. The remaining two CCAs run directly on server hardware without requiring an additional underlying operating system. As such, by their function, the eight CCAs were required to have anti-virus software and other malware prevention tools. FFT Entity had reported that the eight CCAs could not use anti-virus software and other malware prevention tools, but it did not request a Technical Feasibility Exception (TFE) from RFC until 13 months after the compliance enforcement date.

Finding: RFC determined the issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS, which was mitigated because FFT Entity had other measures in place to satisfy the purpose of CIP-007 R4, such as firewalls at the perimeter of the ESP with an intrusion prevention system that can detect and prevent many types of malware from propagating. In addition, FFT Entity had virus protection on workstations and servers as well as firewall software on its workstations, and the CCAs’ passwords are safely stored in a server password database that is restricted to authorized personnel only. Finally, administrative access to the CCAs is limited to a small number of support personnel to further minimize risk exposure.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-007-3

Requirement: R4

Region: RFC

Issue: RFC determined that the entity failed to use anti-virus software and other malware prevention tools to mitigate risk exposure to the 135 CCAs pursuant to CIP-007-3 R4.

Finding: RFC determined that this issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS, which was mitigated by the fact that FFT Entity had compensating measures in place prior to the mandatory compliance date, which were ultimately approved by RFC.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-3

Requirement: R6.3

Region: NCEA (NERC Compliance Enforcement Authority)

Issue: FFT Entity self-reported that during review of its compliance with relevant Reliability Standards, it discovered that its product, a printer, lacked required procedures for logging security-related events, such as authentication errors or setting changes.

Finding: This issue posed only a minimal risk to the reliability of the BPS. FFT Entity submitted a Technical Feasibility Exception (TFE) because FFT Entity is technically unable to meet this Requirement.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-3

Requirement: R5.3

Region: SPP RE

Issue: FFT Entity submitted three requests for TFEs (Technical Feasibility Exceptions) with regard to its Oracle database server and compliance with CIP-007-1. The server had a password that rendered compliance with CIP-007-1 R5.3 impossible. While all three requests were approved, the three TFEs expired before FFT Entity was able to arrange compliance. FFT Entity thereupon submitted new TFE requests.

Finding: The issue posed little risk. Although FFT Entity’s first set of three requests expired, it continued the compensatory measures laid out in the TFEs. First, the database password was only accessible on a “need to know” basis to personnel who completed both security awareness training and background checks. Second, any scripts that included the password were contained within a secured ESP. Finally, the second set of TFEs contained the same mitigating measures.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-3

Requirement: R4

Region: ReliabilityFirst

Issue: While conducting a compliance audit, ReliabilityFirst determined that FFT Entity violated CIP-007-3 R4 because it did not use anti-virus software and other malware prevention tools on all CCAs within the ESP. FFT Entity submitted two late Technical Feasibility Exception (TFE) requests stating that there were no available malware prevention tools for the proprietary operating systems flagged by ReliabilityFirst. ReliabilityFirst approved both TFEs.

Finding: The issue posed only a minimal risk to BPS reliability because FFT Entity proved that both CAs at issue run on proprietary operating systems on which malware prevention tools are unavailable. FFT Entity protects the CAs by locating them behind firewalls that restrict traffic, requiring remote access to the CAs to be approved by two-factor authentication, and providing video surveillance of the physical CAs. These measures were in place for the duration of the issue.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-3

Requirement: R5.3

Region: ReliabilityFirst

Issue: FFT Entity self-reported an issue with CIP-007-3 R5 when it discovered that two local accounts on two of its servers within the ESP had passwords that had not been changed since their creation. ReliabilityFirst determined that this was a violation because the Standard requires passwords to be updated annually. The problem was identified when FFT Entity switched from a manual to an automated process to monitor the update of passwords.

Finding: This issue posed only a minimal risk to BPS reliability for four reasons. First, while the servers were located within the ESP, they were not CCAs. Instead, FFT Entity’s other utility used the servers for historic data archiving and logically isolated them from the EMS servers. Consequently, the exposed servers were not configured to affect the BPS. Second, FFT Entity verified that the two local accounts were never accessed. Third, the local accounts could only be accessed by a small group of information technology individuals, all equipped with CIP cyber security training and vetted by background checks. Fourth, the local accounts were only accessible inside the ESP, for which the requisite protections were in place.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R4

Region: SERC

Issue: URE self-reported that it mistakenly allowed a Technical Feasibility Exception (TFE) to expire for two switches designated as CAs on which it was not possible to install anti-virus and malware prevention tools. Once the TFE expired, URE was in violation of the Standard for failing to use the anti-virus software and malware prevention tools required by the CIP Standards and for not documenting the alternative security measures in place for the CAs.

Finding: SERC found the violation constituted a minimal risk to BPS reliability because the two switches cannot support the anti-virus software or malware prevention tools, and they were protected by their location in a PSP and ESP during the period in which they were not covered by an approved TFE.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R1

Region: FRCC

Issue: URE self-reported that it failed to perform required testing on a new server when it was added to URE’s ESP in violation of R1.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because URE reported that the server was accidentally installed and was removed six days later. The server was never configured to communicate with other devices within or outside the ESP. URE mitigated the violation by removing the server.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R1

Region: RFC

Issue: URE self-reported that it failed to complete the required documentation of testing performed on new CAs within the ESP because the incorrect form was completed following the installation of new operator workstations on four occasions over a two-year period.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because a form containing substantially the same information as required by the correct form was submitted, and the correct form was eventually submitted within 30 to 120 days after installation. URE mitigated the violation by revising its procedures to combine the two forms at issue.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R8

Region: RFC

Issue: URE self-reported that it failed to conduct an annual cyber vulnerability assessment of the electronic access points to the ESP and the CAs within the ESP as scheduled due to a delay in the installation of new equipment.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because URE conducted the assessment 21 days after the scheduled date and by delaying the assessment new equipment was included in the assessment rather than equipment that would soon be obsolete. URE mitigated the violation by conducting the assessment and revising its compliance system to remind employees to conduct the annual cyber vulnerability assessment sixty days in advance of the due date.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R9

Region: WECC

Issue: URE self-reported that it did not document changes made to its CIP-007-3 R5 procedure within 30 days per the requirement of R9 because it did not update information regarding authentication password controls for access to CCAs for a year after the procedures were revised.

Finding: WECC determined that the violation posed a minimal risk to BPS reliability because URE’s revised procedures required stricter controls than previously documented. URE mitigated the violation by revising its documentation to reflect the revised process.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R3; R3.1

Region: MRO; RFC

Issue: URE submitted a self-report explaining that it had not assessed the applicability of a security patch on certain software within the 30-day prescribed timeframe, missing the deadline by 11 days. URE stated that patches and upgrades for certain applications installed on Energy Management System (EMS) Cyber Assets inside its ESP are provided by the application’s vendor, and URE has EMS system administrators responsible for monitoring and assessing application security patches. However, the EMS system administrator responsible for assessing and implementing patches on one particular application left URE without passing along the contact information for the relevant software to the EMS system administrator now responsible for that task. That EMS system administrator realized he hadn’t seen any notices to update the particular application in some time so he checked the vendor’s website and found that a security update had been released 41 days prior. He assessed and installed the security patch that same day and reported what he’d found to his supervisor.

Finding: The issue was found to pose minimal risk to BPS reliability because it involved only one patch and it was discovered and corrected quickly. The patch was for software that was on machines with no internet connection, and the software was set to “Protected Mode” for system security.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R6

Region: WECC

Issue: URE filed a self-report reporting that it had added non-critical assets to an ESP, but the assets were not set up to track system events and send the required alerts to URE’s server.

Finding: The issue was deemed to pose minimal risk to BPS reliability because it involved only 18% of all non-critical CAs housed in the ESP, and all CAs, both critical and non-critical, have security controls in place to protect system integrity. In addition, all CAs were found to be in a PSP. URE’s staff with access to the CAs were trained and had PRAs on file.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-3

Requirement: 3/3.1

Region: MRO

Issue: URE submitted a self-report explaining it had not completed a security patch assessment to one device within the 30-day timeframe established in the Reliability Standard, but subsequent review found the patch was “not applicable” to the relevant device. URE stated the vendor had not alerted URE that the patch had been released.

Finding: The violation was deemed to pose minimal risk to BPS reliability because URE has a system in place that prohibits access to the device by any unauthorized individuals. Also, the one patch was not security related and was not required to be installed on the device in question.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-3

Requirement: 5/5.1, 5.1.2, 5.3

Region: NPCC

Issue: URE submitted a self-certification that it did not have sufficient controls regarding authentication and accountability for access and user activity. In particular, URE found that if a user ignored the credentials window affiliated with a radio-frequency identification (RFID) system on particular terminals having access to the energy management system in URE’s control room and backup control center, the individual could manipulate the windows found on the desktop behind the credentials window.

Finding: The violation was deemed to pose minimal risk to BPS reliability because only those individuals with access to the control room were able to access the console where the RFID readers were enabled. Also, the relevant equipment was only used for operator training and was located in a training room where training on simulated real-time system events takes place. The training environment is installed on a network that is separated from the ESP.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 4/4.2

Region: MRO

Issue: URE submitted a self-report disclosing that it had not conducted a monthly check for possible viruses to retired CA devices classified as CCAs that had not been removed from its network.

Finding: The issue was deemed by MRO to pose minimal risk to BPS reliability because the total number of CCAs involved was only 11% of all URE CCAs and the particular devices were not frequently used. The anti-virus signature update was only 18 days late and the relevant devices had other CIP protections set forth in the Reliability Standards.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 6/6.4

Region: RFC

Issue: URE submitted a self-report disclosing that it had not retained, for the 90 days required by the Reliability Standard, the system security logs associated with the system it uses both to monitor network devices and as its system-log-based performance monitoring software. URE’s primary logging device had experienced an outage, during which access logs were kept by a backup device, but not for the required 90-day period.

Finding: The issue was deemed by RFC to pose minimal risk to BPS reliability because security logs were being kept through URE’s backup logging device, but that device was only keeping the logs for a 30-day period instead of the required 90 days. No security events were reported during the relevant time period.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 9

Region: RFC

Issue: URE submitted a self-report disclosing that it did not document a change resulting from modifications made to its CCAs’ anti-virus program within the thirty-day time period required by the Standard. URE was required to update its cyber security program no later than 30 days after any changes.

Finding: The issue was deemed by RFC to pose minimal risk to BPS reliability because URE’s CAs and CCAs had anti-virus software in place for protection and RFC determined it was a one-time event of URE not following its formal cyber security policy.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 5

Region: RFC

Issue: URE submitted a self-report after finding that it did not change the passwords on 2 server accounts and 46 database accounts at least annually (in violation of R5.3). URE discovered that it had incorrectly classified the servers as user accounts in its password database and overlooked the servers in its annual change activity. URE concluded it failed to implement the procedure in place to initiate password changes for the 46 database accounts.

Finding: RFC determined the issue posed a minimal risk to the reliability of the BPS, which was mitigated by the fact that neither the 2 server accounts nor the 46 database accounts are related to assets supporting real-time control or monitoring functions. In addition, both systems associated with the passwords in question are located within an ESP, which requires separate active directory user accounts to gain access. Moreover, the directory user accounts necessary to gain access to the ESP expire every 45 days, so those directory user accounts undergo multiple password changes.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 5/5.3.3

Region: MRO

Issue: URE submitted a self-report for failing to ensure that Critical Cyber Asset (CCA) passwords were changed at least annually (in accordance with R5.3.3). URE uses a custom script to report the status of account passwords (expired, locked or OK). URE’s script for reporting password status incorrectly reported the status of two CCA user accounts as being “locked,” when in fact they were not because the passwords did not have expiration dates enabled.

Finding: MRO deemed this issue posed a minimal risk to the reliability of the BPS. Though the two affected shared accounts did not have their passwords changed within the calendar year, both accounts had restricted privileges and neither contained administrative privileges. Furthermore, the accounts require additional application-specific login credentials, and the account passwords remained unchanged for less than two months (54 days) after expiration of the annual window.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-3

Requirement: 3

Region: WECC

Issue: During a compliance audit, WECC found that URE had not properly documented its assessment of two security patches (involving the identification of potential security vulnerabilities) within 30 days of the patches becoming available.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since URE had implemented a security patch management program as well as a configuration management process for all system patches. For these two patches, URE did not list the correct release date and ended up installing them four days and seven days late, respectively. The relevant assets are located within a PSP and ESP and are continuously monitored.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-3

Requirement: 5

Region: WECC

Issue: URE self-reported that, on three occasions, it granted employees access to user accounts without the approval of the designated personnel, as required. URE quickly realized the error and revoked access to the user accounts that same day.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since each instance lasted less than a day. All three employees required access to the user accounts as part of their job responsibilities, and two of the individuals had completed their cyber security training and received a personnel risk assessment before they received access to the user accounts. In addition, the devices that are accessible through the user accounts were protected by an ESP and PSP.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-3

Requirement: 5.3

Region: NPCC

Issue: URE self-reported that 20 of its CAs within its ESP, which were not covered under a Technical Feasibility Exception, did not possess the technical controls for compliance with all of the password requirements in the Reliability Standard.

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability since access to the CAs is controlled and monitored. URE also satisfied many of the password requirements and was granted a Technical Feasibility Exception.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-3

Requirement: 9

Region: RFC

Issue: During a compliance audit, RFC found that URE had failed to timely document all the changes resulting from modifications to its systems or controls within 30 days of the change.

Finding: RFC found that the issue constituted only a minimal risk to BPS reliability since URE did document the changes from the modifications to its systems or controls (within 4 months in 2010 and within 2 months in 2011).

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 4

Region: RFC

Issue: URE self-reported that the system administrator followed the procedures for updating anti-virus and malware prevention signatures but failed to test the signatures for four electronic access control and/or monitoring systems prior to installing the signatures (per R4). Additionally, the system administrator neglected to follow URE's change management procedures, which prohibited updates to these systems without testing the signatures.

Finding: RFC found the issue posed a minimal risk to the reliability of the BPS because the risk was mitigated by the fact that the systems in question do not provide control functions for the BPS and that URE self-reported the issue. In addition, URE has procedures in place for the update of anti-virus and malware prevention signatures, and the failure to comply with the procedures was an isolated incident. Furthermore, the systems in question are located behind firewalls that restrict the traffic allowed to and from the systems.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 6; 6.4

Region: NPCC

Issue: URE self-reported that two Cyber Assets failed to forward their logs from the backup control center to the server at the new control center for 90 days (in noncompliance with R6.4). A firewall was blocking communications between the servers.

Finding: NPCC found the issue posed a minimal risk to the reliability of the BPS due to the redundancy of the LANs at the control centers. During the period in question, daily operations were managed by the new control center, while the backup control center was prepared to manage operations if the other control center were to be compromised. These two assets were working correctly and logging (to themselves), but were not sending their logs to the server, which caused a log retention problem.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-007-3

Requirement: 7

Region: WECC

Issue: URE self-reported that it failed to follow the documented procedures when disposing of a CCA (per R7). SMEs reviewed the self-report and determined that when one CCA associated with URE failed and could not be rebooted, a technician who was not familiar with URE's R7 disposal procedure was tasked with removing the CCA because the staff usually assigned to handle CIP equipment failures were out of the office. Instead of completing the necessary decommissioning checklist, as required by R7, the technician implemented URE's corporate cyber asset removal procedure and completed corporate documentation.

Finding: WECC found the issue posed a minimal risk to the reliability of the BPS since there were compensating measures in place. While URE's technician did not complete the proper decommissioning checklist for CCA disposal in fulfillment of the standard, the technician did adhere to URE's Corporate Policy regarding CA disposal and documented the device's failure and removal. Though the technician returned the device to the vendor, the device would not reboot or power on at the time of removal, and was also password protected, thus minimizing the risk that the device could be used as an access point to the ESP or that unauthorized retrieval of data could occur. In addition, the vendor confirmed that the device was received and destroyed.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 1.3

Region: SPP

Issue: SPP conducted a CIP Compliance Audit of URE and found that URE violated R1 of CIP-007-3 in that URE failed to provide documentation of test results for changes to Cyber Assets (CAs) inside the Electronic Security Perimeter (ESP). SPP found the issue while going over URE's test procedures for adding new CAs to the ESP or for changing current CAs inside the ESP.

Finding: SPP found that the issue posed a minimal risk to the reliability of the bulk power system because despite the failure to provide documentation of the test results, URE had in place change management tickets to guide the testing of changes to CAs inside the ESP, which recorded comments about the changes made to CAs. Although the comments do not comprise the test results, they demonstrate that changes to CAs were made under observation.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 2; 2.1

Region: RFC

Issue: URE self-reported a violation of R2 of CIP-007-1 to RFC when it did not enable only those ports and services necessary for normal and emergency operations. URE deactivated other services and ports on four printers and two time servers whose sole function is to display the correct time.

Finding: RFC found that the issue posed a minimal risk to the reliability of the bulk power system because the printers are only accessible from the URE system and have no connection to the Internet. URE also uses directory service security groups for the printers designed to curtail unauthorized access. The time servers, likewise, have no connection to the Internet, are not visible to the outside or the corporate networks, and are only used to synchronize the correct time with the local URE system. URE also runs antivirus on the time servers, configured the Electronic Security Perimeter (ESP) to curtail access to the printers and time servers, logs attempted security breaches and attempted alterations to configurations, and uses an intrusion detection system to monitor for unusual traffic.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 4

Region: SPP

Issue: URE self-reported a violation of R4 of CIP-007-3 to SPP, stating it did not install malware prevention software on its Critical Cyber Assets (CCA). URE had submitted a TFE to SPP stating that its SCADA vendor told URE that anti-virus and malware protection software had not been tested for the CCA. However, SPP disapproved the TFE since SPP found that there was anti-virus software available for URE's operating system. URE violated R4 in that it did not install and use anti-virus software on its CCA for 22 days after SPP disapproved the TFE.

Finding: SPP found that the issue posed a minimal risk to the reliability of the bulk power system because, despite the 22 days of not running anti-virus software, URE still had the protective measures it had been using on its CCA under the TFE, such as storing all assets behind a firewall, which by default denied access, and monitoring the assets constantly with a security event and incident management server, which was programmed to alarm supervisors in the case of threatening activities. Furthermore, URE kept up-to-date patches installed on the CCA's operating system. SPP determined that these measures protected the CCA from attack.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 8; 8.2

Region: RFC

Issue: URE self-reported a violation of R8 of CIP-007-3 to RFC when it failed to provide a review in its cyber vulnerability assessment confirming that only the ports and services necessary for operating four printers and two time servers, which are Cyber Assets inside the Electronic Security Perimeter (ESP), were activated.

Finding: RFC found that this issue posed a minimal risk to the reliability of the bulk power system because the printers can only be accessed from the URE system and have no connection to the Internet. URE also uses directory service security groups designed to curtail unauthorized access. The time servers, similarly, have no connection to the Internet, are not visible to the corporate or outside networks, and are only used to synchronize the correct time with the local control system network. Also, URE configured the ESP to curtail access to the printers and time servers, logged security breach attempts and attempts to alter configurations, and used an intrusion detection system to monitor for unusual traffic.

Unidentified Registered Entity 1 (SPP_URE1), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-3

Requirement: R5.3; R5.3.1; R5.3.2; and R5.3.3

Region: SPP RE

Issue: SPP RE, during a compliance audit, found that SPP_URE1 could not technically enforce the password complexities required in R5.3.1, R5.3.2, and R5.3 for its storage area network (SAN) administrator account. No Technical Feasibility Exception (TFE) was requested for this account. In rectifying the issue, SPP_URE1 found that three other devices associated with its primary energy management system (EMS) could not technically enforce these password complexities. No TFE had been requested for these devices either.

Finding: SPP RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. No remote access, only local, was possible on the administrator account. The devices in question were password protected, even though they did not have the capability to implement the mandated password complexities. A COP Physical Security Perimeter also protects the SAN device and the network switches.