NERC FFT Reports: Reliability Standard CIP-005-3


4 min read


Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-005-3

Requirement: R1/R1.1

Region: ReliabilityFirst

Issue: During a compliance audit, ReliabilityFirst determined that FFT Entity failed to identify certain third-party vendor security device appliances as access points to ESPs. These appliances, which allow third-party vendors to monitor activity on FFT Entity’s network and identify any unauthorized activity, are directly connected to mirrored ports on routers within the ESP. In violation of the Standard, FFT Entity failed to report nine of these devices as access points to the ESP.

Finding: This issue posed only a minimal risk to BPS reliability because, although FFT Entity did not identify the appliances as access points to the ESP, FFT Entity did include the appliances on its network diagrams. In doing so, FFT Entity provided the same protections to the appliances as it does to all access points to the ESP. As such, FFT Entity’s breach of the Standard amounted to nothing more than a failure properly document the devices. Additionally, the appliances, because they are connected via mirrored ports and are located within the PSP, are only configured to monitor traffic and to report anomalies out of the ESP. The appliances are not configured to communicate information into the ESP

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-005-3

Requirement: R2

Region: WECC

Issue: WECC determined FFT Entity violated CIP-005-3 R2 because its electronic access control system did not meet the requirements of the Standard. FFT Entity submitted a Technical Feasibility Exception (TFE) stating that the device at issue cannot support the display of an appropriate use banner prior to an interactive access attempt.

Finding: The issue posed only a minimal risk to the reliability of the BPS because WECC accepted FFT Entity’s TFE assertion that it is technically infeasible for FFT Entity to comply with the Standard. WECC also accepted the TFE because FFT Entity timely implemented two measures to mitigate risk. First, the appropriate use banner does display for system administrative access after successful entry of a valid user ID, PIN, and two-factor authentication key. Second, all security events and network intrusions related to the device are catalogued.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-3

Requirement: R4

Region: RFC

Issue: URE self-reported that it failed to conduct an annual cyber vulnerability assessment of the electronic access points to the ESP and the CAs within the ESP as scheduled due to a delay in the installation of new equipment.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because URE conducted the assessment 21 days after the scheduled date and by delaying the assessment new equipment was included in the assessment rather than equipment that would soon be obsolete. URE mitigated the violation by conducting the assessment and revising its compliance system to remind employees to conduct the annual cyber vulnerability assessment 60 days in advance of the due date.

Unidentified Registered Entity 1 (WECC_URE1), Docket No. RC13-12-000 (May 30, 2013)

Reliability Standard: CIP-005-3

Requirement: R1; R1.5

Region: WECC

Issue: During a compliance audit, WECC found that WECC_URE1 failed to afford the required protections to a Cyber Asset responsible for access control and/or monitoring (ACM), as the device was not set for automated or manual alarms following detected cybersecurity incidents. Though it was logging events, the device did not alert personnel.

Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability as the violation only affected one ACM device. The ESP was secured through other electronic protections during the time period of the violation.

Unidentified Registered Entity 3 (SPP_URE3), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-005-3

Requirement: R4; R4.2; R4.3

Region: SPP RE

Issue: SPP RE found, during a compliance audit, that SPP_URE3 did not have a sufficient cyber vulnerability assessment (CVA) to detect all access points to the Electronic Security Perimeter (ESP) and to ensure that the ports and services enabled on an internal network switch were required for operations. Moreover, the CVA team did not meet R4.3, in its failure to conduct a secondary physical inspection of network wiring to detect access points that were not picked up by network scans. One internal network switch was also not identified as an electronic access point. With regards to R4.2, SPP_URE3 failed to verify that operations required the network switch’s enabled ports and services.

Finding: SPP RE found that the issue posed a minimal risk, not a serious or substantial risk, to BPS reliability. SPP_URE3’s CVA identified all externally communicating network access points (gateways) through mapping/vulnerability scanning, but it did not detect one internal network switch access point, which existed on an isolated network segment that was a connection point for only one remote workstation. The workstations enabled ports and services were deemed to be necessary for operations, and thus a required VPN session between the workstation and ESP firewall mitigated the risk caused by the network switch’s lack of a review of ports and services. The ESP firewall anti-virus would inspect any communications from the remote workstation and the ESP intrusion prevention system.