NERC FFT Reports: Reliability Standard CIP-006-3a

Alert

Unidentified Registered Entities 1-3 (UREs), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-006-3a

Requirement: 2/2.2

Region: NPCC

Issue: While conducting a Compliance Audit, NPCC found three UREs to be in violation of CIP-006-3a because they failed to complete cyber vulnerability assessments for servers associated with the physical access control system (PACS), as required by CIP-007-3 R8, within the time prescribed under the Reliability Standards. The UREs conducted the assessments six months late. The UREs’ parent company conducts vulnerability assessments at the corporate level, so the failure to perform the assessment affected multiple registered entities.

Finding: The issue was deemed by NPCC to pose minimal risk to BPS reliability because the relevant servers are not used to monitor or control BPS assets. The servers control the card reader system in place to control PSP physical access points. Also, the UREs all employ security guards and video cameras to monitor PSP access. UREs also have stringent controls in place for allowing physical access to CCAs.

NPCC noted that one of the UREs (URE1) had previously violated this Standard, but for other reasons, and therefore did not consider the instant violation by URE1 to be a repeat violation.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-006-3a

Requirement: 1/1.7

Region: NPCC

Issue: URE submitted a self-report disclosing it failed to update the physical security plan within 30 calendar days of the completion of any physical security system redesign or reconfiguration (per R1.7). The physical security plan was updated 155 days after the 30-day window had ended. The issue was discovered while performing the “extent of condition analysis milestone” for a Mitigation Plan associated with another URE subsidiary.

Finding: NPCC determined this issue posed a minimal risk to the reliability of the BPS because it was administrative in nature: URE did update the physical security plan in accordance with the Standard, but failed to do so within the specified time frame. Furthermore, all physical access control devices providing access control, monitoring and logging at the designated Physical Security Perimeters (PSPs) were functioning and operating properly.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-006-3a

Requirement: 2.2

Region: NPCC

Issue: URE submitted a self-report disclosing a violation of R2.2. URE has a management services agreement under which a third-party company serves as manager for URE and performs the reliability compliance functions and monitoring associated with URE’s responsibilities as a NERC Registered Entity. During an NPCC CIP Compliance Audit of the third party’s affiliate, NPCC determined that the third party had failed to perform, on behalf of URE, a timely cyber vulnerability assessment of the servers involved with the physical access control system (PACS), as required by CIP-007-3 R8. All other required assessments for URE’s assets were completed by the second quarter of 2010; the cyber vulnerability assessment, however, was not completed until six months later. This failure to complete the vulnerability assessment affected multiple registered entities, including URE.

Finding: NPCC determined this issue posed a minimal risk to the reliability of the BPS because the servers in question are used to control the card reader system that polices the Physical Security Perimeter’s (PSP) physical access points. The servers do not monitor or control BPS assets. Additionally, URE employs security guards and video cameras to monitor access to the PSP and has strict controls in place for providing physical access to Critical Cyber Assets.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-006-3a

Requirement: 2.2

Region: WECC

Issue: URE submitted a self-report concerning an issue with R2.2. A WECC subject matter expert (SME) contacted URE to review the self-report; URE stated that it had not afforded two panels the protections of CIP-007 R6, and that those panels control access to all of URE’s PSPs.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS because the panels are located within a locked cabinet with restricted key access, which fewer than five individuals have access to. Furthermore, the locked cabinets also have tamper switches installed to alert the entity upon opening the enclosures.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-3a

Requirement: 1

Region: RFC

Issue: During a compliance audit, RFC found four dates on which URE's visitor logs were missing required exit or log-out information.

Finding: RFC found that the issue constituted only a minimal risk to BPS reliability. Under URE's internal auditing system, its security personnel review the visitor logs every few days and had therefore corrected the discrepancies a few days after they occurred.
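The periodic visitor-log review this finding relies on is easy to automate once sign-in sheets are transcribed. The following is an added example, not code from the report or from any registered entity: it runs over a constructed CSV visitor log (all names, dates and times are made up), flags entries whose exit or log-out information is missing or implausible, lists the distinct dates that need correction, and identifies open entries that have outlived the review cadence. The column names and the `max_open_days` cadence parameter are assumptions for the example.

```python
"""Visitor-log completeness check. Added example; the log below is constructed."""
import csv
import io
from datetime import date, datetime

# Constructed sample sign-in sheet (assumed column layout):
# date, visitor, escort, entry_time, exit_time (blank when nobody recorded a sign-out).
SAMPLE_LOG = """date,visitor,escort,entry_time,exit_time
2012-03-05,A. Vendor,J. Ops,08:15,11:40
2012-03-05,B. Contractor,J. Ops,09:00,
2012-03-06,C. Auditor,K. Sec,13:05,16:30
2012-03-12,D. Technician,J. Ops,07:50,
2012-03-12,E. Technician,J. Ops,07:50,12:10
2012-03-12,H. Auditor,K. Sec,15:00,09:00
2012-03-19,F. Vendor,K. Sec,10:00,
2012-03-27,G. Inspector,K. Sec,14:20,
"""


def parse_visitor_log(text):
    """Parse the CSV sheet into dicts, converting the date column to a date object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["date"] = date.fromisoformat(row["date"])
    return rows


def _as_time(value):
    """Return an HH:MM string as a time object, or None when the cell is blank."""
    value = (value or "").strip()
    return datetime.strptime(value, "%H:%M").time() if value else None


def incomplete_entries(rows):
    """Rows that would fail an auditor's completeness check.

    Two defects are flagged: a blank exit time (the visitor was never signed
    out, or the sheet was not completed) and an exit time earlier than the
    entry time (a transcription error that is as useless as a blank cell).
    """
    findings = []
    for row in rows:
        entry_t, exit_t = _as_time(row["entry_time"]), _as_time(row["exit_time"])
        if exit_t is None:
            findings.append((row, "missing exit time"))
        elif entry_t is not None and exit_t < entry_t:
            findings.append((row, "exit time before entry time"))
    return findings


def dates_with_gaps(rows):
    """Distinct log dates carrying at least one incomplete entry, sorted."""
    return sorted({row["date"] for row, _ in incomplete_entries(rows)})


def stale_open_entries(rows, as_of, max_open_days):
    """Entries still lacking an exit time once the review cadence has elapsed.

    Entries dated after `as_of` are ignored; they cannot be overdue yet.
    """
    stale = []
    for row, reason in incomplete_entries(rows):
        age_days = (as_of - row["date"]).days
        if reason == "missing exit time" and age_days > max_open_days:
            stale.append(row)
    return stale


if __name__ == "__main__":
    log = parse_visitor_log(SAMPLE_LOG)
    for row, reason in incomplete_entries(log):
        print(f"{row['date']} {row['visitor']}: {reason}")
    print("dates needing correction:", [str(d) for d in dates_with_gaps(log)])
    print("open past a 3-day review cadence as of 2012-03-20:",
          [r["visitor"] for r in stale_open_entries(log, date(2012, 3, 20), 3)])
```

Run against the sample, the check reports five defective entries spread over four dates, and two entries that were still open more than three days after they were logged; the stale list is the one a reviewer on a "every few days" cadence would act on first.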
