NERC FFT Reports: Reliability Standard CIP-002-2


Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-2

Requirement: R4

Region: SERC

Issue: As the result of a compliance audit, SERC determined FFT Entity violated R2 because it failed to provide evidence that its senior manager or delegate approved, signed, and dated FFT Entity’s risk-based assessment methodology in 2010.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs and does not own or operate any of the CCA criteria set out in proposed CIP-002-4. Moreover, FFT Entity had a documented risk-based assessment methodology.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-002-2

Requirement: R4

Region: SERC

Issue: As the result of a compliance audit, SERC determined FFT Entity violated R4 because it failed to provide evidence that its senior manager or delegate approved, signed, and dated FFT Entity’s risk-based assessment methodology on an annual basis.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not own or operate any of the CCA criteria set out in proposed CIP-002-4, and FFT Entity has a risk-based assessment methodology.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-002-2

Requirement: R1 (1.1)

Region: RFC

Issue: FFT Entity self-reported that it did not include actual evaluation criteria in its risk-based methodology (RBAM), such as engineering studies and discussions with subject matter experts as required by CIP-002-2 R1.1.

Finding: RFC determined that this issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS. The risk was mitigated by the fact that the issue was administrative: FFT Entity did evaluate all its assets according to engineering studies and discussions with subject matter experts, and it did not identify any new facilities or change the designation of previously identified facilities from CAs after it included the required evaluation criteria in its RBAM.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-002-2

Requirement: R3

Region: Texas RE

Issue: Four devices on FFT Entity’s CCA list were outside of the PSP. However, the four devices had been added to the CCA list in error.

Finding: This issue was not a serious risk to the BPS. As part of a test platform, the four devices under discussion were mistakenly added to the CCA list and the list’s annual review had not yet happened.

Sabine River Authority of TX/LA ("Sabine"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-002-2

Requirement: 1; 2

Region: SERC

Issue: Sabine, as a GO, self-reported an issue with R1, stating that its Protection System maintenance and testing program did not contain maintenance and testing intervals, or a summary of maintenance and testing procedures for all Protection System devices. Sabine self-reported after the GOP informed Sabine that SERC had discovered deficiencies in the GOP's Protection System maintenance and testing procedures, which Sabine implemented for its GO functions (along with internal Sabine procedures). In addition, Sabine's maintenance and testing procedures did not address Associated Communication System (ACS) devices. Sabine does not own ACS devices; however, the Protection System maintenance and testing procedure did not note this. Sabine also self-reported an issue with R2, stating it could not evidence that all Protection System devices were maintained and tested within the defined intervals or provide the date each Protection System device was last tested/maintained.

Finding: SERC found the issue posed a minimal risk to the reliability of the BPS since the generator Protection System devices were tested and maintained through the GOP's automated maintenance management system, which identified the test intervals and due dates to ensure Protection System devices were tested at the appropriate date. The system issued work orders that contained the necessary information and procedures to conduct testing and maintenance for each relevant Protection System device. In addition, Sabine's contractor produced email records verifying the monthly battery tests were performed during the period in question; however, Sabine could not produce specific records as they were lost or misplaced. Sabine reviewed the monthly battery test records for the months before and after the period in question and found no abnormalities with the battery system. Also, Sabine was up to date with all of its Protection System device testing and maintenance procedures by March 31, 2011, and the omission of ACS devices was not significant. Furthermore, Sabine is an 81 MW hydro station which operates intermittently for a period of a few hours each day (Monday through Friday) based on the reservoir water level; it is not transmitted at any other times, and not considered a critical asset to the reliability of the BPS.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-002-2

Requirement: 1, 2, 3, 4

Region: TRE

Issue: While conducting a spot-check, TRE found that the risk-based assessment methodology (RBAM) in place and used by URE to classify CAs at a new acquisition was not compliant with the requirements of R1 of the Reliability Standard. URE became the owner of a new station and undertook a review to identify CAs, ultimately determining the new station had no CCAs or CAs. However, the RBAM URE used to make the determination was based on other assets owned by URE. In addition, URE believed it had two years to update its existing RBAM to include information from the new facility. Regarding R2, URE was not creating its list of CAs by annually applying its RBAM to determine any updates the list should reflect. Regarding R3, URE had no list of identified CCAs required to operate CAs as required by the Reliability Standard. Finally, URE had no evidence that the senior manager or delegate had reviewed and approved the RBAM or the lists of CAs and CCAs URE was required to maintain pursuant to R4 of CIP-002-2.

Finding: The issues were deemed by TRE to pose minimal risk to BPS reliability because the issues were short-term and documentation-based. URE was aware it needed to update the RBAM; however, it believed more time was afforded to complete the task. While the issue was ongoing, URE had a documented RBAM that was compliant with the overall requirements and used for other assets owned by URE, and that RBAM resulted in a finding of no CCAs or CAs at the new station. URE’s updated RBAM showed the same conclusion that the new facility has no CCAs or CAs.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-2

Requirement: 3

Region: FRCC

Issue: URE submitted a self-report specifying three Cyber Assets, which were incorrectly identified as Critical Cyber Assets (CCAs), did not reside in the ESP (per R3). In addition, though it was well-secured within the ESP, one CCA was not listed on the CCA list for roughly thirteen months, until the list was revised.

Finding: FRCC determined this issue posed a minimal risk to the reliability of the BPS because URE only failed to document the list accurately, and the Cyber Assets in question had no applications installed that could impact BPS reliability. Additionally, the CCA that was left off of the list was secured within the ESPs and thus protected per the CIP Standards.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-002-2

Requirement: 4

Region: SERC

Issue: During an audit, SERC found that URE failed to produce a signed and dated record of the Senior Manager or delegate’s approval of the RBAM, the list of Critical Assets, and the list of Critical Cyber Assets (CCAs) for a calendar year (per R4). SERC reviewed documents provided by URE and discovered that URE failed to approve the RBAM, the list of Critical Assets, and the list of CCAs for one year. SERC determined that URE personnel signed the null list of Critical Assets and the null list of CCAs in three prior years; however, the signatures on these lists in two prior years were not valid because the individuals signing had not been assigned responsibility in writing for URE compliance with the CIP standards (as required by CIP-003 R2). Consequently, URE’s issue with R4 dated back to when URE was required to be compliant with the Standard. In addition, the RBAM was not approved in two prior years as required by versions 2 and 3 of the Standard.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4. Furthermore, URE applied three prior years’ RBAMs, resulting in null lists for Critical Assets and indicating that URE did not acquire any Critical Assets or CCAs in the omitted year.

Unidentified Registered Entity 3 (URE3), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-002-2

Requirement: 4

Region: WECC

Issue: While conducting an off-site compliance audit, WECC found that URE3 did not have a CIP senior manager or a senior manager delegate sign and approve its risk-based assessment methodology (RBAM) or its CAs/CCAs null lists. URE3's general manager reviewed and approved the relevant documents, but that individual is not URE3's CIP designated senior manager or the delegated CIP senior manager.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. URE3's general manager, who is responsible for designating the CIP senior manager position, had reviewed the RBAM and null lists of CAs and CCAs while the issue was ongoing. Also, the CIP senior manager reports to the general manager, and emails showed that the individual was aware of the CA and CCA lists. Finally, URE3 does not have any CAs or CCAs.
