NERC FFT Reports: Reliability Standard CIP-004-2

Alert

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-2

Requirement: R2.2.4

Region: TRE

Issue: During a spot check, TRE found that FFT Entity’s personnel training program did not address action plans and procedures for the recovery of CCAs after a Cyber Security Incident.

Finding: TRE found that this issue constituted only a minimal actual risk to BPS reliability (but a moderate potential risk). FFT Entity did have procedures in place for the recovery of CCAs and access to CCAs, but was not training its personnel on them. These recovery procedures were never triggered during FFT Entity’s non-compliance period.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-004-2

Requirement: R4

Region: WECC

Issue: FFT Entity self-reported that it had not timely revoked, within seven days, the access rights of an individual (who worked for another entity at a co-owned facility) after he was terminated in good standing. When the individual left, the ID badge and substation card key were collected, but FFT Entity was not notified of the employee’s termination until two months later. Upon receiving notice, FFT Entity immediately revoked the individual’s access rights and updated its access list.

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability since the relevant individual worked for a separate employer and, once he was terminated, he did not have electronic or physical access to CCAs. In addition, FFT Entity has a strong compliance culture.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-004-2

Requirement: R4

Region: RFC

Issue: FFT Entity self-certified non-compliance with CIP-004-2 once it discovered it had not maintained its access list of personnel with cyber or unescorted physical access to CCAs to include the specific electronic access rights for individuals with access rights to CCAs. In particular, once two employees received CIP training and completed a PRA according to procedure, they were granted access to CCAs, but their names and access rights were not included on FFT Entity’s access list. Further, a compliance specialist was included on the access list even though FFT Entity had not granted the compliance specialist access rights.

Finding: RFC determined that this issue posed a minimal risk, and not a serious or substantial risk, to the reliability of the BPS. The risk was mitigated by the fact that the issue was a documentation error: actual physical and electronic access rights were accurate and up to date even though the access list was not. In addition, all individuals with cyber or unescorted physical access to CCAs had received CIP training and completed PRAs before being granted access rights, and there were no instances of physical or electronic access that were not properly authorized and documented.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-004-2

Requirement: R2

Region: TRE

Issue: During a compliance audit, TRE found that FFT Entity was not updating its cyber security training program on an annual basis, since it did not modify the timeframe within which changes must be made to the cyber security incident response plan, as required by the Reliability Standard. FFT Entity also had a remediated issue regarding its four-day delay in revoking the CCA access rights of seven contractors who had not completed their training.

Finding: TRE found that the issue constituted only a minimal risk to BPS reliability, since FFT Entity’s employees, who had current PRAs on file, were receiving timely training on the Reliability Standard. The seven contractors also had current PRAs on file and had previously received the cyber security training. In addition, the employees and contractors were familiar with FFT Entity’s security practices.