NERC FFT Reports: Reliability Standard CIP-004-3

Alert


Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-3

Requirement: R4/4.2

Region: MRO

Issue: FFT Entity self-reported that it had not updated its CCA access list, as required, within 7 days of a contractor (an employee of FFT Entity’s janitorial service company) no longer requiring access to the CCAs.

Finding: MRO found that the issue constituted a minimal risk to BPS reliability since the relevant contractor’s physical access to the building (including the CCAs) had been timely revoked and, once the oversight was discovered, the access list was promptly updated.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-004-3

Requirement: R4.1

Region: FRCC

Issue: FFT Entity self-reported an instance where it did not update, within seven days of an employee’s retirement, its list of authorized users who possessed electronic or unescorted physical access to the CCAs.

Finding: FRCC found that the issue constituted a minimal risk to BPS reliability since the relevant employee’s access rights were timely revoked and access cards destroyed when he left.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-004-3

Requirement: R2

Region: ReliabilityFirst

Issue: FFT Entity found an instance of non-compliance with the Standard when it realized it gave an employee unescorted physical access to a PSP with CCAs prior to that employee finishing CIP training as required by the Standard. FFT Entity’s daily reconciliation of employee access rights to CCAs showed the improper access granted, and FFT Entity cancelled the employee’s access as soon as it was discovered.

Finding: ReliabilityFirst found the issue constituted a minimal risk to BPS reliability because the employee involved had finished initial and annual CIP training as required by FFT Entity’s affiliates and the subject employee had a PRA on file.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-004-3

Requirement: R2, R3

Region: ReliabilityFirst

Issue: FFT Entity submitted a self-report stating that it had granted an employee unescorted physical access to CCAs prior to that employee having a PRA (R3) on file and completing cyber security training (R2), in violation of the Standard.

Finding: ReliabilityFirst found the issue constituted a minimal risk to BPS reliability because, even though FFT Entity gave the employee unescorted physical access, the employee was located at a remote site and did not know he had such access. The employee neither attempted to enter nor entered any PSPs. And, FFT Entity performed a PRA after giving the access, and the PRA found no issues. The time period between when access was granted and when it was revoked was less than two business days.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-004-3

Requirement: R4

Region: WECC

Issue: During discussion with a WECC Subject Matter Expert regarding FFT Entity’s self-report, FFT Entity stated that, during the first quarter of 2011, it did not review one of its five access list types—the “Electronic SCADA” list. Furthermore, FFT Entity stated that on one occasion it did not update its access list within one week of the termination of an individual’s access requirements, failing to revoke access.

Finding: Under other circumstances poor maintenance of lists of personnel with physical and/or logical access to CCAs could jeopardize BPS security. In this case, WECC found that the issue constituted an unsubstantial risk to BPS reliability. FFT Entity made clear that all individuals with CCA (Critical Cyber Assets) access had been trained in personnel risk assessment and CIP. Furthermore, the relevant CCAs were located within a Physical Security Perimeter and Electronic Security Perimeter and provided the protections enumerated in CIP-005 and CIP-006.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-004-3

Requirement: R4

Region: WECC

Issue: FFT Entity self-reported that, during the first quarter of 2011, FFT Entity did not review one of its five access list types—the “Electronic SCADA” list. Furthermore, FFT Entity stated that on one occasion it did not update its access list within one week of the termination of an individual’s access requirements, failing to revoke access.

Finding: Under other circumstances, poor maintenance of lists of personnel with physical and/or logical access to CCAs could jeopardize BPS security. In this case, WECC found that the issue constituted an unsubstantial risk to BPS reliability. FFT Entity made clear that all individuals with access to CCAs had been trained in personnel risk assessment and CIP. Furthermore, the relevant CCAs were located within a Physical Security Perimeter and Electronic Security Perimeter and provided the protections enumerated in CIP-005 and CIP-006.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R3

Region: ReliabilityFirst

Issue: FFT Entity self-reported a violation of CIP-004-3 R3 by mistakenly granting physical access to CCAs to a contractor. A month before FFT Entity notified ReliabilityFirst of the breach, a NERC compliance team notified FFT Entity that it had identified an unexpected individual on the daily physical access report. In further investigation, FFT Entity discovered that it had erroneously granted physical access to CCAs to the wrong contractor. The problem arose when FFT Entity approved access to PSPs for a contractor working on the building’s fire alarm system, but accidentally provided that access to a contractor working at a credit union. Because the credit union employee did not have a background check on file, he did not receive a PRA as required by CIP-004-3 R3. In addition, an employee of FFT Entity failed to issue user identification information for the credit union contractor when creating that person’s employee record. This oversight left a null value for the credit union contractor in the employee database. And, the access request submitted for the fire alarm contractor was corrupted so, consequently, it too had a null value for user identification. As such, the null values matched, and the system erroneously granted the fire alarm contractor’s access request to the other contractor.

Finding: This issue posed only a minimal risk to BPS reliability for four reasons. First, the mistake was found within a day because FFT Entity precisely maintained its daily physical access report. Second, the credit union contractor was unaware that she had access to FFT Entity’s headquarters and did not attempt to use the access. Third, the credit union contractor works both in a separate physical facility and in a different city than FFT Entity’s headquarters. Fourth, all four of the PSPs that the credit union contractor was given access to are safeguarded by other protections. Two of the PSPs can only be accessed through biometric security. The other two PSPs are located in small rooms in FFT Entity’s headquarters that are hard to find and access.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R4/4.1

Region: FRCC

Issue: FFT Entity self-reported that it failed to meet the reporting requirement of CIP-004-3 R4.1. The Standard requires entities to update their list(s) of personnel with authorized access to Critical Cyber Assets (CCAs) within seven calendar days after a change in such personnel. In the instant case, FFT Entity transferred a staff member to a new position that did not require access to the CCAs. While FFT Entity did revoke the transferred employee’s access within a day, it failed to properly update the list of authorized users within the seven-day window. FFT Entity remedied the problem by updating the list six days after the compliance date.

Finding: FRCC determined the error was only a minimal risk to BPS reliability because FFT Entity did properly revoke access in accordance with CIP-004-3 R4.2, failing only to timely document the change. FRCC did note that FFT Entity violated CIP-004 three other times, but distinguished the instant error from the others because they were for different requirements and occurred more than three years ago. Further, the instant issue regarded failure to update the list of authorized users in the required period of time, whereas previous errors regarded an overall lack of documentation.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R2

Region: FRCC

Issue: URE self-reported two violations of CIP-004-3. First, URE reported that it had not properly trained two employees prior to granting them CCA access. One employee had received annual training in 2009 and 2010, but the 2011 training was not completed until five months after it was due. The second individual was mistakenly given PSP access and that access was revoked within six days. During the time period, the employee was never aware he had PSP access. Second, URE granted CCA access to two contractors who had not received the required training for CCA access. The two contractors were employed by a trusted vendor for the purpose of tuning and maintaining generating plant equipment and were allowed access on two occasions for short time periods – 1 day and 3 days – during which time their activity was monitored by operating personnel.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability. Regarding the first violation, the employees were long-term employees with PRAs on file. The first employee successfully completed his 2011 training, although five months late. The second employee received the wrong badge which would have granted access to the CCAs, but the individual was not aware he had access and did not attempt to gain access. With regard to the second violation, the contractors worked for a very large generating plant turbine equipment manufacturer and had the training and authorization to work on the plant equipment. During the time period, their access was controlled and any and all modifications to the equipment were undertaken after consulting with plant operations employees. URE previously violated this Standard, but the present violations were not considered a failure to mitigate a prior violation. The previous violation involved transmission-related functions. The generation-related functions are handled separately and are the focus of the instant violations, which is why FFT treatment was afforded.

Unidentified Registered Entity, Docket No. RC12-11 (April 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R3

Region: FRCC

Issue: URE self-reported that it failed to conduct a personnel risk assessment for a contractor with authorized unescorted physical access to CCAs, in violation of R3. The contractor accessed the CCAs remotely to analyze data in connection with turbine tuning activities on three separate occasions for short periods of less than two hours.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because the contractor operated pursuant to a trusted vendor contract under the direction of the plant system operator. The vendor was considered a specialist in the activity and was frequently used in the industry. The URE had a previous violation of CIP-004-3, but FRCC determined, based on the dissimilar circumstances, that the current violation did not represent a failure to mitigate a prior violation appropriately. URE completed mitigation activities, including revoking access and creating a new procedure for retaining new vendor contractors that access systems remotely. The new procedure requires URE to conduct PRAs and training prior to granting any access to CCAs, and also requires training for personnel that grant access to CCAs.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R4

Region: WECC

Issue: URE self-reported that it did not revoke access for two former employees within seven days of their departure because their manager failed to notify URE’s compliance department that the employees had left. The first employee left on August 5, 2011, and that employee’s access should have been revoked by August 12, 2011 but was not revoked until August 30, 2011. The second employee left on August 12, 2011 and that employee’s access should have been revoked on August 19, 2011 but was not revoked until September 13, 2011.

Finding: WECC determined that the violation posed a minimal risk to BPS reliability because the employees at issue had PRAs and training prior to obtaining physical access to the CCAs, they did not have electronic access to the CCAs, and the CCAs were protected in a locked cabinet by monitoring and logging measures to detect unauthorized activity. URE mitigated the violation by revoking the access of the employees and distributing an email outlining its process for revoking employees’ access to CCAs.
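Two failure modes recur in these summaries: revocations and list updates that miss the seven-calendar-day R4 window (the August 2011 dates in the Docket NP12-11 entry above) and an access request matched to the wrong person because two null user identifiers compared equal (the Docket RC12-7-000 entry). The reconciliation check below is an added example written for this page, not code from any filing or entity; the record layout, field names, the "emp-" and "ctr-" identifiers and the sample dates other than the quoted August 2011 ones are constructed assumptions.

```python
"""Reconciliation checks for the CIP-004-3 R4 window and null-identifier matching.

Added example for this page, not code from any FFT filing. Field names,
identifiers and the non-quoted dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# CIP-004-3 R4 requires the list update (R4.1) and the revocation (R4.2)
# within seven calendar days of the change in personnel.
WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class AccessChange:
    """One personnel change that should trigger a revocation and a list update."""
    user_id: Optional[str]
    departed: date                 # last day the access was required
    revoked: Optional[date]        # None: access is still active
    list_updated: Optional[date]   # None: the authorized list still shows the person


@dataclass(frozen=True)
class Finding:
    user_id: Optional[str]
    kind: str       # late_revocation | not_revoked | late_list_update | list_not_updated
    days_late: int  # calendar days past the seven-day deadline


def deadline(departed: date) -> date:
    """Last compliant day for both the revocation and the list update."""
    return departed + WINDOW


def check_change(change: AccessChange, as_of: date) -> list[Finding]:
    """Flag a change whose revocation or list update missed the deadline.

    An action that has not happened yet counts as late once `as_of` passes
    the deadline, so still-open items surface in the report, not only closed ones.
    """
    due = deadline(change.departed)
    findings = []
    for done_kind, open_kind, when in (
        ("late_revocation", "not_revoked", change.revoked),
        ("late_list_update", "list_not_updated", change.list_updated),
    ):
        if when is None:
            if as_of > due:
                findings.append(Finding(change.user_id, open_kind, (as_of - due).days))
        elif when > due:
            findings.append(Finding(change.user_id, done_kind, (when - due).days))
    return findings


def resolve_requester(request_user_id: Optional[str], personnel: list[dict]) -> dict:
    """Match an access request to exactly one personnel record by user_id.

    A null or empty identifier on either side never matches: in the RC12-7
    case two null user identifiers compared equal and a request was granted
    to the wrong contractor. Ambiguous matches are refused for the same reason.
    """
    if not request_user_id:
        raise ValueError("access request carries no user identifier; refusing to match")
    matches = [p for p in personnel
               if p.get("user_id") and p["user_id"] == request_user_id]
    if len(matches) != 1:
        raise LookupError(f"expected one record for {request_user_id!r}, found {len(matches)}")
    return matches[0]


# Constructed sample data. The first two rows use the dates quoted in the
# Docket NP12-11 summary; the third is a compliant change for contrast.
SAMPLE_CHANGES = [
    AccessChange("emp-001", date(2011, 8, 5), date(2011, 8, 30), date(2011, 8, 30)),
    AccessChange("emp-002", date(2011, 8, 12), date(2011, 9, 13), date(2011, 9, 13)),
    AccessChange("emp-003", date(2011, 8, 15), date(2011, 8, 16), date(2011, 8, 18)),
]

SAMPLE_PERSONNEL = [
    {"user_id": "ctr-fire-01", "name": "fire alarm contractor"},
    {"user_id": None, "name": "credit union contractor"},  # null id, as in RC12-7
]


def audit(changes: list[AccessChange], as_of: date) -> list[Finding]:
    """Run the deadline check over every change and collect all findings."""
    return [f for c in changes for f in check_change(c, as_of)]


def sample_audit() -> list[Finding]:
    return audit(SAMPLE_CHANGES, date(2011, 9, 30))


def null_request_is_rejected() -> bool:
    """A request with no identifier must not match the null personnel record."""
    try:
        resolve_requester(None, SAMPLE_PERSONNEL)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f.user_id}: {f.kind} ({f.days_late} days past deadline)")
    print("null identifier rejected:", null_request_is_rejected())
```

Running it reports both August 2011 departures as 18 and 25 days past the deadline and confirms that the null-identifier request is refused rather than silently matched.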

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R2; R2.3

Region: FRCC

Issue: URE submitted a self-report explaining that one contractor had failed to finish his annual cyber security training after his annual training had expired. The contractor had logical access to the CCAs and attempted to access the system, 64 days after his training had expired, which alerted URE to the issue. The contractor’s access was revoked until he completed the required training the next day. The violation duration was 65 days. The contractor had completed cyber security training in previous years.

Finding: FRCC determined the issue posed a minimal risk to BPS reliability because the contractor had received the required training in previous years, was a trusted vendor with a long-term contract, and had a PRA on file. During the time frame in which the contractor had expired credentials, he had CA access only once. This is the second violation of the relevant Standard by URE, but FRCC found it did not represent repeating conduct. The initial violation concerned an employee with only partial training, but this violation involved contractor training. And, the training lapse occurred because the contractor had not accessed the system until 64 days after his training expired.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R4

Region: WECC

Issue: URE filed a self-report discussing one occasion on which particular access rights to CCAs were not listed. URE further reported that access rights for personnel no longer needing access had not been revoked within the required seven-day timeframe.

Finding: This issue was deemed to pose minimal risk to BPS reliability because the individuals involved had PRAs on file and had participated in Cyber Security Training and URE monitored and logged all electronic and physical access to the CCAs.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-004-3

Requirement: 2

Region: TRE

Issue: URE submitted a self-report disclosing that it had mistakenly granted unescorted physical access rights to a newly hired planning supervisor at one of its plants prior to the individual completing cyber security training. TRE found that the issue had two causes. First, the individuals responsible for coding access badges were new to the position and granted the access upon request. Second, the form for requesting access did not include an entry to confirm that cyber security training had been finished. The supervisor had access for about six months until URE realized the compliance issue and revoked his access until all training was completed.

Finding: The issue was deemed to pose minimal risk to BPS reliability for the following reasons. (1) The supervisor had received some training prior to the grant of access. (2) The supervisor had received URE’s code of conduct and other corporate policies prior to the grant of access. The provided documentation included information that was contained in URE’s CIP training programs. (3) The supervisor had an up-to-date PRA on file. (4) Although the individual was granted physical access, he had no cyber access to CCAs during the relevant time period. In addition, TRE noted that there were only a small number of applications for such access. The individuals responsible for allowing access and coding badges were aware that cyber security training must be completed prior to being given access to PSPs with CCAs, and therefore, only this single event of non-compliance occurred.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-004-3

Requirement: 4/4.1

Region: MRO

Issue: URE submitted a self-report explaining it had not completely removed an intern’s physical access rights to CCAs within the seven-day time requirement. The intern had been granted physical access at two locations. Upon his departure, a supervisor at one location terminated all access rights, but access to the second location was not revoked, as the intern’s supervisor there was on vacation and was not aware the intern no longer needed the access. Upon returning to work the following month, the supervisor removed all access rights.

Finding: The violation was deemed to pose minimal risk to BPS reliability because when the individual left on his final day, he provided the security desk his badge, and all other URE employees were aware of his departure. The intern was not granted cyber access and physical access rights were completely removed 19 days after his departure. At no time did the intern attempt to access URE’s facilities after his last day.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-004-3

Requirement: 4/4.1

Region: MRO

Issue: URE submitted a self-report explaining that it had violated CIP-004-3 R4.1 by not keeping its CCA access lists for contractors and vendors up to date. Specifically, a vendor was granted physical access to a CCA location before obtaining all necessary approvals. The access request was submitted to URE’s help desk, and the vendor was cleared for access. However, the request was not identified correctly, so the step requiring the area steward’s approval prior to access was not part of the process. Once the mistake was discovered three days later, the area steward approved the vendor’s access rights. URE also reported that the vendor had received cyber security training and had a current PRA on file. On another occasion, a URE security guard accidentally gave clearance to an individual with the same name as the individual needing the access. URE discovered the error during its quarterly review of its access lists. It was determined the individual had unauthorized access for eight days.

Finding: The non-compliance issues were deemed to pose minimal risk to BPS reliability because the first issue was a routing error and approval was ultimately granted. The second issue was caused by two individuals having the same name and the security guard not following established procedures for checking identification prior to coding access rights. Both individuals had CIP training and current PRAs on file. And, the individual wrongly granted physical access never attempted, during the eight-day period, to access the area for which he had been given rights, which was over 100 miles away from the location where he works.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-004-3

Requirement: 4/4.1

Region: MRO

Issue: URE submitted a self-report disclosing it had not revoked, within the seven-day notification requirement, unescorted physical access rights granted to a contractor at two substations housing CCAs. The contractor assumed that taking the badge from the individual would be sufficient to revoke access privileges, but the badge is only one component of revoking CCA access.

Finding: The issue was deemed by MRO to pose minimal risk to BPS reliability because the contractor had up-to-date training and a PRA on file. MRO determined it was a one-time occurrence. URE performed a review of access logs and found no unauthorized access attempts. The contractor did not attempt to gain access to any CCAs prior to the revocation taking effect nor did he have any electronic access to CCAs.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC

Issue: URE self-reported an issue regarding R4 after URE failed to update its authorized access list for several Critical Cyber Assets (CCAs) to reflect the departure of an employee who no longer had cyber access to CCAs. The day after the employee resigned, URE revoked the employee’s authorized cyber and authorized unescorted physical access to CCAs. This is well within the seven calendar day window; however, URE did not remove this employee from the authorized access list, as required by R4.1, until eight days later.

Finding: RFC deemed this issue to pose a minimal risk to the reliability of the BPS which was mitigated by the timely revocation of the employee’s authorized cyber and authorized unescorted physical access to all CCAs. Consequently, the employee had no ability to gain access to CCAs. Furthermore, the employee was not terminated for cause.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC

Issue: URE submitted a self-report regarding R4 after an employee from URE transferred from a position that required authorized cyber and authorized unescorted physical access to Critical Cyber Assets (CCAs) to a position that did not require such access. URE’s access revocation process is initiated by an HR notification generated when an employee’s personnel record is updated to reflect a transfer. URE revoked the employee’s authorized cyber access; however, because the employee’s transfer occurred on a holiday, URE failed to update the personnel record to revoke physical access until three days after the requirement. URE revoked such access upon discovery of the failure.

Finding: RFC determined the issue posed a minimal risk to the reliability of the BPS. The employee transferred to a new position within the company, thus, the employee was still subject to its parent company’s Code of Conduct and Corporate Policy for Cyber Security. In addition, the employee had a valid personnel risk assessment, as well as cyber security training, prior to the issue arising. Also, the employee did not physically access the CCAs during the time period in question, and URE revoked the employee’s authorized cyber access in a timely manner.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC

Issue: URE verbally self-reported, and later submitted a self-report, that after an employee retired, it failed to update its shared account authorized access list for one Critical Cyber Asset (CCA) to reflect that the employee no longer had access to the CCA. However, URE did revoke this employee’s authorized cyber and authorized unescorted physical access to CCAs within the seven calendar day window. URE discovered the issue during the quarterly verification of the authorized access list, and the individual in question was removed from the list approximately six weeks after his retirement date (in compliance with R4.1).

Finding: RFC deemed this issue to pose a minimal risk to the reliability of the BPS which was mitigated by the timely revocation of the employee’s authorized cyber and authorized unescorted physical access to all CCAs. Additionally, URE changed the password to the shared account for the CCAs at issue in a timely manner, so the employee had no ability to gain access to CCAs. Furthermore, since the CCA in question is typically logged on at all times to facilitate plant operation, it was less likely that the infraction would have resulted in unauthorized logons to the CCAs. Also, the employee was not terminated for cause.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-004-3

Requirement: 2, 3

Region: WECC

Issue: URE self-reported that it improperly granted a contractor access to its CCAs prior to the contractor completing his required cyber security training. URE detected the problem and revoked the contractor's access rights that same day (2). URE also improperly granted the contractor access rights without first conducting a personnel risk assessment (PRA) (3).

Finding: WECC found that the issues constituted only a minimal risk to BPS reliability since the issues only involved one contractor who had improper access for less than one day (as URE corrected the error within hours). In addition, all of URE's CCAs are protected by an electronic intrusion detection system and all access is logged and monitored. The CCAs are also contained within a PSP and ESP. After the contractor received a PRA and completed the cyber security training, he was granted access to the CCAs and CAs.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-004-3

Requirement: 3

Region: WECC

Issue: URE self-reported that one of its control room operators, who had physical and cyber access to the SCADA system inside the control rooms, did not have a current personnel risk assessment (PRA) on file. Once it was discovered that the operator's PRA was five weeks overdue, URE expeditiously completed the renewal of his PRA.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since the operator, a long-time employee with access to the control room, had previously received a PRA and was up to date on his CIP training. In addition, the control room was located in a PSP and ESP and subject to continuous video monitoring. There were also onsite security personnel stationed at all access points and PSPs.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 3

Region: WECC

Issue: FFT Entity self-reported that, for 43 days, one of its employees with physical access to the PSP did not have a current PRA on file. The PRA was not updated until 43 days after the previous one had expired.

Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since the relevant employee was in good standing with FFT Entity and had received all of the required training. In addition, all of FFT Entity's CCAs were protected by both an identified PSP and ESP.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC

Issue: FFT Entity self-reported that it did not update, within seven days, its list of personnel with physical access rights to the CCA after a contract security officer (who possessed authorized unescorted physical access rights) resigned. FFT Entity did not update its list until five months after the security guard resigned. The former contract security officer also retained his physical access badge (which had been disabled by FFT Entity) for 15 days after the badge was disabled.

Finding: RFC found that the issue only constituted a minimal risk to BPS reliability since the contract security officer had received cyber security training and, while still employed, had a current PRA on file. In addition, the security officer did not have electronic access rights to the CCAs, and FFT Entity's operations personnel were continuously monitoring the area where the security officer had access.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC

Issue: URE self-reported that an employee who had authorized unescorted physical access to a PSP no longer required such access and URE failed to disable the employee's physical access to an emergency exit from the PSP within seven calendar days (in noncompliance with R4). This error arose because the name of the emergency exit did not match the name of the other doors in the PSP. URE revoked the employee's access upon discovery.

Finding: RFC found the issue posed a minimal risk to the reliability of the BPS because the risk was mitigated by the fact that the employee in question transferred departments within URE and URE tracks door access through badges and visual monitoring. Furthermore, the door is only accessible by way of an adjacent vacant room, which is only accessible through a door that is generally locked when unattended. In addition, URE had revoked the employee's access from all other PSP entrances, as well as rescinded the employee's authorized cyber access. Consequently, it was deemed unlikely that the individual would have been capable of gaining undetected access through the door in question and compromising the integrity of the CCAs. Moreover, the employee had completed a valid personnel risk assessment and cyber security training. URE became aware of the issue during one of its periodic entitlement reviews of physical security access privileges.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-004-3

Requirement: 4; 4.2

Region: NPCC

Issue: URE self-reported that it failed to rescind unescorted physical access to PSPs containing CCAs in a timely manner (per R4.2). An employee was moved to a new position that no longer afforded unescorted access, but the employee retained access rights for 11 days after the transfer. The notice to rescind access was not given in timely fashion to the appropriate staff, as the standard requires access to be revoked within seven calendar days.

Finding: NPCC found the issue posed a minimal risk to the reliability of the BPS since the employee moved from working within the PSP to the field. During the period in question, logs demonstrate the employee was receiving training for his new position and did not attempt to access the PSPs. In addition, the employee had undergone a personnel risk assessment and had previously been briefed on the responsibilities of unescorted physical access to PSPs containing CCAs.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-3

Requirement: 4/4.1

Region: NPCC

Issue: URE1 self-reported to NPCC that it had not updated its list of employees with authorized cyber access to Critical Cyber Assets (CCAs) within seven calendar days due to a lack of communication with a vendor. The relevant employee had voluntarily resigned from employment with the vendor, and the vendor immediately revoked the employee's cyber access to all of URE1's CCAs; however, the vendor did not alert URE1 for 32 days that the employee had resigned, and therefore, URE1's list was not updated until that time which was outside of the seven-day window.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because the person at issue had undergone a PRA which was valid when he resigned. The person also had attended cyber-security training. No identification or access card had been assigned to the individual, and he did not have unescorted physical access to URE1's CCAs. A review of electronic access logs during the relevant time period showed the individual had not attempted to access any of URE1's CCAs after his employment ended.

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-3

Requirement: 4

Region: WECC

Issue: URE2 self-reported a compliance issue to WECC stating that a telecommunications agent with authorized unescorted physical access to CCAs inside a PSP at URE2's system operations control center had been terminated, but URE2 did not update the personnel access list for CCAs on time as required by CIP-004-3 R4.1. The person's access was revoked and his badge was collected upon termination.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. WECC found the risks to be limited based on the scope of the issue and other compensating measures afforded by URE2. Logical access to CCAs is immediately removed when an employee is terminated. Also, all employees having access to CCAs receive CIP training and undergo PRAs. In addition, the system control center is monitored at all times. URE2 updated the access list 11 days after the employee left his position.

Unidentified Registered Entity 3 (URE3), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-3

Requirement: 4

Region: RFC, TRE, SPP RE

Issue: URE3 submitted to the three Regional Entities a self-report explaining four compliance issues. (1) A contractor who had authorized unescorted physical access to CCAs resigned; however, URE3 did not revoke the individual's access until 30 days later, whereas the requirement calls for a seven-day revocation window. (2) In SPP RE only, a building maintenance technician with PSP physical access rights resigned, but the person's access was not revoked until nine days later, two days later than the Reliability Standard requires. (3) An employee within an operations business unit had authorized cyber access to certain SCADA system CCAs but no longer needed the access. URE3 did not revoke the access until 36 days later, not within the seven-day requirement. (4) An IT service desk employee had authorized cyber access to CCAs but no longer needed the access. URE3 did not revoke the access until 18 days later, not within the seven-day requirement.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Risk was mitigated due to the following: (1) internal controls discovered the issues within a short time frame; (2) access was revoked almost immediately upon URE3 discovering that access had not been already revoked; (3) three of the four instances involved less than one month of non-compliance and the fourth instance involved only 36 days; (4) none of the individuals involved were terminated for cause, and one simply no longer needed access to the assets; and (5) badges and access tokens were handed in at the time of resignation.

Unidentified Registered Entity 4 (URE4), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-004-3

Requirement: 4

Region: WECC

Issue: URE4 self-reported a compliance issue to WECC when it found it had not revoked physical access to a single PSP containing CCAs within seven days for a person no longer requiring such access. URE4 revoked the access in 10 days rather than the required seven.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. WECC found the risk to be limited based on the scope of the issue and other compensating measures afforded by URE4. The issue was limited to a three-day period. The relevant individual had completed cyber security training and had a valid PRA on file. In addition, all of the CCAs are secured within an ESP inside a PSP, and access is controlled and monitored.

Unidentified Registered Entity 1 (NPCC_URE1), Docket No. RC13-9 (May 30, 2013)

Reliability Standard: CIP-004-3

Requirement: 2; 2.1

Region: NPCC

Issue: NPCC_URE1 self-reported an issue with CIP-004-3 R2.1 to NPCC when it found that its site security had erroneously processed a physical access request form granting an employee access to Critical Cyber Assets (CCAs). The form listed a date on which the employee had undertaken NPCC_URE1’s 2011 NERC Reliability Standards awareness training, even though the employee had not taken NPCC_URE1’s 2011 mandatory cyber security training, which is a prerequisite to granting unescorted physical access to CCAs. Upon discovering the error, NPCC_URE1 immediately revoked the employee’s authorized physical access.

Finding: NPCC determined that the issue posed a minimal risk to the reliability of the BPS because despite not having completed the 2011 mandatory cyber security training, the employee had completed this training in 2010 and was only granted access to a single PSP. The employee had also not entered the PSP during the eight-day period he was granted access.

Unidentified Registered Entity 6 (RFC_URE6), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-004-3a

Requirement: R3

Region: RFC

Issue: RFC_URE6 self-reported that it granted cyber access to a Critical Cyber Asset to a vendor without a valid personnel risk assessment (PRA). During an Electronic Access Control and Monitoring System training program, an authorized RFC_URE6 employee logged into a shared account and then turned control of the session over to a vendor representative, who did not have a valid PRA, to lead a demonstration. The demonstration lasted an hour.

Finding: RFC found that this issue posed minimal, but not serious or substantial, risk to BPS reliability. The individual was employed by a trusted vendor which is party to signed confidentiality and non-disclosure agreements with RFC_URE6. The employees attending the training had valid PRAs.

Unidentified Registered Entity 2 (WECC_URE2), Docket No. RC13-12-000 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 3; 3.2

Region: WECC

Issue: WECC_URE2 self-reported its failure to update the personnel risk assessment (PRA) of a single employee. The update was roughly 18 months late.

Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability, as the individual had a prior PRA, was in good standing, and was up to date on cyber security training.
