NERC FFT Reports: Reliability Standard CIP-005-1

Alert


Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R1

Region: SERC

Issue: Following a Self-Report, SERC determined that FFT Entity failed to classify an asset as a non-critical Cyber Asset (non-CCA) within a defined ESP because personnel did not realize the asset was located on a network with CCAs that used a routable protocol.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the device was within the PSP and was used to monitor network performance and system logging.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R1.4/1.6

Region: MRO

Issue: During a spot check, MRO discovered that FFT Entity did not properly document or sufficiently protect all of its non-critical CAs in its ESP (such as an intermediate anti-virus server that was moved in and out of the ESP for updates and a network switch that served as an access point to the ESP).

Finding: MRO found that this issue constituted only a minimal risk to BPS reliability since the relevant anti-virus server was configured as a hardened single purpose device and the relevant network switch was guarded by FFT Entity’s IT policy.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.6

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit one Technical Feasibility Exception (TFE) Report in compliance with CIP-005-1 R2/2.6.

Finding: RFC found that the issue constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including using two-factor authentication and firewall rules that minimize the exposure of the devices. After the TFE Report was submitted, FFT Entity also enacted additional security measures to further reduce any potential risks.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.6

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit 1 Technical Feasibility Exception (TFE) Report in compliance with CIP-005-1 R2/2.6.

Finding: RFC found that the issue constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including using two-factor authentication and firewall rules that minimize the exposure of the devices. After the TFE Report was submitted, FFT Entity also enacted additional security measures to further reduce any potential risks.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.6

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit 1 Technical Feasibility Exception (TFE) Report in compliance with CIP-005-1 R2/2.6.

Finding: RFC found that the issue constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including using two-factor authentication and firewall rules that minimize the exposure of the devices. After the TFE Report was submitted, FFT Entity also enacted additional security measures to further reduce any potential risks.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R3

Region: MRO

Issue: FFT Entity self-reported that it did not timely establish a monitoring process (including security review and logging procedures) for one category of its CCA access devices.

Finding: MRO found that the issue constituted a minimal risk to BPS reliability since the personnel who had access to the devices had all been granted authorization and had received training and PRAs. In addition, authentication methods were in place.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.6

Region: MRO

Issue: FFT Entity submitted a Technical Feasibility Exception request eight months late reporting that LAN controllers for the physical access control system could not support the use of or installation of appropriate use banners as required by the Standard.

Finding: MRO found that, because of the security measures in place for the LAN controllers, the late submission of the TFE request posed minimal risk to the reliability of the BPS. The LAN controllers are housed in defined PSPs with restricted access, and connections to the LAN controllers are logged in real time.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R3/3.2

Region: MRO

Issue: FFT Entity failed to submit Technical Feasibility Exception (TFE) requests on time as required by the Standard. Certain CAs used for the security of FFT Entity’s PSP cannot support security monitoring processes that alert on attempts at unauthorized access. The TFE request was provided two months late.

Finding: Comparable security measures were in place to protect the Critical Assets: the CAs are located in a PSP whose access logs were reviewed; the CAs are separated from the business network, the SCADA system and the internet; and the CAs are located in the data center and secured through strong passwords. MRO therefore found that the late reports posed only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-005-1

Requirement: R3

Region: TRE

Issue: FFT Entity self-reported that it did not file the required TFEs although it was not technically feasible for its relays (evaluated as CCAs) to detect and issue alerts on unauthorized access to FFT Entity’s ESP, which is precisely the situation a TFE is meant to document.

Finding: TRE found that this issue constituted only a minimal risk to the BPS since the relevant devices were unable to support logging in any case. In addition, FFT Entity limits access to the devices through keycard-logged entry and video camera surveillance.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-005-1

Requirement: R4

Region: NPCC

Issue: In the course of a joint compliance audit with another region, NPCC determined that FFT Entity violated CIP-005-1 R4 in completing its first formal cyber vulnerability assessment of its ESPs eleven months after the compliance date. A separate region found that an affiliate of FFT Entity also violated the same Standard, but NPCC did not view the separate violation as an aggravating factor because both issues arose from the same conduct.

Finding: This issue posed only a minimal risk to the reliability of the BPS because while FFT Entity did not complete the formal annual cyber vulnerability assessment by the required compliance date, it did complete most of the work required by CIP-005-1 R4.1 through R4.4, including continually reviewing and hardening its ESP firewalls.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-005-1

Requirement: R4

Region: RFC

Issue: During a compliance audit, RFC found that FFT Entity did not timely finish its formal cyber vulnerability assessment. FFT Entity finished its assessment 11 months late.

Finding: RFC found that this issue constituted only a minimal risk to the BPS since FFT Entity managed to complete most of its work by the deadline, including reviewing and hardening the ESP firewalls. In addition, although the same conduct was an issue for an affiliate in a separate region, RFC did not consider this to be an aggravating factor.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-005-1

Requirement: R5/5.1/5.3

Region: SPP

Issue: FFT Entity self-certified that it did not possess sufficient documentation showing that it had conducted an annual review of the required documents and procedures and that it had also not maintained its access logs for a minimum of 90 days as mandated.

Finding: SPP found that this issue constituted only a minimal risk to the BPS since FFT Entity had actually reviewed the required documents and procedures (even though outside of the required annual timeframe).

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2/2.6

Region: NPCC

Issue: URE self-reported that firewalls associated with three corporate ESPs did not display the correct use banner for interactive access attempts for a period of 17 months.

Finding: NPCC found the violation constituted a minimal risk to BPS reliability because URE has electronic and physical security controls in effect that limit access only to certain users.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1; R1.1; R1.5

Region: FRCC

Issue: During a spot check, FRCC determined that URE failed to identify and document the ESPs and all access points to the perimeters in violation of R1. Specifically, it did not identify certain modems used to communicate with substations in violation of R1.1 and failed to maintain recovery plans for electronic access control and monitoring devices in violation of R1.5.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because URE’s access points were well protected via their limited configuration and serial-only communication capabilities.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1; R1.5

Region: MRO

Issue: During a Compliance Audit, MRO found that URE failed to implement and document technical and procedural controls for CAs used in the control and monitoring of the ESP. Specifically, password complexity for local administrative accounts was enforced only procedurally and not by technical controls.

Finding: MRO determined that the violation posed a minimal risk to BPS reliability because all of the passwords at issue had procedural controls including a minimum of six characters, required combinations of alpha, numeric, and “special characters,” and were changed at least annually. URE mitigated the violation by implementing technical controls.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1; R1.6

Region: FRCC

Issue: During a Compliance Audit, FRCC determined that URE failed to include a CA used to configure the intrusion detection system on its CA inventory list as an Electronic Access Control and Monitoring System (EACMS) for approximately one and a half years, in violation of R1.6. URE stated that it did not understand that devices used to configure EACMS were themselves considered EACMS that must be included on the CA inventory list.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because the CA was within the ESP and therefore afforded the required CIP protection for the duration of the violation. The URE had a previous violation of CIP-005-1 but FRCC determined based on the dissimilar facts that the current violation did not represent a failure to mitigate a prior violation appropriately. URE mitigated the violation by including the CA on its CA inventory list.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1; R5

Region: RFC

Issue: URE self-reported that it failed to include certain non-critical software components installed on CAs within an ESP on its documentation of CAs.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because the CAs on which the components were installed were identified as non-critical CAs and were protected by the ESP and URE’s security system and controls. URE mitigated the issue by finalizing its list of installed non-critical software components, documenting a formal process for control and maintenance of the components, and relocating applications that do not require ESP protection to outside of the ESP.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2; R2.3

Region: NPCC

Issue: During a CIP Compliance Audit, NPCC found URE in violation of R2.3 because it could not demonstrate that it had a procedure for securing dial-up access to the ESPs for a period of approximately three years. This violation affected multiple affiliated entities.

Finding: NPCC determined that the violation posed a minimal risk to BPS reliability because other measures were in place to secure dial-up access to ESPs, including the use of authentication controls such as usernames and passwords, and providing a presentation detailing how to secure dial-up access to technicians responsible for installing the devices which are used to secure dial-up access. Moreover, URE does not allow dial-up access to its Energy Management System ESPs. The violation was mitigated with the creation of a procedure for securing dial-up access to ESPs.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2; R2.6

Region: FRCC

Issue: URE self-reported that it failed to display identical appropriate use banners and document the content of such banners on all interactive attempts for all ESP access point devices per the requirements of its cyber security procedure.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because URE had banners that provided appropriate notice even though they did not match exactly. URE mitigated the violation by updating the text on all of its banners.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2.6

Region: MRO

Issue: URE self-reported a violation of R2.6 because it did not timely submit a Technical Feasibility Exception (TFE) request stating that it was not technically feasible to display appropriate use banners on certain electronic access control devices used to authorize and log access to PSPs and ESPs.

Finding: MRO determined that the violation posed a minimal risk to BPS reliability because the devices at issue were protected by other measures, including door controllers, an intrusion protection system and multiple firewalls, and global and local passwords at electronic access points. URE mitigated the violation by submitting a TFE, which was accepted.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1

Region: TRE

Issue: TRE found while conducting an audit that URE had not identified two switches it had installed as access points to its ESP. Although URE had controls in place to block all incoming transmissions and the switches carried outgoing traffic only, the switches should still have been classified as ESP access points.

Finding: The issue was deemed to pose minimal risk to BPS reliability because the access point created by the switches’ installation was still protected by other security measures, including firewalls, intrusion protection systems, and antivirus software. URE was found to have misunderstood NERC’s definition of the term “access point.”

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2; R2.5.3

Region: MRO

Issue: MRO found while conducting a spot check that URE did not undertake quarterly reviews of user access rights for access point devices for six quarters in violation of the quarterly review requirement of the Standard. Only two employees have access to the access point devices.

Finding: MRO found the issue posed minimal risk to BPS reliability because only two individuals had access to the devices in question and those individuals have responsibility for other CIP assets, and quarterly reviews had been performed on those other assets. URE has security measures in place to signal it in the event of any unauthorized ESP access attempt and the access point devices had been reviewed during URE’s annual vulnerability assessment. No cyber events occurred during the reportable time period.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Region: WECC

Issue: URE submitted a self-report stating that it had no list of individuals with access to two token servers used for access control and monitoring of its ESP, and as such could not show that it complied with the sub-requirements of the other CIP Reliability Standards. CIP-005-1 R1.5 requires that all CAs used for access control and/or monitoring of the ESP have all the protective measures specified in Standard CIP-003-3; Standard CIP-004-3 Requirement R3; Standard CIP-005-3 Requirements R2 and R3; Standard CIP-006-3 Requirement R3; Standard CIP-007-3 Requirements R1 and R3 through R9; Standard CIP-008-3; and Standard CIP-009-3.

Finding: The issue was deemed to pose minimal risk to BPS reliability because even though the two token servers had not been afforded all the protection measures set forth in CIP-005-1 R1.5, the relevant devices had other acceptable security measures in place to assure their protection. In addition, the individuals having access to the devices had all received training and had up-to-date PRAs on file.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-005-1

Requirement: 2

Region: WECC

Issue: While conducting an audit of CIP compliance, WECC found that URE did not deny access by default at its individual substation ESP access points, as required by CIP-005-1 R2. WECC also found that URE did not restrict traffic through the substation ESP access points to only the ports and services required for the CAs within the ESP. However, URE provided WECC documentation showing that it does have appropriate access point controls for a larger ESP that encompasses the individual substation ESP access points.

Finding: The issue was deemed to pose minimal risk to BPS reliability because each substation had firewall protection in place and all traffic is controlled. URE has access control lists in place that deny access by default.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-005-1

Requirement: 2

Region: WECC

Issue: URE submitted a self-report stating that it had not ensured every access control device showed an appropriate use banner.

Finding: The issue was deemed to pose minimal risk to BPS reliability because all of URE’s CCAs inside its ESP showed an appropriate use banner upon access and were located in a PSP and an ESP and so CIP-005 and CIP-006 protections were in place. Also, the people having CCA access had all successfully completed CCA training and had up-to-date PRAs on file.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-005-1

Requirement: 2

Region: WECC

Issue: While conducting an on-site CIP compliance audit, WECC found three electronic access control devices that had no appropriate use banners posted upon interactive access attempts to the devices.

Finding: The issue was deemed to pose minimal risk to BPS reliability because URE employed other security measures for the devices, such as network segmentation within ESPs, and all CAs and CCAs are behind firewalls where access is restricted, logged and monitored. The devices in question are also password protected. In addition, all individuals having access to the relevant devices had completed cyber security training and had up-to-date PRAs on file.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-005-1

Requirement: 3.1

Region: RFC

Issue: URE submitted a self-report disclosing that it found one dial-up accessible CCA inside an ESP at one of its substations for which URE had no process in place to monitor access to the dial-up device.

Finding: The violation was deemed by RFC to pose minimal risk to BPS reliability because the employees who could access the device had all undergone training, been granted proper authorizations and had up-to-date PRAs on file. Also, URE had identification and password protections in place to prevent unauthorized access to the device. RFC found that even though URE was not monitoring access logs to this particular device, it did create an access log for the relevant access point as of the compliance date.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 2

Region: WECC

Issue: During a compliance audit, WECC found that URE was not displaying an appropriate use banner, as required, on access points to the ESP for interactive access prior to login. The appropriate use banner was only displayed after the user logged into the system, and not for all interactive access attempts as mandated.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since URE had enacted strict access controls on the CCAs. URE had also implemented active monitoring and automatic alert mechanisms and had separated the CCAs from external access with firewalls. In addition, URE did display the appropriate use banners on the majority of its electronic access devices.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 3

Region: FRCC

Issue: URE self-reported that it had not properly implemented procedures to detect and alert on unauthorized access to the ESP at one of its generation CAs. While URE had configured two access point devices to log traffic, it had not configured them to log all accepts.

Finding: FRCC found that the issue constituted only a minimal risk to BPS reliability since the access points were properly configured to log and alert on all denies and drops, which reduced the risk of unauthorized access. The access points also required strong two-factor authentication for all remote interactive access, and URE had deployed intrusion detection systems on all its perimeter devices and on internal network traffic.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 4

Region: RFC

Issue: During a compliance audit, RFC found that URE could not produce detailed evidence in support of its summary report of its cyber vulnerability assessment. A third-party vendor conducted the cyber vulnerability assessment for URE, but deleted the supporting records.

Finding: RFC found that the issue constituted only a minimal risk to BPS reliability since URE had actually conducted a cyber vulnerability assessment and provided a summary of the results.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1.5

Region: TRE

Issue: FFT Entity self-reported that two of its servers were located outside of an ESP (even though they were contained within a PSP), and it did not establish a patch management process for its other servers. In addition, one of FFT Entity's applications did not have an acceptable use banner in one instance and did not properly log user activity. Server access records were not being reviewed on an annual basis, as required, and FFT Entity had three shared accounts that did not properly identify and document individual users. In regards to another application, three shared accounts still had the default passwords that allowed access, with two of those accounts not having sufficiently complex passwords.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since there is limited remote access to the two servers, and the default account can only be accessed locally by authorized personnel. The relevant systems are physically and electronically segregated from FFT Entity's SCADA and Distributed Control systems. The systems also run anti-virus scans, and no viruses have been detected.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 3.2

Region: TRE

Issue: FFT Entity self-reported that it did not file a Technical Feasibility Exception (TFE) for a device under the CIP-005-1 Reliability Standard, even though it had filed a TFE under a different Reliability Standard.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since the relevant device was not a CCA or essential to the operation of any Cyber Asset. During the relevant time period, there was also no available method to gain access to the device, which was contained within a PSP and ESP. The device was also covered by the previously filed TFE.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1; 1.6

Region: SPP

Issue: SPP conducted a Compliance Audit of URE, during which it found that URE violated R1 and R1.6 of CIP-005-1. URE failed to comply with R1 in that its documentation of the Electronic Security Perimeter (ESP) did not describe five firewalls located outside the ESP whose management ports connected to a network segment inside the ESP. It also did not describe three host servers that controlled access between the GPS clocks and URE’s SCADA/energy management system (EMS) as Electronic Access Control Systems (EACS)/ESP access points. URE failed to comply with R1.6 because its lists of Critical Cyber Assets (CCAs), Protected Cyber Assets, Electronic Access Control and Monitoring Systems, and Physical Access Control Systems did not correctly describe the Active Directory servers, the firewall management console, and the firewall as EACS.

Finding: SPP found that the issue posed a minimal risk to the reliability of the bulk power system because, despite the failure to adequately describe the electronic access points to the ESPs and the CAs used for controlling and monitoring access on URE’s master lists, URE had the controls mandated by CIP-005-1 R1.5 in place before October 1, 2000. SPP thus determined that all Cyber Assets and CCAs were adequately protected as mandated by the CIP Standards and that the violation was a documentation issue that did not affect the actual protection of the ESPs, CCAs, or Cyber Assets used for controlling and monitoring access to URE’s access points.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2; 2.6

Region: RFC

Issue: URE self-reported a violation of R2 of CIP-005-1 to RFC when it found that 16 firewalls, Cyber Assets located inside an Electronic Security Perimeter, displayed the use banner after login rather than before login; URE did not provide a Technical Feasibility Exception (TFE) for this violation.

Finding: RFC found the issue to pose a minimal risk to the reliability of the bulk power system because displaying the use banner after login rather than before did not affect the operation of the firewalls. Furthermore, URE had for many years had other measures in place, as identified in the TFE, such as keeping all devices inside a controlled-access Physical Security Perimeter and security logging of unauthorized access attempts and of configuration changes. URE also operates a system that detects intrusions and monitors unusual traffic. Finally, banners are correctly displayed before login and, in secure shell sessions, are displayed again after login and must be acknowledged before the session can proceed.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 3

Region: SPP

Issue: SPP conducted a Compliance Audit of URE and found a violation of R3 of CIP-005-1 in that URE did not monitor or log security breach attempts at all its access points to the Electronic Security Perimeters (ESPs) 24 hours a day, seven days a week. URE was using a ConsoleWorks server to monitor and log access at the access points to its ESPs; the server monitored and automatically reviewed logs for Virtual Private Network (VPN) access and for access to the Cyber Assets inside the ESPs, and generated real-time alarms for failed logon attempts. However, URE did not manually review all logs during the periods when the ConsoleWorks server was down for maintenance.

Finding: SPP found that the issue posed a minimal risk to the reliability of the bulk power system because URE did use ConsoleWorks which monitored and logged access at its ESPs' access points twenty-four hours a day, seven days a week, only failing to do so during short periods when the ConsoleWorks server was down. Furthermore, access via electronic dial-up to ESPs and Cyber Assets is denied and access to firewalls was logged and monitored, and the Security Staff was notified when there were failed access attempts. SPP determined that URE had in place a comprehensive physical security system providing adequate protection to its Cyber Assets.
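The SPP finding above turns on a monitoring gap: automated log review and alarming ran on a single ConsoleWorks server, and nothing covered the windows in which that server was down. The Python below is an added example written for this page, not code from the filing or from the ConsoleWorks product; it shows the check a practitioner would run to make those windows visible. It assumes two inputs, both constructed here: a heartbeat log from the monitoring server and an access log exported from the access point itself (which keeps recording while the monitoring server is down). Heartbeats spaced further apart than the expected interval plus a tolerance mark a gap, and access events that fall inside a gap are the ones that were never reviewed automatically and therefore need manual review.

```python
from datetime import datetime, timedelta

# Constructed sample logs; timestamps, hostnames and message formats are invented
# for this example and do not reflect ConsoleWorks or any real device.
MONITOR_LOG = """\
2012-03-01T00:00:00 monitor heartbeat
2012-03-01T00:05:00 monitor heartbeat
2012-03-01T00:10:00 monitor heartbeat
2012-03-01T00:15:00 monitor heartbeat
2012-03-01T01:40:00 monitor heartbeat
2012-03-01T01:45:00 monitor heartbeat
"""

ACCESS_POINT_LOG = """\
2012-03-01T00:10:30 vpn login user=ops1 src=10.1.0.5 result=success
2012-03-01T01:20:00 vpn login user=admin src=192.0.2.77 result=failed
2012-03-01T01:20:05 vpn login user=admin src=192.0.2.77 result=failed
2012-03-01T01:43:10 vpn login user=ops2 src=10.1.0.6 result=success
"""


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Split 'ISO-timestamp message' lines into (datetime, message) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, message = line.partition(" ")
        events.append((datetime.fromisoformat(stamp), message))
    return events


def find_coverage_gaps(monitor_events, expected_interval=timedelta(minutes=5),
                       tolerance=timedelta(minutes=1)):
    """Return (start, end) windows where the monitoring server stopped heartbeating.

    Inside such a window no automatic log review or alarming took place, so R3
    monitoring was not continuous even though the access point kept its own logs.
    """
    beats = sorted(ts for ts, msg in monitor_events if msg == "monitor heartbeat")
    gaps = []
    for previous, current in zip(beats, beats[1:]):
        if current - previous > expected_interval + tolerance:
            gaps.append((previous, current))
    return gaps


def events_needing_manual_review(access_events, gaps):
    """Access-point events that fell inside a monitoring gap and were never auto-reviewed."""
    return [(ts, msg) for ts, msg in access_events
            if any(start < ts < end for start, end in gaps)]


def failed_attempts_unalarmed(access_events, gaps) -> int:
    """Count failed logons that happened while no alarm could have fired."""
    return sum(1 for _, msg in events_needing_manual_review(access_events, gaps)
               if "result=failed" in msg)


if __name__ == "__main__":
    gaps = find_coverage_gaps(parse_log(MONITOR_LOG))
    for start, end in gaps:
        print(f"monitoring gap {start} .. {end} ({end - start})")
    for ts, msg in events_needing_manual_review(parse_log(ACCESS_POINT_LOG), gaps):
        print(f"  manual review: {ts} {msg}")
```

With the constructed data the run reports one gap of 85 minutes and two failed administrator logons inside it, which is exactly the evidence an auditor would ask for: not merely that the monitoring server was down, but which access attempts went unreviewed while it was.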

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-005-1

Requirement: 2

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-005-1 R2 because the firewall of one of its agents was incorrectly configured to the "any-any" access rule and had not been set to deny access by default. The firewall that formed the ESP had been installed by the agent before the mandatory compliance date of the Standards and had not been reconfigured since that date to ensure it met the CIP-005-1 requirements.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. URE1's agent had a corporate firewall that had the correct access setting which would have to be crossed to reach the ESP firewall. Only trained and screened employees were granted access through the corporate firewall, and the corporate firewall is outside the ESP firewall.
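Three configuration defects recur across these entries: a permit any/any rule with no deny by default (the SERC entry in Docket No. RC13-6 above), access points not restricted to the ports and services required for the Cyber Assets inside the ESP (the WECC R2 entry in Docket No. RC12-13), and permit rules that log denies and drops but not accepts (the FRCC R3 entry in Docket No. RC12-16). The following Python audit is an added example written for this page; it is not code from NERC, FERC or any registered entity. The rule-table format, the sample rule sets, the addresses and the list of required services are all constructed for the example; a real check would first parse the vendor's own configuration export into this shape.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One entry of a first-match-wins access-point rule table (format constructed for this example)."""
    action: str        # "permit" or "deny"
    src: str           # source CIDR, or "any"
    dst: str           # destination CIDR, or "any"
    proto: str         # "tcp", "udp", "icmp", or "any"
    port: str          # destination port, or "any"
    log: bool = False  # whether a match on this rule is logged

    def matches_everything(self) -> bool:
        return (self.src, self.dst, self.proto, self.port) == (ANY, ANY, ANY, ANY)


def audit_access_point(rules: list[Rule], required_services: set[tuple[str, str]]) -> list[str]:
    """Return findings against CIP-005-1 R2.1 (deny by default), R2.2 (ports and
    services) and R3 (logging of access); an empty list means the table passes.

    required_services holds the (proto, port) pairs the entity has documented as
    needed for operations inside the ESP.
    """
    findings: list[str] = []
    if not rules:
        return ["R2.1: empty rule set; the device's implicit default decides what passes"]

    # R2.1: the table must end in an explicit deny-all so nothing is permitted by
    # default, and that terminal deny should itself be logged (R3) so denied
    # attempts leave a record.
    last = rules[-1]
    if not (last.action == "deny" and last.matches_everything()):
        findings.append("R2.1: rule set does not end with an explicit deny-all (no deny by default)")
    elif not last.log:
        findings.append("R3: terminal deny-all is not logged, so denied attempts leave no record")

    for idx, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        if rule.matches_everything():
            findings.append(f"R2.1: rule {idx} is permit any/any, which defeats deny by default")
        elif rule.proto == ANY or rule.port == ANY:
            findings.append(f"R2.2: rule {idx} permits every service from {rule.src} to {rule.dst}")
        elif (rule.proto, rule.port) not in required_services:
            findings.append(f"R2.2: rule {idx} permits {rule.proto}/{rule.port}, not a documented required service")
        # R3: accepts must be logged too, not only denies and drops.
        if not rule.log:
            findings.append(f"R3: rule {idx} permits traffic without logging accepts")
    return findings


# Constructed sample data; addresses and services are assumptions, not taken from any filing.
REQUIRED_SERVICES = {("tcp", "20000"), ("tcp", "22")}  # assumed: DNP3 from the control center, SSH from a jump host

# The "any-any" table described in the SERC entry: nothing denied by default, nothing logged.
WEAK_RULES = [
    Rule("permit", ANY, ANY, ANY, ANY, log=False),
]

# A table that restricts traffic to documented services, logs every accept, and denies by default.
HARDENED_RULES = [
    Rule("permit", "10.1.0.0/24", "10.2.0.10/32", "tcp", "20000", log=True),
    Rule("permit", "10.1.0.5/32", "10.2.0.0/24", "tcp", "22", log=True),
    Rule("deny", ANY, ANY, ANY, ANY, log=True),
]

if __name__ == "__main__":
    for name, table in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_access_point(table, REQUIRED_SERVICES)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  " + line)
```

The weak table produces three findings (no terminal deny, a permit any/any, and an unlogged permit) and the hardened one produces none. The check is deliberately written against the requirement language rather than any vendor syntax, so the same function can be fed rule tables converted from different firewall products.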

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-005-1

Requirement: 1/1.6

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE2 had not done the following: synchronized all ESP-related documentation, documented all Cyber Assets, clearly marked all electronic access points to the ESP, or categorized Cyber Assets as Critical Cyber Assets or access points.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated by the fact that it was documentation related. RFC confirmed that URE2 was protecting all of its Cyber Assets within an ESP and PSP.

Unidentified Registered Entity 3 (RFC_URE3), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-005-1

Requirement: 1; 1.4; 1.6

Region: RFC

Issue: RFC_URE3 self-reported an issue with CIP-005-1 R1 to RFC when it found that it had neither identified nor protected certain non-critical Cyber Assets (non-essential devices associated with plant monitoring, and printers or print servers) that were within the Electronic Security Perimeter (ESP). RFC_URE3 also found that it had not maintained documentation for certain Critical Cyber Assets (CCAs) and non-critical Cyber Assets (non-critical Cyber Assets and CCAs associated with plant monitoring, a GPS clock, and a printer).

Finding: RFC found that the issue posed a minimal risk to the reliability of the BPS because a firewall surrounding the non-critical Cyber Assets at issue denied general interactive access, and the entity’s parent company’s IT group monitored and alarmed on these firewalls for authorized and unauthorized access attempts. In addition, the non-critical Cyber Assets and CCAs at issue are located within generation plant Physical Security Perimeters (PSPs) that are accessible only by escorted individuals or by individuals with valid personnel risk assessments and prior CIP training. Furthermore, the entity provided the required protective measures to the non-critical Cyber Assets (with the exception of CIP-003 R6, CIP-004, CIP-006, and CIP-008). One of the issues was purely a documentation issue: during the period at issue, the entity provided the required protections to the CCAs and non-critical Cyber Assets that it had not documented on its ESP network diagrams, and the CCAs were given the protections described in its TFE requests, which addressed CIP-007 requirements.

Unidentified Registered Entity 4 (TRE_URE4), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: R1

Region: Texas RE

Issue: Texas RE, during a compliance audit, found that TRE_URE4’s documentation misidentified the access point to its Electronic Security Perimeter (ESP) in one case and did not label the access point in another. The systems TRE_URE4 identified were not at the ESP boundary; the actual access point was its firewall.

Finding: Texas RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. TRE_URE4 viewed the firewall controlling electronic access to the ESP as the de facto access point, even though it did not document it as an access point.

Unidentified Registered Entity 6 (TRE_URE6), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: R4.2, 4.3, 4.4

Region: Texas RE

Issue: TRE_URE6 reported that it could not access its cyber vulnerability assessment (CVA) diagnostic data because the data file was corrupted and not recoverable. TRE_URE6 attempted to recreate the conclusions of its CVA through internal requests for data. Although this process provided evidence that the CVA was done in accordance with CIP-005-1 R4.5, TRE_URE6 could not show that it had reviewed the ports and services required for operations, discovered all access points to the Electronic Security Perimeter (ESP), or reviewed the controls for default accounts, passwords, and network management community strings as required by R4.2, R4.3 and R4.4.

Finding: Texas RE found that this posed a minimal, but not a serious or substantial, risk to BPS reliability. TRE_URE6 did perform a CVA and improved security in multiple ways. It also showed that it took efforts to provide the missing evidence contained in the corrupted files.
