NERC FFT Reports: Reliability Standard CIP-006-1


Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R1

Region: MRO

Issue: FFT Entity self-reported that its physical security plan had not been approved by a senior manager or delegate as required.

Finding: MRO found that this issue constituted only a minimal risk to BPS reliability since it did not affect the development or implementation of the physical security plan.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R1

Region: WECC

Issue: FFT Entity self-certified that, in one instance, an escort inside its PSP left an individual alone inside the PSP for 30 seconds in order to retrieve a package.

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability since the relevant individual (a family member of the escort) was never far from the PSP escort (who is a long-term employee of FFT Entity in good standing). WECC also found that FFT Entity has a strong compliance culture.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R1.1

Region: MRO

Issue: During a spot check, MRO discovered that FFT Entity had not located all of its CAs in a defined ESP within a PSP as required. FFT Entity’s Physical Security Plan did not contain a six-wall border for the PSP as there was an opening in the ceiling connecting the control center and administration buildings (which had the potential for the access controls to be bypassed).

Finding: MRO found that this issue constituted only a minimal risk to BPS reliability since the relevant facility is protected by three levels of physical security (including video monitoring) and two levels of credential check points. Even if someone was able to bypass the PSP access controls, the CCAs were still protected by additional access controls.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-006-1

Requirement: R1 (2 violations)

Region: TRE

Issue: FFT Entity self-reported that, on two instances, it did not timely file Technical Feasibility Exception Reports for some of its card reader controllers since they did not use anti-virus software or other malicious software prevention tools.

Finding: TRE found that the issues constituted only a minimal risk to BPS reliability. Although the relevant card reader controllers did not have anti-virus software, they were located behind multiple layers of physical security protection (such as an outer layer of physical security, a CIP compliant card reader system, and a set of keyed locks).

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-006-1

Requirement: R1.8

Region: SPP

Issue: FFT Entity self-reported that it did not have PRAs for five of its technicians and one of its security contractors who had access to one of its servers (which is classified as a CA used to control and monitor access to FFT Entity’s PSPs).

Finding: SPP found that the issue constituted a minimal risk to BPS reliability. The relevant technicians were long-time employees who did not have any disciplinary actions taken against them and who had undergone the required cyber security training. In addition, FFT Entity considered the relevant contractor to be a trusted vendor who had already been vetted for employment. After the six missing PRAs were conducted, no problems were discovered.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R1, R1.1

Region: MRO

Issue: FFT Entity, as a Responsible Entity registered as a BA, GOP, GO, LSE, TOP and TO, did not have a completely enclosed PSP with a completely enclosed (“six-wall”) border as part of its physical security plan.

Finding: The issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the PSPs did have multiple layers of security and one of the PSPs is manned 24/7. Both facilities’ CAs have adequate electronic protective measures, and one PSP has at least ten security controls. Also, all paths have at least four security layers with at least three different security controls within those layers. At the other PSP, there are at least five security controls. Anyone attempting to gain access would have to go through at least four security layers before getting into the PSPs.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R1/1.1

Region: FRCC

Issue: FFT Entity failed to submit Technical Feasibility Exception (TFE) requests on time as required by the Standard. Three of FFT Entity’s PSPs were unable to comply with the perimeter requirements due to cost issues. FFT Entity submitted the three TFEs 113 days out of time. The TFEs reported that the PSPs have equal security measures.

Finding: FRCC found the late submission of the TFEs posed a minimal risk and not a serious or substantial risk to the reliability of the BPS. FFT Entity had acceptable security measures in place for the PSPs, including a mesh of bars to limit access, which is restricted, and the PSPs are guarded at all times. The PSPs have controlled access that includes locked doors and alarmed card readers. In addition, the CAs are locked in cabinets and access is restricted.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-006-1

Requirement: R4.3

Region: Texas RE

Issue: By self-report, FFT Entity disclosed two instances of an issue with CIP-006-1 R4.3. There was no procedure for manual logging controls for when personnel were given escorted access to PSPs.

Finding: In both instances, the issue did not present a significant risk, but posed a moderate risk to the bulk power system. In the first case, the employee who entered the transmission dispatch center’s PSP had completed a background check prior to the issue. In the second case, the IT contractor who entered the telecommunications room at the system operator building was escorted by an employee, had already completed both cyber security training and a background check, and had been given other authorized physical access at the same system operator’s building.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-006-1

Requirement: R1/1.1

Region: NPCC

Issue: NPCC found that FFT Entity did not have all of its CAs within an ESP that was also located within an identified PSP. A section of two network cables that is used to connect the CCA to the network switch was outside the PSP (as it ran through the ceiling of a conference room).

Finding: NPCC found that this issue constituted only a minimal risk to the BPS since the relevant network cables were not in a public area and were protected by numerous layers of physical security controls (such as fencing, card key access to the building, and exterior and interior camera monitoring). In addition, the building where the cables are housed is restricted to FFT Entity employees and escorted visitors. In addition, although the same conduct was an issue for an affiliate in a separate region, NPCC did not consider this to be an aggravating factor.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-006-1

Requirement: R1/1.1

Region: RFC

Issue: During a compliance audit, RFC found that FFT Entity did not keep all of its CCAs within an ESP that was contained in a PSP, as a section of two network cables used to connect the two CCAs to a network switch was outside of FFT Entity’s PSP.

Finding: RFC found that this issue constituted only a minimal risk to the BPS since the relevant network cables were not in a public area and were protected by numerous layers of physical security controls (such as fencing, card key access to the building, and exterior and interior camera monitoring). In addition, the building where the cables are housed is restricted to FFT Entity employees and escorted visitors. In addition, although the same conduct was an issue for an affiliate in a separate region, RFC did not consider this to be an aggravating factor.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-006-1

Requirement: R1; R1.8

Region: NPCC

Issue: In the course of a joint compliance audit with another region, NPCC determined that FFT Entity violated CIP-006-1 R1.8 because FFT Entity, in violation of CIP-007-1 R8, completed its first formal cyber vulnerability assessment eleven months after the required compliance date. In turn, this is a violation of CIP-006-1 R1.8 because the Standard requires that CAs used in the access control and monitoring of the PSP be afforded the protections required by various CIP Standards, including a vulnerability assessment as required by CIP-007-1 R8. The other region found that an affiliate of FFT Entity also violated the same Standard, but NPCC did not view the separate violation as an aggravating factor because both issues arose from the same conduct.

Finding: This issue posed only a minimal risk to the reliability of the BPS because while FFT Entity did not complete the cyber vulnerability assessment by the required compliance date, it did demonstrate that elements of the vulnerability assessment were exercised and documented. Further, FFT Entity was not found to be out of compliance with other requirements of CIP-006-1 R1.8.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-006-1

Requirement: R1/1.8

Region: RFC

Issue: During a compliance audit, RFC found that FFT Entity did not timely complete its formal cyber vulnerability assessment. FFT Entity was 11 months late in completing its assessment.

Finding: RFC found that this issue constituted only a minimal risk to the BPS since FFT Entity was actually documenting and enacting elements of the vulnerability assessment before the assessment was due. In addition, although the same conduct was an issue for an affiliate in a separate region, RFC did not consider this to be an aggravating factor.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-006-1

Requirement: R1/1.1

Region: FRCC

Issue: URE self-reported that it had not maintained a “six-wall” perimeter for five PSPs and had not submitted Technical Feasibility Exception Reports as required. A review found that the access points in question were generally blocked and not easily accessible. URE was told that any opening larger than 96 square inches is considered an access point.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability because all of the openings were obstructed by carpets, furniture or plant equipment, making access difficult.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-006-1

Requirement: R1; R1.1

Region: NPCC

Issue: During a CIP Compliance Audit, NPCC determined URE violated R1.1 because the “six-wall” border protecting its ESP and PSP was compromised by an area of the floor that was raised approximately eighteen inches.

Finding: NPCC determined that the violation posed a minimal risk to BPS reliability because several measures were in place that would reduce the ability for anyone to access the secure area through the eighteen inch gap. The perimeter of the secure area and the building housing the secure area are both protected by security-badge controls, and the entry to the facility is guarded. The access points to the secure area are also monitored by video surveillance. URE mitigated the violation by installing barriers in the raised floor thereby eliminating the gap.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-006-1

Requirement: R2

Region: RFC

Issue: URE self-reported that it failed to ensure certain CAs used to authorize or log access to the PSP received all applicable cyber security patches, which meant they were not afforded the protections of CIP-007-1 R3 and CIP-003-1 R6, as required by CIP-006-1 R2.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because the CAs at issue were properly patched six months prior to the self-report and had received some additional patches through a vendor, URE has an established change management program, and the CAs are protected by URE’s security system. URE mitigated the issue by documenting the implementation of identified patches and improving its patch management process.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-006-1

Requirement: R1; R1.1

Region: RFC

Issue: URE submitted a self-report disclosing that it had not enclosed two sections of cable outside of a PSP in conduit, as required.

Finding: RFC found the violation to pose minimal risk to BPS reliability because the two sections of cable are housed in the generating facility protected by perimeter fencing, surveillance cameras, and security guards. Only authorized individuals have access to the generating facility where the cables are found. The location of the cables in the ceiling reduced access. In addition, many other cables considered non-critical run alongside the relevant cables and are exactly the same kind and color as the critical cables, leaving the subject cables hard to identify.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-006-1

Requirement: 1/1.1, 3/3.1, 4/4.1

Region: MRO

Issue: While conducting a spot check, MRO found the following: (R1) URE did not set up the required six-wall boundary for one of its server cabinets located in a supervisory control and data acquisition room. The server is in a defined PSP and requires isolation for security reasons; however, this particular server cabinet had no bottom and was not secured. (R2) URE is required to have recorded technical and procedural controls in place for all access points to the PSP on a 24/7 basis. A security cabinet used for securing URE’s physical access control system had two panels accessible by key, but neither point was monitored (R3) or logged (R4).

Finding: The issues were deemed to pose minimal risk to BPS operations because the server cabinet was housed in a PSP and only needed to be bolted down. In addition, the PSP access points were sealed access doors to equipment cabinets inside a secured perimeter, and access was limited to only those individuals having proper credentials. The key to open the access doors was destroyed by URE when the doors were initially installed.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-1

Requirement: 1/1.1

Region: FRCC

Issue: URE self-reported that there were gaps in the existing six-wall borders at the PSP at its primary energy control center and at the PSP at one of its generation plants. The PSP gap at the energy control center was behind the reception area in the visitors' lobby, which is staffed by a receptionist (or locked outside of normal business hours) and monitored by a video camera. The PSP gap at the generation plant was obstructed by insulation and other construction material.

Finding: FRCC found that the issue constituted only a minimal risk to BPS reliability since there was restricted access to both facilities and no easy way to access the openings. In addition, the gaps in the PSPs were not visible or identifiable, and the facilities had implemented monitoring and security controls for outside access to the facility.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-1

Requirement: 1.2, 2, 3, 4

Region: NPCC

Issue: URE self-reported that two emergency exit-only doors on its PSP were not identified as physical access points, as required. In addition, the access control alarms for the two emergency exit-only doors were not properly configured to trigger upon opening and provide an alarm to the access control intrusion detection system for resolution and the unique determination of the emergency exit-only door usage to the centralized security operations center (1.2/3). Thus, URE was unable, for approximately 21 months, to implement and document the technical and procedural mechanisms for logging physical entry at these two emergency exit-only doors (4). URE was also not documenting and implementing the technical and procedural controls to continuously manage physical access at these two access points (2).

Finding: NPCC found that the issues constituted only a minimal risk to BPS reliability. URE's PSP is continuously manned by authorized personnel, and the emergency exit-only doors can only be opened from the outside with a special tool. The site is also regulated by the Maritime Transportation Security Act of 2002, which imposes strict physical security measures. In addition, URE provides annual and quarterly training for its site personnel on the recognition and reporting of suspicious activity.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-006-1

Requirement: 6/6.1

Region: MRO

Issue: During a compliance audit, MRO determined that URE had not tested, on at least a three-year cycle, 46% of its physical security mechanisms. While URE had conducted comprehensive testing of its access and monitoring controls in 2010, it had not performed any testing prior to 2010.

Finding: MRO found that the issue constituted only a minimal risk to BPS reliability. The access points that were not tested until 2010 were located in the dispatch room, which is continuously staffed. According to the physical access control system logs, there were no problems with the access points before 2010. In addition, from 2010-2012, URE tested all of its access points at least annually.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-006-1

Requirement: 1

Region: SPP

Issue: During a compliance audit, SPP determined that one of FFT Entity's employees did not follow the procedures in the Physical Security Plan, as required, in granting himself physical access to a PSP and the backup control center. The relevant PSP was recently part of one PSP that had split into two PSPs. While the employee did not have authorization to access the re-designated PSP, he previously had access (before the split) to the one PSP.

Finding: SPP found that the issue only constituted a minimal risk to BPS reliability since the relevant employee had authorized access to the one PSP prior to the re-designation. In addition, the employee, who had received the required training and had a PRA on file, was only in the control room for two minutes in order to test the security door contact.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-006-1

Requirement: 1.8

Region: TRE

Issue: As a result of an annual cyber vulnerability assessment, FFT Entity self-reported that its system did not have all of the protective measures required by the Reliability Standard.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since FFT Entity's badging servers are separate from its SCADA and Distributed Control systems. In addition, the devices were located within a PSP, which is subject to continuous monitoring and with access limited to only authorized personnel. No intrusion or critical activity occurred.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-006-1

Requirement: 3

Region: SPP

Issue: During a compliance audit, SPP discovered a remediated issue as FFT Entity had not enacted the required technical controls for monitoring physical access at an access point between a control room PSP and a computer room PSP.

Finding: SPP found that the issue only constituted a minimal risk to BPS reliability since the relevant access point was safeguarded by a keyed lock which protected the control room from entry via the computer room. FFT Entity had also installed additional security measures (such as security guards, a barbed-wire fence, a magnetically locked access door and two steel doors that were alarmed) to protect the access point to the building that contained the two relevant PSPs.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-006-1

Requirement: 1

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-006-1. URE1 found that every employee using a physical access control (PAC) system that monitors and controls physical access to PSPs and other secure areas not designated under the CIP Standards did not have a valid PRA on file. Initially, URE1 did not believe that employees and contractors managing non-CIP secure areas were required to have PRAs. Once URE1 became more familiar with the CIP requirements regarding PAC systems, it realized certain employees were, in fact, required to have a PRA.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The PAC system was designed to keep non-CIP users from accessing the CIP designated PSPs, and the PAC system is not directly tied to the EMS.

Unidentified Registered Entity 1 (SPP_URE1), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-006-1

Requirement: R3

Region: SPP RE

Issue: SPP RE determined, during a CIP Audit, that SPP_URE1 lacked the required documentation of its technical and procedural controls put in place to monitor physical access at all of its Physical Security Perimeters (PSPs) access points.

Finding: SPP RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. Even though it did not keep the required documentation, URE1 adequately monitored physical access to its PSPs, through door alarms on forced and held door-related events, on door controller panel boxes that alerted whenever doors were opened, and through an access control system alarm that alerted unauthorized badge access.

Unidentified Registered Entity 2 (FRCC_URE2), Docket No. RC13-9 (May 30, 2013)

Reliability Standard: CIP-006-1

Requirement: 1; 1.1

Region: FRCC

Issue: Further to a Spot Check, FRCC determined that FRCC_URE2 had an issue with CIP-003-3 R2.2 because FRCC_URE2 had not ensured that all of its Cyber Assets were located within an identified Physical Security Perimeter (PSP). In particular, the ethernet wiring was not within a PSP, and physical access controls were not in place.

Finding: FRCC determined that the issue posed a minimal risk to the reliability of the BPS because the cabling was exposed for only a short length when it exited the buildings housing the PSPs and the buildings themselves were within a secured facility with physical access controls.

Unidentified Registered Entity 4 (WECC_URE4), Docket No. RC13-9-000 (December 31, 2013)

Reliability Standard: CIP-006-1

Requirement: 1; 1.8

Region: WECC

Issue: WECC_URE4 self-reported, following a WECC Compliance Audit, that it failed to afford its Cyber Assets required protective measures. This included (1) failure to change shared accounts following personnel changes and (2) failure to have sufficiently complex and long passwords for Physical Access Control Systems (PACS).

Finding: WECC found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. Once personnel changes occurred, logical and physical access to workstations and PSP were revoked. Passwords are managed by URE4’s Active Directory server, though it did not enforce sufficient complexity.

Unidentified Registered Entity 5 (TRE_URE5), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-006-1

Requirement: R1

Region: Texas RE

Issue: Texas RE, following a compliance audit, determined that TRE_URE5 failed to obtain approval by its designated senior manager or delegate(s) for its physical security plan Version 2. The issue was not resolved for about one year and eight months.

Finding: Texas RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. The physical security plan had been reviewed by the delegated personnel annually but, due to a misinterpretation of the signature block, there was no indication that the plan had been approved or reviewed.