NERC FFT Reports: Reliability Standard CIP-007-1

Alert

65 min read

 

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2, R3

Region: SPP

Issue: FFT Entity self-reported that the configurations for the network devices responsible for CCAs communications had certain devices enabled that should have been disabled as they were not used for a necessary service (R2). FFT Entity also self-reported that it did not possess a properly documented procedure for network patch management for third-party applications installed on the CCAs (R3).

Finding: SPP found that these issues constituted only a minimal risk to BPS reliability. Regarding R2, the unnecessary ports and services were open only on routers (as opposed to CCAs within the ESP) and event logs did not list the relevant services as being activated. Regarding R3, this was a documentation issue as FFT Entity was conducting the patch management and updates.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: NPCC

Issue: Following a self-report, NPCC determined FFT Entity failed to follow administrative processes related to the submission of formal Technical Feasibility Exception (TFE) requests and as a result submitted fifteen late TFE requests.

Finding: NPCC found that this issue constituted only a minimal risk to bulk power system reliability because the compensating measures were in place prior to the date the TFEs should have been filed.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5

Region: WECC

Issue: During a spot check, WECC discovered that FFT Entity had not changed the shared passwords for the EMS administrative account within seven days, as required, following personnel changes of two employees who no longer needed access to the account.

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability. FFT Entity revoked physical access to the facilities containing the EMS within one day of the personnel changes (and the relevant employees did not have remote cyber access rights). In addition, FFT Entity was continuously monitoring the logs and alerts, had physical controls in place, and performed personnel risk assessments and CIP training for its relevant personnel.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5.3

Region: SPP

Issue: FFT Entity self-reported that one of the passwords on its legacy SCADA system (which is classified as a CCA) did not satisfy all of the password requirements.

Finding: SPP found that this issue constituted only a minimal risk to BPS reliability since the user access passwords for the legacy SCADA system all satisfied the password requirements. In addition, FFT Entity employed an outside security service to monitor any unauthorized access attempts at the SCADA system.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R5.1.1

Region: MRO

Issue: FFT Entity self-reported that one of its employees created a cyber access account (with access to critical facilities for 59 days) without receiving the required documented approval and authorization.

Finding: MRO found that the issue constituted a minimal risk to BPS reliability since the relevant employee (who had received a PRA and training) was authorized to have access and had received verbal approval. The access remained configured in the servers.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R5 (2 violations), R4 (2 violations)

Region: TRE

Issue: FFT Entity self-reported that it did not timely file Technical Feasibility Exception (TFE) Reports for its card reader controllers since the card reader controllers were not able to enforce password requirements (R5). FFT Entity also self-reported, on two instances, that it did not timely file TFE Reports for its card reader controllers since they did not use anti-virus software or other malicious software prevention tools (R4).

Finding: TRE found that the issues constituted only a minimal risk to BPS reliability. In terms of the R5 issue, the relevant card reader controllers are not equipped to allow users to log into the devices and to grant system access (and the whole point of passwords is to prevent unauthorized system access). In terms of the R4 issues, the relevant card reader controllers do not have any operating systems installed and therefore anti-virus software cannot be loaded and viruses cannot infect the devices.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R5, R4, R3

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit 9 Technical Feasibility Exception (TFE) Reports in compliance with CIP-007-1 R5. FFT Entity also self-reported that it did not timely submit 3 TFE Reports in compliance with CIP-007-1 R4 and 3 TFE Reports in compliance with CIP-007-1 R3.

Finding: RFC found that the issues constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including numerous firewalls and other security controls (such as password requirements). FFT Entity also monitors system log files for unusual user activity, conducts background checks on users, performs vulnerability scans on the networks, monitors network traffic, and uses a network protocol for secure remote login. Users are also prevented from directly installing software on the system. The relevant systems were located within a PSP and ESP.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R5, R4, R3

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit 11 Technical Feasibility Exception (TFE) Reports in compliance with CIP-007-1 R5, 3 TFE Reports in compliance with CIP-007-1 R4, and 2 TFE Reports in compliance with CIP-007-1 R3.

Finding: RFC found that the issue constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including numerous firewalls and other security controls (such as password requirements). FFT Entity also monitors system log files for unusual user activity, conducts background checks on users, conducts vulnerability scans, monitors network traffic, and uses a network protocol for secure remote login. In addition, security measures function to prevent the system from connecting to the Internet and from having users directly install software on the system. The relevant systems are also located with a PSP and ESP.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R5, R4, R3

Region: RFC

Issue: FFT Entity self-reported that it did not timely submit 18 Technical Feasibility Exception (TFE) Reports in compliance with CIP-007-1 R5. FFT Entity also self-reported that it did not timely submit 4 TFE Reports in compliance with CIP-007-1 R4 and 1 TFE Report in compliance with CIP-007-1 R3.

Finding: RFC found that the issues constituted a minimal risk to BPS reliability. FFT Entity had compensating measures in place to protect the security of its system, including numerous firewalls and other security controls (such as password requirements). FFT Entity also monitors system log files for unusual user activity, conducts background checks on users, performs vulnerability scans on the networks, monitors network traffic, and uses a network protocol for secure remote login. Users are also prevented from directly installing software on the system. The relevant systems were located within a PSP and ESP.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-007-1

Requirement: R6, R5

Region: MRO

Issue: FFT Entity self-reported that it did not review for two months the security logs from its transmission management system (TMS) as required (R6). FFT Entity also self-reported that it did not possess an audit trail of shared account use for the TMS accounts and the substation network accounts (R5).

Finding: MRO found that the issues constituted a minimal risk to BPS reliability. In terms of R6, FFT Entity was continuously monitoring all of its CAs within the ESP for security events and alerts would be triggered if a security event was detected. In addition, a review of the relevant security logs showed no issues. In terms of R5, the personnel who had access to the shared accounts had all been granted authorization and had received training and PRAs. In addition, no incidents occurred during the relevant time period.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: NPCC

Issue: FFT Entity self-reported non-compliance with CIP-007-1 R4 because it did not submit Technical Feasibility Exception (TFE) requests on time as required by NERC procedures. There were 15 late TFE requests of which 14 were filed 45 days late. Each TFE was allowed by NPCC four days later.

Finding: NPCC found the issue posed minimal risk and did not pose a serious or substantial risk to the reliability of the BPS. FFT Entity’s system has intrusion prevention sensors at the network and host level, hardened operating systems, strong account management, logging for system configuration changes, and periodic vulnerability scans which are run on the relevant devices and which were in place long before the past due date for TFE request submittals to NPCC.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2/2.3

Region: FRCC

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with NERC procedures. FFT Entity installed certain equipment on which it could not comply with requirements related to R2 and ports and services on devices. The TFEs were submitted 220 days after the safe harbor date.

Finding: FRCC found the issue posed a minimal and not serious or substantial risk to the reliability of the BPS, because this issue was caused by untimely submittals of the TFEs and comparable security controls protected the equipment. Further, FFT Entity’s network is protected by a firewall in its ESP and FFT Entity uses intrusion detection systems to protect its network.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2/2.3

Region: FRCC

Issue: FFT Entity failed to provide Technical Feasibility Exception (TFE) requests in accordance with NERC procedures. FFT Entity uses two micro controllers that have comparable security measures as those required by the Standard but on which it is technically infeasible to disable unused ports and services as required by the Standard. The TFEs were submitted 188 days after the safe harbor date.

Finding: FRCC determined that submitting the TFEs late posed a minimal and not serious or substantial risk to the reliability of the BPS because comparable security measures were in place at the time of implementation of these Cyber Assets. Also, FFT Entity did use technical controls to safeguard the system. For example, controls such as network/VLAN separation and only allowing the required communication through the network were in place, and the network is protected by the firewall in a designated ESP. And, FFT Entity does use security systems that protect again intrusions and signal any malware signatures.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2/2.3

Region: MRO

Issue: FFT Entity did not submit a Technical Feasibility Exception (TFE) request on time as required by the Standard. Several of FFT Entity’s CAs are unable to allow for disabling unused ports and services. Plus, because of the age of the system, it is not vendor-supported. The TFE request was provided two months late.

Finding: Comparable security measures are in place to protect the Critical Assets such as location of the CAs in a PSP. Further, the CAs are separated from the business network, SCADA system and the internet. Plus, the CAs are located in the data center and are secured through strong password use. Therefore, MRO found the late reports only posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2/2.3, R4

Region: MRO

Issue: FFT Entity did not submit on time (three months late) a Technical Feasibility Exception (TFE) request as required by the Standard. Two application servers used by the system are not able to disable unused ports and services. FFT Entity reports that doing so is not feasible and would create operational risk to the Energy Management System (EMS). FFT Entity has been working with an EMS vendor to create a list of all ports and services for the relevant CAs, but that list has not yet been made available (R2). Regarding R4, FFT Entity submitted a TFE approximately eight months late reporting that certain devices are LAN controllers for the access control system but are unable to support or use anti-virus or malware prevention tools. FFT Entity did have verification provided by the vendor that the subject equipment could not deploy anti-virus or malware prevention tools.

Finding: MRO found that late submissions of the TFEs posed a minimal risk to BPS reliability. MRO noted that the during the last EMS upgrade in 2008, the vendor only enabled ports and services needed for normal and security operations and the vendor undertook steps to ensure EMS security. Regarding the R4 issue, MRO found that the LAN controllers also had adequate security measures in place including, among others, the location of the LAN controllers in a PSP, restricted access to the LAN controllers, and all connections to the LAN are logged in real-time.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R2/2.3, R5/5.3

Region: MRO

Issue: FFT Entity did not submit Technical Feasibility Exception (TFE) requests on time as required by the Standard. Several of FFT Entity’s substation meters and card reader access controls have unused ports and services which cannot be disabled (R2). Also, a legacy Inter-Control Center Protocol (ICCP) application server’s software has embedded user accounts and passwords in the software that are unchangeable because the vendor no longer supports the system (R5). The TFEs were provided one year late.

Finding: MRO approved the late submitted TFEs and determined that the issues posed a minimal and not a serious or substantial risk to BPS reliability. MRO found FFT Entity had comparable measures in place that satisfied the intent of the Standard.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R3, R4

Region: MRO

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with NERC procedures. FFT Entity has certain computer equipment that is unable to support installing security patches or updates (R3) or using or running anti-virus or malware prevention tools (R4). The TFE submittals were two and seven months late (R3) and four and nine months late (R4).

Finding: MRO found the issue constituted a minimal risk to BPS reliability because the issue is administrative and was caused by untimely submittals of the TFEs and comparable security controls protected the equipment. Further, FFT Entity’s network is located in an ESP and PSP, and the devices at issue are secured by limited and monitored access.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: FRCC

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with NERC procedures. FFT Entity installed certain equipment on which it could not install anti-malware, but protected the equipment with authenticity controls. The TFE submittals were 65 and 306 days after the safe harbor date.

Finding: FRCC found the issue posed a minimal and not serious or substantial risk to the reliability of the BPS, because this issue was caused by untimely submittals of the TFEs and comparable security controls protected the equipment. Further, FFT Entity’s network is protected by a firewall in its ESP.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: FRCC

Issue: FFT Entity failed to submit Technical Feasibility Exception (TFE) requests on time (274 days late) as required by the Standard. Three of FFT Entity’s physical access control system microcontrollers did not have anti-malware installed because none is available.

Finding: FRCC found that late submission of the TFE posed a minimal and not serious or substantial risk to the reliability of the BPS because comparable security measures were in place at the time of implementation of the Cyber Assets. Also, FFT Entity did use technical controls to safeguard the system. For example, controls such as network separation and only allowing the required communication through the network were in place, and the network is protected by the firewall in a designated ESP.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: MRO

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) request in a timely manner and in accordance with NERC procedures. FFT Entity uses anti-virus software on its non-Energy Management System (EMS) equipment housed in an ESP, but anti-virus protection was not installed on any communication front end device since the EMS vendor had no approved anti-virus product for the software being used on the system. The SCADA communication device would not allow virus scans to run while performing the real-time SCADA function. The TFE submittal was approximately ten months late.

Finding: MRO found the issue constituted a minimal risk to BPS reliability because the issue is administrative and was caused by untimely submittals of a TFE and during the relevant period, FFT Entity did not allow direct internet connections or email accounts on the EMS, plus on all EMS equipment, the autorun and autoplay tools were not operational.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: MRO

Issue: FFT Entity self-reported it did not submit a Technical Feasibility Exception (TFE) request in a timely manner and in accordance with NERC procedures. FFT Entity uses anti-virus software on its non-Energy Management System (EMS) equipment housed in an ESP, but anti-virus protection was not installed on any communication front end device since the EMS vendor had no approved anti-virus product for the software being used on the system. The SCADA communication device would not allow virus scans to run while performing the real-time SCADA function. The TFE submittal was approximately ten months late.

Finding: MRO found the issue constituted a minimal risk to BPS reliability because the issue is administrative and was caused by untimely submittals of the TFE and during the relevant period, FFT Entity did not allow direct internet connections or email accounts on the EMS, plus on all EMS equipment, the autorun and autoplay tools were not operational.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4

Region: MRO

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with NERC procedures. The TFE request involves CAs unable to run anti-virus software or services. The specific equipment are network switches, fiber channel switches, data storage components, network security appliances and firewalls, terminal servers that provide serial-to-ethernet conversion, protocol converters, splitter panels used for sharing modem connections between front-end processors (FEPs), and a printer. Vendor documentation provided by FFT Entity shows that the devices do not use or run anti-virus software or other malware prevention tools. The TFE submittal was approximately four months late.

Finding: MRO found the issue constituted a minimal risk to BPS reliability because the issue is administrative and was caused by untimely submittals of a TFE request. MRO found the CAs involved have acceptable security protections.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4, R4.1, R4.2

Region: NCEA (NERC Compliance Enforcement Authority)

Issue: FFT Entity self-reported that its products – printers - are unable to install software tools to prevent anti-virus or malicious software.

Finding: NCEA found that the issue constituted an unsubstantial risk to BPS reliability. All files, including software updates, are already scanned for anti-virus and anti-malware on other systems before even entering the ESP (Electronic Security Perimeter). Furthermore, when possible, FFT Entity compares software updates to the manufacturer’s (hash) files in order to verify them.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4, R5/5.3

Region: MRO

Issue: FFT Entity did not submit Technical Feasibility Exception (TFE) requests on time as required by the Standard. Certain CAs that are network firewalls cannot support use or running of anti-virus or malware prevention tools; however, the manufacturer guarantees that the devices are not susceptible to malware or viruses. The TFE also included network routers, switches and telecommunications devices that also cannot support the use or running of anti-virus or malware prevention tools (R4). Those TFEs were submitted four months and fourteen months late. Regarding R5, certain network servers that run databases are connected with FFT Entity’s transmission management system (TMS) application and some of the administrative accounts used by the TMS application for accessing the database cannot be changed without impacting the application’s function (R5). That TFE was submitted approximately ten months late.

Finding: MRO determined that the issues posed a minimal and not a serious or substantial risk to BPS reliability. MRO found FFT Entity had comparable measures in place that satisfied the intent of the Standard such as protected access and login access control; protection by either a PSP with cyber lock control to purposely reduce and control log access to the CAs or an ESP with acceptable user ID and password controls; restricted access by “need to know” personnel; anti-virus and malware prevention tools being used on other CAs in the ESP when possible, among other measures.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R4, R6

Region: MRO

Issue: FFT Entity did not submit Technical Feasibility Exception (TFE) requests on time as required by the Standard. Several of FFT Entity’s physical access control systems cannot support anti-virus or malware prevention software (R4). As to R6, several of FFT Entity’s devices could not support automatic monitoring of cyber security events on the system. Plus, because of the age of the system, it is not vendor-supported so trying to install such software would adversely affect system operation. The TFE request was provided two months late.

Finding: Comparable security measures are in place to protect the Critical Assets such as location of the CAs in a PSP. Further, the CAs are separated from the business network, SCADA system and the internet. Plus, the CAs are located in the data center and are secured through strong password use. Lastly, any devices used for maintaining the system are scanned for viruses and malware prior to connecting to the CAs, and logs and system events are review annually. Therefore, MRO found the late reports only posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5/5.3

Region: FRCC

Issue: FFT Entity self-reported that it did not provide Technical Feasibility Exception (TFE) requests for ten firewalls in a timely fashion (397 days after installation) and in accordance with NERC procedures. The particular firewalls are unable to use password complexity required by the Standards. Although the firewalls do have acceptable passwords, they have no technical ability to enforce it.

Finding: FRCC determined the submission of the TFEs late posed a minimal risk and not a serious or substantial risk to the reliability of the BPS because even though the TFE request was submitted late, the firewalls are not on a public network and separate the general business traffic from the control center network. And the security detection system monitors all network traffic to the devices and the passwords that are used have technical complexity.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5/5.3.2

Region: FRCC

Issue: FFT Entity self-reported it did not submit on time (188 days late) Technical Feasibility Exception (TFE) requests for 20 operating systems where it was not technically feasible to use a mix of alpha, numeric and "special" characters for passwords. However, the systems did use comparable security protections, but the TFEs were not provided before the safe harbor date for 20 of these systems.

Finding: FRCC determined that late submissions of the TFEs posed a minimal and not serious or substantial risk to the reliability of the BPS and that adequate security measures were in place at the time of implementation of these Cyber Assets. In addition, FFT Entity utilized other security controls such as network separation and manual controls set up to increase user knowledge on password requirements for network protection, and its network is protected by the firewall in a designated ESP. FFT Entity also implemented manual controls designed to increase user awareness for password compliance requirements, and had in place a password review schedule. And, in instances where passwords could not meet the CIP requirements for difficulty and length, the passwords were required to be as complex and long as possible.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5/5.3/5.3.2

Region: FRCC

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with NERC procedures. FFT Entity installed certain equipment on which it could not comply with password requirements related to R5.3 and R5.3.2. The TFEs were submitted 37 to 306 days after the safe harbor date.

Finding: FRCC found the issue posed a minimal and not serious or substantial risk to the reliability of the BPS, because this issue was caused by untimely submittals of the TFEs and comparable password controls protected the equipment. Further, FFT Entity’s network is protected by a firewall in its ESP.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R5.3

Region: NCEA (NERC Compliance Enforcement Authority)

Issue: FFT Entity self-reported that, contrary to NERC standard requirements, a set of its products – printers - lack the function of Administrator account password controls.

Finding: This issue posed little risk to BPS reliability since access to these printers can only be obtained via a strictly controlled administrative network.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R6/6.3

Region: FRCC

Issue: FFT Entity failed to submit by the safe harbor date a Technical Feasibility Exception (TFE) request regarding a CPS clock source unable to meet the CIP-007-1 R6 security requirements due to technical limitations. FFT Entity reported that it has comparable security procedures in place but the TFE was submitted 113 days late.

Finding: FRCC found that late submission of the TFE posed a minimal and not serious or substantial risk to the reliability of the BPS because comparable security measures were in place at the time of implementation of the Cyber Assets. Also, FFT Entity did use technical controls to safeguard the system. For example, controls such as network/VLAN separation and only allowing the required communication through the network were in place, and the network is protected by the firewall in a designated ESP.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-007-1

Requirement: R6/6.3

Region: FRCC

Issue: FFT Entity self-reported it did not submit Technical Feasibility Exception (TFE) requests in a timely manner and in accordance with the requirements of CIP-007-1. FFT Entity installed certain equipment on which it was not technically possible to meet the requirements of the Reliability Standard. The TFEs were submitted 408 days after the safe harbor date.

Finding: FRCC found the issue posed a minimal and not serious or substantial risk to the reliability of the BPS, because this issue was caused by untimely submittals of the TFEs and comparable security controls protected the equipment. Further, FFT Entity’s network is protected by a firewall in its ESP and FFT Entity uses intrusion detection systems to protect its network.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-1

Requirement: R1

Region: MRO

Issue: FFT Entity self-reported a violation of CIP-007-1 R1 because it did not report test results showing whether initial testing of new CAs within the ESP adversely affected existing cyber security controls. More specifically, FFT Entity did not formally verify initial testing of the security configuration of the relay access devices, identified as CCAs, at the substations to ensure no adverse effects to existing security controls.

Finding: The issue posed only a minimal risk to BPS reliability because, at the time of their installation, the devices were commissioned with the same controls as other CCAs and field-tested to confirm their standard configuration.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-1

Requirement: R1

Region: NCEA

Issue: NCEA determined that FFT Entity violated CIP-007-1 R1 because it failed to include in its methodology or assessment the CIP assets of other third-party entities that were performing tasks on its behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance. Specifically, one third-party entity did not provide sufficient documentation proving the requirements listed in the Standard were met.

Finding: This issue posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entity was preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to reliability of the BPS as a result of this issue.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-1

Requirement: R4

Region: WECC

Issue: WECC determined FFT Entity violated CIP-007-1 R4 because its control system did not meet the requirements of the Standard. FFT Entity submitted a Technical Feasibility Exception (TFE) asserting that the installation of anti-virus software caused the device to fail. Upon further investigation, FFT Entity amended its explanation to say that the anti-virus exacerbated a pre-existing memory leak that led to the failure. FFT Entity has since uninstalled the software.

Finding: The issue posed only a minimal risk to the reliability of the BPS because WECC accepted FFT Entity’s TFE assertion that it is technically infeasible for the entity to comply with the Standard. WECC also accepted the TFE because FFT Entity timely implemented two measures to mitigate risk. First, the device at issue is on a local area network configured to remove software that could make the server vulnerable to a virus. Second, the device is within both the PSP and ESP.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-007-1

Requirement: R6

Region: WECC

Issue: WECC determined FFT Entity violated CIP-007-1 R6 because the security measures for its peripheral devices did not comply with the Standard. FFT Entity submitted a late Technical Feasibility Exception (TFE) arguing that these devices are incapable of employing security access monitoring.

Finding: This issue posed only a minimal risk to the reliability of the BPS because WECC determined that it is technically impossible for the peripheral devices to comply with the Standard. Additionally, WECC accepted the TFE because FFT Entity timely employed three measures to mitigate risk. First, FFT Entity implemented all available security measures the device could support, including strict requirements for passwords and disabling unused ports and services. Second, FFT Entity ensured that all neighboring networked devices capable of hosting all security features were monitored in order to provide periphery notice of any unusual or suspicious behavior. Third, FFT Entity diligently enforces its PSP boundaries to reduce the risk that the device would be physically compromised.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R2

Region: SPP

Issue: FFT Entity self-reported that its vulnerability assessment showed that it had ports and services that were enabled on various devices that were not essential to the normal or emergency operations of FFT Entity’s Cyber Assets.

Finding: SPP found that this issue constituted only a minimal risk to the BPS since the relevant ports and services did not present an obvious threat since they operated within FFT Entity’s ESP. After it conducted the vulnerability assessment, FFT Entity started justifying the enabled ports and services on its CAs. In addition, prior to the vulnerability assessment, FFT Entity enacted a program to monitor system activity and to notify the administrator in case of suspicious activity. FFT Entity had also installed anti-virus and anti-malware software on its CAs.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R4

Region: WECC

Issue: FFT Entity self-reported that it did not timely submit TFEs for 37 of its CAs within its ESP that lacked the capability to install malicious software prevention tools. The TFE requests were submitted 16-20 months after they were due.

Finding: WECC found that this issue constituted only a minimal risk to the BPS since the relevant devices were protected by FFT Entity’s PSP and ESP. In addition, the FFT Entity personnel that had access to the devices had all received PRAs and the required training.

Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R4; R4.2

Region: FRCC

Issue: FRCC determined FFT Entity violated CIP-007-1 R4 because FFT Entity could not sufficiently demonstrate that it submitted Technical Feasibility Exceptions (TFEs) for some of its devices. In a spot check, FRCC reviewed FFT Entity’s documents and concluded that FFT Entity failed to submit TFEs for 15% of relevant devices. In the absence of the TFEs, FFT Entity could not demonstrate that it documented a process for the update of anti-virus and malware prevention signatures.

Finding: FRCC determined this issue posed only a minimal risk to the reliability of the BPS because FFT Entity did submit TFEs for 85% of relevant devices. Additionally, comparable security measures were enabled for the complete set of devices and FFT Entity implemented a process for the update of anti-virus and malware prevention signatures.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R4, R6

Region: TRE

Issue: FFT Entity self-reported that it did not file TFEs, even though it was not technically feasible for its firewall service modules, relays, remote terminal units and switches to employ anti-virus and other malicious software prevention tools in order to protect against malware on all CAs within FFT Entity’s ESP (R4). FFT Entity also self-reported that it did not have proper documentation verifying that its CCA systems sent automated alerts about cyber security incidents to the relevant personnel at FFT Entity for review (R6).

Finding: TRE found that the issues constituted only a minimal risk to the BPS. In regards to R4, FFT Entity limits administrative access to the relevant devices and does not authorize connections with unknown Internet hosts and devices. In addition, the embedded devices cannot run any third-party devices (so malware would not be able to move from one embedded device to another embedded device). For R6, this is primarily a documentation issue as FFT Entity personnel were actually maintaining and reviewing logs of system events.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R5.1.2

Region: TRE

Issue: FFT Entity self-reported that while it was preparing to switch to a new generation management system (GMS), as part of ERCOT’s change to a Nodal Market, its legacy GMS was not tracking and logging the shared accounts running on it as required.

Finding: TRE found that the issue constituted only a minimal risk to the BPS as there was only a short period of non-compliance and FFT Entity tried to minimize any changes to its legacy GMS (and any changes made were tracked). In addition, each of FFT Entity’s generation facilities has a control room that monitors the real-time status of the plant. If the GMS sent out an alert about an anomaly, the generation facility would be removed from automatic voltage control until the problem is resolved. Furthermore all of FFT Entity’s virus definitions are up to-date and all of its employees with access rights have received background checks and training.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R8

Region: NPCC

Issue: In the course of a joint compliance audit with another region, NPCC determined that FFT Entity violated CIP-007-1 R8 in completing its first formal cyber vulnerability assessment of all CAs within the ESP eleven months after the required compliance date. The other region found that an affiliate of FFT Entity also violated the same Standard, but NPCC did not view the separate violation as an aggravating factor because both issues arose from the same conduct.

Finding: This issue posed only a minimal risk to the reliability of the BPS because while FFT Entity did not complete the formal annual cyber vulnerability assessment by the required compliance date, it did complete most of the work required by CIP-007-1 R8.1 through R8.4. Most notably, FFT Entity reviewed and hardened its ESP firewalls and demonstrated behavior, such as approving purchase orders and statements of work, that vulnerability assessments were being exercised and documented before the compliance due date.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-007-1

Requirement: R8

Region: RFC

Issue: During a compliance audit, RFC found that FFT Entity did not timely finish its formal cyber vulnerability assessment. FFT Entity finished its assessment 11 months late.

Finding: RFC found that this issue constituted only a minimal risk to the BPS since FFT Entity managed to complete most of its work by the deadline, including reviewing and hardening the ESP firewalls. FFT Entity was documenting and enacting elements of the vulnerability assessment before the assessment was due. In addition, although the same conduct was an issue for an affiliate in a separate region, RFC did not consider this to be an aggravating factor.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R3

Region: NPCC

Issue: URE self-reported that for approximately two and half years it had not put in place its anti-virus update procedure for testing and installing anti-virus signatures on certain corporate and generating CAs.

Finding: NPCC found the violation constituted a minimal risk to BPS reliability because the signatures were released by reliable vendors and all were tested (other than those released on weekends) using days of test data. The weekend releases came after corporate system updates which limited any significant risk to the CCAs. The corporate CAs were dedicated for administration of physical access controllers, and the risk was minimal because any adverse impact to these systems due to a malware signature update could not have impacted the BPS control and monitoring function. Physical access controls would continue to operate effectively without the administrative workstations, which are utilized to modify and update configurations only.

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R4/4.2

Region: FRCC

Issue: URE self-reported that its formal security patch management program did not include the relevant database associated with the energy management system for a seven-month period.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability because URE was taking appropriate steps to analyze and review the patches at issue as required by the CIP Security Patch Management Program even though it was not included in URE’s program.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R3

Region: RFC

Issue: URE self-reported that it failed to consistently implement and document activities related the tracking, evaluating, testing, and installation of security patches for certain non-critical CAs within the ESP.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because none of the affected applications were considered CCAs, only one of the five applications was issued a security patch during the relevant time period, URE assessed and applied patches for 97.8% of the applications within its ESP, the affected CAs are protected by URE’s security system, and URE has an established change management program. URE mitigated the issue by documenting the implementation of identified patches and improving its patch management process.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R5

Region: FRCC

Issue: During a spot check, FRCC determined that URE failed to modify passwords of various network users in violation of R5 for approximately 2 years.

Finding: FRCC determined that the violation posed a minimal risk to BPS reliability because the network is continuously in a disabled state and access involves procedural controls that include unique security questions for each user. In addition, all of the network users at issue had a completed PRA on file and CIP training. The URE had a previous violation of CIP-007-1 but FRCC determined based on the dissimilar circumstances that the current violation did not represent a failure to mitigate a prior violation appropriately. URE mitigated the violation by updating its list of network users and associated passwords.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R6

Region: WECC

Issue: URE self-reported that it did not timely submit Technical Feasibility Exception reports for a total of 138 CCAs and 18 non-critical CAs located within 12 ESPs that were unable to implement automated tools or organizational process controls to monitor system events pursuant to R6.

Finding: WECC determined that the violation posed a minimal risk to BPS reliability because compensating measures were in place prior to the time the TFEs were due. These measures included an intrusion detection system to monitor network traffic and send automated alerts of suspicious traffic, all of the devises were located in ESPs and PSPs, and all personnel with access to the devices had a valid PRA and training. URE mitigated the issue by submitting the TFEs, which WECC accepted.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-007-1

Requirement: R5; R5.2.1; R5.3.2; R5.3.3

Region: TRE

Issue: While conducting an audit, URE was found to have issues with R5.2.1, R5.3.2 and R5.3.3. Regarding R5.2.1, URE had in place controls to monitor enabled shared accounts, however, it had not disabled shared administrator accounts on eight CAs that were put in service before the period of non-compliance, which was eight months. Regarding R5.3.2, URE had failed to file a Technical Feasibility Exception (TFE) regarding certain CAs that were incapable of complying with the password requirements found in the Standard. This issue lasted two years, until TRE accepted URE’s late-filed TFE. Regarding R5.3.3, none of UREs CAs used inside its ESP can support the technical controls for password expirations, however URE had not filed a TFE with TRE reporting the issue. This issue lasted two years, until TRE accepted URE’s late-filed TFE.

Finding: The issue was deemed to pose minimal risk to BPS reliability because URE had controls in place to manage its shared accounts and passwords. With respect to R5.2.1, any user using a shared account was required to manually record what they were doing and the date of such activity and that information was provided to a SCADA administrator. Regarding the other two subrequirements, URE’s staff had been trained on the password complexity requirements of R5.3.2, and passwords were changed in accordance with R5.3.3.

Unidentified Registered Entities 1-2 (UREs), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-1

Requirement: 1.1

Region: RFC

Issue: Two UREs submitted identical self-reports disclosing that they had no documents or records showing that initial testing of relay devices, which are classified as CCAs and are located in UREs’ ESPs, confirmed no adverse effects on existing security controls of the security set-up of relay access devices.

Finding: The violation was deemed by RFC to pose minimal risk to BPS reliability because both UREs had performed the required testing; however, they did not document the results.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-1

Requirement: 4

Region: WECC

Issue: URE submitted a self-report explaining that it had failed to install anti-virus software and malware prevention tools on certain devices due to the fact that it was not technologically feasible to install such tools on the devices. When addressing the self-report, URE submitted the required Technical Feasibility Exception (TFE) reports for the devices; however, WECC determined URE was not in compliance with the Reliability Standard for the late submission of the TFE reports.

Finding: The issue was deemed to pose minimal risk to BPS reliability because the relevant devices are located within an ESP and PSP, and the devices have no direct connection to the internet or email systems. All other devices in the ESP are protected with anti-virus software. The ESP is monitored 24/7 and logging of physical and cyber access to the devices is required and checked. It was also noted that the ESP has intrusion protection system sensors to monitor network traffic at the access points.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-1

Requirement: 4

Region: WECC

Issue: URE submitted a self-certification that it had not installed anti-virus software and malware prevention tools on 12 human-machine interfaces (HMI) responsible for gas compressors, analyzers, and facilitate programmable logic controllers that manage blackstart generators. The HMIs are all classified as CCAs and use operating systems that do not support the installation of anti-virus and malware prevention tools.

Finding: The issue was deemed to pose minimal risk to BPS reliability because URE was able to show that the vendor of the HMIs confirmed that anti-virus and malware prevention tools would not be able to be installed on the devices. The devices, however, are located in an ESP, and all employees with access to those devices had undergone CIP training and had current PRAs on file.

Unidentified Registered Entities 1-3 (UREs), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-1

Requirement: 5.2.3

Region: RFC

Issue: Three UREs submitted identical self-reports stating that each was in violation of CIP-007-1 R5.2.3 as none had kept an audit trail of account use for multiple shared accounts on their transmission management systems and shared accounts in substation networks. Each URE has a formal policy regarding account privileges and audit trails; however, the program that maintains the automated audit trails was not working properly so no audit trails were produced.

Finding: The violation was deemed by RFC to pose minimal risk to BPS reliability because at each URE only those individuals with current PRAs on file and having completed training had access to the shared accounts. No cyber security events occurred during the violation time period.

Unidentified Registered Entities 1-3 (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-007-1

Requirement: 6.5

Region: RFC

Issue: Three UREs submitted identical self-reports stating that none had documentation to show that security logs from each transmission management system were being reviewed for cyber security system events.

Finding: The violation was deemed by RFC to pose minimal risk to BPS reliability because UREs’ transmission management systems are adequately protected. Even though UREs were not reviewing the security logs for the transmission management system, the logs were available. UREs did eventually review the security logs and found no security threats.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

Reliability Standard: CIP-007-1

Requirement: 4, 5

Region: WECC

Issue: URE submitted a self-report disclosing non-compliance with CIP-007-1 R4 as a result of it being unable to install anti-virus and malware software on 60 non-Cyber Assets and CCAs all housed in an ESP and its failure to submit the required Technical Feasibility Exception reports detailing the issue. Regarding R5, URE could not show that for eight devices in an ESP the password complexity requirements had been followed. The TFEs were eventually submitted to and approved by WECC.

Finding: The issue was deemed by WECC to pose minimal risk to BPS reliability because the TFEs were eventually submitted and approved by WECC. The relevant devices are all located in protected facilities and it was technically impossible to install the protections outlined in the Reliability Standard.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 3, 4.1, 5.3, 6

Region: NPCC

Issue: URE self-reported that one of its devices was unable to receive a security patch (3). URE also self-reported that it had not installed anti-virus and anti-malware tools on the operating systems of five devices (4.1). In addition, one of URE's devices did not possess the necessary technical controls to satisfy the password requirements (5.3). URE also had two devices that were not capable of generating internal logs of system events (such as security and authentication-related incidents) (6). URE did not file any requests for Technical Feasibility Exceptions.

Finding: NPCC found that the issues constituted only a minimal risk to BPS reliability since the devices are located within a PSP and ESP and are not exposed to the internet or business networks. In addition, pursuant to URE's incident response plan, support personnel would be notified if a device was compromised. URE was granted Technical Feasibility Exceptions.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 4

Region: WECC

Issue: URE self-reported that 64 of its firewalls and 361 of its routers and switches, within 50 ESPs, did not use anti-virus software or other malware prevention tools. Even though there were no anti-virus applications available for the operating systems associated with the CAs, URE did not timely file a request for a Technical Feasibility Exception.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability. URE's CAs are contained in an ESP and PSP, with electronic and physical access controlled and managed at all access points. In addition, a username and password is required to access all of the CAs and there is a passive triggering mechanism that monitors any changes. Furthermore, URE received a Technical Feasibility Exception.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 4.1

Region: NPCC

Issue: During a compliance audit, NPCC determined that eight of URE's devices (at four substations) did not have the required anti-virus and malware prevention tools installed. The eight devices run on an operating system that does not support the installation of anti-virus and malware prevention tools, but URE did not submit Technical Feasibility Exception requests as required.

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability since URE's procedures limited employee electronic access. In addition, the devices were located within an ESP, which contained protections such as firewalls, device authentication and network security monitoring.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 5/5.1

Region: FRCC

Issue: URE self-reported that for five of its CAs, they were pre-set to log in using a pre-configured account, allowing all users who had physical access to the system to have shared access (instead of individual user access according to the "need to know" concept, as required). URE also did not check that the user accounts for those five CAs were implemented as approved by the designated personnel.

Finding: FRCC found that the issue constituted only a minimal risk to BPS reliability since the CAs were contained within a PSP and were not accessible remotely from outside the ESP. All five CAs have user accounts and passwords, and only five authorized personnel had access to the PSPs where the CAs are located. Although URE had three prior violations and one prior remediated issue with this Reliability Standard, FRCC found that this issue does not involve recurring conduct since the prior instances involved a failure to timely file Technical Feasibility Exceptions, failure to change default settings on access control and monitoring equipment, and the lack of proper documentation on shared accounts for certain CAs.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 5/5.1.2

Region: MRO

Issue: URE self-reported that it had not kept access activity event logs on Front End Processing (FEP) equipment used in controlling BPS remote terminal units, and therefore it had not implemented methods, processes, and procedures to generate logs with the needed detail to create historical audit trails of individual user account access activity for a minimum of 90 days for some of its CCAs.

Finding: MRO found that the issue constituted only a minimal risk to BPS reliability since less than 6% of URE's FEP devices were unable to generate logs and those devices were located within a PSP and ESP (which contained firewall rules and network traffic monitoring systems). In addition, URE's FEP devices do not control major BPS equipment as they are primarily used for distribution breakers, voltage regulators and capacitors.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 5.3

Region: NPCC

Issue: URE self-reported that the passwords were not changed annually, as required, for 22 of the administrative and user accounts on the operating system on four of its CAs.

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability since the CAs are contained within an access control room and have no remote access.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-007-1

Requirement: 6

Region: WECC

Issue: URE self-reported that while it did maintain logs on its backup control center backup server, it did not timely review those logs as mandated (since the logs were not being forwarded to the backup control center primary server). The backup control center backup server contained logs on system events associated with four CAs within the ESP. Thus, URE did not review the logs on these system events.

Finding: WECC found that the issues constituted only a minimal risk to BPS reliability. The issue was limited to only six devices in the backup server, which were generating and maintaining access and system events logs. Access to the devices was restricted to authorized personnel, and remote logical access was only available through the virtual private network (whose logs were consistently maintained and reviewed).

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 4

Region: WECC

Issue: FFT Entity self-reported, as a BA, GOP, GO, LSE, TOP, TO and TSP, that it did not install anti-virus software and other malicious software prevention tools on five of its CCA devices and that it had not filed a Technical Feasibility Exceptions to cover those devices.

Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since the relevant CCA devices are only used as a communication link for managing serially connected devices, and an alarm would trigger if the devices lost connectivity. The CCA devices were also protected by a myriad of other measures. For example, both devices are contained within an ESP and PSP, with the access points being continuously monitored. Furthermore, only those ports and services necessary at the access points are enabled. FFT Entity filed Technical Feasibility Exceptions to cover the relevant CCA devices.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 5.2

Region: TRE

Issue: FFT Entity self-reported that it was unable to identify all the computers in its Energy Management System (EMS) with shared accounts or those personnel who had access to one of the three shared accounts.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since the EMS is contained within an ESP and PSP, which are only accessible to personnel who have been granted authorized unescorted access to the CCAs. In addition, the passwords for all of the shared account satisfied the requirements of the Reliability Standard.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 5.3

Region: SPP

Issue: FFT Entity self-reported that 23 of its accounts that had access to FFT Entity's Energy Management System (EMS) did not have passwords that were sufficiently complex (as they did not contain a special character). FFT Entity also had not changed, on an annual basis, the passwords for three of its devices.

Finding: SPP found that the issue only constituted a minimal risk to BPS reliability since the relevant accounts were subject to continuous monitoring and their passwords satisfied the other requirements of the Reliability Standard. No unauthorized access occurred during the period of noncompliance.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

Reliability Standard: CIP-007-1

Requirement: 8; 8.2; 8.3

Region: RFC

Issue: During an audit, RFC discovered that the third-party vendor URE contracted to conduct cyber vulnerability assessment of the Cyber Assets within the ESP had deleted detailed evidence related to the cyber vulnerability assessment (in noncompliance with R8). Consequently, URE produced a summary report from the vendor evidencing that it had performed a review verifying that only ports and services required for operations for Cyber Assets within the ESP were enabled (per R8.2), as well as reviewed the controls for default accounts (per R8.3). However, URE was unable to produce documentation to support the summary report.

Finding: RFC found the issue posed a minimal risk to the reliability of the BPS because the risk was mitigated by the fact that the third-party vendor, which was responsible for deleting the detailed evidence related to the cyber vulnerability assessment, was able to provide a summary report demonstrating compliance of the standard. URE's documentation was simply deemed inadequate to evidence the extent of URE's completed cyber vulnerability assessment.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 4

Region: RFC

Issue: URE self-reported a violation of R4 of CIP-007-1 to RFC when it found that it failed to install antivirus software and malware prevention tools on its 18 printers and two time servers because of technical capability. URE did not provide a Technical Feasibility Exception (TFE) for the Cyber Assets, which reside in the Electronic Security Perimeters (ESPs).

Finding: RFC found that the issue posed a minimal risk to the reliability of the bulk power system because the printers are only accessible from the URE system and have no connection to the Internet. URE also used directory service security groups for the printers designed to curtail access without authorization. Time servers, similarly, have no connection to the Internet and are only used to synchronize local time; they are not visible from the corporate or outside networks. Furthermore, the URE had in place several procedures, identified in the TFE, including physically keeping all devices within a controlled access Physical Security Perimeter, controlling logical access via requiring membership to directory service group, controlling remote authentication via directory service protocol authentication, requiring complex passwords for all authentications, logging security access attempts, employing a system to detect intrusion and to monitor unordinary traffic, mandating local administrative passwords to satisfy or exceed the NERC CIP password complexity requirements, overseeing all servers and workstations to be based on a specific operating system with proper antivirus.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 5; 5.3

Region: RFC

Issue: URE self-reported a violation of R5 of CIP-007-1 to RFC when it found that 18 printers and two time servers' passwords did not, as mandated, have at least six characters, a combination of alpha, numeric, and "special" characters, and renewed at a minimum annually, due to technical feasibility. URE did not provide a Technical Feasibility Exception (TFE) for these Cyber Assets in the Electronic Security Perimeter (ESP).

Finding: RFC found that this issue posed a minimal risk to the reliability of the bulk power system because the printers are only accessible from the URE system and have no connection to the internet. The time servers also have no connection to the Internet and are only used to synchronize the correct time with the local control system, and remain invisible to the corporate or outside networks. Furthermore, URE has been employing several measures, as identified in the TFE, such as physical storing of printers inside a controlled access Physical Security Perimeter (PSP), using controls to ensure satisfying manual password requirements, controlling remote logical access by directory service authentication, logging security breach attempts, using a system to detect intrusion and to monitor unordinary traffic, for several years. For the servers, URE has been physically storing them in an access controlled PSP, enabling only those ports and services necessary for normal functioning of the device, security logging, making sure that the passwords will satisfy the standards of URE's cyber-security policy by notifying three individuals in charge of controlling the passwords.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 6

Region: SPP

Issue: SPP conducted a Compliance Audit of URE during which URE was found in violation of R6 of CIP-007-1, in that URE had not used automated or organizational tools to monitor its system for cyber-security issues. URE had been monitoring and logging access at its Electronic Security Perimeter (ESP) access points via ConsoleWorks server, to alert personnel and to automatically review logs for Virtual Private Network (VPN) access and ESPs' Cyber Assets' access. However, URE failed to be alerted of cyber-security issues or manually reviewed cyber-security system logs when ConsoleWorks server was down for maintenance issues.

Finding: SPP found that the issue posed a minimal risk to the reliability of the bulk power system since URE did use ConsoleWorks which monitored and logged access at its ESPs' access points twenty-four hours a day, seven days a week, only failing to do so during short periods when the ConsoleWorks server was down. Furthermore, URE protected Cyber Assets and CCAs while ConsoleWorks was down, by using card swipes for sensitive areas, locking drawers, using video surveillance, using a password and lockout system, and physically reviewing personnel cyber access.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

Reliability Standard: CIP-007-1

Requirement: 6; 6.1

Region: RFC

Issue: URE self-reported a violation of R6 of CIP-007-1 to RFC for failing to employ automated tools or organizational process controls to oversee cyber-security related events due to the lack of technical feasibility. URE did not provide a Technical Feasibility Exception (TFE) for the Cyber Assets inside the Electronic Security Perimeter (ESP).

Finding: RFC found that the issue posed a minimal risk to the reliability of the bulk power system because the printers are only accessible from the URE system and have no connection to the Internet. Furthermore, URE uses directory service security groups designed to curtail unauthorized access. The time servers, similarly, do not have connection to the Internet, are not visible from external networks or the corporate network, and are only utilized to synchronize time with the local control system network. URE also uses antivirus on the time servers as well as uses the ESP to curtail access to the printers and timeservers, uses security logging and monitors for unauthorized attempts to access or to alter configurations, and uses a system to detect intrusion and monitors unordinary traffic.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-007-1

Requirement: 1, 2

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-007-1, R1 and R2. Regarding R1, URE1 reported that existing test procedures were only focused on application and functionality testing rather than having exact instructions for testing cyber security controls. Regarding R2, when URE1 conducted an initial compliance review using its procedure for identifying ports and services that would be considered CCAs , it found that it had not documented operator workstations as CAs within its ESP.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Regarding R1, the initial design of URE1's cyber security controls ensured that only documented and allowed traffic from outside the ESP was allowed into the ESP. Regarding R2, the missing workstations were used only by operators in the PSP and ESP and had no outside access. Also, the workstations were protected by anti-virus and up-to-date security and were monitored in real-time by intrusion detection controls.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-007-1

Requirement: 5/5.2.2

Region: SPP RE

Issue: While conducting a CIP compliance audit, SPP RE found URE1 had a compliance issue with CIP-007-1 because its list containing names of those having access to shared accounts was incomplete.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. URE1 had only missed documenting employees with access to a shared local account for one database default account, and the local account only had historical EMS data stored. All other individuals were properly identified. In addition, the relevant individuals had valid PRAs on file.

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-007-1

Requirement: 1/1.3

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE2 had not completely documented all test results for every change request.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because it was a documentation issue. Although URE2 had not documented all test results, it could show that each step required for change requests had been successfully completed.

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-007-1

Requirement: 3

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE2 had no documentation showing that security patches and security upgrades had been assessed within 30 days of availability. In addition, URE2 could not provide documentation showing what compensating measures it had taken to lessen risk exposure for uninstalled patches.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because it was related to a lack of documentation. URE2 was able to show that its Cyber Assets were up to date with current security patches even though it had no documents to show that the security patches and security upgrades had been assessed within 30 days of availability.

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-007-1

Requirement: 6; 6.5

Region: RFC

Issue: While conducting a compliance audit RFC found that URE2 had no documentation to show that it reviewed system event logs.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because the issue was a documentation error. URE2 had system event logs but no documentation to show that the logs had been reviewed. Also, URE2's network is a closed network with no Internet access. And, any potential risk to the BPS from an event at URE2 will generate an alert at the access point.

Unidentified Registered Entity 2 (NPCC_URE2), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-002-1

Requirement: 3

Region: NPCC

Issue: NPCC_URE2 self-reported an issue with CIP-002-1 R3 to NPCC when NPCC_URE2 found that after adding new devices within an Electronic Security Perimeter (ESP), it had not updated its list of Critical Cyber Assets (CCAs). In particular, NPCC_URE2 converted remote network terminal units (NTUs) from serial communication protocol to an internet protocol (IP) routable protocol, and added a network switch to the communication path over a 4-month period. While NPCC_URE2 added the NTUs to the CCA inventory, the network switches were not added.

Finding: NPCC found that the issue posed a minimal risk to the reliability of the BPS because the network switches at issue were located behind a firewall appliance that is an electronic access point for the substation ESP, and NPCC_URE2’s IT engineer who maintains all of the network switches treated the devices as if they were CCAs.

Unidentified Registered Entity 3 (NPCC_URE3), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-007-1

Requirement: 3, 4

Region: NPCC

Issue: NPCC_URE3 self-reported issues with CIP-007-1 R3 and R4 to NPCC when NPCC_URE3 failed to submit Technical Feasibility Exception (TFE) requests for: (a) the operating systems on a number of its Cyber Asset devices that were missing anti-virus and anti-malware tools, and (b) a number of personal computers on which NPCC_URE3 was unable to implement a security patch management program.

Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because the devices at issue are located within both a Physical Security Perimeter and an Electronic Security Perimeter and if a device is compromised, support personnel will be notified to take action through the incident response plan, and the facility IT contact will interface with the corporate cyber incident response team. In addition, the devices are not exposed to un-trusted networks through network isolation.

Unidentified Registered Entity 4 (NPCC_URE4), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-007-1

Requirement: 4, 6

Region: NPCC

Issue: NPCC_URE4 self-reported issues with CIP-007-1 R4 and R6 to NPCC when NPCC_URE4 failed to submit Technical Feasibility Exception (TFE) requests for: (a) a number of devices with operating systems that lacked anti-virus and anti-malware tools, and (b) a number of devices that were incapable of generating internal logs of system events including security and authentication-related incidents.

Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because the devices at issue are located within both a Physical Security Perimeter and an Electronic Security Perimeter, and if a device is compromised, support personnel will be notified to take action through the incident response plan, and the facility IT contact will interface with the corporate cyber incident response team. In addition, the devices are not exposed to untrusted networks through network isolation.

Unidentified Registered Entity 4 (NPCC_URE4), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-007-1

Requirement: 5; 5.3

Region: NPCC

Issue: Further to a Compliance Audit, NPCC determined that NPCC_URE4 had an issue with CIP-007-1 R5.3 after finding that NPCC_URE4 had failed to submit Technical Feasibility Exception (TFE) requests for a number of devices that did not have technical controls for password length, character complexity, or password change frequency.

Finding: NPCC found that the issue posed a minimal risk to the reliability of the BPS because the devices at issue are located within both a Physical Security Perimeter and an Electronic Security Perimeter. In addition, only personnel vetted through risk assessments and training have access to these devices, and the proprietary machine language for instructions inhibits plug-in and control by hackers.

Unidentified Registered Entity 5 (WECC_URE5), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-1

Requirement: 2; 2.3

Region: WECC

Issue: WECC_URE5 self-report that it found Cyber Assets that could feasibility comply with standard CIP-007-1 R2.3 (requiring an entity to disable unused ports and services), but that it failed to file a TFE.

Finding: The devices were still secured against misuse or attack by a number of compensating measures that included 24 hour monitoring of system events by a security information and event management (SIEM) appliance and malicious software prevention tools on all Cyber Assets associated with these devices within the ESP and PAC systems. WECC_URE5 did submitted TFEs for these Cyber Assets, which were approved though filed late.

Unidentified Registered Entity 5 (WECC_URE5), Docket No. RC13-9-000 (December 31, 2013)

Reliability Standard: CIP-007-1

Requirement: 3; 3.2

Region: WECC

Issue: WECC_URE5 self-reported that it found Cyber Assets that could feasibility comply with standard CIP-007-1 R3.2, but that it failed to file a TFE.

Finding: The devices were still secured against misuse or attack by a number of compensating measures that included 24 hour monitoring of system events by a security information and event management (SIEM) appliance and malicious software prevention tools on all Cyber Assets associated with these devices within the ESP and PAC systems. WECC_URE5 did submitted TFEs for these Cyber Assets, which were approved though filed late.

Unidentified Registered Entity 5 (WECC_URE5), Docket No. RC13-9-000 (December 31, 2013)

Reliability Standard: CIP-007-1

Requirement: 4

Region: WECC

Issue: WECC_URE5 self-reported that it found Cyber Assets for which compliance with CIP-007-1 R4 was not technically feasible, because it was infeasible to install on these devices antivirus and anti-malware solutions, but it failed to file a TFE.

Finding: The devices were still secured against misuse or attack by a number of compensating measures that included 24 hour monitoring of system events by a security information and event management (SIEM) appliance and malicious software prevention tools on all Cyber Assets associated with these devices within the ESP and PAC systems. WECC_URE5 did submitted TFEs for these Cyber Assets, which were approved though filed late.

Unidentified Registered Entity 5 (NPCC_URE5), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-007-1

Requirement: 6

Region: NPCC

Issue: NPCC_URE5 self-reported an issue with CIP-007-1 R6 to NPCC when NPCC_URE5 found that it had not submitted Technical Feasibility Exception (TFE) requests for a number of devices that were not capable of generating internal logs of system events including security and authentication-related incidents.

Finding: NPCC found that the issue posed a minimal risk to the reliability of the BPS because the devices at issue are located within a Physical Security Perimeter and an Electronic Security Perimeter, and in the event a device is compromised, the incident response plan ensures that support personnel will be notified to take action and the facility IT contacts will interface with the corporate cyber incident response team. In addition, the devices are not exposed to untrusted networks through network isolation.

Unidentified Registered Entity 5 (WECC_URE5), Docket No. RC13-9-000 (December 31, 2013)

Reliability Standard: CIP-007-1

Requirement: 6

Region: WECC

Issue: WECC_URE5 self-reported that it found Cyber Assets for which compliance with CIP-007-1 R6 (requiring the implementation of automated tools or organizational process controls to monitor system events that are related to cybersecurity) was not technically feasible, but WECC_URE5 failed to file associated Technical Feasibility Exceptions (TFE).

Finding: The devices were still secured against misuse or attack by a number of compensating measures that included 24 hour monitoring of system events by a security information and event management (SIEM) appliance and malicious software prevention tools on all Cyber Assets associated with these devices within the ESP and PAC systems. WECC_URE5 did submitted TFEs for these Cyber Assets, which were approved though filed late.

Unidentified Registered Entity 4 (SPP_URE4), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-1

Requirement: R6; R6.1

Region: SPP RE

Issue: SPP RE determined, during a CIP Compliance Audit, that SPP_URE4, in monitoring system events relating to cyber security of the Cyber Assets within its Electronic Security Perimeter (ESP), failed to implement automated tools or organizational process controls. URE4 uses supervisory control and data acquisition (SCADA) network switches to track system events that may affect cyber security, but 21.4% of the switches were not set up to deliver automated log messages to its server.

Finding: SPP RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. The switches involved were not Critical Cyber Assets, but were housed inside a physical security perimeter. The switches connect to the control center and back up control center switches which were properly logging security events. Thus the system would still alert to cyber security events involving the three switches in violation. Further, SPP_URE4 monitored the ESP network for suspicious activity through utilization of an intrusion detection system that compiled reports for the security management station.

Unidentified Registered Entity 5 (WECC_URE5), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-1

Requirement: R5; R5.3; R5.3.2; R5.3.3

Region: WECC

Issue: WECC_URE5 self-reported that it found Cyber Assets for which compliance with CIP-007-1 R5, requiring the use of strong passwords, was not technically feasible, but WECC_URE5 failed to file a TFE.

Finding: The devices were still secured against misuse or attack by a number of compensating measures that included 24 hour monitoring of system events by a security information and event management (SIEM) appliance and malicious software prevention tools on all Cyber Assets associated with these devices within the ESP and PAC systems. WECC_URE5 did submitted TFEs for these Cyber Assets, which were approved though filed late.

Unidentified Registered Entity 6 (TRE_URE6), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-1

Requirement: R8.2, R8.3

Region: Texas RE

Issue: TRE_URE6 self-reported that it could not access its diagnostic cyber vulnerability assessment (CVA) data as the data file was corrupted and non-recoverable. TRE_URE6 did attempt to recreate conclusions in its CVA assessment through internal requests for data. Though this process provided evidence that the CVA was done in accordance with CIP-005-1 R4.5, TRE_URE6 could not show that it reviewed ports and services required for operations, all access points to the Electronic Security Perimeter (ESP), and controls for default accounts, passwords, and network management community strings as required by these standards.

Finding: Texas RE found that this posed a minimal, but not a serious or substantial, risk to BPS reliability. TRE_URE6 did perform a CVA and improved security in multiple ways. It also produced evidence that it took efforts to provide the missing evidence contained in the corrupted files.

Unidentified Registered Entity 7(TRE_URE7), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-007-1

Requirement: R6; R6.4; R6.5

Region: Texas RE

Issue: TRE_URE7 self-reported that it failed to retain logs for 43 Cyber Assets within the Electronic Security Perimeter (ESP) for 90 days. Some of its devices, TRE_URE7 discovered, did collect logs, but without all events required by company procedure. The issue persisted for roughly two and a half years.

Finding: Texas RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. Firewalls and intrusion system created alerts which were investigated, even though the logs were not maintained.

Top