Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)
Reliability Standard: CIP-008-1
Requirement: R1
Region: RFC
Issue: RFC determined that FFT Entity had an issue with CIP-008-1 R1.2 by failing to include the roles and responsibilities of its response teams within Emergency Procedure Version 1. Additionally, RFC determined that the entity had an issue with CIP-008-1, R1.5 by failing to include a provision within Emergency Procedure 2 requiring, at minimum, an annual review.
Finding: RFC determined that this issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS which was mitigated by the fact that this was a documentation error. FFT Entity had a procedure in place that provided roles and responsibilities in the event of Cyber Security Incidents; however, FFT Entity mistakenly referenced the incorrect procedure in its Emergency Procedure Version 1. FFT Entity defined roles and responsibilities of response teams when it updated Emergency Procedure Version 1, almost a year before RFC’s Spot Check and, while FFT Entity’s Emergency Procedure Version 2 called for periodic, rather than annual, review of the plan, FFT Entity reported that the periodic review of Emergency Procedure Version 2 would include an annual review.
Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)
Reliability Standard: CIP-008-1
Requirement: R1
Region: NCEA
Issue: NCEA determined that FFT Entity violated CIP-008-1 R1 because it failed to include in its methodology or assessment the CIP assets of other third-party entities that were performing tasks on its behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance. The third parties violated the Standard in two ways. First, third parties failed to indicate which procedures were used to characterize and classify events as Cyber Security Incidents. Second, third parties failed to have a procedure to ensure that FFT Entity’s Cyber Security Incident response plan was tested at least annually.
Finding: This issue posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to reliability of the BPS as a result of this issue.
Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)
Reliability Standard: CIP-008-1
Requirement: R1/1.4
Region: FRCC
Issue: During a spot check, FRCC found FFT Entity did not properly maintain a Cyber Security Incident Response Plan (CSIRP) as required by CIP-008-1 R1.4. FFT Entity failed to meet the requirements of the Standard because it did not designate a process to update the CSIRP within 90 calendar days of any changes.
Finding: FRCC found that FFT Entity’s failure to properly maintain its CSIRP only constituted minimal risk to BPS reliability. FRCC took this position because the issue was discovered early in the compliance period and it was corrected within six months of the compliance date. During this relevant period, no changes were made that would have impacted FFT Entity’s CSIRP. Additionally, when the problem was discovered, FFT Entity resolved the issue promptly.
