NERC FFT Reports: Reliability Standard CIP-009-1

Alert

5 min read

 

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R4

Region: WECC

Issue: FFT Entity self-reported that it did not fully document in its recovery plan the procedures for backing up and storing information on certain devices needed to successfully restore CCAs.

Finding: WECC found that this issue constituted only a minimal risk to BPS reliability since this was primarily a documentation issue as FFT Entity had appropriately backed up the relevant devices. WECC also found that FFT Entity has a strong compliance culture.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Region: SPP

Issue: Through a spot check, SPP determined that FFT Entity did not timely perform an exercise of its Critical Cyber Asset Recovery Plan in 2008.

Finding: SPP found that the issue constituted only a minimal risk to BPS reliability since FFT Entity did have a Critical Cyber Asset Recovery Plan in place and no events occurred that would have triggered the recovery plan. In addition, FFT Entity’s support staff had undergone training on the CIP Reliability Standards and would be prepared to undertake the appropriate recovery steps in response to a wide range of incidents.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-009-1

Requirement: R4

Region: NPCC

Issue: During a compliance audit, NPCC determined that FFT Entity’s disaster recovery procedures did not include a process for backing up and storing information needed to successfully restore the CCAs.

Finding: NPCC found that the issue constituted a minimal risk to BPS reliability since FFT Entity was able to demonstrate that it was actually backing up and storing the information needed to successfully restore the CCAs.

Find, Fix, Track and Report, Docket No. RC12-2 (November 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R4

Region: MRO

Issue: FFT Entity’s recovery plan for CCAs did not provide backup records of network switches classified as CCAs for the calendar year prior to a spot check. FFT Entity’s backup system only keeps previous switch configurations for a limited time until they are “rolled off” after a certain number of new configuration versions are backed up. Further, FFT Entity’s backup program only saves the data for 90 days once it has been removed from the actual server. FFT Entity was able to show that its backup system was performing as expected throughout the time period covered by the spot check, however, the backup system as designed was unable to show that a backup was performed on a specific date and time.

Finding: The issue posed only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because all of the appropriate backups of information required to restore FFT Entity’s CCAs were being performed, even though documentation was inadequate.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-009-1

Requirement: R1

Region: NCEA

Issue: NCEA determined that FFT Entity violated CIP-009-1 R1 because it failed to include in its methodology or assessment the CIP assets of other third-party entities that were performing tasks on its behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance. FFT Entity’s third parties violated the Standard because one failed to adequately support compliance with the Standard and another failed to specify the appropriate response to situations of varying duration and severity.

Finding: This issue posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to reliability of the BPS as a result of this issue.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-009-1

Requirement: R2

Region: NCEA

Issue: NCEA determined FFT Entity violated CIP-009-1 R2 because it did not include in its methodology or assessment the CIP assets of third-party entities that were performing tasks on its behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance. Specifically, two third parties failed to meet the requirements of the Standard. The first third party failed to provide evidence that indicated how sample test reports led to the recovery of CCAs. The other third party’s test results did not address CCA recovery, thereby rendering its annual exercise invalid.

Finding: This issue posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to the reliability of the BPS as a result of these issues.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-009-1

Requirement: R4

Region: NPCC

Issue: FFT Entity self-reported a violation of CIP-009-1 R4 because it did not document a process for backing up and storing information necessary to restore CCAs in its disaster recovery procedure. FFT Entity’s cyber security policy is a single corporate document that is relied upon by affiliated entities for compliance with CIP-009-1.

Finding: This issue posed only a minimal risk to the reliability of the BPS because even though there was no policy in place requiring FFT Entity to back up and store information necessary to successfully restore CCAs, FFT Entity did backup and maintain such information. NPCC noted that FFT Entity violated the Standard previously, but determined the instant remediated issue arose from the same conduct and, consequently, should not be viewed as an aggravating factor.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

Reliability Standard: CIP-009-1

Requirement: 4

Region: FRCC

Issue: While conducting a CIP Compliance Audit, FRCC found that URE could not show that it had processes and procedures in place in its CCA recovery plans for the backup and storage of information for energy management system workstations, network switches and firewalls.

Finding: The violation was deemed to pose minimal risk to BPS reliability because URE could show that all required data had been backed up and was available in the event of a system restoration.

Top