Issue: WECC_URE3 self-reported that it did not implement required protective measures for a single Cyber Asset. The Cyber Asset lacked automated tools or organizational process controls to monitor system events. WECC_URE3 failed to timely file a technical feasibility exception (TFE) request.
Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. The violation only impacted a single Cyber Asset that was located within an Electronic Security Perimeter that monitored system events and controlled electronic access.
Issue: Following a compliance audit, WECC found that for one year WECC_URE4 could not show that it changed its passwords for its admin/shared/services accounts.
Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability, as there was no access to the accounts outside of a PSP or ESP. Only authorized personnel could gain access.