Case Notes - NERC
The Case Notes are based, in whole or in part, on information contained in mitigation plans that have been accepted by Regional Entities and approved by NERC. This document is designed to convey compliance guidance from NERC's various activities. It is not intended to establish new requirements under NERC's Reliability Standards or to modify the requirements in any existing NERC Reliability Standard. Compliance will continue to be assessed based on language in the NERC Reliability Standards as they may be amended from time to time. This document is not intended to define the exclusive method an entity must use to comply with a particular standard or requirement, or foreclose a registered entity's demonstration by alternative means that it has complied with the language and intent of the standard or requirement, taking into account the facts and circumstances of a particular registered entity. Implementation of information in these Case Notes is not a substitute for compliance with requirements in NERC's Reliability Standards.


Posted Date: 8/30/2012
Reliability Standard: VAR-002-1.1a
Requirement: R3.1

Facts:
The change of the Power System Stabilizer (PSS) status for a generating unit was not reported within 30 minutes of the PSS tripping out of service as required by VAR-002-1 R3.1. There was no audible or clearly visible alarm to alert the control room operators of the change of status of the PSS. This was a key contributor to the delayed reporting.

The entity received an inquiry from its Transmission Operator (TOP) at 3:06 p.m., requesting information pertaining to the PSS status on one of its generation units. The following morning, at approximately 7:35 a.m., plant personnel realized that the PSS on a generating unit appeared to not be in service, even though the control switch for this device, on the boiler-turbine-generator (BTG) board, was in the "On" position. This status was reported to the entity's parent corporate entity. The corporate entity subsequently notified the TOP, via phone call at 7:55 a.m. that same day, that the generating unit PSS was out of service. Upon investigation by the entity, it was discovered that a diagnostic light for the PSS was off and had been noticed by an entity employee 4 days earlier. The employee who noticed the indication is not in the plant operations department and was not familiar with the NERC Standard and TOP protocol requirements to report these status changes within 30 minutes of the status change. The entity's current plant personnel who were in operations have attended mandatory training pertaining to NERC compliance requirements and reporting.

Potential Risk:
Failure to notify a Transmission Operator of a status or capability change on a Reactive Power source could affect reliable operation of the Interconnection.

Mitigation Action Taken:
1. For immediate mitigation, the entity reported its generator unit out of service to the TOP, thus providing the TOP with the status change as required by VAR-002-1 R3.1.
2. The entity and its parent corporate entity also undertook the following corrective and preventive activities as a part of the mitigation plan:
   i. Provided audible and clearly visible PSS status change alarms in the generator unit control room. This activity provided immediate PSS status changes to the control room operators. It required software programming and logic changes, and was completed prior to the replacement PSS being placed into service.
   ii. Replaced the defective PSS on the generator unit at the first available unit outage.
   iii. For all of the corporate entity's generating units equipped with a PSS, the corporate entity provided visible and audible PSS status change alarms in the unit control rooms.
   iv. To prevent future similar occurrences, the corporate entity conducted a technical review of visible and audible AVR alarms on all its generating units. Alarm logic was revised as needed to provide consistent AVR status alarms to unit operators. The corporate entity owns combustion turbine generating units with technology that does not support audible AVR status alarms in the control rooms; for those units the entity utilized visible alarms that require operator action to resolve the alarm.
   v. The corporate entity reviewed and reinforced AVR and PSS compliance and reliability reporting requirements with applicable plant personnel at all its generating units.
   vi. The corporate entity reviewed and revised the annual compliance training documents to expand the details for compliance and reporting obligations relating to PSS and AVR.
   vii. The corporate entity reviewed and modified as necessary unit startup procedures to include an operator verification of the unit's AVR and PSS status at all its generating units.
   viii. Refresher training completed.
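The alarm and reporting gap in this case, as an added worked example in Python (not the entity's alarm logic and not NERC-provided code): actual PSS status is alarmed on each transition, a control-switch-ON versus device-out-of-service mismatch is alarmed once when it appears rather than on every scan, and the 30-minute TOP notification window stated for VAR-002 R3.1 is checked against the time the change was actually reported. The unit name, timestamps and scan history are constructed.

```python
"""PSS status-change alarming with a TOP-notification deadline check.
Added example; the data model and unit/scan data are assumptions, not the entity's."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reporting window stated for VAR-002 R3.1 on this page.
REPORT_WINDOW = timedelta(minutes=30)


@dataclass
class StatusSample:
    ts: datetime
    unit: str
    switch_on: bool         # control switch position on the BTG board
    pss_in_service: bool    # actual device status (the diagnostic indication)


def detect_pss_events(samples):
    """Alarm on each change of actual PSS status and on entering a switch/device mismatch.

    Alarms are raised on transitions, not levels, so a standing mismatch produces one
    alarm rather than one per scan. Samples must be in time order.
    """
    alarms = []
    last_status = {}     # unit -> last seen pss_in_service
    in_mismatch = {}     # unit -> whether a switch/device mismatch is already alarmed
    for s in samples:
        prev = last_status.get(s.unit)
        if prev is not None and prev != s.pss_in_service:
            state = "in service" if s.pss_in_service else "out of service"
            alarms.append((s.ts, s.unit, f"PSS status changed: {state}"))
        mismatch = s.switch_on and not s.pss_in_service
        if mismatch and not in_mismatch.get(s.unit, False):
            alarms.append((s.ts, s.unit, "control switch ON but PSS not in service"))
        in_mismatch[s.unit] = mismatch
        last_status[s.unit] = s.pss_in_service
    return alarms


def report_deadline(change_ts):
    """Latest time the TOP must be notified of the status change."""
    return change_ts + REPORT_WINDOW


def reported_in_time(change_ts, report_ts):
    """True if the TOP notification fell inside the reporting window."""
    return report_ts <= report_deadline(change_ts)


# Constructed scan history for one unit: the PSS trips at 14:10 while the switch stays ON,
# and the device is returned to service the next morning.
SAMPLE = [
    StatusSample(datetime(2012, 6, 4, 14, 0), "U1", True, True),
    StatusSample(datetime(2012, 6, 4, 14, 10), "U1", True, False),
    StatusSample(datetime(2012, 6, 4, 14, 20), "U1", True, False),
    StatusSample(datetime(2012, 6, 5, 9, 0), "U1", True, True),
]


if __name__ == "__main__":
    for ts, unit, text in detect_pss_events(SAMPLE):
        print(ts.isoformat(), unit, text)
    trip = SAMPLE[1].ts
    print("deadline:", report_deadline(trip).isoformat())
    print("reported next day in time?", reported_in_time(trip, SAMPLE[3].ts))
```

The mismatch alarm is the one the case lacked: the switch said "On" while the device was out of service, and nothing in the control room said so. Tracking the deadline from the transition timestamp, not from when a person happened to notice, is what makes the 30-minute window auditable.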




Revised on August 30, 2012
Posted Date: 8/30/2012
Reliability Standard: BAL-005-0.1b
Requirement: R12

Facts:
After a substation reconfiguration, once the substation was energized, it was observed that a line that was no longer an active Tie Line still fed a non-zero MW value into the entity's SCADA system. The system tools had been configured to alarm operators only when the difference between Tie Line modeled and actual flow data reached 100 MW, but a calculated flow difference of greater than 100 MW never occurred. The Balancing Authority (BA) operators identified the flow discrepancy one week after the reconfiguration, and requested that the Reliability Coordinator verify actual flow. The entity included all Tie Line flows with Adjacent BA Areas in the Area Control Error (ACE) calculation rather than only the applicable lines, and failed to achieve balancing of resources and demand.

Potential Risk:
Failure to properly calculate ACE may result in improper balancing of resources.

Mitigation Action Taken:
The entity performed the following actions: (1) reconfigured its SCADA comparison tool to enhance the alarming capabilities such that, when the difference between actual flow and estimated flow is greater than 50 MW, the comparison tool will alarm operators, who will also observe the difference values changing to yellow font. When the difference between actual flow and estimated flow is greater than 100 MW, the comparison tool will alarm operators, who will also observe the values changing to red font; (2) modified the Daily Reliability Coordination Report to enhance visibility of any updated in-service dates for tie lines for Real-Time Operations personnel. This modification to the report created a separate section of the report for tie lines with tier 1 BAs, which results in any modifications to those tie lines being more prominently displayed within the report; (3) modified shift turnover processes to include a requirement that BA operators review the Daily Reliability Coordination Report for any status changes to the tie line listing at the beginning of each shift turnover. This requires the BA operators to check the report at shift turnover to provide increased awareness of tie line modifications, which will allow operators to more quickly identify changes to tie line configuration; (4) performed a comprehensive review of tie line flow inputs into the ACE calculation; and (5) developed an external training session focused on the current process for Inter-Control Center Communications Protocol (ICCP) Object Identifier mapping.
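The comparison-tool thresholds and the tie-line scope of the ACE calculation from this case, as an added Python example (not the entity's SCADA comparison tool and not an ICCP mapping): the 50 MW and 100 MW bands come from the mitigation plan; the check that flags an inactive tie line still reporting non-zero MW goes beyond the plan and is an assumption of this example, as is the textbook ACE form with the meter-error term omitted. Line names, flows, the schedule and the frequency bias are constructed.

```python
"""Tie-line comparison tool with tiered alarming, plus an ACE calculation that only
counts applicable tie lines. Added example: thresholds follow the mitigation plan;
the stale-point check and the ACE form are assumptions."""
from dataclasses import dataclass


@dataclass
class TieLine:
    name: str
    active: bool           # still an applicable tie line after the reconfiguration?
    actual_mw: float       # telemetered flow received into SCADA
    estimated_mw: float    # modeled / estimated flow for the same line


def severity(diff_mw, yellow_mw=50.0, red_mw=100.0):
    """Map an actual-vs-estimated difference to the plan's font colour bands."""
    if diff_mw > red_mw:
        return "red"
    if diff_mw > yellow_mw:
        return "yellow"
    return "ok"


def compare_tie_lines(lines, yellow_mw=50.0, red_mw=100.0, flag_stale=True):
    """Return (name, severity, message) for each line that needs operator attention.

    flag_stale is an assumed extension beyond the plan: a point that is no longer a
    tie line but still reports non-zero MW is stale telemetry whatever its magnitude.
    """
    alarms = []
    for line in lines:
        diff = abs(line.actual_mw - line.estimated_mw)
        sev = severity(diff, yellow_mw, red_mw)
        if sev != "ok":
            alarms.append((line.name, sev,
                           f"actual {line.actual_mw:.1f} MW vs estimated "
                           f"{line.estimated_mw:.1f} MW (diff {diff:.1f} MW)"))
        if flag_stale and not line.active and line.actual_mw != 0.0:
            alarms.append((line.name, "red",
                           f"inactive tie line still reporting {line.actual_mw:.1f} MW"))
    return alarms


def net_actual_interchange(lines):
    """Net actual interchange for ACE: sum only the applicable (active) tie lines."""
    return sum(line.actual_mw for line in lines if line.active)


def ace_mw(lines, scheduled_interchange_mw, bias_mw_per_tenth_hz, actual_hz, scheduled_hz=60.0):
    """Textbook ACE = (NIa - NIs) - 10B(Fa - Fs), meter-error term omitted (assumed form).

    B is the frequency bias in MW per 0.1 Hz and is negative by convention.
    """
    nia = net_actual_interchange(lines)
    return (nia - scheduled_interchange_mw) - 10.0 * bias_mw_per_tenth_hz * (actual_hz - scheduled_hz)


# Constructed sample: two live tie lines and one line the reconfiguration removed
# from service whose SCADA point still carries a non-zero value.
SAMPLE_LINES = [
    TieLine("TL-1", active=True, actual_mw=210.0, estimated_mw=205.0),
    TieLine("TL-2", active=True, actual_mw=340.0, estimated_mw=280.0),
    TieLine("TL-OLD", active=False, actual_mw=35.0, estimated_mw=0.0),
]


if __name__ == "__main__":
    print("old tool (100 MW only):", compare_tie_lines(SAMPLE_LINES, 100.0, 100.0, flag_stale=False))
    print("new tool (50/100 MW + stale check):", compare_tie_lines(SAMPLE_LINES))
    print("net actual interchange, active lines only:", net_actual_interchange(SAMPLE_LINES))
    print("ACE (MW):", ace_mw(SAMPLE_LINES, 540.0, -50.0, 59.98))
```

Run against the constructed data, the old single 100 MW threshold raises nothing, which is exactly the week-long silence described in the case; the 50 MW band catches the second line, and the stale-point check catches the decommissioned line regardless of how small its reading is. The ACE helper makes the "applicable lines only" scope explicit by filtering on the active flag rather than summing every point that happens to be in the telemetry set.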

Posted Date: 8/30/2012
Reliability Standard: CIP-002-1
Requirement: R1.2.1; R1.2.3

Facts:
The entity failed to include adequate evaluation criteria for the assessment of control centers and generation resources in its risk-based assessment methodology (RBAM). Specifically, the entity did not represent a standalone methodology for control centers and generation resources and failed to define the criteria and steps it follows to identify these Critical Assets.

Potential Risk:
Failure to develop evaluation criteria may result in a failure to identify Critical Assets.

Mitigation Action Taken:
The entity revised its RBAM and defined criteria for the identification of Critical Cyber Assets (CCAs) to ensure adequate evaluation criteria for the assessment of control centers and generation resources. The entity revised its single document into two documents, a CCA Methodology and a Critical Asset Methodology, in order to achieve more transparency during the RBAM process. To prevent future risk to the bulk power system, the entity implemented a more robust RBAM which will be evaluated annually, contains more defined criteria for the identification of CCAs and is more clearly delineated from the results.

Posted Date: 8/30/2012
Reliability Standard: CIP-002-1
Requirement: R3

Facts:
The entity failed to develop a list of associated Critical Cyber Assets (CCAs) essential to the operation of Critical Assets. The entity's former procedure: (1) included a location-centric definition of "associated" rather than relying on the Cyber Asset's function; and (2) did not indicate that Cyber Assets outside Electronic Security Perimeters or located at remote sites were considered/evaluated.

Potential Risk:
Failure to list CCAs may result in a loss of enhanced security protections required by the standard. This may lead to a failure to restore or control CCAs.

Mitigation Action Taken:
The entity revised its CCA assessment procedure to clarify that "associated with" does not necessarily mean "physically co-located with" a Critical Asset. The entity executed this revised procedure for its next annual RBAM. During this (and subsequent) CIP-002 R3 assessments, the entity will document evidence of a comprehensive inventory of Cyber Assets that were evaluated during the process, resulting in the final list of CCAs.
Posted Date: 8/30/2012
Reliability Standard: CIP-003-1
Requirement: R3; R3.3

Facts:
The entity failed to annually review, approve and document existing authorized exceptions to the cyber security policy to ensure the exceptions are still required and valid. The entity could not provide evidence that exceptions from 2008 were closed out prior to subsequent annual reviews.

Potential Risk:
Failure to document risks and compensating actions may have presented the possibility that vulnerabilities were not mitigated, which may have left Critical Cyber Assets exposed.

Mitigation Action Taken:
The entity performed the following actions: (1) reviewed all documented exceptions to determine if they are still necessary. If the existing exceptions were still valid, the entity documented them as required. This documentation included an explanation as to why the exception was necessary and included detail for compensating measures that were in place to mitigate risk; and (2) presented the documented exceptions to the senior manager for his review and approval. The approval was documented by his signature on each exception form. If there were no exceptions, an attestation letter was signed by the senior manager stating there were no exceptions.

To prevent future risk to the bulk power system, the entity implemented an annual documentation review process that requires all Standard Owners to review and modify, if necessary, all documentation that supports compliance with their Standard(s).


Posted Date: 8/30/2012
Reliability Standard: CIP-003-1
Requirement: R4

Facts:
The entity failed to label its recovery plans and Critical Asset lists according to its energy information security classifications policy. Specifically, a procedure document shared with an adjoining entity included a confidential shared password, but the document itself was not marked "confidential" per the entity's policy for properly marking confidential information. While the document itself was not marked properly, the file name of the document did include the word "confidential."

Potential Risk:
Failure to identify and protect security configuration information may have placed at risk Cyber Assets and the bulk power system.

Mitigation Action Taken:
The entity performed the following actions: (1) conducted a comprehensive CIP review to validate document inventories; (2) updated the energy information security classifications policy; (3) trained personnel on the procedure; (4) marked the documents in accordance with its energy information security classifications policy; and (5) created its annual assessment review process report to address outstanding identified issues. As a result of the annual review process, 18 documents were identified as not being properly marked "confidential."


Posted Date: 8/30/2012
Reliability Standard: CIP-003-1
Requirement: R5

Facts:
The entity failed to review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with its functional needs and appropriate personnel roles and responsibilities. The entity misunderstood the level of documentation required to demonstrate completion of an annual review of access privileges, for a two-year period.

Potential Risk:
Failure to review access privileges may have exposed sensitive information related to Critical Cyber Assets (CCAs).

Mitigation Action Taken:
The entity performed the following actions: (1) reviewed and updated the existing CCA access control program to ensure the process for completing the annual review of access privileges was adequately detailed; and (2) reviewed the access privileges to protected information as required in CIP-003-3 R5.2. To prevent future risk to the bulk power system, the entity participated in a peer review at a neighboring entity and identified some process improvements to its access control program.
Posted Date: 8/30/2012
Reliability Standard: CIP-003-2
Requirement: R5

Facts:
It was discovered that evidence submitted at a Spot Check was not appropriately marked confidential. This prompted a broader review of CIP-003 R4 and a comprehensive re-design of the entity's information protection program. As a result of completing the Mitigation Plan milestones for R4, it was determined that the entity failed to implement its program for managing access to protected Critical Cyber Asset (CCA) information because a number of electronic file locations (repositories) that stored protected information did not have all the necessary access controls required by R5.

Potential Risk:
Failure to implement an information protection program may have exposed sensitive information related to CCAs.

Mitigation Action Taken:
The entity performed the following actions: (1) the CIP access control program was revised to include the CIP-003 R5 requirements necessary to secure and protect CIP information repositories, including shared drives, SharePoint sites and some shared folders; (2) all CIP information repository owners and administrative support staff were trained on the newly revised CIP access control program; (3) each repository owner and administrative support staff documented the process and procedures for controlling access to their respective repository or security group; (4) each repository owner and administrative support staff reviewed the user access privileges for their respective repository or security group to confirm that they are correct and that they correspond with the appropriate business need to know. For any individual that no longer requires access, access was removed; and (5) CIP information repositories that store CIP protected information were identified, as well as the repository owners. The repository owners' names and titles, and the name of the repository for which they approve access, were added to the designated approver personnel list.
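The periodic access-privilege review described in the CIP-003-1 R5 and CIP-003-2 R5 cases above, as an added Python example (not the entity's access control program): the grants a repository actually holds are reconciled against an approved-access register that records the business need, the approver and the owner's confirmation that access is still required, producing the removals, the entries approved by someone outside the designated approver list, and an evidence record for the review. The data model, repository names, users and approvers are constructed.

```python
"""Periodic review of access privileges to protected-information repositories.
Added example; the data model and field names are assumptions, not the entity's program."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """What a repository (shared drive, SharePoint site, security group) actually grants."""
    user: str
    repository: str
    role: str


@dataclass(frozen=True)
class ApprovedAccess:
    """One line of the approved-access register kept by the repository owner."""
    user: str
    repository: str
    role: str
    business_need: str      # documented need to know
    approver: str           # should be on the designated approver personnel list
    still_required: bool    # confirmed by the owner during this review


def review_access(actual_grants, register, designated_approvers, reviewer, review_date):
    """Reconcile actual grants against the register and return (findings, evidence)."""
    approved = {(a.user, a.repository, a.role): a for a in register}
    actual = {(g.user, g.repository, g.role) for g in actual_grants}
    findings = {"remove": [], "bad_approver": [], "not_provisioned": []}

    # Every live grant must trace to a still-valid register entry with a proper approver.
    for key in sorted(actual):
        record = approved.get(key)
        if record is None:
            findings["remove"].append((key, "no documented business need"))
        elif not record.still_required:
            findings["remove"].append((key, "owner confirmed access no longer required"))
        elif record.approver not in designated_approvers:
            findings["bad_approver"].append((key, record.approver))

    # Register entries with no matching grant are informational, not a risk.
    for key in sorted(approved):
        if key not in actual and approved[key].still_required:
            findings["not_provisioned"].append(key)

    # Evidence that the review happened, for the annual documentation of the review.
    evidence = {
        "reviewer": reviewer,
        "review_date": review_date.isoformat(),
        "grants_reviewed": len(actual),
        "removals": len(findings["remove"]),
        "approver_issues": len(findings["bad_approver"]),
    }
    return findings, evidence


# Constructed sample data.
DESIGNATED_APPROVERS = {"r.owner.drive", "r.owner.sp"}
ACTUAL_GRANTS = [
    Grant("alice", "CIP-SharedDrive", "read"),
    Grant("bob", "CIP-SharedDrive", "write"),        # no register entry at all
    Grant("carol", "CIP-SharePoint", "read"),        # changed roles, no longer needs it
    Grant("dave", "CIP-SharePoint", "read"),         # approved by someone not designated
]
REGISTER = [
    ApprovedAccess("alice", "CIP-SharedDrive", "read", "recovery plan maintenance", "r.owner.drive", True),
    ApprovedAccess("carol", "CIP-SharePoint", "read", "former CIP coordinator", "r.owner.sp", False),
    ApprovedAccess("dave", "CIP-SharePoint", "read", "vendor support", "contractor.x", True),
    ApprovedAccess("erin", "CIP-SharePoint", "write", "CIP coordinator", "r.owner.sp", True),
]


def run_sample_review():
    """Run the review over the constructed data; returns (findings, evidence)."""
    return review_access(ACTUAL_GRANTS, REGISTER, DESIGNATED_APPROVERS, "r.owner.sp", date(2012, 8, 30))


if __name__ == "__main__":
    findings, evidence = run_sample_review()
    for kind, items in findings.items():
        for item in items:
            print(kind, item)
    print(evidence)
```

The evidence record is the part the CIP-003-1 R5 case turned on: the entity had misjudged how much documentation an annual review needs, and a dated record of who reviewed how many grants, with the resulting removals, is what an auditor can verify. Keying the register by (user, repository, role) rather than by user alone keeps a write grant from being excused by an approval that only covered read.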

Posted Date: 8/30/2012
Reliability Standard: CIP-004-1
Requirement: R3

Facts:
The entity failed to demonstrate that all personnel having authorized cyber or authorized unescorted physical access were subject to identity verification in a documented personnel risk assessment (PRA), as required. In addition, the entity's PRA process documentation included verification of past address based on name and date of birth, which was deemed inadequate because it failed to include a positive verification of identity. The entity later received a vendor attestation that its verification process did include positive verification of identity based on Social Security number.

Potential Risk:
Failure to conduct a PRA could lead to improperly vetting the identity and criminal history of personnel managing Critical Cyber Assets (CCAs), which could result in malicious access to these assets.

Mitigation Action Taken:
The entity performed the following actions: (1) performed a comprehensive review of all personnel receiving PRAs for personnel having authorized cyber or authorized unescorted physical access to CCAs; (2) conducted full or partial PRAs on personnel found to have discrepancies with the comprehensive review; (3) performed training for Human Resources personnel to ensure proper steps are followed when initiating PRAs; and (4) updated the personnel risk management documents to include verification of completion of the PRA for all personnel having authorized cyber or authorized unescorted physical access to CCAs.


Posted Date: 8/30/2012
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity failed to review the list of its personnel who have such access to Critical Cyber Assets (CCAs) quarterly. Two employees that administer access points were included in quarterly review reports as having authorized access, but were not listed by specific device. It was determined that security appliances, access point devices and associated local administrator accounts were inadvertently omitted from the quarterly access review documents that address cyber access to Critical Assets and CCAs.
Potential Risk: Undocumented access to operating system and database user accounts may have presented the risk of unauthorized access to those systems as well as eliminated the ability to investigate unauthorized access events and prevent future events.
Mitigation Action Taken: The entity performed the following actions: (1) identified missing devices and associated accounts on the quarterly access review reports; (2) updated the quarterly access review reports to include omitted information; and (3) conducted the quarterly access review and verified that objectives were met.

Posted Date: 8/30/2012
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity failed to maintain a list of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets (CCAs), including their specific electronic and physical access rights to CCAs. The root cause of the violation was differing interpretations of the level of detail required for evidence of compliance. The entity’s documentation was not sufficient to demonstrate that a list was maintained that documents individuals’ specific electronic and physical access rights, nor to demonstrate that quarterly reviews were sufficient to verify the appropriateness of individuals’ physical and cyber access privileges.
Potential Risk: Undocumented access to operating system and database user accounts may have presented the risk of unauthorized access to those systems as well as eliminated the ability to investigate unauthorized access events and prevent future events.
Mitigation Action Taken: The entity revised its existing documentation to assign and review electronic access rights, including quarterly reviews of Active Directory accounts and Active Directory group privileges. This update also included defining existing Active Directory groups, the associated Active Directory group privileges and a formal process for verifying this information. In addition, as part of the documentation update process, the entity verified existing Active Directory group privileges and membership to ensure that they are accurate and appropriate.

Posted Date: 8/30/2012
Reliability Standard: CIP-005-1
Requirement: R1.5
Facts: The entity failed to afford the measures in CIP-007-3 R5 for Cyber Assets used in the control and monitoring of the Electronic Security Perimeter. Specifically, the entity failed to implement and document technical and procedural controls as required by CIP-007-3 R5. For certain firewalls, password complexity for local administrative accounts was subject only to procedural control. The entity asserted that the passwords met the CIP-007 password requirements for length, complexity and annual change through procedural controls. While these devices are capable of enforcing password complexity via technical means, these technical controls were not enabled, and no Technical Feasibility Exception (TFE) request was submitted.
Potential Risk: Failure to implement technical controls may result in weak passwords.
Mitigation Action Taken: The entity implemented technical controls for firewall passwords for length, complexity and annual change.

Posted Date: 8/30/2012
Reliability Standard: CIP-005-1
Requirement: R2
Facts: The entity failed to conduct CIP-004 R4 reviews of physical and cyber access as required by CIP-005-1 R2.5.3. Two employees that administer access points were included in quarterly review reports as having authorized access, but were not listed by specific device. It was determined that security appliances, access point devices and associated local administrator accounts were inadvertently omitted from the quarterly access review documents that address cyber access to Critical Assets and CCAs.
Potential Risk: Failure to conduct reviews of physical and cyber access may result in an unauthorized breach.
Mitigation Action Taken: The entity performed the following actions: (1) identified missing devices and associated accounts on the quarterly access review reports; (2) updated the quarterly access review reports to include omitted information; and (3) conducted the quarterly access review and verified that objectives were met.
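The omission described in the two access-review case notes above (CIP-004-1 R4 and CIP-005-1 R2) is mechanical to catch: reconcile the quarterly review report against the Cyber Asset inventory and list every device, and every local administrator account on it, that the report never names. The script below is an added example, not code from the NERC Case Notes or from any registered entity; the asset, account and reviewer names are constructed sample data, and the record layout is an assumption.

```python
"""Reconcile a quarterly access review report against the Cyber Asset inventory.

Added example for the two access-review case notes; it is not code from the
NERC Case Notes or from any registered entity. Asset names, account names and
reviewer names are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One Cyber Asset in the inventory, with its local administrator accounts."""
    name: str
    kind: str                      # "server", "firewall", "access_point", ...
    local_accounts: frozenset      # accounts that exist only on the device itself


@dataclass(frozen=True)
class ReviewEntry:
    """One line of the quarterly review report: a person and the devices the
    report lists for them. An empty device set is the case note's failure mode:
    access acknowledged but not tied to any specific device."""
    person: str
    devices: frozenset = field(default_factory=frozenset)


def find_review_gaps(inventory, report):
    """Return what the review report fails to cover.

    unlisted_devices          inventory assets named on no report entry
    generic_entries           people granted access but listed by no device
    unreviewed_local_accounts local admin accounts on unlisted devices, the
                              accounts whose use could not be investigated
    devices_not_in_inventory  report names matching no inventory asset, a
                              sign that the inventory itself is stale
    """
    listed = set()
    generic = []
    for entry in report:
        if entry.devices:
            listed.update(entry.devices)
        else:
            generic.append(entry.person)
    unlisted = [a for a in inventory if a.name not in listed]
    return {
        "unlisted_devices": sorted(a.name for a in unlisted),
        "generic_entries": sorted(generic),
        "unreviewed_local_accounts": sorted(
            f"{a.name}:{acct}" for a in unlisted for acct in a.local_accounts),
        "devices_not_in_inventory": sorted(listed - {a.name for a in inventory}),
    }


# Constructed sample data: the perimeter devices carry local admin accounts,
# and two reviewers appear on the report without any device attached.
SAMPLE_INVENTORY = (
    Asset("ems-app-01", "server", frozenset({"administrator"})),
    Asset("esp-fw-01", "firewall", frozenset({"admin"})),
    Asset("esp-ap-01", "access_point", frozenset({"admin"})),
)
SAMPLE_REPORT = (
    ReviewEntry("alice", frozenset({"ems-app-01"})),
    ReviewEntry("bob"),     # administers the access points, no device listed
    ReviewEntry("carol"),   # likewise
)

if __name__ == "__main__":
    for heading, items in find_review_gaps(SAMPLE_INVENTORY, SAMPLE_REPORT).items():
        print(f"{heading}: {items or 'none'}")
```

A report is ready to sign only when every list in the result is empty; the two perimeter devices and their local accounts would be flagged here exactly as they were missed in the case notes.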

Posted Date: 8/30/2012
Reliability Standard: CIP-005-1
Requirement: R5
Facts: The entity failed to follow its substation change control process to ensure all Critical Cyber Assets (CCAs) were identified and all documentation updated within the required 90 day period. Specifically, a number of decommissioned CCAs were not properly removed from the inventory list in a timely manner.
Potential Risk: Failure to review documents and procedures may result in inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity performed the following actions: (1) interviewed subject matter experts (SMEs) for each standard and requirement within each affected business unit; (2) determined whether any violations have occurred or whether processes are sufficiently robust to sustain compliance; (3) updated operating company compliance processes and procedures for CIP-002 through CIP-009; (4) conducted a second round of SME interviews and evidence reviews based on updated processes and procedures to confirm proper implementation and related documentation of the updated processes and procedures; (5) implemented the current internal change control process for changes to substation CCAs that were identified as not having followed the process; (6) created a substation change control checklist that meets the requirements of the internal change control process and is intended to provide evidence that steps required by the process were taken; (7) conducted a review of the current internal change control process and implemented a revised process that would confirm change control as part of the commissioning or decommissioning process in order to ensure CIP compliance before relevant devices are placed in service or removed; (8) developed and delivered training on the internal substation CCA change control process to all employees that have the potential to initiate a change to Cyber Assets in substations; and (9) conducted an on-site inventory of Cyber Assets at all substations identified as Critical Assets to ensure that all changes to Cyber Assets have been captured.

Posted Date: 8/30/2012
Reliability Standard: CIP-006-1
Requirement: R1
Facts: The entity failed to provide a completely enclosed (“six-wall”) border as part of an identified Physical Security Perimeter (PSP). While planning construction of a new backup control center, personnel noticed gaps in the perimeter above the ceiling tiles, where the walls did not extend completely to the solid ceiling. The gaps were discovered when areas were exposed during work on the HVAC systems. This discovery led to a review of all perimeters and the identification of a number of openings that did not meet the acceptable opening dimensions.
Potential Risk: Failure to plan and secure all Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity performed the following actions: (1) implemented additional security measures to reinforce security awareness and physical access controls; (2) sent a heightened awareness message to affected personnel; (3) configured main external entrances to the building for 24x7 authentication; (4) conducted a comprehensive review of the PSPs to assess compliance with the requirements of CIP-006-3 R1.1 and the acceptable opening dimensions as defined in CAN-0031; and (5) closed identified gaps in the PSP and installed restrictions in ductwork that traverses the perimeter boundaries.

Posted Date: 8/30/2012
Reliability Standard: CIP-006-3c
Requirement: R2
Facts: The entity failed to afford the protective measures specified in Standard CIP-007-3. Specifically, the entity failed to adequately review and retain Windows security event logs for a specific class of Cyber Assets used in the access control and monitoring of the substation Electronic Security Perimeters (ESPs).
Potential Risk: Failing to document organizational processes and technical and procedural mechanisms for monitoring security events for Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity performed the following actions: (1) revised the subject procedure to address modifications of shared Energy Management System (EMS) account access passwords in the event of a change of assignment; (2) changed EMS shared account passwords; (3) designed a manual log review process; (4) reviewed security logs; and (5) trained personnel on the new manual log review process.

Posted Date: 8/30/2012
Reliability Standard: CIP-006-3c
Requirement: R7
Facts: The entity failed to retain physical access logs for at least ninety calendar days as required by CIP-006-3c R7. A problem with the physical access control system’s file backup process resulted in corrupt data files for 75 hours of physical access logs within the 90 calendar day retention period. Further investigation revealed that the root cause was a conflict between the replication application and the automatic backup recovery system. All but 5 hours of the logs were recovered, and the unrecovered 5 hours constitute the violation.
Potential Risk: Failure to track access may result in unauthorized individuals gaining access to Cyber Assets.
Mitigation Action Taken: The entity worked with its software vendor and recovered most of its access logs, and reconfigured the system to preclude any subsequent data loss. These steps include modifications and enhancements to the backup configuration, replacement of network interface cards on the servers and increased system monitoring. The backup log frequency was changed from once every 24 hours to every 2 hours, and multiple backups of the log files are now housed at different locations.


Posted Date: 8/30/2012
Reliability Standard: CIP-007-3
Requirement: R3
Facts: The entity failed to document the assessment of Adobe Reader security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. The patch was installed 13 days after the thirty day timeframe. The root cause analysis identified poor communications and process weakness for non-Microsoft applications. The non-Microsoft vendors each have a different notification system and patch upgrade or release schedule that requires a manual download and assessment of the patches. When the system administrator responsible for these activities left employment, there was a gap in the reassignment of these activities.
Potential Risk: Out of date security patches may have allowed for unauthorized electronic access to Critical Cyber Assets.
Mitigation Action Taken: Upon discovering that an application was not running the latest security patch, the system administrator immediately proceeded to download, assess, test and install the security patch on the application. The system administrator then checked and confirmed that all applications installed on Energy Management System (EMS) Cyber Assets residing within the Electronic Security Perimeter (ESP) were running the latest security patch releases. EMS revised its security patch management monitoring and assessment process for non-Microsoft applications residing within the ESP as follows: (1) confirmed that correct EMS contact information is contained in all associated vendor patch release notification systems; and (2) revised the EMS security patch management procedure for non-Microsoft applications to require personnel to check with each vendor for security patch releases every 30 calendar days. Additionally, the entity added a list of the applications and their respective vendors to the procedure.


Posted Date: 8/30/2012
Reliability Standard: CIP-007-3
Requirement: R3
Facts: The entity failed to document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. The security patch notification process, at the time of the violation, was heavily reliant on contact from the vendor via email notifications. The entity did not receive notifications from the vendor for a three month period, after which it discovered that a patch had been released by the vendor.
Potential Risk: Out of date security patches may result in unauthorized electronic access to Critical Cyber Assets.
Mitigation Action Taken: For the discovered patch release, the entity’s subject matter expert (SME) immediately assessed existing security patches for applicability. No installations were necessary, as the patch was not applicable to the entity’s systems. The entity has adjusted its security patch process procedure to be less reliant on vendor notifications and to include a proactive approach to the discovery of the release of security patches, by requiring the SMEs to visit the vendor or manufacturer website on a monthly basis.

Posted Date: 8/30/2012
Reliability Standard: CIP-007-3
Requirement: R3
Facts: The entity failed to document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. In this case, the email alert was sent by the software vendor and received, but the entity’s system administrator inadvertently overlooked the email alert. This violation was discovered at the entity’s first newly instituted monthly security patch and upgrade review meeting, which goes over the available patches and upgrades for Cyber Assets.
Potential Risk: Out of date security patches may result in unauthorized electronic access to Critical Cyber Assets.
Mitigation Action Taken: The entity performed the following actions: (1) verified that more than one system administrator receives email alerts and has access to vendor technical support, security patches and upgrades for all Cyber Assets whose security patching or upgrading process relies on email alerts; (2) reviewed the current software version on the devices and compared it against all security patches and upgrades that were available; (3) developed an action plan to install any required security patches or upgrades that were not previously installed; (4) executed any security patches or upgrades that were determined to be required in the assessment described above; and (5) formalized monthly security patch and upgrade meetings as an additional layer of review for discovering, assessing, applying and tracking security patches and security upgrades.
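The three CIP-007-3 R3 case notes above share one clock (thirty calendar days from patch availability to a documented assessment) and three ways of missing it: a manual vendor-site check that lapsed when its owner left, vendor emails that never arrived, and an email that arrived but was overlooked by the only recipient. The tracker below is an added example, not code from the NERC Case Notes or any registered entity; the record layout, the email/vendor-site discovery field, the two-recipient rule and all dates are assumptions, except that the first sample record is built to reproduce the 13-day overrun from the Adobe Reader case.

```python
"""Track the thirty-calendar-day assessment window for security patches and flag
the notification weaknesses the case notes describe.

Added example, not code from the NERC Case Notes or any registered entity.
Applications, vendors, recipients and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_WINDOW = timedelta(days=30)   # thirty calendar days from availability


@dataclass
class PatchRecord:
    application: str
    vendor: str
    available: date                  # date the vendor made the patch available
    assessed: Optional[date] = None  # date the applicability assessment was documented
    discovery: str = "email"         # how releases are learned of: "email" or "vendor_site"
    notified: tuple = ()             # administrators who receive the vendor's email alerts


def assessment_status(rec, today):
    """Classify one patch against the 30-day window as of 'today'.

    Returns (status, days_over): 'on_time' or 'late' when an assessment is
    documented, 'pending' or 'overdue' when it is not.
    """
    deadline = rec.available + ASSESSMENT_WINDOW
    if rec.assessed is not None:
        over = (rec.assessed - deadline).days
        return ("late", over) if over > 0 else ("on_time", 0)
    over = (today - deadline).days
    return ("overdue", over) if over > 0 else ("pending", 0)


def process_findings(records, today):
    """Apply the checks the three mitigations amount to: every patch assessed
    inside the window, and no email-only notification path that depends on a
    single administrator (the assumed minimum is two recipients)."""
    findings = []
    for rec in records:
        status, over = assessment_status(rec, today)
        if status in ("late", "overdue"):
            findings.append(f"{rec.application}: assessment {status} by {over} day(s)")
        if rec.discovery == "email" and len(rec.notified) < 2:
            findings.append(
                f"{rec.application}: vendor alerts reach {len(rec.notified)} administrator(s)")
    return findings


# Constructed sample data. The first record mirrors the Adobe Reader note:
# assessed 43 days after availability, 13 days past the window.
SAMPLE_RECORDS = (
    PatchRecord("Adobe Reader", "Adobe", date(2012, 1, 2),
                assessed=date(2012, 2, 14), discovery="vendor_site"),
    PatchRecord("RTU configuration tool", "vendor-a", date(2012, 3, 1),
                discovery="vendor_site"),                       # never assessed
    PatchRecord("Historian client", "vendor-b", date(2012, 6, 1),
                assessed=date(2012, 6, 10), notified=("admin1",)),  # one recipient
    PatchRecord("EMS console", "vendor-c", date(2012, 5, 20),
                assessed=date(2012, 6, 1), notified=("admin1", "admin2")),
)
TODAY = date(2012, 6, 15)

if __name__ == "__main__":
    for line in process_findings(SAMPLE_RECORDS, TODAY):
        print(line)
```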

Posted Date: 8/30/2012
Reliability Standard: CIP-007-1
Requirement: R5
Facts: The entity failed to implement a password policy that conforms to the requirements of CIP-007 R5.3. The entity relied only on Microsoft’s standard password complexity and had certain devices that were not technically capable of enforcing the required password complexity controls.
Potential Risk: Failure to ensure password changes could weaken security, therefore increasing the risk of an unauthorized individual gaining access to sensitive information.
Mitigation Action Taken: The entity performed the following tasks: (1) set password complexity to meet the requirements of CIP-007-3 R5.3.2; (2) revised the cyber security policy to reflect specific password complexity requirements of CIP-007-3 R5.3.2; (3) disabled defunct accounts that were overlooked in the access reviews; (4) researched use of Microsoft custom password filters to supplement the Active Directory default password complexity; (5) documented and submitted Technical Feasibility Exception (TFE) requests for devices with technical limitations that do not support enforcement of the password control requirements of R5.3; (6) revised the cyber security training program to emphasize specific password complexity requirements of CIP-007-3 R5.3.2; and (7) completed resetting of local account passwords to ensure they meet the requirements of CIP-007-3 R5.3.
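As an added illustration of the controls in this row (not code from the NERC Case Notes or from any entity's mitigation plan), the following Python script checks a password against the CIP-007-3 R5.3.1 and R5.3.2 rule set as I read it (a minimum of six characters; a combination of alpha, numeric and "special" characters, with "special" taken here to mean any non-alphanumeric character, which is an assumption the standard does not spell out) and audits a constructed account export for the two account problems the row describes: defunct accounts that an access review missed, and passwords last set before the complexity setting took effect and therefore never checked against it. The account records, the 90-day inactivity cut-off and the policy effective date are hypothetical sample values.

```python
"""Password-complexity test and account-hygiene audit of the kind the CIP-007 R5
row describes.

Added example; not code from the NERC Case Notes or from any entity's
mitigation plan. Assumptions: the rule follows CIP-007-3 R5.3.1 (minimum six
characters) and R5.3.2 (alpha + numeric + "special"), with "special" read as any
non-alphanumeric character; accounts, the 90-day inactivity cut-off and the
policy effective date are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 6  # CIP-007-3 R5.3.1


def meets_cip007_complexity(password: str) -> bool:
    """True when the password has at least six characters and contains at least
    one letter, one digit and one "special" (non-alphanumeric) character."""
    if len(password) < MIN_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return has_alpha and has_digit and has_special


@dataclass
class Account:
    name: str
    enabled: bool
    password_last_set: date
    last_logon: Optional[date]  # None: the account has never logged on


# Constructed sample export of local accounts on one Cyber Asset.
ACCOUNTS = [
    Account("opsuser1", True, date(2012, 3, 15), date(2012, 5, 30)),
    Account("svc_hist", True, date(2011, 8, 1), date(2012, 5, 29)),      # password set under the old policy
    Account("contractor_x", True, date(2012, 3, 10), date(2011, 11, 2)),  # no logon for months
    Account("olduser", False, date(2010, 1, 1), date(2011, 1, 1)),       # already disabled
    Account("newhire", True, date(2012, 5, 20), None),                   # created recently, never logged on
]
AS_OF = date(2012, 6, 1)               # hypothetical audit date
POLICY_EFFECTIVE = date(2012, 3, 1)    # hypothetical date the complexity setting took effect


def audit_accounts(accounts, as_of, policy_effective, inactivity_days=90) -> Dict[str, List[str]]:
    """Classify enabled accounts.
    defunct:     no activity within inactivity_days (candidate for disabling)
    needs_reset: password last set before the policy took effect, so it was
                 never checked against the complexity rule
    ok:          neither
    Disabled accounts are skipped."""
    cutoff = as_of - timedelta(days=inactivity_days)
    report: Dict[str, List[str]] = {"defunct": [], "needs_reset": [], "ok": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_logon or acct.password_last_set
        if last_activity < cutoff:
            report["defunct"].append(acct.name)
        elif acct.password_last_set < policy_effective:
            report["needs_reset"].append(acct.name)
        else:
            report["ok"].append(acct.name)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for pw in ("abc123", "A1!", "aB3$56"):
        print(f"{pw!r}: {'meets' if meets_cip007_complexity(pw) else 'fails'} the R5.3 rule")
    for status, names in audit_accounts(ACCOUNTS, AS_OF, POLICY_EFFECTIVE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The complexity function is what a custom password filter would have to implement for devices that cannot rely on the Active Directory default; the audit is the list an access review should produce before accounts are disabled or passwords reset.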

Posted Date: 8/30/2012
Reliability Standard: PRC-005-1
Requirement: R1
Facts: The entity did not include a summary of the maintenance and testing procedures in its maintenance and testing program for Protection Systems that affect the reliability of the bulk power system (BPS). The entity has control over two related facilities, and all three organizations had individual programs that were deficient.
Potential Risk: Failure to include a summary may result in an inconsistent application of maintenance and testing procedures.
Mitigation Action Taken: The entity adopted a single unified Protection System maintenance and testing program for all of its facilities which included a summary of maintenance and testing procedures. Having a unified program document helps prevent future risk to the BPS, because it helps the entity better track changes, oversee and provide clarity to maintenance and testing requirements.

Posted Date: 8/30/2012
Reliability Standard: PRC-008-0
Requirement: R2
Facts: The entity failed to provide evidence of Under Frequency Load Shedding (UFLS) maintenance and testing, based on its documented UFLS program. Specific gravity test results for batteries were not documented at several substations.
Potential Risk: The entity could not ensure that its UFLS devices were functioning properly.
Mitigation Action Taken: The entity performed the following actions: (1) trained staff involved with UFLS substation equipment testing and maintenance; (2) corrected document issues by completing specific gravity tests at substations; (3) completed a comprehensive review of all UFLS substations to verify testing and maintenance has been completed; (4) trained staff on any gaps or issues found in the testing; and (5) performed testing on devices with missing records.




                                                                                                                                        Page 7                                                                                                                      Revised on August 30, 2012
Posted Date: 8/30/2012
Reliability Standard: VAR-002-1.1b
Requirement: R1
Facts: The entity failed to operate each generator connected to the interconnected transmission system in the automatic voltage control mode (automatic voltage regulator (AVR) in service and controlling voltage) and did not notify its Transmission Operator (TOP). The entity discovered that the unit was operating by design (control logic) in a constant Mvar control mode of the AVR since its installation. An additional review of all generator units identified additional instances where the Mvar control mode of the AVR was used during shutdown sequences at three units.
Potential Risk: Failure to operate in the correct mode may result in unreliable operation of the Interconnection.
Mitigation Action Taken: The entity performed the following actions: (1) notified its TOP that the unit was only able to control to an Mvar set point when the AVR was in service; (2) conducted an extent of conditions review of all generators to ensure voltage was being controlled at all times during unit operation (the information reviewed included operational data, functional descriptions in operating manuals, control logic and consultation with original equipment manufacturers); (3) notified the TOP as other gas turbines were identified as having a similar Mvar control mode through some period of operation; (4) modified the control logic to support voltage control of the generator when the AVR is in service as the primary mode of operation; and (5) verified with its TOP the status and capabilities of the AVR controls for each unit interconnected with the TOP.
Posted Date: 8/30/2012
Reliability Standard: VAR-002-1.1b
Requirement: R3.1
Facts: The entity failed to notify its associated Transmission Operator (TOP) within 30 minutes of a status or capability change on the automatic voltage regulator (AVR) and the expected duration of the change in status or capability. Following restoration of a wind farm to service, the automatic voltage control feature was not restored to operation at the time the wind turbine generators were put in service. The AVR was on; however, it was not enabled (controlling the voltage).
Potential Risk: Failure to notify the TOP may result in unreliable operation of the Interconnection.
Mitigation Action Taken: The entity performed the following actions: (1) enabled the automatic voltage control; (2) confirmed that auto-enable of automatic voltage control following a control system restart is in place at the facility; (3) programmed voltage control alarms at all facilities to provide a clear and consistent message when voltage control is not functioning properly; and (4) installed and tested alarming to provide notification of voltage control not in automatic controlling voltage. With the alarming of voltage control status via the SCADA system, the TOP will have current information on voltage control status and can take needed corrective actions or initiate notifications so that system voltage control is maintained. These alarms provide TOP notification automatically of the entity’s voltage control status changes, which helps prevent future risk to the bulk power system.

Posted Date: 1/5/2012
Reliability Standard: CIP-007-1
Requirement: R6
Facts: In this instance, the entity failed to implement security monitoring for 5,037 Cyber Assets. Of these, the entity stated it was technically infeasible to implement security monitoring for 4,419 Cyber Assets. However, the entity had not filed a Technical Feasibility Exception (TFE) for these devices. For the remaining 618 Cyber Assets, it was technically feasible to implement a security solution. These Cyber Assets comprised relays, controllers and printers, and are used in generation and transmission functions. The entity stated that the root cause was a lack of understanding of requirements and human error. Specifically, some Cyber Assets were not configured to log security events because personnel incorrectly assumed that anti-virus and host intrusion software did not require security logging. In addition, some Cyber Assets were not on the Cyber Asset list.
Potential Risk: Failure to implement security controls to monitor cyber security system events could allow unauthorized access to the Cyber Assets to go unnoticed and unchecked, potentially allowing malicious access to these assets. Such access may then be used to cause harm to Critical Cyber Assets essential to the operation of the bulk power system (BPS), thereby potentially negatively impacting the BPS.
Mitigation Action Taken: The entity stated all the Cyber Assets in scope did resume logging and took the following actions:
1. Updated its existing process for identification and remediation of systems that stop monitoring as a result of system or other operational issues. While the entity had a process in place at the time of the noncompliance that included identification and notification of problems, the process needed to be updated to clarify requirements and timelines for notification and documentation.
2. Completed and submitted TFEs Part A for relays, controllers, printers and the remote intelligent gateway (RIG) appliances where logging and automated monitoring is not technically feasible. Four separate TFEs were submitted, one for each device type.
3. The managed security service provider (MSSP) contracted by the entity completed on-boarding of network switch parsers, which supports full monitoring and analysis of all network devices.
4. Completed and submitted TFE Part B for the four TFEs submitted in milestone #2 once notification of acceptance of the TFE Part As was received from the regional entity.
5. Completed an assessment (including testing and selection) of logging/monitoring options for workstations within its Operational Data Network (ODN).
6. Completed implementation of the logging/monitoring solution identified in milestone #5.




Posted Date: 1/5/2012
Reliability Standard: CIP-007-3
Requirement: R3
Facts:
Scope 1: In this instance, the entity failed to assess, implement, and document patches, per its security patch management procedure. These patches were installed on all 17 of the entity's Cyber Assets located within 2 firewall ESPs, but hardware and software conflicts between the automated system and the control system equipment made the update system inoperable. While this issue was being resolved, the control equipment patching updates were expected to be loaded manually; however, this was not completed or documented as required. These assets were used for controlling its generating station.
Scope 2: The entity failed to assess and install security patches for Cyber Assets within an ESP. The Cyber Assets in scope are media converters and are located in control rooms in the main site power station.
The entity stated the root causes for these deficiencies include an old plant with historically non-integrated piecemeal systems, a lack of comprehensive historical knowledge of the plant systems, inadequate configuration of some of these devices for updating or data collection at the onset of the program, and incomplete assessment and documentation to support compliance.
Potential Risk: Failure to assess security patches could result in vulnerabilities remaining unaddressed for extended periods of time. This increases the risk of a successful cyber attack against Critical Cyber Assets essential to the operation of the bulk power system.
Mitigation Action Taken: In summary, the entity took the following actions:
1. Applied all the missed patches.
2. Filed Technical Feasibility Exceptions (TFEs) for devices that cannot be patched.
3. Updated patch assessment procedures to include a procedure for tracking patch availability and a manual procedure.
4. Trained employees on the updated procedures.
Posted Date: 1/5/2012
Reliability Standard: CIP-007-3
Requirement: R3
Facts: In this instance, the entity failed to document the assessment and implementation of security patches for 293 Cyber Assets located in Critical Asset substations, the energy management system (EMS) control area and the EMS backup control area. The entity misinterpreted CIP-007 R3.1. The entity thought documenting the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades applied only to operating system and firmware security patches, not application patches. The entity also did not realize that some vendors did not send out notification of their patches and that the entity would have to check the vendors' websites to find and assess the patches.
Potential Risk: Failure to assess and implement security patches could result in vulnerabilities remaining unaddressed for extended periods of time. This increases the risk of a successful cyber attack against Critical Cyber Assets essential to the operation of the bulk power system.
Mitigation Action Taken: The entity took the following steps:
1. Completed the inventory of software whose patches need to be assessed.
2. Selected a consultant and a software tool to manage the patch assessment process.
3. Revised the patch management process based on the software tool and feedback from the consultant.
4. Trained EMS, IT and physical security personnel on the updated patch management process.
5. Conducted patch assessment for the list of items compiled in step #1. Installation of patches will not be done during the mitigation plan. After assessment, if there is a decision to install a patch, the entity will prepare a plan to install the patch.
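The thirty-calendar-day assessment window appears in both CIP-007-3 R3 rows above, together with the point that some vendors publish patches without sending notifications, so availability has to be discovered by checking their websites. The following Python tracker is an added example, not code from the NERC Case Notes or from any entity's mitigation plan or patch-management tool; it classifies each constructed patch record against the window and lists vendors whose website is due for a manual check. Assumptions: the window is counted from the availability date and an assessment documented on day 30 is inside it; the patch identifiers are placeholders, and the reporting date and the 14-day website-check cadence are constructed values. The same record shape serves for tracking anti-virus signature availability under R4.

```python
"""Track security-patch availability against a 30-calendar-day
applicability-assessment window, and flag vendors that must be polled.

Added example; not code from the NERC Case Notes or from any entity's
mitigation plan or tool. Assumptions: the window is counted from the
availability date and day 30 is inside it; patch IDs are placeholders;
the reporting date and the 14-day website-check cadence are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ASSESSMENT_WINDOW = timedelta(days=30)      # thirty calendar days from availability
WEBSITE_CHECK_CADENCE = timedelta(days=14)  # hypothetical cadence for vendors that do not notify


@dataclass
class PatchRecord:
    software: str
    patch_id: str             # placeholder identifiers, not real vendor bulletins
    available: date           # date the vendor made the patch available
    assessed: Optional[date]  # date the applicability assessment was documented, if any


# Constructed sample patch log, reported as of AS_OF.
PATCHES = [
    PatchRecord("Windows Server 2008", "KB-SAMPLE-001", date(2011, 10, 1), date(2011, 10, 20)),
    PatchRecord("Windows Server 2008", "KB-SAMPLE-002", date(2011, 10, 1), date(2011, 10, 31)),
    PatchRecord("EMS application", "APP-SAMPLE-003", date(2011, 10, 1), date(2011, 11, 5)),
    PatchRecord("Relay firmware", "FW-SAMPLE-004", date(2011, 11, 20), None),
    PatchRecord("Media converter firmware", "FW-SAMPLE-005", date(2011, 10, 15), None),
]
AS_OF = date(2011, 12, 15)

# Constructed vendor list: (vendor pushes notifications?, date its website was last checked).
VENDOR_CHECKS: Dict[str, Tuple[bool, Optional[date]]] = {
    "Vendor A": (True, None),
    "Vendor B": (False, date(2011, 12, 10)),
    "Vendor C": (False, date(2011, 10, 1)),
}


def assessment_deadline(rec: PatchRecord) -> date:
    return rec.available + ASSESSMENT_WINDOW


def days_remaining(rec: PatchRecord, as_of: date) -> int:
    """Days left in the window; negative once it has closed."""
    return (assessment_deadline(rec) - as_of).days


def classify(rec: PatchRecord, as_of: date) -> str:
    deadline = assessment_deadline(rec)
    if rec.assessed is not None:
        return "assessed_on_time" if rec.assessed <= deadline else "assessed_late"
    return "pending" if as_of <= deadline else "overdue"


def assessment_status_report(records, as_of) -> Dict[str, List[str]]:
    """Group patch IDs by their status against the window."""
    report: Dict[str, List[str]] = {"assessed_on_time": [], "assessed_late": [], "pending": [], "overdue": []}
    for rec in records:
        report[classify(rec, as_of)].append(rec.patch_id)
    return report


def stale_vendor_checks(vendor_checks, as_of, cadence=WEBSITE_CHECK_CADENCE) -> List[str]:
    """Vendors that send no notifications and whose site has not been checked within the cadence."""
    stale = []
    for vendor, (notifies, last_checked) in vendor_checks.items():
        if notifies:
            continue
        if last_checked is None or as_of - last_checked > cadence:
            stale.append(vendor)
    return sorted(stale)


if __name__ == "__main__":
    for status, ids in assessment_status_report(PATCHES, AS_OF).items():
        print(f"{status}: {', '.join(ids) or '-'}")
    for rec in PATCHES:
        if rec.assessed is None:
            print(f"{rec.patch_id}: {days_remaining(rec, AS_OF)} day(s) left in the assessment window")
    print("vendor websites due for a manual check:", stale_vendor_checks(VENDOR_CHECKS, AS_OF))
```

The "pending" and "overdue" split is what turns the procedure into something that can be alarmed on before the window closes, and the vendor list is the manual-check step the second row says the entity had not realized it needed.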




Posted Date: 1/5/2012
Reliability Standard: CIP-007-3
Requirement: R4
Facts:
Scope 1: In this instance, the entity was not implementing anti-virus and malware prevention "signatures" to 7 (out of 17 total) of the entity's Cyber Assets. These Cyber Assets are located within five Electronic Security Perimeters (ESPs), but hardware and software conflicts between the automated system and the control system equipment made the update system inoperable. While this issue was being resolved, the control equipment anti-virus updates were expected to be loaded manually; however, this was not completed or documented as required. These assets are used to control the entity's remote turbines.
Scope 2: The entity failed to implement anti-virus and malware prevention tools to all 17 Cyber Assets within the entity's ESPs. These Cyber Assets are used to control its generation station.
The entity stated the root causes for these deficiencies include an old plant with historically non-integrated piecemeal systems, a lack of comprehensive historical knowledge of the plant systems, inadequate configuration of some of these devices for updating or data collection at the onset of the program, and incomplete documentation to support compliance.
Potential Risk: Failure to update anti-virus and malware prevention signatures could allow existing and/or new malicious software, originating from a security patch, service pack, vendor release, application or database update etc., to be introduced to the Cyber Assets, thereby exposing cyber security vulnerabilities in the Critical Cyber Assets essential to the operation of the bulk power system (BPS). If exposed, such vulnerabilities could negatively impact the normal operation of the BPS.
Mitigation Action Taken:
1. Applied all the missed signatures to Cyber Assets.
2. Installed anti-virus and malware prevention tools to Cyber Assets.
3. Filed Technical Feasibility Exceptions (TFEs) for devices on which anti-virus and malware prevention tools cannot be installed.
4. Updated anti-virus and malware procedures to include a procedure for tracking signature availability, testing, and a manual installation procedure (in case the automatic notification fails).
5. Trained employees on the updated procedures.




  1/5/2012        CIP-007-3                  R6            Configuration errors occurred when a security event           Failure to implement controls to monitor security     1. The entity corrected the configuration change that caused the logging issue on the 23 assets.
Facts (continued): monitoring (SEM) service account was changed from a domain administrative account to one with fewer privileges. The SEM service account is used to collect Windows authentication logs for Windows-based Critical Cyber Assets and Cyber Assets. In this instance, for 23 Cyber Assets (4 Critical Cyber Assets and 19 non-Critical Cyber Assets), the entity failed to maintain logs of security events for a minimum of ninety days. As a result, these 23 devices lost the ability to monitor security status events and alert for detected Cyber Security Incidents. The devices in scope are located in the system and backup control center. The entity stated the root cause was a lack of extensive test plans: a configuration change was made to the service accounts to make them non-interactive in an effort to improve the security posture, and the SEM team tested a sample set instead of ensuring all the collectors were collecting logs from all devices. As a result, the 23 devices did not get tested, which led to the failure to log security status events. Gaps in logging occurred, ranging from 45 minutes to 15 days.
Potential Risk (continued): status events could allow unauthorized access to the Cyber Assets to go unnoticed and unchecked, potentially allowing malicious access to these assets. In addition, such access may then be used to cause harm to Critical Cyber Assets essential to the operation of the bulk power system (BPS), thereby potentially negatively impacting the BPS.
Mitigation Action Taken (continued): 2. The entity configured an alert on the SEM solution such that non-responsive systems are escalated to task triage for further investigation. 3. The entity updated the test plan for the SEM solution to perform 100% asset scope validation whenever authentication changes associated with log collection occur.

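The 100% asset scope validation and the non-responsive-system alert described in the facts and mitigation above, as an added illustration that is not code from the Case Notes or from any registered entity. The asset names, the collector receipt timestamps, the 5-minute reporting cadence and the 30-minute silence threshold are constructed assumptions. The block contrasts the sample-based check, which passes because the sampled assets happen to be healthy, with a check over every in-scope asset, which reports the assets that stopped reporting after the service-account change and measures each logging gap.

```python
"""Full-scope validation of security-event log collection after a service-account change.

Added example, not code from the NERC Case Notes or from any registered entity. The asset
inventory, the collector receipt timestamps and the 30-minute silence threshold are
constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed inventory of in-scope Windows Cyber Assets: name -> True if Critical Cyber Asset.
INVENTORY = {
    "ems-app-01": True,
    "ems-app-02": True,
    "bkup-ems-01": True,
    "hist-01": False,
    "hmi-03": False,
    "jump-01": False,
}

# Constructed time of the service-account change and the time the check is run.
CHANGE_TIME = datetime(2011, 6, 1, 9, 0)
NOW = CHANGE_TIME + timedelta(hours=3)


def _every_5_min(up_to_minutes):
    """Constructed healthy pattern: one authentication log every 5 minutes after the change."""
    return [CHANGE_TIME + timedelta(minutes=m) for m in range(0, up_to_minutes, 5)]


# Constructed receipt times of authentication logs per asset, as seen by the SEM collector.
# "bkup-ems-01" is deliberately absent: the collector lost access to it after the change.
COLLECTED = {
    "ems-app-01": _every_5_min(180),   # healthy
    "ems-app-02": _every_5_min(20),    # stopped 15 minutes after the change
    "hist-01": _every_5_min(180),      # healthy
    "hmi-03": [CHANGE_TIME + timedelta(minutes=m) for m in (0, 5, 60, 65, 120, 125, 175)],  # intermittent
    "jump-01": _every_5_min(180),      # healthy
}

# Silence longer than this counts as a logging gap (assumed threshold).
SILENCE_THRESHOLD = timedelta(minutes=30)


def gaps(times, threshold, now):
    """Return (start, end) intervals longer than `threshold` in which no log was received,
    including the open interval from the last received log up to `now`."""
    ordered = sorted(times)
    found = [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > threshold]
    if ordered and now - ordered[-1] > threshold:
        found.append((ordered[-1], now))
    return found


def validate_scope(inventory, collected, now, threshold):
    """100% asset scope validation: examine every asset in the inventory, not a sample.
    Reports assets that never reported, assets currently silent, and every gap per asset."""
    report = {"never_reported": [], "silent": [], "gaps": {}}
    for asset in sorted(inventory):
        times = collected.get(asset, [])
        if not times:
            report["never_reported"].append(asset)
            continue
        asset_gaps = gaps(times, threshold, now)
        if asset_gaps:
            report["gaps"][asset] = asset_gaps
        if now - max(times) > threshold:
            report["silent"].append(asset)
    return report


def sample_validation(sample, collected, now, threshold):
    """The weaker check that missed the 23 devices: only the sampled assets are examined.
    Returns True when every sampled asset is currently reporting."""
    return all(
        asset in collected and now - max(collected[asset]) <= threshold for asset in sample
    )


def escalation_list(report, inventory):
    """Non-responsive assets to escalate for triage, Critical Cyber Assets first."""
    non_responsive = set(report["never_reported"]) | set(report["silent"])
    return sorted(non_responsive, key=lambda a: (not inventory[a], a))


def gap_range(report):
    """Shortest and longest observed gap across all assets as timedeltas (None if no gaps)."""
    lengths = [end - start for g in report["gaps"].values() for start, end in g]
    return (min(lengths), max(lengths)) if lengths else None


if __name__ == "__main__":
    healthy_sample = ["ems-app-01", "hist-01", "jump-01"]
    print("sample check passes:", sample_validation(healthy_sample, COLLECTED, NOW, SILENCE_THRESHOLD))
    full = validate_scope(INVENTORY, COLLECTED, NOW, SILENCE_THRESHOLD)
    print("escalate:", escalation_list(full, INVENTORY))
    print("gap range:", gap_range(full))
```

The point of the comparison is the one the mitigation makes: a sample of healthy collectors says nothing about the assets outside the sample, so the validation run after an authentication change has to iterate the full inventory, and an asset with no received logs at all must be treated as a finding rather than silently skipped.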
Posted Date: 3/7/2011
Reliability Standard: BAL-002
Requirement: R4
Facts: After a disturbance involving generation totaling 1,400 MW, the entity did not recover its Area Control Error within 15 minutes.
Potential Risk: Not recovering the Area Control Error within 15 minutes may have required that the entity carry additional reserves.
Mitigation Action Taken:
1. The entity increased the system-wide Ten-Minute Reserve (“reserve bias” by 10%) to 110% of the first contingency loss.
2. The entity increased the minimum Ten-Minute Spinning Reserve requirement from 25% to 50% of the first contingency.
3. The entity required the control room system operators to maintain a mix of Shared Activation of Reserves (assistance from external Balancing Authorities) and other reserves, assuming a non-performance factor (the amount of reserves called on in addition to the source loss assuming less than 100% performance of requested resources) of at least 140% of first contingency loss.
4. The entity assessed the performance of generation resources during the event (potential changes to operating practices).
5. The entity modified the key software display by providing the control room system operator with additional tools to view which market participant generation units have not acknowledged electronic dispatch signals.
6. The entity modified internal system operating procedures by making clear that the security-constrained economic dispatch solution should not be executed during an Area Control Error recovery period.
7. The entity conducted operator training. The entity included the procedure changes discussed above in training modules. A PowerPoint presentation was posted as a streaming video on the internal employee training site.




Posted Date: 12/30/2010
Reliability Standard: CIP-001-1
Requirement: R1
Facts: The entity lacked procedures for the recognition of and for making operating personnel aware of sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
Potential Risk: Personnel may not have been prepared for potential sabotage events.
Mitigation Action Taken: The entity updated its procedures for sabotage recognition. In addition, the entity's system operations trainer put together a PowerPoint presentation containing this information, and presented it to the system operators. The sabotage awareness PowerPoint presentation was posted as a streaming video on the internal employee training site. A section was added to the entity's employee handbook outlining sabotage recognition and reporting. Additionally, an internal article was published outlining the need for sabotage recognition and reporting and making employees aware of the changes to the handbook as well as the availability of the PowerPoint training materials on the internal site.

Posted Date: 3/7/2011
Reliability Standard: CIP-002-1
Requirement: R2; R4
Facts: The entity developed a list of Critical Cyber Assets but the list was not reviewed and updated annually as required. The entity did not have a signed and dated record of the senior manager or delegate’s annual approval of the list of Critical Assets, even if such lists were null.
Potential Risk: Failing to review the list of Critical Assets may have resulted in a failure to identify and protect new or modified Critical Cyber Assets. Failure to approve the Critical Cyber Assets list may have resulted in a lack of management awareness and failure to allocate resources to secure the Critical Cyber Assets.
Mitigation Action Taken: The entity reviewed its current risk-based methodology for identifying Critical Assets. As a result of this meeting, a new "null list" of Critical Assets and Critical Cyber Assets was created. A memorandum of record was signed by senior management approving the new "null list" of Critical Assets and Critical Cyber Assets. An electronic calendar containing due dates for all reliability council related filings, reviews, and approvals was created and maintained at the senior management level of the company to ensure that they occur on a timely basis. The due dates for filings, reviews and approvals are discussed at all semimonthly staff meetings.

Posted Date: 7/15/2011
Reliability Standard: CIP-002-1
Requirement: R3
Facts: When the entity developed a list of Critical Assets and Critical Cyber Assets, it did not include operator consoles essential to the operation of the control center as Critical Cyber Assets. The entity asserted that the consoles were not Critical Cyber Assets because of redundancy and available spares, while acknowledging that a subset of the available consoles was required in order to perform the reliability functions. Redundancy was not considered an acceptable reason for not declaring a Critical Cyber Asset where it otherwise would be: if an entity has one such Critical Cyber Asset and it is essential, then the existence of more than one Critical Cyber Asset with the same functionality does not change the fact that the function being performed is essential, and thus the workstations are essential regardless of how many exist.
Potential Risk: Failure to list consoles as Critical Cyber Assets did not afford those consoles the enhanced security protections required by the standard. This may have led to a failure to restore or control Critical Cyber Assets.
Mitigation Action Taken: The entity updated the Critical Cyber Asset list to include the systems.


Posted Date: 6/16/2011
Reliability Standard: CIP-002-1
Requirement: R3.1
Facts: The entity failed to identify certain workstations as Critical Cyber Assets.
Potential Risk: Without proper identification, a Critical Cyber Asset may not receive the appropriate levels of protection.
Mitigation Action Taken: The entity 1) removed remote access to the energy management system (EMS) control functions from workstations not defined as Critical Cyber Assets; 2) established Physical Security Perimeters and Electronic Security Perimeters for all locations where monitoring and control function of the EMS is allowed; and 3) identified the workstations as Critical Cyber Assets.




Posted Date: 3/1/2011
Reliability Standard: CIP-002-1
Requirement: R3.2
Facts: The entity removed certain assets from its list of Critical Cyber Assets because it did not believe these assets met the criteria for a Critical Cyber Asset. The entity reasoned that the functionality of these assets could easily be replaced with a variety of other available assets. It was later determined that these assets were essential to the operation of another Critical Asset and therefore were Critical Cyber Assets regardless of the availability of backups.
Potential Risk: Without its proper identification, a Critical Cyber Asset may not have received the appropriate levels of protection.
Mitigation Action Taken: The entity amended its list of Critical Cyber Assets to include the Assets that had been removed.

Posted Date: 7/15/2011
Reliability Standard: CIP-002-3
Requirement: R3.2
Facts: The entity inadvertently excluded several Critical Cyber Assets and Cyber Assets from its list of Critical Cyber and Cyber Assets. Specifically, several Cyber Assets that used a routable protocol within a control center were not included on the list.
Potential Risk: Without proper identification, a Critical Cyber Asset may not receive the appropriate levels of protection.
Mitigation Action Taken: The entity revised its list of Critical Cyber Assets and Cyber Assets to include those that were originally excluded and has centralized the list designation process in order to maintain a single control document.

Posted Date: 12/1/2011
Reliability Standard: CIP-003
Requirement: R6
Facts: The entity discovered three issues: 1) Assessments of certain security patches were not documented consistently and documentation was not consistent relative to adequate detail and/or required time period; 2) implementation or a determination of non-implementation of certain security patches was not documented consistently and documentation was not consistent relative to adequate detail; and 3) gaps in the monitoring for, or tracking of, security patches for a limited number of applications were identified.

Further, during its review of the above issues, the entity evaluated the effectiveness of its communications and training regarding security patch management enterprise-wide. The results of this survey indicated that its training and communications regarding security patch management were not sufficiently detailed to ensure consistent comprehension of applicable requirements and consistent detail relative to documentation associated with security patch management.

The entity failed to consistently document and track security patch assessments and applications pursuant to its established and documented change control and configuration management process policy and procedure, as required by R6.
Potential Risk: Lack of consistent documentation and tracking could lead to missed or misapplied patches, which in turn could weaken the security of Cyber Assets.
Mitigation Action Taken: The entity 1) assessed the status of Cyber Assets relative to available security patches and evaluated the status of patch implementation; 2) developed a team to revise the security patch management process; 3) identified and modified dependent processes; 4) revised all applicable policies and procedures; 5) trained affected employees; 6) tested and installed any and all new software; 7) assessed whether installed software components can be relocated outside the Electronic Security Perimeter; and 8) completed the relocation.




Posted Date: 3/1/2011
Reliability Standard: CIP-003-1
Requirement: R1
Facts: The entity’s CIP security policy referred to the requirements of CIP-002-1 through CIP-009-1 in a general manner but did not specifically address each requirement.
Potential Risk: Failing to address all requirements of CIP-002 through CIP-009 may have resulted in Critical Cyber Assets not having all protections afforded them by the Standards.
Mitigation Action Taken: The entity revised its CIP cyber security policy to include language to specifically address each of the requirements of CIP-002 through CIP-009.
Posted Date: 4/20/2011
Reliability Standard: CIP-003-1
Requirement: R1; R4
Facts: In three instances the entity did not implement its Information Protection Program for identifying, classifying, and protecting information associated with Critical Cyber Assets as the program was designed. First, due to software incompatibility, the entity failed to change passwords every sixty days in accordance with its Logical Access Control Procedure. Second, an employee had prolonged access to Critical Cyber Assets without training on cyber security. Finally, an employee sent two email messages that were not encrypted, even though they were designated to be encrypted.
Potential Risk: Failure to implement a protection program or change passwords may have resulted in an unauthorized individual gaining access to sensitive information pertaining to Critical Cyber Assets. Failure to provide cyber security training may have resulted in the employee lacking awareness of procedures and requirements. Finally, failure to properly encrypt messages may result in a risk to the confidentiality of information.
Mitigation Action Taken: After discovering the passwords had not been changed, personnel developed a technical alternative using a “dumb” terminal to overcome the incompatibility between security software, and changed all user account passwords. The entity also: ensured all individuals received required training; conducted a review of a secure e-mail users guide and made revisions to its e-mail encryption process; and developed and distributed awareness regarding encrypted e-mail and password change requirements.

Posted Date: 3/7/2011
Reliability Standard: CIP-003-1
Requirement: R2
Facts: The entity failed to identify the senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002 through CIP-009 by name, title, business phone, business address, and date of designation.
Potential Risk: Failure to identify the senior manager may have resulted in a lack of management buy-in and allocation of resources to secure Critical Cyber Assets. Accountability for ensuring compliance with the CIP standards may not have been clear if the single senior manager was not properly identified.
Mitigation Action Taken: The entity took the following actions: 1. developed a Board policy addressing regulatory compliance responsibilities; 2. specifically assigned responsibilities within a formal Reliability Standard compliance program document; and 3. required annual reviews of compliance responsibilities.
Posted Date: 7/15/2011
Reliability Standard: CIP-003-1
Requirement: R3
Facts: The entity could not provide evidence that the cyber security policy documentation of exceptions included compensating measures and a statement accepting risk. Additionally, the entity could not provide evidence for at least one exception that it had been reviewed and reapproved by the authorized senior manager even though the condition requiring the exception still existed. The policy in question required a quarterly password change, and the password for one of the servers subject to the policy could not be changed.
Potential Risk: Failure to document risks and compensating actions may have presented the possibility that vulnerabilities were not mitigated, which may have left Critical Cyber Assets exposed. Failure to change passwords may have allowed for stale or compromised passwords to be used for unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The exception list had one exception still required. The exception form was written to include compensating measures, which was reviewed and approved by the authorized senior manager.




Posted Date: 4/20/2011
Reliability Standard: CIP-003-1
Requirement: R4
Facts: The entity did not identify and protect information such as system configurations, system rule sets, critical security settings, etc. However, the entity identified and protected network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans and incident response plans.
Potential Risk: Failure to identify and protect security configuration information may have placed at risk Cyber Assets and the bulk power system.
Mitigation Action Taken: 1. The entity updated the list of Critical Cyber Assets protected information to ensure all system security configuration information was identified, classified and protected from unauthorized access. The comprehensive list of all critical energy infrastructure information included configuration information with references to where the critical energy infrastructure information was located. 2. The entity modified the existing policy to document the identification, classification and protection of all Critical Cyber Assets protected information. The policy identified how personnel were granted access to this information. The policy included a change management process for incorporating new Critical Cyber Assets information or changes to existing Critical Cyber Assets information. 3. The entity trained affected employees on the policy to ensure Critical Cyber Assets information is identified, classified and protected as required by the standard.

Posted Date: 4/29/2011 | Reliability Standard: CIP-003-1 | Requirement: R4
Facts: The entity discovered that a network folder designated to contain CIP-confidential information was inadvertently configured to allow any entity employee read-only access to the information contained in that folder.
Potential Risk: Unnecessary exposure of a CIP-confidential network folder may have jeopardized sensitive information pertaining to Critical Cyber Assets.
Mitigation Action Taken: The entity determined that the exposure was the result of the lack of a formal process and training concerning how to create folders on shared drives with restricted access rights. Thus, the entity: 1) limited access controls to the exposed folder; 2) implemented a process to assure all necessary access controls are managed by its IT department; 3) conducted a root cause analysis of the events surrounding the access to folders; and 4) developed training on the enhanced process for creation of and changes to confidential files.

Posted Date: 7/15/2011 | Reliability Standard: CIP-003-1 | Requirement: R4
Facts: The entity did not employ the information classification program on documentation that should be protected under this program based on the sensitivity of the Critical Cyber Asset information, nor had its staff been trained on the information protection program. The entity indicated that the program was outlined in the previous cyber security plan, but was not being executed.
Potential Risk: Failure to use the information classification program on documentation that should be protected may have presented the risk of sensitive documents being exposed to unauthorized access and viewing.
Mitigation Action Taken: The entity 1) developed and documented an information protection program as required; 2) trained appropriate staff on the program; 3) implemented the program to identify, classify, and protect information associated with Critical Cyber Assets; and 4) implemented security and permission management for protected information.

Posted Date: 4/20/2011 | Reliability Standard: CIP-003-1 | Requirement: R5
Facts: The entity failed to implement an information protection program in a timely manner.
Potential Risk: Failure to implement an information protection program may have exposed sensitive information related to Critical Cyber Assets.
Mitigation Action Taken: The entity developed and documented an information protection program as required by CIP-003 R4. The entity trained appropriate staff on the program. As part of the program, the entity began implementation to identify, classify, and protect information associated with Critical Cyber Assets. The entity implemented security and permission management for protected information.

Posted Date: 4/20/2011 | Reliability Standard: CIP-003-1 | Requirement: R6
Facts: The entity did not have a formal change control policy for all Critical Cyber Assets hardware, software, and security configurations. However, the entity applied a change control program for its software environment.
Potential Risk: Failure to have a formal change control policy may have resulted in exposing Cyber Assets to vulnerability when making modifications to hardware, software, or security configurations.
Mitigation Action Taken: 1. The entity continued to utilize a spreadsheet to document all changes to the Critical Cyber Assets environment. The spreadsheet contained such information as change name, date, brief description, hardware and software affected and reference to testing results (where applicable). 2. The entity documented a process and supporting policy for a new change control methodology considering different types of infrastructure and types of changes (i.e., emergency, low risk, levels of approvals, patches, etc.) for Critical Cyber Assets. Consideration was placed on testing requirements in CIP-007 R1. 3. The entity developed applicable templates, forms, and change systems utilized to support the change control process. 4. The entity trained affected employees on the supporting process and policy to ensure Critical Cyber Asset information is identified, classified and protected as required by the standard.



Page 15 | Revised on August 30, 2012
Posted Date: 12/1/2011 | Reliability Standard: CIP-004 | Requirement: R2
Facts: An employee who had not completed CIP training was granted access to one Physical Security Perimeter (PSP). The employee was granted access for 22 hours before security recognized the error. The cause of the unauthorized access was determined to be human error by the PSP owner and an agent, who failed to follow the established process for granting physical access to Critical Cyber Assets.
Potential Risk: Granting individuals access to areas for which they have not received the appropriate training could increase the risk of unintentional harm to Critical Cyber Assets or Cyber Assets.
Mitigation Action Taken: The entity 1) revised its process for granting physical access to require the central alarm station supervisor to approve and implement all access requests; 2) provided training on the revised procedure; and 3) updated its electronic process for granting physical access to force verification of completion of the required training.

Posted Date: 12/1/2011 | Reliability Standard: CIP-004 | Requirement: R4; R4.2
Facts: The entity failed to revoke a contractor’s electronic access to Critical Cyber Assets within seven days of the contractor resigning his/her position. The entity’s policy requires that the manager make the appropriate notifications when an employee or contractor is terminated so that access would be revoked. In this case, the manager collected all means by which the contractor could gain access (employee ID card, secure ID, computer), but failed to make the appropriate notification within the proper timeframe.
Potential Risk: Failure to maintain accurate access lists increases the risk of an unauthorized individual gaining access to, and potentially damaging or sabotaging, Critical Cyber Assets.
Mitigation Action Taken: The entity 1) immediately revoked the contractor’s electronic access upon discovery; 2) issued communication to relevant staff on employee termination procedures; and 3) instituted quarterly manager reminders of responsibilities for termination of employees or contractors with NERC CIP access.

Posted Date: 2/15/2011 | Reliability Standard: CIP-004-1 | Requirement: R2
Facts: During an internal review, the entity discovered that some of its personnel were granted authorized cyber access and unescorted physical access to Critical Cyber Assets even though they did not complete the required training.
Potential Risk: Personnel may not be familiar with policies, access controls, and procedures for operating the Critical Cyber Assets.
Mitigation Action Taken: All of the personnel granted authorized cyber access and unescorted physical access to the Critical Cyber Assets completed the required training. Additionally, the entity purchased a Reliability Standards compliance tracking software application that will automatically send all entity personnel granted authorized cyber and unescorted physical access to Critical Cyber Assets an e-mail notification on an annual basis reminding them to complete the required training. A response is required and the entity’s compliance manager has access to all training records for verification.

Posted Date: 3/1/2011 | Reliability Standard: CIP-004-1 | Requirement: R2
Facts: The entity lacked evidence to confirm that annual training was provided to contractor personnel.
Potential Risk: Personnel may not have been familiar with policies, access controls, and procedures for operating the Critical Cyber Assets.
Mitigation Action Taken: The entity provided training for all personnel with access to its Critical Cyber Assets. A training booklet was developed and sent to all vendors with access to the Critical Cyber Assets.

Posted Date: 3/7/2011 | Reliability Standard: CIP-004-1 | Requirement: R2
Facts: The entity did not train an employee within 90 days of being granted access to Critical Cyber Assets.
Potential Risk: The employee may not have been aware of proper use of Critical Cyber Assets and related information in accordance with the entity's policies.
Mitigation Action Taken: All requests for access were routed through the entity's human resources department for confirmation that a personnel risk assessment and cyber security training had been performed prior to the access request being processed. The new process for granting access is automated and removes the need for the training coordinator to manually keep track of individuals needing training prior to access being granted. All documentation and procedures were modified to reflect this change.




Posted Date: 3/7/2011 | Reliability Standard: CIP-004-1 | Requirement: R2
Facts: The entity's training records for calendar year 2008 had employees listed on the entity's Critical Cyber Assets access list without documentation of required annual cyber security training for calendar year 2008.
Potential Risk: Personnel may not have been aware of proper use of Critical Cyber Assets and related information in accordance with the entity's policies.
Mitigation Action Taken: The entity revoked access to Critical Cyber Assets areas for anyone that did not have an updated personal risk assessment (within the last seven years) or Critical Cyber Assets training within the past year. Additionally, the entity: 1. Consolidated all access lists and created only one Critical Cyber Assets access list that is now maintained by the compliance department; 2. Verified Critical Cyber Assets training documentation for each person on the master Critical Cyber Assets access list. If Critical Cyber Assets documentation did not exist or was not in the form necessary to meet the requirements set forth in the standard, then that employee’s access was revoked; 3. Created a procedure for granting access to Critical Cyber Assets areas. The procedure requires the compliance department to review all requests to ensure a proper personal risk assessment is available and the Critical Cyber Assets training has been completed and properly documented; 4. Required that, at a minimum of once per quarter, staff in the compliance department review each Critical Cyber Assets access list to ensure that no employee without a current personal risk assessment and Critical Cyber Assets training has access.

Posted Date: 3/7/2011 | Reliability Standard: CIP-004-1 | Requirement: R2; R3
Facts: The entity was unable to provide evidence that annual retraining had been completed by 20 of its 582 staff with authorized cyber access or unescorted physical access to Critical Cyber Assets.
Potential Risk: Lack of CIP training may result in inadequate awareness of the requirements for treatment of Critical Cyber Assets and inadequate protection of Critical Cyber Assets.
Mitigation Action Taken: 1. The entity reviewed all individuals with authorized cyber access and unescorted physical access to Critical Cyber Assets. 2. The entity verified that all individuals with authorized cyber access and unescorted physical access to Critical Cyber Assets have received the required training. 3. The entity provided training to 20 personnel lacking the retraining (or lacking the necessary evidence of retraining). 4. All Human Resources Facility Managers were provided a copy of their site status, showing who had been trained, last training date, and next retraining date. These lists are reviewed weekly. 5. The entity instituted a system to capture all training records, and anyone who was trained without using the system was captured using a manual sign-in sheet which is closely monitored by the Human Resources staff. 6. The entity reviewed and revised procedures to ensure that necessary training was taken for continuing access and to prevent redundant training. 7. The entity communicated training procedure changes and the quality of training evidence expected to all training representatives. 8. The entity automated the existing manual physical access request process into an application to monitor and track required training records. The entity provided training to relevant representatives.

Posted Date: 2/15/2011 | Reliability Standard: CIP-004-1 | Requirement: R2; R3; R4
Facts: The entity failed to provide documentation evidencing that all personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets have had personnel risk assessments (PRAs), training, and are detailed on an access list.
Potential Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The entity created a physical folder for each individual who has unescorted physical access and/or authorized electronic access to Critical Cyber Assets. These folders contain all evidence of receipt of NERC CIP awareness training prior to authorizing the individual’s cyber or unescorted physical access to a Critical Cyber Asset. Personnel verified that the information in the security file folders matched the information in the physical and electronic access lists and the CIP personnel list. The entity also implemented a new policy that ensures the expiration date for an individual’s proximity card for physical access to Critical Cyber Assets will be the earlier of: the expiration of the individual’s CIP awareness training or the expiration of the individual’s PRA. This ensures that no individual will have unescorted physical access to a Critical Cyber Asset facility without (1) authorization, (2) an up-to-date PRA, and (3) annual CIP awareness training.




Posted Date: 2/15/2011 | Reliability Standard: CIP-004-1 | Requirement: R3
Facts: The entity performed an internal review and discovered that some of the personnel granted unescorted physical access to its Critical Cyber Assets did not have a personnel risk assessment.
Potential Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The entity completed personnel risk assessments on all employees having authorized cyber or authorized unescorted physical access to Critical Cyber Assets and established an automated system of notification prior to when personnel are required to have a new PRA performed.

Posted Date: 3/1/2011 | Reliability Standard: CIP-004-1 | Requirement: R3
Facts: Several of the entity’s personnel lacked personnel risk assessments.
Potential Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The access list was recreated from source data (i.e., login IDs for electronic access and card reader data for physical access) to ensure the list was complete. This list was audited to verify that all individuals with access had completed training and the personnel risk assessment. Where either training or personnel risk assessments had not been completed, access was removed pending completion. Finally, processes to ensure compliance with the requirements of CIP-004 relating to training, personnel risk assessments, timely removal of access, and maintenance of the master access list were revised to minimize the risk of recurrence.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: The entity did not have documentation verifying current personnel risk assessments for thirteen employees that had access to Critical Cyber Assets areas.
Potential Risk: Missing personnel risk assessments may have allowed otherwise unqualified individuals access to Critical Cyber Assets.
Mitigation Action Taken: The entity revoked access to Critical Cyber Assets areas for anyone that did not have an updated personnel risk assessment (within the last seven years) or Critical Cyber Assets training within the past year. Additionally, the entity:
1. Consolidated all access lists and created only one Critical Cyber Assets access list that is now maintained by the newly formed compliance department;
2. Verified Critical Cyber Assets training documentation for each person on the master Critical Cyber Assets access list. If Critical Cyber Assets documentation did not exist or was not in the form necessary to meet the requirements set forth in the standard, then that employee's access was revoked;
3. Created a procedure for granting access to Critical Cyber Assets areas. The procedure requires the compliance department to review all requests to ensure a proper personnel risk assessment is available and the Critical Cyber Assets training has been completed and properly documented;
4. Required that, at a minimum of once per quarter, staff in the compliance department review each Critical Cyber Assets access list to ensure that no employee without a current personnel risk assessment and Critical Cyber Assets training has access.

Posted Date: 7/15/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: In a random sampling of personnel risk assessment records for personnel with access to Critical Cyber Assets, the entity did not conduct the required assessment for four individuals within thirty days of being granted access, as required by its documented personnel risk assessment program.
Potential Risk: Failure to complete personnel risk assessments for those with access to Critical Cyber Assets may not have ensured that those persons are qualified to access the Critical Cyber Assets networks.
Mitigation Action Taken: Background investigations were completed before unescorted physical access or electronic access to a Critical Cyber Asset was given to an individual. The entity put in place a workflow to verify the progress of each person through the background investigation process. The workflow required the entity's security department to inform the requesting person of completion of each step of the process. This also ensured that no one was inadvertently omitted from having the background investigation done.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Upon two instances of a position transfer, the entity did not revoke authorized unescorted physical access to Critical Cyber Assets within seven calendar days for personnel who no longer required such access. The entity failed to update its list of personnel with authorized unescorted physical access to Critical Cyber Assets within seven calendar days of a change of personnel with such access.
Potential Risk: Personnel no longer authorized for access may have been able to access Critical Cyber Assets. In addition, unauthorized personnel may have utilized these credentials to gain entry without raising suspicion.
Mitigation Action Taken: As an interim measure, the entity's personnel department manually generated e-mail notification to the security department, informing it of any lateral transfer of any consultants so that the security department can revoke access and update the access list in a timely manner. The entity's security department retrained its employees and implemented a procedure in which security department employees cross-check the work from the prior day on access matters to ensure that access profiles are properly modified. This also ensured that the access list is properly updated. The entity's IT group made necessary changes in the software utilized by the personnel department so that it also triggers a notification to the security department for a lateral transfer of a consultant. This mitigation plan eliminated the need for the manual notification (described above) implemented as an interim measure.


Page 18. Revised on August 30, 2012
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error, an employee was inadvertently added to the unescorted physical access list for eight days.
Potential Risk: Unauthorized personnel may have gained access to Critical Cyber Assets.
Mitigation Action Taken: The security department revised its procedures such that the security department employees cross-check work from prior days on access matters at least every seven calendar days, including granting new access. The appropriate security personnel were trained on the revised procedure. The cross-check verified that all access changes made are accurate and appropriate.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The security department personnel did not follow procedure to follow up or escalate an unanswered e-mail notification relating to access removal.
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department developed and implemented a new process for succinctly checking and approving every step for granting access. This new process also clearly defines the steps to follow up with supervisors upon receiving an employee's transfer notification. The appropriate security personnel have been retrained on the new process. The new process requires security personnel to take a definite action at every step.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: A supervisor did not collect the badge of a terminated consultant, nor did the supervisor file termination paperwork in a timely manner. Supervisors did not file paperwork for terminated consultants in a timely manner.
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department developed an advisory for supervisors to review access lists of their employees and consultants on at least a quarterly basis. It emphasized the importance of timely completion of paperwork for any job status changes (transfer and termination) and of collecting badges upon termination. Accompanying the advisory was a list of employees with unescorted access. The advisory was intended to prevent late filing of paperwork by supervisors and to aid the timely collection of badges from terminated employees and consultants.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error, an employee's unescorted physical access was not removed within seven calendar days after the security department was notified.
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department revised a computerized process to include identification of time-sensitive workflows. The security department personnel were instructed to select the appropriate due date when creating assignments for time-sensitive workflow notifications. This process was intended to prevent human errors in removing access for time-sensitive workflows.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: An isolated software issue prevented workflow notifications for a transferred employee. Due to human error in the information technology department, time-sensitive workflow notifications were not received, and an employee's unescorted physical access was not removed within seven calendar days.
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department implemented the policy of producing an automated report of all personnel changes from the previous day. The security department employees reviewed the report at least every seven calendar days and verified that notifications of the corresponding access changes were received. The appropriate security personnel were trained on this new process. This process was intended to prevent human errors and isolated software problems from blocking access from being removed within seven days.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error in the information technology department (a coding change in the card access system), an employee was inadvertently granted access, adding the employee to the unescorted physical access list.
Potential Risk: Unauthorized personnel may have been given access to Critical Cyber Assets.
Mitigation Action Taken: The information technology department employees produced an automated report of all card access system changes from the previous day. All changes are reviewed at least every seven calendar days by security department personnel to ensure that any card access system changes from previous days, including granting access, removing access, and coding changes, are accurate and appropriate. The appropriate security personnel were trained on reviewing the automated report.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to inaccurate status information in a software application, the access list was not updated within seven calendar days after the termination of a consultant.
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department produced an automated report of all active card access system badge holders with protected access that have non-active accounts in the software application. This report was reviewed at least every seven calendar days by the security department personnel to verify that all active badge holders have active accounts in the software application. The appropriate security personnel were trained on reviewing the automated report.




Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: A supervisor did not respond to a supervisor advisory (Protected Area Access Advisory).
Potential Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department created a computer based training to clarify the importance of responding to the supervisor advisory in a timely manner. The information technology department reviews, revises and administers the computer based training at least annually. This computer based training informed the supervisors of their responsibility through formal training.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity did not properly maintain its list of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets (specifically the entity's service vendors with authorized cyber access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets).
Potential Risk: Unauthorized vendor personnel may have been given access to Critical Cyber Assets.
Mitigation Action Taken: The entity thoroughly reviewed its current procedure and methods for updating its list of personnel with authorized cyber and authorized unescorted physical access to Critical Cyber Assets and added the list of contractors that had been omitted from the previous method the entity used for updating and maintaining its list of personnel with authorized cyber and authorized unescorted physical access to Critical Cyber Assets.

Posted Date: 7/15/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity did not adequately maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The entity maintained records of personnel with electronic access to networking and communications devices and key software displays, with access rights. However, access was not documented for operating system or database user accounts. Additionally, while the documented access was being reviewed quarterly for employees, the continued need for access by key software vendor support personnel was not confirmed with the vendor.
Potential Risk: Undocumented access to operating system and database user accounts may have presented the risk of unauthorized access to those systems and the inability to investigate unauthorized access events and prevent future events.
Mitigation Action Taken: The entity added columns to its spreadsheet used to track personnel and training and included a column describing access to all Critical Cyber Assets including key software. The entity requested its vendor to verify the status of personnel on the access list. The entity received confirmation from the vendor that the list is still accurate and relevant. The entity also requested, and received, a letter from its vendor stating that it would notify the entity within twenty-four hours of employee termination for cause, or within seven days for personnel who no longer require access to the entity's Critical Cyber Assets.

Posted Date: 2/15/2011
Reliability Standard: CIP-004-2
Requirement: R4
Facts: The entity failed to revoke access for one individual who had authorized unescorted physical access to Critical Cyber Assets. The entity's contractor failed to follow the entity's established procedure for the contractor to notify the entity within seven calendar days if a guard's authorized unescorted physical access to Critical Cyber Assets was no longer needed. The entity's procedures required notification even if the guard could be recalled under the contingency agreement. In this case, the guard's physical access to Critical Cyber Assets was not revoked within seven calendar days.
Potential Risk: Unauthorized individuals had access to the Critical Cyber Assets.
Mitigation Action Taken: The entity disabled the ID badge/card key and reviewed the requirement regarding physical access to facilities. The entity initiated a new process requiring weekly reports of guards assigned to Critical Cyber Asset areas, and the entity will conduct a training session with the contractor management team on the importance of NERC CIP requirements.




Posted Date: 9/13/2011
Reliability Standard: CIP-004-3
Requirement: R3

Facts: One individual with only physical access to the entity’s Physical Security Perimeter (PSP) did not have an updated personnel risk assessment (PRA) within the 7-year timeframe required by the standard. The entity stated there were 169 total personnel with access to this PSP and it contains a server and workstation that were a part of its SCADA system. The SCADA system is used to control and acquire data for the entity’s generators and substations. There was a 13-month gap in completing the identified individual’s PRA due to an error in entering the previous PRA completion date from an external vendor’s website to an internal spreadsheet used by the security department. During the entity’s PRA process review and root cause evaluation, two process weaknesses were identified: the manual nature of the data transfer process and the reliance on just one individual to conduct the data integrity reviews.

Potential Risk: Failure to conduct a PRA could lead to improperly vetting the identity and criminal history of personnel managing Critical Cyber Assets (CCAs) that could result in malicious access to these assets. Such access may then be used to cause harm to CCAs essential to the operation of the bulk power system (BPS), thereby potentially negatively impacting the BPS.

Mitigation Action Taken:
1) The entity removed physical access to CCA sites for the identified individual.
2) Each entry of the spreadsheet containing PRA information was reviewed to ensure there were no errors for other authorized individuals.
3) The PRA process was reviewed including an evaluation of the root causes.
4) Changes to the PRA review process that were identified and implemented included:
   a) The information stored in the spreadsheet was converted into an Access database application. This database application includes PRA, security awareness training and CCA access data for each applicable individual.
   b) All appropriate parties participated in instructor-led training sessions on the new database application.
   c) The entity requested all historical PRA information from its vendor and then imported it into the new database. An ongoing monthly extract of PRA information is scheduled with the vendor.
   d) A database report was created that identifies all PRAs due within the next year.
   e) Quarterly monitoring activities conducted by the entity’s security department are now reviewed by the IT compliance department.
   f) A user guide was created for the database application.


Posted Date: 6/16/2011
Reliability Standard: CIP-004-3
Requirement: R3.2

Facts: The entity was calculating the interval for completing seven-year personnel risk assessments (PRAs) based on an individual’s hire date, rather than the date of his/her last PRA.

Potential Risk: Using an individual’s hire date does not ensure the individual is current with his/her PRA.

Mitigation Action Taken: The entity 1) completed all necessary seven-year PRAs; 2) completed a review of all individuals with a PRA report; 3) updated its personnel tracking system to reflect last date of PRA as opposed to hire date; 4) updated its documentation to reflect process improvements; 5) completed a reconciliation to determine that all personnel (including contractors) are in the personnel tracking system; 6) developed and administered training; and 7) utilized an outside consultant to perform an independent review of its processes.
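The two CIP-004-3 cases above turn on the same bookkeeping question: whether a PRA is current has to be computed from the date of the last completed PRA, and a mis-keyed completion date has to be caught before it silently extends someone's window. The Python below is an added illustration of such a tracking report; it is not code from the case notes or from any registered entity, and the Person records, the dates, the one-year reporting window and the status names are constructed assumptions for the example.

```python
"""PRA currency report for CIP-004 R3: due dates come from the last PRA, never the hire date.

Added illustration; the Person records and every date value are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PRA_INTERVAL_YEARS = 7       # seven-year PRA cycle described in the case notes
DUE_SOON_WINDOW_DAYS = 365   # window for a "PRAs due within the next year" report (assumed)


@dataclass
class Person:
    name: str
    hire_date: date
    last_pra: Optional[date]   # None when no completed PRA is on record
    has_cca_access: bool       # physical or electronic access that requires a PRA


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def pra_due_date(p: Person) -> Optional[date]:
    """Next PRA is due PRA_INTERVAL_YEARS after the last completed PRA."""
    return None if p.last_pra is None else add_years(p.last_pra, PRA_INTERVAL_YEARS)


def due_date_from_hire(p: Person) -> date:
    """The flawed calculation from the 6/16/2011 case, kept only to show how it hides an overdue PRA."""
    return add_years(p.hire_date, PRA_INTERVAL_YEARS)


def pra_status(p: Person, today: date) -> str:
    """Classify one person as of `today`."""
    if not p.has_cca_access:
        return "NOT_REQUIRED"
    if p.last_pra is None:
        return "MISSING"
    if p.last_pra > today:
        # A completion date in the future can only be a data-entry error, the root cause in the 9/13/2011 case.
        return "BAD_DATE"
    due = pra_due_date(p)
    if due <= today:
        return "OVERDUE"
    if (due - today).days <= DUE_SOON_WINDOW_DAYS:
        return "DUE_WITHIN_YEAR"
    return "CURRENT"


def pra_report(people, today: date) -> dict:
    """Group names by status; the OVERDUE, MISSING and BAD_DATE buckets need action today."""
    report = {}
    for p in people:
        report.setdefault(pra_status(p, today), []).append(p.name)
    return report


AS_OF = date(2011, 6, 16)
SAMPLE_PEOPLE = [  # constructed records
    Person("alice", date(2003, 5, 10), date(2010, 2, 15), True),   # current until 2017-02-15
    Person("bob",   date(2005, 6, 1),  date(2003, 9, 1),  True),   # PRA predates hire; overdue since 2010-09-01
    Person("carol", date(2008, 8, 8),  None,              True),   # no PRA on record
    Person("dave",  date(1999, 3, 3),  date(2004, 12, 1), True),   # due 2011-12-01, inside the one-year window
    Person("erin",  date(2010, 1, 1),  date(2011, 10, 1), True),   # mis-keyed future completion date
    Person("frank", date(2001, 4, 4),  None,              False),  # no CCA access, no PRA needed
]

if __name__ == "__main__":
    for status, names in sorted(pra_report(SAMPLE_PEOPLE, AS_OF).items()):
        print(f"{status:16s} {', '.join(names)}")
    bob = SAMPLE_PEOPLE[1]
    print("bob: hire-date method says due", due_date_from_hire(bob),
          "; last-PRA method says due", pra_due_date(bob))
```

Run against the sample, "bob" is the instructive record: the hire-date method reports him due in 2012, while the last-PRA method shows him overdue since 2010, which is exactly the gap the 6/16/2011 entity closed by keying its tracking system on the PRA date.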




                                                                                                                                         Page 21                                                                                                                     Revised on August 30, 2012
Posted Date: 12/1/2011
Reliability Standard: CIP-005
Requirement: R1; R1.6

Facts: The entity discovered several devices that had console routers connected to their management ports that were not located within an Electronic Security Perimeter (ESP). The console routers were not located within an ESP. The devices discovered consisted of two Critical Cyber Asset firewalls and three Cyber Assets used in the access control and monitoring of ESPs. The console routers constituted an access point to the ESP but were not documented per the requirements in CIP-005 R1.6. In addition, the entity discovered Cyber Assets were installed within substation ESPs without being identified as Critical Cyber Assets or as non-Critical Cyber Assets within the ESP. Some of the devices were not previously identified because of incorrectly configured router settings. The IP configurations were correct such that the devices were within the ESP; however, without the proper router setting, they could not communicate outside the ESP and were, therefore, not recognized. Other devices were discovered with duplicate IP addresses, where only one of the duplicate devices was identified.

Potential Risk: By failing to include specific devices within an ESP, a Critical Cyber Asset may not receive the appropriate levels of protection.

Mitigation Action Taken: The entity 1) conducted a system-wide scan to identify and correct any erroneous configurations; 2) evaluated options to automate the process to detect misconfigurations; 3) increased issue awareness to appropriate staff; 4) tested and piloted alternatives; and 5) implemented an automated solution for detection.
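For the CIP-005 R1 case above, the detection the entity automated amounts to reconciling the documented ESP asset list against what is actually present on the ESP network: undocumented devices, addresses documented twice, assets never classified, and documented assets that never answer. The Python below is an added example of that reconciliation, not the entity's tool or any NERC-provided code; the subnet, the inventory entries and the observed (IP, MAC) pairs are constructed. It deliberately takes its observations from inside the ESP (switch MAC tables or ARP caches) because devices that cannot route outside the ESP, like the misconfigured ones in the case, are invisible to a scan from outside.

```python
"""Reconcile a documented ESP asset list against what is actually answering on the ESP network.

Added illustration; the subnet, inventory and observed (ip, mac) pairs are constructed for the example.
"""
import ipaddress
from collections import defaultdict

ESP_NETWORK = ipaddress.ip_network("10.20.30.0/24")   # constructed ESP address range
VALID_CLASSIFICATIONS = {"CCA", "non-CCA"}

# Constructed inventory; every asset inside the ESP must carry a "CCA" or "non-CCA" classification.
INVENTORY = [
    {"name": "fw-esp-a",  "ip": "10.20.30.1",  "classification": "CCA"},
    {"name": "rtu-01",    "ip": "10.20.30.11", "classification": "CCA"},
    {"name": "hmi-01",    "ip": "10.20.30.12", "classification": "non-CCA"},
    {"name": "printer-x", "ip": "10.20.30.12", "classification": "non-CCA"},   # same IP as hmi-01
    {"name": "relay-07",  "ip": "10.20.30.40", "classification": ""},          # never classified
    {"name": "hist-02",   "ip": "10.20.30.55", "classification": "CCA"},       # documented, never seen
]

# Constructed observation taken from inside the ESP (switch MAC tables / ARP caches), so a device
# that cannot route out of the ESP still shows up here.
OBSERVED = [
    ("10.20.30.1",  "00:11:22:33:44:00"),
    ("10.20.30.11", "00:11:22:33:44:01"),
    ("10.20.30.12", "00:11:22:33:44:02"),
    ("10.20.30.12", "00:11:22:33:44:0f"),   # a second interface answering for hmi-01's address
    ("10.20.30.40", "00:11:22:33:44:07"),
    ("10.20.30.77", "00:11:22:33:44:aa"),   # inside the ESP range, absent from the inventory
]


def reconcile(inventory, observed, esp_network=ESP_NETWORK):
    """Return (finding, subject, detail) tuples; an empty list means inventory and network agree."""
    findings = []

    # 1. Documentation defects: addresses outside the declared ESP, or assets never classified.
    for asset in inventory:
        if ipaddress.ip_address(asset["ip"]) not in esp_network:
            findings.append(("OUTSIDE_ESP", asset["name"], asset["ip"]))
        if asset["classification"] not in VALID_CLASSIFICATIONS:
            findings.append(("UNCLASSIFIED", asset["name"], asset["ip"]))

    # 2. The same address documented twice: only one of the two will ever be assessed.
    names_by_ip = defaultdict(list)
    for asset in inventory:
        names_by_ip[asset["ip"]].append(asset["name"])
    for ip, names in names_by_ip.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_IP_INVENTORY", ip, ",".join(sorted(names))))

    # 3. The same address answering from more than one interface on the wire.
    macs_by_ip = defaultdict(set)
    for ip, mac in observed:
        macs_by_ip[ip].add(mac)
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("DUPLICATE_IP_ON_WIRE", ip, ",".join(sorted(macs))))

    # 4. Devices present in the ESP but missing from the documented list.
    documented = set(names_by_ip)
    for ip in sorted(macs_by_ip, key=ipaddress.ip_address):
        if ip not in documented and ipaddress.ip_address(ip) in esp_network:
            findings.append(("UNDOCUMENTED_DEVICE", ip, ",".join(sorted(macs_by_ip[ip]))))

    # 5. Documented devices that never appeared: removed, powered off, or unreachable from where we looked.
    for ip in sorted(documented - set(macs_by_ip), key=ipaddress.ip_address):
        findings.append(("NOT_OBSERVED", ip, ",".join(sorted(names_by_ip[ip]))))

    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, OBSERVED):
        print("%-24s %-14s %s" % finding)
```

Each finding maps to one of the failure modes in the case: DUPLICATE_IP_INVENTORY and DUPLICATE_IP_ON_WIRE are the duplicate-address problem, UNDOCUMENTED_DEVICE is the unidentified Cyber Asset inside a substation ESP, and UNCLASSIFIED is an asset inside the ESP that was never designated as a Critical or non-Critical Cyber Asset.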

Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R2

Facts: The entity failed to implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

Potential Risk: Without properly documented and implemented processes, there may have been a loss of control of access to the Electronic Security Perimeter(s).

Mitigation Action Taken:
1. The entity configured, validated and documented that all Electronic Security Perimeter access point devices denied access by default and that the appropriate access controls were specifically defined.
2. The entity configured, validated and documented that all unnecessary ports and services for all Electronic Security Perimeter access points were disabled. Only ports and services that were necessary for operations and the monitoring of Cyber Assets within an Electronic Security Perimeter were enabled. Guidance was provided regarding the applicable procedures.
3. The entity configured, validated and documented that any dial-up access into the Electronic Security Perimeter met the applicable requirements.
4. The entity configured, validated and documented that all interactive access to Electronic Security Perimeters originating from external sources (non-Electronic Security Perimeters) was protected via authentication that supported strong procedural and technical controls (i.e., two-factor authentication). The validation and documentation listed any approved Technical Feasibility Exceptions, where applicable.
5. The entity validated that an approved and documented process existed supporting access requests into the Electronic Security Perimeter for: a. Any dial-up access into the Electronic Security Perimeter; b. Any persistent connection into the Electronic Security Perimeter; c. Any remote access to the Electronic Security Perimeter (supporting interactive remote access); and d. Any administrative access to the Electronic Security Perimeter access points or into the network devices associated with the access control or electronic monitoring capability.
6. The entity adopted, implemented, validated and documented that an “appropriate use banner” was in place for all network layer access into the Electronic Security Perimeter. The banners must have been displayed for all the Electronic Security Perimeter access points identified above.




Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R3

Facts: The entity failed to implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

Potential Risk: Failure to develop a logging and monitoring program for unauthorized access attempts to Cyber Assets may have placed Critical Cyber Assets and the bulk power system at risk.

Mitigation Action Taken:
1. The entity configured, validated, and documented that an electronic monitoring capability was implemented for monitoring and logging for all access into the Electronic Security Perimeter. The entity identified any approved Technical Feasibility Exception that was applicable.
2. The entity implemented and documented the electronic monitoring capabilities for dial-up accessible Critical Cyber Assets that utilized non-routable protocols.
3. The entity configured, validated and documented the security monitoring capability by detecting unauthorized access and unauthorized attempts at access to the Electronic Security Perimeter based on access points identified in Step 1 above.
4. The entity established and validated the documented procedure that ensured the timely and periodic review and analysis of electronic access logs for unauthorized access and unauthorized access attempts to the Electronic Security Perimeter.
Posted Date: 4/20/2011
Reliability Standard: CIP-005-1
Requirement: R3

Facts: The entity did not implement or document a formal process for monitoring and logging access at access points at its Electronic Security Perimeters. The entity was unable to fully monitor, detect and alert for attempts at or actual unauthorized access to its defined access points. The devices defined as access points were configured to log security related events to a central logging tool, but the logs were not easily retrieved and therefore not all relevant historical logs were available for review.

Potential Risk: Failure to document or implement a formal process for logging access points at Electronic Security Perimeters may have led to unauthorized access to the Electronic Security Perimeter. Failure to monitor, detect, and alert attempts or breaches to defined access points may have led to unfettered access to Critical Cyber Assets.

Mitigation Action Taken: The entity obtained firewalls, tested and implemented firewalls, hardened firewall configurations, and verified monitoring and logging functions.
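Both CIP-005-1 R3 cases above come down to the same periodic review of access-point logs: flag successful access from any source not approved for interactive access, flag repeated denied attempts from one source, and notice when an access point has gone quiet because logging or retention failed. The Python below is an added example of that review, not the monitoring tool of either entity; the log format is a constructed generic one rather than any vendor's, and the addresses, the approved-source list and the thresholds are assumptions for the example.

```python
"""Periodic review of ESP access-point logs: unauthorized access, repeated attempts, gaps in coverage.

Added illustration. The log format is a constructed generic one, not any vendor's, and the
addresses, approved-source list and thresholds are assumptions for the example.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) ACCESS_POINT "
    r"(?P<action>permit|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

APPROVED_SOURCES = {"192.0.2.10"}   # documented external host allowed interactive access (assumed)
DENY_THRESHOLD = 3                  # denied connections from one source that warrant a look (assumed)
MAX_SILENCE_SECONDS = 3600          # longest quiet period tolerated from a 24x7 monitored access point (assumed)

SAMPLE_LOG = [  # constructed
    "2011-04-20T02:14:07Z esp-fw-01 ACCESS_POINT deny src=198.51.100.23 dst=10.20.30.11 dport=23 proto=tcp",
    "2011-04-20T02:14:09Z esp-fw-01 ACCESS_POINT deny src=198.51.100.23 dst=10.20.30.11 dport=22 proto=tcp",
    "2011-04-20T02:14:12Z esp-fw-01 ACCESS_POINT deny src=198.51.100.23 dst=10.20.30.12 dport=3389 proto=tcp",
    "2011-04-20T02:15:30Z esp-fw-01 ACCESS_POINT permit src=192.0.2.10 dst=10.20.30.12 dport=22 proto=tcp",
    "2011-04-20T02:40:00Z esp-fw-01 ACCESS_POINT permit src=203.0.113.5 dst=10.20.30.11 dport=22 proto=tcp",
    "esp-fw-01: log buffer wrapped",
    "2011-04-20T09:40:00Z esp-fw-01 ACCESS_POINT deny src=203.0.113.9 dst=10.20.30.11 dport=80 proto=tcp",
]


def parse_line(line):
    """Parse one access-point record; None for anything the format does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def review(lines, approved=APPROVED_SOURCES):
    """Return (finding, subject, detail) tuples for a reviewer to act on."""
    findings, events = [], []
    for lineno, line in enumerate(lines, 1):
        event = parse_line(line)
        if event is None:
            # A line the parser cannot read is itself a finding: unreadable logs are unreviewed logs.
            findings.append(("UNPARSED_LINE", str(lineno), line))
        else:
            events.append(event)

    # Successful access from anywhere not on the approved list is unauthorized access, not an attempt.
    for e in events:
        if e["action"] == "permit" and e["src"] not in approved:
            findings.append(("UNAUTHORIZED_ACCESS", e["src"], f"permitted to {e['dst']}:{e['dport']}"))

    # Repeated denials from one source are the "attempts at unauthorized access" R3 asks the entity to detect.
    denies = Counter(e["src"] for e in events if e["action"] == "deny")
    for src, n in sorted(denies.items()):
        if n >= DENY_THRESHOLD:
            findings.append(("REPEATED_ATTEMPTS", src, f"{n} denied connections"))

    # A long silence means the access point was not logging, or its logs were not retained (the 4/20/2011 case).
    for prev, cur in zip(events, events[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap > MAX_SILENCE_SECONDS:
            findings.append(("LOG_GAP", prev["ts"].isoformat(), f"{int(gap)}s without events"))

    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print("%-20s %-22s %s" % finding)
```

The LOG_GAP and UNPARSED_LINE findings are the ones that matter for the retention problem in the second case: a review that only looks for bad events will happily report "nothing found" over a window in which the access point recorded nothing at all.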
Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R4

Facts: The entity did not perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.

Potential Risk: Undocumented vulnerability assessments may not have proven that assessments occurred and may not have shown identification and mitigation of vulnerabilities. This may have placed Cyber Assets and the bulk power system at risk.

Mitigation Action Taken:
1. The entity reviewed previous internal control reviews and security test and evaluations to identify the type, scope, and test results for any assets that are now identified as Critical Cyber Assets that may assist in the development of test procedures (Step 2, below). The entity also identified vulnerabilities, testing for minimal ports and services (may be identified as “least configuration” as part of configuration management testing).
2. The entity developed and adopted CIP vulnerability assessment procedures, which address:
   a. The data to be collected about each electronic access point, including: Dates of the Assessment, Named individual(s) conducting the Assessment, Scope of the Assessments (supported by the current network diagrams), Description of the testing environment (Test System, sub-system or operational system), Assessment or Test procedures for each requirement (See the appropriate sections below), Plan for reporting test results such as: informal or formal out-briefs, completion of a Vulnerability Assessment Report, and submission of the Vulnerability Assessment Report.
   b. The discovery of all access points to the Electronic Security Perimeter.
   c. The hardening of all ports and services at access points, as applicable. Guidance was provided regarding the applicable procedures.
   d. The review of all default accounts to ensure proper account controls are in place.
3. The entity developed, executed and documented the results of the execution of the test procedures for each identified (and discovered) Electronic Security Perimeter access point. Documentation for testing activities and results included the type of test (observation, review or test), the results (compliant or non-compliant), and the identification of any non-compliance (including justification to a Technical Feasibility Exception or supported by a mitigation plan).
4. The entity prepared a mitigation plan addressing the correction of vulnerabilities identified during Step 2, above.
5. The entity evaluated and validated compliance.



Posted Date: 4/20/2011
Reliability Standard: CIP-005-1
Requirement: R4

Facts: R4.2: Vulnerability assessments had been performed, but the entity did not have a formal process in place to review the generated reports. R4.3: The entity performed vulnerability assessments, but did not perform an automated discovery of all access points to its defined Electronic Security Perimeters. Some devices were restricted to the number of sockets available to respond to requests and discovery tools. This may have caused denial-of-service to these devices and may have interrupted normal operations. R4.4: Vulnerability assessment was set up to use common default community strings as well as default accounts with no passwords. However, had a failure occurred while using any of these community strings or default accounts, it would not have generated any errors. Additionally, the report would not have shown data or account information either. R4.5: Vulnerability assessment included a remediation plan. However, no process was in place to execute the remediation plans primarily due to the time involved.

Potential Risk: Failure to have a formal process in place to review vulnerability assessment reports may have led to the reports not being reviewed. Failure to perform discovery of all access points in a vulnerability assessment may have presented the risk that some Critical Cyber Assets were not assessed or that normal operations were interrupted during assessment. Failure to generate reports for errors may have led to vulnerabilities in the Critical Cyber Assets not being addressed and mitigated. Failure to execute remedial measures was a failure to address vulnerabilities.

Mitigation Action Taken: The entity developed and reviewed its formal process document for vulnerability assessments. The entity performed an annual vulnerability assessment of the access points of its Electronic Security Perimeters and developed an action plan to remediate any vulnerabilities found. The entity implemented the action plan and documented the status of action plans as well as remediation results. The entity also purchased new software for an additional layer of protection for its access points.
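The two CIP-005-1 R4 cases above describe what an assessment record must capture (dates, assessors, scope, environment, reporting plan, a per-access-point result for each procedure) and the ways an assessment fails silently: a check that records no result, a tool error nobody surfaces, a non-compliant finding with no tracked remediation or Technical Feasibility Exception, and a report nobody reviewed. The Python below is an added example of checks to run on such a record before it is accepted as evidence; the field names, check names and sample record are constructed for the example and are not a NERC or Regional Entity form.

```python
"""Checks on a vulnerability assessment record before it is accepted as evidence for CIP-005 R4.

Added illustration; the field names, check names and the sample record are constructed for the
example and are not a NERC form.
"""
REQUIRED_FIELDS = ("assessment_dates", "assessors", "scope", "environment", "reporting_plan")
REQUIRED_CHECKS = ("access_point_discovery", "ports_and_services", "default_accounts")
VALID_OUTCOMES = {"compliant", "non-compliant", "error", "not-tested"}
VALID_STATUSES = {"open", "in-progress", "closed"}

SAMPLE_ASSESSMENT = {  # constructed
    "assessment_dates": ["2011-03-01", "2011-03-03"],
    "assessors": ["J. Doe", "R. Roe"],
    "scope": "All ESP access points on network diagram rev 4",
    "environment": "operational system",
    "reporting_plan": "formal out-brief and written Vulnerability Assessment Report",
    "reviewed_by": None,          # nobody has signed off on the report yet (the R4.2 failure)
    "access_points": {
        "fw-esp-a": {"access_point_discovery": "compliant", "ports_and_services": "compliant",
                     "default_accounts": "non-compliant"},              # no remediation entry below
        "fw-esp-b": {"access_point_discovery": "compliant", "ports_and_services": "non-compliant",
                     "default_accounts": "error"},                      # the tool failed; result unusable
        "dialup-01": {"access_point_discovery": "compliant", "ports_and_services": "compliant"},  # one check never recorded
    },
    "remediation": {
        "fw-esp-b/ports_and_services": {"action": "disable unused management service", "status": "open", "tfe": None},
    },
}


def validate(assessment):
    """Return (issue, subject, detail) tuples; an empty list means the record is complete and every finding is tracked."""
    issues = []
    for field in REQUIRED_FIELDS:
        if not assessment.get(field):
            issues.append(("MISSING_FIELD", field, "required by the assessment procedure"))
    if not assessment.get("reviewed_by"):
        issues.append(("UNREVIEWED_REPORT", "report", "no reviewer recorded"))

    remediation = assessment.get("remediation", {})
    for ap, results in sorted(assessment.get("access_points", {}).items()):
        for check in REQUIRED_CHECKS:
            key = f"{ap}/{check}"
            outcome = results.get(check)
            if outcome is None:
                # An absent result is the silent failure from the R4.4 case: nothing recorded, so nothing reviewed.
                issues.append(("NO_RESULT", key, "check has no recorded outcome"))
            elif outcome not in VALID_OUTCOMES:
                issues.append(("INVALID_OUTCOME", key, outcome))
            elif outcome in ("error", "not-tested"):
                # A tool error must surface as an explicit item, not vanish from the report.
                issues.append(("CHECK_NOT_COMPLETED", key, outcome))
            elif outcome == "non-compliant":
                entry = remediation.get(key)
                if entry is None:
                    issues.append(("UNTRACKED_NONCOMPLIANCE", key, "needs a mitigation plan or an approved TFE"))
                elif not entry.get("tfe") and entry.get("status") not in VALID_STATUSES:
                    issues.append(("BAD_REMEDIATION_STATUS", key, str(entry.get("status"))))
    return issues


if __name__ == "__main__":
    for issue in validate(SAMPLE_ASSESSMENT):
        print("%-26s %-32s %s" % issue)
```

The point of forcing every required check to carry an explicit outcome is the R4.4 lesson: an assessment that silently skips or errors on a check looks identical to one that passed, unless the record itself is required to say which.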




Posted Date: 9/13/2011
Reliability Standard: CIP-005-1
Requirement: R4
Facts: The entity failed to conduct a cyber vulnerability assessment for all electronic access points to the Electronic Security Perimeter (ESP). In addition, the assessment lacked a review to verify that only ports and services required for operations at these access points are enabled, as required by R4.2, and a review of controls for default accounts, passwords, and network management community strings, as required by R4.4. During the entity’s cyber vulnerability assessment process review and root cause evaluation, four contributing factors were identified:
1) The entity relied on previously defined scopes of work for the assessments and incorrectly assumed that the standard vulnerability assessments used prior to the enactment of NERC CIP Reliability Standards would cover the relevant CIP requirements.
2) There was inadequate communication between the entity’s business areas and the external vendor performing the cyber vulnerability assessment.
3) There was a lack of understanding (training) in the entity’s business areas to understand the gap between a standard vulnerability assessment and the review needed to link the results of the assessment to actual requirements for the operation of Cyber Assets.
4) The entity identified improvements needed for its cyber vulnerability assessment form including sections for documentation, review clarification and action plans to mitigate identified vulnerabilities.
Potential Risk: Failure to conduct a cyber vulnerability assessment of all Cyber Assets could allow cyber vulnerabilities in such assets to go unchecked and undetected. Subsequently, such vulnerabilities could be exploited by malicious access, thereby providing an attack vector for launching cyber attacks against Critical Cyber Assets essential to the operation of the bulk power system (BPS), thereby disrupting the operation of the BPS.
Mitigation Action Taken:
1) The entity completed a cyber vulnerability assessment that satisfied R4 including: documenting the assessment; reviewing the appropriate ports for each Cyber Asset within the ESP; reviewing firewall configuration files; reviewing all firewall rules in the configuration files; performing a physical walk-down of all Cyber Assets within the ESPs and comparing them to drawings and previous assessments; and reviewing configuration files to determine network management community strings were correctly controlled.
2) The entity identified unnecessary firewall rules and removed them prior to the completion of an energy management system (EMS) upgrade.
3) The entity updated all procedural documents to improve the process for completing and documenting cyber vulnerability assessments.
4) The entity trained all appropriate personnel on the new processes.
5) The entity used the new processes to perform assessments on new access points installed as part of the EMS upgrade.
6) The entity installed the upgrade including new firewalls.
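The R4.2 and R4.4 reviews named in the mitigation above (only required ports and services enabled; default accounts, passwords and community strings controlled) can be run against exported device configurations rather than by probing the devices. The Python below is an added example and is not code from the case note, NERC, or any registered entity: its access-point inventory, service lists, community strings and account names are constructed, and the lists of vendor-default names it compares against are illustrative assumptions. It also records a check that could not run as ERROR instead of letting it pass silently, which is the failure mode the R4.4 entry at the top of this page describes.

```python
"""Configuration review for Electronic Security Perimeter access points (added example)."""
from collections import Counter
from dataclasses import dataclass

# Vendor-default SNMP community strings and account names an R4.4 review should
# flag if still present in a configuration (assumption: illustrative lists only).
DEFAULT_COMMUNITY_STRINGS = {"public", "private"}
DEFAULT_ACCOUNT_NAMES = {"admin", "guest", "root"}


@dataclass
class AccessPoint:
    name: str
    required_services: set       # {(port, protocol)} documented as needed for operations
    enabled_services: set        # {(port, protocol)} actually enabled in the exported config
    snmp_communities: dict       # community string -> "ro" / "rw"
    accounts: dict               # account name -> True if a password is set
    snapshot_available: bool = True   # False models a config export that failed


@dataclass
class Finding:
    access_point: str
    check: str          # "R4.2-ports-services" or "R4.4-defaults"
    status: str         # "PASS", "FAIL" or "ERROR"
    detail: str = ""


def review_ports_and_services(ap):
    """R4.2: only ports and services required for operations may be enabled."""
    if not ap.snapshot_available:
        return Finding(ap.name, "R4.2-ports-services", "ERROR", "no configuration snapshot")
    extra = sorted(ap.enabled_services - ap.required_services)
    if extra:
        listed = ", ".join(f"{port}/{proto}" for port, proto in extra)
        return Finding(ap.name, "R4.2-ports-services", "FAIL", "not required: " + listed)
    return Finding(ap.name, "R4.2-ports-services", "PASS")


def review_default_credentials(ap):
    """R4.4: default accounts, passwords and community strings must be controlled."""
    if not ap.snapshot_available:
        return Finding(ap.name, "R4.4-defaults", "ERROR", "no configuration snapshot")
    problems = []
    for community, level in ap.snmp_communities.items():
        if community in DEFAULT_COMMUNITY_STRINGS:
            problems.append(f"default SNMP community ({level})")
    for account, has_password in ap.accounts.items():
        if not has_password:
            problems.append(f"account {account} has no password")
        elif account in DEFAULT_ACCOUNT_NAMES:
            problems.append(f"default account {account} still enabled")
    if problems:
        return Finding(ap.name, "R4.4-defaults", "FAIL", "; ".join(problems))
    return Finding(ap.name, "R4.4-defaults", "PASS")


def run_review(access_points):
    """Two findings per access point, in inventory order."""
    findings = []
    for ap in access_points:
        findings.append(review_ports_and_services(ap))
        findings.append(review_default_credentials(ap))
    return findings


def summarize(findings):
    """Counts per status; any ERROR means the assessment is incomplete, not clean."""
    return dict(Counter(f.status for f in findings))


# Constructed inventory: one access point with issues, one clean, one whose
# configuration export failed.
SAMPLE_ACCESS_POINTS = [
    AccessPoint("esp-fw-1", {(22, "tcp"), (161, "udp")},
                {(22, "tcp"), (23, "tcp"), (161, "udp")},
                {"public": "ro", "Xq7!mgmt": "rw"},
                {"esp-admin": True, "guest": False}),
    AccessPoint("esp-fw-2", {(22, "tcp")}, {(22, "tcp")},
                {"Rk2$mon": "ro"}, {"esp-admin": True}),
    AccessPoint("esp-fw-3", {(22, "tcp")}, set(), {}, {}, snapshot_available=False),
]

if __name__ == "__main__":
    results = run_review(SAMPLE_ACCESS_POINTS)
    for f in results:
        print(f"{f.access_point:10} {f.check:20} {f.status:5} {f.detail}")
    print(summarize(results))
```

Because every access point yields a finding for every check, a summary with a non-zero ERROR count cannot be signed off as a completed assessment, and an assessment that covers only part of the inventory shows up as missing findings rather than as an absence of failures.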


Posted Date: 2/15/2011
Reliability Standard: CIP-005-2
Requirement: R1
Facts: An employee of the entity that was performing the escort function did not have a valid performance risk assessment because the PRA had been inadvertently performed on another employee with the same name. The entity immediately revoked access until the proper PRA could be performed.
Potential Risk: Unauthorized personnel may have gained access to Critical Cyber Assets.
Mitigation Action Taken: The entity revoked access to the escort until the proper performance risk assessment could be performed. The entity will include employee identification numbers in performance risk assessment tracking documentation to avoid future name confusion.
Posted Date: 12/30/2010
Reliability Standard: CIP-005-2
Requirement: R1.4
Facts: The entity failed to identify three devices as non-critical Cyber Assets within a defined Electronic Security Perimeter.
Potential Risk: Failing to properly identify all Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity disconnected all three devices from the network and completed a comprehensive review of Electronic Security Perimeters and Physical Security Perimeters.




Posted Date: 7/15/2011
Reliability Standard: CIP-005-2
Requirement: R1.5
Facts: Cyber Assets used in the access and/or control of the Electronic Security Perimeter (ESP) shall be afforded protective measures as specified in certain CIP standards, including CIP-007-1 R1.2. Specifically, testing procedures for Cyber Assets used in access control and/or monitoring of the ESP were not documented. Although the entity tested devices that monitored, protected, or had access control for the ESP, there was little or no documentation such that the entity could demonstrate “auditable compliance.” The entity could demonstrate that it was “compliant.”
Potential Risk: Failure to document testing of Cyber Assets used in the sustainability of the ESP may have resulted in security control oversight and inability to investigate and track cyber security events.
Mitigation Action Taken: The entity defined four distinct categories used to identify the test environment for each Critical Asset and documented the test procedure. Further, the entity implemented a new, more specific procedure to address this requirement. The new procedure ensured that a formal test procedure would be used and that all testing of applicable Critical Assets was performed in a manner that reflected the production environment and was documented.
Posted Date: 4/29/2011
Reliability Standard: CIP-005-3
Requirement: R2.4
Facts: The entity discovered that a remote desktop protocol allowed user access from outside the Electronic Security Perimeter to a Critical Cyber Asset located within the Electronic Security Perimeter without ensuring authenticity of the user accessing the device.
Potential Risk: Allowing remote access without authentication may have increased the risk of an unauthorized individual gaining access to a Critical Cyber Asset.
Mitigation Action Taken: The entity developed and provided alternate access procedures. These procedures require operator authentication and eliminate the need for the firewall rule that allowed unauthenticated remote access to the original device.

Posted Date: 4/20/2011
Reliability Standard: CIP-005-3
Requirement: R3.2
Facts: While conducting an internal review, the entity discovered that the logging and alerting for unauthorized access attempts had not been fully enabled on the interior firewalls. Firewall access was configured for only one workstation internet protocol (IP) address from the entity’s network. The workstation was configured without a default gateway to ensure that it was not accessible from outside the firewall subnet. While logging was enabled for attempts to connect to the firewalls from other IP addresses, logging and alerting were not configured for unsuccessful attempts to authenticate user ID and passwords.
Potential Risk: Failure to detect and alert for attempted or actual unauthorized access to the Electronic Security Perimeter may have compromised Critical Cyber Assets.
Mitigation Action Taken: The following corrective actions were taken:
1) The three internal firewalls separating the entity network (comprising the Electronic Security Perimeter) were reconfigured. The system was reconfigured to do the following: A. Send alerts to administrators around the clock. B. Log and alert each denied IP address attempt to access the access points. C. Log and alert failed and successful user logon requests to the access points. D. Log and alert each IP attack to the access points such as denial of TCP/IP spoofs. E. Log each denied access to an Access Control List. F. Alert each access denied by an Access Control List to the entity network.
2) A test was conducted to ensure that all the configured controls are working as required.
3) All logs are now retained for a rolling 365 days. Alerts are retained for a minimum of 90 days.
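The reconfiguration items A through F, the control test in item 2, and the retention periods in item 3 above together describe what an interior-firewall monitor for an ESP access point has to log, alert on and keep. The Python below is an added example, not the entity's configuration or code: it parses constructed syslog-style records in an assumed CONN/AUTH/ACL/ATTACK key=value format, decides which records page an administrator, checks that a test log exercised every event category, and applies the 365-day log and 90-day alert retention. Hostnames, addresses and rule names are constructed.

```python
"""Interior-firewall log triage for an Electronic Security Perimeter (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed record format: "<ISO-8601 UTC> <host> <CONN|AUTH|ACL|ATTACK> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>CONN|AUTH|ACL|ATTACK)\s+(?P<rest>.*)$")

LOG_RETENTION = timedelta(days=365)       # item 3: logs kept for a rolling 365 days
ALERT_RETENTION_MIN = timedelta(days=90)  # item 3: alerts kept for at least 90 days

# A test log (item 2) must contain every one of these; a missing category is a
# control that is configured on paper but not actually emitting events.
EXPECTED_CATEGORIES = {"CONN-DENY", "AUTH-FAIL", "AUTH-OK", "ACL-DENY", "ATTACK"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict

    def category(self):
        if self.kind == "AUTH":
            return "AUTH-OK" if self.fields.get("result") == "OK" else "AUTH-FAIL"
        if self.kind == "ATTACK":
            return "ATTACK"
        return f"{self.kind}-{self.fields.get('action', 'UNKNOWN')}"


def utc(year, month, day):
    """Timezone-aware UTC midnight, used as 'now' for retention checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_log(text):
    """Parse records; lines that do not parse are returned, never silently dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                rejected.append(line)
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        events.append(Event(ts, m["host"], m["kind"], fields))
    return events, rejected


def alert_reason(ev):
    """Why an event pages an administrator (items B to F), or None when it is log-only."""
    return {
        "CONN-DENY": "denied connection attempt to access point",   # item B
        "AUTH-FAIL": "failed logon to access point",                # item C
        "AUTH-OK": "successful logon to access point",              # item C
        "ACL-DENY": "access denied by Access Control List",         # items E and F
        "ATTACK": "blocked " + ev.fields.get("type", "attack"),     # item D
    }.get(ev.category())


def triage(text):
    """Counts, the alerts to send (time, reason, source), and categories never seen."""
    events, rejected = parse_log(text)
    alerts = [(ev.ts, alert_reason(ev), ev.fields.get("src", "?"))
              for ev in events if alert_reason(ev)]
    return {"events": len(events), "rejected": len(rejected), "alerts": alerts,
            "coverage_gaps": EXPECTED_CATEGORIES - {ev.category() for ev in events}}


def retention_report(events, now):
    """Log records past the 365-day window, and alerts that have met the 90-day minimum."""
    return {
        "logs_to_purge": sum(1 for ev in events if now - ev.ts > LOG_RETENTION),
        "alerts_past_minimum": sum(1 for ev in events
                                   if alert_reason(ev) and now - ev.ts > ALERT_RETENTION_MIN),
    }


# Constructed sample records (not captured from any real device).
SAMPLE_LOG = """\
2011-03-01T02:14:07Z fw-int-1 CONN src=10.20.0.55 dst=10.20.1.10 dport=22 proto=tcp action=DENY
2011-03-01T02:14:09Z fw-int-1 CONN src=10.20.0.7 dst=10.20.1.10 dport=22 proto=tcp action=ALLOW
2011-03-01T02:14:12Z fw-int-1 AUTH user=operator src=10.20.0.7 result=FAIL
2011-03-01T02:14:20Z fw-int-1 AUTH user=operator src=10.20.0.7 result=OK
2011-03-01T02:15:00Z fw-int-2 ACL rule=ESP-IN-07 src=192.0.2.44 dst=10.20.1.12 dport=3389 action=DENY
2011-03-01T02:15:03Z fw-int-2 ATTACK type=ip-spoof src=10.20.1.99 action=DENY
this line is not a firewall record and must be reported as unparsed
"""

# Constructed log as it looked before the fix: connection attempts were logged,
# but authentication attempts produced no records at all.
SAMPLE_LOG_BEFORE_FIX = """\
2011-02-01T09:00:01Z fw-int-1 CONN src=10.20.0.55 dst=10.20.1.10 dport=22 proto=tcp action=DENY
2011-02-01T09:00:05Z fw-int-1 CONN src=10.20.0.7 dst=10.20.1.10 dport=22 proto=tcp action=ALLOW
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, reason, src in report["alerts"]:
        print(f"ALERT {ts.isoformat()} {reason} (src={src})")
    print("unparsed:", report["rejected"], "coverage gaps:", report["coverage_gaps"])
    print("before fix, coverage gaps:", triage(SAMPLE_LOG_BEFORE_FIX)["coverage_gaps"])
    print(retention_report(parse_log(SAMPLE_LOG)[0], utc(2012, 8, 30)))
```

Running the coverage check over the "before fix" sample reports the authentication categories as gaps, which is the same blind spot the entity's internal review found: connection attempts from other addresses were logged, but nothing recorded failed or successful logons. A successful logon is alerted as well as a failed one (item C) because an unexpected successful logon to an access point is itself worth an operator's attention.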

Posted Date: 7/15/2011
Reliability Standard: CIP-006
Requirement: R1; R1.4
Facts: The entity had three instances where a contract employee was temporarily granted access to areas for which he/she did not have the appropriate security clearance. This represented an inappropriate use of physical access control to Critical Cyber Assets.
Potential Risk: Granting individuals access to areas for which they are not authorized could increase the risk of unintentional or intentional harm to Critical Cyber Assets or Cyber Assets.
Mitigation Action Taken: The entity 1) revised its security procedures to include additional verification steps prior to temporary Critical Cyber Asset access badge distribution; 2) ensured all site security personnel reviewed and signed-off on the revised procedures; 3) disciplined the at fault contract employee; and 4) reviewed all temporary badge issuance and usage for the facility at which the incidents occurred.




Posted Date: 2/15/2011
Reliability Standard: CIP-006-1
Requirement: R1
Facts: The entity’s access control system that controls and monitors physical access to the Physical Security Perimeter (PSP) for the data center and control room PSPs was not afforded certain of the protective measures required by Reliability Standard CIP-006-1 R1.8.
Potential Risk: An unauthorized individual may have gained access to the Cyber Assets.
Mitigation Action Taken: The entity conducted a detailed investigation to determine steps to bring the Cyber Asset into strict compliance. It reviewed accounts and disabled manufacturer and default guest accounts. In addition, the entity reviewed logs and confirmed that they were retained for 90 days, and filed a technical feasibility exception (TFE) for ongoing manual review of logs, and installed appropriate use banner on the server. It reviewed and documented ports, services and compensating measures. A TFE was filed for ports and services due to the age of the system and the entity confirmed that Anti-Virus could not be installed on the server. A TFE also was filed for malware and the entity confirmed that security patches were not installed on the server due to the age of the application and mitigation measures that were in place. A TFE was filed per NERC Compliance Process Bulletin #2010-001. The entity filed another TFE to document the compensating measures in place for manual review of account log in lieu of automated alerts. It ordered and installed backup equipment, completed full backup for covered assets, and completed third party vulnerability assessment (covered Cyber Assets were included).
Posted Date: 4/29/2011
Reliability Standard: CIP-006-1
Requirement: R1.1
Facts: The entity discovered certain Critical Cyber Assets were not located in a secure six-wall border.
Potential Risk: Lack of a secure six-wall border may have allowed for a greater chance of unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity contacted and obtained quotes from appropriate vendors to install the additional security hardware and cabling. The entity installed and tested all equipment. Card Readers and cameras were also added to each access point.

Posted Date: 4/29/2011
Reliability Standard: CIP-006-1
Requirement: R1.2
Facts: The entity discovered a previously unidentified entry point through its Physical Security Perimeter to a Critical Cyber Asset.
Potential Risk: An unidentified access point may have allowed for easier, unsecured access to a Critical Cyber Asset.
Mitigation Action Taken: The entity: 1) secured the entry point; and 2) performed a walk down of all Physical Security Perimeters to determine if any other unsecured entry points to Physical Security Perimeters existed.

Posted Date: 4/20/2011
Reliability Standard: CIP-006-1
Requirement: R1.6
Facts: An entity employee without unescorted access followed an employee with unescorted access into a secure area without the authorized individual's knowledge.
Potential Risk: Failing to adhere to procedures regarding escorting of unauthorized personnel around Critical Cyber Assets may have compromised the Physical Security Perimeter and allowed easier unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity i) distributed a flyer to all personnel with approved unescorted access privileges reminding them of the procedures to follow when escorting visitors; ii) installed door signs that are clearly visible at each applicable access door stating for employees to be aware of individuals behind them when entering secure areas; and iii) required all corporate IT personnel to complete the entity’s cyber security training program.

Posted Date: 3/1/2011
Reliability Standard: CIP-006-1
Requirement: R1.6; R4
Facts: On three occasions, the entity failed to follow its internal procedures for escorting and logging access to Critical Cyber Assets.
Potential Risk: Failing to adhere to procedures regarding escorting and logging access to Critical Cyber Assets may have compromised the Physical Security Perimeter and may have allowed unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity 1) completed detailed incident investigations; 2) checked the facilities for possible damage or compromise to CIP assets; 3) had management communicate directly with all involved parties regarding the incident and expectations for future performance; 4) had management communicate directly with all staff with access to CIP facilities regarding access procedures; and 5) the CEO communicated by memorandum to all company staff regarding the need for heightened awareness of NERC compliance requirements.

Posted Date: 3/7/2011
Reliability Standard: CIP-006-1
Requirement: R2; R3; R4
Facts: The entity failed to implement its documented operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter around the clock. The implementation failure occurred when the locking mechanism at one of the access points to the entity’s defined Physical Security Perimeters was disabled during maintenance activities.
Potential Risk: Failure to secure access points undergoing construction may have allowed unauthorized personnel unescorted access into a Physical Security Perimeter without detection.
Mitigation Action Taken: Upon discovery, the entity immediately secured the access point and filed the appropriate internal reports. Patrols and monitoring of the area were increased, and a temporary alarm was installed to provide monitoring and logging of all access. The area was then placed under constant human observation by a cleared entity employee until the work was completed. The entity changed its job-site turn-over procedure to clarify where responsibility is placed for ensuring correct re-commissioning of a site post completion. In addition, the entity updated the applicable physical access control procedures to highlight continuous visitor escort and logging requirements. The changes to procedures required all personnel performing maintenance on doors to the Physical Security Perimeter to be retrained. In addition, language defining progressive disciplinary actions for failure to observe requirements was incorporated into the Physical Security Plan.



Posted Date: 2/15/2011
Reliability Standard: CIP-006-2
Requirement: R2
Facts: The entity found that certain protective measures were not being applied to nine Cyber Assets (three of which are used for monitoring access to the Physical Security Perimeter and six of which are used for monitoring access to the Physical Security Perimeter). The entity did not have proper documentation of organizational processes and technical and procedural mechanisms for monitoring security events.
Potential Risk: Failing to document organizational processes and technical and procedural mechanisms for monitoring security events for Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity reviewed past logs for any signs of cyber security incidents related to these Cyber Assets and incorporated these devices into the procedure used for monitoring security events on other Cyber Assets.

Posted Date: 9/13/2011
Reliability Standard: CIP-006-2
Requirement: R5
Facts: One or more unauthorized access attempts to the Physical Security Perimeter (PSP) were not reviewed immediately and handled in accordance with the procedures specified in CIP-008. After reviewing its alarm logs at an identified location, the entity determined that an alarm positioned at a PSP access point was activated on two occasions, and the appropriate personnel were not made aware of the alarm being triggered. A software misconfiguration in the entity’s access control monitoring system was found to be the root cause of the issue.
Potential Risk: Failure to monitor physical access at all access points to the PSP(s) could allow unauthorized access to the PSP to go unnoticed and unchecked, potentially allowing malicious access to Cyber Assets. Such access may then be used to cause harm to Critical Cyber Assets (CCAs) essential to the operation of the bulk power system (BPS), thereby potentially negatively impacting the BPS.
Mitigation Action Taken:
1) The entity reconfigured its access control monitoring system software.
2) The entity refined its system configuration change management process and procedures to strictly adhere to CIP-006.
3) The entity performed log assessments on the entity’s CCAs at the identified location.
4) The entity’s corporate-wide task force (whose mission is to respond to all information security threats to any incidents at the entity’s computing systems) evaluated the security of the CCAs at the identified location and found no issues with the CCAs in that area.
5) The entity modified its test and maintenance documentation to include annual testing.
6) The entity performed test and maintenance activities at all its locations.
Posted date: 2/15/2011
Reliability standard: CIP-006-3
Requirement: R2
Facts: The entity installed a new Physical Access Control System panel without following its Change Control and Configuration Management Process. As a result of not following the process, the entity failed to comply with testing procedures and documentation update within thirty days of the installation.
Potential risk: Failing to properly test and update documentation relating to new Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation action taken: The entity retroactively applied its complete Change Management Process to the new Cyber Asset and completed the required documentation update. It also performed a complete new Cyber Asset security controls test. The entity also modified its Change Management processes to require additional steps and safeguards for changes in the Physical Access Control System. Additional training was provided to groups responsible for such changes.

Posted date: 6/16/2011
Reliability standard: CIP-006-3
Requirement: R2.2
Facts: The entity did not have the protective measures specified in the standard for Cyber Assets because it failed to identify certain devices as access control and monitoring devices.
Potential risk: Without proper identification, an access control and monitoring device may not receive the appropriate levels of protection.
Mitigation action taken: The entity 1) conducted interviews with its network engineer to establish a course of action to implement the mitigation plan; 2) applied all required security protections; 3) updated all relevant documentation; and 4) communicated all updates to relevant staff.

Posted date: 7/15/2011
Reliability standard: CIP-006-3c
Requirement: R5
Facts: The entity had one instance where it failed to monitor two physical access points twenty-four hours a day, seven days a week. After two door alarms were identified to be faulty and in the process of getting repaired, the entity failed to monitor the access points by security camera for approximately 12 hours.
Potential risk: Failure to monitor access points twenty-four hours a day, seven days a week allows for easier unauthorized physical access and therefore increases the risk of sabotage.
Mitigation action taken: The entity 1) developed a quarterly review process to ensure all maintained information is accurate; 2) established a new controls process regarding changes to Critical Cyber Asset equipment; 3) trained all applicable staff on NERC requirements; and 4) implemented additional programming to allow for direct link access to all applicable cameras and playback in all door alarms.


Page 28. Revised on August 30, 2012.

Posted date: 12/1/2011
Reliability standard: CIP-006-3c
Requirement: R6
Facts: On a number of occasions, the entity failed to accurately log escorted access to its Physical Security Perimeters (PSPs) using one or more of the logging methods required by R6.

Causes of the various visitor logging issues were determined to be as follows: 1) multiple entry / exit interpretation – prior to receiving guidance from auditors that logs must be recorded for each and every passage over the thresholds of PSP access points, the entity interpreted it as acceptable to capture the initial entry and final exit of the day in the visitor logs; 2) lack of awareness or attention – insufficient awareness of and/or attention to the entity’s internal policies and procedures; and 3) insufficient quality control of logging records – illegible and insufficiently completed paper logs were not reviewed in a timely enough manner to be resolved accurately.
Potential risk: Failure to maintain accurate access logs increases the risk of an unauthorized individual gaining access to, and potentially damaging or sabotaging, Critical Cyber Assets.
Mitigation action taken: The entity 1) modified its security operations center script and issues management process to emphasize the need for escorts to report every visitor to the security operations center; 2) improved awareness of, and communicated, the visitor logging process among the impacted business units; 3) increased the use of calling the security operations center for logging help to ensure accuracy; 4) clarified its policies and procedures to include that visitors must log each entry and exit into and out of the PSP; 5) increased employee education and training through holding presentations, publishing articles and sending targeted guidance emails; and 6) developed standardized paper log sheets.

Posted date: 3/1/2011
Reliability standard: CIP-007
Requirement: R1
Facts: The entity provided insufficient evidence that it had tested a significant software change to its Critical Cyber Assets.
Potential risk: If cyber security controls were adversely affected due to a significant change to the entity’s Critical Cyber Assets, the Critical Cyber Assets may have been compromised.
Mitigation action taken: The entity created better documentation of its testing of Critical Cyber Assets, including check lists to show that tests were performed both before and after changes were made.

Posted date: 7/15/2011
Reliability standard: CIP-007
Requirement: R2
Facts: Although the entity shut down unused ports on the firewalls, it failed to disable certain unused ports and services on each Cyber Asset within the Electronic Security Perimeter (ESP).
Potential risk: Enabled unused ports and services increase the risk that an unauthorized individual with potentially malicious intent gains access to Cyber Assets.
Mitigation action taken: The entity 1) performed interviews with its network engineer to establish a course of action to implement the mitigation plan; 2) determined all ports and services that were not disabled; 3) disabled all unused ports and services; 4) updated all relevant documentation; and 5) communicated updates to relevant staff. The entity also implemented several other security solutions designed to minimize overall cyber security and physical security risk, including but not limited to: intrusion detection, anti-virus, security logging and access control (cyber and physical).

Posted date: 12/1/2011
Reliability standard: CIP-007
Requirement: R2; R5
Facts: The entity discovered a managed network switch located within an Electronic Security Perimeter that had ports and services that were neither disabled nor required for normal or emergency operations. The switch also did not meet the password requirements stated in R5.
Potential risk: Enabled unused ports and services, as well as inadequate password requirements, increase the risk that an unauthorized individual with potentially malicious intent gains access to Cyber Assets.
Mitigation action taken: The entity deleted the applicable community string from the configuration of the switch, thereby disabling it. The entity also set a complex user password.

Posted date: 12/1/2011
Reliability standard: CIP-007
Requirement: R4; R4.2
Facts: The entity failed to test signature files prior to installation on its Cyber Assets within the Electronic Security Perimeter.
Potential risk: Inadequate testing could lead to insufficient security or malfunctions.
Mitigation action taken: The entity 1) interviewed its network engineer to better understand how to implement the mitigation plan; 2) determined the required test environment to test signature files prior to installation of equipment in the Electronic Security Perimeter; 3) built the test environment; and 4) updated all relevant documents and communicated the updates to relevant staff.

Posted date: 12/1/2011
Reliability standard: CIP-007
Requirement: R5
Facts: The entity failed to ensure its passwords expired and were changed every 90 days in accordance with the entity's internal password management program.
Potential risk: Failure to ensure password changes could weaken security, therefore increasing the risk of an unauthorized individual gaining access to sensitive information.
Mitigation action taken: The entity 1) interviewed its network engineer to better understand how to implement the mitigation plan; 2) updated its password management process to align with R5; 3) scheduled password changes on all in-scope Cyber Assets; 4) updated all relevant documentation; and 5) communicated all updates to relevant staff engaged in managing Cyber Assets within the Electronic Security Perimeter.

Posted date: 7/15/2011
Reliability standard: CIP-007
Requirement: R5.3.3
Facts: The entity failed to change a password, at least annually, on one server as required by the standard.
Potential risk: Failure to reset account passwords could weaken security, therefore increasing the risk of an unauthorized individual gaining access to sensitive information.
Mitigation action taken: The entity 1) reset the password; 2) updated the appropriate manual tracking documentation with the account information; and 3) implemented an automated process to detect/track accounts and manage the majority of the password resets.

Posted date: 2/15/2011
Reliability standard: CIP-007-1
Requirement: R1
Facts: The entity did not provide evidence that it had created, implemented, maintained and documented test procedures and test results for all Critical Cyber Assets within the Electronic Security Perimeter.
Potential risk: Significant changes may have adversely affected existing cyber security controls.
Mitigation action taken: The entity revised its cyber security test procedures to include all Critical Cyber Assets, and then implemented the new test procedures.

Posted date: 3/1/2011
Reliability standard: CIP-007-1
Requirement: R1
Facts: The entity did not follow its test procedures, nor did it ensure that significant changes to Critical Cyber Assets had not adversely affected certain software or its operation.
Potential risk: Significant changes may have adversely affected existing cyber security controls.
Mitigation action taken: The entity provided updates covering CIP policy and procedure requirements, applicability and access. The entity also provided training webinars covering pertinent CIP topics and increased management emphasis and communications clarifying the requirement of strict adherence to CIP policies and procedures.

Posted date: 7/15/2011
Reliability standard: CIP-007-1
Requirement: R1
Facts: The entity did not ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter (ESP) did not adversely affect existing cyber security controls, because it did not have evidence of compliant testing performed by its key software vendor. The vendor provided a description of the patch management process in which the vendor tests the application of patches against the current release standard (baseline) system. In the course of examining evidence of compliance, it was also determined that the entity's staff regularly transferred one or more laptop PCs between the protected networks within the ESP and external networks without performing the required “new Critical Cyber Asset” testing. While the laptop PC might not have been “new” in a traditional sense, the PC must be treated as a new Critical Cyber Asset whenever it is connected to a protected network after being connected to any external network outside of an ESP.
Potential risk: Failure to test key software systems for compliance may not have ensured that those systems were fully protected. Failure to test laptops or other hardware that migrate between the protected ESP and open networks as new Cyber Assets may not have ensured that the hardware was not importing compromised or malicious programs or code into the protected ESP connected to Critical Cyber Assets.
Mitigation action taken: The entity implemented processes to test patches on its workstations. The entity purchased new equipment in order to implement a new system to test patches prior to their application to the production system and to create reports for all patches that are tested. In addition, the entity purchased dedicated laptop PCs to be used only within the ESP.

Posted date: 7/15/2011
Reliability standard: CIP-007-1
Requirement: R1
Facts: The entity did not have a compliant cyber security testing program for Cyber Assets within the Electronic Security Perimeter (ESP). The entity's key software system was so old that its operating system was no longer supported, and the entity did not subscribe to annual maintenance of the key software system. As a result, there were no available patches for the key software system that would be subject to the testing program. Updates to the key software system were limited to database changes that were not subject to this standard. The substation automation system that also resided within the ESP was of recent enough vintage that security patches were available for both the operating system and the application. As the substation automation system was essentially a non-customized implementation of the vendor's product, the entity had relied upon the application vendor to perform testing of the operating system and application patches. The vendor tested its base application software for compatibility with the operating system patches. While this testing confirmed the operability of the application with the patches applied, it did not verify that the applied patches did not adversely affect existing cyber security controls, as required by the standard. The entity did not conduct any further testing before applying the patches and relied upon system monitoring to identify post-implementation issues.
Potential risk: Failure to test patches before implementation may have presented the risk that patches would cause failure of Cyber Assets.
Mitigation action taken: At the recommendation of auditors, the entity re-assessed whether the system should be located within the ESP. As a result of this assessment, the entity determined it was unnecessary to have the system in the ESP. Accordingly, the entity moved the system out of the ESP, thereby fully mitigating this potential violation.

Posted date: 4/20/2011
Reliability standard: CIP-007-1
Requirement: R2
Facts: The entity had baseline documents but had no formal process for reviewing them. No firewalls were enabled in the system environment release. Production workstations were not scanned for vulnerabilities. The vendor of the system environment had no documentation as to which ports and services needed to be enabled for normal or emergency operations. The entity had no test environment to safely determine which ports and services could be disabled. The entity tested firewall implementation for non-critical servers as well as workstations, but did not implement them. Adding firewalls to the production system could have caused failure of the system. Access point devices located within the defined Electronic Security Perimeter were not configured to allow only the ports and services required for operations and monitoring. While access control lists were in use, they were not specific to the required ports and services.
Potential risk: Failure to review baseline documents resulted in a failure to ensure their continued integrity. The absence of firewalls could have resulted in unauthorized access to Critical Cyber Assets. Adding firewalls to the production system could have caused failure of the system. Failure to ensure that properly designated ports and services are disabled could have led to port or service failure or to unauthorized access to Critical Cyber Assets. The lack of a test environment for firewall additions could have resulted in total or partial failure of real-time Critical Cyber Assets.
Mitigation action taken: The entity performed vulnerability assessments and ran port scans on workstations to develop a baseline and compare the baselines to scans after system changes. The entity also replaced the referenced access points, which were switches, with firewalls and hardened the configuration of those firewalls to allow only the required ports and services as well as approved hosts. These firewalls were installed as access points to the Electronic Security Perimeters protecting the Cyber Assets within the Electronic Security Perimeter. The entity also installed new software into the firewalls which provided further threat protection. The software’s intrusion prevention capabilities greatly enhance firewall protection by blocking threats and network attacks, including worms, Trojans, viruses, and attacks against operating system and application vulnerabilities. The entity also received approval to purchase further software to provide advanced protections to Critical Cyber Assets within its Electronic Security Perimeters. The entity has also purchased a quality assurance system for the new software system to provide a test environment to determine a baseline for ports and services within the system environment. The entity worked with the vendor to bring that quality assurance system on-line. The entity also managed and maintained the integrity of the configurations of its firewalls.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R2

FACTS: Although the entity's ports and services had been documented for all devices of a certain brand, other Electronic Security Perimeter open ports and services for network devices had not been documented. Also, the entity had only enabled ports and services required for operations but had not documented all of the configurations for those ports and services.

POTENTIAL RISK: Undocumented port configurations may result in incorrect configurations and port vulnerability, port failure, or port inaccessibility in certain situations.

MITIGATION ACTION TAKEN: 1. The entity reviewed all ports and services configurations for correctness. 2. The entity documented baseline configurations of all ports and services, including comments on the use of such ports and services, for all Critical Cyber Assets within the Electronic Security Perimeter (i.e., firewall, routers, servers). The entity identified considerations if different ports and services are utilized during emergency situations.

Posted Date: 3/7/2011
Reliability Standard: CIP-007-1
Requirement: R3

FACTS: The entity did not document the assessment of all security patches and security upgrades for applicability within thirty calendar days of available patches or upgrades.

POTENTIAL RISK: Out of date security patches may have allowed for unauthorized electronic access to and potential compromise of Critical Cyber Assets.

MITIGATION ACTION TAKEN: The entity updated the patching application with the configuration parameters provided by the technical support of the vendor patching application. The patching application was modified that same day and then the automatic assessment process performed as intended. The entity took the following steps to ensure that patches are assessed within thirty calendar days: 1) The entity retained personnel from the patching application vendor to be on site to ensure the patching application matches all security patches to each Critical Cyber Asset server; and 2) The entity's personnel performed a manual process to confirm the automated system had retrieved and matched the appropriate security patches.





                                                                                                                                       Page 32                                                                                                                         Revised on August 30, 2012
Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R3

FACTS: The registered entity evaluated security patches to determine if they should be installed and documented installation of a security patch, but the company did not document the rationale for patches not selected for installation. The registered entity did not have a documented security patch management program.

POTENTIAL RISK: Failure to maintain a documented security patch management program may have compromised software essential to the viability of Critical Cyber Assets.

MITIGATION ACTION TAKEN: 1. The entity developed a security patch management policy to identify and review all applicable security patches for all devices (i.e., firewall, router, operating system, applications, etc.) for all Critical Cyber Assets within the Electronic Security Perimeter within thirty days of their release. The policy included requirements for documenting rationale and compensating measures for any patches not installed. 2. The entity created a defined template and used it where each new patch was reviewed for consideration. When it has been decided that the patch should not be installed, justification and other risk mitigation activities implemented have been documented and included where applicable. 3. The implementation of reviewed patches followed the defined templates and forms. The entity changed systems to be utilized to support the change control process as identified in mitigation CIP-003 R6. 4. The entity trained all affected employees on the patch management policy to ensure the policy was followed.

Posted Date: 7/15/2011
Reliability Standard: CIP-007-1
Requirement: R4

FACTS: The entity did not appropriately use anti-virus software and other malicious software (malware) prevention tools, which included 1) not performing any testing of anti-virus signature files prior to rolling them out onto critical systems within production; 2) not having documentation outlining which assets have anti-virus software installed; and 3) not monitoring the anti-virus management console for virus alerts.

POTENTIAL RISK: Failure to test anti-virus software before introduction may have resulted in the anti-virus software negatively affecting functioning programs which support bulk power system reliability. Failure to list assets that have anti-virus software may have jeopardized programs needing the software and prevented controlled testing of the software before blind introduction. Failure to monitor anti-virus software for alerts may have resulted in delayed reaction to potential threats to Cyber Assets within the Electronic Security Perimeter(s).

MITIGATION ACTION TAKEN: The entity configured the anti-virus platform to distribute anti-virus signatures to a small subset of non-critical computers within the key software environment for testing prior to deploying updates to critical production systems, similar to the patch management process. Once it had verified and documented that no issues were introduced, the signature files were then deployed to the remaining systems. These steps were documented within the existing logs to track when updates are ready for release. The entity created a document containing a list of Critical Cyber Assets which do not have anti-virus software installed and an explanation of why an anti-virus solution could not be implemented. The devices addressed include printers and network devices. The entity configured the anti-virus platform to automatically alert key software engineers for anti-virus events. Key software engineers will also review the management console on a daily basis to ensure that no anti-virus events have occurred.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R5

FACTS: The entity's system logs were not capturing data on all network devices to create historical audit trails of individual user account access activity (R5.1.2). The entity had not performed an annual review of access privileges within the past year (R5.1.3). Although access to shared or generic accounts is limited to appropriate personnel, the entity did not maintain a list of persons with access to shared or generic accounts (R5.2.3).

POTENTIAL RISK: Failure to log individual user access activity to network device assets may have placed Cyber Assets and the bulk power system at risk. Failure to review access privileges may have resulted in unauthorized persons gaining access to network devices or controls. Failure to maintain a list of persons with access to shared or generic accounts may have resulted in unauthorized persons gaining access to those accounts.

MITIGATION ACTION TAKEN: 1. The entity developed a comprehensive baseline list of all personnel who had been granted access to Critical Cyber Assets. The entity identified access at the network, application, database, and device level for each user. Moreover, the entity identified access at the privilege level assigned to users. 2. The entity developed a comprehensive list of all shared, default or generic accounts for all Critical Cyber Asset devices and a list of users who had been granted access to them. 3. The entity developed a process where new shared accounts created or deleted are reflected in the comprehensive list. 4. The entity developed a process to perform an annual review of these lists for ongoing pertinence. 5. The entity developed a process to ensure all security-related logging of information is maintained for a time period to meet the requirements. 6. The entity updated the applicable policies to include detailed information to support how account management is implemented (i.e., technical and procedural controls that enforce access authentication of, and accountability for, all user activity).





Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R6

FACTS: Although logging was performed on select equipment, the entity had not created a program to log, monitor, identify, review and react to security events on all Critical Cyber Assets, where technically feasible, within the key software network.

POTENTIAL RISK: Failure to have a program that logs, monitors, identifies, reviews, and reacts to security events related to Cyber Assets may have hindered an entity's ability to respond to critical security events.

MITIGATION ACTION TAKEN: 1. The entity performed a feasibility assessment for an automated tool to enable security logging and monitoring. 2. The entity created a process for logging security events for access points to the key software through an automated tool or process. These access points include firewalls, routers, switches, operating systems, key software workstations, applications, and databases where applicable. 3. The entity developed an updated policy for monitoring the security events through an automated tool or process. The procedure includes a defined schedule for how often logs are reviewed. The procedure also details requirements for retention of electronic access logs (maintained and easily retrievable for at least 90 days, and for at least 3 years for security-related incidents). 4. The entity trained all affected employees on the updated policy.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R6.1

FACTS: The entity did not ensure that all Critical Cyber Assets within the Electronic Security Perimeter implemented automated tools or organizational process controls to monitor system events related to cyber security. The entity did not implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Critical Cyber Assets within the Electronic Security Perimeter.

POTENTIAL RISK: Failure to ensure that automated tools and process controls were in place for all Critical Cyber Assets within the Electronic Security Perimeter may have placed those assets, and the bulk power system, at risk.

MITIGATION ACTION TAKEN: The entity purchased and installed new software. The software will be used to pro-actively monitor and alert on events in the key software environment. The entity also set up the new software in the test environment so that testing of various configuration changes to the new software can be made without impacting the production key software.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R8

FACTS: Vulnerability assessments were performed, but the entity did not have a formal process in place to review the generated reports, nor did it perform automated discovery of all access points to its defined Electronic Security Perimeters. Vulnerability assessments were set up to use common default community strings (public, private), as well as default accounts (administrator, guest) with no passwords; however, a failure while using any of these community strings or default accounts did not generate any errors. The reports therefore did not show data or account information. Although vulnerability assessments included remediation plans, no processes were in place to execute the remediation plans.

POTENTIAL RISK: Failure to run vulnerability assessments due to performance degradation may have resulted in inaccurate or incomplete assessments. Incomplete assessments may not have elucidated existing vulnerabilities which required mitigation.

MITIGATION ACTION TAKEN: The entity developed and reviewed its formal process document for vulnerability assessments. The entity performed an annual vulnerability assessment of all Critical Cyber Assets within the Electronic Security Perimeter and developed an action plan to remediate any vulnerabilities found. The entity implemented the action plan and documented the status of action plans as well as remediation results. The entity also introduced dedicated vulnerability scanning for devices located within the Electronic Security Perimeter.



Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R8

FACTS: Although the registered entity performed vulnerability assessments, it had not developed a procedure to describe the scope of the vulnerability assessment, the steps utilized in performing the scan, the process for documenting the results, and the process for remediation of any issues that are identified. As a result, there was a lack of evidence that the entity reviewed the default accounts, passwords, and community strings inside the Electronic Security Perimeter.

POTENTIAL RISK: Failure to perform complete vulnerability assessments may have led to a failure to identify systems or components at risk. Failure to mitigate known vulnerabilities may have placed Cyber Assets and the bulk power system at risk.

MITIGATION ACTION TAKEN: The entity developed a procedure which includes the scope and process for completing a vulnerability assessment. The procedure included the scope of the assessment, the steps required for completing the assessment, the process for documenting results, and the process for mitigating vulnerabilities. In addition, the procedure included a list of all security aspects which were reviewed as part of the assessment (i.e., controls for default accounts, passwords, and network management community strings, etc.). The entity also developed a template to be used to support the mitigation process for vulnerability assessments. The template included the vulnerability identified, the applicability including why it was or was not identified, the mitigation steps performed and the date mitigated. The entity scheduled and performed a vulnerability assessment per the procedures developed.

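The two CIP-007-1 R8 cases above share one lesson: in the first, checks that failed produced no errors and the reports silently showed nothing; in the second, there was no procedure tying each required security aspect to a documented result and a mitigation template entry. The following added example (not any entity's procedure or scanner; the asset inventory, check names, report rows and mitigation entries are constructed) reviews an assessment report on the principle that a missing, blank or errored result is a gap in evidence and is never counted as a pass.

```python
"""Completeness check for a cyber vulnerability assessment report.

Added example, not an entity's procedure or tool: the inventory, check names,
report rows and mitigation entries are constructed. Rule enforced: a missing,
blank or errored result is an evidence gap, never an implicit pass.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Security aspects the procedure requires for every in-scope asset
REQUIRED_CHECKS = ("default_accounts", "default_passwords",
                   "snmp_community_strings", "ports_and_services")
VALID_RESULTS = {"pass", "fail", "error"}


@dataclass
class ReportRow:
    asset: str
    check: str
    result: str = ""   # "pass" / "fail" / "error"; blank when the tool produced nothing
    detail: str = ""


@dataclass
class MitigationEntry:
    """Mirrors the mitigation template fields: applicability and why, steps, date."""
    asset: str
    check: str
    applicable: bool
    reason: str
    steps: str = ""
    date_mitigated: Optional[date] = None


def validate(inventory, rows, mitigations):
    """Return evidence gaps, open findings and assets scanned but not in scope."""
    results = {(r.asset, r.check): r for r in rows}
    mit = {(m.asset, m.check): m for m in mitigations}
    gaps, open_findings = [], []
    for asset in inventory:
        for check in REQUIRED_CHECKS:
            r = results.get((asset, check))
            if r is None or not r.result.strip():
                gaps.append((asset, check, "no_evidence"))      # absence is not a pass
                continue
            if r.result not in VALID_RESULTS:
                gaps.append((asset, check, "unknown_result"))
                continue
            if r.result == "error":
                gaps.append((asset, check, "check_errored"))   # must be re-run, not ignored
            elif r.result == "fail":
                m = mit.get((asset, check))
                if m is None:
                    open_findings.append((asset, check, "no_mitigation_entry"))
                elif m.applicable and (not m.steps.strip() or m.date_mitigated is None):
                    open_findings.append((asset, check, "mitigation_incomplete"))
                elif not m.applicable and not m.reason.strip():
                    open_findings.append((asset, check, "not_applicable_unjustified"))
    unscoped = sorted({a for a, _ in results if a not in inventory})
    return {"gaps": gaps, "open": open_findings, "unscoped_assets": unscoped}


# --- constructed sample data ---
INVENTORY = ["esp-fw-01", "esp-rtr-01", "esp-srv-01"]
ROWS = [
    ReportRow("esp-fw-01", "default_accounts", "pass"),
    ReportRow("esp-fw-01", "default_passwords", "pass"),
    ReportRow("esp-fw-01", "snmp_community_strings", "pass"),
    ReportRow("esp-fw-01", "ports_and_services", "pass"),
    ReportRow("esp-rtr-01", "default_accounts", "pass"),
    ReportRow("esp-rtr-01", "default_passwords", "fail", "built-in guest account has no password"),
    ReportRow("esp-rtr-01", "snmp_community_strings", ""),   # tool returned nothing, raised no error
    ReportRow("esp-rtr-01", "ports_and_services", "pass"),
    ReportRow("esp-srv-01", "default_accounts", "fail", "vendor default account enabled"),
    ReportRow("esp-srv-01", "default_passwords", "error", "credential check timed out"),
    ReportRow("esp-srv-01", "snmp_community_strings", "pass"),
    # esp-srv-01 ports_and_services row is absent entirely
    ReportRow("lab-ws-07", "ports_and_services", "pass"),   # scanned but outside the ESP scope
]
MITIGATIONS = [
    MitigationEntry("esp-rtr-01", "default_passwords", True, "confirmed on device",
                    steps="guest account disabled, change ticket filed",
                    date_mitigated=date(2011, 4, 30)),
    MitigationEntry("esp-srv-01", "default_accounts", True, "confirmed", steps=""),  # no steps, no date
]

if __name__ == "__main__":
    out = validate(INVENTORY, ROWS, MITIGATIONS)
    for key, items in out.items():
        print(key)
        for item in items:
            print("  ", item)
```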



Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R9

FACTS: The entity failed to review and update all of the documentation specified in CIP-007 at least annually. Specifically, modifications to systems and controls may not have been documented.

POTENTIAL RISK: Undocumented modifications may have led to the inability, on the part of the entity, to assess vulnerabilities to Cyber Assets.

MITIGATION ACTION TAKEN: The entity developed a procedure to review documents and procedures referenced in CIP-007 at least annually; changes resulting from the review are documented within at least 90 calendar days.

Posted Date: 6/16/2011
Reliability Standard: CIP-007-2
Requirement: R8.2

FACTS: Although a cyber vulnerability assessment was performed, the entity was unable to provide sufficient evidence that a review was performed to verify that only ports and services required for operation were enabled.

POTENTIAL RISK: Without proper documentation, it is difficult to ensure only the appropriate ports and services are enabled. This could increase the risk that ports and services remain enabled that should not be.

MITIGATION ACTION TAKEN: The entity 1) convened a working group to address the issue; 2) developed a cyber vulnerability assessment template for reporting; 3) verified only ports and services required for operations were enabled; and 4) performed a cyber vulnerability analysis scan and reviewed the results of the scan with the ports and services report.

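The 4/20/2011 CIP-007-1 R2 case above calls for a ports-and-services baseline with a comment on each port's use and a note on ports used only during emergencies; the 6/16/2011 CIP-007-2 R8.2 case calls for scan results to be reconciled against that report. The following added example (not code from any entity in the Case Notes; the baseline format, asset names, ports and scan lines are constructed) does both: it parses a documented baseline, parses scan output, and reports every discrepancy between the two.

```python
"""Compare a documented ports-and-services baseline with a scan of what is listening.

Added example, not an entity's tool: baseline format, assets, ports and scan
lines are constructed. Each documented port needs a justification; ports marked
emergency-only should not be listening outside emergency operations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineEntry:
    asset: str
    proto: str
    port: int
    service: str
    justification: str        # documented use of the port (required by the baseline)
    emergency_only: bool      # enabled only during emergency operations


@dataclass(frozen=True)
class Finding:
    asset: str
    proto: str
    port: int
    kind: str
    detail: str


def parse_baseline(text):
    """Parse the constructed baseline format: asset|proto|port|service|justification|emergency."""
    entries = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        asset, proto, port, service, just, emerg = [f.strip() for f in line.split("|")]
        entries.append(BaselineEntry(asset, proto.lower(), int(port), service, just,
                                     emerg.lower() == "yes"))
    return entries


def parse_scan(text):
    """Parse constructed scan lines 'asset proto/port state' into the set of open endpoints."""
    open_ports = set()
    for line in text.strip().splitlines():
        asset, endpoint, state = line.split()
        if state == "open":
            proto, port = endpoint.split("/")
            open_ports.add((asset, proto.lower(), int(port)))
    return open_ports


def compare(baseline, open_ports, emergency_mode=False):
    """Reconcile the baseline with observed listeners; every discrepancy becomes a Finding."""
    findings = []
    documented = {(e.asset, e.proto, e.port): e for e in baseline}
    for key, e in documented.items():
        if not e.justification:
            findings.append(Finding(*key, "missing_justification", e.service))
        is_open = key in open_ports
        if is_open and e.emergency_only and not emergency_mode:
            findings.append(Finding(*key, "emergency_open",
                                    f"{e.service} is documented as emergency-only but is listening"))
        if not is_open and not e.emergency_only:
            findings.append(Finding(*key, "documented_closed",
                                    f"{e.service} is documented as required but is not listening"))
    for key in sorted(open_ports - set(documented)):
        findings.append(Finding(*key, "undocumented_open", "listening port has no baseline entry"))
    return findings


# --- constructed sample data ---
BASELINE = """
# asset | proto | port | service | justification | emergency_only
ems-fw-01   | tcp | 22   | ssh   | administration from approved hosts only | no
ems-fw-01   | tcp | 443  | https | operator HMI                            | no
ems-hist-01 | tcp | 1433 | mssql | historian replication                   | no
ems-hist-01 | tcp | 3389 | rdp   | vendor support during emergency ops     | yes
ems-srv-02  | udp | 161  | snmp  |                                         | no
"""
SCAN = """
ems-fw-01 tcp/22 open
ems-fw-01 tcp/443 open
ems-fw-01 tcp/23 open
ems-hist-01 tcp/1433 closed
ems-hist-01 tcp/3389 open
ems-srv-02 udp/161 open
"""

if __name__ == "__main__":
    for f in compare(parse_baseline(BASELINE), parse_scan(SCAN)):
        print(f"{f.asset} {f.proto}/{f.port}: {f.kind} ({f.detail})")
```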

Posted Date: 12/30/2010
Reliability Standard: CIP-007-2a
Requirement: R3.1

FACTS: On two occasions, security patches for certain cyber security software became available but were not assessed for applicability to Cyber Assets within 30 days.

POTENTIAL RISK: Out of date security patches may have allowed for unauthorized electronic access to Critical Cyber Assets.

MITIGATION ACTION TAKEN: The security patches in question were assessed, and individuals responsible for assessing the patches were counseled on the need to carefully review the sources for security patches to ensure available patches are not overlooked.

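The three R3 cases above (3/7/2011 and 4/20/2011 under CIP-007-1, 12/30/2010 under CIP-007-2a) describe the same set of controls: assess each patch within thirty calendar days of availability, record rationale and compensating measures for any applicable patch that is not installed, and make sure no patch source is overlooked. The following added example (not any entity's patching application or policy; patch ids, sources and dates are constructed) turns those controls into a review over patch records.

```python
"""Track the 30-calendar-day applicability assessment of security patches.

Added example, not an entity's patching application: patch ids, sources and
dates are constructed. Encodes the R3 controls in the Case Notes: assess within
thirty calendar days, justify applicable patches not installed, and notice
monitored patch sources from which nothing has ever been recorded.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_WINDOW = timedelta(days=30)   # thirty calendar days from availability


@dataclass
class PatchRecord:
    patch_id: str
    source: str                          # vendor or advisory feed the patch came from
    available_on: date
    assessed_on: Optional[date] = None
    applicable: Optional[bool] = None    # result of the applicability assessment
    decision: Optional[str] = None       # "install", "defer" or "not_install"
    rationale: str = ""                  # why an applicable patch was not installed
    compensating_measures: str = ""      # what mitigates the risk meanwhile


def assessment_deadline(p):
    return p.available_on + ASSESSMENT_WINDOW


def review(records, today):
    """Classify records into the issues a patch-management review should raise."""
    issues = {"overdue_unassessed": [], "late_assessment": [],
              "missing_rationale": [], "missing_compensating_measures": []}
    for p in records:
        deadline = assessment_deadline(p)
        if p.assessed_on is None:
            if today > deadline:
                issues["overdue_unassessed"].append(p.patch_id)
            continue
        if p.assessed_on > deadline:
            issues["late_assessment"].append(p.patch_id)
        # An applicable patch that is deferred or rejected must carry its justification
        if p.applicable and p.decision in ("defer", "not_install"):
            if not p.rationale.strip():
                issues["missing_rationale"].append(p.patch_id)
            if not p.compensating_measures.strip():
                issues["missing_compensating_measures"].append(p.patch_id)
    return issues


def silent_sources(records, monitored_sources):
    """Monitored patch sources with no recorded patch at all: a sign the feed is being overlooked."""
    return sorted(set(monitored_sources) - {p.source for p in records})


# --- constructed sample data ---
TODAY = date(2011, 5, 1)
MONITORED_SOURCES = ["os-vendor", "ems-vendor", "db-vendor"]
RECORDS = [
    PatchRecord("P-1001", "os-vendor", date(2011, 3, 1), date(2011, 3, 20), True, "install"),
    PatchRecord("P-1002", "ems-vendor", date(2011, 3, 15), date(2011, 4, 20), True, "not_install",
                rationale="vendor advises against applying to the deployed release"),
    PatchRecord("P-1003", "ems-vendor", date(2011, 3, 20)),          # never assessed, deadline passed
    PatchRecord("P-1004", "os-vendor", date(2011, 4, 25)),           # not yet assessed, still in window
    PatchRecord("P-1005", "ems-vendor", date(2011, 4, 1), date(2011, 4, 10), False, "not_install"),
]

if __name__ == "__main__":
    for issue, ids in review(RECORDS, TODAY).items():
        print(f"{issue}: {ids}")
    print("silent sources:", silent_sources(RECORDS, MONITORED_SOURCES))
```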

Posted Date: 6/16/2011
Reliability Standard: CIP-007-3
Requirement: R5

FACTS: The entity had certain servers and workstations that utilized default accounts that could not be renamed, removed, or disabled. R5.2: In addition, passwords could not be changed, and shared accounts were accessed that require implementing a management use policy.

POTENTIAL RISK: The inability to change, remove, or disable account names and passwords could weaken security, therefore increasing the risk of an unauthorized individual gaining access to sensitive information.

MITIGATION ACTION TAKEN: The entity 1) created a document with a plan to upgrade software in order to meet NERC compliance requirements for default accounts and passwords; 2) signed an agreement with a vendor for the upgrade on the system; 3) validated the functionality of the upgraded software in a non-production environment; 4) upgraded the software during a scheduled outage; and 5) validated the functionality of the upgraded software in a production environment.


Posted Date: 3/1/2011
Reliability Standard: CIP-008
Requirement: R1.6
Facts: The entity did not provide sufficient evidence that its Cyber Security Incident response plan was tested at least annually.
Potential Risk: If an entity’s Cyber Security Incident response plan was not actually tested, the plan may have proven to be ineffective in a real-time emergency.
Mitigation Action Taken: The entity developed a test reporting form for capturing results from an exercise of the Cyber Security Incident response plan. The form includes check boxes to indicate when each step of the plan is completed and fields for entry of participants, inclusion of notes as steps are completed, and a summary and review for lessons learned and recommendations for improvement of the plan.

Posted Date: 3/1/2011
Reliability Standard: CIP-008-1
Requirement: R1
Facts: The entity’s Cyber Security Incident response plan did not include an adequate procedure to characterize and classify events as reportable Cyber Security Incidents. In addition, the plan did not include a process for updating the plan of any changes within the defined interval.
Potential Risk: Without a process to characterize and classify events as reportable, some reportable Cyber Security Incidents may have been incorrectly reported or not reported at all. In addition, without a designated time frame, the plan may not have been updated with any changes.
Mitigation Action Taken: The entity updated its Cyber Incident response plan to include text adequately describing the procedure to characterize and classify events as reportable Cyber Security Incidents. The entity also included a process for updating the plan of any changes within the interval defined by the Standard.

Posted Date: 12/1/2011
Reliability Standard: CIP-009
Requirement: R1
Facts: The entity’s disaster recovery plan for Critical Cyber Assets failed to: 1) include all Critical Cyber Assets; 2) specify actions required in response to events or conditions of varying duration and severity that would activate the recovery plan; and 3) define the roles and responsibilities of responders. The required information existed in several other documents, but was not consolidated in the single recovery plan document.
Potential Risk: If an entity’s recovery plan for Critical Cyber Assets is not clearly defined, the plan may prove to be ineffective in a real-time emergency.
Mitigation Action Taken: The entity revised its recovery plan to include all Critical Cyber Assets and the roles and responsibilities of responders, and to address the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan.

Posted Date: 3/1/2011
Reliability Standard: CIP-009
Requirement: R2
Facts: The entity did not provide sufficient evidence that its recovery plan for Critical Cyber Assets was used when the entity performed its annual exercise for recovery of Critical Cyber Assets.
Potential Risk: If an entity’s recovery plan for Critical Cyber Assets was not actually tested, the Plan may have proven to be ineffective in a real-time emergency.
Mitigation Action Taken: The entity developed a test reporting form for capturing results from an exercise of the recovery plan for Critical Cyber Assets.



                                                                                                                                         Page 35                                                                                                                      Revised on August 30, 2012
Posted Date: 7/15/2011
Reliability Standard: CIP-009-1
Requirement: R5
Facts: In reviewing the system testing processes used by the entity and its key software vendor, it was determined that the backup tapes essential to the restoration of a failed or compromised Critical Cyber Asset were not tested at least annually as required. Entity personnel stated that the Critical Cyber Assets were backed up daily using a combination of full and incremental tape backups, but the backup tapes were not tested nor restored to verify that all essential information had been backed up.
Potential Risk: Failure to test backup tapes may have presented the risk that system information was not backed up and Critical Cyber Assets could not be restored.
Mitigation Action Taken: The entity followed its developed backup procedure and documentation process and files were successfully recovered from backup tapes.

Posted Date: 2/15/2011
Reliability Standard: IRO-001-1
Requirement: R8
Facts: Registered Generator Operator failed to comply with clear and concise electronic instructions and subsequent verbal instructions from the Reliability Coordinator to reduce and limit plant generation to keep the Special Protection System (SPS) from activating. The entity failed to reduce generation and the SPS activated, causing the plant to trip offline.
Potential Risk: The SPS activation caused the plant to trip offline completely, causing generation to quickly reduce below the desired generation level. If the SPS had not correctly activated, generation would not have been reduced and the transmission line may have been overloaded.
Mitigation Action Taken: This entity had appropriate procedures in place to follow directives by the Reliability Coordinator, so mitigation included personnel training. The entity provided additional training to its operators regarding procedures to be followed when it receives electronic or verbal instructions from the Reliability Coordinator, including transmitting the instructions to the generation facility personnel.





				