Sheet1 - NERC


The Case Notes are based, in whole or in part, on information contained in mitigation plans that have been accepted by Regional Entities and approved by NERC. This document is designed to convey compliance guidance from NERC’s various activities.
It is not intended to establish new requirements under NERC’s Reliability Standards or to modify the requirements in any existing NERC Reliability Standard. Compliance will continue to be assessed based on language in the NERC Reliability
Standards as they may be amended from time to time. This document is not intended to define the exclusive method an entity must use to comply with a particular standard or requirement, or foreclose a registered entity’s demonstration by alternative
means that it has complied with the language and intent of the standard or requirement, taking into account the facts and circumstances of a particular registered entity. Implementation of information in these Case Notes is not a substitute for
compliance with requirements in NERC’s Reliability Standards.


Each case note below gives the Posted Date, Reliability Standard, Requirement, Facts, Risk and Mitigation Action Taken.

Posted Date: 7/15/2011
Reliability Standard: CIP-002-3
Requirement: R3.2
Facts: The entity inadvertently excluded several Critical Cyber Assets and Cyber Assets from its list of Critical Cyber Assets and Cyber Assets. Specifically, several Cyber Assets that used a routable protocol within a control center were not included on the list.
Risk: Without proper identification, a Critical Cyber Asset may not receive the appropriate levels of protection.
Mitigation Action Taken: The entity revised its list of Critical Cyber Assets and Cyber Assets to include those that were originally excluded and has centralized the list designation process in order to maintain a single control document.

Posted Date: 7/15/2011
Reliability Standard: CIP-007
Requirement: R2
Facts: Although the entity shut down unused ports on the firewalls, it failed to disable certain unused ports and services on each Cyber Asset within the Electronic Security Perimeter (ESP).
Risk: Enabled unused ports and services increase the risk that an unauthorized individual with potentially malicious intent gains access to Cyber Assets.
Mitigation Action Taken: The entity 1) performed interviews with its network engineer to establish a course of action to implement the mitigation plan; 2) determined all ports and services that were not disabled; 3) disabled all unused ports and services; 4) updated all relevant documentation; and 5) communicated updates to relevant staff. The entity also implemented several other security solutions designed to minimize overall cyber security and physical security risk, including but not limited to: intrusion detection, anti-virus, security logging and access control (cyber and physical).

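The per-asset check behind step 2 of that mitigation (finding which ports and services were still enabled on each Cyber Asset, not just at the firewall), as an added example that is not from the case notes: the host names, baselines, firewall rule set and netstat-style listings are all constructed, and the audit reports a port that is enabled on a host even when the perimeter firewall already blocks it.

```python
"""Per-asset audit of enabled ports and services against a documented baseline.

Added example, not from the NERC case notes. Host names, baselines, the
firewall block list and the netstat-style listings are constructed. The audit
is done per Cyber Asset inside the ESP: a port the perimeter firewall already
blocks is still a finding if the host itself has it enabled.
"""
import re
from dataclasses import dataclass

# Constructed "netstat -tuln"-style output per hypothetical asset.
SAMPLE_LISTENERS = {
    "ems-app-01": """\
Proto Local Address
tcp   0.0.0.0:22
tcp   0.0.0.0:443
tcp   0.0.0.0:23
udp   0.0.0.0:161
tcp   127.0.0.1:5432
""",
    "hmi-02": """\
Proto Local Address
tcp   0.0.0.0:3389
tcp   0.0.0.0:445
udp   0.0.0.0:137
""",
}

# Constructed baseline: (proto, port) pairs each asset is documented as needing.
BASELINE = {
    "ems-app-01": {("tcp", 22), ("tcp", 443), ("tcp", 5432)},
    "hmi-02": {("tcp", 3389)},
}

# Constructed list of what the perimeter firewall blocks inbound to the ESP.
FIREWALL_BLOCKED = {("tcp", 23), ("tcp", 445), ("udp", 137), ("udp", 161)}

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)$")


def parse_listeners(text):
    """Return the set of (proto, port) sockets found in netstat-style output."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found


@dataclass
class Finding:
    asset: str
    unapproved: set   # enabled on the host but not in its baseline
    missing: set      # in the baseline but not enabled (documentation drift)


def audit(listeners, baseline):
    """Compare every asset's live listeners with its documented baseline."""
    findings = []
    for asset, text in sorted(listeners.items()):
        live = parse_listeners(text)
        allowed = baseline.get(asset, set())
        unapproved, missing = live - allowed, allowed - live
        if unapproved or missing:
            findings.append(Finding(asset, unapproved, missing))
    return findings


def report(findings, firewall_blocked):
    """Human-readable lines; a firewall block is noted but does not clear the finding."""
    lines = []
    for f in findings:
        for proto, port in sorted(f.unapproved):
            note = ""
            if (proto, port) in firewall_blocked:
                note = " (blocked at firewall, still enabled on host)"
            lines.append(f"{f.asset}: disable {proto}/{port}{note}")
        for proto, port in sorted(f.missing):
            lines.append(f"{f.asset}: baseline lists {proto}/{port} but it is not enabled; update documentation")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_LISTENERS, BASELINE), FIREWALL_BLOCKED):
        print(line)
```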
Posted Date: 7/15/2011
Reliability Standard: CIP-006-3c
Requirement: R5
Facts: The entity had one instance where it failed to monitor two physical access points twenty-four hours a day, seven days a week. After two door alarms were identified to be faulty and in the process of getting repaired, the entity failed to monitor the access points by security camera for approximately 12 hours.
Risk: Failure to monitor access points twenty-four hours a day, seven days a week allows for easier unauthorized physical access and therefore increases the risk of sabotage.
Mitigation Action Taken: The entity 1) developed a quarterly review process to ensure all maintained information is accurate; 2) established a new controls process regarding changes to Critical Cyber Asset equipment; 3) trained all applicable staff on NERC requirements; and 4) implemented additional programming to allow for direct link access to all applicable cameras and playback in all door alarms.

Posted Date: 7/15/2011
Reliability Standard: CIP-007
Requirement: R5.3.3
Facts: The entity failed to change a password, at least annually, on one server as required by the standard.
Risk: Failure to reset account passwords could weaken security, therefore increasing the risk of an unauthorized individual gaining access to sensitive information.
Mitigation Action Taken: The entity 1) reset the password; 2) updated the appropriate manual tracking documentation with the account information; and 3) implemented an automated process to detect/track accounts and manage the majority of the password resets.

Posted Date: 7/15/2011
Reliability Standard: CIP-006
Requirement: R1; R1.4
Facts: The entity had three instances where a contract employee was temporarily granted access to areas for which he/she did not have the appropriate security clearance. This represented an inappropriate use of physical access control to Critical Cyber Assets.
Risk: Granting individuals access to areas for which they are not authorized could increase the risk of unintentional or intentional harm to Critical Cyber Assets or Cyber Assets.
Mitigation Action Taken: The entity 1) revised its security procedures to include additional verification steps prior to temporary Critical Cyber Asset access badge distribution; 2) ensured all site security personnel reviewed and signed off on the revised procedures; 3) disciplined the at-fault contract employee; and 4) reviewed all temporary badge issuance and usage for the facility at which the incidents occurred.

Posted Date: 7/15/2011
Reliability Standard: CIP-007-1
Requirement: R4
Facts: The entity did not appropriately use anti-virus software and other malicious software (malware) prevention tools, which included 1) not performing any testing of anti-virus signature files prior to rolling them out onto critical systems within production; 2) not having documentation outlining which assets have anti-virus software installed; and 3) not monitoring the anti-virus management console for virus alerts.
Risk: Failure to test anti-virus software before introduction may have resulted in the anti-virus software negatively affecting functioning programs which support bulk power system reliability. Failure to list assets that have anti-virus software may have jeopardized programs needing the software and prevented controlled testing of the software before blind introduction. Failure to monitor anti-virus software for alerts may have resulted in delayed reaction to potential threats to Cyber Assets within the Electronic Security Perimeter(s).
Mitigation Action Taken: The entity configured the anti-virus platform to distribute anti-virus signatures to a small subset of non-critical computers within the key software environment for testing prior to deploying updates to critical production systems, similar to the patch management process. Once the entity had verified and documented that no issues were introduced, the signature files were deployed to the remaining systems. These steps were documented within the existing logs to track when updates are ready for release. The entity created a document containing a list of Critical Cyber Assets which do not have anti-virus software installed and an explanation of why an anti-virus solution could not be implemented. The devices addressed include printers and network devices. The entity configured the anti-virus platform to automatically alert key software engineers for anti-virus events. Key software engineers will also review the management console on a daily basis to ensure that no anti-virus events have occurred.




Page 1    Revised on July 15, 2011


Posted Date: 7/15/2011
Reliability Standard: CIP-009-1
Requirement: R5
Facts: In reviewing the system testing processes used by the entity and its key software vendor, it was determined that the backup tapes essential to the restoration of a failed or compromised Critical Cyber Asset were not tested at least annually as required. Entity personnel stated that the Critical Cyber Assets were backed up daily using a combination of full and incremental tape backups, but the backup tapes were not tested nor restored to verify that all essential information had been backed up.
Risk: Failure to test backup tapes may have presented the risk that system information was not backed up and Critical Cyber Assets could not be restored.
Mitigation Action Taken: The entity followed its developed backup procedure and documentation process, and files were successfully recovered from backup tapes.

Posted Date: 7/15/2011
Reliability Standard: CIP-007-1
Requirement: R1
Facts: The entity did not ensure that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter (ESP) did not adversely affect existing cyber security controls, because it did not have evidence of compliant testing performed by its key software vendor. The vendor provided a description of the patch management process where the vendor tests the application of patches against the current release standard (baseline) system. In the course of examining evidence of compliance, it was also determined that the entity staff regularly transferred one or more laptop PCs between the protected networks within the ESP and external networks without performing the required “new Critical Cyber Asset” testing. While the laptop PC might not have been “new” in a traditional sense, the PC must be treated as a new Critical Cyber Asset whenever it is connected to a protected network after being connected to any external network outside of an ESP.
Risk: Failure to test key software systems for compliance may not have ensured that those systems were fully protected. Failure to test laptops or other hardware that migrate between the protected ESP and open networks as new Cyber Assets may not have ensured that the hardware was not importing compromised or malicious programs or code into the protected ESP connected to Critical Cyber Assets.
Mitigation Action Taken: The entity implemented processes to test patches on its workstations. The entity purchased new equipment in order to implement a new system to test patches prior to their application to the production system and create reports for all patches that are tested. In addition, the entity purchased dedicated laptop PCs to be used only within the ESP.


Posted Date: 7/15/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity did not adequately maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The entity maintained records of personnel with electronic access to networking and communications devices and key software displays, with access rights. However, access was not documented for operating system or database user accounts. Additionally, while the documented access was being reviewed quarterly for employees, the continued need for access by key software vendor support personnel was not confirmed with the vendor.
Risk: Undocumented access to operating system and database user accounts may have presented the risk of unauthorized access to those systems and the inability to investigate unauthorized access events and prevent future events.
Mitigation Action Taken: The entity added columns to its spreadsheet used to track personnel and training and included a column describing access to all Critical Cyber Assets including key software. The entity requested its vendor to verify the status of personnel on the access list. The entity received confirmation from the vendor that the list is still accurate and relevant. The entity also requested, and received, a letter from its vendor stating that it would notify the entity within twenty-four hours of employee termination for cause, or within seven days for personnel who no longer require access to the entity’s Critical Cyber Assets.
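The two gaps in that case note, accounts on a Critical Cyber Asset (operating system and database layers) with no owner on the access list, and vendor support personnel whose continued need for access was never re-confirmed, as an added reconciliation check that is not from the case notes. Asset names, accounts, people, the vendor name and the 92-day review interval are all constructed assumptions.

```python
"""Reconcile accounts present on Critical Cyber Assets with the authorized-access list.

Added example, not from the NERC case notes. Asset names, accounts, people and
dates are constructed. Two checks: every OS and database account on each asset
must have a documented owner (or be a documented service account), and every
person on the list, vendor support personnel included, must have been
re-confirmed within the review interval.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=92)   # quarterly review cycle (assumed length)


@dataclass(frozen=True)
class Person:
    name: str
    employer: str          # "entity" or the vendor's name
    last_confirmed: date   # last quarterly review, or last confirmation from the vendor


@dataclass(frozen=True)
class AccessEntry:
    person: str
    asset: str
    account: str           # OS login or database user


# Constructed enumeration of accounts actually present, per asset and layer.
ACCOUNTS_ON_ASSETS = {
    ("ems-app-01", "os"): {"jdoe", "svc_ems", "vendor_support"},
    ("ems-app-01", "db"): {"ems_app", "jdoe", "report_ro"},
    ("hist-01", "os"): {"asmith", "backup_op"},
}

# Constructed personnel records and access list.
PERSONNEL = {
    "J. Doe": Person("J. Doe", "entity", date(2011, 6, 30)),
    "A. Smith": Person("A. Smith", "entity", date(2011, 6, 30)),
    "Vendor NOC": Person("Vendor NOC", "KeySoftwareCo", date(2010, 11, 15)),
}
ACCESS_LIST = [
    AccessEntry("J. Doe", "ems-app-01", "jdoe"),
    AccessEntry("J. Doe", "ems-app-01", "ems_app"),
    AccessEntry("A. Smith", "hist-01", "asmith"),
    AccessEntry("Vendor NOC", "ems-app-01", "vendor_support"),
]
# Documented non-interactive service accounts (constructed).
SERVICE_ACCOUNTS = {"svc_ems", "backup_op"}


def undocumented_accounts(accounts_on_assets, access_list, service_accounts):
    """(asset, layer, account) for every account with no owner on the access list."""
    documented = {(e.asset, e.account) for e in access_list}
    return [
        (asset, layer, acct)
        for (asset, layer), accts in sorted(accounts_on_assets.items())
        for acct in sorted(accts)
        if (asset, acct) not in documented and acct not in service_accounts
    ]


def unconfirmed_entries(access_list, personnel, today, interval=REVIEW_INTERVAL):
    """Access-list entries whose person is unknown or not confirmed within the interval."""
    stale = []
    for e in access_list:
        p = personnel.get(e.person)
        if p is None:
            stale.append((e.person, e.asset, e.account, "not on personnel list"))
        elif today - p.last_confirmed > interval:
            stale.append((e.person, e.asset, e.account,
                          f"{p.employer}: last confirmed {p.last_confirmed}"))
    return stale


if __name__ == "__main__":
    today = date(2011, 7, 15)
    for item in undocumented_accounts(ACCOUNTS_ON_ASSETS, ACCESS_LIST, SERVICE_ACCOUNTS):
        print("undocumented account:", item)
    for item in unconfirmed_entries(ACCESS_LIST, PERSONNEL, today):
        print("needs re-confirmation:", item)
```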






Posted Date: 7/15/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: In a random sampling of personnel risk assessment records for personnel with access to Critical Cyber Assets, the entity did not conduct the required assessment for four individuals within thirty days of being granted access, as required by its documented personnel risk assessment program.
Risk: Failure to complete personnel risk assessments for those with access to Critical Cyber Assets may not have ensured that those persons are qualified to access the Critical Cyber Assets networks.
Mitigation Action Taken: Background investigations were completed before unescorted physical access or electronic access to a Critical Cyber Asset was given to an individual. The entity put in place a workflow to verify the progress of each person through the background investigation process. The workflow required the entity’s security department to inform the requesting person of completion of each step of the process. This also ensured that no one was inadvertently omitted from having the background investigation done.

Posted Date: 7/15/2011
Reliability Standard: CIP-003-1
Requirement: R3
Facts: The entity could not provide evidence that the cyber security policy documentation of exceptions included compensating measures and a statement accepting risk. Additionally, the entity could not provide evidence for at least one exception that it had been reviewed and reapproved by the authorized senior manager even though the condition requiring the exception still existed. The policy in question required a quarterly password change, and the password for one of the servers subject to the policy could not be changed.
Risk: Failure to document risks and compensating actions may have presented the possibility that vulnerabilities were not mitigated, which may have left Critical Cyber Assets exposed. Failure to change passwords may have allowed for stale or compromised passwords to be used for unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The exception list had one exception still required. The exception form was written to include compensating measures, which was reviewed and approved by the authorized senior manager.
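An added example, not from the case notes, that serves both the CIP-007 R5.3.3 note above (an automated process to track accounts and their password resets) and this CIP-003-1 R3 note (a server whose password cannot be changed, covered only by an exception that carries compensating measures and a current senior-manager approval). Assets, accounts, dates, the annual change interval and the assumed one-year exception re-approval interval are constructed.

```python
"""Password-change tracker with documented-exception handling.

Added example, not from the NERC case notes. Assets, accounts and dates are
constructed. Each account records when its password was last changed; an
account past the policy interval is a finding unless a documented exception,
with compensating measures and a current senior-manager approval, covers it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_PASSWORD_AGE = timedelta(days=365)   # change at least annually (CIP-007 R5.3.3)
EXCEPTION_REVIEW = timedelta(days=365)   # assumed re-approval interval for exceptions


@dataclass(frozen=True)
class Account:
    asset: str
    name: str
    last_changed: Optional[date]   # None: no record, the manual-tracking gap


@dataclass(frozen=True)
class PolicyException:
    asset: str
    account: str
    compensating_measures: str
    approved_on: date              # last review/re-approval by the senior manager


def classify(acct, exceptions, today, max_age=MAX_PASSWORD_AGE):
    """Return (status, detail) for one account.

    status: 'ok', 'overdue', 'no-record', 'exception-ok', 'exception-stale'
    or 'exception-incomplete'.
    """
    exc = exceptions.get((acct.asset, acct.name))
    if exc is not None:
        if not exc.compensating_measures.strip():
            return "exception-incomplete", "exception lacks compensating measures"
        if today - exc.approved_on > EXCEPTION_REVIEW:
            return "exception-stale", f"last approved {exc.approved_on}; re-approval due"
        return "exception-ok", f"approved {exc.approved_on}"
    if acct.last_changed is None:
        return "no-record", "no last-change date tracked"
    age = today - acct.last_changed
    status = "overdue" if age > max_age else "ok"
    return status, f"{age.days} days since last change"


def audit(accounts, exceptions, today, max_age=MAX_PASSWORD_AGE):
    """Map (asset, account) -> (status, detail) for the whole inventory."""
    return {(a.asset, a.name): classify(a, exceptions, today, max_age) for a in accounts}


def action_items(results):
    """Keys that need a reset, a tracking record or an exception re-approval."""
    return sorted(k for k, (status, _) in results.items()
                  if status not in ("ok", "exception-ok"))


# Constructed inventory.
TODAY = date(2011, 7, 15)
ACCOUNTS = [
    Account("ems-app-01", "svc_ems", date(2010, 6, 1)),
    Account("ems-app-01", "admin", date(2011, 2, 10)),
    Account("hist-01", "sa", None),                         # never recorded
    Account("hist-01", "report_ro", date(2009, 1, 1)),      # exception approval lapsed
    Account("scada-fe-03", "fep_oper", date(2009, 3, 1)),   # fixed password, exception current
]
EXCEPTIONS = {
    ("scada-fe-03", "fep_oper"): PolicyException(
        "scada-fe-03", "fep_oper",
        "account limited to the local console; no network logon", date(2010, 12, 1)),
    ("hist-01", "report_ro"): PolicyException(
        "hist-01", "report_ro",
        "read-only account; reviewed in quarterly access review", date(2009, 6, 1)),
}

if __name__ == "__main__":
    results = audit(ACCOUNTS, EXCEPTIONS, TODAY)
    for key in action_items(results):
        print(key, *results[key])
```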

Posted Date: 7/15/2011
Reliability Standard: CIP-002-1
Requirement: R3
Facts: When the entity developed a list of Critical Assets and Critical Cyber Assets, it did not include operator consoles essential to the operation of the control center as Critical Cyber Assets. The entity asserted that the consoles were not Critical Cyber Assets because of redundancy and available spares, while acknowledging that a subset of the available consoles was required in order to perform the reliability functions. Redundancy was not considered an acceptable reason for not declaring a Critical Cyber Asset where it otherwise would be, because if an entity has one such Critical Cyber Asset and it is essential, then the fact that there is more than one Critical Cyber Asset with the same functionality does not change the fact that the function being performed is essential, and thus the workstations are essential regardless of how many exist.
Risk: Failure to list consoles as Critical Cyber Assets did not afford those consoles the enhanced security protections required by the standard. This may have led to a failure to restore or control Critical Cyber Assets.
Mitigation Action Taken: The entity updated the Critical Cyber Asset list to include the systems.


Posted Date: 7/15/2011
Reliability Standard: CIP-003-1
Requirement: R4
Facts: The entity did not employ the information classification program on documentation that should be protected under this program based on the sensitivity of the Critical Cyber Asset information, nor had its staff been trained on the information protection program. The entity indicated that the program was outlined in the previous cyber security plan, but was not being executed.
Risk: Failure to use the information classification program on documentation that should be protected may have presented the risk of sensitive documents being exposed to unauthorized access and viewing.
Mitigation Action Taken: The entity 1) developed and documented an information protection program as required; 2) trained appropriate staff on the program; 3) implemented the program to identify, classify, and protect information associated with Critical Cyber Assets; and 4) implemented security and permission management for protected information.






Posted Date: 7/15/2011
Reliability Standard: CIP-005-2
Requirement: R1.5
Facts: Cyber Assets used in the access and/or control of the Electronic Security Perimeter (ESP) shall be afforded protective measures as specified in certain CIP standards, including CIP-007-1 R1.2. Specifically, testing procedures for Cyber Assets used in access control and/or monitoring of the ESP were not documented. Although the entity tested devices that monitored, protected, or had access control for the ESP, there was little or no documentation such that the entity could demonstrate “auditable compliance.” The entity could demonstrate that it was “compliant.”
Risk: Failure to document testing of Cyber Assets used in the sustainability of the ESP may have resulted in security control oversight and inability to investigate and track cyber security events.
Mitigation Action Taken: The entity defined four distinct categories used to identify the test environment for each Critical Asset and documented the test procedure. Further, the entity implemented a new, more specific procedure to address this requirement. The new procedure ensured that a formal test procedure would be used and that all testing of applicable Critical Assets was performed in a manner that reflected the production environment and was documented.

Posted Date: 7/15/2011
Reliability Standard: CIP-007-1
Requirement: R1
Facts: The entity did not have a compliant cyber security testing program for Cyber Assets within the Electronic Security Perimeter (ESP). The entity's key software system was so old that its operating system was no longer supported, and the entity did not subscribe to annual maintenance of the key software system. As a result, there were no available patches for the key software system that would be subject to the testing program. Updates to the key software system were limited to database changes that were not subject to this standard. The substation automation system that also resided within the ESP was of recent enough vintage that security patches were available for both the operating system and the application. As the substation automation system was essentially a non-customized implementation of the vendor's product, the entity had relied upon the application vendor to perform testing of the operating system and application patches. The vendor tested its base application software for compatibility with the operating system patches. While this testing confirmed the operability of the application with the patches applied, it did not verify that the applied patches did not adversely affect existing cyber security controls, as required by the standard. The entity did not conduct any further testing before applying the patches and relied upon system monitoring to identify post-implementation issues.
Risk: Failure to test patches before implementation may have presented the risk that patches would cause failure of Cyber Assets.
Mitigation Action Taken: At the recommendation of auditors, the entity re-assessed whether the system should be located within the ESP. As a result of this assessment, the entity determined it was unnecessary to have the system in the ESP. Accordingly, the entity moved the system out of the ESP, thereby fully mitigating this potential violation.

Posted Date: 6/16/2011
Reliability Standard: CIP-002-1
Requirement: R3.1
Facts: The entity failed to identify certain workstations as Critical Cyber Assets.
Risk: Without proper identification, a Critical Cyber Asset may not receive the appropriate levels of protection.
Mitigation Action Taken: The entity 1) removed remote access to the energy management system (EMS) control functions from workstations not defined as Critical Cyber Assets; 2) established Physical Security Perimeters and Electronic Security Perimeters for all locations where monitoring and control function of the EMS is allowed; and 3) identified the workstations as Critical Cyber Assets.


Page 4    Revised on July 15, 2011
Posted Date: 6/16/2011
Reliability Standard: CIP-004-3
Requirement: R3.2
Facts: The entity was calculating the interval for completing seven-year personal risk assessments (PRAs) based on an individual’s hire date, rather than the date of his/her last PRA.
Risk: Using an individual’s hire date does not ensure the individual is current with his/her PRA.
Mitigation Action Taken: The entity 1) completed all necessary seven-year PRAs; 2) completed a review of all individuals with a PRA report; 3) updated its personnel tracking system to reflect last date of PRA as opposed to hire date; 4) updated its documentation to reflect process improvements; 5) completed a reconciliation to determine that all personnel (including contractors) are in the personnel tracking system; 6) developed and administered training; and 7) utilized an outside consultant to perform an independent review of its processes.

Posted Date: 6/16/2011
Reliability Standard: CIP-006-3
Requirement: R2.2
Facts: The entity did not have the protective measures specified in the standard for Cyber Assets because it failed to identify certain devices as access control and monitoring devices.
Risk: Without proper identification, an access control and monitoring device may not receive the appropriate levels of protection.
Mitigation Action Taken: The entity 1) conducted interviews with its network engineer to establish a course of action to implement the mitigation plan; 2) applied all required security protections; 3) updated all relevant documentation; and 4) communicated all updates to relevant staff.

Posted Date: 6/16/2011
Reliability Standard: CIP-007-3
Requirement: R5
Facts: The entity had certain servers and workstations that utilized default accounts that could not be renamed, removed, or disabled. In addition (R5.2), passwords could not be changed, and shared accounts were accessed that require implementing a management use policy.
Risk: The inability to change, remove, or disable account names and passwords could weaken security, thereby increasing the risk of an unauthorized individual gaining access to sensitive information.
Mitigation Action Taken: The entity 1) created a document with a plan to upgrade software in order to meet NERC compliance requirements for default accounts and passwords; 2) signed an agreement with a vendor for the upgrade on the system; 3) validated the functionality of the upgraded software in a non-production environment; 4) upgraded the software during a scheduled outage; and 5) validated the functionality of the upgraded software in a production environment.

Posted Date: 6/16/2011
Reliability Standard: CIP-007-2
Requirement: R8.2
Facts: Although a cyber vulnerability assessment was performed, the entity was unable to provide sufficient evidence that a review was performed to verify that only ports and services required for operation were enabled.
Risk: Without proper documentation, it is difficult to ensure only the appropriate ports and services are enabled. This could increase the risk that ports and services remain enabled that should not be.
Mitigation Action Taken: The entity 1) convened a working group to address the issue; 2) developed a cyber vulnerability assessment template for reporting; 3) verified only ports and services required for operations were enabled; and 4) performed a cyber vulnerability analysis scan and reviewed the results of the scan with the ports and services report.

Posted Date: 3/7/2011
Reliability Standard: BAL-002
Requirement: R4
Facts: After a disturbance involving generation totaling 1,400 MW, the entity did not recover its Area Control Error within 15 minutes.
Risk: Not recovering the Area Control Error within 15 minutes may have required that the entity carry additional reserves.
Mitigation Action Taken: 1. The entity increased the system-wide Ten-Minute Reserve (“reserve bias” by 10%) to 110% of the first contingency loss. 2. The entity increased the minimum Ten-Minute Spinning Reserve requirement from 25% to 50% of the first contingency. 3. The entity required the Control Room system operators to maintain a mix of Shared Activation of Reserves (assistance from external Balancing Authorities) and other reserves, assuming a non-performance factor (the amount of reserves called on in addition to the source loss assuming less than 100% performance of requested resources) of at least 140% of first contingency loss. 4. The entity assessed the performance of generation resources during the event (potential changes to operating practices). 5. The entity modified the key software display by providing the Control Room System Operator with additional tools to view which Market Participant Generation units have not acknowledged electronic dispatch signals. 6. The entity modified internal system operating procedures by making clear that the security-constrained economic dispatch solution should not be executed during an Area Control Error recovery period. 7. The entity conducted operator training. The entity included the procedure changes discussed above in training modules. A PowerPoint presentation was posted as a streaming video on the internal employee training site.




Posted Date: 12/30/2010
Reliability Standard: CIP-001-1
Requirement: R1
Facts: The entity lacked procedures for the recognition of, and for making operating personnel aware of, sabotage events on its facilities and multi-site sabotage affecting larger portions of the Interconnection.
Risk: Personnel may not have been prepared for potential sabotage events.
Mitigation Action Taken: The entity updated its procedures for sabotage recognition. In addition, the entity's System Operations Trainer put together a PowerPoint presentation containing this information, and presented it to the System Operators. The Sabotage Awareness PowerPoint presentation was posted as a streaming video on the internal employee training site. A section was added to the entity's Employee Handbook outlining Sabotage Recognition and Reporting. Additionally, an internal article was published outlining the need for Sabotage Recognition and Reporting and making employees aware of the changes to the handbook as well as the availability of the PowerPoint training materials on the internal site.

Posted Date: 3/1/2011
Reliability Standard: CIP-002-1
Requirement: R3.2
Facts: The entity removed certain assets from its list of Critical Cyber Assets because it did not believe these assets met the criteria for a Critical Cyber Asset. The entity reasoned that the functionality of these assets could easily be replaced with a variety of other available assets. It was later determined that these assets were essential to the operation of another Critical Asset and therefore were Critical Cyber Assets regardless of the availability of backups.
Risk: Without its proper identification, a Critical Cyber Asset may not have received the appropriate levels of protection.
Mitigation Action Taken: The entity amended its list of Critical Cyber Assets to include the Assets that had been removed.

Posted Date: 3/7/2011
Reliability Standard: CIP-002-1
Requirement: R2; R4
Facts: The entity developed a list of Critical Cyber Assets, but the list was not reviewed and updated annually as required. The entity did not have a signed and dated record of the senior manager or delegate’s annual approval of the list of Critical Assets, even if such lists were null.
Risk: Failing to review the list of Critical Assets may have resulted in a failure to identify and protect new or modified Critical Cyber Assets. Failure to approve the Critical Cyber Assets list may have resulted in a lack of management awareness and failure to allocate resources to secure the Critical Cyber Assets.
Mitigation Action Taken: The entity reviewed its current risk-based methodology for identifying Critical Assets. As a result of this meeting, a new "null list" of Critical Assets and Critical Cyber Assets was created. A memorandum of record was signed by senior management approving the new "null list" of Critical Assets and Critical Cyber Assets. An electronic calendar containing due dates for all reliability council related filings, reviews, and approvals was created and maintained at the senior management level of the company to ensure that they occur on a timely basis. The due dates for filings, reviews and approvals are discussed at all semimonthly staff meetings.

Posted Date: 3/1/2011
Reliability Standard: CIP-003-1
Requirement: R1
Facts: The entity’s CIP Security Policy referred to the requirements in a general manner but did not specifically address each requirement of CIP-002-1 through CIP-009-1.
Risk: Failing to address all requirements of CIP-002 through CIP-009 may have resulted in Critical Cyber Assets not having all protections afforded them by the Standards.
Mitigation Action Taken: The entity revised its CIP Cyber Security policy to include language to specifically address each of the requirements of CIP-002 through CIP-009.

Posted Date: 3/7/2011
Reliability Standard: CIP-003-1
Requirement: R2
Facts: The entity failed to identify the senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002 through CIP-009 by name, title, business phone, business address, and date of designation.
Risk: Failure to identify the senior manager may have resulted in a lack of management buy-in and allocation of resources to secure Critical Cyber Assets. Accountability for ensuring compliance with the CIP standards may not have been clear if the single senior manager was not properly identified.
Mitigation Action Taken: The entity took the following actions: 1. developed a Board Policy addressing regulatory compliance responsibilities; 2. specifically assigned responsibilities within a formal Reliability Standard Compliance Program document; and 3. required annual reviews of compliance responsibilities.

Posted Date: 4/29/2011
Reliability Standard: CIP-003-1
Requirement: R4
Facts: The entity discovered that a network folder designated to contain CIP-confidential information was inadvertently configured to allow any entity employee read-only access to the information contained in that folder.
Risk: Unnecessary exposure of a CIP-confidential network folder may have jeopardized sensitive information pertaining to Critical Cyber Assets.
Mitigation Action Taken: The entity determined that the exposure was the result of the lack of a formal process and training concerning how to create folders on shared drives with restricted access rights. Thus, the entity: 1) limited access controls to the exposed folder; 2) implemented a process to assure all necessary access controls are managed by its IT department; 3) conducted a root cause analysis of the events surrounding the access to folders; and 4) developed training on the enhanced process for creation of and changes to confidential files.




Posted Date: 4/20/2011
Reliability Standard: CIP-003-1
Requirement: R1; R4
Facts: In three instances the entity did not implement its Information Protection Program for identifying, classifying, and protecting information associated with Critical Cyber Assets as the program was designed. First, due to software incompatibility, the entity failed to change passwords every sixty days in accordance with its Logical Access Control Procedure. Second, an employee had prolonged access to Critical Cyber Assets without training on cyber security. Finally, an employee sent two e-mail messages that were not encrypted, even though they were designated to be encrypted.
Risk: Failure to implement a protection program or change passwords may have resulted in an unauthorized individual gaining access to sensitive information pertaining to Critical Cyber Assets. Failure to provide cyber security training may have resulted in the employee lacking awareness of procedures and requirements. Finally, failure to properly encrypt messages may result in a risk to the confidentiality of information.
Mitigation Action Taken: After discovering the passwords had not been changed, personnel developed a technical alternative using a “dumb” terminal to overcome the incompatibility between security software, and changed all user account passwords. The entity also: ensured all individuals received required training; conducted a review of a secure e-mail users guide and made revisions to its e-mail encryption process; and developed and distributed awareness regarding encrypted e-mail and password change requirements.

Posted Date: 4/20/2011
Reliability Standard: CIP-003-1
Requirement: R4
Facts: The entity did not identify and protect information such as system configurations, system rule sets, critical security settings, etc. However, the entity identified and protected network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans and incident response plans.
Risk: Failure to identify and protect security configuration information may have placed Cyber Assets and the bulk power system at risk.
Mitigation Action Taken: 1. The entity updated the list of Critical Cyber Assets protected information to ensure all system security configuration information was identified, classified and protected from unauthorized access. The comprehensive list of all critical energy infrastructure information included configuration information with references to where the critical energy infrastructure information was located. 2. The entity modified the existing policy to document the identification, classification and protection of all Critical Cyber Assets protected information. The policy identified how personnel were granted access to this information. The policy included a change management process for incorporating new Critical Cyber Assets information or changes to existing Critical Cyber Assets information. 3. The entity trained affected employees on the policy to ensure Critical Cyber Assets information is identified, classified and protected as required by the standard.

Posted Date: 4/20/2011
Reliability Standard: CIP-003-1
Requirement: R5
Facts: The entity failed to implement an information protection program in a timely manner.
Risk: Failure to implement an information protection program may have exposed sensitive information related to Critical Cyber Assets.
Mitigation Action Taken: The entity developed and documented an information protection program as required by CIP-003 R4. The entity trained appropriate staff on the program. As part of the program, the entity began implementation to identify, classify, and protect information associated with Critical Cyber Assets. The entity implemented security and permission management for protected information.

  4/20/2011        CIP-003-1                 R6            The entity did not have a formal change control policy         Failure to have a formal change control policy may 1. The entity continued to utilize a spreadsheet to document all changes to the Critical Cyber
                                                           for all Critical Cyber Assets hardware, software, and          have resulted in exposing Cyber Assets to          Assets environment. The spreadsheet contained such information as change name, date, brief
                                                           security configurations. However, the entity applied a         vulnerability when making modifications to         description, hardware and software affected and reference to testing results (where applicable).
                                                           change control program for its software environment.           hardware, software, or security configurations.    2. The entity documented a process and supporting policy for a new change control
                                                                                                                                                                             methodology considering different types of infrastructure and types of changes (i.e.
                                                                                                                                                                             emergency, low risk, levels of approvals, patches, etc) for Critical Cyber Assets.
                                                                                                                                                                             Consideration was placed on testing requirements in CIP-007, R1. 3. The entity developed
                                                                                                                                                                             applicable templates, forms, and change systems utilized to support the change control process.
                                                                                                                                                                             4. The entity trained affected employees on the supporting process and policy to ensure
                                                                                                                                                                             Critical Cyber Asset information is identified, classified and protected as required by the
                                                                                                                                                                             standard.
   3/7/2011        CIP-004-1                 R2            The entity did not train an employee within 90 days of         The employee may not have been aware of proper All requests for access were routed through the entity's human resources department for
                                                           being granted access to Critical Cyber Assets.                 use of Critical Cyber Assets and related           confirmation that a personnel risk assessment and cyber security training had been performed
                                                                                                                          information in accordance with the entity's        prior to the access request being processed. The new process for granting access is automated
                                                                                                                          policies.                                          and removes the need for the training coordinator to manually keep track of individuals
                                                                                                                                                                             needing training prior to access being granted. All documentation and procedures were
                                                                                                                                                                             modified to reflect this change.


                                                                                                                                  Page 7                                                                                                                        Revised on July 15, 2011
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R2
Facts: The entity's training records for calendar year 2008 had employees listed on the entity's Critical Cyber Assets access list without documentation of required annual cyber security training for calendar year 2008.
Risk: Personnel may not have been aware of proper use of Critical Cyber Assets and related information in accordance with the entity's policies.
Mitigation Action Taken: The entity revoked access to Critical Cyber Assets areas for anyone that did not have an updated personal risk assessment (within the last seven years) or Critical Cyber Assets training within the past year. Additionally, the entity:
1. Consolidated all access lists and created only one Critical Cyber Assets access list that is now maintained by the compliance department;
2. Verified Critical Cyber Assets training documentation for each person on the master Critical Cyber Assets access list. If Critical Cyber Assets documentation did not exist or was not in the form necessary to meet the requirements set forth in the standard, then that employee’s access was revoked;
3. Created a procedure for granting access to Critical Cyber Assets areas. The procedure requires the Compliance Department to review all requests to ensure a proper personal risk assessment is available and the Critical Cyber Assets training has been completed and properly documented;
4. Required that at a minimum of once per quarter, staff in the Compliance Department reviews each Critical Cyber Assets access list to ensure that no employee without a current personal risk assessment and Critical Cyber Assets training has access.

Posted Date: 3/1/2011
Reliability Standard: CIP-004-1
Requirement: R2
Facts: The entity lacked evidence to confirm that annual training was provided to contractor personnel.
Risk: Personnel may not have been familiar with policies, access controls, and procedures for operating the Critical Cyber Assets.
Mitigation Action Taken: The entity provided training for all personnel with access to its Critical Cyber Assets. A training booklet was developed and sent to all vendors with access to the Critical Cyber Assets.

Posted Date: 2/15/2011
Reliability Standard: CIP-004-1
Requirement: R2
Facts: During an internal review, the entity discovered that some of its personnel were granted authorized cyber access and unescorted physical access to Critical Cyber Assets even though they did not complete the required training.
Risk: Personnel may not be familiar with policies, access controls, and procedures for operating the Critical Cyber Assets.
Mitigation Action Taken: All of the personnel granted authorized cyber access and unescorted physical access to the Critical Cyber Assets completed the required training. Additionally, the entity purchased a Reliability Standards Compliance Tracking software application that will automatically send all entity personnel granted authorized cyber and unescorted physical access to Critical Cyber Assets an e-mail notification on an annual basis reminding them to complete the required training. A response is required and the entity’s Compliance Manager has access to all training records for verification.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: The entity did not have documentation verifying current personnel risk assessments for thirteen employees that had access to Critical Cyber Assets areas.
Risk: Missing personnel risk assessments may have allowed otherwise unqualified individuals access to Critical Cyber Assets.
Mitigation Action Taken: The entity revoked access to Critical Cyber Assets areas for anyone that did not have an updated personal risk assessment (within the last seven years) or Critical Cyber Assets training within the past year. Additionally, the entity:
1. Consolidated all access lists and created only one Critical Cyber Assets access list that is now maintained by the newly formed Compliance Department;
2. Verified Critical Cyber Assets training documentation for each person on the master Critical Cyber Assets access list. If Critical Cyber Assets documentation did not exist or was not in the form necessary to meet the requirements set forth in the standard, then that employee’s access was revoked;
3. Created a procedure for granting access to Critical Cyber Assets areas. The procedure requires the Compliance Department to review all requests to ensure a proper personal risk assessment is available and the Critical Cyber Assets training has been completed and properly documented;
4. Required that at a minimum of once per quarter, staff in the Compliance Department reviews each Critical Cyber Assets access list to ensure that no employee without a current personal risk assessment and Critical Cyber Assets training has access.




Posted Date: 3/1/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: Several of the entity’s personnel lacked personnel risk assessments.
Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The access list was recreated from source data (i.e., login IDs for electronic access and card reader data for physical access) to ensure the list was complete. This list was audited to verify that all individuals with access had completed training and the personnel risk assessment. Where either training or personnel risk assessments had not been completed, access was removed pending completion. Finally, processes to ensure compliance with the requirements of CIP-004 relating to training, personnel risk assessments, timely removal of access, and maintenance of the master access list were revised to minimize the risk of recurrence.

Posted Date: 2/15/2011
Reliability Standard: CIP-004-1
Requirement: R3
Facts: The entity performed an internal review and discovered that some of the personnel granted unescorted physical access to its Critical Cyber Assets did not have a personnel risk assessment.
Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The entity completed personnel risk assessments on all employees having authorized cyber or authorized unescorted physical access to Critical Cyber Assets and established an automated system of notification prior to when personnel are required to have a new PRA performed.
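The R2 and R3 mitigation actions above share one procedure: rebuild a single master access list from source data (electronic login IDs plus card-reader badge data), check every person on it for cyber security training within the past year and a personnel risk assessment within the last seven years, revoke access pending completion where either is missing, and notify ahead of a PRA coming due. The script below is an added example written for this page; it is not code from any entity's mitigation plan or from NERC. The personnel IDs, badge numbers, dates and the 60-day renewal lead time are constructed placeholders, and the three in-memory dictionaries stand in for exports an entity would pull from its access control and HR systems.

```python
"""Access-list reconciliation for CIP-004 training and PRA requirements.

Added example (not the entity's or NERC's code). Assumes three exports an
entity would hold: electronic-access login IDs, card-reader badge
assignments, and HR records of the latest cyber security training date and
latest personnel risk assessment (PRA) date for each person.
"""
from datetime import date, timedelta

TRAINING_MAX_AGE = timedelta(days=365)     # training within the past year
PRA_MAX_AGE = timedelta(days=7 * 365)      # PRA within the last seven years
PRA_RENEWAL_NOTICE = timedelta(days=60)    # assumed lead time for renewal reminders

# Constructed sample source data; personnel IDs P1-P5 and badge numbers are placeholders.
ELECTRONIC_LOGINS = {"jsmith": "P1", "rlee": "P2", "tnguyen": "P3"}      # login -> person
CARD_READER_BADGES = {"B-0401": "P1", "B-0402": "P4", "B-0403": "P5"}    # badge -> person
HR_RECORDS = {
    "P1": {"training": date(2010, 11, 3), "pra": date(2006, 5, 2)},     # current
    "P2": {"training": date(2009, 6, 30), "pra": date(2008, 1, 9)},     # training stale
    "P3": {"training": date(2010, 8, 12), "pra": None},                 # no PRA on file
    "P4": {"training": date(2010, 9, 1), "pra": date(2004, 4, 20)},     # PRA renewal due soon
    # P5 holds a badge but has no HR record at all
}
AS_OF = date(2011, 3, 7)   # review date for the sample; the case note was posted 3/7/2011


def build_master_access_list(logins, badges):
    """Rebuild the single master list from source data rather than from the old lists."""
    master = {}
    for login, pid in logins.items():
        master.setdefault(pid, {"electronic": set(), "physical": set()})["electronic"].add(login)
    for badge, pid in badges.items():
        master.setdefault(pid, {"electronic": set(), "physical": set()})["physical"].add(badge)
    return master


def review_access(master, hr_records, as_of):
    """Audit every person on the master list.

    Returns (revoke, renewal_due): revoke maps person -> list of reasons
    access must be removed pending completion; renewal_due maps person ->
    date the PRA ages out, for people whose PRA expires within the notice window.
    """
    revoke, renewal_due = {}, {}
    for pid in sorted(master):
        rec = hr_records.get(pid)
        reasons = []
        if rec is None:
            reasons.append("no HR record: training and PRA cannot be verified")
        else:
            training = rec.get("training")
            if training is None or as_of - training > TRAINING_MAX_AGE:
                reasons.append("cyber security training missing or older than one year")
            pra = rec.get("pra")
            if pra is None or as_of - pra > PRA_MAX_AGE:
                reasons.append("personnel risk assessment missing or older than seven years")
            elif (pra + PRA_MAX_AGE) - as_of <= PRA_RENEWAL_NOTICE:
                renewal_due[pid] = pra + PRA_MAX_AGE
        if reasons:
            revoke[pid] = reasons
    return revoke, renewal_due


def run_review(as_of=AS_OF):
    """Convenience wrapper over the constructed sample data."""
    master = build_master_access_list(ELECTRONIC_LOGINS, CARD_READER_BADGES)
    return review_access(master, HR_RECORDS, as_of)


if __name__ == "__main__":
    revoke, renewal_due = run_review()
    for pid, reasons in revoke.items():
        print(f"REVOKE {pid}: " + "; ".join(reasons))
    for pid, expires in renewal_due.items():
        print(f"PRA RENEWAL DUE {pid}: expires {expires.isoformat()}")
```

On the sample data the review revokes P2 (training older than a year), P3 (no PRA) and P5 (holds a badge but is absent from HR records, the kind of gap that only shows up when the list is rebuilt from source data), and lists P4 for a PRA renewal notice. Run quarterly, as the mitigation plans above require, the same check produces the evidence an auditor would ask for.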
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Upon two instances of a position transfer, the entity did not revoke authorized unescorted physical access to Critical Cyber Assets within seven calendar days for personnel who no longer required such access. The entity failed to update its list of personnel with authorized unescorted physical access to Critical Cyber Assets within seven calendar days of a change of personnel with such access.
Risk: Personnel no longer authorized for access may have been able to access Critical Cyber Assets. In addition, unauthorized personnel may have utilized these credentials to gain entry without raising suspicion.
Mitigation Action Taken: As an interim measure, the entity's personnel department manually generated e-mail notification to the security department, informing it of any lateral transfer of any consultants so that the security department can revoke access and update the access list in a timely manner. The entity's security department retrained its employees and implemented a procedure in which security department employees cross-check the work from the prior day on access matters to ensure that access profiles are properly modified. This also ensured that the access list is properly updated. The entity's IT group made necessary changes in the software utilized by the personnel department so that it also triggers a notification to the security department for a lateral transfer of a consultant. This mitigation plan eliminated the need for the manual notification (discussed above) implemented as an interim measure.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error, an employee was inadvertently added to the unescorted physical access list for eight days.
Risk: Unauthorized personnel may have gained access to Critical Cyber Assets.
Mitigation Action Taken: The security department revised its procedures such that the security department employees cross-check work from prior days on access matters at least every seven calendar days, including granting new access. The appropriate security personnel were trained on the revised procedure. The cross-check verified that all access changes made are accurate and appropriate.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The security department personnel did not follow procedure to follow up or escalate an unanswered e-mail notification relating to access removal.
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department developed and implemented a new process for succinctly checking and approving every step for granting access. This new process also clearly defines the steps to follow up with supervisors upon receiving an employee’s transfer notification. The appropriate security personnel have been retrained on the new process. The new process requires security personnel to take a definite action at every step.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: A supervisor did not collect a badge of a terminated consultant, nor did the supervisor file termination paperwork in a timely manner. Supervisors did not file paperwork for terminated consultants in a timely manner.
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department developed an advisory for supervisors to review access lists of their employees and consultants on at least a quarterly basis. It emphasized the importance of timely completion of paperwork for any job status changes (transfer and termination) and of collecting badges upon termination. Accompanying the advisory was a list of employees with unescorted access. The advisory was intended to prevent late filing of paperwork by supervisors and to aid the timely collection of badges from terminated employees and consultants.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error, an employee's unescorted physical access was not removed within seven calendar days after the security department was notified.
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The security department revised a computerized process to include identification of time-sensitive workflows. The security department personnel were instructed to select the appropriate due date when creating assignments for time-sensitive workflow notifications. This process was intended to prevent human errors in removing access for time-sensitive workflows.


Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: An isolated software issue prevented workflow notifications for a transferred employee. Due to human error in the information technology department, time-sensitive workflow notifications were not received, and an employee's unescorted physical access was not removed within seven calendar days.
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department implemented the policy of producing an automated report of all personnel changes from the previous day. The security department employees reviewed the report at least every seven calendar days and verified that notifications of the corresponding access changes were received. The appropriate security personnel were trained on this new process. This process was intended to prevent human errors and isolated software problems from blocking access removal within seven days.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to human error in the information technology department (a coding change in the card access system), an employee was inadvertently granted access, adding the employee to the unescorted physical access list.
Risk: Unauthorized personnel may have been given access to Critical Cyber Assets.
Mitigation Action Taken: The information technology department employees produced an automated report of all card access system changes from the previous day. All changes are reviewed at least every seven calendar days by security department personnel to ensure that any card access system changes from previous days, including granting access, removing access, and coding changes, are accurate and appropriate. The appropriate security personnel were trained on reviewing the automated report.
Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: Due to inaccurate status information in a software application, the access list was not updated within seven calendar days after the termination of a consultant.
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department produced an automated report of all active card access system badge holders with protected access that have non-active accounts in the software application. This report was reviewed at least every seven calendar days by the security department personnel to verify that all active badge holders have active accounts in the software application. The appropriate security personnel were trained on reviewing the automated report.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: A supervisor did not respond to a supervisor advisory (Protected Area Access Advisory).
Risk: Personnel no longer authorized for access may have been able to enter a Physical Security Perimeter.
Mitigation Action Taken: The information technology department created a computer based training to clarify the importance of responding to the supervisor advisory in a timely manner. The information technology department reviews, revises and administers the computer based training at least annually. This computer based training informed the supervisors of their responsibility through formal training.

Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R4
Facts: The entity did not properly maintain its list of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets (specifically the entity’s service vendors with authorized cyber access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets).
Risk: Unauthorized vendor personnel may have been given access to Critical Cyber Assets.
Mitigation Action Taken: The entity thoroughly reviewed its current procedure and methods for updating its list of personnel with authorized cyber and authorized unescorted physical access to Critical Cyber Assets and added the list of contractors that had been omitted from the previous method the entity used for updating and maintaining its list of personnel with authorized cyber and authorized unescorted physical access to Critical Cyber Assets.




Posted Date: 3/7/2011
Reliability Standard: CIP-004-1
Requirement: R2; R3
Facts: The entity was unable to provide evidence that annual retraining had been completed by 20 of its 582 staff with authorized cyber access or unescorted physical access to Critical Cyber Assets.
Risk: Lack of CIP training may result in inadequate awareness of the requirements for treatment of Critical Cyber Assets and inadequate protection of Critical Cyber Assets.
Mitigation Action Taken:
1. The entity reviewed all individuals with authorized cyber access and unescorted physical access to Critical Cyber Assets.
2. The entity verified that all individuals with authorized cyber access and unescorted physical access to Critical Cyber Assets have received the required training.
3. The entity provided training to 20 personnel lacking the retraining (or lacking the necessary evidence of retraining).
4. All Human Resources Facility Managers were provided a copy of their site status, showing who had been trained, last training date, and next retraining date. These lists are reviewed weekly.
5. The entity instituted a system to capture all training records, and anyone who was trained without using the system was captured using a manual sign-in sheet which is closely monitored by the Human Resources staff.
6. The entity reviewed and revised procedures to ensure that necessary training was taken for continuing access and to prevent redundant training.
7. The entity communicated training procedure changes and the quality of training evidence expected to all training representatives.
8. The entity automated the existing manual physical access request process into an application to monitor and track required training records. The entity provided training to relevant representatives.

Posted Date: 2/15/2011
Reliability Standard: CIP-004-1
Requirement: R2; R3; R4
Facts: The entity failed to provide documentation evidencing that all personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets have had personnel risk assessments (PRAs), training, and are detailed on an access list.
Risk: Unauthorized individuals may have gained access to the Critical Cyber Assets.
Mitigation Action Taken: The entity created a physical folder for each individual who has unescorted physical access and/or authorized electronic access to Critical Cyber Assets. These folders contain all evidence of receipt of NERC CIP Awareness Training prior to authorizing the individual’s cyber or unescorted physical access to a Critical Cyber Asset. Personnel verified that the information in the Security file folders matched the information in the physical and electronic access lists and the CIP Personnel List. The entity also implemented a new policy that ensures the expiration date for an individual’s proximity card for physical access to Critical Cyber Assets will be the earlier of: the expiration of the individual’s CIP Awareness Training or the expiration of the individual’s PRA. This ensures that no individual will have unescorted physical access to a Critical Cyber Asset facility without (1) authorization, (2) an up-to-date PRA, and (3) annual CIP Awareness Training.

Posted Date: 2/15/2011
Reliability Standard: CIP-004-2
Requirement: R4
Facts: The entity failed to revoke access for one individual who had authorized unescorted physical access to Critical Cyber Assets. The entity’s contractor failed to follow the entity’s established procedure for the contractor to notify the entity within seven calendar days if a guard’s authorized unescorted physical access to Critical Cyber Assets was no longer needed. The entity’s procedures required notification even if the guard could be recalled under the contingency agreement. In this case, the guard’s physical access to Critical Cyber Assets was not revoked within seven calendar days.
Risk: Unauthorized individuals had access to the Critical Cyber Assets.
Mitigation Action Taken: The entity disabled the ID badge/card key and reviewed the requirement regarding physical access to facilities. The entity initiated a new process requiring weekly reports of guards assigned to Critical Cyber Asset areas and the entity will conduct a training session with the Contractor Management Team on the importance of NERC CIP requirements.
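The three 3/7/2011 CIP-004-1 R4 cases above and the 2/15/2011 CIP-004-2 R4 case all turn on the same review: compare the access list against the authoritative personnel record, catch badges that stay active after a termination or transfer, and measure whether revocation happened within seven calendar days. The script below is an added example, not code from NERC or from any registered entity; the personnel records, badge records, identifiers (E100, C200, ...) and finding labels are constructed for illustration, and the badge-expiry rule mirrors the earlier-of-training-or-PRA policy described in the 2/15/2011 CIP-004-1 case.

```python
"""Added example: access-list reconciliation in the spirit of the CIP-004 R4 cases.

All records are constructed; field names and finding labels are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

REVOCATION_WINDOW_DAYS = 7  # access must be revoked within seven calendar days


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str              # "active", "terminated" or "transferred"
    status_date: date        # date the status took effect
    training_expiry: date    # CIP awareness training expiry
    pra_expiry: date         # personnel risk assessment expiry


@dataclass(frozen=True)
class Badge:
    person_id: str
    active: bool
    revoked_on: Optional[date]  # None while the badge is still active


def badge_expiry(person: Person) -> date:
    """Card expiry is the earlier of training expiry and PRA expiry."""
    return min(person.training_expiry, person.pra_expiry)


def reconcile(people: List[Person], badges: List[Badge],
              authorized_ids: Set[str], today: date) -> List[Tuple[str, str]]:
    """Return (person_id, finding) pairs that a reviewer must disposition."""
    by_id = {p.person_id: p for p in people}
    findings = []
    for b in badges:
        if b.active and b.person_id not in authorized_ids:
            findings.append((b.person_id, "ACTIVE_BADGE_NOT_ON_AUTHORIZED_LIST"))
        p = by_id.get(b.person_id)
        if p is None:
            if b.active:
                findings.append((b.person_id, "ACTIVE_BADGE_NO_PERSONNEL_RECORD"))
            continue
        if p.status != "active":
            if b.active:
                findings.append((b.person_id, "ACTIVE_BADGE_INACTIVE_ACCOUNT"))
                elapsed = (today - p.status_date).days  # still open, clock keeps running
            elif b.revoked_on is not None:
                elapsed = (b.revoked_on - p.status_date).days
            else:
                elapsed = 0  # inactive badge with no revocation date: nothing to time
            if elapsed > REVOCATION_WINDOW_DAYS:
                findings.append((b.person_id, "REVOCATION_OVER_SEVEN_CALENDAR_DAYS"))
        elif b.active and badge_expiry(p) < today:
            findings.append((b.person_id, "BADGE_PAST_TRAINING_OR_PRA_EXPIRY"))
    return findings


# Constructed sample data (not from any real entity).
REVIEW_DATE = date(2011, 3, 7)
SAMPLE_PEOPLE = [
    Person("E100", "active", date(2010, 1, 4), date(2011, 6, 1), date(2012, 1, 1)),
    Person("C200", "terminated", date(2011, 2, 20), date(2011, 9, 1), date(2012, 3, 1)),
    Person("E300", "transferred", date(2011, 3, 3), date(2011, 8, 1), date(2012, 5, 1)),
    Person("G400", "terminated", date(2011, 2, 1), date(2011, 7, 1), date(2012, 2, 1)),
    Person("E500", "active", date(2009, 6, 1), date(2011, 2, 15), date(2013, 1, 1)),
]
SAMPLE_BADGES = [
    Badge("E100", True, None),
    Badge("C200", True, None),               # consultant terminated, badge still live
    Badge("E300", False, date(2011, 3, 6)),  # transfer handled inside the window
    Badge("G400", False, date(2011, 2, 14)), # contract guard, revoked 13 days late
    Badge("E500", True, None),               # training lapsed, badge still live
    Badge("X900", True, None),               # badge with no personnel record at all
]
SAMPLE_AUTHORIZED = {"E100", "C200", "E300", "G400", "E500"}


def sample_findings() -> List[Tuple[str, str]]:
    return reconcile(SAMPLE_PEOPLE, SAMPLE_BADGES, SAMPLE_AUTHORIZED, REVIEW_DATE)


if __name__ == "__main__":
    for person_id, finding in sample_findings():
        print(f"{person_id}: {finding}")
```

Run daily, the output is the "automated report" the cases describe; the weekly reviewer's job is to clear each finding and keep the evidence that it was cleared.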




Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R2
Facts: The entity failed to implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).
Risk: Without properly documented and implemented processes, there may have been a loss of control of access to the Electronic Security Perimeter(s).
Mitigation Action Taken:
1. The entity configured, validated and documented that all Electronic Security Perimeter access point devices denied access by default and that the appropriate access controls were specifically defined.
2. The entity configured, validated and documented that all unnecessary ports and services for all Electronic Security Perimeter access points were disabled. Only ports and services that were necessary for operations and the monitoring of Cyber Assets within an Electronic Security Perimeter were enabled. Guidance was provided regarding the applicable procedures.
3. The entity configured, validated and documented that any dial-up access into the Electronic Security Perimeter met the applicable requirements.
4. The entity configured, validated and documented that all interactive access to Electronic Security Perimeters originating from external sources (non-Electronic Security Perimeters) was protected via authentication that supported strong procedural and technical controls (i.e. two-factor authentication). The validation and documentation listed any approved Technical Feasibility Exceptions, where applicable.
5. The entity validated that an approved and documented process existed supporting access requests into the Electronic Security Perimeter for: a. Any dial-up access into the Electronic Security Perimeter; b. Any persistent connection into the Electronic Security Perimeter; c. Any remote access to the Electronic Security Perimeter (supporting interactive remote access); and d. Any administrative access to the Electronic Security Perimeter access points or into the network devices associated with the access control or electronic monitoring capability.
6. The entity adopted, implemented, validated and documented that an “appropriate use banner” was in place for all network layer access into the Electronic Security Perimeter. The banners must have been displayed for all the Electronic Security Perimeter access points identified above.
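Steps 1, 2 and 4 of the mitigation above are checks that can be run mechanically against an access point's rule set: is there an explicit deny-by-default rule, does every permit name only a documented port/service, and is interactive access from outside the Electronic Security Perimeter tied to two-factor authentication. The validator below is an added example, not code from NERC or from the entity in the case; the ESP address range (10.20.0.0/24), the approved-service table, the rule dictionary layout (vendor-neutral, not any firewall's syntax) and the finding labels are all constructed assumptions.

```python
"""Added example: validating an Electronic Security Perimeter access point ruleset.

Rules, networks and the approved-service table are constructed; the finding
labels are assumptions, not NERC terminology.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ESP_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # constructed ESP address space

# (proto, port) -> (service name, interactive?). Interactive services reached
# from outside the ESP must be protected by two-factor authentication.
APPROVED_SERVICES: Dict[Tuple[str, int], Tuple[str, bool]] = {
    ("tcp", 443): ("hmi-web", False),
    ("tcp", 22): ("admin-ssh", True),
    ("udp", 514): ("syslog-export", False),
}


def is_external(src: str, esp=ESP_NETWORK) -> bool:
    """A source is external unless it is a subnet of the ESP address space."""
    if src == "any":
        return True
    return not ipaddress.ip_network(src).subnet_of(esp)


def is_default_deny(rule: dict) -> bool:
    return (rule["action"] == "deny" and rule["src"] == "any" and rule["dst"] == "any"
            and rule["proto"] == "any" and rule["port"] == "any")


def validate_rules(rules: List[dict], approved=APPROVED_SERVICES,
                   esp=ESP_NETWORK) -> List[Tuple[Optional[int], str]]:
    """Return (rule index, finding) pairs; index None means a ruleset-wide finding."""
    findings = []
    deny_index = next((i for i, r in enumerate(rules) if is_default_deny(r)), None)
    if deny_index is None:
        findings.append((None, "NO_DEFAULT_DENY"))
    for i, rule in enumerate(rules):
        if deny_index is not None and i > deny_index:
            findings.append((i, "UNREACHABLE_AFTER_DEFAULT_DENY"))
            continue
        if rule["action"] != "permit":
            continue
        if rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any":
            findings.append((i, "OVERLY_BROAD_PERMIT"))  # shadows the default deny
            continue
        service = approved.get((rule["proto"], rule["port"]))
        if service is None:
            findings.append((i, "PORT_OR_SERVICE_NOT_APPROVED"))
            continue
        _, interactive = service
        if interactive and is_external(rule["src"], esp) and not rule.get("mfa", False):
            findings.append((i, "EXTERNAL_INTERACTIVE_WITHOUT_TWO_FACTOR"))
    return findings


# Constructed ruleset, ordered top to bottom as the device would evaluate it.
SAMPLE_RULES = [
    {"action": "permit", "src": "10.20.0.0/24", "dst": "10.20.0.50/32", "proto": "tcp", "port": 443, "mfa": False},
    {"action": "permit", "src": "192.0.2.10/32", "dst": "10.20.0.5/32", "proto": "tcp", "port": 22, "mfa": True},
    {"action": "permit", "src": "192.0.2.20/32", "dst": "10.20.0.5/32", "proto": "tcp", "port": 22, "mfa": False},
    {"action": "permit", "src": "any", "dst": "10.20.0.7/32", "proto": "tcp", "port": 23, "mfa": False},
    {"action": "permit", "src": "any", "dst": "any", "proto": "any", "port": "any", "mfa": False},
    {"action": "deny", "src": "any", "dst": "any", "proto": "any", "port": "any"},
    {"action": "permit", "src": "10.20.0.9/32", "dst": "any", "proto": "udp", "port": 514, "mfa": False},
]


def sample_findings() -> List[Tuple[Optional[int], str]]:
    return validate_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for index, finding in sample_findings():
        print(f"rule {index}: {finding}")
```

The finding list, together with the rule set it was produced from, is the kind of artifact that "validated and documented" asks for; a Technical Feasibility Exception would be recorded against the specific rule index it covers.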


Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R3
Facts: The entity failed to implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
Risk: Failure to develop a logging and monitoring program for unauthorized access attempts to Cyber Assets may have placed Critical Cyber Assets and the bulk power system at risk.
Mitigation Action Taken:
1. The entity configured, validated, and documented that an electronic monitoring capability was implemented for monitoring and logging for all access into the Electronic Security Perimeter. The entity identified any approved Technical Feasibility Exception that was applicable.
2. The entity implemented and documented the electronic monitoring capabilities for dial-up accessible Critical Cyber Assets that utilized non-routable protocols.
3. The entity configured, validated and documented the security monitoring capability by detecting unauthorized access and unauthorized attempts at access to the Electronic Security Perimeter based on access points identified in Step 1 above.
4. The entity established and validated the documented procedure that ensured the timely and periodic review and analysis of electronic access logs for unauthorized access and unauthorized access attempts to the Electronic Security Perimeter.
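Steps 3 and 4 above, detecting unauthorized access and unauthorized access attempts and then periodically reviewing the logs, are shown below as detection logic run over a handful of constructed access point log lines. This is an added example, not code from NERC or from the entity in the case; the syslog-like line layout, the access point names (ap-fw01 ...), the ESP address range, the approved-source list and the threshold of three denials are all assumptions. Because the requirement is twenty-four-hours-a-day monitoring, the review also reports any expected access point that sent no log at all, since a silent access point is a monitoring failure rather than a quiet day.

```python
"""Added example: periodic review of Electronic Security Perimeter access point logs.

Log lines, access point names and the approved-source list are constructed;
the log format is an assumed syslog-like layout, not any vendor's.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, Optional

ESP_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # constructed ESP address space

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+(?P<action>PERMIT|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access point log line; return None for lines in an unknown layout."""
    m = LOG_PATTERN.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def review_logs(lines: Iterable[str], expected_access_points: Iterable[str],
                approved_remote_sources: Iterable[str], deny_threshold: int = 3) -> Dict:
    """Produce the items a reviewer must look at for one review period."""
    events = [e for e in map(parse_line, lines) if e is not None]
    approved = set(approved_remote_sources)

    # Unauthorized access: traffic permitted from a source outside the ESP
    # that is not on the documented list of approved remote sources.
    unauthorized = [e for e in events
                    if e["action"] == "PERMIT"
                    and ipaddress.ip_address(e["src"]) not in ESP_NETWORK
                    and e["src"] not in approved]

    # Unauthorized access attempts: repeated denials from one source at one access point.
    denied = Counter((e["src"], e["ap"]) for e in events if e["action"] == "DENY")
    repeated = {key: n for key, n in denied.items() if n >= deny_threshold}

    # 24x7 logging: an expected access point that produced no events is itself a finding.
    silent = sorted(set(expected_access_points) - {e["ap"] for e in events})

    return {"events_parsed": len(events), "unauthorized_access": unauthorized,
            "repeated_denied": repeated, "silent_access_points": silent}


# Constructed sample log for one review period (addresses from documentation ranges).
SAMPLE_LOG = [
    "2011-03-01T02:14:07 ap-fw01 DENY tcp 198.51.100.23:51514 -> 10.20.0.5:22",
    "2011-03-01T02:14:09 ap-fw01 DENY tcp 198.51.100.23:51515 -> 10.20.0.5:22",
    "2011-03-01T02:14:11 ap-fw01 DENY tcp 198.51.100.23:51516 -> 10.20.0.5:23",
    "2011-03-01T02:14:30 ap-fw01 DENY tcp 198.51.100.23:51520 -> 10.20.0.5:3389",
    "2011-03-01T03:00:00 ap-fw01 PERMIT tcp 192.0.2.10:40000 -> 10.20.0.5:22",
    "2011-03-01T03:05:00 ap-fw02 PERMIT tcp 203.0.113.9:40001 -> 10.20.0.7:22",
    "2011-03-01T04:00:00 ap-fw02 DENY udp 10.20.0.9:5000 -> 10.20.0.5:161",
    "2011-03-01T04:00:01 ap-fw02 -- heartbeat --",  # unknown layout, skipped by the parser
]
EXPECTED_ACCESS_POINTS = ["ap-fw01", "ap-fw02", "ap-fw03"]
APPROVED_REMOTE_SOURCES = ["192.0.2.10"]


def review_sample() -> Dict:
    return review_logs(SAMPLE_LOG, EXPECTED_ACCESS_POINTS, APPROVED_REMOTE_SOURCES)


if __name__ == "__main__":
    report = review_sample()
    print("silent access points:", report["silent_access_points"])
    print("repeated denials:", report["repeated_denied"])
    for e in report["unauthorized_access"]:
        print("permitted from unapproved source:", e["src"], "->", e["dst"], e["dport"])
```

Keeping the parsed-event count in the report lets the reviewer spot a period where a source started emitting in a different layout and the parser silently dropped everything.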




Posted Date: 3/7/2011
Reliability Standard: CIP-005-1
Requirement: R4
Facts: The entity did not perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.
Risk: Undocumented vulnerability assessments may not have proven that assessments occurred and may not have shown identification and mitigation of vulnerabilities. This may have placed Cyber Assets and the bulk power system at risk.
Mitigation Action Taken:
1. The entity reviewed previous internal control reviews and security tests and evaluations to identify the type, scope, and test results for any assets that are now identified as Critical Cyber Assets that may assist in the development of test procedures (Step 2, below). The entity also identified vulnerabilities, testing for minimal ports and services (may be identified as “least configuration” as part of configuration management testing).
2. The entity developed and adopted CIP vulnerability assessment procedures, which address:
   a. The data to be collected about each electronic access point, including: Dates of the Assessment, Named individual(s) conducting the Assessment, Scope of the Assessments (supported by the current network diagrams), Description of the testing environment (Test System, sub-system or operational system), Assessment or Test procedures for each requirement (See the appropriate sections below), Plan for reporting test results such as: informal or formal out-briefs, completion of a Vulnerability Assessment Report, and submission of the Vulnerability Assessment Report.
   b. The discovery of all access points to the Electronic Security Perimeter.
   c. The hardening of all ports and services at access points, as applicable. Guidance was provided regarding the applicable procedures.
   d. The review of all default accounts to ensure proper account controls are in place.
3. The entity developed, executed and documented the results of the execution of the test procedures for each identified (and discovered) Electronic Security Perimeter access point. Documentation for testing activities and results included the type of test (observation, review or test), the results (compliant or non-compliant), and the identification of any non-compliance (including justification to a Technical Feasibility Exception or supported by a mitigation plan).
4. The entity prepared a mitigation plan addressing the correction of vulnerabilities identified during Step 2, above.
5. The entity evaluated and validated compliance.

Posted Date: 4/20/2011
Reliability Standard: CIP-005-1
Requirement: R3
Facts: The entity did not implement or document a formal process for monitoring and logging access at access points at its Electronic Security Perimeters. The entity was unable to fully monitor, detect and alert for attempts at, or actual, unauthorized access to its defined access points. The devices defined as access points were configured to log security-related events to a central logging tool, but the logs were not easily retrieved and therefore not all relevant historical logs were available for review.
Risk: Failure to document or implement a formal process for logging access points at Electronic Security Perimeters may have led to unauthorized access to the Electronic Security Perimeter. Failure to monitor, detect, and alert on attempts or breaches at defined access points may have led to unfettered access to Critical Cyber Assets.
Mitigation Action Taken: The entity obtained firewalls, tested and implemented firewalls, hardened firewall configurations, and verified monitoring and logging functions.




Page 13    Revised on July 15, 2011
Posted Date: 4/20/2011
Reliability Standard: CIP-005-1
Requirement: R4
Facts: R4.2: Vulnerability assessments had been performed, but the entity did not have a formal process in place to review the generated reports. R4.3: The entity performed vulnerability assessments, but did not perform an automated discovery of all access points to its defined Electronic Security Perimeters. Some devices were limited in the number of sockets available to respond to requests from discovery tools; this may have caused denial of service to these devices and may have interrupted normal operations. R4.4: The vulnerability assessment was set up to use common default community strings as well as default accounts with no passwords. However, had a failure occurred while using any of these community strings or default accounts, it would not have generated any errors, and the report would not have shown data or account information either. R4.5: The vulnerability assessment included a remediation plan. However, no process was in place to execute the remediation plans, primarily due to the time involved.
Risk: Failure to have a formal process in place to review Vulnerability Assessment Reports may have led to the reports not being reviewed. Failure to perform discovery of all access points in a vulnerability assessment may have presented the risk that some Critical Cyber Assets were not assessed or that normal operations were interrupted during assessment. Failure to generate reports for errors may have led to vulnerabilities in the Critical Cyber Assets not being addressed and mitigated. Failure to execute remedial measures was a failure to address vulnerabilities.
Mitigation Action Taken: The entity developed and reviewed its formal process document for vulnerability assessments. The entity performed an annual vulnerability assessment of the access points of its Electronic Security Perimeters and developed an action plan to remediate any vulnerabilities found. The entity implemented the action plan and documented the status of action plans as well as remediation results. The entity also purchased new software for an additional layer of protection for its access points.

Posted Date: 2/15/2011
Reliability Standard: CIP-005-2
Requirement: R1
Facts: An employee of the entity who was performing the escort function did not have a valid Performance Risk Assessment because the PRA had been inadvertently performed on another employee with the same name. The entity immediately revoked access until the proper PRA could be performed.
Risk: Unauthorized personnel may have gained access to Critical Cyber Assets.
Mitigation Action Taken: The entity revoked access for the escort until the proper Performance Risk Assessment could be performed. The entity will include employee identification numbers in Performance Risk Assessment tracking documentation to avoid future name confusion.

Posted Date: 12/30/2010
Reliability Standard: CIP-005-2
Requirement: R1.4
Facts: The entity failed to identify three devices as non-critical Cyber Assets within a defined Electronic Security Perimeter.
Risk: Failing to properly identify all Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity disconnected all three devices from the network and completed a comprehensive review of Electronic Security Perimeters and Physical Security Perimeters.

Posted Date: 4/29/2011
Reliability Standard: CIP-005-3
Requirement: R2.4
Facts: The entity discovered that a remote desktop protocol allowed user access from outside the Electronic Security Perimeter to a Critical Cyber Asset located within the Electronic Security Perimeter without ensuring the authenticity of the user accessing the device.
Risk: Allowing remote access without authentication may have increased the risk of an unauthorized individual gaining access to a Critical Cyber Asset.
Mitigation Action Taken: The entity developed and provided alternate access procedures. These procedures require operator authentication and eliminate the need for the firewall rule that allowed unauthenticated remote access to the original device.




Page 14
Posted Date: 4/20/2011
Reliability Standard: CIP-005-3
Requirement: R3.2
Facts: While conducting an internal review, the entity discovered that the logging and alerting for unauthorized access attempts had not been fully enabled on the interior firewalls. Firewall access was configured for only one workstation internet protocol (IP) address from the entity's network. The workstation was configured without a default gateway to ensure that it was not accessible from outside the firewall subnet. While logging was enabled for attempts to connect to the firewalls from other IP addresses, logging and alerting were not configured for unsuccessful attempts to authenticate user IDs and passwords.
Risk: Failure to detect and alert for attempted or actual unauthorized access to the Electronic Security Perimeter may have compromised Critical Cyber Assets.
Mitigation Action Taken: The following corrective actions were taken: 1) The three internal firewalls separating the entity network (comprising the Electronic Security Perimeter) were reconfigured. The system was reconfigured to do the following: A. Send alerts to administrators around the clock. B. Log and alert each denied IP address attempt to access the access points. C. Log and alert failed and successful user logon requests to the access points. D. Log and alert each IP attack on the access points, such as denial of TCP/IP spoofs. E. Log each access denied by an Access Control List. F. Alert each access denied by an Access Control List to the entity network. 2) A test was conducted to ensure that all the configured controls are working as required. 3) All logs are now retained for a rolling 365 days. Alerts are retained for a minimum of 90 days.
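The mitigation above lists the event classes the interior firewalls must log and alert on, a test that every configured control fires, and two retention windows. As an added example that is not from the case notes or the entity's own tooling, the Python below classifies constructed syslog-style firewall lines into those categories (B through E/F), reports any category that never produced an alert during a test run (the gap in the original finding: connections logged, failed logons not), and checks the 365-day log and 90-day alert windows. The line format, event type names and hosts are constructed for this example and do not correspond to any firewall vendor.

```python
"""Added example: firewall log classification, control-coverage test and
retention check modelled on the CIP-005-3 R3.2 mitigation items.
The log format, event type names and hosts below are constructed for this
example and do not correspond to any particular firewall vendor."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LOG_RETENTION_DAYS = 365    # all logs retained for a rolling 365 days
ALERT_RETENTION_DAYS = 90   # alerts retained for a minimum of 90 days

# Constructed line format: "<ISO timestamp> <firewall host> <EVENT_TYPE> k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed event types mapped to the mitigation's alert items:
#   B:   denied IP attempt to reach an access point
#   C:   failed and successful user logons to an access point
#   D:   IP attack such as a TCP/IP spoof
#   E/F: access denied by an Access Control List (logged and alerted)
EVENT_CATEGORY = {
    "CONN_DENIED": "B",
    "LOGIN_FAIL": "C",
    "LOGIN_OK": "C",
    "SPOOF_DROP": "D",
    "ACL_DENY": "E/F",
}
REQUIRED_CATEGORIES = frozenset(EVENT_CATEGORY.values())


@dataclass
class Alert:
    ts: datetime
    host: str
    category: str
    detail: str


def parse_line(line: str):
    """Parse one constructed log line; return (ts, host, event, fields) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    return datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("event"), fields


def alerts_from_log(text: str) -> list:
    """Turn every alert-worthy log line into an Alert; other lines are only logged."""
    alerts = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, event, fields = parsed
        category = EVENT_CATEGORY.get(event)
        if category is None:
            continue  # e.g. a heartbeat: kept in the log, never alerted
        detail = " ".join(f"{k}={v}" for k, v in sorted(fields.items()))
        alerts.append(Alert(ts, host, category, f"{event} {detail}"))
    return alerts


def missing_controls(alerts: list) -> set:
    """Categories that produced no alert during a test run (item 2 of the mitigation).

    A non-empty result means a configured control is not firing, which is the
    shape of the original finding: connection denials were logged while failed
    logons produced nothing."""
    return set(REQUIRED_CATEGORIES) - {a.category for a in alerts}


def within_retention(record_iso: str, now_iso: str, is_alert: bool = False) -> bool:
    """True while a record must still be kept under its rolling window (item 3)."""
    days = ALERT_RETENTION_DAYS if is_alert else LOG_RETENTION_DAYS
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(record_iso)
    return age <= timedelta(days=days)


# Constructed sample: one line per event type plus a non-alert heartbeat.
SAMPLE_LOG = """\
2011-04-01T02:15:07 fw-int-1 CONN_DENIED src=10.20.30.40 dst=10.1.1.5 dport=22
2011-04-01T02:16:11 fw-int-1 LOGIN_FAIL user=operator src=10.1.1.9
2011-04-01T02:16:40 fw-int-1 LOGIN_OK user=operator src=10.1.1.9
2011-04-01T03:00:00 fw-int-2 SPOOF_DROP src=10.1.1.5 iface=outside
2011-04-01T03:05:22 fw-int-2 ACL_DENY acl=esp-inbound src=192.0.2.7 dst=10.1.1.5
2011-04-01T03:06:00 fw-int-3 HEARTBEAT status=ok
"""

if __name__ == "__main__":
    found = alerts_from_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.host} [{a.category}] {a.detail}")
    print("controls not firing:", missing_controls(found) or "none")
    # A 2011-04-01 record is about 105 days old on 2011-07-15: still inside the
    # 365-day log window, but past the 90-day minimum for alerts.
    print("log still retained:", within_retention("2011-04-01T02:15:07", "2011-07-15T00:00:00"))
    print("alert still retained:", within_retention("2011-04-01T02:15:07", "2011-07-15T00:00:00", True))
```

Feeding the output of a real test run (one deliberately triggered event per category) into `missing_controls` gives the check item 2 of the mitigation describes.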

Posted Date: 2/15/2011
Reliability Standard: CIP-006-1
Requirement: R1
Facts: The entity's access control system that controls and monitors physical access to the Physical Security Perimeter (PSP) for the Data Center and Control Room PSPs was not afforded certain of the protective measures required by Reliability Standard CIP-006-1, R1.8.
Risk: An unauthorized individual may have gained access to the Cyber Assets.
Mitigation Action Taken: The entity conducted a detailed investigation to determine the steps needed to bring the Cyber Asset into strict compliance. It reviewed accounts and disabled manufacturer and default guest accounts. In addition, the entity reviewed logs and confirmed that they were retained for 90 days, filed a technical feasibility exception (TFE) for ongoing manual review of logs, and installed an appropriate use banner on the server. It reviewed and documented ports, services and compensating measures. A TFE was filed for ports and services due to the age of the system, and the entity confirmed that Anti-Virus could not be installed on the server. A TFE also was filed for malware, and the entity confirmed that security patches were not installed on the server due to the age of the application and the mitigation measures that were in place. A TFE was filed per NERC Compliance Process Bulletin #2010-001. The entity filed another TFE to document the compensating measures in place for manual review of account logs in lieu of automated alerts. It ordered and installed backup equipment, completed a full backup for covered assets, and completed a third-party vulnerability assessment (covered Cyber Assets were included).

Posted Date: 4/29/2011
Reliability Standard: CIP-006-1
Requirement: R1.1
Facts: The entity discovered certain Critical Cyber Assets were not located in a secure six-wall border.
Risk: Lack of a secure six-wall border may have allowed for a greater chance of unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity contacted and obtained quotes from appropriate vendors to install the additional security hardware and cabling. The entity installed and tested all equipment. Card readers and cameras were also added to each access point.

Posted Date: 4/29/2011
Reliability Standard: CIP-006-1
Requirement: R1.2
Facts: The entity discovered a previously unidentified entry point through its Physical Security Perimeter to a Critical Cyber Asset.
Risk: An unidentified access point may have allowed for easier, unsecured access to a Critical Cyber Asset.
Mitigation Action Taken: The entity: 1) secured the entry point; and 2) performed a walk down of all Physical Security Perimeters to determine if any other unsecured entry points to Physical Security Perimeters existed.

Posted Date: 4/20/2011
Reliability Standard: CIP-006-1
Requirement: R1.6
Facts: An entity employee without unescorted access followed an employee with unescorted access into a secure area without the authorized individual's knowledge.
Risk: Failing to adhere to procedures regarding escorting of unauthorized personnel around Critical Cyber Assets may have compromised the Physical Security Perimeter and allowed easier unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity i) distributed a flyer to all personnel with approved unescorted access privileges reminding them of the procedures to follow when escorting visitors; ii) installed door signs that are clearly visible at each applicable access door stating that employees should be aware of individuals behind them when entering secure areas; and iii) required all corporate IT personnel to complete the entity's cyber security training program.




Page 15
Posted Date: 3/7/2011
Reliability Standard: CIP-006-1
Requirement: R2; R3; R4
Facts: The entity failed to implement its documented operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter around the clock. The implementation failure occurred when the locking mechanism at one of the access points to the entity's defined Physical Security Perimeters was disabled during maintenance activities.
Risk: Failure to secure access points undergoing construction may have allowed unauthorized personnel unescorted access into a Physical Security Perimeter without detection.
Mitigation Action Taken: Upon discovery, the entity immediately secured the access point and filed the appropriate internal reports. Patrols and monitoring of the area were increased, and a temporary alarm was installed to provide monitoring and logging of all access. The area was then placed under constant human observation by a cleared entity employee until the work was completed. The entity changed its job-site turn-over procedure to clarify where responsibility is placed for ensuring correct re-commissioning of a site post completion. In addition, the entity updated the applicable physical access control procedures to highlight continuous visitor escort and logging requirements. The changes to procedures required all personnel performing maintenance on doors to the Physical Security Perimeter to be retrained. In addition, language defining progressive disciplinary actions for failure to observe requirements was incorporated into the Physical Security Plan.

Posted Date: 3/1/2011
Reliability Standard: CIP-006-1
Requirement: R1.6; R4
Facts: On three occasions, the entity failed to follow its internal procedures for escorting and logging access to Critical Cyber Assets.
Risk: Failing to adhere to procedures regarding escorting and logging access to Critical Cyber Assets may have compromised the Physical Security Perimeter and may have allowed unauthorized access to Critical Cyber Assets.
Mitigation Action Taken: The entity 1) completed detailed incident investigations; 2) checked the facilities for possible damage or compromise to CIP assets; 3) had management communicate directly with all involved parties regarding the incident and expectations for future performance; 4) had management communicate directly with all staff with access to CIP facilities regarding access procedures; and 5) the CEO communicated by memorandum to all company staff regarding the need for heightened awareness of NERC compliance requirements.

Posted Date: 2/15/2011
Reliability Standard: CIP-006-2
Requirement: R2
Facts: The entity found that certain protective measures were not being applied to nine Cyber Assets (three of which are used for monitoring access to the Physical Security Perimeter and six of which are used for monitoring access to the Physical Security Perimeter). The entity did not have proper documentation of organizational processes and technical and procedural mechanisms for monitoring security events.
Risk: Failing to document organizational processes and technical and procedural mechanisms for monitoring security events for Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity reviewed past logs for any signs of cyber security incidents related to these Cyber Assets and incorporated these devices into the procedure used for monitoring security events on other Cyber Assets.

Posted Date: 2/15/2011
Reliability Standard: CIP-006-3
Requirement: R2
Facts: The entity installed a new Physical Access Control System panel without following its Change Control and Configuration Management Process. As a result of not following the process, the entity failed to comply with testing procedures and the documentation update within thirty days of the installation.
Risk: Failing to properly test and update documentation relating to new Cyber Assets may have led to inadequate protection of Cyber Assets.
Mitigation Action Taken: The entity retroactively applied its complete Change Management Process to the new Cyber Asset and completed the required documentation update. It also performed a complete new Cyber Asset security controls test. The entity also modified its Change Management processes to require additional steps and safeguards for changes in the Physical Access Control System. Additional training was provided to groups responsible for such changes.

Posted Date: 3/1/2011
Reliability Standard: CIP-007
Requirement: R1
Facts: The entity provided insufficient evidence that it had tested a significant software change to its Critical Cyber Assets.
Risk: If cyber security controls were adversely affected due to a significant change to the entity's Critical Cyber Assets, the Critical Cyber Assets may have been compromised.
Mitigation Action Taken: The entity created better documentation of its testing of Critical Cyber Assets, including checklists to show that tests were performed both before and after changes were made.

Posted Date: 3/1/2011
Reliability Standard: CIP-007-1
Requirement: R1
Facts: The entity did not follow its test procedures, nor did it ensure that significant changes to Critical Cyber Assets had not adversely affected certain software or its operation.
Risk: Significant changes may have adversely affected existing cyber security controls.
Mitigation Action Taken: The entity provided updates covering CIP policy and procedure requirements, applicability and access. The entity also provided training webinars covering pertinent CIP topics and increased management emphasis and communications clarifying the requirement of strict adherence to CIP policies and procedures.

Posted Date: 2/15/2011
Reliability Standard: CIP-007-1
Requirement: R1
Facts: The entity did not provide evidence that it had created, implemented, maintained and documented test procedures and test results for all Critical Cyber Assets within the Electronic Security Perimeter.
Risk: Significant changes may have adversely affected existing cyber security controls.
Mitigation Action Taken: The entity revised its cyber security test procedures to include all Critical Cyber Assets, and then implemented the new test procedures.


Page 16
Posted Date: 3/7/2011
Reliability Standard: CIP-007-1
Requirement: R3
Facts: The entity did not document the assessment of all security patches and security upgrades for applicability within thirty calendar days of available patches or upgrades.
Risk: Out of date security patches may have allowed for unauthorized electronic access to and potential compromise of Critical Cyber Assets.
Mitigation Action Taken: The entity updated the patching application with the configuration parameters provided by the technical support of the vendor patching application. The patching application was modified that same day and then the automatic assessment process performed as intended. The entity took the following steps to ensure that patches are assessed within thirty calendar days: 1) The entity retained personnel from the patching application vendor to be on site to ensure the patching application matches all security patches to each Critical Cyber Asset server; and 2) The entity's personnel performed a manual process to confirm the automated system had retrieved and matched the appropriate security patches.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R2
Facts: The entity had baseline documents but had no formal process for reviewing them. No firewalls were enabled in the system environment release. Production workstations were not scanned for vulnerabilities. The vendor of the system environment had no documentation as to which ports and services needed to be enabled for normal or emergency operations. The entity had no test environment in which to safely determine which ports and services could be disabled. The entity tested firewall implementation for non-critical servers as well as workstations, but did not implement them. Adding firewalls to the production system could have caused failure of the system. Access point devices located within the defined Electronic Security Perimeter were not configured to allow only the ports and services required for operations and monitoring. While access control lists were in use, they were not specific to the required ports and services.
Risk: Failure to review baseline documents resulted in a failure to ensure their continued integrity. The absence of firewalls could have resulted in unauthorized access to Critical Cyber Assets. Adding firewalls to the production system could have caused failure of the system. Failure to ensure that properly designated ports and services are disabled could have led to port or service failure or unauthorized access to Critical Cyber Assets. The lack of a test environment for firewall additions could have resulted in total or partial failure of real-time Critical Cyber Assets.
Mitigation Action Taken: The entity performed vulnerability assessments and ran port scans on workstations to develop a baseline and compare the baseline to scans after system changes. The entity also replaced the referenced access points, which were switches, with firewalls and hardened the configuration of those firewalls to allow only the required ports and services as well as approved hosts. These firewalls were installed as access points to the entity's Electronic Security Perimeters, protecting the cyber assets within the Electronic Security Perimeter. The entity also installed new software into the firewalls which provided further threat protection. The software's intrusion prevention capabilities enhance firewall protection by blocking threats and network attacks, including worms, Trojans, viruses, and attacks against operating system and application vulnerabilities. The entity also received approval to purchase further software to provide advanced protections to its Critical Cyber Assets within its Electronic Security Perimeters. The entity has also purchased a quality assurance system for the new software system to provide a test environment in which to determine a baseline for ports and services within the system environment. The entity worked with the vendor to bring that quality assurance system on-line. The entity also managed and maintained the integrity of the configurations of its firewalls.

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R2
Facts: Although the entity's ports and services had been documented for all devices of a certain brand, other Electronic Security Perimeter open ports and services for network devices had not been documented. Also, the entity had enabled only the ports and services required for operations but had not documented all of the configurations for those ports and services.
Risk: Undocumented port configurations may result in incorrect configurations and port vulnerability, port failure, or port inaccessibility in certain situations.
Mitigation Action Taken: 1. The entity reviewed all ports and services configurations for correctness. 2. The entity documented baseline configurations of all ports and services, including comments on the use of such ports and services, for all Critical Cyber Assets within the Electronic Security Perimeter (i.e. firewalls, routers, servers). The entity identified considerations for cases where different ports and services are utilized during emergency situations.
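
The two R2 entries above describe the same control: a documented ports-and-services baseline per Critical Cyber Asset, with the justification for each open port and a note on ports needed only in emergencies, compared against a fresh scan after every system change. The script below is an added example of that comparison and is not part of the NERC Case Notes or any entity's mitigation plan. It parses nmap "grepable" (-oG) output, which is a real nmap format; the hosts, ports, justifications and the scan text itself are constructed for the example. A host that disappears from the scan is reported as a finding rather than silently counted as clean, and an emergency-only port that is open during normal operations is flagged too.

```python
"""Ports-and-services baseline check against a post-change scan.

Added example (not from the NERC Case Notes): parse nmap -oG output and
compare the open ports it reports with a documented baseline. Hosts, ports
and justifications are hypothetical; the scan text is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselinePort:
    proto: str
    port: int
    service: str
    justification: str          # why the port is open (the R2 documentation)
    emergency_only: bool = False  # only expected open during emergency operations


# Hypothetical documented baseline for two assets inside the ESP.
BASELINE = {
    "10.0.0.5": {
        BaselinePort("tcp", 22, "ssh", "Remote administration from the jump host"),
        BaselinePort("tcp", 502, "modbus", "Polling by the SCADA master"),
        BaselinePort("tcp", 8443, "https-alt", "Vendor support console", emergency_only=True),
    },
    "10.0.0.6": {
        BaselinePort("udp", 161, "snmp", "Read-only polling by the NMS"),
        BaselinePort("tcp", 443, "https", "Operator HMI"),
    },
}

# Constructed post-change scan output in nmap -oG format (tabs separate fields).
SCAN_OUTPUT = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 10.0.0.5 10.0.0.6\n"
    "Host: 10.0.0.5 (ctrl01)\tStatus: Up\n"
    "Host: 10.0.0.5 (ctrl01)\tPorts: 22/open/tcp//ssh///, 502/open/tcp//mbap///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 (hmi01)\tStatus: Up\n"
    "Host: 10.0.0.6 (hmi01)\tPorts: 161/open|filtered/udp//snmp///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 4.21 seconds\n"
)

# nmap -oG writes each port as port/state/protocol/owner/service/rpc/version/.
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)//([^/]*)///")


def parse_grepable(text):
    """Return {ip: {(proto, port), ...}} of open (or open|filtered) ports."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        open_ports.setdefault(ip, set())  # record the host even if no Ports: field
        m = re.search(r"Ports: ([^\t]*)", line)
        if m:
            for port, _state, proto, _svc in PORT_RE.findall(m.group(1)):
                open_ports[ip].add((proto, int(port)))
    return open_ports


def compare(baseline, scan, emergency_mode=False):
    """Return (ip, proto, port, status) findings; an empty list means the scan matches."""
    findings = []
    for ip in sorted(set(baseline) | set(scan)):
        if ip not in scan:
            # A host that drops out of the scan must not read as "clean".
            findings.append((ip, "-", 0, "HOST_NOT_SCANNED"))
            continue
        expected = {(p.proto, p.port): p for p in baseline.get(ip, set())}
        observed = scan[ip]
        for proto, port in sorted(observed - set(expected)):
            findings.append((ip, proto, port, "UNDOCUMENTED_OPEN"))
        for (proto, port), bp in sorted(expected.items()):
            if (proto, port) in observed:
                if bp.emergency_only and not emergency_mode:
                    findings.append((ip, proto, port, "EMERGENCY_ONLY_PORT_OPEN"))
            elif not bp.emergency_only:
                findings.append((ip, proto, port, "DOCUMENTED_BUT_CLOSED"))
    return findings


def run():
    return compare(BASELINE, parse_grepable(SCAN_OUTPUT))


if __name__ == "__main__":
    for ip, proto, port, status in run():
        print(f"{ip} {port}/{proto}: {status}")
```

On the constructed scan the only finding is 3389/tcp on 10.0.0.5, which is open but has no baseline justification; the emergency-only 8443/tcp being closed is not a finding because `emergency_mode` is off. Keeping the justification text next to each baseline entry is what turns the diff into the R2 evidence an auditor asks for.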




Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R3
Facts: The registered entity evaluated security patches to determine if they should be installed and documented installation of a security patch, but the company did not document the rationale for patches not selected for installation. The registered entity did not have a documented security patch management program.
Risk: Failure to maintain a documented security patch management program may have compromised software essential to the viability of Critical Cyber Assets.
Mitigation Action Taken: 1. The entity developed a security patch management policy to identify and review all applicable security patches for all devices (i.e. firewalls, routers, operating systems, applications, etc.) for all Critical Cyber Assets within the Electronic Security Perimeter within thirty days of their release. The policy included requirements for documenting rationale and compensating measures for any patches not installed. 2. The entity created a defined template and used it for the review of each new patch. When it is decided that a patch should not be installed, the justification and any other risk mitigation activities implemented are documented and included where applicable. 3. The implementation of reviewed patches followed the defined templates and forms. The entity changed the systems used to support the change control process, as identified in its CIP-003 R6 mitigation. 4. The entity trained all affected employees on the patch management policy to ensure the policy was followed.
Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R5
Facts: The entity's system logs were not capturing data on all network devices to create historical audit trails of individual user account access activity (R5.1.2). The entity had not performed an annual review of access privileges within the past year (R5.1.3). Although access to shared or generic accounts is limited to appropriate personnel, the entity did not maintain a list of persons with access to shared or generic accounts (R5.2.3).
Risk: Failure to log individual user access activity to network devices may have placed Cyber Assets and the bulk power system at risk. Failure to review access privileges may have resulted in unauthorized persons gaining access to network devices or controls. Failure to maintain a list of persons with access to shared or generic accounts may have resulted in unauthorized persons gaining access to those accounts.
Mitigation Action Taken: 1. The entity developed a comprehensive baseline list of all personnel who had been granted access to Critical Cyber Assets. The entity identified access at the network, application, database, and device level for each user. Moreover, the entity identified the privilege level assigned to each user. 2. The entity developed a comprehensive list of all shared, default or generic accounts for all Critical Cyber Asset devices and a list of users who had been granted access to them. 3. The entity developed a process whereby shared accounts that are created or deleted are reflected in the comprehensive list. 4. The entity developed a process to perform an annual review of these lists for ongoing pertinence. 5. The entity developed a process to ensure all security-related logging information is retained for a time period that meets the requirements. 6. The entity updated the applicable policies to include detailed information to support how account management is implemented (i.e. technical and procedural controls that enforce access authentication of, and accountability for, all user activity).

Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R6
Facts: Although logging was performed on select equipment, the entity had not created a program to log, monitor, identify, review and react to security events on all Critical Cyber Assets, where technically feasible, within the key software network.
Risk: Failure to have a program that logs, monitors, identifies, reviews, and reacts to security events related to Cyber Assets may have hindered the entity's ability to respond to critical security events.
Mitigation Action Taken: 1. The entity performed a feasibility assessment for an automated tool to enable security logging and monitoring. 2. The entity created a process for logging security events for access points to the key software through an automated tool or process. These access points include firewalls, routers, switches, operating systems, key software workstations, applications, and databases where applicable. 3. The entity developed an updated policy for monitoring security events through an automated tool or process. The procedure includes a defined schedule for how often logs are reviewed. The procedure also details requirements for retention of electronic access logs (maintained and easily retrievable for at least 90 days, and for at least 3 years for security-related incidents). 4. The entity trained all affected employees on the updated policy.
Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R6.1
Facts: The entity did not ensure that all Critical Cyber Assets within the Electronic Security Perimeter implemented automated tools or organizational process controls to monitor system events related to cyber security. The entity did not implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Critical Cyber Assets within the Electronic Security Perimeter.
Risk: Failure to ensure that automated tools and process controls were in place for all Critical Cyber Assets within the Electronic Security Perimeter may have placed those assets, and the bulk power system, at risk.
Mitigation Action Taken: The entity purchased and installed new software. The software will be used to proactively monitor and alert on events in the key software environment. The entity also set up the new software in the test environment so that testing of various configuration changes to the new software can be made without impacting the production key software.
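
The R5, R6 and R6.1 entries above turn on three things a log reviewer has to be able to show: a per-account audit trail of who accessed each device (R5.1.2), accountability for shared or generic accounts against a documented list of who may use them (R5.2.3), and monitoring that notices when a device stops producing events at all, which is the failure mode behind "logging was performed on select equipment" (R6). The script below is an added example of that review logic, not code from the NERC Case Notes or any entity's plan. The sshd syslog lines, device names, shared-account list and authorized-workstation list are all constructed; mapping a shared account to the workstation addresses of the named individuals allowed to use it is one practical way to get accountability out of a shared login, and is an assumption of the example rather than anything the entries prescribe.

```python
"""Access-log review for devices inside the ESP.

Added example (not from the NERC Case Notes): build the R5.1.2 audit trail
from device authentication logs, check shared-account use against a documented
list (R5.2.3), and treat a device that stops logging as a monitoring failure
(R6). Log lines, hosts and lists below are constructed/hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sshd syslog lines (ISO timestamps) from an EMS server and a router.
SAMPLE_LOGS = """\
2011-04-01T08:02:11Z ems01 sshd[4011]: Accepted publickey for jsmith from 10.1.1.20 port 51022 ssh2
2011-04-01T08:05:47Z ems01 sshd[4020]: Accepted password for operator from 10.1.1.31 port 51100 ssh2
2011-04-01T09:12:03Z rtr01 sshd[221]: Failed password for admin from 10.1.1.99 port 40022 ssh2
2011-04-01T09:12:09Z rtr01 sshd[221]: Failed password for admin from 10.1.1.99 port 40022 ssh2
2011-04-01T09:12:15Z rtr01 sshd[221]: Accepted password for admin from 10.1.1.99 port 40022 ssh2
2011-06-28T14:40:00Z ems01 sshd[7788]: Accepted password for operator from 10.1.1.77 port 52010 ssh2
"""

# Matches sshd "Accepted"/"Failed" lines; "invalid user" variants are not modeled.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical documented lists: devices expected to log, shared/generic
# accounts per device, and the workstations of the individuals authorized
# to use each shared account (the R5.2.3 list, expressed as source addresses).
EXPECTED_HOSTS = {"ems01", "rtr01", "hmi01"}
SHARED_ACCOUNTS = {"ems01": {"operator"}, "rtr01": {"admin"}}
AUTHORIZED_SOURCES = {
    ("ems01", "operator"): {"10.1.1.31", "10.1.1.32"},
    ("rtr01", "admin"): {"10.1.1.20"},
}


def parse(text):
    """Parse sshd auth lines into dicts with a UTC datetime; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events


def audit_trail(events):
    """{(host, account): [(time, source, method), ...]} of successful logins (R5.1.2)."""
    trail = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted":
            trail[(ev["host"], ev["user"])].append((ev["ts"], ev["src"], ev["method"]))
    return dict(trail)


def review(events, expected_hosts, shared=SHARED_ACCOUNTS, authorized=AUTHORIZED_SOURCES,
           max_gap=timedelta(days=30)):
    """Return (kind, host, detail) findings for the log reviewer to act on."""
    findings = []
    failures = defaultdict(int)   # (host, user, src) -> failed attempts before a success
    last_seen = {}                # host -> timestamp of its most recent event
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, user, src = ev["host"], ev["user"], ev["src"]
        # A device that goes quiet for longer than max_gap is a logging failure.
        if host in last_seen and ev["ts"] - last_seen[host] > max_gap:
            findings.append(("LOG_GAP", host, f"{(ev['ts'] - last_seen[host]).days} days"))
        last_seen[host] = ev["ts"]
        if ev["result"] == "Failed":
            failures[(host, user, src)] += 1
            continue
        # Repeated failures immediately followed by success from the same source.
        if failures.pop((host, user, src), 0) >= 2:
            findings.append(("FAILURES_THEN_SUCCESS", host, f"{user} from {src}"))
        # Shared account used from a workstation not on the documented access list.
        if user in shared.get(host, set()) and src not in authorized.get((host, user), set()):
            findings.append(("SHARED_ACCOUNT_UNDOCUMENTED_SOURCE", host, f"{user} from {src}"))
    for host in sorted(expected_hosts - set(last_seen)):
        findings.append(("NO_LOGS_RECEIVED", host, "no events in the review window"))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for kind, host, detail in review(evs, EXPECTED_HOSTS):
        print(f"{kind:36} {host:6} {detail}")
```

On the constructed input the review produces five findings: two failed passwords followed by a success for the router's shared `admin` account from an undocumented address, the same `admin` login flagged again because 10.1.1.99 is not on the access list, an 88-day gap in `ems01` logs, an `operator` login from an undocumented workstation, and no events at all from `hmi01`. The last two kinds are the ones the R6 and R6.1 entries are about: an absent log is itself an event to react to.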


Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R8
Facts: Vulnerability assessments were performed, but the entity did not have a formal process in place to review the generated reports, nor did it perform automated discovery of all access points to its defined Electronic Security Perimeters. Vulnerability assessments were set up to use common default community strings (public, private), as well as default accounts (administrator, guest) with no passwords; however, a failure while using any of these community strings or default accounts did not generate any errors. The reports therefore did not show data or account information. Although vulnerability assessments included remediation plans, no processes were in place to execute the remediation plans.
Risk: Failure to run vulnerability assessments due to performance degradation may have resulted in inaccurate or incomplete assessments. Incomplete assessments may not have revealed existing vulnerabilities which required mitigation.
Mitigation Action Taken: The entity developed and reviewed its formal process document for vulnerability assessments. The entity performed an annual vulnerability assessment of all Critical Cyber Assets within the Electronic Security Perimeter and developed an action plan to remediate any vulnerabilities found. The entity implemented the action plan and documented the status of action plans as well as remediation results. The entity also introduced dedicated vulnerability scanning for devices located within the Electronic Security Perimeter.


Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R9
Facts: The entity failed to review and update all of the documentation specified in CIP-007 at least annually. Specifically, modifications to systems and controls may not have been documented.
Risk: Undocumented modifications may have left the entity unable to assess vulnerabilities to cyber assets.
Mitigation Action Taken: The entity developed a procedure to review documents and procedures referenced in CIP-007 at least annually; changes resulting from the review are documented within 90 calendar days.
Posted Date: 4/20/2011
Reliability Standard: CIP-007-1
Requirement: R8
Facts: Although the registered entity performed vulnerability assessments, it had not developed a procedure to describe the scope of the vulnerability assessment, the steps utilized in performing the scan, the process for documenting the results, and the process for remediation of any issues that are identified. As a result, there was a lack of evidence that the entity reviewed the default accounts, passwords, and community strings inside the Electronic Security Perimeter.
Risk: Failure to perform complete vulnerability assessments may have led to a failure to identify systems or components at risk. Failure to mitigate known vulnerabilities may have placed cyber assets and the bulk power system at risk.
Mitigation Action Taken: The entity developed a procedure which includes the scope and process for completing a vulnerability assessment. The procedure included the scope of the assessment, the steps required for completing the assessment, the process for documenting results, and the process for mitigating vulnerabilities. In addition, the procedure included a list of all security aspects which were reviewed as part of the assessment (i.e. controls for default accounts, passwords, and network management community strings, etc.). The entity also developed a template to be used to support the mitigation process for vulnerability assessments. The template included the vulnerability identified, the applicability including why it was or was not identified, the mitigation steps performed and the date mitigated. The entity scheduled and performed a vulnerability assessment per the procedures developed.
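
Both R8 entries above come down to the same scanner defect: the default community string and default account checks ran, failed to reach or authenticate to their targets, raised no error, and the resulting report looked clean because it contained no data. The example below is added here and is not code from the NERC Case Notes or either entity's assessment tooling. It shows the structure a practitioner would want: every credential probe ends in exactly one of ACCEPTED (a finding), REJECTED (the control held) or UNTESTED (the probe itself failed), and the assessment is only reported complete when nothing is UNTESTED. The probe functions here are constructed stand-ins that return canned answers so the example runs offline; in a real assessment they would be replaced by an SNMP GET with the candidate community string and a login attempt with the default account.

```python
"""Default-credential checks that cannot fail silently.

Added example (not from the NERC Case Notes): each probe ends in one of three
explicit outcomes, and an assessment with any UNTESTED result is incomplete.
Hosts, canned probe answers and ProbeError are constructed for the example.
"""
from enum import Enum


class Outcome(Enum):
    ACCEPTED = "accepted"   # target accepted the default credential: a finding
    REJECTED = "rejected"   # target rejected it: the control is in place
    UNTESTED = "untested"   # the probe failed (timeout, refused, error): rerun required


class ProbeError(Exception):
    """Raised by a probe when the test could not be carried out at all."""


# Defaults the assessment must cover, taken from the facts of the two R8 entries.
SNMP_COMMUNITIES = ("public", "private")
DEFAULT_ACCOUNTS = (("administrator", ""), ("guest", ""))


def _run(probe, *args):
    """Map a probe's result onto an Outcome; only ProbeError becomes UNTESTED."""
    try:
        return Outcome.ACCEPTED if probe(*args) else Outcome.REJECTED
    except ProbeError:
        return Outcome.UNTESTED
    # Any other exception is a bug in the scanner and must surface, not be swallowed.


def assess_host(host, snmp_probe, login_probe):
    """Run every default-credential check against one host; return {check: Outcome}."""
    results = {}
    for community in SNMP_COMMUNITIES:
        results[f"snmp:{community}"] = _run(snmp_probe, host, community)
    for user, password in DEFAULT_ACCOUNTS:
        results[f"login:{user}"] = _run(login_probe, host, user, password)
    return results


def summarize(results_by_host):
    """Findings, untested checks, and a single completeness verdict for the report."""
    findings, untested = [], []
    for host, results in results_by_host.items():
        for check, outcome in results.items():
            if outcome is Outcome.ACCEPTED:
                findings.append((host, check))
            elif outcome is Outcome.UNTESTED:
                untested.append((host, check))
    return {"findings": findings, "untested": untested, "complete": not untested}


# Constructed stand-ins for a real SNMP GET and a real login attempt.
_FAKE_SNMP_ACCEPTS = {("10.0.0.5", "public")}   # ctrl01 still answers to "public"
_FAKE_UNREACHABLE = {"10.0.0.7"}                 # hmi02 sits behind a filtering ACL


def fake_snmp_probe(host, community):
    if host in _FAKE_UNREACHABLE:
        raise ProbeError("timeout")
    return (host, community) in _FAKE_SNMP_ACCEPTS


def fake_login_probe(host, user, password):
    if host in _FAKE_UNREACHABLE:
        raise ProbeError("connection refused")
    return host == "10.0.0.6" and user == "guest" and password == ""


def run_assessment(hosts=("10.0.0.5", "10.0.0.6", "10.0.0.7")):
    return summarize({h: assess_host(h, fake_snmp_probe, fake_login_probe) for h in hosts})


if __name__ == "__main__":
    report = run_assessment()
    for host, check in report["findings"]:
        print(f"FINDING  {host} accepts default {check}")
    for host, check in report["untested"]:
        print(f"UNTESTED {host} {check}: probe failed, assessment incomplete")
    print("complete:", report["complete"])
```

On the canned data the report carries two findings (10.0.0.5 accepts the `public` community string, 10.0.0.6 accepts `guest` with an empty password) and four UNTESTED checks for the unreachable 10.0.0.7, so `complete` is False. That last bit is the difference from the scanners in the two entries: a report that says nothing about a host is not evidence that the host was assessed.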

Posted Date: 12/30/2010
Reliability Standard: CIP-007-2a
Requirement: R3.1
Facts: On two occasions, security patches for certain cyber security software became available but were not assessed for applicability to Cyber Assets within 30 days.
Risk: Out of date security patches may have allowed for unauthorized electronic access to Critical Cyber Assets.
Mitigation Action Taken: The security patches in question were assessed, and individuals responsible for assessing the patches were counseled on the need to carefully review the sources for security patches to ensure available patches are not overlooked.
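
The three patch-management entries above (CIP-007-1 R3 posted 3/7/2011 and 4/20/2011, and CIP-007-2a R3.1 posted 12/30/2010) describe three distinct ways the same obligation was missed: the automated tool failed to match vendor patches to the servers they applied to, patches that were deliberately not installed had no documented rationale or compensating measures, and patches published by the vendor were simply never noticed. The tracker check below is an added example, not code from the NERC Case Notes or any entity's patching application. It records each patch per asset, flags assessments missing or late against the 30-calendar-day window, requires rationale and compensating measures for a deferred patch, and reconciles the tracker against the vendor feed so that a patch nobody entered shows up. Patch identifiers, product names, assets and dates are hypothetical.

```python
"""Patch-assessment tracker for the 30-calendar-day applicability window.

Added example (not from the NERC Case Notes): flag missing or late
assessments, deferrals without rationale or compensating measures, and
vendor patches with no tracker record at all. All identifiers, assets and
dates below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_WINDOW = timedelta(days=30)


@dataclass
class PatchRecord:
    patch_id: str
    asset: str
    released: date
    assessed: Optional[date] = None
    decision: Optional[str] = None   # "install", "defer" or None (not yet decided)
    rationale: str = ""              # required when deferred
    compensating: str = ""           # required when deferred


# Hypothetical vendor feed: (patch_id, product, release date).
VENDOR_FEED = [
    ("EMS-2011-03", "EMS platform", date(2011, 3, 20)),
    ("EMS-2011-04", "EMS platform", date(2011, 4, 1)),
    ("HMI-2011-02", "HMI software", date(2011, 4, 10)),
    ("HMI-2011-03", "HMI software", date(2011, 5, 1)),
    ("HMI-2011-04", "HMI software", date(2011, 5, 12)),
]
# Hypothetical inventory: which products run on which Critical Cyber Asset.
ASSET_PRODUCTS = {"ems01": {"EMS platform"}, "hmi01": {"HMI software"}}

# Hypothetical tracker contents as of the review date used in __main__.
RECORDS = [
    PatchRecord("EMS-2011-03", "ems01", date(2011, 3, 20), date(2011, 4, 5), "install"),
    PatchRecord("EMS-2011-04", "ems01", date(2011, 4, 1), date(2011, 5, 10), "defer",
                rationale="Requires reboot of the primary EMS server; scheduled for next outage"),
    PatchRecord("HMI-2011-02", "hmi01", date(2011, 4, 10)),
    PatchRecord("HMI-2011-03", "hmi01", date(2011, 5, 1)),
]


def check_record(rec, today):
    """List the compliance problems with one record (empty list if clean)."""
    problems = []
    deadline = rec.released + ASSESSMENT_WINDOW
    if rec.assessed is None:
        if today > deadline:
            problems.append(f"not assessed; {(today - deadline).days} days past the 30-day deadline")
    else:
        if rec.assessed > deadline:
            problems.append(f"assessed {(rec.assessed - deadline).days} days late")
        if rec.decision not in ("install", "defer"):
            problems.append("assessed but no install/defer decision recorded")
    if rec.decision == "defer":
        if not rec.rationale.strip():
            problems.append("deferred without documented rationale")
        if not rec.compensating.strip():
            problems.append("deferred without compensating measures")
    return problems


def check_all(records, today):
    """{(patch_id, asset): [problems]} for every record that is not clean."""
    report = {}
    for rec in records:
        problems = check_record(rec, today)
        if problems:
            report[(rec.patch_id, rec.asset)] = problems
    return report


def untracked(feed, asset_products, records):
    """Vendor patches applicable to an asset that have no tracker record at all."""
    tracked = {(r.patch_id, r.asset) for r in records}
    missing = []
    for patch_id, product, _released in feed:
        for asset, products in sorted(asset_products.items()):
            if product in products and (patch_id, asset) not in tracked:
                missing.append((patch_id, asset))
    return missing


if __name__ == "__main__":
    today = date(2011, 5, 15)
    for key, problems in check_all(RECORDS, today).items():
        print(key, "; ".join(problems))
    for key in untracked(VENDOR_FEED, ASSET_PRODUCTS, RECORDS):
        print(key, "available from vendor but never entered in the tracker")
```

Run with a review date of 2011-05-15, the tracker shows EMS-2011-04 assessed nine days late and deferred without compensating measures, HMI-2011-02 five days past its assessment deadline with no assessment recorded, and HMI-2011-04 present in the vendor feed but absent from the tracker altogether; HMI-2011-03 is still inside its window and EMS-2011-03 is clean. The reconciliation against the feed is the check that would have caught both the unmatched patches in the 3/7/2011 entry and the overlooked ones in the 12/30/2010 entry.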

Posted Date: 3/1/2011
Reliability Standard: CIP-008
Requirement: R1.6
Facts: The entity did not provide sufficient evidence that its Cyber Security Incident Response Plan was tested at least annually.
Risk: If an entity's Cyber Security Incident Response Plan was not actually tested, the Plan may have proven to be ineffective in a real-time emergency.
Mitigation Action Taken: The entity developed a test reporting form for capturing results from an exercise of the Cyber Security Incident Response Plan. The form includes check boxes to indicate when each step of the plan is completed and fields for entry of participants, inclusion of notes as steps are completed, and a summary and review for lessons learned and recommendations for improvement of the plan.
Posted Date: 3/1/2011
Reliability Standard: CIP-008-1
Requirement: R1
Facts: The entity's Cyber Security Incident Response Plan did not include an adequate procedure to characterize and classify events as reportable Cyber Security Incidents. In addition, the Plan did not include a process for updating the Plan with any changes within the defined interval.
Risk: Without a process to characterize and classify events as reportable, some reportable Cyber Security Incidents may have been incorrectly reported or not reported at all. In addition, without a designated time frame, the Plan may not have been updated with any changes.
Mitigation Action Taken: The entity updated its Cyber Security Incident Response Plan to include text adequately describing the procedure to characterize and classify events as reportable Cyber Security Incidents. The entity also included a process for updating the Plan with any changes within the interval defined by the Standard.


                                                                                                                                  Page 19                                                                                                                           Revised on July 15, 2011
Posted Date: 3/1/2011
Reliability Standard: CIP-009
Requirement: R2
Facts: The entity did not provide sufficient evidence that its recovery plan for Critical Cyber Assets was used when the entity performed its annual exercise for recovery of Critical Cyber Assets.
Risk: If an entity's recovery plan for Critical Cyber Assets was not actually tested, the Plan may have proven to be ineffective in a real-time emergency.
Mitigation Action Taken: The entity developed a test reporting form for capturing results from an exercise of the recovery plan for Critical Cyber Assets.
Posted Date: 2/15/2011
Reliability Standard: IRO-001-1
Requirement: R8
Facts: The registered Generator Operator failed to comply with clear and concise electronic instructions, and subsequent verbal instructions, from the Reliability Coordinator to reduce and limit plant generation in order to keep the Special Protection System (SPS) from activating. The entity failed to reduce generation, the SPS activated, and the plant tripped offline.
Risk: The SPS activation caused the plant to trip offline completely, reducing generation quickly to below the desired generation level. If the SPS had not activated correctly, generation would not have been reduced and the transmission line may have been overloaded.
Mitigation Action Taken: The entity already had appropriate procedures in place for following directives from the Reliability Coordinator, so mitigation consisted of personnel training. The entity provided additional training to its operators on the procedures to be followed when it receives electronic or verbal instructions from the Reliability Coordinator, including transmitting those instructions to generation facility personnel.




Page 20    Revised on July 15, 2011