1. Scope & Purpose
Purpose: This Access Control Matrix documents all user accounts, system access rights, privileged accounts, shared/generic accounts, and third-party access arrangements for MVEC. It supports evaluation of the C2M2 ACCESS domain (Identity & Access Management) at MIL 1–3 and maps known gaps against NERC CIP-007-6 and NIST SP 800-53 AC controls.
Scope: All MVEC information systems including corporate IT (Active Directory-equivalent local accounts), operational technology (SCADA/HMI, AMI head-end, RTUs), and third-party remote access pathways. Contractor and vendor accounts are included. Physical access controls are out of scope for this report.
2. IAM Summary
| Metric | Value |
|---|---|
| Total Accounts | 22 |
| Named User Accounts | 12 |
| Privileged Accounts | 5 |
| Shared/Generic Accts | (value not given) |
| Service Accounts | 2 |
| Third-Party Accounts | 3 |
| MFA Coverage | 0% |
Critical Finding: MVEC has zero MFA deployment across all systems. No centralized identity provider (Active Directory, LDAP, SSO) exists. Accounts are managed locally on each system with no unified provisioning or de-provisioning workflow.
3. User Account Inventory
Note: All accounts are local OS/application accounts. No enterprise directory (AD/LDAP) is in use. Password policies are applied per-system with no central enforcement. Account provisioning/de-provisioning is manual and undocumented.
| Account ID | Full Name | Role / Title | Department | Account Type | MFA | Last PW Change | Status | Notes |
|---|---|---|---|---|---|---|---|---|
| harmon.d | Dale Harmon | General Manager | Executive | Privileged | None | 2024-01-15 | Active | Full admin on Corp LAN; local admin on SCADA workstation |
| fulton.r | Randy Fulton | Operations Manager | Operations | Privileged | None | 2024-03-10 | Active | Read/Write SCADA; approves switching orders |
| albright.c | Carol Albright | Office Manager / Billing | Finance | Standard | None | 2024-02-28 | Active | CIS billing full access; QuickBooks admin |
| bynum.t | Terry Bynum | Lead Lineman | Field Ops | Standard | None | 2023-11-05 | Active | SCADA read-only; GIS read; tablet field access |
| westfall.m | Mark Westfall | Lineman / Crew Lead | Field Ops | Standard | None | 2023-09-18 | Active | GIS read; tablet field access; no SCADA |
| dobrowski.k | Kurt Dobrowski | IT / OT Admin | IT | Privileged | None | 2024-06-01 | Active | Local admin on all servers; SCADA full admin; primary IT contact |
| zumpf.b | Barbara Zumpf | Customer Service Rep | Customer Svc | Standard | None | 2024-01-22 | Active | CIS read/write; M365 standard; no OT access |
| pryor.j | Jim Pryor | Staking Tech / Engineer | Engineering | Standard | None | 2023-12-10 | Active | GIS full access; AutoCAD; no OT access |
| techpath.admin | TechPath MSP (shared) | Managed IT Admin | Vendor | Privileged | None | Unknown | Active | Always-on VPN; local admin on all IT servers; shared credential |
| techpath.help | TechPath MSP (helpdesk) | Managed IT Helpdesk | Vendor | Standard | None | Unknown | Active | M365 support access; shared credential among TechPath staff |
| ge.scada | GE Grid Solutions (VPN) | SCADA Vendor Support | Vendor | Privileged | None | Unknown | Active | Dedicated site-to-site VPN; SCADA maintenance access; no MFA; always-on |
| nisc.portal | NISC (billing SaaS) | Billing System Vendor | Vendor | Service | None | 2022-05-10 | Active | API service account for CIS ↔ NISC portal sync |
4. System Access Rights Matrix
Legend: ADMIN = full administrative access; R/W = read & write; R/O = read only; — = no access
| Account | Corp LAN / File Server | M365 / Email | CIS (Billing) | GIS / AutoCAD | SCADA / HMI | AMI Head-End | QuickBooks | NISC Portal | Buckeye EMS |
|---|---|---|---|---|---|---|---|---|---|
| harmon.d | ADMIN | R/W | R/W | R/O | R/W | R/O | R/W | R/W | R/O |
| fulton.r | R/W | R/W | R/O | R/W | R/W | R/W | — | — | R/W |
| albright.c | R/W | R/W | ADMIN | — | — | — | ADMIN | R/W | — |
| bynum.t | R/W | R/W | — | R/O | R/O | — | — | — | — |
| westfall.m | R/W | R/W | — | R/O | — | — | — | — | — |
| dobrowski.k | ADMIN | R/W | ADMIN | ADMIN | ADMIN | ADMIN | R/W | R/W | R/W |
| zumpf.b | R/W | R/W | R/W | — | — | — | — | R/O | — |
| pryor.j | R/W | R/W | — | ADMIN | — | — | — | — | — |
| techpath.admin | ADMIN | ADMIN | ADMIN | ADMIN | — | — | — | — | — |
| techpath.help | R/O | ADMIN | — | — | — | — | — | — | — |
| ge.scada | — | — | — | — | ADMIN | — | — | — | — |
| nisc.portal | — | — | R/W | — | — | — | — | ADMIN | — |
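The matrix above is the raw input for the access review the later findings call for. The script below is an added example, not code from the MVEC report: it parses the matrix rows as printed, joins them with the account type, shared-credential and last-password-change columns from section 3, and applies the checks that the report's findings are built on (privileged accounts without MFA, accounts holding write access on both IT and OT systems, vendor accounts with admin rights, shared credentials, and unknown or stale passwords). The IT/OT grouping of the columns, the review date of 2024-07-01 and the 90-day password-age threshold are assumptions chosen for illustration.

```python
"""Automated review of an access-rights matrix.

Added example; not code from the MVEC report. Matrix rows and account metadata
are transcribed from sections 3 and 4. The IT/OT grouping, the review date and
the 90-day password-age threshold are assumptions for illustration.
"""
from datetime import date

IT_SYSTEMS = {"Corp LAN", "M365", "CIS", "GIS", "QuickBooks", "NISC Portal"}  # assumed grouping
OT_SYSTEMS = {"SCADA", "AMI", "Buckeye EMS"}                                    # assumed grouping
WRITE_LEVELS = {"ADMIN", "R/W"}
NO_ACCESS = "\u2014"  # the em dash the matrix uses for "no access"

MATRIX_HEADER = "Corp LAN | M365 | CIS | GIS | SCADA | AMI | QuickBooks | NISC Portal | Buckeye EMS"
MATRIX_ROWS = """\
harmon.d | ADMIN | R/W | R/W | R/O | R/W | R/O | R/W | R/W | R/O
fulton.r | R/W | R/W | R/O | R/W | R/W | R/W | — | — | R/W
albright.c | R/W | R/W | ADMIN | — | — | — | ADMIN | R/W | —
bynum.t | R/W | R/W | — | R/O | R/O | — | — | — | —
westfall.m | R/W | R/W | — | R/O | — | — | — | — | —
dobrowski.k | ADMIN | R/W | ADMIN | ADMIN | ADMIN | ADMIN | R/W | R/W | R/W
zumpf.b | R/W | R/W | R/W | — | — | — | — | R/O | —
pryor.j | R/W | R/W | — | ADMIN | — | — | — | — | —
techpath.admin | ADMIN | ADMIN | ADMIN | ADMIN | — | — | — | — | —
techpath.help | R/O | ADMIN | — | — | — | — | — | — | —
ge.scada | — | — | — | — | ADMIN | — | — | — | —
nisc.portal | — | — | R/W | — | — | — | — | ADMIN | —
"""

# account: (account class, shared credential?, last password change; None = unknown)
ACCOUNT_META = {
    "harmon.d": ("Named", False, date(2024, 1, 15)),
    "fulton.r": ("Named", False, date(2024, 3, 10)),
    "albright.c": ("Named", False, date(2024, 2, 28)),
    "bynum.t": ("Named", False, date(2023, 11, 5)),
    "westfall.m": ("Named", False, date(2023, 9, 18)),
    "dobrowski.k": ("Named", False, date(2024, 6, 1)),
    "zumpf.b": ("Named", False, date(2024, 1, 22)),
    "pryor.j": ("Named", False, date(2023, 12, 10)),
    "techpath.admin": ("Vendor", True, None),
    "techpath.help": ("Vendor", True, None),
    "ge.scada": ("Vendor", False, None),
    "nisc.portal": ("Service", False, date(2022, 5, 10)),
}
MFA_ENABLED = set()  # section 3 records MFA "None" for every account


def parse_matrix(header, rows):
    """Turn the pipe-separated matrix into {account: {system: level or None}}."""
    systems = [h.strip() for h in header.split("|")]
    matrix = {}
    for line in rows.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        account, levels = cells[0], cells[1:]
        if len(levels) != len(systems):
            raise ValueError(f"row for {account} has {len(levels)} cells, expected {len(systems)}")
        matrix[account] = {s: (None if lvl == NO_ACCESS else lvl) for s, lvl in zip(systems, levels)}
    return matrix


def admin_systems(matrix, account):
    """Systems on which the account holds ADMIN, sorted for stable reporting."""
    return sorted(s for s, lvl in matrix[account].items() if lvl == "ADMIN")


def review(matrix, meta, mfa_enabled, as_of, max_pw_age_days=90):
    """Return (check, account, detail) tuples for every gap the checks detect."""
    findings = []
    for account, rights in matrix.items():
        kind, shared, last_pw = meta[account]
        admin_on = {s for s, lvl in rights.items() if lvl == "ADMIN"}
        write_on = {s for s, lvl in rights.items() if lvl in WRITE_LEVELS}
        if admin_on and account not in mfa_enabled:
            findings.append(("privileged-no-mfa", account, sorted(admin_on)))
        if write_on & IT_SYSTEMS and write_on & OT_SYSTEMS:  # one credential spans IT and OT
            findings.append(("it-ot-write-bridge", account, sorted(write_on & OT_SYSTEMS)))
        if kind == "Vendor" and admin_on:
            findings.append(("vendor-admin", account, sorted(admin_on)))
        if shared:
            findings.append(("shared-credential", account, []))
        if last_pw is None:
            findings.append(("password-age-unknown", account, []))
        elif (as_of - last_pw).days > max_pw_age_days:
            findings.append(("password-stale", account, [last_pw.isoformat()]))
    return findings


def by_check(findings):
    """Group findings as {check: [accounts]} for the summary."""
    grouped = {}
    for check, account, _detail in findings:
        grouped.setdefault(check, []).append(account)
    return {check: sorted(accounts) for check, accounts in grouped.items()}


def run_review(as_of=date(2024, 7, 1)):
    matrix = parse_matrix(MATRIX_HEADER, MATRIX_ROWS)
    return by_check(review(matrix, ACCOUNT_META, MFA_ENABLED, as_of))


if __name__ == "__main__":
    for check, accounts in sorted(run_review().items()):
        print(f"{check:22} {len(accounts):2}  {', '.join(accounts)}")
```

Run as a script it prints one line per check with the accounts that trip it; the same function can be re-run each quarter against an updated matrix so that the recertification leaves a comparable record rather than a one-off spreadsheet review.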
5. Privileged Accounts Register
Finding: No Privileged Access Management (PAM) tool is deployed. Privileged accounts share the same login pathway as standard users with no additional authentication step. Session recording of privileged activity does not exist.
| Account | Name / Entity | Systems with Admin | MFA | Dedicated Admin Acct | Session Recorded | Review Frequency | Risk |
|---|---|---|---|---|---|---|---|
| harmon.d | Dale Harmon | Corp LAN, M365, CIS, SCADA | None | No | No | Annual | HIGH |
| fulton.r | Randy Fulton | SCADA/HMI, AMI, Buckeye EMS | None | No | No | Annual | HIGH |
| dobrowski.k | Kurt Dobrowski | All IT servers, SCADA, AMI, GIS, CIS | None | No | No | Annual | CRITICAL |
| techpath.admin | TechPath MSP (shared) | All IT servers, M365, CIS, GIS | None | Yes (vendor) | No | None / Unknown | CRITICAL |
| ge.scada | GE Grid Solutions | SCADA/HMI (full admin) | None | Yes (vendor) | No | None / Unknown | CRITICAL |
6. Shared & Generic Accounts
Critical Finding: Multiple shared accounts exist with no individual accountability. The SCADA_ADMIN account is the most critical — it is the primary operational account used for SCADA/HMI control actions and is shared among multiple operators. This account cannot be attributed to any individual user action in logs.
| Account ID | System(s) | Purpose | Users with Access | Password Changed | Justification on File | Risk | Recommended Action |
|---|---|---|---|---|---|---|---|
| SCADA_ADMIN | GE e-terra SCADA/HMI, SRV-002 | Primary SCADA operational account; used for all HMI control actions | harmon.d, fulton.r, dobrowski.k, ge.scada vendor | Never (factory) | No | CRITICAL | Immediate: create individual named accounts; disable shared account |
| techpath.admin | All IT servers, CIS, GIS, M365 | MSP managed IT administration — shared by all TechPath technicians | Multiple TechPath staff (count unknown) | Unknown — never confirmed changed | No formal MOU | CRITICAL | Require named accounts per technician; implement MOU; enable logging |
| techpath.help | M365, Corp LAN (read) | Helpdesk support — shared by TechPath helpdesk staff | Multiple TechPath helpdesk staff | Unknown | No formal MOU | HIGH | Require named accounts; scope access per ticket/session |
7. Service Accounts
| Account ID | System | Purpose | Credential Mgmt | Least Privilege | Review Status | Notes |
|---|---|---|---|---|---|---|
| nisc.portal | CIS ↔ NISC SaaS Portal | API sync: billing data between on-prem CIS and NISC hosted portal | Hardcoded in config | Partial | Not reviewed since deployment (2022) | Credential stored in plaintext config file on SRV-003; password last changed 2022-05-10 |
| ami.svc | AMI Head-End (SRV-004) ↔ SCADA | Automated data exchange between AMI head-end and SCADA historian | Hardcoded in app | No — excess rights | Never reviewed | Account has SCADA R/W access despite only needing read for meter data push; excess privilege |
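Both service accounts above keep their credentials in plaintext configuration, and the later ACM-09 remediation asks for an audit of all config files for hardcoded passwords. The following is an added example, not code from the MVEC report or its vendors: a small audit that flags secret-bearing keys whose values are literals rather than references, and the environment-based lookup that should replace the literal (a secrets-manager client would plug in at the same point). The sample config text is constructed for the example; its keys, values and variable names are illustrative, not MVEC's.

```python
"""Audit config files for hardcoded credentials; read them from the environment instead.

Added example; not code from the MVEC report. SAMPLE_CONFIG is a constructed
stand-in for the plaintext files the report describes; all names are illustrative.
"""
import os
import re

# Keys whose values should never be literal secrets in a config file.
SECRET_KEY_RE = re.compile(r"(?i)\b(pass(word|wd)?|secret|api[_-]?key|token)\b")
# Values that are references, not secrets: ${VAR}, $VAR, <placeholder>, or empty.
REFERENCE_RE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]*>)?$")

SAMPLE_CONFIG = """\
# constructed sample integration config (not an MVEC file)
[nisc_portal]
url = https://portal.example.invalid/api
username = nisc.portal
password = Summer2022!

[ami_historian]
host = srv-004.local
api_key = ${AMI_API_KEY}
"""


def mask(value):
    """Keep two leading characters so a hit can be recognised without echoing the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


def find_hardcoded_secrets(text):
    """Return (line_no, key, masked_value) for each secret-looking key holding a literal."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("\"'")
        if SECRET_KEY_RE.search(key) and not REFERENCE_RE.match(value):
            hits.append((line_no, key, mask(value)))
    return hits


class MissingSecret(RuntimeError):
    """Raised when a required credential is absent; there is deliberately no default."""


def load_secret(name, env=None):
    """Fetch a credential from the environment (or a secrets-manager shim in its place)."""
    env = os.environ if env is None else env
    try:
        return env[name]
    except KeyError:
        raise MissingSecret(f"{name} is not set; refusing to start with a default credential") from None


if __name__ == "__main__":
    for line_no, key, shown in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} = {shown}  <- literal secret in config")
```

The audit reports the `password` line but not `api_key`, whose value is a `${AMI_API_KEY}` reference; `load_secret` fails closed when the variable is missing, so a service cannot silently start on a baked-in fallback password.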
8. Third-Party & Vendor Remote Access
Finding: Both vendor remote access connections are always-on (no just-in-time access). Neither connection requires MFA. Access is not monitored in real time and no session recording is in place for either vendor.
| Vendor | Connection Method | Always-On? | MFA | Systems Accessed | Access Level | Documented MOU/MSA | Session Logging | Risk |
|---|---|---|---|---|---|---|---|---|
| TechPath Solutions (MSP) | IPSec VPN (site-to-site) to Corp LAN (192.168.1.0/24) | YES — 24/7 | None | All IT servers, M365, CIS, GIS | ADMIN | No formal MSA | None | CRITICAL |
| GE Grid Solutions (SCADA OEM) | Dedicated site-to-site VPN directly to OT LAN (10.0.10.0/24) | YES — 24/7 | None | SCADA/HMI (SRV-002, OT-001) | ADMIN | Basic SLA only | None | CRITICAL |
| Buckeye Rural Electric (RTO tie) | Dedicated fiber + SCADA EMS link | Operational only | None | Buckeye EMS portal (read-only telemetry export) | R/O | ICA on file | EMS logs only | MEDIUM |
9. OT Device Credential Status
Critical Finding: Multiple OT/ICS devices retain factory default credentials. The SEL-351 relay at substation SS-02 (Oak Hill) has confirmed default username/password. The GE e-terra SCADA platform uses a shared SCADA_ADMIN account with a factory-set password. DNP3 SAv5 authentication is not implemented on any RTU or relay.
| Asset ID | Device | Location | Default Creds Changed | MFA Available | Protocol Auth | Local Admin Account | Risk |
|---|---|---|---|---|---|---|---|
| OT-001 | GE e-terra SCADA Server | Coshocton HQ | Partial (SCADA_ADMIN shared) | No | Proprietary (no SAv5) | SCADA_ADMIN (shared) | CRITICAL |
| OT-002 | GE D20MX RTU | SS-01 (Coshocton) | Yes | No | DNP3 (no SAv5) | rtu.admin (local) | HIGH |
| OT-003 | GE D20MX RTU | SS-02 (Oak Hill) | Unknown | No | DNP3 (no SAv5) | rtu.admin (local) | HIGH |
| OT-004 | SEL-2414 Substation Controller | SS-01 (Coshocton) | Yes | No | DNP3 (no SAv5) | SEL local account | HIGH |
| OT-005 | SEL-351 Protective Relay | SS-01 (Coshocton) | Yes | No | None (serial) | SEL local account | MEDIUM |
| OT-006 | SEL-351 Protective Relay | SS-02 (Oak Hill) | NO — DEFAULT PASSWORD | No | None (serial) | SEL default "OTTER" | CRITICAL |
| OT-008 | Landis+Gyr AMI Head-End v8.2 | Coshocton HQ | Yes | No | RF mesh (proprietary) | ami.admin (local) | HIGH |
10. Access Control Gaps & Findings
| # | Finding | Severity | C2M2 Domain / Practice | Affected Systems | Gap Description | Recommended Remediation | Target MIL |
|---|---|---|---|---|---|---|---|
| ACM-01 | No MFA on any system | CRITICAL | ACCESS: ACM-1c, ACM-2a | All systems | Zero multi-factor authentication deployed across all 12 accounts and 9 systems. Remote access (VPN) has no second factor. | Deploy MFA starting with privileged accounts and remote access; use Microsoft Authenticator or TOTP tokens; enforce at VPN gateway | MIL 2 → MIL 3 |
| ACM-02 | Shared SCADA_ADMIN account — no individual accountability | CRITICAL | ACCESS: ACM-1a, ACM-1b; SITUATE: SA-2b | SCADA/HMI (OT-001, SRV-002) | Primary SCADA operational account is shared by 3 MVEC staff and GE vendor. No individual attribution in audit logs. Factory password never changed. | Create individual named SCADA accounts; disable SCADA_ADMIN; implement role-based SCADA access; change all factory passwords immediately | MIL 0 → MIL 2 |
| ACM-03 | No centralized identity management (no AD/LDAP/SSO) | CRITICAL | ACCESS: ACM-1a, ACM-2c, ACM-3a | All systems | Each system manages accounts locally. No central provisioning, de-provisioning, or policy enforcement. Terminated employee access cannot be reliably revoked across all systems simultaneously. | Deploy Microsoft Entra ID (Azure AD) or on-prem AD with group policy; integrate all systems; automate provisioning/de-provisioning via HR triggers | MIL 1 → MIL 3 |
| ACM-04 | Always-on third-party VPN with admin access — no JIT | CRITICAL | ACCESS: ACM-1e, ACM-2d; THIRD-PARTIES: TM-1a | TechPath VPN, GE Grid VPN | Both vendor VPNs are permanently active with admin-level credentials. No just-in-time (JIT) access, no session approval workflow, and no session recording. | Implement JIT VPN access with ticket-based approval; require MFA for all vendor sessions; deploy privileged access workstation (PAW) for vendor use; record all sessions | MIL 0 → MIL 3 |
| ACM-05 | Default factory credentials on SEL-351 relay (OT-006) at SS-02 | CRITICAL | ACCESS: ACM-1a; ARCH: AM-1b | OT-006 (SEL-351, Oak Hill) | SEL-351 at Oak Hill substation retains factory default password "OTTER". Device is accessible via the OT network segment. | Immediately change to a strong unique password per MVEC password policy; document in credential vault; verify SS-01 relay (OT-005) password as well | MIL 0 → MIL 1 |
| ACM-06 | No PAM tool — no privileged session management | HIGH | ACCESS: ACM-2a, ACM-2b, ACM-3b | All systems with privileged accounts | No Privileged Access Management (PAM) tool deployed. Privileged sessions are not recorded, no time-based check-out of credentials, no automatic credential rotation. | Deploy PAM solution (CyberArk, BeyondTrust, or Delinea); vault all privileged credentials; enable session recording for all admin sessions | MIL 1 → MIL 3 |
| ACM-07 | No formal access review process | HIGH | ACCESS: ACM-2c, ACM-3c | All systems | No documented periodic access review (recertification). Access accumulates over time. No evidence that terminated/transferred employee accounts are reviewed and revoked consistently. | Implement quarterly access recertification; document and track account lifecycle; assign account owner for each system; create off-boarding checklist | MIL 1 → MIL 2 |
| ACM-08 | DNP3 SAv5 not implemented on any RTU or relay | HIGH | ACCESS: ACM-1d; ARCH: AM-1b | OT-002, OT-003 (RTUs), OT-004, OT-005, OT-006 (relays) | DNP3 Secure Authentication version 5 (SAv5) is not configured on any field device. SCADA polling traffic is unauthenticated and susceptible to spoofing or replay attacks. | Upgrade GE D20MX firmware to support SAv5; configure SAv5 on all DNP3 devices; test with GE Grid Solutions; include in next maintenance window | MIL 1 → MIL 2 |
| ACM-09 | Service account credentials hardcoded / plaintext in config files | MEDIUM | ACCESS: ACM-1b, ACM-2a | SRV-003, SRV-004 (service accounts) | The nisc.portal and ami.svc service account credentials are stored in plaintext configuration files. The nisc.portal password was last changed in 2022 and has never been rotated. | Migrate credentials to a secrets manager or encrypted vault; enable automatic credential rotation; audit all config files for hardcoded passwords | MIL 1 → MIL 2 |
| ACM-10 | ami.svc service account has excess SCADA privileges | MEDIUM | ACCESS: ACM-1c (Least Privilege) | SRV-004 (AMI), SCADA | The AMI-to-SCADA service account has read/write SCADA access despite only requiring read access for meter data forwarding. Violates least-privilege principle. | Create a dedicated read-only SCADA API account for AMI data push; revoke write permissions from ami.svc; document access justification | MIL 1 → MIL 2 |
11. C2M2 ACCESS Domain — Current MIL Assessment
C2M2 ACCESS Domain (Identity & Access Management): Evaluates practices for managing identities and access to technology assets, information, and operational environments. MIL 1 = performed, MIL 2 = managed (policy-driven), MIL 3 = optimized (continuously improved).
| Practice ID | Practice Description | Current MIL | Evidence / Notes | Target MIL |
|---|---|---|---|---|
| ACM-1a | Identify and authenticate users, devices, and other assets prior to granting access | MIL 1 (Partial) | Local accounts exist but shared accounts and default creds undermine authentication integrity | MIL 2 |
| ACM-1b | Manage identities and credentials for authorized users, devices, and services | MIL 0 | No central identity provider; no credential management policy; hardcoded service account passwords | MIL 2 |
| ACM-1c | Authorize access based on least privilege and separation of duties | MIL 0 | No formal RBAC; users accumulate access; dobrowski.k is de-facto superuser for all systems | MIL 2 |
| ACM-1d | Protect access control information | MIL 1 (Partial) | System-level access lists exist but are not centrally documented or protected | MIL 2 |
| ACM-1e | Manage remote access | MIL 0 | Always-on vendor VPNs with no MFA, JIT, or session monitoring | MIL 3 |
| ACM-2a | Manage access control policies and procedures | MIL 0 | No formal access control policy document exists at MVEC | MIL 2 |
| ACM-2b | Manage privileged access and accounts | MIL 0 | No PAM; privileged accounts use same login as standard; no session recording | MIL 2 |
| ACM-2c | Review and update access rights periodically | MIL 0 | No access review process; no documented recertification cadence | MIL 2 |
| ACM-2d | Manage access for third-party entities | MIL 0 | No formal MOU for TechPath; no JIT access; no vendor session logging | MIL 3 |
| ACM-3a | Automate and enforce access control mechanisms | MIL 0 | All access management is manual; no automated enforcement or provisioning | MIL 3 |
| ACM-3b | Continuously monitor access activity | MIL 0 | No SIEM; no centralized log collection; no behavioral monitoring of access patterns | MIL 3 |
| ACM-3c | Improve access management using lessons learned | MIL 0 | No process to capture lessons learned from access incidents or near-misses | MIL 3 |
Overall ACCESS Domain MIL Rating: MIL 0 / MIL 1 (Performed — Partial)
MVEC demonstrates MIL 0 on 8 of 12 ACCESS practices. The two MIL 1 (partial) ratings reflect that basic authentication mechanisms exist in some form, but are not consistently applied, documented, or managed. No MIL 2 practices are fully satisfied. This represents the highest-risk domain finding in the MVEC C2M2 assessment.
12. Remediation Roadmap
| Priority | Action | Findings Addressed | Estimated Effort | Cost Estimate | Target Completion | Owner |
|---|---|---|---|---|---|---|
| Immediate | Change SEL-351 (OT-006) default password at SS-02 | ACM-05 | 2 hours (on-site field work) | $0 (staff time) | Within 48 hours | K. Dobrowski / R. Fulton |
| Immediate | Create individual SCADA accounts; disable SCADA_ADMIN shared account | ACM-02 | 1 day | $0 | Within 1 week | K. Dobrowski + GE Grid Solutions |
| Short-Term (30 days) | Enable MFA on all privileged accounts and remote VPN access | ACM-01, ACM-04 | 3–5 days | $500–$2,000/yr (TOTP tokens or Authenticator app) | 30 days | TechPath MSP + K. Dobrowski |
| Short-Term (30 days) | Implement JIT/ticketed access for vendor VPNs; disable always-on connections | ACM-04 | 2–3 days | $0 (policy + firewall config) | 30 days | K. Dobrowski + TechPath |
| Medium-Term (90 days) | Deploy Microsoft Entra ID (Azure AD) for centralized identity management | ACM-03, ACM-06, ACM-07 | 2–4 weeks | $2,400–$6,000/yr (M365 licensing) | 90 days | TechPath MSP |
| Medium-Term (90 days) | Implement formal access review (quarterly recertification) process | ACM-07 | 3–5 days (policy + tooling) | $0 (process; leverage AD if deployed) | 90 days | D. Harmon + K. Dobrowski |
| Medium-Term (90 days) | Migrate service account credentials to encrypted vault; rotate passwords | ACM-09, ACM-10 | 2 days | $0–$500 (open-source vault or AD Managed Service Accounts) | 90 days | K. Dobrowski + TechPath |
| Long-Term (180 days) | Implement DNP3 SAv5 on all RTUs and protective relays | ACM-08 | 2–4 weeks (firmware + commissioning) | $5,000–$15,000 (GE firmware upgrade + commissioning) | 180 days | GE Grid Solutions + R. Fulton |
| Long-Term (180+ days) | Deploy PAM solution for privileged account management and session recording | ACM-06 | 4–8 weeks | $8,000–$20,000/yr (e.g., BeyondTrust or CyberArk Workforce Identity) | 180 days | TechPath MSP + D. Harmon (approval) |