🗂️

⚡ C2M2 Audit Report | ASSET Domain

Asset Inventory & Categorization Report

Muskingum Valley Electric Cooperative (MVEC) — Coshocton County, Ohio | Prepared for C2M2 v2.1 Self-Evaluation Exercise

NIST FIPS-199 NIST SP 800-60 C2M2 ASSET Domain Current MIL: 1 (Partial) Exercise Document — Fictional Data

Document Title

Organization

Muskingum Valley Electric Cooperative

System Name

MVEC IT/OT Environment

Prepared By

TechPath Solutions LLC (MSP)

Reviewed By

David Harmon, General Manager

Report Date

March 28, 2026

Version

1.0 — Initial Draft

Classification

SENSITIVE — Exercise Use Only

Section 1 — Scope & Purpose

📋

Report Scope, Purpose & Methodology

SCOPE ▼

Purpose This Asset Inventory and Categorization Report documents all information technology (IT) and operational technology (OT) assets within the MVEC system boundary. Assets are categorized using NIST FIPS-199 impact levels (Confidentiality / Integrity / Availability) to establish the overall system security categorization. This report supports the C2M2 ASSET domain self-evaluation and serves as the foundation for risk management, access control, and vulnerability management activities.

Inventory Methodology

Activity	Method	Date	Performed By
IT Hardware Discovery	TechPath RMM Agent (ConnectWise Automate) + manual walkthrough	Nov 2023	TechPath Solutions
OT/ICS Asset Walk-down	Physical inspection of substations and main office	Nov 2023	Kyle Zumpf, SCADA Tech
Software Discovery	Manual survey; no automated software inventory tool deployed	Nov 2023	TechPath Solutions
Cloud/SaaS Review	Interview with department managers	Dec 2023	David Harmon, GM
Categorization Review	FIPS-199 impact analysis by asset owner	Jan 2024	TechPath Solutions

FIPS-199 Impact Level Definitions

Level	Confidentiality	Integrity	Availability
LOW	Limited adverse effect	Limited adverse effect	Minor disruption <8 hrs
MOD	Serious adverse effect	Serious adverse effect	Significant disruption 8–72 hrs
HIGH	Severe/catastrophic effect	Severe/catastrophic effect	Extended disruption >72 hrs

Inventory Completeness Warning This inventory was compiled from a single site visit in November 2023 and has not been formally validated by MVEC management. Shadow IT and undocumented assets are likely. No automated discovery tool was used for OT assets.

Section 2 — Asset Count & Categorization Summary

📊

Categorization Summary

SUMMARY ▼

Total Assets

HIGH Impact

MODERATE Impact

LOW Impact

OT / ICS Assets

Servers

Applications / SaaS

End-of-Life Assets

System Overall Security Categorization: HIGH Applying FIPS-199 "high watermark" principle — the overall system categorization is HIGH because multiple assets (SCADA server, AMI head-end, accounting server) carry HIGH availability or integrity impact ratings. Loss of the SCADA system could result in inability to monitor and control the distribution grid serving ~38,200 customers.

Section 3 — IT Hardware Assets

🖥️

IT Hardware Asset Inventory

IT HARDWARE ▼

Servers

Asset ID	Hostname	Make / Model	OS / Version	Function	Location	Owner	C	I	A	Overall	Status
SRV-001	MVEC-FILESRV	Dell PowerEdge R440	Windows Server 2019 (21H2)	Primary file server; VMware host for SRV-005, SRV-006; departmental shared drives	Server Room, Main Office	TechPath Solutions	MOD	MOD	MOD	MODERATE	Partially Patched (~6 mo lag)
SRV-002	MVEC-SCADA01	HP ProLiant DL360 G9	Windows Server 2016 (EOL)	GE e-terra Habitat v2.8 SCADA application server; HMI host; operational historian	Server Room, Main Office	Randy Fulton / TechPath	MOD	HIGH	HIGH	HIGH	Critical Patch Lag (18+ mo); GE e-terra EOL 2021
SRV-003	MVEC-ACCTG	Dell OptiPlex 9020 (repurposed)	Windows Server 2012 R2 (EOS Jan 2023)	QuickBooks Enterprise 22.0 server; payroll, AP/AR, general ledger	Finance Office, Main Office	Gene Westfall	HIGH	HIGH	MOD	HIGH	EOL OS — No patches since Jan 2023
SRV-004	MVEC-AMI-HE	Dell PowerEdge R340	Windows Server 2019	Landis+Gyr Gridstream Command Center v8.2; AMI head-end; 14,620 smart meters	Server Room, Main Office	Randy Fulton	MOD	MOD	HIGH	HIGH	Partially Patched; L+G app v8.2 (current v9.1)
SRV-005	MVEC-CIS	Virtual (VMware on SRV-001)	Windows Server 2019	Milsoft CIS — customer billing, outage mgmt, work orders; 14,620 customer records	Logical (hosted on SRV-001)	Carol Bynum	HIGH	MOD	HIGH	HIGH	Partially Patched
SRV-006	MVEC-GIS	Virtual (VMware on SRV-001)	Windows Server 2019	ESRI ArcGIS Server; distribution system GIS model; infrastructure mapping	Logical (hosted on SRV-001)	Teresa Albright	LOW	MOD	MOD	MODERATE	Partially Patched

Workstations, Laptops & Mobile Devices

Asset Type	Count	OS / Version	Primary Users	AV / Protection	Encryption	C	I	A	Overall	Notes
Desktop PC	6	Windows 11 Pro	Management, Finance, Engineering	Windows Defender (not centrally managed)	Not enabled	MOD	MOD	LOW	MODERATE	No AD domain; local accounts only
Desktop PC	7	Windows 10 Pro (mixed builds)	Customer Service, Admin, Operations	Windows Defender (not centrally managed)	Not enabled	MOD	MOD	LOW	MODERATE	2 units running Win 10 21H2 (EOL)
SCADA HMI Workstation	2	Windows 10 LTSC 2019	Kyle Zumpf, Randy Fulton (OT network)	AV DISABLED (vendor recommendation)	Not enabled	LOW	HIGH	HIGH	HIGH	Dedicated SCADA HMI; OT network only; no internet
Laptop	4	Windows 11 Pro	Engineering, Operations Mgr, GM (remote work)	Windows Defender	BitLocker on 2 of 4 only	MOD	MOD	LOW	MODERATE	All take work data offsite; BYOD risk; no MDM
iPad Tablet	3	iOS 17	Field engineering, line superintendent	N/A (iOS)	iOS default encryption	MOD	LOW	LOW	LOW	Personal Apple IDs used; no MDM; access ESRI Field Maps
Smartphone (BYOD)	9	Mixed iOS / Android	Line crew leads, all managers	N/A	Device default	MOD	LOW	LOW	LOW	M365 email access; no MDM; BYOD — no formal policy

Network Infrastructure

Asset ID	Device	Make / Model	Function	Firmware	C	I	A	Overall	Status
NET-001	Perimeter Firewall	Fortinet FortiGate 60E	WAN perimeter firewall; NAT; stateful inspection for corporate LAN	FortiOS 7.0.12 (1 minor version behind)	MOD	HIGH	HIGH	HIGH	Functional; IPS signatures not enabled; rules last reviewed 2022
NET-002	VPN Appliance	Cisco ASA 5505	Remote access VPN for TechPath MSP and GE Grid Solutions SCADA support	ASA 9.2(4)25 (End-of-Support 2017)	HIGH	HIGH	MOD	HIGH	EOL — End-of-Support; no security patches available
NET-003	Corporate LAN Switch	Cisco Catalyst 2960-X	Core switching for corporate LAN (192.168.1.0/24); also trunks to OT switch	IOS 15.2(7)E8	LOW	MOD	HIGH	HIGH	No VLANs configured; flat network; trunk to OT
NET-004	OT/SCADA LAN Switch	Cisco Catalyst 2960	SCADA network switching (10.0.10.0/24); connects SCADA server, AMI, HMI workstations	IOS 15.2(4)E10	LOW	HIGH	HIGH	HIGH	Layer-3 route to Corp LAN exists — no OT firewall
NET-005	Wi-Fi Access Points (×2)	Netgear WAC104	Wireless LAN — SSID: MVEC-Staff and MVEC-Guest; main office building	Firmware V2.1.7 (home-grade device)	MOD	MOD	LOW	MODERATE	Guest SSID not isolated from Corp LAN at switch level

Section 4 — Operational Technology (OT) / ICS Assets

⚡

OT / ICS / SCADA Asset Inventory

OT / ICS ▼

OT Asset Inventory — Limited Confidence The OT asset list below was compiled during a single walk-down in November 2023. No automated OT discovery tool (e.g., Claroty, Dragos, Nozomi) has been deployed. Field device firmware versions were obtained from visual inspection and operator interviews. Actual installed versions may differ.

Asset ID	Device / System	Vendor / Model	Location	Protocol	Function	Firmware	C	I	A	Overall	Cyber Notes
OT-001	SCADA Application Server	GE e-terra Habitat v2.8	Main Office (SRV-002)	DNP3, Modbus, IEC 61968	Supervisory control, data acquisition, HMI, operational historian	EOL — Vendor support ended 2021	MOD	HIGH	HIGH	HIGH	No upgrade budget; shared admin account "SCADA_ADMIN"
OT-002	RTU — Coshocton SS-01	GE D20MX RTU	SS-01, Coshocton	DNP3 over fiber	Breaker status, voltage, current telemetry to SCADA; limited control	Firmware v3.04 (current v3.06 — 2 versions behind)	LOW	HIGH	HIGH	HIGH	DNP3 SAv5 authentication not enabled
OT-003	RTU — Warsaw SS-02	GE D20MX RTU	SS-02, Warsaw	DNP3 over fiber	Same as OT-002	Firmware v3.04 (2 versions behind)	LOW	HIGH	HIGH	HIGH	DNP3 SAv5 not enabled; no encryption on fiber link
OT-004	RTU — Newcomerstown SS-03	SEL-2414 RTU	SS-03, Newcomerstown	DNP3 / 900 MHz radio	Monitoring only — no remote control capability	Current	LOW	MOD	MOD	MODERATE	Radio link unencrypted and unauthenticated
OT-005	Protective Relays — SS-01 (×3)	SEL-351 Feeder Protection Relay	SS-01, Coshocton	Serial (EIA-232) to RTU	Overcurrent and ground fault protection for 3 distribution feeders	Firmware R114-V2 (current R117-V1 — 1 version behind)	LOW	HIGH	HIGH	HIGH	No direct Ethernet; default passwords not yet changed on SS-01 relays
OT-006	Protective Relays — SS-02 (×3)	SEL-351 Feeder Protection Relay	SS-02, Warsaw	Serial (EIA-232) to RTU	Same as OT-005	Firmware R114-V2	LOW	HIGH	HIGH	HIGH	Default vendor passwords confirmed in use
OT-007	Automated Recloser Controllers (×12)	S&C Electric IntelliRupter PulseCloser	Various field locations across service territory	DNP3 / 900 MHz radio	Automated fault isolation and service restoration on 12 distribution feeders	Mixed — 4 of 12 current; 8 of 12 behind 1–2 versions	LOW	HIGH	HIGH	HIGH	900 MHz radio — no encryption; older units use unencrypted protocol
OT-008	AMI Head-End System	Landis+Gyr Gridstream Command Center v8.2	Main Office (SRV-004)	RF Mesh (2.4 GHz), HTTPS	Smart meter data collection, demand response, remote connect/disconnect for 14,620 meters	v8.2 (current is v9.1 — 1 major version behind)	MOD	MOD	HIGH	HIGH	RF mesh spans entire service territory; remote disconnect capability = HIGH availability risk
OT-009	Power Quality Monitor	Dranetz HDPQ Xplorer (×1)	SS-01, Coshocton (permanent install)	USB export (no network)	Voltage sag/swell, flicker monitoring; data exported manually via USB	Current	LOW	LOW	LOW	LOW	Air-gapped (USB only); low cyber risk

Section 5 — Software & Application Inventory

💾

Software, Applications & SaaS Services

SOFTWARE ▼

App ID	Application	Vendor	Version	Function	Hosting	Data Classification	Auth / MFA	C	I	A	Overall
APP-001	GE e-terra Habitat	GE Grid Solutions	v2.8 (EOL)	SCADA / EMS / DMS — supervisory control of distribution grid	On-premise (SRV-002)	OT Operational — SENSITIVE	Shared account; no MFA	MOD	HIGH	HIGH	HIGH
APP-002	Milsoft Utility Solutions (CIS)	Milsoft	Current	Customer Information System — billing, outage management, work orders	On-premise (SRV-005)	PII / Customer Data — CONFIDENTIAL	Individual accounts; no MFA	HIGH	MOD	HIGH	HIGH
APP-003	Milsoft WindMil	Milsoft	2023	Distribution system planning and modeling; power flow analysis	Desktop (2 engineering PCs)	Engineering — INTERNAL	Windows login only; no MFA	LOW	MOD	LOW	LOW
APP-004	ESRI ArcGIS Server	Esri	10.9.1	GIS — distribution system geographic model; infrastructure mapping	On-premise (SRV-006)	Infrastructure Mapping — SENSITIVE	Windows auth; no MFA	MOD	MOD	MOD	MODERATE
APP-005	Landis+Gyr Command Center	Landis+Gyr	v8.2 (current v9.1)	AMI meter data management; demand response; remote connect/disconnect	On-premise (SRV-004)	OT Operational — SENSITIVE	Local accounts; no MFA	MOD	MOD	HIGH	HIGH
APP-006	QuickBooks Enterprise 22.0	Intuit	22.0 (outdated)	Accounting, payroll, accounts payable/receivable, general ledger	On-premise (SRV-003, EOL OS)	Financial — CONFIDENTIAL	Local QB accounts; no MFA	HIGH	HIGH	MOD	HIGH
APP-007	Microsoft 365 (E1 license)	Microsoft	Exchange Online / Teams / OneDrive	Email, collaboration, cloud file storage for all 34 employees	Cloud SaaS (Microsoft)	Business Communications — INTERNAL	Password only — MFA NOT enforced	MOD	MOD	MOD	MODERATE
APP-008	Buckeye Power EMS Data Link	Buckeye Power / OSIsoft PI	N/A	Wholesale energy metering data exchange; generation scheduling interface	Vendor-hosted; IPsec VPN to Buckeye Power	OT Metering — SENSITIVE	Shared service account (no individual auth)	MOD	HIGH	HIGH	HIGH
APP-009	AutoCAD LT 2022	Autodesk	2022	Electrical/civil engineering drawings; substation layout plans	Desktop (engineering PCs); Autodesk cloud license	Engineering — INTERNAL	Autodesk cloud login	LOW	MOD	LOW	LOW
APP-010	NISC SmartHub	NISC	Current (NISC-managed)	Customer self-service portal — bill pay, outage reporting, account management	Cloud SaaS (NISC-hosted)	PII / Customer Data — CONFIDENTIAL	Customer-facing; admin access password only (no MFA)	HIGH	MOD	MOD	MODERATE

Section 6 — Data Asset Classification

🗄️

Data Assets & Classification

DATA ▼

No Formal Data Classification Policy MVEC has no formal data classification policy. The classifications below reflect the assessed sensitivity of each data type based on potential impact of unauthorized disclosure or modification. A formal data classification policy is a gap in the ASSET and PROGRAM domains.

Data Asset	Classification	Description	System(s)	Volume / Records	Retention	Storage Location	C	I	A	Regulatory Obligation
Customer Account & Billing Records	CONFIDENTIAL	Names, addresses, account numbers, energy usage, payment history	Milsoft CIS (SRV-005), NISC SmartHub	14,620 active accounts	7 years (per Ohio utility regulations)	On-premise + NISC cloud	HIGH	MOD	HIGH	Ohio PUC, potential CPNI
Financial Records (AP/AR/Payroll)	CONFIDENTIAL	Bank accounts, vendor invoices, employee payroll, general ledger	QuickBooks Enterprise (SRV-003)	34 employee payroll records; full GL history	7 years	On-premise only; tape backup offsite (GM's home)	HIGH	HIGH	MOD	IRS, GAAP, Ohio DOT
OT / SCADA Operational Data	SENSITIVE	Real-time telemetry, breaker status, control commands, operational historian	GE e-terra SCADA (SRV-002), RTUs (OT-002 to OT-004)	Real-time + 90-day historian	90 days historian; real-time operational	On-premise only (no backup of SCADA historian)	MOD	HIGH	HIGH	NERC CIP Low Impact (CIP-003-8)
AMI Meter Data	SENSITIVE	15-minute interval consumption data; remote connect/disconnect command log	Landis+Gyr Command Center (SRV-004); L+G cloud	14,620 smart meters × 15-min intervals	13 months on-premise; longer in L+G cloud	On-premise + Landis+Gyr cloud	MOD	MOD	HIGH	Ohio PUC smart meter data rules
Distribution Infrastructure GIS Data	SENSITIVE	Pole locations, underground cable routes, substation layouts, critical infrastructure mapping	ESRI ArcGIS Server (SRV-006)	Full service territory — 1,140 sq mi	Current; historical versions in AutoCAD drawings	On-premise; some in AutoCAD files on engineering PCs	MOD	MOD	MOD	None specific; CISA critical infrastructure guidance
Employee HR & Personnel Records	CONFIDENTIAL	SSNs, home addresses, performance reviews, medical/benefits data	Shared file server (SRV-001) — HR folder; paper files	34 employees + former employees	7 years post-termination	File server + paper (HR office)	HIGH	MOD	LOW	Ohio PIIA, ADA, FLSA
IT System Credentials & Configurations	RESTRICTED	Server admin passwords, VPN PSKs, network device configs, SCADA credentials	Various — many stored informally (sticky notes, shared documents)	~20 system accounts	Current; no formal credential vault	No PAM; informal — major gap	HIGH	HIGH	HIGH	NERC CIP CIP-003-8

Section 7 — End-of-Life / End-of-Support Asset Register

⚠️

End-of-Life & End-of-Support Asset Register

EOL RISK ▼

Critical Finding — Multiple EOL Assets in Production MVEC is operating three systems past vendor end-of-support and two OS versions with no security patches available. These represent the highest cyber risk in the asset inventory. EOL systems cannot be patched when new vulnerabilities are discovered.

Asset ID	Asset Name	EOL Date	Risk	Compensating Controls	Remediation Plan	Target Date
SRV-003	Windows Server 2012 R2 (MVEC-ACCTG)	Oct 14, 2023	CRITICAL	Network firewall provides perimeter protection; no direct internet access; access limited to 2 users	Upgrade to Windows Server 2022; migrate QuickBooks to newer host or SaaS	No funding allocated — TBD
OT-001	GE e-terra Habitat v2.8 (SCADA)	Dec 31, 2021	CRITICAL	Air-gap from internet (partial — VPN access exists); no external connections to SCADA network except VPN	Replace with modern SCADA/DMS platform (e.g., Survalent, OSIsoft PI, or NISC SmartGrid)	No budget allocated; 3–5 year capital plan needed
NET-002	Cisco ASA 5505 VPN Appliance	Aug 31, 2017	CRITICAL	Firewall upstream (FortiGate); limited inbound rules; PSK not shared broadly	Replace with Fortinet FortiGate SSL-VPN or equivalent; implement MFA for all remote access	Priority — within 6 months; ~$3,000–5,000 estimated
Endpoints (×2)	Windows 10 Version 21H2 (EOL May 2022)	May 10, 2022	HIGH	Windows Defender running; no direct internet browsing on these units	Windows 10 in-place upgrade to 22H2 or Windows 11; no hardware replacement needed	Within 30 days; no cost (license included)