1. Scope & Purpose
Purpose: This Maintenance Report documents the current state of maintenance activities for all MVEC IT and OT assets, including patch management, firmware updates, vendor support status, scheduled maintenance windows, and end-of-life/end-of-support (EOL/EOS) exposure. It supports evaluation of C2M2 ASSET domain practices ACM-1d and ACM-3 (asset maintenance) and ARCH domain practices CAM-1 and CAM-2.
Scope: All production IT systems (servers, endpoints, network devices) and OT/ICS assets (SCADA/HMI, RTUs, protective relays, AMI head-end, automated reclosers). Laboratory, test, and spare equipment are out of scope. Maintenance of physical facilities and vehicles is out of scope.
Key Risk: MVEC currently operates two EOL/unsupported systems in production — the GE e-terra SCADA platform (EOL 2021) and Windows Server 2012 R2 (EOL October 2023). Neither system is receiving security patches. No formal patch management program exists for IT or OT.
2. Maintenance Summary
| Metric | Count |
|---|---|
| Total Assets In-Scope | 47 |
| Overdue Maintenance | 12 |
| EOL — No Vendor Support | 2 |
| EOS — Limited Support | 3 |
| Formal Patch Program | 0 |
| Active Vendor SLAs | 4 |
Maintenance Program Status: MVEC has no documented patch management policy or formal maintenance schedule. IT maintenance is largely reactive and delegated to TechPath MSP under a monthly SLA. OT maintenance is performed on an ad-hoc basis during planned outages. No change management process exists for firmware updates.
3. Server & IT Infrastructure Maintenance
| Asset ID | Hostname | OS / Firmware | Last Patched | Patch Status | Vendor Support | Maintainer | Notes |
|---|---|---|---|---|---|---|---|
| SRV-001 | FILESRV | Windows Server 2019 Standard | Feb 2025 | Current | Supported (2029) | TechPath MSP | Auto Windows Update; monthly review |
| SRV-002 | SCADA01 | Windows Server 2016 (SCADA host) | Sep 2024 | 6 Months Behind | Supported (2027) | GE Grid Solutions | CRITICAL: Patching requires GE approval & scheduled outage; no patch window defined for 2025 |
| SRV-003 | ACCTG | Windows Server 2012 R2 (EOL) | Oct 2023 | 17+ Months Behind | EOL — No Patches | TechPath MSP | CRITICAL: No security patches available post-EOL; holds NISC billing data (HIGH confidentiality) |
| SRV-004 | AMI-HE | Ubuntu 20.04 LTS + Landis+Gyr v8.2 | Jan 2025 | Current | Supported (2025) | Landis+Gyr / TechPath | LTS end Apr 2025; upgrade to 22.04 LTS planned Q3 2025 |
| SRV-005 | CIS | Windows Server 2019 + NISC iVUE | Feb 2025 | Current | Supported (2029) | NISC / TechPath | NISC manages application updates on contract schedule |
| SRV-006 | GIS | Windows Server 2019 + ESRI ArcGIS | Feb 2025 | Current | Supported (2029) | TechPath MSP | ArcGIS license renewal due June 2025 |
4. Endpoint Maintenance
| Group / Asset | Count | OS | Avg Patch Age | Status | Antivirus | Managed By |
|---|---|---|---|---|---|---|
| Office Workstations | 14 | Windows 10 Pro (22H2) | ~30 days | Mostly Current | Microsoft Defender (managed) | TechPath MSP (RMM) |
| Field Laptops | 6 | Windows 10 Pro (21H2) | ~90 days | Irregular | Microsoft Defender (unmanaged) | Individual users — no RMM agent |
| SCADA Engineering WS | 2 | Windows 10 LTSC 2019 | 180 days | Deferred | None — vendor prohibition | GE Grid Solutions guidance |
| HMI Consoles (OT zone) | 2 | Windows 7 Embedded (EOL 2020) | Never | EOL — Unsupported | None | No patch path; hardware-locked to GE platform |
| Network Printer / MFP | 3 | Embedded firmware | Unknown | Unknown | N/A | Not included in current maintenance program |
5. Network Device Maintenance
| Asset ID | Device | Model / Firmware | Last Updated | Status | Vendor Support | Notes |
|---|---|---|---|---|---|---|
| NET-001 | Perimeter Firewall | Cisco ASA 5506-X / 9.16(4) | Aug 2024 | 7 Months Behind | EoSW Mar 2025 | ASA 5506-X reached End of SW Maintenance March 2025; IOS 9.18 available but untested |
| NET-002 | Core LAN Switch | Cisco Catalyst 2960-X / 15.2(7)E9 | Dec 2024 | Current | EoL Jan 2027 | Nearing EoL; replacement budgeted for FY 2026 |
| NET-003 | OT Network Switch | Hirschmann RS20 / HiOS 8.0 | Mar 2023 | 24 Months Behind | Supported | HiOS 9.x available; OT change window required; no planned window |
| NET-004 | Corp Wi-Fi AP (×4) | Ubiquiti UniFi AP-AC-Pro / 6.5.54 | Jan 2025 | Current | Supported | Auto-update via UniFi controller; TechPath managed |
| NET-005 | VPN Concentrator | Cisco ASA 5506-X (VPN module) / 9.16(4) | Aug 2024 | 7 Months Behind | EoSW Mar 2025 | Same device as NET-001; TechPath VPN tunnel for remote access |
6. OT/ICS Asset Maintenance
OT Maintenance Policy Gap: MVEC has no documented OT maintenance policy or firmware management procedure. OT device changes are made informally during planned outages by GE Grid Solutions field technicians or by MVEC's SCADA Engineer (Dobrowski). No change management tickets or maintenance logs are maintained.
| Asset ID | Asset / Description | Vendor | Firmware / Version | Last Maintenance | Vendor Support | Maintenance Status | Notes |
|---|---|---|---|---|---|---|---|
| OT-001 | SCADA Platform (e-terra) | GE Grid Solutions | v3.2.1 (EOL 2021) | Jun 2022 | No Support | EOL — No Patches | CRITICAL: GE ended support 2021; no security patches available; migration cost est. $380K–$520K; no budget approved |
| OT-002 | RTU — Main Substation | GE Grid Solutions | D20MX FW 2.12 | Apr 2023 | Limited | Overdue (23 mo) | FW 2.17 available; requires GE on-site or VPN session; no window scheduled |
| OT-003 | RTU — Sub-Substation | GE Grid Solutions | D20MX FW 2.12 | Apr 2023 | Limited | Overdue (23 mo) | Same as OT-002; treated as identical unit for maintenance purposes |
| OT-004 | Master Clock (SEL-2414) | SEL | FW R302-V1 | Nov 2024 | Supported | Current | Annual firmware review per SEL application guide |
| OT-005 | Protective Relay — SS-01 | SEL | SEL-351 FW R510 | Jan 2024 | Supported | Current | Passwords changed from default on SS-01; annual relay testing performed |
| OT-006 | Protective Relay — SS-02 | SEL | SEL-351 FW R510 | Mar 2023 | Supported | Overdue (24 mo) | CRITICAL: Confirmed default factory password still active; annual relay test also overdue |
| OT-007 | Automated Reclosers (×12) | S&C Electric | IntelliRupter v4.1 | Various 2023–2024 | Supported | Mostly Current | S&C field technicians perform firmware updates during scheduled outages; 3 units still on v3.9 |
| OT-008 | AMI Head-End (Landis+Gyr) | Landis+Gyr | Gridstream AIM v8.2 | Jan 2025 | Supported | Current | Under active support contract; quarterly update calls with Landis+Gyr TAC |
| OT-009 | Power Quality Analyzer | Dranetz | HDPQ v3.4 | Oct 2024 | Supported | Current | Air-gapped; standalone unit; no network connectivity |
7. Vendor Maintenance Agreements & SLAs
| Vendor | Systems Covered | Contract Type | Response SLA | Expiration | Status | Notes |
|---|---|---|---|---|---|---|
| TechPath Solutions | All IT (servers, endpoints, network, M365) | Managed Services (MSP) | 4-hr remote / 8-hr on-site | Dec 31, 2025 | Active | Monthly flat-fee; covers patching, monitoring, helpdesk; OT explicitly excluded |
| GE Grid Solutions | SCADA (e-terra), RTUs (D20MX) | T&M (no active support contract) | Best-effort; no SLA | N/A | No SLA | Support contract lapsed 2022; GE e-terra EOL prevents new support agreement; hourly billing for field work |
| NISC | iVUE CIS / billing platform | Software Maintenance & Support | 24-hr critical / 5-day standard | Sep 30, 2025 | Active | Annual renewal; includes quarterly application updates and hosted training |
| Landis+Gyr | Gridstream AMI Head-End (SRV-004) | Software Support & Maintenance | Next business day | Mar 31, 2026 | Active | Includes firmware updates and Gridstream Connect portal access |
| SEL (Schweitzer Engineering) | SEL-351 Relays, SEL-2414 Clock | Per-incident (no annual contract) | Per-incident | N/A | Per Incident | SEL firmware and manuals freely available; no subscription required; MVEC self-maintains |
| Cisco SmartNet | ASA 5506-X, Catalyst 2960-X | SmartNet (expired) | N/A — expired | Expired Jun 2023 | Expired | No active TAC support; TAC access and IOS updates unavailable without renewal |
8. Scheduled Maintenance Calendar (2025)
Gap: MVEC has no formal annual maintenance calendar. The schedule below reflects known vendor-scheduled activities and items identified during this assessment. No change management or maintenance window policy is documented.
| Target Date | Asset(s) | Activity | Maintainer | Outage Required | Status |
|---|---|---|---|---|---|
| Q1 2025 (overdue) | SRV-002 (SCADA01) | Windows Server 2016 cumulative patches | GE Grid Solutions + IT | Yes — planned outage | Overdue |
| Apr 2025 | SRV-004 (AMI-HE) | Ubuntu OS upgrade 20.04 → 22.04 LTS | Landis+Gyr / TechPath | Yes — 2–4 hr window | Scheduled |
| Q2 2025 | SRV-003 (ACCTG) | OS migration: Win 2012 R2 → Win 2022 | TechPath MSP | Yes — weekend window | Pending Approval |
| Q2 2025 | OT-006 (SEL-351 SS-02) | Default password remediation + annual relay test | MVEC SCADA Eng. | No | Pending — CRITICAL |
| Q2 2025 | NET-003 (OT Switch) | HiOS firmware update 8.0 → 9.x | TechPath + MVEC OT | Yes — brief OT outage | Pending Window |
| Q3 2025 | OT-002, OT-003 (D20MX RTUs) | RTU firmware update FW 2.12 → 2.17 | GE Grid Solutions | Yes — substation outage | Tentative |
| Q3 2025 | OT-007 (3× IntelliRupter v3.9) | Firmware update v3.9 → v4.1 | S&C Electric | Yes — line sectionalizing | Scheduled (S&C) |
| Q4 2025 | NET-001/NET-005 (ASA) | Evaluate firewall replacement (Cisco Firepower or Fortinet) | TechPath MSP | Yes — outage | Pending Budget |
9. End-of-Life / End-of-Support Asset Register
| Asset ID | Asset | EOL / EOS Date | Severity | Compensating Control | Migration Plan | Est. Cost |
|---|---|---|---|---|---|---|
| OT-001 | GE e-terra SCADA platform | Dec 2021 | Critical | Network isolation (partial); no patches available | No approved plan; options analysis in FY 2026 budget request | $380K–$520K |
| SRV-003 | Windows Server 2012 R2 | Oct 2023 | Critical | Firewall ACL; no direct internet access; backups current | OS migration to Win 2022 — Q2 2025 pending board approval | $4,200 (TechPath est.) |
| Endpoints ×2 | Windows 7 Embedded (HMI consoles) | Jan 2020 | High | OT network isolation; no internet access; physical access controls | Hardware replacement required with SCADA platform migration | Bundled in SCADA migration cost |
| NET-001/005 | Cisco ASA 5506-X (SW Maintenance) | Mar 2025 | Medium | Current IOS version has no known critical CVEs; monitored | Replacement firewall evaluation Q4 2025 | $8,000–$15,000 |
| NET-002 | Cisco Catalyst 2960-X | Jan 2027 | Medium | Currently supported; monitoring EoL approach | Replacement budgeted FY 2026 | $6,500–$9,000 |
10. Maintenance Findings & Gaps
| Finding ID | Description | Severity | Affected Assets | C2M2 Practice | Status |
|---|---|---|---|---|---|
| MNT-01 | GE e-terra SCADA platform is EOL with no available security patches and no approved migration plan | Critical | OT-001, SRV-002 (host) | ACM-1d, ARCH-CAM-1 | Open |
| MNT-02 | Windows Server 2012 R2 (ACCTG) is EOL; hosts HIGH-confidentiality billing data; 17+ months behind on patches | Critical | SRV-003 | ACM-1d | Remediation Q2 2025 |
| MNT-03 | No documented patch management policy or procedure for IT or OT systems | Critical | All systems | ACM-3, PROGRAM-1 | Open — Policy gap |
| MNT-04 | HMI consoles running Windows 7 Embedded (EOL 2020); no patch path without full SCADA platform replacement | High | HMI-001, HMI-002 | ACM-1d, ARCH-CAM-1 | Open — Blocked on SCADA migration |
| MNT-05 | SCADA01 (SRV-002) is 6+ months behind on cumulative patches; GE approval delays prevent timely patching | High | SRV-002 | ACM-1d | Patch window TBD Q1/Q2 2025 |
| MNT-06 | Cisco SmartNet contracts expired June 2023; no TAC access or IOS update rights for ASA or Catalyst | High | NET-001, NET-002, NET-005 | ACM-1d | Renewal or replacement Q4 2025 |
| MNT-07 | 6 field laptops not enrolled in RMM tool; patch compliance unknown; no AV management | High | Field laptops ×6 | ACM-1, ACM-2 | Open |
| MNT-08 | OT network switch (Hirschmann RS20) firmware 24 months behind; no OT change window defined | Medium | NET-003 | ACM-1d | Planned Q2 2025 |
| MNT-09 | GE D20MX RTU firmware 23 months behind; FW 2.17 available but no window scheduled | Medium | OT-002, OT-003 | ACM-1d | Tentative Q3 2025 |
| MNT-10 | No maintenance records or change logs maintained for OT devices; audit trail unavailable | Medium | All OT assets | ACM-3, SITUATE-SA-2 | Open — Process gap |
11. C2M2 Asset Management (ACM) — Maintenance Practices Assessment
| Practice ID | Practice Description | MIL Rating | Rationale |
|---|---|---|---|
| ACM-1a | Establish and maintain an asset inventory | MIL 1 | Informal inventory exists; not formally maintained or reviewed on schedule |
| ACM-1b | Prioritize assets based on criticality | MIL 1 | SCADA recognized as critical informally; no documented criticality tiering |
| ACM-1d | Manage asset vulnerabilities through patching / upgrades | MIL 0 | No patch management program; two EOL systems in production; multiple overdue updates |
| ACM-2a | Establish configuration baselines for assets | MIL 0 | No documented configuration baselines for IT or OT assets |
| ACM-3a | Implement a configuration management process | MIL 0 | No change management process; OT changes made informally; no maintenance logs |
| ACM-3b | Address identified vulnerabilities | MIL 1 | Some remediation actions are being planned (SRV-003 migration, relay passwords) |
Overall Maintenance MIL Rating: MIL 0 / MIL 1 boundary. MVEC demonstrates ad-hoc awareness of maintenance needs but lacks the documented policies, procedures, and program management infrastructure to achieve consistent MIL 1 (Performed) across ACM practices related to maintenance. The absence of a patch management program is the primary gap.
12. Remediation Roadmap
| Priority | Action | Owner | Target Date | Est. Cost | MIL Impact |
|---|---|---|---|---|---|
| P1 — Immediate | Remediate default passwords on SEL-351 relay at SS-02 (MNT-03 related) | MVEC SCADA Eng. (Dobrowski) | Within 30 days | $0 (staff time) | ACM-1d ↑ |
| P1 — 30 Days | Document and publish a Patch Management Policy covering IT and OT systems | IT Manager (Harmon) + TechPath | Apr 2025 | ~$2,000 (consulting) | ACM-3a, PROGRAM ↑ |
| P1 — 60 Days | Enroll field laptops in TechPath RMM; enforce patch and AV baseline | TechPath MSP | May 2025 | Included in MSP contract | ACM-1, ACM-2 ↑ |
| P2 — 90 Days | Complete OS migration SRV-003 (Win 2012 R2 → Win 2022) | TechPath MSP | Jun 2025 | $4,200 | ACM-1d ↑ |
| P2 — 90 Days | Schedule and execute SCADA01 (SRV-002) patch window with GE Grid Solutions | IT Mgr + GE Grid | Jun 2025 | ~$3,000 (GE T&M) | ACM-1d ↑ |
| P2 — 120 Days | Update OT network switch (NET-003) firmware; define recurring OT change window policy | TechPath + MVEC OT | Jul 2025 | $1,500 (labor) | ACM-1d, ACM-3 ↑ |
| P3 — 180 Days | Renew or replace Cisco SmartNet / ASA hardware; evaluate next-gen firewall | IT Mgr + TechPath | Sep 2025 | $8,000–$15,000 | ACM-1d ↑ |
| P3 — 180 Days | Implement OT maintenance log / change register in ticketing system | MVEC SCADA Eng. | Sep 2025 | $0 (process change) | ACM-3, SITUATE ↑ |
| Long-Term | Commission SCADA platform replacement study (e-terra EOL) and begin board budget process | GM (Bynum) + Board | FY 2026 | $380K–$520K | OT-001 EOL remediation |