12.07.2015 Views

METROPOLITAN EDISON COMPANY - Pennsylvania Public Utility ...


FirstEnergy management stated that refresher courses are updated and made available annually for all employees that have access to cyber assets. The process for delivering the training is as follows:

  • An initial email is sent informing the individual of the mandatory training, along with a deadline date.
  • A reminder email is sent after one week to individuals that have not completed the training.
  • An email is sent after two weeks to managers/supervisors containing a list of individuals that have not completed the training.
  • An email is sent from the Director of Corporate Security to the individual directors of any personnel that have not completed the training after four weeks.

The training is provided through the FirstEnergy portal to all employees and contractors who have access to any FirstEnergy cyber assets. This allows all individuals access to the training on a continuous basis. It also acts as a reference should they have any questions concerning the training or cyber security.

However, summary statistical data that was provided by the FE-PA Companies shows that not all employees are completing this annual training. See Exhibit IX-6 summary of CBT training statistics. Less than 80% of all FE-PA operating company employees with access to cyber assets completed cyber security training from 2007 to 2009.

Refresher training on cyber security should be conducted annually in order to keep the workforce well educated about security threats and vulnerabilities that cyber assets are exposed to and any changes in policies and procedures. FirstEnergy did not provide any particular reason as to why its employees that have access to cyber assets did not complete CBT training from 2007 to 2009. Moreover, the Audit Staff is not certain whether FirstEnergy’s method of tracking the CBT statistics is appropriate. In particular, when reviewing the data in Exhibit IX-6 it is not clear whether the 16% of Met-Ed employees that did not complete CBT related to security awareness and procedures in 2007 were a part of the 79% that completed the similar training in 2008 or similarly in 2009 and so on. FirstEnergy should strive to track the number of employees that did not complete CBT, the reason for not doing so and expedite the training of these employees in future years. By not maintaining and reporting this information, there could be a possibility that employees which have access to cyber assets never receive CBT related to security awareness and procedures and are not identified; even if the training data seems to indicate most employees have received training and periodic update/refresher training.

Information technology has progressed markedly in recent years and with this advancement in technology the security risks to the cyber infrastructure have also increased considerably. It is imperative for companies, especially one such as an electric distribution utility that maintains thousands of confidential customer records, to be aware of the potential dangers of cyber security threats and vulnerabilities. It is crucial for the workforce to know and learn how FirstEnergy protects its cyber assets
