NERC Case Notes: Reliability Standard CIP-005-3

Alert


Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-005-3

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it had not applied all of the required protective measures to the Cyber Assets used for access control and monitoring of its ESPs, and that it had not documented 24 security patch assessments for those Cyber Assets. On review, URE found that 15 upgrades released during the period could not be installed because of memory limitations on the devices, and that neither the assessment of those patches nor the compensating measures in place had been documented. Finally, URE had not identified five individuals who had access to the shared firewall accounts used for access control at the Control Center, the backup Control Center and its facilities, although the shared firewall accounts were changed as soon as the issue was discovered.

Finding: WECC found the violations constituted a moderate risk to BPS reliability, which was mitigated because the relevant devices were housed within ESPs and PSPs and had CIP protections in place, as well as intrusion detection and prevention systems at the ESPs. WECC considered URE’s and its affiliates’ violation history when determining the appropriate penalty.

Penalty: $27,900 (aggregate for 2 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-005-3

Requirement: R1.4, R2.2

Violation Risk Factor: Medium (R1.4, R2.2)

Violation Severity Level: Severe (R1.4, R2.2)

Region: RFC

Issue: During a compliance audit, RFC found that while URE had a list that contained both CCAs and non-critical Cyber Assets within the ESP, it did not specify which of the assets were the non-critical Cyber Assets, as required (R1.4). RFC also determined that URE had not enabled only the required ports and services on the routers interconnecting four discrete ESPs, and that it did not have proper documentation of the configuration of the ports and services on those routers (R2.2).

Finding: RFC found that the CIP-005-3 R1.4 violation constituted only a minimal risk to BPS reliability and the CIP-005-3 R2.2 violation constituted a moderate risk to BPS reliability. For R1.4, URE was also maintaining a separate list of non-critical Cyber Assets. URE protected the non-critical Cyber Assets within the ESP as CCAs, thereby providing the non-critical Cyber Assets with a higher level of protection than required. In terms of R2.2, each of the routers is only configured to allow communication with specific peers defined in the router’s configuration mappings. There are also access control lists in place governing traffic origination and destination, with a configuration to deny all traffic that does not meet a predefined access list parameter. Furthermore, all of the assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-005-3

Requirement: R3.2, R4.2

Violation Risk Factor: Medium (R3.2, R4.2)

Violation Severity Level: Severe (R3.2, R4.2)

Region: RFC

Issue: During a compliance audit, RFC determined that URE did not have sufficient procedures in place to monitor electronic access to the ESP. Although URE had enacted logging for repeated unsuccessful login attempts, URE had not properly documented or implemented procedures to alert designated response personnel of unauthorized access attempts (or actual unauthorized access) to the ESP. (R3.2) RFC also found that URE did not include in its cyber vulnerability assessment of the electronic access points to the ESP a review of whether only ports and services required for operations at the electronic access points were enabled. (R4.2)

Finding: RFC found that the CIP-005-3 R3.2 and R4.2 violations constituted a moderate risk to BPS reliability. URE did have logging in place, even though URE had not established the appropriate alerts. URE also reviewed the logs manually and did not find any unauthorized access attempts. In addition, all of the relevant assets were located within a secured ESP and PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access. Therefore, there was a decreased chance that an individual without authorization rights would try to access the ESP. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-005-3

Requirement: R5

Violation Risk Factor: Lower (R5/5.1)

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-certified an issue with the CIP-005-3 Reliability Standard because it had not reviewed documentation with respect to the following: establishing and maintaining ESPs; system monitoring for Cyber Security events; user account access activities; and manually retrieving system account logs.

Finding: WECC found the violation constituted a minimal risk to BPS reliability because no changes had been made to the relevant CIP procedures, and all CCAs are housed in ESPs and PSPs with CIP protections in place. In determining the appropriate penalty, WECC considered certain aspects of URE’s internal compliance program as a mitigating factor.

Penalty: $17,300 (aggregate for 2 violations)

FERC Order: Order issued May 30, 2012 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17-000 (December 31, 2012)

Reliability Standard: CIP-005-3

Requirement: 1/1.5 (3 violations)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, three entities that operate from the same control room and share the same energy management system, self-reported that they had not applied the required protective measures to three Cyber Assets used for access control and monitoring of ESPs. For example, the UREs did not have the documentation required to show that only the necessary ports and services were enabled, or that the required assessment and implementation of security patches had been performed.

Finding: RFC found that the violation constituted a moderate risk to BPS reliability since, without the required protective measures in place, the UREs increased the risk of cyber intrusions into CCAs via devices located outside an established ESP. However, the UREs do not use any of the relevant systems to operate and control Critical Assets. The additional ports and services that were enabled were open only for communications with other trusted corporate networks (which were further protected with additional measures such as firewalls). The protective measures represented a defense-in-depth strategy that guarded the transmission management system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs’ first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs’ compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-005-3

Requirement: 2 (3 violations)

Violation Risk Factor: Medium (2, 2.2), Lower (2.6)

Violation Severity Level: Severe (2, 2.2, 2.6)

Region: RFC

Issue: The UREs, which are three entities that operate from the same control room and share the same energy management system, self-reported that they did not install electronic access controls at all electronic access points to the ESP (2). For example, the UREs were unable to show that they had only enabled those ports and services required for the operations and monitoring of Cyber Assets at the access points to the ESP (2.2). The UREs also did not appropriately document the content of the appropriate use banner (2.6).

Finding: RFC found that the violations constituted a moderate risk, while NERC found that the violations constituted only a minimal risk to BPS reliability. The additional ports and services that the UREs had enabled were open only for communications with other trusted corporate networks (which were further protected with additional measures such as firewalls). The protective measures represented a defense-in-depth strategy that guarded the UREs’ transmission management system. Also, the UREs were displaying their appropriate use banner at logon. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs’ first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs’ compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-2; CIP-005-3

Requirement: R4.3; R4.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Following a Compliance Audit, RFC determined that URE violated R4 when it failed to provide evidence that it had conducted an assessment to identify all access points to the Electronic Security Perimeter (ESP), and failed to provide evidence that its cyber vulnerability assessment had reviewed the controls for default accounts, passwords, and network management community strings.

Finding: RFC determined that the R4 violation posed a moderate risk to the reliability of the BPS, which was mitigated because during the violation period URE had employed an intrusion prevention system that included logging, alerting and constant monitoring of all access points to the ESP, and had thus protected the access points. RFC and URE entered into a settlement agreement resolving multiple violations, under which URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R4. RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when URE failed to include a review of all access points to the ESP, or of the controls for default accounts, passwords and network management community strings, in its cyber vulnerability assessment. The violation ended when URE completed an assessment that included the requirements of the Standard. URE neither admitted nor denied the R4 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)

Reliability Standard: CIP-005-3

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it was non-compliant with CIP-005-3 R3 when it discovered that the logging and monitoring at an ESP access point had been disabled for approximately 40 days.

Finding: The violation was deemed to pose a minimal, but not a serious or substantial, risk to BPS reliability, which was mitigated because the CCAs within the ESP were located in a PSP and had CIP-006 protections. URE and WECC reached a settlement under which URE agreed to and stipulated the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.

Total Penalty: $198,000 (aggregate for ten violations)

FERC Order: Issued August 30, 2013 (no further review)
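The 40-day logging outage in the entry above is the classic failure mode of a monitoring control: the logs stop and nothing notices. The following is an added example, not code from the case or from any registered entity, of the dead-source check a SOC would run over its access-point log feed. The event feed, the access-point names and the 24-hour silence threshold are constructed assumptions.

```python
"""Detect ESP access points whose logging has gone silent.

Added example, not from the NERC case or any vendor tool. It assumes a
constructed feed of (access_point, timestamp) log events and flags any
expected access point that has not logged for longer than MAX_SILENCE.
"""
from datetime import datetime, timedelta, timezone

# Longest gap tolerated before a log source is treated as dead.
# Assumed threshold; a real deployment tunes this to the expected log rate.
MAX_SILENCE = timedelta(hours=24)

# Constructed sample events: "esp-fw-02" stops logging on 1 March while the
# other access points keep reporting into April.
SAMPLE_EVENTS = [
    ("esp-fw-01", "2013-04-09T23:55:00Z"),
    ("esp-fw-02", "2013-03-01T08:12:00Z"),
    ("esp-fw-02", "2013-03-01T09:40:00Z"),
    ("esp-rtr-01", "2013-04-10T01:02:00Z"),
]

# Every access point that is expected to log. A source with no events at all
# is the worst case and must be reported too; "esp-fw-03" never appears.
EXPECTED_SOURCES = ["esp-fw-01", "esp-fw-02", "esp-rtr-01", "esp-fw-03"]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Return {source: latest event timestamp} from the event feed."""
    latest = {}
    for source, ts in events:
        when = parse_ts(ts)
        if source not in latest or when > latest[source]:
            latest[source] = when
    return latest


def find_silent_sources(events, expected, now, max_silence=MAX_SILENCE):
    """Return {source: whole days silent} for every expected source whose
    most recent event is older than max_silence. A source with no events at
    all is reported with the value None."""
    latest = last_seen(events)
    silent = {}
    for source in expected:
        if source not in latest:
            silent[source] = None
            continue
        gap = now - latest[source]
        if gap > max_silence:
            silent[source] = gap.days
    return silent


if __name__ == "__main__":
    now = parse_ts("2013-04-10T12:00:00Z")
    for src, days in find_silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, now).items():
        state = "never seen" if days is None else f"{days} days without logs"
        print(f"ALERT {src}: {state}")
```

Run against the constructed feed with a reference time of 10 April 2013, the check reports esp-fw-02 as 40 days silent and esp-fw-03 as never seen; the two healthy sources produce nothing. The point of keeping an explicit expected-source list is that a source which has never logged cannot be discovered from the log data itself.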

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-005-3

Requirement: 1.1, 1.4, 1.5

Violation Risk Factor: Medium (1.1, 1.4, 1.5)

Violation Severity Level: Severe (1.1, 1.4, 1.5)

Region: RFC and SERC

Issue: SERC and RFC determined that URE1 and URE2 (collectively, URE) did not identify and document devices in its intrusion detection and prevention system that communicate to a sensor and certain network switches that are configured to switch traffic to multiple virtual local area networks as access points to the ESPs (1.1). URE also found that it had a server in its control center that was a non-critical Cyber Asset, which was not appropriately identified and protected (1.4). In addition, URE had not identified all of its electronic access control and monitoring (EACM) devices as required and provided them with all of the required protective measures (1.5).

Finding: SERC and RFC found that the CIP-005-3 R1.1 and R1.5 violations constituted a moderate risk to BPS reliability. Regarding R1.1, an unidentified access point to an ESP can be used by unauthorized personnel to gather information about internal ESP traffic and potentially allow unauthorized access into the ESP. But the risk to the BPS was mitigated since the network switches are configured to separate the ESP networks from the non-ESP networks, which reduces the chance of unauthorized traffic entering the ESP through the network switches. In addition, URE had measures in place to protect and restrict access to the ESP, and all the devices were located within a PSP. In terms of R1.5, the violation increased the chance that URE’s CCAs would be compromised by allowing a cyber intrusion to occur via EACM devices located outside an established ESP. But the EACM devices were protected by certain of URE’s cyber security policies and procedures, and the people accessing those devices had received cyber security training and had PRAs on file. SERC and RFC determined that the CIP-005-3 R1.4 violation only constituted a minimal risk to BPS reliability, as URE had tested the device prior to its introduction into the ESP and, once it was within the ESP, had patched antivirus signatures and monitored the device for security events. URE also restricted access to the ESP and had other protective measures in place. All the devices were also located within a PSP. URE admitted the violations. In approving the settlement agreement, the NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But URE did self-report some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-005-3

Requirement: 2 (2 violations – RFC and SERC)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC and SERC

Issue: SERC and RFC determined that, because URE1 and URE2 (collectively, URE) had firewall rules with broad destinations and excessive port ranges, URE had not enabled only those ports and services at electronic access points to the ESP that are required for the operations and monitoring of Cyber Assets within the ESP. In addition, the firewall rules at two of URE2’s sites and a control center permitted interactive access traffic to enter the ESP without authentication by the remote access architecture.

Finding: SERC and RFC found that the CIP-005-3 R2 violation constituted a moderate risk to BPS reliability, as ESP access points with overly broad configurations may allow additional and unauthorized traffic into or out of the ESP and increase the chance of disruption to CCA operations. But URE’s firewall rules denied access by default, and there were specific user account requirements in place for Cyber Assets within the ESP, which decreased the risk of unauthorized access. The devices were also protected by site physical security and located within a PSP. URE admitted the violations. In approving the settlement agreement, the NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But URE did self-report some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)
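The R2 finding above turns on two concrete properties of a rule base: permits with broad destinations or excessive port ranges, and an explicit deny-by-default that bounds whatever the permits miss. The block below is an added example, not code from the case or from any registered entity, of how to audit a rule base for both. The rule format, the sample rules and the breadth thresholds (one /24 of destinations, 16 ports) are assumptions.

```python
"""Audit an ESP access-point rule base for over-broad permits and a missing
explicit deny-all. Added example; not code from the NERC case or from any
registered entity. The rule format and the breadth thresholds are assumptions.
"""
import ipaddress

# Assumed thresholds: a permit reaching more than one /24 of destinations, or
# more than 16 ports, is wider than "only those ports and services required".
MAX_DST_HOSTS = 256
MAX_PORTS = 16

# The shape of an explicit "deny everything else" rule at the end of the base.
DENY_ALL = {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "proto": "any", "ports": "any"}

# Constructed rule base, evaluated top to bottom, first match wins. Rule 1 has
# a broad destination and an excessive port range; rule 2 permits from any
# source; there is no trailing deny-all.
SAMPLE_RULES = [
    {"action": "permit", "src": "10.50.1.0/24", "dst": "10.10.5.7/32", "proto": "tcp", "ports": "20000"},
    {"action": "permit", "src": "10.50.1.0/24", "dst": "10.10.0.0/16", "proto": "tcp", "ports": "1-65535"},
    {"action": "permit", "src": "0.0.0.0/0", "dst": "10.10.5.0/24", "proto": "tcp", "ports": "22,23,3389"},
    {"action": "permit", "src": "10.50.1.0/24", "dst": "10.10.5.9/32", "proto": "udp", "ports": "161"},
]


def port_count(spec):
    """Number of ports covered by a spec such as '22,23', '1024-2048' or 'any'."""
    if spec == "any":
        return 65536
    total = 0
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            total += hi - lo + 1
        else:
            total += 1
    return total


def is_deny_all(rule):
    """True if the rule denies any source, any destination, any protocol and port."""
    return (rule["action"] == "deny"
            and ipaddress.ip_network(rule["src"]).prefixlen == 0
            and ipaddress.ip_network(rule["dst"]).prefixlen == 0
            and rule["proto"] == "any" and rule["ports"] == "any")


def audit_rules(rules, max_dst_hosts=MAX_DST_HOSTS, max_ports=MAX_PORTS):
    """Return (rule_index, reason) findings for a rule base.

    The index len(rules) marks the missing deny-all finding, i.e. the position
    where that final rule should have been."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        src = ipaddress.ip_network(rule["src"], strict=False)
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if src.prefixlen == 0:
            findings.append((i, "permit from any source"))
        if dst.num_addresses > max_dst_hosts:
            findings.append((i, f"broad destination {rule['dst']} ({dst.num_addresses} hosts)"))
        n = port_count(rule["ports"])
        if n > max_ports:
            findings.append((i, f"excessive port range {rule['ports']} ({n} ports)"))
    # "Deny by default" should be visible in the rule base itself rather than
    # left to the device's implicit behaviour.
    if not rules or not is_deny_all(rules[-1]):
        findings.append((len(rules), "no explicit deny-all rule at the end of the rule base"))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {reason}")
```

On the constructed rule base the audit reports rule 1 twice (broad destination, excessive port range), rule 2 once (any source) and the missing deny-all at position 4; appending DENY_ALL clears the last finding. The thresholds are deliberately simple; what matters for the R2 evidence trail is that each surviving permit can be tied to a named service that the ESP actually needs.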

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-005-3

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC and SERC

Issue: RFC determined that URE1 only retained the electronic access log for one of its Cyber Assets for 86 days (instead of 90 days as required). URE1 also did not properly review, on an annual basis, one ESP document at one of its facilities, as required.

Finding: SERC and RFC found that the CIP-005-3 R5 violation only constituted a minimal risk to BPS reliability. The electronic access logs were available for most of the required time and no changes were made to the ESP document during the prior year. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)

Reliability Standard: CIP-005-3

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: RFC determined that URE’s cyber vulnerability assessment (CVA) procedures did not contain adequate documentation regarding the identification of the CVA process; the review to verify that only those ports and services required for operations at access points to the ESP and for Cyber Assets within the ESP are enabled; the discovery of all ESP access points; the review of controls for default accounts, passwords and network management community strings; and the results of the CVA and the action plan to remediate or mitigate identified vulnerabilities. URE also had not reviewed the controls for its network management community strings for two years.

Finding: RFC found that the CIP-005-3 R4 violation constituted a moderate risk to BPS reliability since an inadequate CVA increases the risk of URE’s assets being compromised. In addition, the violation lasted for over two years, prolonging URE’s exposure to the risk. But this violation was primarily a documentation issue, as URE was actually conducting the CVAs and was able to provide supporting details on those assessments. URE also configured all of its access points’ network management community strings to be read-only and did not use default values (either public or private). Furthermore, the network management community strings were only accessible from specific internal Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But most of the violations were self-reported, and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above and beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.

Total Penalty: $75,000 (aggregate for 13 violations)

FERC Order: Issued February 28, 2014 (no further review)
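The R4 finding above names the specific community-string controls that made the difference: non-default strings, read-only access, and restriction to specific management hosts, with the review repeated on the CVA cadence. The following is an added example, not code from the case or from any registered entity, of the check a CVA would apply to each access point. The device records, the field names and the 365-day review threshold are constructed assumptions standing in for parsed device configurations.

```python
"""Check SNMP v1/v2c community-string controls and review currency as part
of an ESP access-point cyber vulnerability assessment.

Added example, not code from the NERC case or any registered entity. The
device records are constructed and the field names are assumptions that
stand in for values parsed out of real device configurations.
"""
from datetime import date

# Vendor defaults that must never survive on an access point.
DEFAULT_COMMUNITIES = {"public", "private"}
# Annual CVA cadence, taken here as 365 days (assumed interpretation).
MAX_REVIEW_AGE_DAYS = 365

# Reference date for the constructed assessment run.
SAMPLE_TODAY = date(2014, 1, 30)

# Constructed inventory. esp-fw-01 is the compliant state the case describes:
# non-default string, read-only, reachable only from named management hosts,
# reviewed within the year. The other two devices each fail something.
SAMPLE_DEVICES = [
    {"name": "esp-fw-01", "community": "k7Qv-esp-mon", "mode": "ro",
     "acl": ["10.10.9.5/32"], "last_review": date(2013, 11, 2)},
    {"name": "esp-rtr-01", "community": "public", "mode": "ro",
     "acl": [], "last_review": date(2011, 12, 1)},
    {"name": "esp-sw-02", "community": "ops-mgmt", "mode": "rw",
     "acl": ["10.10.9.0/24"], "last_review": date(2013, 10, 15)},
]


def assess_device(dev, today):
    """Return the list of findings for one device (empty if it passes)."""
    issues = []
    if dev["community"].lower() in DEFAULT_COMMUNITIES:
        issues.append("default community string in use")
    if dev["mode"] != "ro":
        issues.append("read-write community enabled")
    if not dev["acl"]:
        issues.append("community not restricted to management hosts")
    age = (today - dev["last_review"]).days
    if age > MAX_REVIEW_AGE_DAYS:
        issues.append(f"controls last reviewed {age} days ago")
    return issues


def assess_inventory(devices, today):
    """Map device name to its findings, listing only devices that fail a check."""
    report = {}
    for dev in devices:
        issues = assess_device(dev, today)
        if issues:
            report[dev["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in assess_inventory(SAMPLE_DEVICES, SAMPLE_TODAY).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Against the constructed inventory, esp-rtr-01 fails three checks (default string, no management ACL, last reviewed 791 days ago, which is the two-year gap the case describes) and esp-sw-02 fails one (a read-write community). The stale-review check is what turns a one-off configuration review into the documented, repeatable CVA the Standard asks for.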

Unidentified Registered Entity (URE), FERC Docket No. NP14-37 (March 31, 2014)

Reliability Standard: CIP-005-3

Requirement: 1, 5

Violation Risk Factor: Medium (1); Lower (5)

Violation Severity Level: Severe (both)

Region: WECC

Issue: While conducting an on-site compliance audit of URE that included facility site tours, WECC’s Audit Team found that URE had not properly identified 60 assets that should have been identified as access control and monitoring devices. The Audit Team noted that URE had considered only access points to be access control and monitoring devices, and had not considered the assets that control or log access to its ESPs as such devices. As a result, those devices were not given all the protections established in the CIP Reliability Standards (R1). Regarding the violation of R5, the Audit Team found a discrepancy in one of URE’s network drawings: a network switch was identified on the drawing but was no longer located within the ESP. URE reported to the Audit Team that the network switch had been redeployed to a new ESP. URE was found to have violated CIP-005-3 R5.2 for failing to update its documentation to reflect the redeployed CCAs within 90 calendar days of the change.

Finding: WECC determined the R1 violation posed a moderate risk to BPS reliability, but not a serious or substantial risk. In particular, URE had not applied 27 available protections to 60 assets associated with access points and with access control and monitoring of URE’s ESPs. Risk was mitigated, however, because all of the Cyber Assets are within a PSP and ESP and are therefore protected by alarms on physical and electronic access. Also, URE’s network is set up so that traffic is segregated by firewalls, and access is limited to individuals with current PRAs on file and cyber security training. WECC determined the R5 violation posed a minimal risk to BPS reliability, but not a serious or substantial risk. Although URE had not updated the ESP network drawing when the network switch was removed, the existing documentation was correct for URE’s remaining ESPs. In approving the settlement agreement, WECC considered that although the violation of CIP-006-1 R1 is URE’s third violation of that Reliability Standard, the current violation is distinct because it relates to a separate sub-requirement; WECC therefore determined it was not recurring conduct and that aggravation was not warranted for the instant violation. Also, the CIP-007-1 R1 violation is URE’s fourth violation of that Reliability Standard; however, the prior violations were concurrent with the instant violations, and WECC therefore did not consider them an aggravating factor in the penalty determination. The CIP-007-1 R2 violation, by contrast, was URE’s second violation of that Reliability Standard, which WECC determined was an aggravating factor in the penalty determination. URE has a compliance program in place, which was given mitigating credit, and URE was cooperative during the compliance enforcement process. There was no evidence of any attempt or intent to conceal a violation, and the violations did not pose a serious or substantial risk to BPS reliability. No other mitigating or aggravating factors or extenuating circumstances affecting the assessed penalty were noted.

Total Penalty: $465,000 (aggregate for 8 violations)

FERC Order: Issued April 30, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-005-3

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, as a result of insufficient coordination among its business teams, its annual cyber vulnerability assessment (CVA) did not cover 12 electronic access points (comprising routers and firewalls).

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability since URE did perform a CVA on all other access points. In addition, the ESPs were protected by an intrusion detection system, and all traffic to and from the ESPs first passes through firewalls that restrict and monitor it and alert on malicious activity. The devices at issue are also housed within physically secure areas with restricted access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. As mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-3

Requirement: R2.1/R2.2 (4 violations – one for URE1, URE4, URE5 and URE6)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE1, URE4, URE5 and URE6 self-reported that, as a result of a network redesign, certain of their access control devices no longer denied access by default nor did they independently restrict access to the associated ESP as required.

Finding: RFC determined that these violations constituted only a minimal risk to BPS reliability. The specified URE Companies had numerous access control measures and layered intrusion prevention defenses (such as firewalls, malicious software prevention and encryption) in place to limit the risk of external threats. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-005-3

Requirement: R5/R5.2

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: Texas RE

Issue: URE self-reported that it did not update its network documentation within the required 90 days when it moved two Critical Assets from one ESP to another. When the URE updated the documentation, it contained errors.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as the Critical Assets that were relocated were only a small percentage of URE's total Critical Assets and they were protected by URE's ESPs, which had firewalls and an intrusion protection system that was monitored and sent real time alerts for any unfamiliar communication. URE provided further protection to its Cyber Assets in the form of group user authentication; shared account and infrastructure reviews; employee training; cyber incident detection; and ESP/PSP access authentication. In addition, the devices were located in a physically secure facility that was continuously monitored. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-005-3

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that an ESP diagram was not updated in its records within the 90-day period, as required under CIP-005.

Finding: ReliabilityFirst found that the violation posed only a minimal, and not a serious or substantial, risk to BPS reliability. The severity of the violation was reduced because the issue related only to changes to the ESP diagram and appeared to be an isolated incident. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that, among the UREs subject to the settlement agreement, individual UREs had: (1) implemented internal compliance programs before the violations, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs had demonstrated improvements in compliance, and the UREs that had prior violations had been fully sanctioned for those violations in a FERC-approved settlement. URE1’s mitigation plan obliged URE1, among other things, to update its ESP diagram and its procedure governing the review of CIP Cyber Asset information.

Penalty: $0 (aggregate for 22 violations)

FERC Order: FERC did not further review the settlement, which became effective on May 29, 2015.
