NERC Case Notes: Reliability Standard CIP-005-3a

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-3a

Requirement: R1; R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of R1 after discovering that it had failed to assess available patches for three servers used as authentication devices, three RSA SecurID two-factor authentication appliances, and four firewall access points, all of which were located in the company's control centers and used for access control and monitoring (ACM) of the ESP. R1.5 requires that such Cyber Assets be afforded the protective measures of the other CIP standards, which here included assessing security patches for applicability within 30 calendar days of their availability.

Finding: WECC determined that the R1 violation posed a minimal risk to the reliability of the BPS because Physical Security Perimeters protected the relevant network devices from unauthorized physical access, authorized access to the devices was restricted to only five people, all of whom had completed Personnel Risk Assessments and CIP training, and the company controlled, logged and monitored all electronic access. Furthermore, the company met 24 of the 25 CIP requirements for these devices. WECC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1.

WECC considered URE's internal compliance program (ICP) a mitigating factor in making its penalty determination. The violation began when the company should have begun assessing the devices in scope for available patches and ended when the company completed its mitigation plan. URE does not contest the R1 violation.

Penalty: $10,000

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-3a

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: URE self-reported a violation of R5 when it found that the two security monitoring tools used for network devices had been receiving more activity logs than anticipated, and as a result, had overwritten some of the security logs to make space for new log messages. This meant that only 81 days of logs were recorded on 12 access points to the ESPs, 14 Cyber Assets within the ESP, and 2 Cyber Assets used in access control and/or monitoring of the ESPs.

Finding: RFC determined that the R5 violation posed a minimal risk to the reliability of the BPS because the retained logs fell only 9 days short of the required 90 over a two-month period, the logs had been alerting properly, the company had monitored the logs daily during the violation, and the company was quick to respond to the violation. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R5.

RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the company did not retain security logs for 90 calendar days and ended when the company adjusted its monitoring tools to retain 90 calendar days of logs. URE admits the R5 violation.

Penalty: $0

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-005-3a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found a violation of R2 because URE did not maintain a baseline record of ports and services required for operations and for monitoring Cyber Assets within the ESP, and thus, in its annual review of such ports and services, it could not determine a history of modifications to verify their configurations. URE could not provide evidence that only those required ports and services had been enabled, and it failed to maintain a document identifying the content of all its required appropriate use banners.

Finding: The violation was deemed to pose a minimal risk to BPS reliability, which was mitigated because during URE’s annual review of each Cyber Asset, subject matter experts look for unneeded ports, or anomalous entries, and URE documents the results of such reviews. In addition, although URE failed to document the content of its appropriate use banners, it implemented appropriate use banners on all its access control devices. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-005-3a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found a violation of R4 when URE was unable to provide a list of the ports and services required for operation of the electronic access points to its ESPs, and when its Cyber Vulnerability Assessment failed to discover all access points to its ESP.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, which was mitigated by URE’s annual review of each Cyber Asset in which subject matter experts look for unneeded ports, or anomalous entries, and URE documents the results of such reviews. In addition, URE’s annual discovery scan identified all Cyber Assets connected to a network within the ESP, even if it did not identify all possible access points to the ESP. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-005-3a

Requirement: R3, R4 (2 violations; RFC and SERC)

Violation Risk Factor: Medium (3, 4)

Violation Severity Level: Severe (3, 4)

Region: RFC and SERC

Issue: URE1 did not monitor access at its ESP access points 24 hours a day, seven days a week: its intrusion detection system was out of service for 91 minutes while it conducted system maintenance, and it had no mechanism in place to perform monitoring during the outage. In addition, for one month URE1 was not properly aggregating logs from a router at one of its ESP access points (R3). URE2's annual cyber vulnerability assessments of the electronic access points to the ESP did not timely include a complete review of URE2's routers to ensure that only the ports and services required for operations at the access points were enabled. In addition, URE1's annual cyber vulnerability assessments of the electronic access points to the ESP did not timely include 13 firewalls and 10 routers. URE1 and URE2 (collectively, URE) also did not perform the required review of the firewall rules in use or conduct a review of all of the ports during the year (R4).

Finding: SERC and RFC found that the CIP-005-3a R3 and R4 violations constituted a moderate risk to BPS reliability. As to the R3 violation, without continuous monitoring procedures in place at the ESP access points there was an increased risk of individuals gaining unauthorized access to an entity's ESP with no record of the intrusion. But URE1 did have other monitoring measures in place (such as logging at all access points to the ESP) during the outage of the intrusion detection system. URE1 also alerted the affected telecommunication groups, server support groups, and system operations coordinators to immediately report any suspicious activity. As to the R4 violations, they increased the chances that individuals could exploit vulnerabilities in URE's ESP access points and gain unauthorized access to CCAs within the ESP. But the routers in question had received the required protections. The devices were also protected by site physical security and were located within a PSP. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE's compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But URE did self-report some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE's violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP14-17-000 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 2.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it was in violation of CIP-005-3a R2 because it found that users on devices in its Energy Management System (EMS) ESP could use a shell, Virtual Network Computing (VNC), or Remote Desktop to obtain a remote login to devices in URE's Generation Management System (GMS) ESP. The remote login required only a user name and password. WECC determined that identification by a user name and password alone does not satisfy R2.4, which requires strong procedural or technical controls at the access points to ensure the authenticity of the party accessing URE's system.

Finding: WECC deemed this violation to pose a minimal, but not a serious or substantial, risk to BPS reliability. Although URE could not positively identify the individuals with external interactive access to the GMS ESP, all the devices relevant to this violation were located in a secured PSP, and URE monitors outside access to its system. In determining the appropriate penalty, WECC considered that URE had two previous violations of CIP-002 R3, which was an aggravating factor; but URE had a compliance program in place, which was given mitigating credit. URE followed all compliance orders, was cooperative during the enforcement process, and did not attempt or intend to conceal a violation.

Total Penalty: $144,000 (aggregate for two violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not establish sufficient procedural and technical control to establish the authenticity of parties seeking to gain entry to ESP access points. For example, URE modified its firewall rules to facilitate the deployment of new servers, which inadvertently allowed a web browser from a corporate workstation to access a non-critical Cyber Asset inside an ESP. In addition, when testing secondary authentication methods, six of URE’s virtual workstations on a subnet outside an ESP were able to access Cyber Assets inside an ESP, bypassing primary remote access authentication.

Finding: SERC found that the CIP-005-3a R2 violation constituted a moderate risk to BPS reliability, since the lack of adequate procedural or technical controls on the ESP access points increased the risk of unauthorized access to the ESP and of the CCAs being compromised. But the only personnel who gained access were certain URE IT support administrators, all of whom had current PRAs on file and had authorized access to CCAs on a need-to-know basis. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE's compliance history as an aggravating factor. But certain of the violations were self-reported, and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above and beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: SERC

Issue: URE self-reported that it did not maintain the required electronic access logs for at least 90 days as required, as URE decommissioned a switch that was used as a dial-up ESP access point and inadvertently deleted five days of logs (which had not yet been manually reviewed). URE also did not timely update an ESP diagram after it removed a network printer.

Finding: SERC found that the CIP-005-3a R5 violation constituted only a minimal risk to BPS reliability. Only five days of logs were missing for one switch, and that switch had additional protective measures in place. In addition, the printer at issue was a non-Critical Cyber Asset and was no longer located in URE's ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE's compliance history as an aggravating factor. But certain of the violations were self-reported, and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above and beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that during a scheduled network outage, URE did not perform the required logging and monitoring for approximately 28 hours.

Finding: SERC found that the CIP-005-3a R3 violation constituted a moderate risk to BPS reliability since the lack of continuous monitoring of the ESP increased the risk that URE would fail to detect unauthorized access attempts to the ESP and that its CCAs would be compromised. But, the violation only lasted for 28 hours and URE requires multiple layers of authentication in order to gain access to the ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: 3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that the syslog collector process was not running on its electronic security manager and that, because the text-parsing collector process had stopped, there were three gaps in logging of over 10 hours each on certain electronic access control and monitoring devices.

Finding: RFC found that the CIP-005-3a R3.2 violation constituted a moderate risk to BPS reliability, as the missing logs increased the risk of undetected unauthorized access to URE's system. But the missing logs were from only a limited number of devices, and no cyber security events occurred on URE's monitored equipment during the gaps. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE's Reliability Standards violation history, which was evaluated as an aggravating factor. But most of the violations were self-reported, and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above and beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate the violations were found to present an increased risk to URE's Cyber Assets and to be indicative of programmatic failure.
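Both the NP13-23 R5 case (security logs overwritten so that only 81 of the required 90 days were retained) and the NP14-30 R3.2 case (three gaps of over 10 hours after a syslog collector process stopped) are failures that a periodic check over the collected logs would have surfaced before an audit did. The script below is an added example written for this page; it is not tooling from the case notes or from any registered entity. It parses syslog-style records of the form "<ISO timestamp> <device> <message>", flags stretches longer than a threshold with no record from a device (the gap check), and compares each device's oldest retained record against the 90-calendar-day window (the retention check). The device names, line format, record rate and evaluation time are constructed assumptions; in practice the gap threshold should be set per device from its normal record rate, since a quiet device that legitimately logs rarely would otherwise produce false gaps.

```python
"""
Log-continuity and retention checks for ESP access-point / EACM syslog feeds.

Added example, not from the NERC case notes or any registered entity's tooling.
Two checks: (1) find gaps longer than a threshold between consecutive records
from one device, and (2) measure how far each device's oldest retained record
falls short of the 90-calendar-day window of CIP-005-3a R5.
All device names, line formats and records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_RETENTION_DAYS = 90          # CIP-005-3a R5 retention window (calendar days)
GAP_THRESHOLD = timedelta(hours=10)   # assumption: tune per device to its normal record rate
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"       # assumption: collector writes ISO-8601 timestamps


def make_sample_lines(device, start, count, every, skip=()):
    """Constructed test data: one syslog-style line every `every`, starting at
    `start`, omitting the record indices in `skip` to simulate a stopped collector."""
    lines = []
    for i in range(count):
        if i in skip:
            continue
        ts = start + every * i
        lines.append(f"{ts.strftime(TS_FORMAT)} {device} accepted src=10.1.1.5 dst=10.2.0.7 dport=22")
    return lines


def parse_logs(lines):
    """Group record timestamps by device, sorted ascending.
    Returns (series, unparsed_count); lines that do not start with a timestamp
    and a device name are counted rather than silently dropped, so a format
    change on the collector is noticed."""
    series = defaultdict(list)
    unparsed = 0
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            unparsed += 1
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            unparsed += 1
            continue
        series[parts[1]].append(ts)
    for device in series:
        series[device].sort()
    return dict(series), unparsed


def find_gaps(timestamps, threshold=GAP_THRESHOLD):
    """(gap_start, gap_end, duration) for each pair of consecutive records on one
    device that are separated by more than `threshold`."""
    gaps = []
    for earlier, later in zip(timestamps, timestamps[1:]):
        if later - earlier > threshold:
            gaps.append((earlier, later, later - earlier))
    return gaps


def retention_shortfall_days(timestamps, now, required_days=REQUIRED_RETENTION_DAYS):
    """Days by which the oldest retained record falls short of `required_days`
    before `now`; 0 when retention is sufficient. No records at all is a full shortfall."""
    if not timestamps:
        return required_days
    covered = (now - timestamps[0]).days
    return max(0, required_days - covered)


def run_checks(lines, now, threshold=GAP_THRESHOLD):
    """Per-device report plus a count of lines the parser could not read."""
    series, unparsed = parse_logs(lines)
    report = {}
    for device, stamps in sorted(series.items()):
        report[device] = {
            "gaps": find_gaps(stamps, threshold),
            "retention_shortfall_days": retention_shortfall_days(stamps, now),
        }
    report["_unparsed_lines"] = unparsed
    return report


# Constructed sample: evaluation time and two devices.
NOW = datetime(2013, 3, 3, 0, 0, 0)
SAMPLE_LINES = (
    # fw-esp-01: 92 days of records every 6h; records 200 and 201 missing, an 18h gap.
    make_sample_lines("fw-esp-01", datetime(2012, 12, 1), 368, timedelta(hours=6), skip={200, 201})
    # rtr-esp-02: continuous records every 8h, but retention reaches back only 81 days.
    + make_sample_lines("rtr-esp-02", datetime(2012, 12, 12), 243, timedelta(hours=8))
    + ["malformed line from a changed collector format"]
)

if __name__ == "__main__":
    for device, result in run_checks(SAMPLE_LINES, NOW).items():
        print(device, result)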

Total Penalty: $75,000 (aggregate for 13 violations)

FERC Order: Issued February 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-3a

Requirement: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE7 had not changed the default administrator account name on a Check Point firewall before the firewall went into service.

Finding: RFC determined that the violation constituted a moderate risk to BPS reliability, as default account information on a firewall (which is typically publicly documented) could leave the URE Companies' systems vulnerable to compromise. However, the URE Parent Company utilizes a layered defense-in-depth system, which provided several additional defenses against unauthorized access (e.g., physical perimeter defense, network defense, application defenses, and data and resource defenses). The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies' fifth violation of CIP-004 and second violation of CIP-007, which was considered an aggravating factor (although not a substantial one). The UREs were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-3a

Requirement: R3/R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE7 failed to alert responsible personnel regarding access attempts or actual unauthorized access to its ESP. Instead, URE7’s alerts were limited to failed logins and local account creation.

Finding: RFC determined that this violation constituted only a minimal risk to BPS reliability, as URE7 was continuously monitoring and logging system events that occurred on Cyber Assets within the ESP. URE7's firewalls were also properly filtering and denying unauthorized access attempts to its ESP. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies' fifth violation of CIP-004 and second violation of CIP-007, which was considered an aggravating factor (although not a substantial one). The URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R5 (5.1 and 5.2)

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: SPP RE

Issue: During a compliance audit, SPP RE determined that URE's documentation had not been updated with the processes and configurations associated with a newly implemented jump box, and that URE did not update its ESP network diagram within 90 days of removing a virtual private network (VPN).

Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability, as URE restricts remote access to a single jump box that is administered by a small number of staff. In addition, the VPN at issue affected only the network documentation, not the diagram itself. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions, including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-005-3a

Requirement: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that its Cyber Assets used for controlling and monitoring access to its ESP were not afforded all the required protections. URE failed to document the assessment of 47 security patches, released by two of its firewall vendors, for 38 electronic access control and monitoring devices (EACMs) within 30 calendar days of the patches' availability.

Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as URE utilized several methods for blocking unauthorized access to its CCA. User access was logged and monitored at all times and network traffic to and from access points to URE's ESP was sent to a centralized server, which issued alarms for unknown activity to personnel, who could then block unauthorized access. Unknown activity was further identified through URE's host-based intrusion detection system and antivirus tools which signaled alerts for unknown activity. In response to the alerts, security personnel could stop communications to URE's CCA at the access points thereby preventing any outside intrusion. Access points at the ESP were protected by redundancy, which would allow URE quick recovery in the event of a security breach. Unidentified traffic or failures would have been detected by access point activity logs that issued alerts and triggered appropriate recovery procedures. URE also had trained security personnel responsible for analyzing and responding to traffic and activity on access points to its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to the BPS reliability with two violations posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that a firewall analyst failed to fully configure the logging command when implementing rule statements allowing host machines to communicate with a field data concentrator within an ESP, which left 8% of the security policies on that access point without access logging.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability. The missing access logging increased the risk that URE1 would not be able to detect, analyze or respond to unauthorized access across its ESP, but the violation involved only one access point and affected only 8% of its security policies, which were designed according to URE1's procedures restricting access to authorized personnel. Furthermore, a virtual private network encrypted all traffic from the host device. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. Although URE1 self-reported one violation, the UREs did not receive mitigating credit for it, since it was reported after they received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions, including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (URE), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that the configuration information for a dial-up modem used by a third-party vendor to conduct URE's cyber vulnerability assessment (CVA) was omitted from URE's annual CVA. In addition, for two years URE did not document the status of its action plan for remediating vulnerabilities found at four access points during its CVA.

Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as URE proactively prevents malicious cyber-attacks through a defense in-depth architecture that includes: physical and logical cybersecurity controls; special locks, closed circuit television and other physical security mechanisms; firewalls; vulnerability scanning tools; and internal cybersecurity controls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015, 150 FERC ¶ 61,051.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-005-3a

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it scanned ports on electronic access control and monitoring (EACM) Cyber Assets but failed to timely assess the scans' results against established baselines. FRCC_URE2 also self-reported that before commissioning two EACMs, it had failed to change three default passwords.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting the EACMs at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services; access to the default accounts required two-factor authentication into the Electronic Security Perimeter (ESP); and ESPs and Physical Security Perimeters protected the EACMs. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services, (2) reviewed the relevant ports and services, (3) changed the relevant passwords, and (4) informed appropriate employees of the requirements for securing default accounts.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-005-3a

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it scanned ports on access point Cyber Assets but failed to timely assess the scans' results against established baselines. FRCC_URE2 also self-reported that during the CVA, it failed to review the ports and services rule set through the firewall.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting Cyber Assets at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services rule sets, and Physical Security Perimeters protected the access points at issue. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services and (2) reviewed ports and services through the firewall and at the access points.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (SERC_URE1), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2016015535

Reliability Standard: CIP-005-3a

Requirement: R2, R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: During an internal review ahead of an upcoming audit, SERC_URE1 discovered inadequate firewall rules at four generation management system (GMS) sites that allowed electronic access to physical access controllers over unauthorized ports and services. SERC_URE1 disabled the firewall ports upon discovering the violation. A year and eight months earlier, after implementing new Physical Access Control System (PACS) devices at the four GMS sites, SERC_URE1 had incorrectly implemented access control policies on the ESP access points at each site: it did not close all unneeded ports and services after installing the new PACS devices, and it documented three of the unneeded open ports and services as closed. SERC_URE1 determined the root cause to be that personnel had previously enabled certain ports and services without conforming to SERC_URE1's firewall management procedures, and that earlier success led them to do so again.

Finding: SERC found that the violation posed a moderate, but not a serious or substantial, risk to bulk power system (BPS) reliability. By failing to ensure that only authorized ports and services were open on the access points of the ESPs protecting PACS devices, SERC_URE1 may have allowed a person with malicious intent to manipulate or disable the PACS devices and compromise a Physical Security Perimeter. However, SERC_URE1 employs data center firewalls that prohibit access to the unauthorized ports and services that were open at the ESPs protecting the PACS devices. Moreover, SERC_URE1 has active monitoring and logging deployed on all access points and PACS devices and did not identify any issues. The violation started when SERC_URE1 initiated a change that opened unneeded ports and services on the firewalls and ended when SERC_URE1 disabled those ports and services. SERC considered SERC_URE1's compliance program a neutral factor and did not treat its compliance history as an aggravating factor because the prior violation involved a different, unrelated sub-requirement. To mitigate the violation, SERC_URE1 implemented emergency changes to remove access in the affected firewall policies, provided interim guidance to the team on applying and reviewing firewall policies, updated its ESP and security zone commissioning procedure, and provided training reiterating the importance of human performance tools such as procedure usage.

Penalty: $95,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1) and Unidentified Registered Entity 2 (WECC_URE2), FERC Docket No. NP18-2-000

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

NP18-14-000: Unidentified Registered Entity

NP18-22-000: Unidentified Registered Entity (URE)

Reliability Standard: CIP-005-3a

Requirement: R1

Violation ID: WECC2015015218

Method of Discovery: Compliance Audit

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: The URE failed to accurately identify and document all electronic access points to its Electronic Security Perimeters (ESPs) as required. Instead, the URE used Layer 2 switches to segment ESP networks from untrusted non-ESP virtual local area networks, creating a mixed-trust environment with possible access to Critical Cyber Assets within the ESP and establishing external routable connectivity into the ESP that did not pass through an identified Electronic Access Point.

Finding: WECC determined that this violation posed a serious risk to the reliability and security of the bulk power system (BPS). Failing to properly verify access permissions into the ESP increased the likelihood of an unauthorized user gaining access to URE facilities, which could have resulted in the misoperation of Bulk Electric System elements. The URE had no controls in place to ensure that an unauthorized user could not access the Layer 2 devices, and no appropriate controls to identify when an unauthorized user attempted to gain, or successfully gained, access to ESP assets. However, the URE admitted the violation, was cooperative throughout the enforcement process, and there was no evidence of any attempt by the URE to conceal the violation or of intent to do so.

Duration: 6.5 years

Penalty: $0

FERC Order: Issued August 30, 2018 (no further review)

NP20-6-000: Unidentified Registered Entity 1 (URE-1)

Method of Discovery: Self-Report

Violation ID    Standard    Requirement  VRF/VSL        Violation Start Date  Violation End Date
RFC2017018305   CIP-005-3a  R2           Medium/Severe  9 Sept 2014           3 Nov 2017
RFC2016-16353   CIP-007-3a  R2           Medium/Severe  24 Apr 2013           30 Sept 2017
RFC2017-18475   CIP-010-2   R1           Medium/Severe  26 Apr 2017           18 Jul 2017
RFC2018019404   CIP-010-2   R2           Medium/Severe  24 May 2017           20 Feb 2018

Region: RFC

Issue: URE-1 violated CIP-005-3a in three separate instances of installing an application on a Bulk Electric System (BES) Cyber Asset (BCA) without using the required technical and procedural mechanisms for control of electronic access at all electronic access points. The protected system was reachable directly from the corporate user network without the required network-level security controls or an Intermediate System. URE-1 violated CIP-007-3a when it documented overly broad port ranges: the entity did not make a sufficient determination that only necessary ports were enabled, so its documentation and the baselines in its monitoring tool authorized an overly broad port range. In many instances, the unnecessary ports that were authorized applied to the entity's most critical systems, including the energy management system. Additionally, in one instance, URE-1 did not identify an unauthorized port for a phone system that was deemed necessary because it could not be disabled.

URE-1 violated CIP-010-2 R1 when an analyst installed an unauthorized application in his personal home directory on an Electronic Access Control or Monitoring System (EACMS) Intermediate System, which qualifies as an unauthorized port. The analyst continued to use the application even after security review teams expressed concern and offered alternative applications.

CIP-010-2 R2 was violated in two incidents. In the first, URE-1 did not monitor the baseline configuration of four CIP-scoped assets at least once every 35 calendar days as required: when four firewalls classified as EACMS were placed into service, they were not added to URE-1's baseline monitoring tool and were not monitored for baseline changes for several months, until an analyst detected the violation while gathering evidence for the entity's internal controls testing. In the second, the entity did not monitor two Protected Cyber Assets (PCAs) at least once every 35 days for changes to the baseline configuration as required. URE-1 performed an upgrade on the two PCAs; several elements of the upgrade failed, causing some baseline elements to return an error in the monitoring tool, and the change was "auto-promoted", meaning it was deemed acceptable and not investigated further. Several months later, an analyst discovered the issue on one asset and remediated it immediately, then ran a report a few days later to see whether other assets were affected and discovered the second affected asset.

Finding: All violations posed a moderate, and not a substantial or serious, risk to the reliability of the bulk power system (BPS):

1. The system affected by the CIP-005-3a violation did not grant access to any critical real-time application, and users could not leverage that system as a means to jump to any other application in the same subnet. URE-1 was monitoring for failed authentication attempts, performed annual cyber vulnerability assessments, and scanned the assets quarterly.

2. Despite the CIP-007-3a violation, URE-1 had defense-in-depth measures in place at the time: only necessary ports were actually enabled during the period of noncompliance; a subject matter expert had to confirm any newly detected service running on a CIP-scoped asset; the Electronic Security Perimeters (ESPs) containing the assets received all CIP-005 protections, including two-factor authentication for Interactive Remote Access sessions and placement behind a designated Electronic Access Point (EAP); network segmentation limited which systems could be reached from any local network; the CIP-007 security monitoring requirements, including detection of unauthorized login attempts, were implemented; and access management was stringent, with only a very limited number of users authorized for administration and Interactive Remote Access to the EAPs. Together these measures restricted an adversary's ability to gain access to an Intermediate System, move laterally to an asset within an ESP, and evade detection by using a service on one of the assets.

3. The application at the center of the CIP-010-2 R1 violation accepted connections from clients only after the client had logged into a VPN with two-factor authentication, so there was a low likelihood that someone could successfully access the application and compromise the bulk power system. However, the risk was still moderate because the entity failed to test the application prior to installation. Additionally, although the entity quickly identified the unauthorized application, it failed to ensure that the application was removed, and the unauthorized application remained installed for 83 days. This slow corrective action extended the period during which there was an increased risk of compromise on the system.

4. Although CIP-010-2 R2 was violated, all other CIP controls were in place for the affected assets in both incidents. In the second incident, logging and anti-virus protection would have alerted the entity to a threat arising from the monitoring gap. In the first incident, administrative access to the firewalls required two-factor authentication and the use of an Intermediate System, and all BCAs and PCAs behind the firewalls received all protections defined by the NERC CIP Standards. However, the first incident lasted more than seven months before the entity's internal controls discovered it.

Penalty: $115,000

FERC Order: Issued December 30, 2019 (no further review)
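The two findings above (SERC2016015535, where ports documented as closed were in fact permitted by the ESP access point policy, and NP20-6-000, where overly broad port ranges were baselined, newly commissioned firewalls were never added to the monitoring tool, and collector errors were "auto-promoted") describe the same class of control failure: the paper record and the running configuration drift apart and nothing reconciles them. The script below is an added example, not code from the case notes or from any registered entity's tooling. Every rule, document entry and scan result in it is constructed sample data, and the MAX_UNJUSTIFIED_RANGE threshold is an assumption for illustration, not a CIP requirement.

```python
"""Added example; not code from the NERC case notes or from any registered entity.

Checks suggested by the findings above:
  1. An ESP access point firewall policy that permits ports the ports-and-
     services documentation records as closed (SERC2016015535).
  2. Baselines that authorise overly broad port ranges, assets never added to
     the baseline monitor, and collector errors that must be reviewed rather
     than auto-promoted (NP20-6-000).
All rules, documents and scan results are constructed sample data, and the
threshold MAX_UNJUSTIFIED_RANGE is an assumption, not a CIP requirement.
"""
from dataclasses import dataclass

MAX_UNJUSTIFIED_RANGE = 8  # assumption: wider ranges need a per-port justification


def parse_ports(spec: str) -> set[int]:
    """Expand "22,443,8000-8005" into {22, 443, 8000, ..., 8005}."""
    ports: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "permit" or "deny"
    dst: str     # destination label, e.g. "PACS-siteA"
    proto: str   # "tcp" or "udp"
    ports: str   # port spec exactly as written in the policy


def audit_access_point(rules, documented):
    """Report permit rules that open ports the documentation lists as closed.

    documented: {dst_label: {proto: spec of ports documented open}}; anything
    absent is documented closed, which is what SERC_URE1's paperwork claimed.
    """
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        allowed = parse_ports(documented.get(r.dst, {}).get(r.proto, ""))
        extra = sorted(parse_ports(r.ports) - allowed)
        if extra:
            findings.append(f"{r.name}: permits {r.proto} {extra} to {r.dst}, documented closed")
    return findings


def check_baseline_breadth(baseline):
    """Flag baseline entries that authorise more ports than can be justified."""
    return sorted(asset for asset, spec in baseline.items()
                  if len(parse_ports(spec)) > MAX_UNJUSTIFIED_RANGE)


def evaluate_scan(inventory, baseline, scan):
    """Classify every in-scope asset after a baseline scan.

    scan maps asset -> set of listening ports, or None when the collector
    errored. Errors become review_required (never auto-promoted to "ok"), and
    assets missing from the scan (never added to the tool) are not_monitored.
    """
    status = {}
    for asset in inventory:
        if asset not in scan:
            status[asset] = "not_monitored"
        elif scan[asset] is None:
            status[asset] = "review_required"
        else:
            drift = scan[asset] - parse_ports(baseline.get(asset, ""))
            status[asset] = "deviation" if drift else "ok"
    return status


# --- constructed sample data --------------------------------------------------
RULES = [
    Rule("eap-siteA-10", "permit", "PACS-siteA", "tcp", "443"),
    Rule("eap-siteA-11", "permit", "PACS-siteA", "tcp", "22,23,161"),  # 23/161 documented closed
    Rule("eap-siteA-99", "deny", "PACS-siteA", "tcp", "0-65535"),
]
DOCUMENTED = {"PACS-siteA": {"tcp": "22,443"}}

INVENTORY = ["ems-app-1", "fw-eacms-1", "pca-hist-1"]
BASELINE = {"ems-app-1": "22,443,1024-65535",  # overly broad, masks any new high port
            "fw-eacms-1": "22,443",
            "pca-hist-1": "22,5432"}
SCAN = {"ems-app-1": {22, 443, 8080},  # 8080 falls inside the broad range: no drift raised
        "pca-hist-1": None}            # collector error after an upgrade
# fw-eacms-1 is deliberately absent from SCAN: it was never added to the monitor

if __name__ == "__main__":
    for line in audit_access_point(RULES, DOCUMENTED):
        print(line)
    print("overly broad baselines:", check_baseline_breadth(BASELINE))
    print(evaluate_scan(INVENTORY, BASELINE, SCAN))
```

Two points the sample data is built to show: the broad 1024-65535 baseline lets a new listener on 8080 pass as "ok", which is exactly why CIP-007 asks for a per-port necessity determination rather than a range, and the asset whose collector returned an error is surfaced for human review instead of being promoted, which is the step URE-1's tool skipped. Feeding the script real firewall exports and scan output would require a parser for the vendor's policy format, which is outside this example.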

NP19-4-000: Unidentified Registered Entity
