NERC Case Notes: Reliability Standard CIP-005-5

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)

NERC Violation ID: NPCC2018019849

Reliability Standard: CIP-005-5

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: Following a compliance audit, NPCC determined that an unidentified entity failed to identify the reason for granting inbound and outbound access permissions on Electronic Access Points (EAP) for one Medium Impact Bulk Electric System (BES) Cyber System. Specifically, several firewall rules within two (2) Medium Impact Electronic Access Control and/or Monitoring Systems (EACMS) that provide EAP to Medium Impact BES Cyber Systems either had unknown reasons or were firewall rules that were no longer necessary. The root causes of this violation were a lack of regular review and an undue reliance on a single person, who was responsible for the review of firewall rules.

Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Although unnecessary EAP rules and unknown active firewall rules can provide paths to the Electronic Security Perimeter (ESP), the firewall did have rules to restrict access to and from the ESP. The violation lasted from July 1, 2016, when the entity failed to identify the reason for granting inbound and outbound access permissions, until June 6, 2018, when the entity identified the reason for granting the access permissions and updated its firewall rules. NPCC considered the internal compliance program and determined that it was a neutral factor. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity reviewed and updated its firewall rules and initiated a process to review vulnerability action plans quarterly, which includes additional staffing.

Penalty: $84,000

FERC Order: October 31, 2019

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)

NERC Violation ID: NPCC2018019848

Reliability Standard: CIP-005-5

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: During a compliance audit, NPCC determined that an unidentified entity failed to utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access did not directly access the entity’s Medium Impact Bulk Electric System (BES) Cyber Assets. The root cause of this violation was misinterpretation of both the standard and the recommended solutions provided by NERC.

Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Although a failure to utilize an Intermediate System can lead to attacks on and unauthorized access to the entity’s Medium Impact BES Cyber Systems, no harm occurred as a result of this violation. The violation lasted from November 18, 2016, when the entity failed to utilize the Intermediate System, until June 7, 2018, when the entity disabled the interactive remote access. NPCC deemed the entity’s internal compliance program to be a neutral factor in the penalty determination and, after reviewing the entity’s compliance history, found that there were no relevant instances of noncompliance. To mitigate the violation, the entity disabled Virtual Private Network connections and designed and implemented a new Interactive Remote Access solution as an alternate system.

Penalty: $84,000

FERC Order: October 31, 2019

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017017885

Reliability Standard: CIP-005-5

Requirement: R2, P2.3

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: In a June 30, 2017 Self-Report, an unidentified entity reported that while performing an internal controls assessment in February 2017, it discovered that Information Technology (IT) cybersecurity personnel were using a legacy intermediate device (ID) for Interactive Remote Access (IRA), which did not require multi-factor authentication to remotely access Protected Cyber Assets (PCAs) within various ESPs for High Impact BES Cyber Systems (HIBCS) and Medium Impact BES Cyber Systems (MIBCS). IT cybersecurity personnel had been instructed to utilize the new IRA system, rather than the legacy ID. However, because the entity had not removed the firewall rules that allowed remote access to the various ESPs through the use of the legacy ID, IT cybersecurity personnel continued to use the legacy ID Internet Protocol (IP) to connect to the various ESPs. The root causes of the violation were inadequate internal controls and follow up. Specifically, the entity did not have controls in place to ensure that personnel were using the appropriate and authorized IRA system and that firewall rules were such that they prevented access to the legacy device.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. While the entity failed to require multi-factor authentication of all IRA sessions to access HIBCS and MIBCS, it had strong internal controls that lowered the likelihood of a malicious actor gaining access. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on April 4, 2017, when the entity removed the firewall access rules from the source IP that allowed connection to the various ESPs. WECC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, WECC determined the entity’s compliance history to be an aggravating factor in the penalty determination. However, the entity did not receive mitigating credit for cooperation or self-reporting since the entity did not quickly address the violations, determine the facts, or timely report the mitigation, as evidenced by the 362 days it took for the entity to submit a Self-Report. To mitigate the violation, the entity, among other things, removed user access to the ESPs from the unauthorized ID, developed new rules to improve firewall management and tracking, validated connectivity, and implemented training.

Penalty: $80,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2018019006

Reliability Standard: CIP-005-5

Requirement: R1, P1.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: An unidentified entity submitted a Self-Report on January 19, 2018 noting that on April 3, 2017, while working on Transient Cyber Asset Access Control Lists (ACLs), the entity discovered that there were missing reasons for granting Electronic Access Points (EAPs) to the Electronic Security Perimeters (ESPs) of different Medium Impact BES Cyber Systems (MIBCS) at switching stations. On the same day it discovered the violation, the entity remedied it by adding the appropriate reasons for granting access to the ACLs on the ESP and saving the EAP configurations. The root cause of the violation was a lack of written communication. The task to review all ACLs and ensure the reason for granting access was properly documented was not part of the entity’s CIP Version 5 transaction project plan.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. WECC noted that although the entity failed to include the reason for granting inbound and outbound access, the violation was a documentation issue rather than technical in nature. Furthermore, the entity had implemented strong controls including “hub and spoke” technology, which increased the security posture and provided defense in depth. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on April 3, 2017, when the entity properly documented the reason for granting access within each ACL rule on the EAPs in scope. WECC considered the internal compliance program to be a mitigating factor in the penalty determination, and although it did not receive a mitigating credit for self-reporting the violation, it did receive a mitigating credit for admitting to the violation. Additionally, WECC determined that the entity’s compliance history should not serve as a basis for aggravating the penalty because it involved distinct conduct. However, the entity did not receive mitigating credit for cooperation or self-reporting since the entity did not quickly address the violations, determine the facts, or timely report the mitigation, as evidenced by the 362 days it took for the entity to submit a Self-Report. WECC also applied mitigating credit for above and beyond improvements, including a System-Wide Transmission Protection Standardization and Upgrade Project, which was not undertaken as the result of a mitigation plan, but as a result of the entity’s systematic corrective action planning program.

To mitigate the violation, the entity, among other things, added reasons to each of the EAPs and saved the two EAP configurations, created a Security Interest and Event Management policy test, updated the Reliability Standard’s procedure documents to include peer review of ACLs, and sent an email to applicable personnel to notify them of the new peer review process.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017016941

Reliability Standard: CIP-005-5

Requirement: R1, P1.5

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: On July 7, 2016, an unidentified entity, through an automated alert from the management console, discovered that there was a configuration issue with Cyber Asset pairs that were classified as Electronic Access Points (EAPs) and configured in high availability fail-over configuration mode. Specifically, a critical configuration setting was missed in the Intrusion Detection System (IDS) module for each of the EAP pairs. While all IDS modules had been configured as of July 1, 2016 except for a single configuration setting, because of the missing setting, the EAPs did not have a method for detecting known or suspected malicious communications for both inbound and outbound communications. After the entity submitted a Self-Report on February 6, 2017, WECC determined that the entity failed to have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. The root cause of the violation was inadequate controls for verifying configuration settings.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. Although the entity did not have adequate methods for detecting malicious communications, it had strong controls in place including a Security Information and Event Management (SIEM) and multiple monitoring systems and methods. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on July 14, 2016, when malicious communication detection was reestablished. WECC considered the internal compliance program to be a mitigating factor in the penalty determination, and noted that it demonstrates a strong culture of compliance with a focus on improving the reliability and security of the BPS. Additionally, WECC determined that the entity’s compliance history should not serve as a basis for aggravating the penalty because it involved distinct conduct. While the entity received mitigating credit for admitting to the violation and received mitigating credit for improvements that it made on its system, it did not receive mitigating credit for self-reporting. To mitigate the violation, the entity, among other things, added missing IDS module configuration to the EAP pairs, created a SIEM policy test, provided training, and upgraded the software level on the affected EAP active/standby pairs.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)

Registered Entity (Name Redacted), FERC Docket No. NP20-15-000

Registered Entity (Name Redacted), FERC Docket No. NP20-21-000

Region: Western Electricity Coordinating Council (WECC)

| Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date |
|---|---|---|---|---|---|---|
| WECC2017017186 | CIP-005-5 | R2 | Medium/Moderate | Self-Report 3/1/2017 | 7/1/2016 | 5/8/2018 |
| WECC2017017078 | CIP-005-5 | R2 | Medium/Moderate | Self-Report 2/22/2017 | 7/1/2016 | 5/15/2018 |
| WECC2017018458 | CIP-007-6 | R2 | High/Severe | Self-Report 10/5/2017 | 7/1/2016 | 5/13/2019 |

Issue: WECC determined that the Entity violated the above standards as follows:

CIP-005-5 (R2) was violated as the Entity wasn't utilizing an Intermediate System such that Cyber Assets initiating Interactive Remote Access (IRA) did not directly access any Cyber Assets within the Electronic Security Perimeters. 

CIP-005-5 (R2) was also violated when WECC determined that the Entity did not require multi-factor authentication for all IRA sessions.

CIP-007-6 (R2) was violated as WECC found that the Entity did not (1) have an accurate and complete patch source list; (2) complete patch evaluations every 35 days; (3) within 35 calendar days of the evaluation completion, apply the applicable patches or create a dated mitigation plan; and (4) have procedures established and administered to ensure that mitigation plans were completed within the specified timeframe.

Finding: WECC found as follows:

CIP-005-5 (R2) – This violation posed a moderate risk to the reliability of the bulk power system (BPS) and was attributed to the entity's monitoring of activities not identifying problems. Specifically, the compliance requirements were not clearly understood nor were they validated for completeness.

CIP-005-5 (R2) – This violation posed a serious and substantial risk to the BPS's reliability and was attributed to the risks associated with a change not adequately being reviewed/assessed. Specifically, implementation of its multi-factor authentication [details redacted] did not take any failure potentials or new provisioning situations into consideration, and no provisions for alternative methods for accomplishing multi-factor authentication were provided.

CIP-007-6 (R2) - This violation posed a serious and substantial risk to the BPS's reliability and was attributed to the Entity underestimating the resources and effort required to establish and operate a compliant security patch program under the new requirements for CIP Version 5. Contributing causes also included the complexity of the Entity's environment and the fact that the patch program focused on the high impact software to the detriment of the overall program.

In its assessment of the penalty, WECC also considered (a) that the Entity was cooperative throughout the enforcement process; (b) that the Entity self-reported the violations in a timely manner; and (c) the Entity's prior compliance history of the standards violated (this was an aggravating factor).

Penalty: No penalty

FERC Order: Issued September 30, 2020 (no further review)

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

NP19-4-000: Unidentified Registered Entity

NP19-11-000: Unidentified Registered Entity

NP18-6-000: Unidentified Registered Entity

Region: SERC

| NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Duration |
|---|---|---|---|---|---|
| SERC2017016972 | CIP-005-5 | R1, 1.2, 1.3 | Medium/Severe | Self-Report | Ten months |
| SERC2016016040 | CIP-007-6 | R1, 1.1 | Medium/Severe | Self-Report | Fifteen months |
| SERC2016016500 | CIP-007-6 | R2, 2.2 | Medium/Moderate | Self-Report | Three weeks |
| SERC2016016501 | CIP-007-6 | R4, 4.2 | Medium/High | Self-Report | Two weeks |
| SERC2016015881 | CIP-007-6 | R4, 4.2 | Medium/High | Self-Report | One week |
| SERC2016015880 | CIP-007-6 | R5, 5.7 | Medium/Severe | Self-Report | Three months |
| SERC2016015879 | CIP-007-6 | R3, 3.1 | Medium/Severe | Self-Report | One week |
| SERC2016015882 | CIP-010-2 | R1, 1.1, 1.2, 1.3, 1.4 | Medium/Severe | Self-Report | Two months |

Further, the URE did not implement a documented process to develop baseline configurations for 45 of its Cyber Assets, in violation of CIP-010-2, and it did not route two connections between an identified BES Cyber Asset and a Cyber Asset located outside of the Electronic Security Perimeter (ESP) through an identified Electronic Access Point (EAP), and therefore did not apply appropriate inbound and outbound access permissions, in violation of CIP-005-5.

Issues: The URE self-reported several violations of CIP-007-6. The URE failed to (1) deploy methods to deter, detect, or prevent malicious code on three Protected Cyber Assets (PCAs) associated with Medium Impact Bulk Electric System  (BES) Cyber Systems; (2) limit the number of unsuccessful authentication attempts nor generate alerts after a threshold of unsuccessful authentication attempts, where technically feasible, for 18 Cyber Assets that included Medium Impact (BES) Cyber Systems at control centers and associated Physical Access Control Systems (PACS) and PCAs and did not submit a Technical Feasibility Exception (TFE) documenting compensating measures where such action was not technically feasible; (3) implement a process to generate security event alerts, per Cyber Asset or Bulk Electric System (BES) Cyber System capability, for 64 Cyber Assets; (4) generate alerts for security events, specifically for detected failure of event logging, for 64 Cyber Assets; (5) evaluate security patches at least once every 35 calendar days for 34 Cyber Assets; and (6)

Finding: The violations posed minimal or moderate risk to the reliability of the Bulk Power System (BPS). The violations were mostly of short duration, and affected only a small percentage of the Cyber Assets associated with the Medium Impact BES Cyber Systems, and each involved perform system backups or configuration management that would have forestalled any real time, immediate operational threats to the BPS if compromised. Further, the layered defense-in-depth solutions used by the URE were substantially protective, including physical access controls and restrictions, intrusion detection systems, segmented network topology using virtual local area networks, physical port locks, and disabled optical drives. Additionally, all assets are secured in a physical security perimeter with limited access.

Penalty: $33,000

FERC Order: Issued January 31, 2018 (no further review) 

NP20-6-000: Unidentified Registered Entity 3 (URE-3)

Method of Discovery: Self-Report

| Violation ID | Standard | Requirement | VRF/VSL | Violation Start Date | Violation End Date |
|---|---|---|---|---|---|
| WECC2017017507 | CIP-005-5 | R1 (1.1) | Medium/Severe | 1 Jul 2016 | 25 Jul 2017 |
| WECC2017017631 | CIP-007-6 | R1 (1.1) | Medium/High | 1 Jul 2016 | 17 May 2017 |
| WECC2017017632 | CIP-007-6 | R2 (2.1) | Medium/Moderate | 1 Jul 2016 | 9 May 2017 |
| WECC2017017633 | CIP-007-6 | R5 (5.1-5.7) | Medium/Severe | 1 Jul 2016 | 15 Feb 2019 |
| WECC2017017634 | CIP-010-2 | R1 (1.1, 1.2, 1.13) | Medium/Moderate | 1 Jul 2016 | 18 May 2017 |
| WECC2017018364 | CIP-006-6 | R1 (1.5) | Medium/Severe | 1 Jul 2016 | Redacted |
| WECC2017017911 | CIP-007-6 | R2 (2.3) | Medium/Severe | 1 Oct 2016 | 9 May 2017 |
| WECC2018018977 | CIP-007-6 | R2 (2.3) | Medium/Severe | 29 Sept 2017 | 2 Jan 2018 |
| WECC2018019483 | CIP-007-6 | R2 (2.2) | Medium/Lower | 31 Jan 2018 | 1 Feb 2018 |
| WECC2017018365 | CIP-007-6 | R4 (4.2, 4.2.2) | Medium/High | 1 Jul 2016 | Redacted |

Region: WECC

Issue:

CIP-005-5, CIP-007-6, CIP-010-2

URE-2 failed to complete the placement of a certain system within the Electronic Security Perimeter (ESP) classified as a BES Cyber Asset (BCA) associated with a Medium Impact BES Cyber System (MIBCS). The BCA was located within a Physical Security Perimeter (PSP). After reviewing all relevant information, WECC determined the entity failed to (a) place the BCA connected to a network via a routable protocol, within a defined ESP as required by CIP-005-5, (b)(i) enable only logical network accessible ports on the BCA that have been determined to be needed by the entity, (ii) identify a source or sources that the entity tracks for the release of cyber security firmware patches applicable to the BCA, (iii) have method(s) to enforce authentication of interactive user access, identify and inventory all known enabled default or other generic account types, identify individuals who have authorized access to shared accounts, change known default passwords, enforce the required password length and complexity, enforce password changes at least once every 15 calendar months; and limit the number of unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts where technically feasible on the BCA, as required by CIP-007-6, and (c)(i) develop baseline configurations for the BCA firmware and a port (ii) develop a baseline configuration for EACMS that included any logical network accessible ports, (iii) authorize and document changes that deviated from the existing baseline configuration for EACMS and PACS, and (iv) update the baseline configuration for EACMS and PACS as necessary within 30 calendar days of completing a change that deviated from the existing baseline configuration.

Further, URE-3 violated CIP-007-6 in its updating and evaluation of security patches. First, URE-3 was unable to install a certain security patch on the EACMS without interrupting service to its distribution Supervisory Control and Data Acquisition system; however, the entity did not create a dated mitigation plan within 35 calendar days of the evaluation completion as required. Second, the installation of a different required security patch was overlooked, and no timely action was taken until a mitigation plan was created 84 days later. Third, URE-3 evaluated a security patch as applicable to BCAs outside of the 35 calendar day window from the previous evaluation, and was again delayed in applying the security patch, going beyond 35 calendar days from the evaluation completion. URE-3 also did not complete required evaluations at least once every 35 calendar days, and failed to generate event logging for certain BCAs, EACMSs, and PACS associated with MIBCS.

CIP-006-6

For three PSPs controlling access to MIBCSs, the entity was unable to demonstrate that (i) it was monitoring for unauthorized access through a physical access point into each PSP as required, and (ii) alarms or alerts in response to detected unauthorized access through a physical access point into each PSP were issued to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection as required.

Finding: These violations posed a minimal risk to the reliability of the BPS. Though a large number of Cyber Assets and violations were involved, URE-3 had implemented managed policy rules for monitoring the BCA, and it was in a network segment that limited permissions to communicate with other parts of the entity's network, preventing the BCA from being accessed from other network segments unless a specific rule was created to allow that communication path. To control physical access, it was located within a PSP. There were no relevant instances of noncompliance in URE-3's history.

Penalty: $0

FERC Order: Issued December 30, 2019 (no further review)
