SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)
Reliability Standard: CIP-006-1
Requirement: R4
Violation Risk Factor: Lower
Violation Severity Level: High
Region: SPP
Issue: During a Spot Check, SPP found that an Unidentified Registered Entity (URE-SPP1) was non-compliant with CIP-006-1 R4 because its method of manually logging physical access was not designed to accurately reflect the time a person entered a specific access point to the physical security perimeter, contrary to its Cyber Security Policy. Specifically, URE-SPP1's Cyber Security Policy stated that a logbook would be kept at the access points to all Critical Assets that have Critical Cyber Assets, and that visitors would sign in and out at each such asset. The Spot Check Team signed in only once, at the main entrance to URE-SPP1's primary operations center, and was not asked to sign in again even though it was given an escorted tour of URE-SPP1's control center and telecommunications rooms eleven hours later. SPP therefore concluded that URE-SPP1's manual physical access logging system was inadequate.
Finding: SPP determined that the violation posed a minimal risk to the reliability of the bulk power system because URE-SPP1 had in place a physical security program for manually logging entry to its physical security perimeters that identified individuals, recorded their sign-in time and the specific access points the person would enter, and provided for an escort for entry into access points within the physical security perimeter. The only violation was URE-SPP1's failure to capture the precise time a person entered individual access points to the physical security perimeter.
Penalty: $700
FERC Order: Issued March 3, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-21-000 (November 5, 2010)
Reliability Standard: CIP-006-1
Requirement: R3.1
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: RFC
Issue: In August 2009, the Unidentified Registered Entity (URE) self-reported that it had not verified that the alarm systems on two (out of 19) physical security perimeter points would immediately notify the responsible personnel when a door, gate or window was opened without authorization.
Finding: RFC and the URE entered into a settlement agreement to resolve all outstanding issues, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures to resolve multiple violations. RFC found that the violation of CIP-006-1 did not pose a serious or substantial risk to bulk power system reliability since the relevant alarms were actually functional and would have logged any unauthorized access into the alarm system (and the security settings on the server would prevent an unauthorized person from logging onto the server). The duration of the violation was from July 1, 2009 through July 21, 2009. In deciding on the penalty amount, RFC considered the fact that the violations were the URE’s first violations of the relevant Reliability Standard; the violations were self-reported; the URE was cooperative during the enforcement process and did not attempt to conceal the violations; the URE has a compliance program in place; and there were no additional mitigating or aggravating factors.
Penalty: $8,000 (aggregate for multiple violations)
FERC Order: Issued December 3, 2010 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-98-000 (January 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: WECC
Issue: The Unidentified Registered Entity (URE) self-reported a violation of CIP-006-1 R1 after discovering its Physical Security Plan had not been approved by the URE's senior manager or delegate(s) per CIP-006-1 R1.
Finding: The violation did not pose a serious or substantial threat to reliability of the bulk power system, but it did pose a moderate risk because the URE was still revising parts of its Physical Security Plan, including sections addressing parts of CIP-006-1 R1, and therefore the draft sections were neither approved nor implemented. The NERC BOTCC determined this was the URE's first occurrence of this type of violation, the URE had a compliance program in place at the time of the violation, the URE was cooperative, and there was no evidence of an attempt or intent to conceal the violation.
Penalty: $5,000 (aggregated for multiple violations)
FERC Order: Issued March 2, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-133-000 (February 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: MRO
Issue: The entity self-reported that it had permitted cyber access to its access control system database by people who had not received the required training and a personnel risk assessment pursuant to CIP-004 R3. The entity discovered the violation while preparing to make the six-month password change on its access control system server required by R1 of CIP-006-1. Duration of violation was July 1, 2009 through December 8, 2009.
Finding: MRO determined that this violation posed minimal risk to reliability of the bulk power system because no unauthorized changes to the access control database had occurred, other controls in place made it highly unlikely that any such changes could have occurred, and the inclusion of the relevant individuals was an inadvertent, automatic addition by the Microsoft operating system used.
Penalty: $0
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-133-000 (February 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: SPP
Issue: The entity self-reported that during an internal compliance review of its CIP Physical Security Compliance Policy, it found that two network switches located within its Electronic Security Perimeter should have been classified as residing within its identified Physical Security Perimeter but had not been so classified. Duration of violation was July 1, 2009 through September 14, 2009.
Finding: SPP determined that the violation posed a minimal risk to the reliability of the bulk power system because the equipment was within a secure wiring closet that included a six-wall border, access was restricted by a card reader and monitored, and a surveillance camera was in use. Moreover, there was no evidence of any unauthorized access attempts as a result of the violation.
Penalty: $0
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-145-000 (March 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: During a spot check, WECC found that the Unidentified Registered Entity’s (URE) recovery plan for Cyber Assets did not properly provide the required protective measures for the Cyber Assets used in the access control and monitoring of the Physical Security Perimeter; specifically, the URE had not been annually exercising its recovery plans for those Cyber Assets.
Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $13,000 and to undertake other mitigation measures. WECC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the URE did actually have a recovery plan in place for the applicable Cyber Assets. But, the failure to annually exercise the relevant Cyber Asset recovery plans could lead to an increased risk of unauthorized access to the Physical Security Perimeters. The duration of the violation was from July 1, 2009 through November 20, 2009. In determining the penalty amount, NERC considered the fact that these were the URE’s first violations of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not attempt to conceal the violations; and there were no additional mitigating or aggravating factors.
Penalty: $13,000 (aggregate for 3 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-149-000 (March 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1, R4
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: RFC
Issue: In September 2009, the Unidentified Registered Entity (URE) informed RFC that, on September 9 and September 15, 2009, it had not properly followed the procedures for providing escorted access within the Physical Security Perimeter for personnel who were not authorized to have unescorted access (R1.6). In addition, the URE notified RFC that it had not properly logged physical access to the Physical Security Perimeter that occurred on September 15, 2009 (R4).
Finding: RFC and the URE entered into a settlement agreement to resolve the violations, whereby the URE agreed to pay a penalty of $20,000 and to undertake other mitigation measures. RFC found that the violations had a moderate impact on the bulk power system. But, in the instance on September 9, a security guard was continuously monitoring the HVAC service technician at the back-up Transmission Control Center and therefore was able to verify that no damage or sabotage occurred. In the instance on September 15, a service technician had an improper opportunity to access a SCADA telecommunication hub facility. The technician used an emergency exit to leave a secured room, which set off an alarm and prompted the URE’s security to investigate the incident. The URE also inspected the facility and systems after the relevant instances. The duration of the violations was September 9, 2009 and September 15, 2009 (for R1.6) and September 15, 2009 (for R4). In determining the penalty amount, NERC considered the fact that the violations were self-reported; the URE was cooperative during the enforcement process and did not attempt to conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional mitigating or aggravating factors.
Penalty: $20,000 (aggregated for 2 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-150-000 (March 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO
Issue: URE self-reported that its access control system for physical access to the Physical Security Perimeter for its data center and control room had not been afforded the following protective measures required by the Standard: no appropriate use banner was installed; automated alerting was not available and a Technical Feasibility Exception (TFE) had not been submitted; between July 1, 2009 and March 18, 2010, the ninety-day log review of user account access activity had not been completed; ports and services had not been reviewed and disabled and no TFE had been submitted; security patches had not been applied and no TFE had been submitted; anti-virus software had not been installed and no TFE had been submitted; default administrative accounts were not removed until March 19, 2010; and the system configuration had not been backed up. Duration of violation was July 1, 2009, when the Standard became enforceable against URE, through April 10, 2010.
Finding: MRO Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because the Cyber Assets involved communicate only with the card reader system and are wholly isolated from the URE’s corporate network, SCADA system and the internet. Further, the NERC BOTCC concluded the penalty appropriate because this was URE’s first violation of the Standards involved, URE self-reported the violation, and URE was cooperative during the investigation.
Penalty: $0
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-156-000 (March 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R2, R3 and R4
Violation Risk Factor: Medium for R2 and R3; Lower for R4
Violation Severity Level: N/A
Region: SERC
Issue: URE self-reported that during normal security rounds on September 11, 2009, security personnel discovered a disabled lock on an access point to one of the Physical Security Perimeters, reported the disabled lock internally and repaired it. Duration of violation was from 1:00am through 10:00am on September 11, 2009, when the lock was disabled.
Finding: SERC Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because security devices and the security perimeter for the controlled-access area preceding the affected area remained operational and served as a barrier to unauthorized entry, and the violation lasted only about nine hours and was promptly fixed. Further, the NERC BOTCC concluded the penalty appropriate because this was URE’s first violation of the Standards involved, URE self-reported the violation, URE had a compliance program at the time of the violations that SERC determined to be a mitigating factor, and URE was cooperative during the investigation.
Penalty: $12,500 (aggregated for 3 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-161-000 (March 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (“URE”) self-reported a violation of R1/1.8 after purchasing a facility. WECC determined that the URE violated R1 because it did not have a Physical Security Plan in place that met all the requirements of R1.8.
Finding: WECC Enforcement determined the violation posed a moderate risk, but not a serious or substantial risk, because although URE’s access control and monitoring devices were vulnerable to internal users, they were protected from external users. Moreover, the systems were protected by other measures. The NERC BOTCC considered the following factors: URE self-reported the violations; URE was cooperative; URE had a compliance procedure in place, which WECC considered a mitigating factor; there was no evidence of any attempt or intent to conceal the violations; and there were no other mitigating or aggravating factors.
Penalty: $35,000 (aggregated for 8 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: Unidentified Registered Entity (URE) failed to afford all of the protective measures required to its card access “badge” system that controls physical access to the Physical Security Perimeter.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $50,000 (aggregate for 14 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-174-000 (April 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: RFC
Issue: The Unidentified Registered Entity (“URE”) self-reported a violation of R1/1.8 because it did not apply the required protective measure of installing security patches on security guard workstations that were among the URE’s Cyber Assets subject to R1.8.
Finding: RFC determined that the violations posed a moderate risk to the reliability of the bulk power system because the workstations at issue were connected to and protected by systems on URE’s corporate network. The NERC BOTCC determined this was the URE’s first occurrence of a violation of the subject Reliability Standard, the URE was cooperative; the URE had a compliance program, which RFC considered a mitigating factor; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.
Penalty: $15,000 (aggregated for 3 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-175-000 (April 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: The Unidentified Registered Entity (URE) submitted a self-certification stating that its badge management system for physical access control and monitoring concerning its Physical Security Perimeter did not include all of the required protective measures. The badge management system lacked anti-virus protection.
Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $32,000 and to undertake other mitigation measures. WECC found that the violations of CIP-006-1 constituted a moderate risk to bulk power system reliability since a weakness in the badge management system could lead to unauthorized access by an attacker to an unstaffed transmission substation. But, the URE’s control centers were manned 24 hours a day, and the URE employed in-house security personnel and other physical security controls, which served as additional security controls in addition to the badge management system. The duration of the CIP-006-1 violation was from July 1, 2009 through December 30, 2009. In approving the settlement agreement and the penalty determination, NERC considered the fact that the violations were the URE’s first violations of the relevant Reliability Standards; some of the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $32,000 (aggregate for 6 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: Unidentified Registered Entity (URE) self-reported that it did not have a “visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls” procedure in violation of R1.4. This was determined after a contractor’s access badge allowing unescorted Physical Security Perimeter access to a substation control house classified as a Critical Asset was lost and not deactivated for over a month.
Finding: The violation posed only a minimal risk, and not a serious or substantial risk, to the reliability of the bulk power system because there was no attempt to use the lost badge, and access would have required a key as well as the badge.
Penalty: $7,500 (aggregated for 4 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R3, R4
Violation Risk Factor: Medium (R3), Lower (R4)
Violation Severity Level: Moderate
Region: FRCC
Issue: Unidentified Registered Entity (“URE”) failed to implement and document the technical and procedural controls for continuous monitoring of physical access at all access points of the Physical Security Perimeter (PSP) and the mechanisms for logging physical entry at its backup control center.
Finding: The violations posed only a minimal risk, and not a serious or substantial risk, to the reliability of the bulk power system, because the PSP was within a controlled area and access was restricted to authorized personnel.
Penalty: $23,000 (aggregated for 11 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)
Reliability Standard: CIP-006-1
Requirement: R1, R3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: RFC
Issue: Unidentified Registered Entity (URE) did not have a physical security plan in place that addressed all elements of CIP-006-1 R1. URE failed to maintain: (i) documented processes to identify all access points through each Physical Security Perimeter (PSP) in accordance with CIP-006-1 R1.2; (ii) documented processes and procedures to monitor physical access to the perimeters in accordance with CIP-006-1 R1.3; (iii) documented procedures for the appropriate use of physical access controls, including response to loss and prohibition of inappropriate use of physical access controls in accordance with CIP-006-1 R1.4; (iv) documented procedures for reviewing access authorization requests and revocation of access authorization in accordance with CIP-006-1 R1.5; and (v) documented processes for updating the physical security plan within 90 calendar days of any physical security system redesign or reconfiguration as required by CIP-006-1 R1.7. URE also failed to afford all the protective measures specified in CIP-003, CIP-004 R3, CIP-005 R2 and R3, CIP-006 R2 and R3, CIP-007, CIP-008 and CIP-009 to Cyber Assets used in the access control and monitoring of the PSP in accordance with CIP-006-1 R1.8. In addition, URE did not ensure that physical security plan provisions were reviewed at least annually as required by CIP-006-1 R1.9.
Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, unrelated violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those that would be expected to achieve and maintain baseline compliance.
Penalty: $70,000 (aggregate for 26 violations)
FERC Order: Issued September 9, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-204-000 (June 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: A Registered Entity self-certified that its Cyber Security Plan did not adequately address all of the requirements contained in the Reliability Standard, as the Registered Entity did not: (a) develop processes to verify and document that its Cyber Assets within an Electronic Security Perimeter (ESP) were also in an identified Physical Security Perimeter (PSP), (b) establish processes for the identification of all access points to the PSP or establish measures for controlling entry at these access points, (c) develop protocols for monitoring access at the access points to each perimeter, (d) establish procedures governing the appropriate use of physical access controls, (e) develop protocols to update the physical security plan, (f) establish processes concerning access control and monitoring of the PSP, and (g) develop plans for performing an annual review of the physical security plan.
Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $37,500 and to undertake other mitigation measures. WECC found that the CIP-006-1 violation constituted a moderate risk to bulk power system reliability since the Registered Entity’s failure to draft plans to protect and monitor the access points to its Cyber Assets could have potentially compromised the operations or physical integrity of the Registered Entity’s Cyber Assets (which could have had a potential widespread effect on the bulk power system). The Registered Entity did have a Cyber Security Plan, even though it did not meet the requirements of the Reliability Standard. The duration of the CIP-006-1 violation was from July 1, 2009 through April 9, 2010. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $37,500 (aggregate for 4 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entities 1 and 2, FERC Docket No. NP11-206-000 (June 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R2/2.3, R2/2.1, R2 (4 violations)
Violation Risk Factor: Medium (for all violations)
Violation Severity Level: N/A (for all violations)
Region: NPCC
Issue: Registered Entity 1 self-reported that it had provided a contractor, who did not possess authorized physical access to its Critical Cyber Assets (CCAs), with an access route to its facility that was not in accordance with its security perimeter (R2/2.3). In addition, Registered Entity 1 self-reported that even though it had installed a key card reader on its rooms with CCAs, it had not taken the necessary steps to prevent unauthorized communications company employees, who had previously been issued keys for the relevant rooms, from gaining access (R2/2.1). Also, because Registered Entity 1 did not disable the prior locking mechanism in those rooms with CCAs, it was unable to prevent access by three security guards (who did not have unescorted physical access rights to the CCAs but had previously been issued keys to the relevant rooms) who were escorting a contractor (R2, 1 violation). Registered Entity 2 self-reported that certain of its employees and one contractor employee had used previously issued keys to access a substation control house Physical Security Perimeter, instead of the required card key they were supposed to use (R2, 3 violations).
Finding: NPCC and the Registered Entities’ parent company entered into a settlement agreement to resolve multiple violations, whereby the Registered Entities’ parent company agreed to pay a penalty of $80,000 and to undertake other mitigation measures. The duration of the CIP-006-1 R2/2.3 violation was on July 27, 2009 and the R2/2.1 violation was on August 12, 2009. The duration of the CIP-006-1 R2 violations was from August 19, 2009 through November 9, 2009 (two violations), from February 20, 2010 through February 22, 2010 (one violation), and from December 2, 2009 through December 4, 2009 (one violation). NPCC found that the violations of CIP-006-1 by Registered Entity 1 only constituted a minimal risk to bulk power system reliability since the relevant contractor personnel who gained access were approved by Registered Entity 1 to conduct the needed work. NPCC found that the violations of CIP-006-1 by Registered Entity 2 also only constituted a minimal risk to bulk power system reliability since an alarm was tripped every time an inappropriate key was used and these instances were addressed by security. In approving the settlement agreement, NERC found that these violations were the Registered Entities’ parent company’s first violations of the relevant Reliability Standards; the violations were self-reported; the Registered Entities’ parent company was cooperative during the enforcement proceeding and did not conceal the violations; and there were no additional aggravating or mitigating factors.
Penalty: $80,000 (aggregate for 21 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-218-000 (June 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R2, R4
Violation Risk Factor: Medium (R2), Lower (R4)
Violation Severity Level: N/A
Region: WECC
Issue: The Registered Entity self-reported that it had not properly enacted operational and procedural physical access controls to manage, 24 hours a day and seven days a week, an access point to its Physical Security Perimeter, as a result of two instances in which an authorized employee propped open a door for several minutes (R2). In addition, the Registered Entity self-reported that it was not properly following its visitor access procedures, as there were instances where janitorial staff and service vendors did not sign in as required, making it impossible for the Registered Entity to identify those specific individuals and their access times (R4).
Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $130,000 and to undertake other mitigation measures. WECC found that the CIP-006-1 R2 violation constituted a moderate risk to bulk power system reliability. But, an alarm was triggered when the door was held open for too long, and the Registered Entity’s security staff responded to it (including by inspecting the area around the door). With regard to the CIP-006-1 R4 violation, WECC found that it constituted only a minimal risk to bulk power system reliability since the improper use of the physical access logs occurred on only one day and the janitorial staff and service vendor personnel spent only limited time in the areas with Critical Cyber Assets (where they were monitored by the Registered Entity’s authorized personnel). The CIP-006-1 R2 violation occurred on July 9, 2009 and the CIP-006-1 R4 violation occurred on July 1, 2009. In approving the settlement agreement, NERC found that there were three instances of noncompliance with Regional Reliability Standard PRC-STD-005-1 WR1 (which was evaluated as an aggravating factor); some of the violations were self-reported; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); the penalties for the violations of Reliability Standards EOP-001-0 R6 and EOP-005-1 R2 were aggregated since both penalties were based on a single act of noncompliance; the penalties for the violations of Reliability Standards PRC-STD-005-1 WR1 and VAR-STD-002b-1 WR1 were based on the respective Sanction Tables; and there were no additional aggravating or mitigating factors.
Penalty: $130,000 (aggregate for 27 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.2, R3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: RFC
Issue: Unidentified Registered Entity (URE) did not identify or control an access point to its Physical Security Perimeter (PSP) for a control room as required by its physical security plan, in violation of R1.2. In addition, URE reported that a breaker house contained a workstation and a cabinet (previously identified as PSPs) that housed Critical Cyber Assets (CCAs) but did not have continuous monitoring or the technical or procedural controls in place for monitoring access at all access points to the workstation or cabinet, in violation of R3.
Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000 and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because both the cabinet and the workstation were locked and required key logging, and, although the building access system is a Cyber Asset used in the access control and monitoring of the PSP, it is separate from the networks supporting the bulk power system, mitigating the risk to the bulk power system. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations indicating that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $85,000 (aggregate for 12 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)
Reliability Standard: CIP-006-1 and CIP-006-2
Requirement: R1.8 (CIP-006-1); R2.2 (CIP-006-2)
Violation Risk Factor: Lower
Violation Severity Level: N/A (R1.8); Lower (R2.2)
Region: RFC
Issue: Unidentified Registered Entity (URE) self-reported that seven individuals with access to certain cyber assets did not have complete or current Personnel Risk Assessments. All were database administrators and had access to data related to URE’s building access system, which is a cyber asset. The building access system provides access control and monitoring of Physical Security Perimeters (PSPs) by restricting access to the PSPs to authorized individuals only and logs authorized or attempted unauthorized access. As such, URE is required to ensure that the building access system is protected as required by CIP-004 R3.
Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000, and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the building access system is separate from the networks that support the bulk power system. Further, the completed personnel risk assessments had no identified issues. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations indicating that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $85,000 (aggregate for 12 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R3.1/R3.2
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SPP
Issue: The Registered Entity self-reported that the hardware and software of its electronic access control system was unable to send alarms regarding unauthorized access attempts to the Backup Control Center (BUCC) and Backup Server Room (BUSR) to the Energy Management System. In addition, the Registered Entity self-reported that it was not using human observation to monitor the access point to the BUCC as specified in its Physical Security Plan.
Finding: SPP found that the violations constituted only a minimal risk to bulk power system reliability. Regarding R3.1, the electronic access system was properly controlling and logging access to the BUCC and BUSR. Regarding R3.2, SPP found that the lack of human observation was limited to one morning hour during the week. Records showed that there were no unauthorized access attempts during the violation. The duration of the violation was from July 1, 2009 through October 1, 2009.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-230-000, July 28, 2011
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: RFC
Issue: Following a self-report, RFC determined that Unidentified Registered Entity (URE) did not take measures to ensure that certain Critical Cyber Assets were within a Physical Security Perimeter (PSP).
Finding: RFC assessed an $18,000 penalty for this and other Reliability Standards violations. RFC determined that the violation of R1.1 did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because the PSP at issue was associated with one of URE’s smallest generators and only 8 people had access, all of whom had completed CIP training and personnel risk assessments. In approving the settlement between URE and RFC, the NERC BOTCC considered the following factors: the violation did not constitute a repeat violation; URE was cooperative; URE self-reported the violations; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violation; RFC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $18,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-233-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: Following a Self-Certification and a subsequent Self-Report, WECC determined the Unidentified Registered Entity (URE) did not take measures to monitor Physical Security Perimeter access points with respect to its Backup Control Center and Protection system cabinets.
Finding: WECC assessed a $70,000 penalty for this and other Reliability Standards violations. WECC determined that the violation posed a minimal risk to the reliability of the bulk power system (BPS) because 13 access points to the backup facility did not have alarming capabilities in the event of an unauthorized access attempt. The violation did not pose a serious or substantial risk to the reliability of the BPS because access was controlled and logged, and the backup facility was in URE’s corporate building, which had its own security controls. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violation did not constitute a repeat violation; URE was cooperative; URE self-reported one of the violations; URE received partial self-reporting credit for the CIP-006-1 violation because the Self-Report was submitted after the Self-Certification period, and did not receive any credit for self-reporting the CIP-007-1 violations because the Self-Reports were submitted during the Self-Certification period; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $70,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)
Reliability Standard: CIP-006-1 and CIP-006-2
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A for CIP-006-1, High for CIP-006-2
Region: ReliabilityFirst
Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) self-reported that a consultant had performed a mock audit and found numerous violations of the CIP Standards in their shared Electronic Security Perimeter (ESP). In particular, URE 1 and URE 2 self-reported that they failed to ensure that all Cyber Assets within an ESP also reside within a Physical Security Perimeter (PSP) in violation of R1.1. In addition, on two occasions URE 1 and URE 2 failed to continuously escort two contract workers requiring escorted physical access to the PSP to finish work within the PSP in violation of R1. Duration of violation was January 1, 2010 through December 23, 2010 (for R1.1) and for R1, the duration of violation consisted of the two dates upon which the workers did not receive continuous escort (June 18, 2010 and July 21, 2010).
Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the communications assets associated with the relevant access points were physically protected even if they did not all reside in a PSP. In addition, the two visiting workers posed a low risk because they both had or were in the process of receiving a Personnel Risk Assessment and one was in the process of completing cyber security training. However, it noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violation; there was no evidence that the UREs attempted to conceal a violation; and URE 1 and URE 2 promptly prepared, drafted and submitted their mitigation plan for the violations of CIP-006-1, such that ReliabilityFirst assessed a zero dollar penalty for those violations.
Penalty: $180,000 (aggregate for 4 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-247-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R5 (2 violations), R3
Violation Risk Factor: Lower (both R5 violations), Medium (R3)
Violation Severity Level: N/A
Region: RFC
Issue: The Unidentified Registered Entity self-reported that, as a result of technical problems and network connectivity issues with an access card reader that controlled the access to its physical security perimeters (PSPs) at its corporate headquarters, it had not retained its physical access logs from March 8, 2010 through March 31, 2010 as required (R5 – 1 violation). RFC also found that the Unidentified Registered Entity did not properly retain its access logs since it did not distinguish between access to a floor with Critical Cyber Assets (CCAs) and access to four other floors from a freight elevator (R5 – 1 violation). In addition, RFC found that the Unidentified Registered Entity was not continuously monitoring access, as required, to its locked racks that secured the data communications cables that went from the electric System Operations Center to the floor which hosted the CCAs (R3).
Finding: RFC and the Unidentified Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $15,000 and to undertake other mitigation measures. RFC found that the CIP-006-1 violations did not constitute a serious or substantial risk to bulk power system reliability. In terms of the failed card reader, the card reader was still able to restrict access to the PSP, and the Unidentified Registered Entity had a video monitoring and recording system to visually identify those individuals who accessed the PSP. In regards to the floors accessible via the freight elevator, only authorized individuals (who had received proper training and background checks) had access to those floors. In addition, besides gaining physical access, an individual still needed to possess valid credentials to log onto the CCAs. In terms of the System Operations Center, it was subject to restricted access and was monitored by operators 24 hours a day. The duration of the CIP-006-1 violations was from March 6, 2010 through March 31, 2010 (R5 – 1 violation), from January 1, 2010 through April 30, 2010 (R5 – 1 violation), and from January 1, 2010 through September 15, 2010 (R3). In approving the settlement agreement, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $15,000 (aggregate for 5 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-249-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: WECC found that the Unidentified Registered Entity had not properly implemented a Physical Security Plan which verified that all of the Unidentified Registered Entity’s Critical Cyber Assets (CCAs) were contained within a Physical Security Perimeter (PSP).
Finding: WECC and the Unidentified Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $18,000 and to undertake other mitigation measures. WECC found that the CIP-006-1 violation did not constitute a serious or substantial risk to bulk power system reliability since the CCAs were monitored by on-site security personnel and were equipped with badge readers. The duration of the CIP-006-1 violation was from January 1, 2010 through March 30, 2010. In approving the settlement agreement, NERC found that this was the Unidentified Registered Entity’s first violation of the relevant Reliability Standards; the violation was self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violation; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $18,000 (aggregate for 9 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-250-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: The Unidentified Registered Entity self-reported that it had not properly listed a secured and monitored doorway as a Physical Security Perimeter (PSP) access point, as required. In addition, WECC found that the Unidentified Registered Entity’s Physical Security Plan did not adequately document and enact certain organizational processes, as well as technical and procedural mechanisms, for monitoring security events. The Unidentified Registered Entity’s security monitoring controls did not produce alerts (either automated or manual) when Cyber Security Incidents were detected and the Unidentified Registered Entity was not properly reviewing logs (and maintaining records of its review) of system events related to cyber security as required.
Finding: The Unidentified Registered Entity agreed to pay a penalty of $12,600 and to undertake other mitigation measures. WECC found that the CIP-006-1 violation constituted only a minimal risk to bulk power system reliability since there were on-site security measures at unidentified access points to the PSP. The relevant access point was permanently locked and also blocked by a large bookcase. In terms of the Physical Security Plan, the violation did not lead to any unauthorized physical or cyber access to the cyber assets, which were located in an Electronic Security Perimeter and physically secured. The duration of the CIP-006-1 violation was from July 1, 2009 through October 22, 2010. In approving the penalty amount, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $12,600 (aggregate for 9 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-251-000 (July 28, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: WECC found that five of the Unidentified Registered Entity’s Critical Cyber Assets (CCAs), which were within an Electronic Security Perimeter, were not located within an identified Physical Security Perimeter as required.
Finding: WECC and the Unidentified Registered Entity entered into a settlement agreement to resolve the violation, whereby the Unidentified Registered Entity agreed to pay a penalty of $7,000 and to undertake other mitigation measures. WECC found that the violation constituted only a minimal risk to bulk power system reliability since the relevant CCAs were still contained within a secured physical area, including being within a building that had access control and monitoring. The duration of the violation was from December 31, 2009 through September 21, 2010. In approving the settlement agreement, NERC found that this was the Unidentified Registered Entity’s first violation of this Reliability Standard; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violation; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $7,000
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: FRCC
Issue: FRCC_URE1 self-reported that its proprietary fiber network was not located within an identified Physical Security Perimeter, as required, and that it did not submit any technical feasibility exceptions nor implement any alternative measures to control physical access to its Cyber Assets.
Finding: FRCC found that the violation constituted only a minimal risk to bulk power system reliability since the relevant fiber network, and all the data on it, was privately owned by FRCC_URE1. In addition, there were circuit monitors in place that were intended to detect any physical intrusions on the fiber network.
Penalty: $14,000 (aggregate for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-261-000 (August 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R1; R2
Violation Risk Factor: Medium
Violation Severity Level: Moderate (R1); High (R2)
Region: RFC
Issue: Following a Self-Report, RFC determined that the Unidentified Registered Entity (URE) failed to identify an opening in a ceiling wall as an access point to a Physical Security Perimeter (PSP) in violation of R1 and failed to correctly implement physical access controls by inadvertently leaving two doors to the PSP unlocked for 56 and 83 hours, respectively, in violation of R2.
Finding: SPP determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because other control systems were in place to limit access to the PSP. To access the PSP, an individual would have to pass through other badge-controlled access points. The ceiling opening was less accessible because it was located above a false ceiling and was not visible. In addition, security staff monitors the PSP on a 24/7 basis. In approving the settlement agreement, NERC found this was not URE’s first violation of the subject Reliability Standards; URE self-reported seven of the eight violations; RFC considered it an aggravating factor that it discovered one of the violations in a Compliance Spot Check; URE was cooperative; URE had a compliance program, which RFC considered to be a mitigating factor; RFC determined URE’s parent company operated the CIP compliance program and therefore should investigate and review all Self-Reports and violations of the URE; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.
Penalty: $70,000 (aggregate for 8 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.6
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: NPCC
Issue: NPCC_URE2 self-reported that it did not possess adequate documentation showing that the four Access Control Systems that controlled the physical access to its Physical Security Perimeter were given the required protective measures.
Finding: NPCC found that the violation constituted a minimal risk to bulk power system reliability since NPCC_URE2 was restricting electronic and physical access to the relevant systems and had only granted access to those individuals who had a functional need for access. There also were no unauthorized access attempts. The duration of the violation was from January 1, 2010 through April 30, 2011.
Penalty: $6,000 (aggregate for 4 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP
Issue: SPP_URE1 self-reported that one of its backup transmission control center operators impermissibly granted unescorted access to a security guard and HVAC technician into SPP_URE1's backup transmission control center inside the Physical Security Perimeter.
Finding: SPP found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the HVAC technician was actually hired to conduct maintenance on SPP_URE1's HVAC system (which included both CIP and non-CIP areas). The HVAC technician was always accompanied by the security guard, who even though he did not have unescorted access rights, had undergone training and had received a clear background check. In addition, both the security guard and the HVAC technician signed in at the logbook. The violation occurred on September 9, 2009.
Penalty: $6,000 (aggregate for 4 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: FRCC
Issue: FRCC_URE1 self-reported that certain of its employees who did not have personnel risk assessments on file were able to access non-cyber asset applications through a system that contained both cyber and non-cyber assets. FRCC found that all of the employees who had access to the system, which should have been classified as a physical access control system, should have received personnel risk assessments.
Finding: FRCC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the relevant system was in a controlled Physical Security Perimeter. In addition, the employees who had not received a personnel risk assessment did not have the ability to control physical access to FRCC_URE1's Critical Cyber Assets infrastructure. The duration of the violation was from July 1, 2009 through January 7, 2010.
Penalty: $38,000 (aggregate for 11 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1/1.4/1.7
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: During a compliance audit, RFC found that RFC_URE1’s physical security plan did not address, as required, response to loss and the prohibition on the inappropriate use of the physical access controls. In addition, RFC_URE1’s physical security plan did not contain the requirement that it be updated within 30 days of any physical security design or configuration change.
Finding: RFC found that the violation posed a moderate risk to bulk power system reliability since RFC_URE1 was actually training its employees on responding to loss and the prohibition on the inappropriate use of the physical access controls and addressed these topics in another of its documents. In addition, while RFC_URE1 only specified that updates to its physical security plan must be made within 90 days, RFC_URE1 did not need to make any upgrades to its physical security plan during the course of the violation. In addition, there was a compliance program in place (which was evaluated as a mitigating factor).
Penalty: $30,000 (aggregate for 6 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1, R6
Violation Risk Factor: Medium (R1, R6)
Violation Severity Level: Moderate (R1, R6)
Region: WECC
Issue: WECC_URE2 self-reported that it did not assess the available security patches for a server used for controlling access at three of its Physical Security Perimeters (PSPs) and had not reviewed the system event logs for that server (R1). In addition, WECC_URE2 self-certified that it had not conducted baseline testing on its physical security systems for three of its PSPs (which consist of a server, workstations, card readers and door readers) (R6).
Finding: WECC found that the CIP-006-1 R1 violation only constituted a minimal risk to bulk power system reliability since the relevant server was located in a facility that was actively monitored for unauthorized physical and electronic access. WECC found that the CIP-006-1 R6 violation constituted a moderate risk to bulk power system reliability since WECC_URE2 did not properly implement a maintenance and testing program for the physical security systems for three of its PSPs for the primary control center, backup control center and a data center, which could have led to unauthorized access to the PSPs. The PSPs did have physical and electronic access logging and were continuously subject to monitoring. WECC_URE2 had a compliance program in place when the violations occurred (which was evaluated as a mitigating factor).
Penalty: $20,400 (aggregate for 3 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: High
Region: RFC
Issue: RFC_URE5 self-reported that one of its employees with authorized unescorted physical access to a Physical Security Perimeter (PSP) did not appropriately manage a PSP access point in three instances (for a combined total of 15 minutes). During those three instances, the employee left a door securing the PSP ajar in order to provide access to maintenance men and then left the area (thereby failing to monitor the PSP access point).
Finding: RFC found that the violation constituted a moderate risk to bulk power system reliability. The relevant PSP access point had multiple layers of protection, including video surveillance, which allowed RFC_URE5 to monitor any unauthorized access attempts. No unauthorized access attempts were made during the violation. In addition, RFC_URE5 had a documented physical security plan on which the relevant employee had received training. RFC_URE5’s parent company had a compliance program in place and there was no evidence that the entire holding company system was involved (which RFC evaluated as mitigating factors). RFC did, however, view the repetitive nature of the violations as an aggravating factor.
Penalty: $30,000 (aggregate for 3 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: High
Region: FRCC
Issue: URE self-reported that it had not fully implemented the proper operational and procedural controls at the access points to six of its PSPs at one of its facilities. The URE had lost one key for its restricted keyway and did not place restricted keyways, as it was supposed to, on certain doors.
Finding: FRCC found that the violation constituted a moderate risk to BPS reliability. The relevant assets could not be remotely accessed and were contained within a secured facility with armed guards. In addition, four of the PSPs were unsecured for 26 days and two of the PSPs were unsecured for 45 days. URE had a compliance program in place, but it was only evaluated as a neutral factor.
Penalty: $55,000 (aggregate for 11 violations)
FERC Order: Issued November 30, 2011 (no further review).
Unidentified Registered Entity, FERC Docket No. NP12-3 (November 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1.6/1.8
Violation Risk Factor: Lower (R1.8), Medium (R1.6)
Violation Severity Level: Severe (R1.6/1.8)
Region: WECC
Issue: URE self-reported (right before its self-certifications were due) that its system (which was composed of a server and several workstations connected to the corporate LAN network) did not have the proper applications or technical functions needed to ensure that its CAs for access control and monitoring of its PSPs had the required protective measures. The system was used for access control, monitoring the PSP, and managing card readers (R1.8). URE also self-reported that it had improperly granted one of its air conditioning specialists unescorted physical access to its PSP (R1.6).
Finding: WECC found that the CIP-006-1 violation constituted a moderate risk to BPS reliability. But the main server for URE’s access control and monitoring assets had an additional layer of protection since it was located in a room that required card reader access. Furthermore, the building with the main server was also protected by card reader access. In approving the settlement agreement, the NERC BOTCC evaluated the following mitigating factors: URE’s PRC violations were self-reported; URE had a compliance program in place; URE was cooperative during the enforcement process and did not conceal the violations; and the violations did not constitute a serious or substantial risk to BPS reliability. But the NERC BOTCC considered URE’s violation history as an aggravating factor.
Penalty: $125,000 (aggregate for 5 violations)
FERC Order: Issued December 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Not provided
Region: WECC
Issue: During an audit, WECC determined that URE could not demonstrate that it performed a PRA for all personnel with corporate network access and therefore could not show that it applied the required protective measures to its host workstations. In addition, URE did not restrict ports and services on the host workstations.
Finding: WECC determined that the violation posed a minimal and not serious or substantial risk to the reliability of the BPS because URE’s strong physical security controls significantly reduced the attack vector on its devices. Duration of the violation was from the date the Standard became enforceable through January 27, 2011. WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations (though not the CIP-006-1 violations), URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.
Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)
FERC Order: Issued December 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not have CAs provisioning physical access control and monitoring (PACM) to its PSPs in violation of CIP-006-1 R1/R1.8. URE did not identify two CAs as CAs provisioning access control and monitoring. URE also did not apply the protective measures set forth under CIP-005-1 R2, CIP-007-1 R2, R3, R5 and R8, and CIP-009-1 R5 to three CAs. Finally, URE did not have two protective measures (CIP-008-1 R8 and CIP-009-1 R5) on nine CAs provisioning access control and monitoring.
Finding: The violation constituted a minimal risk to BPS reliability due to the small scope of the violation and because URE’s PACM network is physically and electronically isolated and any access to it is restricted.
Penalty: $5,600
FERC Order: Issued January 27, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2011)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: URE self-reported that it had improperly reinstated CCA physical access rights to a retiring employee. As a result of a problem with the access cards, one of URE’s physical security vendors reset the access privileges for all of URE’s personnel to expire at the same time (which was after the retirement date of the relevant employee). Therefore, the retired employee improperly had authorization to enter the PSP 10 days after his last day at work.
Finding: WECC found that the CIP-006-1 violation constituted only a minimal risk to the BPS since the retiring employee, a long-time employee, had received cyber security training and had a current PRA on file with URE. In addition, the relevant employee did not enter the PSP after his access should have been revoked. URE also had additional operational and procedural controls. In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.
Penalty: $135,000 (aggregate for 20 violations)
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: WECC
Issue: URE was not in compliance with CIP-006-1 R1.8 because it did not test its CCAs to make sure that new or significantly changed CAs would not adversely affect existing cyber security controls. Also, URE was not evaluating, testing, and installing security patches as prescribed by CIP-007-1 R3. URE also did not have the protective measures specified in CIP-006-2 R2.
Finding: The violation constituted a moderate risk to BPS reliability. Although URE’s CAs did have the protections set forth under CIP-006-1 R1, not ensuring that CAs responsible for access control and/or monitoring of the ESP are protected through the testing requirements set forth in CIP-007-1 R1 and R3 could allow unauthorized access to these CAs, which in turn leaves open the possibility of cyber attacks against CCAs required for reliable BPS operation. URE’s self-report was not given credit in assessing the penalty because it was submitted during a self-certification process.
WECC found it appropriate to assess one penalty for URE’s violations of CIP-005-1 R1.5, CIP-006-1 R1.8 and CIP-007-1 R3. Not providing the protections in CIP-007-1 to its Cyber Assets is a single incidence of noncompliance that resulted in violations of CIP-005-1 R1.5 and CIP-006-1 R1.8. Therefore, the penalty assessed for CIP-007-1 R3 is a single penalty for the aggregate of the related violations.
Penalty: $55,000 (aggregate for 12 penalties)
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)
Reliability Standard: CIP-006-1 (the violation involves later versions of this standard: CIP-006-2 R2.2 and CIP-006-3 R2.2)
Requirement: R1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: In the course of a self-certification, URE self-reported a violation of CIP-006-1 R1 in that it failed to ensure that CAs used in the Access Control and Monitoring (ACM) of the PSPs received all the required protections. In response to the report, WECC performed an on-site audit and confirmed URE’s assessment. Specifically, WECC held URE violated CIP-006-1 R1.8 because it failed to protect CAs in the ACM of the PSPs in the following three ways:
First, in violation of CIP-005 R3, five switches that serve as electronic access points to seven physical ACM controllers were not configured to send syslogs to URE’s syslog server. Consequently, designated personnel could not receive alerts generated from these controllers.
Second, in violation of CIP-007 R3, URE failed to properly document two assessments: 1) URE did not document the applicability of a security patch for three ACM devices within thirty days of the patch becoming available; 2) URE failed to document the assessment of security patches for sixteen switches located in the ESP for five devices used in the ACM of the ESPs.
Third, in violation of CIP-009 R4 and R5, URE failed to document in its Recovery Plan the backup and restore procedures for seven physical ACM control panels. These features of the Recovery Plan are used to store access control authentication data for the card readers. While URE annually tested to ensure that essential recovery information was stored on backup media, it did not comply with documentation requirements.
Finding: These violations posed only a moderate risk to the reliability of the BPS because the risk was mitigated by three factors. First, only personnel with proper training and Personnel Risk Assessments had access to the devices in question. Second, URE’s server was located within secured rooms inside a PSP, and secured by a firewall equipped with anti-virus and malware protection tools.
Penalty: $45,000 (aggregate for 7 penalties)
FERC Order: Issued February 29, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SPP
Issue: Following a Self-Report, SPP determined URE violated R1.1 because it had approximately 60 feet of network cable connecting its two PSPs that was not protected by conduit or alternate means to control physical access to CCAs within the PSPs.
Finding: SPP determined that the violation posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The cable at issue was hidden above ceiling tiles, was not distinguishable, and measures were in place to prevent sensitive information from being transported to an outside laptop. The location of the cable was also protected by two layers of security, and any attempt to access the cable would likely have triggered an immediate investigation by security personnel.
Penalty: $40,000 (aggregate for 14 violations)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that access and control monitoring (ACM) assets that authorize and/or log access to the PSP were excluded from some of the CIP protections. The relevant assets were responsible for access control and monitoring of PSPs containing CCAs. WECC Enforcement reviewed URE’s self-certification and determined that URE was in violation of CIP-006-1 R1.8 from the date it was required to be compliant with this Standard until a Mitigation Plan was completed. The failure to apply all protections to CAs used in access control and monitoring is a violation of CIP-006-1 R1.8.
Finding: WECC found the violation constituted a minimal risk to BPS reliability. Not applying all CIP protective measures to the CAs left them open to the possibility of manipulation. Unauthorized access could allow harm to CCAs necessary to BPS operations. URE uses Intrusion Detection and Prevention systems which mitigate any possible risk. Also, URE uses centralized logging, security event correlation, and incident response on a 24/7 basis. Lastly, URE has a reporting system in place which monitors the CAs and gives reports on the security of the CAs, including open ports, services, and vulnerabilities of the software housed on the CAs. WECC considered URE’s and its affiliates’ violation history when determining the appropriate penalty.
Penalty: $27,900 (aggregate for 2 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-006-1
Requirement: R2/2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: In preparation for a compliance audit, URE self-reported its finding that it had not correctly implemented its CIP-006 compliance program in all instances. In particular, URE did not implement all of the protective measures specified in CIP-006-1 R2.2 to two personal computers that could control access to PSPs. URE was not aware the computers had the ability to control access to PSPs, and therefore, the protective measures specified in CIP-005 R2 and R3 and CIP-007 were not applied to those personal computers. ReliabilityFirst found that URE violated CIP-006-1 R2.2 by failing to afford the protective measures specified in CIP-003, CIP-004 R3, CIP-005 R2 and R3, CIP-006 R4 and R5, CIP-007, CIP-008, and CIP-009 to two CAs that are able to allow PSP access.
Finding: ReliabilityFirst found the violation constituted a moderate risk to BPS reliability which was mitigated because the two computers were located within secure PSPs and on secure network segments, preventing unauthorized physical access. Also, one of the computers was in the main guard facility, which is staffed at all times. ReliabilityFirst considered URE’s compliance program as a mitigating factor in determining the appropriate penalty.
Penalty: $65,000 (aggregate for 6 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-006-1
Requirement: R2/2.2; R5
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: In preparation for a compliance audit, URE self-reported its finding that it had not correctly implemented its CIP-006 compliance program in all instances. In particular, URE did not implement all of the protective measures specified in CIP-006-1 R2.2 to two personal computers that could control access to PSPs. URE was not aware the computers had the ability to control access to PSPs, and therefore, the protective measures specified in CIP-005 R2 and R3 and CIP-007 were not applied to those personal computers. Regarding R5, URE did not maintain complete documentation for all physical security alarms to show that it was aware of and responded to any unauthorized access attempts as required. ReliabilityFirst found that URE violated CIP-006-1 R2.2 by failing to afford the protective measures specified in CIP-003, CIP-004 R3, CIP-005 R2 and R3, CIP-006 R4 and R5, CIP-007, CIP-008, and CIP-009 to two CAs that are able to allow PSP access. ReliabilityFirst determined that URE violated CIP-006-1 R5 by failing to document and implement the technical and procedural controls for monitoring physical access at all access points to the PSPs at all times.
Finding: ReliabilityFirst found the violations constituted a moderate risk to BPS reliability which was mitigated because, for R2, the two computers were located within secure PSPs and on secure network segments, preventing unauthorized physical access. Also, one of the computers was in the main guard facility, which is staffed at all times. Regarding R5, URE’s corporate security procedures cover actions to be taken for any alarms sounded due to unauthorized access attempts, and URE had evidence that each alarm had been acknowledged by security personnel. ReliabilityFirst considered URE’s compliance program as a mitigating factor in determining the appropriate penalty.
Penalty: $65,000 (aggregate for 6 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: WECC
Issue: In advance of a semi-annual CIP self-certification process, URE self-reported a violation of CIP-006-1, which was corrected, and URE self-certified compliance with the CIP standards days later. In particular, URE did not have in place controls to monitor access at an access point to a PSP. The PSP had card readers for access, but the system did not monitor access 24/7 as required by CIP-006-1 R3, nor did it sound any alarm in the instance of unauthorized PSP access.
Finding: It was determined that the violation posed a minimal risk to BPS reliability because URE had security and monitoring measures in place to protect its PSP, including only allowing access through a point that had 24/7 monitoring. URE was given mitigating credit for trying to disclose noncompliance before the time period URE was required to comply with the Reliability Standards and prior to receiving notice to self-certify.
Penalty: $8,000 (aggregate for 2 penalties)
FERC Order: Issued April 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that, while conducting an internal CIP audit review, it found CAs related to the physical access control system had not been identified or included on its CCAs list. As such, the physical access control system was not afforded all the protective measures under R1.8.
Finding: The violation was determined to pose minimal risk to BPS reliability because all relevant devices were located within a defined ESP and PSP and additional security controls were in place, such as account management, strict firewall access control, and event logging and network intrusion detection. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor. NPCC considered that URE’s Mitigation Plan was not completed on time, but NPCC did not adjust the penalty figure because URE was finishing related work under a separate Mitigation Plan that was on a different completion schedule and NPCC was aware of the revised timeframe.
Penalty: $25,000 (aggregate for 4 violations)
FERC Order: Issued May 30, 2012 (no further review)
Unidentified Registered Entities, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP/RFC/TRE (Regions)
Issue: URE filed self-reports to the three Regions discussing a violation of CIP-006-1 on four separate occasions. The first violation occurred when a postal employee with authorized physical access to UREs’ operations PSP entered the area to deliver mail. Unbeknownst to the postal employee, a visitor followed him into the restricted area in search of a meeting the visitor was to attend. Staff at URE noticed the visitor wandering around and escorted the individual to his destination. The visitor was unescorted for approximately three minutes. The second occurrence happened when an IT support technician signed in and escorted a vendor technician to UREs’ data center, but the IT tech was the only person manning the mainframe desk so he left the vendor to return to his post. After a shift change, another employee noticed the vendor working unescorted and remained with the vendor until the work was complete. Video showed the vendor never approached or tried to access the ESP CA devices. The third instance involved an employee who believed he had authorized physical access to the telecom room entering the area to check the fire extinguisher. The individual had been granted access to other CCAs inside the same facility, but the telecom room access had not yet been approved. The individual had his card and fingerprint checked at the access door, which opened when he attempted to enter. That triggered a “forced door” alarm to security. Ultimately, it was determined the individual did not have access to the telecom room and he was asked to leave immediately, which he did. Further research found the door lock was not working correctly leaving the door not fully secured. URE manned the door until the door lock was repaired. The fourth instance involved unauthorized access to the data center during a fire alarm test. 
An employee involved in the fire alarm test walked past a security guard into the data center to check the fire alarms believing he had authorized access, first, because he had requested access to the area and, second, because he had authorized unescorted physical access for another PSP. URE found that the security guard did not follow procedures to stop all individuals entering restricted areas prior to checking their access rights.
Finding: The Regions found the violations constituted a moderate risk to BPS reliability. Regarding the first violation, the visitor was quickly noticed and escorted to the appropriate destination. The visitor never approached the area of the operations generation dispatch workstations, which are continuously manned and also have biometric keyboard locks in the event a station becomes unmanned. Regarding the second violation, although the IT technician was alone in the data center, video confirmed the individual was never near the ESP CA devices. Further, password security measures would have prevented the technician from accessing the CA devices. Regarding the third violation, the relevant person was a trusted employee who had authorized unescorted physical access to other CCAs in the same facility, a PRA on file, and cyber security training. Also, the individual received the required access credentials one month after the incident. Lastly, regarding the fourth violation, the relevant person was a trusted employee who had authorized unescorted physical access to other CCAs in the same facility, a PRA on file, and cyber security training. As well, the individual had unescorted physical access to the PSP. The individual was in the restricted area for less than one minute. In determining the appropriate penalty, the Regions considered certain aspects of UREs’ compliance program as a mitigating factor.
Penalty: $27,000 (aggregate for 6 violations (2 in each region))
FERC Order: Issued May 30, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: MRO
Issue: During a spot check, MRO observed that URE’s Physical Security Plan was not properly maintained and that not all in-scope identified Physical Security Perimeters (PSPs) incorporated a completely enclosed six-wall border (per R1.1). MRO discovered several inconsistencies in the version of the Physical Security Plan in place at the time of the spot check. The document text did not accurately reflect the actual implementation controls, nor was it internally consistent with other portions of the content. MRO also found that this version of the Physical Security Plan contained errors with regard to multiple control centers.
Finding: MRO determined that the violation posed a minimal risk to the reliability of the bulk power system (BPS) because there were mechanisms in place to monitor and limit access to Critical Cyber Assets (CCAs) and the ESP, despite an unprotected opening in a six-wall perimeter that allowed direct access. The building is staffed and partially surrounded by a security fence, while the entire facility is protected by card readers. URE addressed the issue concerning the six-wall border enclosure and reviewed and corrected inconsistencies in its Physical Security Plan, such as where equipment, logs, and boundaries are located.
Penalty: $12,000 (aggregate for 9 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1; R1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported a violation of R1.8 because it failed to afford all security measures to Cyber Assets used in access control and monitoring of the Physical Security Perimeter (PSP), pursuant to R1.8. WECC Subject Matter Experts (SMEs) reviewed the self-report and found that URE failed to identify 11 individuals with access to shared user accounts to Cyber Assets used in PSP access control and monitoring. WECC determined that URE’s failure to implement protective measures prescribed to Cyber Assets involved in PSP access control and monitoring (under CIP-007-1 R5), constituted a violation of R1.8.
Finding: WECC determined this violation posed a minimal risk to the reliability of the bulk power system (BPS) because risks were mitigated by the compensating measures in place during the violation period. The individuals in question had completed training and personnel risk assessments (per CIP-004), and electronic access to devices using shared accounts was logged and monitored. URE compiled a list of all shared accounts and the individuals with access to the accounts (per R5.2.2), as well as documented and implemented a new process designed to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges. The process includes provisions for the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system in service. Additionally, URE’s process includes a policy for managing the use of such accounts to limit access to only those with authorization, audit the trail of account use, and secure accounts in the event of personnel changes.
Penalty: $15,600 (aggregate for 3 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified a violation of CIP-006-1 R1.8 because it did not ensure that CAs used in access control and monitoring of the PSP were provided all security measures as set forth in the CIP Reliability Standard. WECC’s review of URE’s self-certification determined that URE had not recorded its assessment of certain kinds of security patches/upgrades for CAs within 30 days of availability when outfitting its PSP access control and monitoring system, pursuant to CIP-007-1 R3. URE was in violation of CIP-006-1 R1.8 by not recording security patch assessments.
Finding: WECC deemed the violation to pose minimal risk to BPS reliability, which was mitigated for the following reasons. URE did properly assess and document a certain kind of security patch/upgrade. URE had assessed and implemented all other kinds of security patches and upgrades; however, it did not document those assessments. In addition, the CCAs and CAs were protected inside PSPs and ESPs. All access to PSPs is restricted and documented, and PSPs are protected by security guards. Any individual having access to CAs and CCAs would have had to complete a PRA and cyber security training. Finally, the devices inside the ESPs are protected by anti-virus software and malware prevention devices. URE did not contest WECC’s findings. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor.
Penalty: $12,500 (aggregate for 3 violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Upon finding that WECC was beginning the semi-annual CIP Self-Certification process, URE submitted to WECC that it was “Substantially Compliant” with CIP-006-1 R1.8 and submitted a self-report stating that it had not provided all of the CIP protective measures to its PSP access control and/or monitoring system. In particular, URE has one server which was not provided with the same security controls for PSP electronic access as found on URE’s other critical systems. WECC found that URE had not provided the protective measures under the CIP Reliability Standards as follows: CIP-005 R3.2: URE has no security monitoring process established for detecting and alerting URE to attempts at or actual unauthorized access. CIP-007 R1: the particular server is obsolete, and its vendor suggested URE make no changes or updates to the server; therefore, URE had no existing testing procedures in place to confirm any changes made would not adversely affect existing cyber security controls. CIP-007 R2: no list of ports and services was created for the server. CIP-007 R4: URE did not update anti-virus or malware prevention tools due to the vendor’s recommendation to make no changes to the server. CIP-007 R5: URE did not follow the Account Management procedures set forth in the Standard. CIP-007 R6: URE was not manually or electronically monitoring events on the server. CIP-007 R8: no cyber vulnerability assessment was undertaken on the server due to the vendor’s recommendation to make no changes to the server. These failures led to the violation of CIP-006-1 R1.8 due to URE’s failing to have all CIP protective measures in place for the relevant server used for PSP access control and monitoring.
Finding: The violation was deemed to pose moderate risk to BPS reliability because URE’s failure to provide all CIP protective measures to every CA responsible for access control and monitoring leaves those assets at risk for cyber attacks within the PSP not being noticed or responded to. Access to the CAs could then be further abused for the purpose of disrupting BPS operations. WECC found the violation did not represent serious or substantial risk to BPS reliability because all employees with access to the relevant device had current PRAs on file and had received CIP training. Any access could be checked through Windows Active Directory. The server is contained in a PSP having firewall logs to its ESP, and all firewall logs were reviewed daily during the week. Alerts to failed logins or unusual traffic were automated and set up to be sent to URE security personnel. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program, but no self-report credit was given since URE reported the violations during the Self-Certification submission process. URE agreed/stipulated to WECC’s findings.
Penalty: $67,500 (aggregate for 9 violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-006-1
Requirement: R3, R4
Violation Risk Factor: Medium (R3); Lower (R4)
Violation Severity Level: High (R3, R4)
Region: TRE
Issue: URE submitted a self-report stating that it had not used all technical and procedural controls for monitoring physical access to all access points to the PSP on a 24/7 basis or by other means as set forth in CIP-006-1. URE did have the procedures documented, but it did not follow those procedures for monitoring at one fire exit door. The door did have video monitoring, but it had been installed four months after the compliance date, and URE could not show that the video was reviewed 24/7. A URE manager was reviewing the videos, but not on a consistent, 24/7 basis. The videos were reviewed as required beginning almost nine months after the required date. Prior to that, surveillance was undertaken by humans, but not 24/7. (R3). URE further self-reported that it had not used its written technical and procedural tools for logging physical entry through every access point to the PSP by one of the methods set forth in CIP-006-1 R4. The access through the one fire door to the PSP had not been logged for 10 months until the video surveillance camera installation mentioned above was completed and in service. URE does not believe the fire door exit should be considered an access point.
Finding: The violation was deemed by TRE to pose moderate risk to BPS reliability because the fire door was the emergency door to the backup control center, opened from the inside, and also had a crash bar for added security. Only those with rights to the PSP could access the door. RFC stated that because the door was not properly alarmed, an individual in the control center computer room could open the door, allowing an unauthorized person to enter the PSP. Although video surveillance tapes were eventually reviewed by a URE manager, the manager was not reviewing the tapes on a timely 24/7 basis. URE staff reported that the tapes are manually cycled across large computer monitors for security personnel review. The R4 violation also was deemed to pose a moderate risk to BPS reliability because the relevant door had a crash bar and could only be opened from inside the computer room. In addition, only authorized employees were allowed in the PSP. In determining the appropriate penalty, TRE found URE’s internal compliance program to be a mitigating factor, and it considered "above and beyond" mitigating measures as well. URE neither admitted nor denied TRE’s findings.
Penalty: $8,000 (aggregate for two violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (URE) self-reported that it was in violation of R2 because one of its janitors possessed a key that was used to access a CCA even though the janitor was not authorized to access the CCA.
Finding: WECC determined that the violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The risk posed by the failure to implement operational and procedural controls to manage physical access to the PSP was mitigated because URE’s CCAs have multiple redundant security systems that would prevent further access by the janitor.
Penalty: $134,350 (aggregate for 10 violations among 4 UREs)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (URE) self-reported that it was in violation of R2 because an internal review revealed over 100 individuals had unauthorized access to a backup site for URE’s generation management system, which is a CCA. One of the individuals was a janitor with a key to the PSP; the other individuals were erroneously granted access by a secondary database used by the URE’s physical card access system.
Finding: WECC determined that the violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The risk posed by the failure to properly manage physical access to the operations center was mitigated because the unauthorized personnel only had physical access to the CCAs, and the CCAs had redundant security systems including 24x7 physical and electronic monitoring and logging, anti-virus and anti-malware, and selectively enabled ports and services.
Penalty: $134,350 (aggregate for 10 violations among 4 UREs)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (URE) self-reported that it was in violation of R3 because it had not implemented appropriate responses to access control alarms. Specifically, URE discovered that employees failed to appropriately respond to 73% of identified alarm events.
Finding: WECC determined that the violation posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The risk was mitigated because URE’s CCAs have multiple redundant security systems that would prevent access. Moreover, all of the individuals that gained unauthorized access to CCAs were employees, and although the alarms were not properly addressed, they were monitored.
Penalty: $134,350 (aggregate for 10 violations among 4 UREs)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 4
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (URE) self-reported that it was in violation of R4 because, in fewer than 50 instances over a ten-month period, the access logs generated by some access points on URE’s PSP were insufficient to identify the person who gained access.
Finding: WECC determined that the violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The risk posed by the failure to properly log physical access to the PSP was mitigated because URE’s CCAs have multiple redundant security systems that would prevent further access.
Penalty: $134,350 (aggregate for 10 violations among 4 UREs)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: R1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not have sufficient protective measures for CAs used in the access control and monitoring of three PSPs, as the default accounts on nine physical access control panels were not disabled when the panels were installed, as required.
Finding: WECC found that the violation only constituted a minimal risk to BPS reliability since URE’s physical access control panels were located within PSPs with no direct external physical or cyber access. In addition, each panel only had one active default account. URE’s compliance program was evaluated as a mitigating factor and URE also received cooperation credit for self-reporting the violation (which was made in anticipation of an upcoming audit).
Penalty: $7,500
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not place five of its CCAs within a PSP as required.
Finding: WECC found that the violation only constituted a minimal risk to BPS reliability since the relevant CCAs were located within a secured generation project and had limited access to the site, which was being monitored and controlled by URE. The violation also involved a limited number of CCAs. URE’s compliance program was evaluated as a mitigating factor. In determining the penalty amount, WECC also considered URE’s compliance history.
Penalty: $15,000 (aggregate for 4 violations)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that one of its employees was able to log onto a physical access control system located in an ESP without using the required two-factor authentication. Instead, the relevant employee used a tunneling protocol for authentication between the ESP and a directory server. Thus, URE did not apply the required protective measures for the access control and monitoring of one server within the PSP.
Finding: WECC found that the violation only constituted a minimal risk to BPS reliability since the relevant server was located in an ESP and PSP. In addition, the relevant employee, who had received CIP training and had a PRA on file, was authorized to access the server. Also, all of the devices within the ESP had anti-virus protection and the devices were password protected. URE had continuous electronic monitoring of the ESP and fewer than five of URE’s personnel had access. URE’s compliance program was evaluated as a mitigating factor. URE’s compliance history was also considered.
Penalty: $39,000 (aggregate for 3 violations)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: During a Compliance Spot-Check, FRCC found that URE violated R6 because it did not have a maintenance and testing program that ensured all of the covered physical security systems functioned properly.
Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could result in failure of physical security controls. The risk was mitigated, however, because URE's vendors maintained and tested all defective systems upon notification. Moreover, all systems were tested upon implementation; URE just could not produce documentation of the tests. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported a violation of CIP-006-1 R1.8 due to its failure to implement testing of the signatures on certain Cyber Assets when it tested and installed a new anti-virus product. Also, URE had not implemented a testing schedule for signature updates for its Cyber Assets that authorize and/or log access to the PSP, as required by CIP-007-1 R4. As such, RFC found that URE was in violation of CIP-006-1 R1.8, which requires that URE afford all protective measures of CIP-007-1 R4 to all Cyber Assets within its ESPs.
Finding: The violation was deemed by RFC to pose moderate risk to BPS reliability which was mitigated by the following. First, URE does have a process for the update of anti-virus and malware prevention signatures that addressed testing and installing the signatures. Second, URE installed the required signatures according to that process on all of its Cyber Assets. Third, no adverse functionality of any Cyber Asset related to URE's failure to perform signature testing occurred while the violation was ongoing. In determining the appropriate penalty, RFC considered certain aspects of URE's internal compliance program as a mitigating factor. In addition, further mitigating factors included that URE self-reported the violations and URE's cooperation during the enforcement process. URE also promptly submitted a Mitigation Plan to remediate the violation. URE agreed to RFC's findings.
Penalty: $12,000 (aggregate for four violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 1/1.1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE was found to be in violation of CIP-006-1 R1 because URE did not ensure that its Physical Security Perimeter (PSP) at its backup control center was completely enclosed in a "six-wall" border. Also, URE could not show that it had performed testing procedures, applied security patches, deployed anti-virus and malware tools, or had created recovery plans for PSP access control and monitoring devices.
Finding: The violation was deemed to pose minimal risk to BPS reliability because the PSP resides in an area of controlled access, so the ability of unauthorized personnel to gain access to the PSP is limited. The relevant PSP resides within an operator-controlled access area having the protective measures prescribed by the Standard. URE had physical access controls, monitored physical access, logged physical access, retained access logs, and had a maintenance and testing program. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.
Penalty: $65,000 (for 11 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining that it had not identified two firewalls as access points to CAs that authorize or log access to PSPs, and therefore, URE was not monitoring the two firewalls as required by CIP-005-1 R3.
Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because the two firewalls protect the badging system, so any unreported alerts would have concerned attacks on the badging system, which would not directly affect the BPS. The failure to monitor the two access points was further mitigated by the many layers of security installed on URE's system.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE was found to be in violation of CIP-006-1 R3 because it failed to have procedural controls in place for monitoring physical access at all points on its Physical Security Perimeter (PSP). WECC found that URE's PSP access control and monitoring devices provided no visual or audible alerts when the facility was accessed, and URE's transmission operators were unable to visually verify entry through the PSP until the person was already on the transmission operating floor. URE also had neither alarms giving immediate notification nor human observation by personnel responsible for controlling physical access, as prescribed in CIP-006-1 R3.
Finding: The violation was deemed to pose minimal risk to BPS reliability because operators were responsible for operation of the system and tracking physical access. Operations staff was given the needed equipment to visually inspect incoming individuals thereby providing some security against unauthorized people entering the PSP. In determining the appropriate penalty, URE's internal compliance program was considered a mitigating factor.
Penalty: $65,000 (for 11 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Following a self-report, WECC determined URE violated R1 because it failed to ensure that CAs that are part of its ESP access control and monitoring systems were afforded protections of CIP-003 R6 and CIP-007 R2, R3, and R8, as required by the Standard.
Finding: WECC determined that the violation posed a minimal risk to the reliability of the BPS because the applicable PSPs were protected by intrusion detection and protection systems and there were no alerts from these systems, or any attacks on the PSP for the duration of the violation. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.
Penalty: $200,000 (aggregate for 12 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-006-1
Requirement: 1 (three violations, one for each URE)
Violation Risk Factor: Medium (1)
Violation Severity Level: Severe (1)
Region: RFC
Issue: URE1 self-reported that it had not properly provided escorted access within the PSP for personnel without authorized access, as there were several log book entries that did not contain the time of the visitors' entries and exits or the name of the escort. URE2's and URE3's log books also did not contain all of the information required by the Reliability Standard. In addition, URE1, URE2 and URE3 did not include in their physical security plans all of the information mandated by the Reliability Standard. Furthermore, URE1, URE2 and URE3 did not provide the required protective measures for 30 control panel devices and 14 devices used in the access control and monitoring of the PSPs.
Finding: RFC found that the CIP-006-1 R1 violations constituted a moderate risk to BPS reliability since they increased the risk that someone would be able to physically access Cyber Assets that were not properly protected. But the UREs stated that visitors inside a PSP were escorted at all times and that the CCAs within the PSP were protected by security controls. In regard to the physical security plans, the UREs had other documents that contained all of the required information. The PSP diagrams, which were updated when changes were made to the PSP, were stored in a secure location and were only available to people who needed them. For the control panel devices, the application itself had the required CIP protections and the servers did have protective measures in place. The UREs also had procedures in place to protect information from unauthorized physical and electronic access and to limit ports and services. In addition, the Cyber Assets used in the access control and monitoring of the PSPs had other protective measures in place and were being monitored by the UREs' security monitoring process. Furthermore, the access control panels are hardened single-purpose devices (with port scans being the only cyber security testing available). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and were not familiar with their CIP processes and procedures (especially as compliance was divided among six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility).
But the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: SPP
Issue: URE self-reported that it did not have an adequate six-wall boundary at the PSPs at its primary control center since it had improperly used a raised floor and dropped ceiling to establish the boundary. URE also did not enclose within a proper PSP the network data cables between two PSPs (1.1). In addition, URE’s Critical Assets recovery plan did not sufficiently address recovery of the Cyber Assets used for physical access control and monitoring, as required. URE also had not listed all of its Cyber Assets used for physical access control and monitoring in its master CIP device list, meaning that those assets did not receive all of the required protective measures (1.8).
Finding: SPP found that the violation constituted only a minimal risk to BPS reliability. The primary control center and the data cabling in the backup transmission operations center were located in controlled access facilities that were protected by security guards and potential access points were obscured from view. URE also had implemented measures to detect any suspicious traffic between the servers and the associated workstations. In addition, while the workstations used for physical access control and monitoring were not on the master CIP device list or in the recovery plan, the core asset in the physical access control scheme (the physical security server) was designated as a CCA and would have been readily recoverable if the recovery plan had to be initiated. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $107,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: FRCC
Issue: URE1 self-reported a violation of R1 when it discovered that it had not identified workstations configured for security badging (which included a device used to access the physical access control server and monitor physical access control activities) as physical access control systems.
Finding: FRCC determined that the R1 violation posed a moderate risk to the reliability of the BPS, mitigated by the fact that the company had hardened systems that were maintained with updated security patches. In addition, the systems had malware protection, were only accessible to required personnel, and were located in the security control center, which is continuously manned. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.
Total Penalty: $33,000 (aggregate for 8 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE1 self-reported a violation of R1 after discovering that some of its physical access control and monitoring (PACM) devices had not been included in the entity’s annual cyber vulnerability assessment (Assessment).
Finding: RFC determined that the R1.8 violation posed a moderate risk to the reliability of the BPS, mitigated by the fact that the entity had an intrusion detection system in place during the violation and maintained 90-day logs covering operating system audit logs, application logs, system logs, virtual PC security events, system alerts, and anti-virus and malware detection alerts. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation and the entity’s commitment to compliance and reliability, to be mitigating factors in making its penalty determination. The violation began when the standard became mandatory and enforceable for the entity and ended when the entity performed an interim Assessment on its PACM devices. URE1 neither admitted nor denied the violation.
Total Penalty: $10,000 (aggregate for 6 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.1/1.8
Violation Risk Factor: Medium (1.1), Lower (1.8)
Violation Severity Level: Severe
Region: SPP
Issue: URE self-reported that it had not established a proper enclosed, "six-wall" boundary (as it improperly relied on a raised floor and dropped ceiling) for two of its PSPs. The network data cables connecting two of URE's PSPs were not contained in a "six-wall" boundary (and URE had not developed alternate measures or requested a Technical Feasibility Exception). SPP also found that one of URE's routers used to support URE's Energy Management System was contained in an ESP – but not a PSP. In addition, URE's recovery plans for its Cyber Assets did not address, as required, recovery of the Cyber Assets used for physical access control and monitoring. URE also had not reviewed the server logs for its Physical Access Control System database and had not identified all Cyber Assets used for physical access control and monitoring in its master CIP device list.
Finding: SPP found that the CIP-006-1 R1.1/1.8 violations only constituted a minimal risk to BPS reliability. The PSPs at URE's primary control center and the backup transmission operations center, which are located in a controlled access facility that was obscured from view, are continuously monitored. URE had also enacted measures to detect suspicious traffic passing between the servers and the associated workstations. In addition, the physical security server, which is the core asset in URE's physical access control scheme, was properly designated as a CCA, was part of the master CIP device list and incorporated into the URE recovery plan. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.
Penalty: $153,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium (1/1.1/1.2/1.3/1.4/1.5/1.6), Lower (1.7/1.8)
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that in numerous instances, escorted visitors in its PSPs became separated from their assigned escorts. URE also self-reported that it did not have all of its PSP drawings included as part of its physical security plan, as required, when the Reliability Standard went into effect and did not update its PSP drawings within 30 days of a physical security system redesign or reconfiguration. URE also had an inaccurate PSP drawing of one of its operations centers. During a spot check, SERC also found multiple PSPs that did not have an enclosed six-wall border, as required, or properly documented alternate measures when a complete enclosure was not physically possible. In addition, URE did not properly classify its security access controller system as part of its physical access control system and therefore did not provide its security access controller system the required cyber security protections.
Finding: SERC found that the CIP-006-1 R1 violations constituted a serious and substantial risk to BPS reliability. SERC found that URE did not properly maintain its physical security plan, did not have a complete plan that included all of URE's Cyber Assets within an ESP and PSP, and did not timely identify all physical access points to each PSP. The many PSPs without an enclosed six-wall border and the errors in the PSP drawing, as well as the unescorted access of visitors, negatively impacted URE's ability to protect its CCAs, which increased the risk of URE's CCAs being compromised or rendered inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its door controller security system, which was responsible for controlling and monitoring physical access to URE's PSPs, stopped working, and thus its personnel would not be notified of unauthorized physical access attempts. It also had 11 exterior windows in a PSP, four PSP doors and an exterior PSP window that were not being monitored for physical access attempts, as well as a malfunctioning PSP door at an operations center. URE also did not have the required documentation showing that it promptly reviewed all unauthorized physical access attempts and alerts at all of its PSPs. In addition, on two occasions resulting from a loss of connectivity to the master access control server, its PSP access control system did not provide an automated alert regarding potential unauthorized access attempts.
Finding: SERC found that the CIP-006-1 R3 violations constituted a serious and substantial risk to BPS reliability. SERC found that URE was not continuously monitoring physical access at all PSP access points and was not promptly reviewing all unauthorized physical access alerts as required, which could have permitted unauthorized access to the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: SERC
Issue: URE self-reported that, for four months, it granted unescorted access to a PSP to two janitors without having them log their access as required. In another instance, URE was unable to uniquely identify an individual's physical access, as required, when one employee, who had left his keycard at home, used another employee's keycard to gain re-entry into a PSP.
Finding: SERC found that the CIP-006-1 R4 violations only constituted a minimal risk to BPS reliability. There were no CCAs present in the area where the janitors worked and the site was under continuous surveillance. In the other instance, both employees, who had valid PRAs on file and had undergone cyber security training, had been granted authorized PSP access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: SERC
Issue: URE self-reported that one of its operations centers did not have electronic PSP access logs for around one month, as its logging service stopped logging physical access and URE did not archive the logs.
Finding: SERC found that the CIP-006-1 R5 violation only constituted a minimal risk to BPS reliability. The operations center is continuously monitored by four cameras and no cyber security incident occurred during the relevant time period. URE also had manual copies of the visitors' logs, which could be used to investigate security incidents. URE neither admitted nor denied the violation. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: SERC found that while URE did develop a maintenance and testing program to ensure that its physical security systems function properly, it did not conduct the initial maintenance and testing before the Reliability Standard came into effect as required (R6).
Finding: SERC found that the CIP-006-1 R6 violation constituted a serious and substantial risk to BPS reliability since the delayed testing and maintenance increased the risk of URE having an unidentified problem that went undetected. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-22 (January 31, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.8
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: URE self-reported that it did not apply the required protective standards (including measures regarding access controls, monitoring electronic access and system management) to one of the servers in its computer room.
Finding: WECC found that the CIP-006-1 R1.8 violation only constituted a minimal risk to BPS reliability. URE had other physical security controls in place that significantly reduced the risks to the server. In approving the settlement agreement, the NERC BOTCC considered as mitigating factors URE's internal compliance program, including the continuous improvements in URE's compliance culture and URE's enactment of all applicable compliance directives. URE was also cooperative during the enforcement process and did not conceal any violations. With regard to the CIP violations, URE undertook voluntary corrective actions and self-reported the violations within a week of WECC's compliance audit. WECC evaluated as an aggravating factor a previous violation of PRC-005-1 R1 by one of URE's affiliates. But, URE had no recurring violations or relevant negative compliance history.
Penalty: $115,000 (aggregate for 6 violations)
FERC Order: Issued March 1, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 1.6
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: WECC
Issue: URE2 self-certified that on five instances it had not ensured that visitors to its PSPs were escorted at all times as required. In four instances, the visitors were only left unattended for approximately 5-10 minutes. In the fifth instance, an employee with authorized unescorted access to a PSP borrowed the access card of another employee with the same access rights, which was against URE2's procedures.
Finding: WECC found that URE2's CIP-006-1 R1.6 violation constituted a minimal risk to BPS reliability since the unescorted access only occurred on one CCA within a PSP used in URE2's management system. The CCA was protected by electronic access, logging and monitoring controls and was staffed by at least three operators. URE2 also had alarms installed that would provide alerts if the generation management threshold was misconfigured. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. The UREs' compliance program was also evaluated as a mitigating factor, as was the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE2 self-reported that, as a result of an unintentional change made by the operator to the alarm systems which prevented alarm events from being displayed on security monitors, the alarms at one of the access points to a PSP were not being monitored or reviewed as required. Because of the improper configuration, URE2's security personnel were unable to immediately review two alarm events that occurred.
Finding: WECC found that URE2's CIP-006-1 R3 violation constituted a moderate risk to BPS reliability since URE2's failure to continuously monitor physical access to its PSPs could have permitted unauthorized access to go undetected and cause harm to the CCAs. But, the CCA was protected by electronic access, logging and monitoring controls and was staffed by at least three operators. URE2 also had alarms installed that would provide alerts if the generation management threshold was misconfigured. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. The UREs' compliance program was also evaluated as a mitigating factor, as was the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 3.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: WECC
Issue: URE1 self-reported that it had not installed proper alarms, as required, for five of its card readers that controlled access to three of its PSPs. Four of the card readers, which controlled access to the blackstart human machine interface PSPs, were incorrectly configured. The other card reader, for the air compressor PSP, was unplugged from its power source. In addition, there were four instances where URE1 had not properly implemented the controls for monitoring its PSPs. Two of the instances involved not having the required controls in place to monitor physical access and two involved failures to re-arm card readers upon exit.
Finding: WECC found that URE1's CIP-006-1 R3.1 violation constituted a moderate risk to BPS reliability since URE1's failure to continuously monitor access to its PSPs could have allowed unauthorized access to the PSPs to go undetected. But, URE1 was continuously logging physical access, as well as continuously logging and monitoring electronic access, to its PSPs and ESPs. In addition, a username and password were required to access the CCAs; card readers were in place at the blackstart human machine interface PSPs; and key access, confined to a limited number of authorized personnel, was required for the air compressor PSP. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. The UREs' compliance program was also evaluated as a mitigating factor, as was the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-006-1
Requirement: 4
Violation Risk Factor: Lower
Violation Severity Level: High
Region: WECC
Issue: URE2 self-reported that, as a result of a software misconfiguration, alarms from the PSP were not being sent to the central alarm station and therefore alerts did not appear on the security monitors, resulting in inaccurate logging of the employees who accessed the PSP using only hard keys.
Finding: WECC found that URE2's CIP-006-1 R4 violation constituted a minimal risk to BPS reliability since the relevant access point only protected one CCA that was used in the management system. The CCA was protected by electronic access, logging and monitoring controls. URE2 also had alarms installed that would provide alerts to the operators if the generation management threshold was misconfigured. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. The UREs' compliance program was also evaluated as a mitigating factor, as was the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (MRO_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: MRO_URE1 self-reported a violation of R1 after discovering that it had not applied certain protective measures required by R1 to two of its Cyber Assets (CAs) that authorize and/or log access to PSPs. Specifically, for both assets, the company did not have a documented process for change control and configuration management for adding, modifying, replacing or removing CCA hardware or software, nor had it enabled only required ports and services. The company had further failed to document cyber security test results in certain instances of significant changes to existing CAs, and also failed to document security patch assessments and compensating measures to mitigate risk exposure. Additionally, the company had not maintained audit trails of the use of a shared account, changed user account passwords on an annual basis or reviewed logs of system events related to cyber security. Lastly, MRO_URE1 did not include a review of required ports and services in its network vulnerability assessment. There were a number of additional violations pertaining to each of the assets individually.
Finding: MRO determined that the R1 violation posed a moderate risk to the reliability of the BPS because although the company's failure to implement operational and procedural controls to manage access to PSPs could allow unauthorized and unnoticed access to the CAs, the ports and services at issue were only open to trusted MRO_URE1 corporate networks that were equipped with numerous other security protocols. In addition, there were no cyber security incidents during the violation period. MRO entered a notice of confirmed violation and MRO_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1. MRO considered MRO_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to MRO_URE1 and ended when the company completed its mitigation plan. MRO_URE1 admits the R1 violation.
Penalty: $10,000 (aggregate for 5 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (SPP RE_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: SPP RE_URE1 self-reported a violation of R1 when it discovered that its physical access control (PAC) system had not been provided with all required protective measures under R1.8. The company was unable to produce required documentation pertaining to the PAC system, nor did the company document change control and configuration management activities for changes to its PAC system.
Finding: SPP RE determined that the R1 violation posed a minimal risk to the reliability of the BPS because the PAC application was hosted on a server that was physically within the company's control center PSP to which only authorized personnel had physical access. The PAC system itself was further protected by the corporate firewall for which logs were collected and analyzed. In addition, PRAs and training had been provided to all users with login credentials to the PAC server. SPP RE and SPP RE_URE1 entered into a settlement agreement whereby SPP RE_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1. SPP RE considered SPP RE_URE1's ICP a neutral factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to SPP RE_URE1 and ended upon completion of the mitigation plan. SPP RE_URE1 neither admits nor denies the R1 violation.
Penalty: $8,000 (aggregate for 3 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (WECC_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: WECC_URE1 self-reported a violation of R1 after the company failed to provide all protective measures required by R1.8 to 15 CCAs that were used in the access control and/or monitoring of 23 PSPs. The company further noted that updates and patches to third-party software on 21 CCAs that were used to authenticate access rights, control access, and log access attempts to PSPs during server outages had not been assessed or documented.
Finding: WECC determined that the R1 violation posed a minimal risk to the reliability of the BPS. WECC found that the risk was mitigated by the PSP in which all devices were secured and by the personnel risk assessments and training required of all personnel with access to the devices. The risk was further mitigated because a subset of the CCAs were provided protections of 18 requirements under R1.8, and the remaining devices had no internet connectivity and were equipped with security measures that detect and mitigate exposure and propagation of malware. WECC and WECC_URE1 entered into a settlement agreement whereby WECC_URE1 agreed to undertake other mitigation measures to come into compliance with R1. WECC considered the company's ICP a mitigating factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable for WECC_URE1 and ended when the company completed its mitigation plan. WECC_URE1 agrees/stipulates to the R1 violation.
Penalty: $35,000 (aggregate for 2 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)
Reliability Standard: CIP-006-1
Requirement: 1.1, 1.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: While conducting a compliance audit, RFC found that URE 1, URE 2, and URE 3 failed to comply in four ways with CIP-006-1. First, the UREs failed to ensure that the Cyber Assets within the ESP reside within an identified PSP, for instance, by not maintaining a six-wall border between the maintenance hall and an adjacent conference room. Second, where a six-wall barrier was not feasible, the UREs failed to deploy and document alternative measures to control physical access to the CCAs. This included a Cyber Asset (a cable) located within an ESP but found outside a defined PSP. Third, the UREs failed to control physical access to radio signals used to communicate between the CCAs and the control house. Fourth, the UREs failed to identify physical access points through each PSP and measures to control entry at those access points in their physical security plan.
Finding: RFC found that these violations posed a moderate risk to BPS reliability because of the increased likelihood of physical access to CCAs, but that the violations did not pose a serious or substantial risk. RFC found that the risks were mitigated because (1) all of the access points to the control center PSPs were properly secured through an access control system, and (2) there were multiple layers of protection in place for the ESPs, including the use of an identifiable router at each substation that segregated the CCAs from non-critical items to which workers required access. Finally, the UREs had documented the access points to the PSPs, though they failed to include or reference changes in their physical security plan. In determining the appropriate penalty and approving the settlement agreement, RFC considered the UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, for which RFC afforded significant mitigating credit. None of the violations posed a serious or substantial risk to BPS reliability. However, the UREs’ violation history was considered an aggravating factor.
Total Penalty: $120,000 (aggregate for 24 violations)
FERC Order: Issued April 26, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that it had not applied application-based patches (only operating system patches) to its Cyber Assets that authorize and/or log access to the PSP.
Finding: RFC found that the violation constituted a moderate risk to BPS reliability since it increased the risk of known vulnerabilities infiltrating network traffic into the ESP that could have been prevented by the mandated security patches and upgrades. But, URE’s Cyber Assets that authorize and/or log access to the PSP have updated anti-virus protection in place and are contained in an isolated, firewall-protected network that is monitored by an intrusion detection system. The logging activities on these systems are further monitored by an enterprise security information and event management solution. URE’s compliance program was evaluated as a mitigating factor. URE admitted the violation.
Total Penalty: $0
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: URE self-reported that its Physical Security Plan was not approved by a senior manager as mandated by its corporate CIP cyber security policy. URE also discovered three places where it did not have a required six-wall PSP.
Finding: MRO found that the violation constituted a moderate risk to BPS reliability. 150 individuals had physical access to one of the PSPs, but an additional 676 people had access to the building that housed the PSP. But, the facility was continuously staffed and monitored for unauthorized access. At the other facility, only one of the two rooms was continuously staffed. The facility had motion detectors, which are an alternative measure for non-continuous six-wall barriers (even though the motion detectors were not properly documented). In addition, the Physical Security Plan was being reviewed and updated on an annual basis. URE’s internal compliance program was viewed as a mitigating factor. URE admitted the violation.
Total Penalty: $15,000
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1/1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: URE self-reported that its PSP was not completely contained within a “six-wall” border as required (as there were openings above the dropped ceilings where the solid surface wall did not extend completely to the solid surface ceiling) and that it did not implement any alternative measures.
Finding: MRO found that the violation constituted a moderate risk to BPS reliability since there were large gaps in the “six wall” border and the violation persisted for two and a half years. In addition, not all of the personnel who had had access to the secured building that contained the PSP also had authorization rights to the PSP. But, the building was continuously staffed. URE admitted the violation.
Total Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not provide all of the required protections to certain of its Cyber Assets (i.e., its application server and database server) used in the access control and monitoring of its PSPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since the lack of full protection for the Cyber Assets could reduce URE’s ability to monitor and control access to its PSP. But, the relevant devices were contained in a physically secure facility that was continuously manned and monitored. In addition, multi-factor authentication is required for all electronic access to the devices. There are also logs of all traffic entering the ESPs. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $53,000 (aggregate for 13 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1/1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not provide all of the required protections to certain of its Cyber Assets (i.e., its application server and database server) used in the access control and monitoring of its PSPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since the lack of full protection for the Cyber Assets could reduce URE’s ability to monitor and control access to its PSP. But, the relevant devices were contained in a physically secure facility that was continuously manned and monitored. In addition, multi-factor authentication is required for all electronic access to the devices. There are also logs of all traffic entering the ESPs. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $58,000 (aggregate for 14 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: During a compliance audit, TRE determined that URE's parent company's physical security policy and NERC-CIP-006 policy were not approved by a senior manager or delegate and were not subject to an annual review, as required. Also, URE's policy on PSP updates was not amended in accordance with the changes in the Reliability Standard.
Finding: TRE found that the CIP-006-1 R1 violation constituted a moderate risk to BPS reliability. But, the substance of URE's physical security plan complied with the Reliability Standard. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $137,000 (aggregate for 24 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Texas RE
Issue: During a compliance audit, Texas RE found that the physical security policy in use by URE had not been approved by a senior manager or delegate. URE was unable to show that its physical security plan was being reviewed yearly. URE also did not update the plan with respect to PSP updates in accordance with the stated time requirements.
Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Risk was mitigated because although the plan had not been approved or reviewed as required, it was in use during the relevant time period. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.
Total Penalty: $137,000 (aggregate for 24 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that two PSPs at URE’s generating station did not satisfy the requirements to be a “six-wall” border, as there were three holes in the distributed control system shop PSP and a breach in an unsecured door in the control room PSP. URE also did not properly secure three devices providing PSP access control at URE’s generating station (two control panels in the control centers and a workstation for managing access control and monitoring for the PSPs). URE also did not establish a visitor control program as required.
Finding: WECC found that the CIP-006-1 violation constituted only a minimal risk to BPS reliability. The access points at issue were equipped with alarming and monitoring equipment. In addition, the control center and generating station are subject to continuous remote monitoring and protected by layered physical security. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1; 1.8
Violation Risk Factor: Lower
Violation Severity Level: High
Region: ReliabilityFirst Corporation (RFC)
Issue: URE1 self-reported that, while undergoing a vendor evaluation of its CIP program, it was found not to have given all CIP protections to all devices classified as Cyber Assets used in the access control and/or monitoring of its PSP, particularly specific operator workstations for badge creation and provisioning, user access rights management, monitoring alarms related to the PSP, and remote control of lock mechanisms.
Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. RFC found the unprotected workstations provide opportunity for unauthorized PSP access; however, risk was mitigated because the workstations are located in buildings with controlled, monitored access. Individuals accessing the workstations had completed PRAs on file and cyber security training. In addition, the workstations themselves have some CIP protections. In determining the appropriate penalty, RFC considered URE’s ICP to be a mitigating factor. Mitigating credit was also given because URE self-reported the issues.
Total Penalty: $0 (for 2 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1.8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a Compliance Audit, WECC found URE1 to be non-compliant with CIP-006-1 R1.8 because it was not complying with password rules, including the annual change and complexity requirements.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk. The risk was mitigated because URE1 has 24/7 logging and monitoring of physical and electronic access in place at all facilities, including the facility involved in this violation. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.
Total Penalty: $62,500 (aggregate for seven violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a compliance audit, URE1 was found to be in violation of CIP-006-1 R3 by its failure to have alarms 24/7 at all physical access points to its PSP to alert to the unauthorized opening of a door, gate, or window and provide immediate notification to responsible parties.
Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk, because unauthorized individuals could have accessed URE1’s PSP without detection; however, the risk was mitigated because URE1 has 24/7 logging and monitoring of physical and electronic access in place at all facilities, including the facility involved in this violation. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.
Total Penalty: $62,500 (aggregate for seven violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 3 (URE3), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE3 submitted a self-report stating it had not conducted an annual cyber vulnerability assessment (CVA) of its Physical Access Control Systems (PACS) devices.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk because the PACS were on a separate interface that limited user access and disabled all external internet connectivity. URE3 had an independent door access system that protected access to the building which contained identified PSPs and was in a secured area. URE3’s internal review determined that the PACS devices were provided all other protective measures required by CIP-006-1 R1.8. Also, URE3 did not identify any PACS device vulnerabilities in its CVA. In determining the appropriate penalty, SERC considered URE3’s ICP as a mitigating factor.
Total Penalty: $5,000 (aggregate for two violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)
Reliability Standard: CIP-006-1
Requirement: 1, 1.8
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: NPCC
Issue: URE1 self-certified a violation of CIP-006-1 R1 due to its failure to employ all the security measures required for Cyber Assets used in the access control and monitoring of a Physical Security Perimeter (PSP). URE1 manages a generation site with Critical Cyber Assets (CCAs) that are vital to the functioning of one of its Critical Assets. The firewalls required to protect the PSP, pursuant to CIP-005 R2, were not configured appropriately to detect and generate alerts on attempts at unauthorized access. Additionally, the access logs were not reviewed or assessed for attempted or actual unauthorized access at least every 90 calendar days.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk. Although these firewalls were not correctly configured to detect and alert on unauthorized access, the entity’s centralized electronic security and control systems detected and notified on security events based on application interface accounts as well as information from firewall traffic. NPCC did not identify any cyber security incidents during the period of the potential violation. Additionally, URE1 requires that personnel meet the requirements prescribed in CIP-004 R3 and R4 in order to obtain unescorted physical access and approved cyber access. The generation site is also staffed twenty-four hours a day, seven days a week. In determining the appropriate penalty, NPCC considered URE1’s ICP as a mitigating factor.
Total Penalty: $7,000 (aggregate for 2 violations)
FERC Order: Issued August 26, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it was non-compliant with CIP-006-1 R1 when it discovered during an internal compliance audit that eight PSPs at two facilities did not have the required six-walled protection.
Finding: The violation was deemed to pose a minimal, but not serious or substantial, risk to BPS reliability, which was mitigated because URE had other physical security measures in place, and the PSPs were in facilities with restricted and monitored physical access. Facility access was logged and limited to individuals who needed access and who had PRAs on file and had been trained in cybersecurity. URE’s security personnel, who monitor the PSP access points 24/7, would have been alerted to any unauthorized access. URE and WECC reached a settlement whereby URE stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.
Total Penalty: $198,000 (aggregate for ten violations)
FERC Order: Issued August 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported that it did not provide all of the required protective measures for six of its Cyber Assets used in the access control and monitoring of the PSPs. For example, URE did not have configuration management processes, security status monitoring, test procedures or test environment, patch management processes or documented recovery plans for these devices.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk that those six Cyber Assets would be manipulated. But, all logical access attempts were actively monitored and logged. The six Cyber Assets were also protected by a secure network with restrictive firewalls and contained in secured rooms with limited access. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $150,000 (aggregate for 16 violations)
FERC Order: Issued October 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported that it did not properly document its maintenance and testing program and did not perform the required maintenance and testing on its physical security systems for six devices used in the physical access control and monitoring of its PSPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk that URE’s physical security system would malfunction and allow unauthorized access to the PSPs to go unmonitored and unchecked. But, URE’s CCAs and the devices used in physical access control and monitoring are subject to continuous electronic monitoring and logging and are located within a restrictive network. The CCAs and devices are also protected by antivirus and malware prevention tools and are backed up on a weekly basis. URE also had documentation of the ports and services enabled on those devices. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $150,000 (aggregate for 16 violations)
FERC Order: Issued October 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: In advance of a compliance audit, URE self-reported that it did not properly identify seven card access controllers as physical access control systems (PACS) and therefore did not provide them with the required protective measures. URE also did not enact electronic access point rules restricting traffic to the ports and services required for operation and monitoring of the PACS. URE also did not have sufficiently complex passwords on certain of its local accounts and shared accounts for one business unit.
Finding: SERC found that the CIP-006-1 R1 violation constituted a moderate risk to BPS reliability since it increased the risk that someone would gain unauthorized access to the PACS and harm the CCAs. But, URE’s CCAs were protected by intrusion detection and prevention systems that monitor for malicious activity. In addition, URE had implemented procedural controls for business unit passwords. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $110,000 (aggregate for 15 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance audit, SERC found that URE did not sufficiently document and implement the technical and procedural controls for continuously monitoring physical access to the PSP. Under URE’s monitoring procedures, the physical access control systems (PACS) were not configured to send email alerts to the URE personnel responsible for immediately reviewing and responding to alarms regarding unauthorized or invalid badge swipes. In addition, a PSP door at one of URE’s operations centers did not trigger an alarm when forced open. URE’s personnel also did not immediately notice and respond to a held-door alarm. And after URE performed maintenance on a door to the PSP, URE inadvertently did not reactivate the automated alarm email notifications for four days and thus was unable to immediately respond to alarms during that period.
Finding: SERC found that the CIP-006-1 R3 violation constituted a moderate risk to BPS reliability, as failure to promptly respond to alarms increases the risk of unauthorized physical access to CCAs. But, all of URE’s Critical Assets are protected by established PSPs, with all of the physical access points secured by mechanical and/or electric locks. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $110,000 (aggregate for 15 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE did not provide its PSP physical access control and monitoring (PACM) devices with the required protective measures as required.
Finding: WECC determined that the violation constituted only a minimal risk to BPS reliability. URE’s physical access control system functions as a stand-alone system separate from the ESPs containing Cyber Assets or CCAs and as a result, any electronic access to URE’s PACM devices would not pose a risk to URE’s Cyber Assets or CCAs within the ESPs. Moreover, URE’s PACM devices are equipped with a backup and recovery process and are contained within a layered security perimeter. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Total Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SERC
Issue: URE self-reported that it did not identify or provide all of the required protective measures for numerous devices that made up its Physical Access Control Systems (PACS). In addition, URE’s PACS recovery plan did not contain the required device-specific language or adequately address events of varying durations and levels of severity. URE did not have a proper six-wall boundary in certain of its PSPs (as it had walls that did not reach the ceiling) and URE did not enact alternative measures. There were also instances where URE did not provide continuous escorted access to contractors in the PSP. URE also did not appropriately manage and secure 10 shared accounts as it did not update the passwords as required. Furthermore, URE, on certain occasions, did not properly follow its documented visitor control program procedures and did not conduct the required annual review and update of its physical security plan.
Finding: SERC found that the CIP-006-1 R1 violation constituted a moderate risk to BPS reliability since inadequate protection of the PACS devices increases the risk of unauthorized individuals being able to gain access to URE’s CCAs and rendering them inoperable. But, URE had implemented other measures to monitor and limit access to the CCAs, including having physical security personnel, closed circuit television and card readers. In addition, the gaps in the PSPs were not easily accessible. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it had not been issuing physical access cards to its personnel pursuant to its internal physical security policy. URE did not maintain an accurate inventory of the encode numbers that were previously assigned to personnel that no longer required physical access to secured areas, which led to URE reissuing encode numbers to personnel other than the personnel that the encode number was initially associated with.
Finding: SERC found that the CIP-006-1 R2 violation constituted a serious or substantial risk to BPS reliability since it increased the risk that unauthorized malicious personnel would be able to gain physical access to URE’s CCAs and Cyber Assets and render them inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-006-1
Requirement: 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: In response to a compliance audit, URE self-reported that, as a result of a malfunction, one of the doors to the PSP was not sending the required “door ajar” alarm to the Physical Access Control Systems (PACS). In addition, during scheduled network maintenance in which URE’s corporate security control center lost communications with the devices monitoring the physical access points at two PSPs, a security officer failed to respond to an alarm notification and did not dispatch personnel to the impacted physical access point as directed by the alarm. Thus, two of URE’s PSPs were not being monitored as required for approximately five hours. URE did not fully implement the required technical and procedural controls for continuously monitoring the access points to the PSPs.
Finding: SERC found that the CIP-006-1 R3 violation constituted only a minimal risk to BPS reliability since URE’s PSPs were continuously staffed by security officers and access was restricted by card readers and locks. The door with the faulty alarm remained secure and access to the PSPs was controlled when the security officer failed to respond to the alarm. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-29 (January 30, 2014)
Reliability Standard: CIP-006-1
Requirement: 1/1.1/1.2/1.3/1.4/1.5/1.6/1.7/1.8/1.9
Violation Risk Factor: Medium (1/1.1/1.2/1.3/1.4/1.5/1.6), Lower (1.7/1.8/1.9)
Violation Severity Level: Severe (1/1.1/1.2/1.3/1.4/1.5/1.6)
Region: WECC
Issue: URE self-certified that it had CCAs (openly accessible human machine interfaces with touch screen monitors that allow for local control of equipment) on the exterior wall of PSPs, and thus, it did not provide a completely enclosed six-wall border for eight CCAs.
Finding: WECC found that the CIP-006-1 violation constituted only a minimal risk to BPS reliability, as the CCAs were subject to continuous physical and electronic monitoring. The alarms on the human machine interfaces would be triggered if the devices were compromised, and restrictive operating systems are installed on the human machine interfaces that limit physical access at the face of the devices. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that URE had prior violations of the Reliability Standards, which were evaluated as aggravating factors. But, URE did have an internal compliance program in place, which was viewed as a mitigating factor. URE also provided WECC with a narrative on its compliance-related improvements. URE was cooperative during the enforcement process and did not conceal the violations. The violations only posed a minimal or moderate risk to BPS reliability.
Total Penalty: $109,000 (aggregate for 5 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-006-1
Requirement: 1/1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that, at one of its generating facilities, it had a five-foot by 18-inch opening in the required six-wall border above the suspended ceiling of a PSP. In addition, for one ESP at a generating station with assets in multiple PSPs, the wiring connecting the Cyber Assets in discrete PSPs was not protected by a conduit or other six-wall boundary as required.
Finding: RFC found that the CIP-006-1 R1 violation constituted only a minimal risk to BPS reliability. The gap in the PSP would only allow access to a hallway where no CCAs are located, and an individual would need access through an additional door (protected by a card reader) in order to reach the CCAs. In terms of the wiring, URE later submitted a Technical Feasibility Exception, and the assets and wiring are located in a restricted access site that is continuously monitored. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-006-1
Requirement: 2/2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that since it did not identify its physical access control system (PACS) intelligent controllers as Cyber Assets that authorize and/or log access to the PSP, it did not provide the PACS with all of the required protective measures. URE also did not install the required logging and monitoring software agent on two servers that are Cyber Assets that authorize and/or log access to the PSP. As the logs were being overwritten in less than 24 hours, URE could not review the logs manually and did not retain the logs for the required 90 days.
Finding: RFC found that the CIP-006-1 R2 violation constituted a moderate risk to BPS reliability. The failure to protect the PACS intelligent controllers increased the risk that the administrative workstation would be compromised, while the failure to protect the servers increased the risk of an incident going undetected. The duration of the violation also prolonged URE’s exposure to the risk. But, the PACS had additional network-based monitoring systems (such as the intrusion detection system and the PACS network access point firewalls) that log network activity and feed the security information and event management system. Both servers also had the required malware prevention software. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-37 (March 31, 2014)
Reliability Standard: CIP-006-1
Requirement: 1, 2, 3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: While conducting an on-site compliance audit of URE that included facility site tours, WECC’s Audit Team found that URE had not identified all access points through each PSP and had failed to ensure that devices used in the physical access control and monitoring of PSPs were protected per CIP-006-1 R1. In particular, WECC’s Audit Team found seven instances at four PSPs where not all access points to the PSPs were documented. The Audit Team also found that URE was not classifying workstations and control panels that have the ability to grant and revoke access to PSPs as devices used in the access control and monitoring of PSPs. URE was unable to show that the devices were provided the CIP-006-1 R1.8 protections. In sum, regarding the violation of sub-requirement R1.2, URE failed to identify seven PSP access points and failed to ensure that 118 Cyber Assets used in the access control and monitoring of PSPs were afforded the protections specified in CIP-006-1 R1.8. Regarding the violation of R2, WECC’s Audit Team found an unlocked access point (two metal plates) next to a fire escape hatch in the ceiling. Although the plates were alarmed upon opening, URE had no operational or procedural controls in place to manage physical access, as required by CIP-006-1 R2. Lastly, the Audit Team found that four access points (doors) at two PSPs had no technical controls for monitoring physical access at all times (R3).
Finding: WECC determined that the R1 and R3 violations posed a moderate risk to BPS reliability, but did not pose a serious or substantial risk. URE did not provide all protections to 118 Cyber Assets and did not identify all access points to four PSPs. For this violation, the risk was mitigated because the Cyber Assets are physically located in the PSP they were protecting and were protected by physical and electronic monitoring and alarming. Regarding R3, physical access at the four access points to two PSPs had not been monitored for approximately four years, leaving open the possibility of unauthorized access to the CCAs. Regarding the violation of R2, WECC found that the violation posed a minimal, but not serious or substantial, risk to BPS reliability. Even though the access point had not been identified and afforded operational controls, the access point was alarmed in the event the metal coverings were removed. Plus, the particular substation is surrounded by a six-foot-high chain link fence topped with three-strand barbed wire. The fence has intrusion detection devices as well. Personnel with physical access all had PRAs on file and had attended cyber security training. In approving the settlement agreement, WECC considered that although the violation of CIP-006-1 R1 is URE’s third violation of that Reliability Standard, the current violation is distinct because it relates to a separate sub-requirement, and therefore WECC determined it was not recurring conduct and aggravation was not warranted for the instant violation. Also, the CIP-007-1 R1 violation is URE’s fourth violation of that Reliability Standard; however, the prior violations were concurrent with the instant violations, and therefore WECC did not consider them as an aggravating factor in the penalty determination. However, the CIP-007-1 R2 violation was URE’s second violation of that Reliability Standard, which WECC determined was an aggravating factor in the penalty determination. URE has a compliance program in place, which was given mitigating credit, and URE was cooperative during the compliance enforcement process. There was no evidence of any attempt or intent to conceal a violation, and the violations did not pose a serious or substantial risk to BPS reliability. No other mitigating or aggravating factors or extenuating circumstances affecting the assessed penalty were noted.
Total Penalty: $465,000 (aggregate for 8 violations)
FERC Order: Issued April 30, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance spot check, SERC determined that URE had two PSP access points that were undefined, undocumented and without certain documented control measures and that URE’s physical security plan incorrectly identified a PSP boundary wall.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability, as it increased the risk that URE’s PSP access points would be inadequately protected and the PSPs would not be sufficiently secure. But, URE did implement certain protections, such as monitoring physical access with guards and cameras and securing the facility through access controls and card readers. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it had two non-secured windows at two different sites that it did not identify as PSP access points as required.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability, since unidentified access points impeded URE's ability to ensure a secure PSP. However, URE used guards and cameras to monitor all physical access to its PSPs. In addition, one of the windows had glass breakage detectors, and the other window was located three stories above the generating units and was therefore difficult to access. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. SERC also considered that URE agreed to implement "above and beyond" compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not file a Technical Feasibility Exception regarding the alternate measures it employed (when it was unable to establish a six-wall physical border) to protect certain network cabling.
Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability as URE did have physical security controls in place to monitor the network cabling. The network cabling was also enclosed in a metal conduit or a cable tray and was above the ceiling in a location out of plain sight. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported a delay in a system upgrade to its physical access control system (PACS) and its failure to maintain an adequate physical security plan that provided the Cyber Assets used in its PSP access control and monitoring with the required protective measures. For example, URE granted electronic access to two PACS administrators without having PRAs on file, did not change the system control and account password in a timely manner, enabled additional ports and services beyond those required for normal and emergency operations, and did not perform the annual test of the physical security system disaster recovery plan.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability, since a lack of adequate protection for URE's access control and monitoring Cyber Assets could leave those devices vulnerable and increased the risk of unauthorized access to URE's CCAs. However, the URE administrators with improper access to the PACS had undergone preliminary screenings (including criminal background checks) and remained in good standing with URE. In addition, the passwords at issue satisfied the length requirement, and a Technical Feasibility Exception had been submitted for the complexity requirements. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. SERC also considered that URE agreed to implement "above and beyond" compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-006-1
Requirement: R4
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not maintain a manual log, or other acceptable log, to properly record the use of an equipment elevator that functions as a PSP access point. Over the course of the violation, seventy individuals had access to the area.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability, as it increased the risk that unauthorized individuals could have gained unescorted access to the PSP without URE's knowledge. However, alarms were triggered and sent to URE's monitoring and notification center whenever the equipment elevator was used. When the elevator was not in use, the only way to reach it was through a PSP. An armed response team was also always available at the PSP location. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. SERC also considered that URE agreed to implement "above and beyond" compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC found that URE did not provide all the required protective measures for 14 of its physical access control system (PACS) devices (consisting of workstations, a server and door controllers). Of those 14 devices, 6 were door controllers that could not technically support security logging, and URE failed to file Technical Feasibility Exceptions (TFEs) for them.
Finding: WECC determined that the violation constituted only a minimal risk to BPS reliability. URE's PACS devices were physically located in a protected facility with physical and electronic monitoring, and the workstations and server were protected by URE's corporate firewall, which restricted, monitored and alerted on suspicious activity. As for the door controllers, they did not have the technical ability to grant access to individuals with malicious intent. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE's compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $180,000 (aggregate for 7 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1 (1.1 and 1.3)
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that it had incorrectly designated two centers as one ESP when those centers did not share a Physical Security Perimeter (PSP). URE also did not provide an alternate physical control measure for the fiber optic circuit connecting the two centers where a completely enclosed border could not be provided for the circuit. In addition, URE did not identify a set of double doors as an access point to its PSP and did not apply the required processes and procedures for a PSP access point.
Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability, as URE independently owned and controlled the fiber circuit at issue. In addition, URE had personnel at the facility at all times, and the double doors at issue were monitored by video cameras and used only to move heavy equipment. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the Standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place, and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions, including restructuring its CIP compliance program, hiring an additional system administrator, conducting a one-day compliance workshop with SPP RE staff, and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that it did not (1) enable only those ports and services required for normal operations; (2) employ a security patch management system; (3) implement malicious software prevention; (4) implement complex password requirements; or (5) implement security status monitoring. Furthermore, URE did not request Technical Feasibility Exceptions (TFEs) for the controls it was incapable of providing.
Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability, since URE did provide all the protections that were technically feasible. While URE did not apply the required protective measures to the controllers, it did apply them to the server that managed the controllers. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the Standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place, and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions, including restructuring its CIP compliance program, hiring an additional system administrator, conducting a one-day compliance workshop with SPP RE staff, and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Texas RE
Issue: URE self-reported that it was not monitoring access to a door to one of its PSPs. URE did not immediately review access to the PSP because the door was not included on the list provided to URE's security monitoring contractor.
Finding: Texas RE found that the violation constituted only a minimal risk to BPS reliability, as the door was located in a secure facility that was staffed at all times, and access was restricted by a card reader managed by an access management and logging system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the enforcement process.
Penalty: $106,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.2/R1.3/R1.7
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: During a compliance audit, MRO determined that URE1 failed to ensure that all Cyber Assets within the ESP were also within an enclosed PSP, as URE1 had several Physical Security Perimeters that did not provide a completely enclosed six-wall border around the Cyber Assets within its ESP. Specifically, one wall had an opening over a set of double doors, and another did not have a continuous wall around a mechanical room. In addition, URE1 failed to update its physical security plan within 30 days, as required, after relocating an access point and card reader, which altered the PSP boundary.
Finding: MRO determined that the violation posed only a minimal risk to BPS reliability, as the PSP was located in a secure building with security guards, cameras and non-CIP card readers. URE1 updated its PSP configuration within four months, and the exposed areas of the PSP were relatively minor and partially blocked by conduit, wiring and ductwork. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the enforcement process, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: URE1, URE2 and URE3 (collectively, the UREs) self-reported to MRO, SPP RE and WECC, respectively, that Cyber Assets used to control and monitor access to PSPs had non-Microsoft patches that were not assessed, and that shared accounts on those Cyber Assets were not afforded the required access controls and procedures. The UREs were also unable to confirm that they had performed annual reviews of user accounts, maintained a list of users, changed passwords annually, or retained an audit trail for shared accounts on the Cyber Assets. In addition, the UREs failed to follow their CIP change control and configuration management process when making several changes to PSP devices.
Finding: MRO determined that the violation posed a serious or substantial risk to BPS reliability, since the UREs' inadequate protections increased the risk of unauthorized access to multiple BPS facilities. A large number of the UREs' accounts were unnecessary or had incorrect privileges; two-thirds of the UREs' shared accounts warranted removal, and the other third required corrective action. The UREs also failed to review access logs and maintain sufficient logs, and had an insufficient understanding of the software base of their PSP devices or of the methods for patching those systems. Additionally, the UREs failed to assess almost 25% of the patchable applications on their PSP devices. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the enforcement process, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: URE1, URE2 and URE3 (collectively, the UREs) self-reported to MRO, SPP RE and WECC, respectively, that their change control and configuration management process was not followed when a physical security vendor made a change to their physical access control system. The UREs' physical security vendor also made changes to the physical access control system without first testing them to verify that they would not adversely affect existing cybersecurity controls. The UREs also failed to test updates to two servers associated with the change. In addition, the UREs did not document the mapping of database user roles to security groups, and they failed to assign passwords to the roles.
Finding: MRO determined that the violation posed a serious or substantial risk to BPS reliability, as the UREs operate within several BPS systems and the systems at issue provided access to all of the UREs' CCAs. Multiple security groups associated with the UREs' physical security system were affected by the inadequately protected database user roles. In addition, two of the UREs' accounts had full access to the database associated with installation and configuration modification of the UREs' physical access control system. While one of the accounts unintentionally had the ability to make modifications for a year, the effects of the one change made would have been inconsequential. The third-party personnel at issue had valid PRAs and had completed cybersecurity training. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the enforcement process, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: During a joint compliance audit, SPP RE and WECC determined that URE2 and URE3 could not demonstrate that they had provided certain workstations with all the required protections, because the workstations were not properly identified as physical access control system assets. In addition, URE3 had physical access control system panel devices with open ports and services that were not required for normal or emergency operations. MRO also determined that, in a rush to thwart the risk of malware on their corporate network, the UREs deployed anti-virus signature files in their physical access control system that had been tested in their vendor's environment but not in the UREs' own.
Finding: MRO determined that the violation posed a moderate risk to BPS reliability, as the unprotected physical access control system increased the risk that someone could gain access to the UREs' CCAs or disable the access control panel devices. In addition, the UREs' ability to control and monitor their physical access control system could have been limited by the installation of anti-virus signature files that had been tested in the vendor's environment but not in the UREs'. However, the UREs had measures in place that reduced the risk. The workstations at issue were protected with current anti-virus software, were subject to the UREs' enterprise patch management program, and resided in a secure area with controlled and restricted access. Furthermore, had the workstations failed, physical access would still have been controlled through card readers connected to a door panel using a local database, and existing access rights would have remained active until the system was restored. The UREs' back-up systems were configured to ensure that alarms would continue working, and the UREs' PSPs would still have been protected by personnel stationed at them at all times. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the enforcement process, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that it was in violation of CIP-006-1 for not providing a completely enclosed six-wall border around a PSP, or providing and documenting alternate means to protect physical access to it. URE1 also reported two openings larger than 96 square inches above false ceilings at two PSPs, and network wiring that was not enclosed within a six-wall border; in two instances URE1 did not provide alternative means to block access to the wiring.
Finding: SERC determined that the violation posed a minimal risk to BPS reliability. There was an increased risk that someone could gain access to URE1's CCAs or disrupt communication on ESP wiring because of the lack of an enclosed six-wall border around the PSP locations and network wiring. However, one opening was located in a restricted area with corporate access controls and 24/7 staffing, and could only have been reached by rappelling from 30 feet above the ground in plain view of the staff and operators at the facility. The other openings were also in an access-controlled facility with 24/7 staffing; they were 30 and 20 feet above the ground and, in addition, concealed behind a false ceiling. The exposed wiring would likewise have been difficult to access without detection, since it was located above a false ceiling or below a raised floor in a secure facility with security personnel present 24/7. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit for it because it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions, including adding staff (including converting contractors to full-time employees), conducting human performance training at a cost of $50,000, installing firewall analyzer software at a cost of $485,000, and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015, 150 FERC ¶ 61,051.
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that it was in violation of CIP-006-1 for failing to provide the required protections to Cyber Assets used for Physical Access Control Systems (PACS) for its PSPs. In 74 instances, URE1 did not test cybersecurity controls prior to making significant changes. In 22 of those cases URE1 only tested that the devices still functioned, not whether existing cybersecurity controls had changed; in 17 cases the testing omitted the cybersecurity control portion; in 28 cases failover PACS were not identified as PACS, so their cybersecurity controls were not tested; and in 7 instances URE1 failed to document that testing had occurred. URE1 also failed to assess a security patch for a PACS primary database server and a standby server within 30 days of its availability. Because of confusion over who was responsible for the account, URE1 also failed to provide the protective measures required by CIP-007-1 to a shared account used for managing and reviewing access to its PSPs. Lastly, URE1 did not follow its change management procedures when implementing several patches to all of the PACS production servers that control its PSPs.
Finding: SERC determined that the violation posed a serious or substantial risk to BPS reliability, as URE1's failure to follow its physical security protection program increased the risk of unauthorized access to its PSPs, which could have resulted in corruption of its Critical Cyber Assets. URE1's insufficient testing of cybersecurity controls after significant changes to the Cyber Assets used for its PACS could have left vulnerable security controls that could have been altered to access, corrupt or destroy the PACS, allowing access to CCAs. However, had the PACS database malfunctioned, the local memory on the readers would have continued to restrict access. URE1's failure to test a database server patch could have resulted in unauthorized access to, or disabling of, the PACS database servers, but all PSPs had video surveillance, the main PSP was staffed 24/7, and door readers and control panels would have remained operable had the PACS database servers been disabled. URE1's lack of control over a shared account could have allowed someone to gain access to log information, but that access would have been read-only, preventing an intruder from altering permissions or components, and two-factor authentication was required to access the PACS. Additionally, while URE1 did not follow its change management procedures, the patches had previously been tested and approved on its corporate network, were in place for less than 14 days, and showed no negative effects when tested and deployed on non-critical systems. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit for it because it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions, including adding staff (including converting contractors to full-time employees), conducting human performance training at a cost of $50,000, installing firewall analyzer software at a cost of $485,000, and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015, 150 FERC ¶ 61,051.
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE2 self-reported that it was in violation of CIP-006-1 because it failed to test cybersecurity controls for significant changes to Cyber Assets used for Physical Access Control Systems (PACS) for PSPs before deploying them into production. In 64 incidents, URE2 did not test cybersecurity controls. URE2 only tested functionality of the devices in 22 cases; did not conduct the cybersecurity controls testing portion of its plan in 9 cases; failed to test cybersecurity controls on failover PACs because they were not identified as PACs in 28 cases; and did not document the testing in 5 cases. URE2 also failed to assess a security patch for a PACS primary database server and a standby server within 30 days of availability. In addition, protective measures required by CIP-007-1 were not provided for a shared account used in managing and reviewing access to URE2's PSP because it was not clear who was responsible for the account.
Finding: SERC determined that the violation posed a serious or substantial risk to the BPS reliability, as URE2's failure to follow its physical security protection program increased the risk of unauthorized access to its PSP, which could have resulted in corruption of its Critical Cyber Assets. URE2's insufficient testing of cybersecurity controls after significant changes were made to Cyber Assets used for its PACS could have resulted in vulnerable security controls that could have been altered to access, corrupt or destroy its PACS, allowing access to CCAs. However, in the event that the PACS database malfunctioned, the local memory on the readers would have continued to restrict access. URE2's failure to test a database server patch could have resulted in unauthorized access to or disabling of the PACS database servers. But all PSPs had video surveillance, the main PSP was staffed 24/7, and door readers and control panels would have remained operable had the PACS database servers become disabled. URE2's lack of control of a shared account could have allowed someone to gain access to log information. But access would have been limited to read only, preventing an intruder from altering permissions or components, and two-factor authentication was required to access the PACS system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk.
URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R3 (two violations – one for each URE Company)
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: The UREs self-reported that they did not require Critical Asset owners to physically observe, monitor and control access of authorized or unauthorized personnel for PSP access points during planned or unplanned PACS or communication outages. URE1 had 365 unplanned outages lasting between 15 minutes and 3 hours; 22 communication outages lasting between 3 and 6 hours; 26 communication outages lasting between 6 and 24 hours; and 3 communication outages lasting more than 24 hours. URE2 had 84 unplanned communication outages lasting between 15 minutes and 3 hours; 13 unplanned communication outages lasting between 3 and 6 hours; 10 unplanned communication outages lasting between 6 and 24 hours; and 3 unplanned communication outages lasting more than 24 hours. Both URE1's and URE2's unplanned outages were caused by technical issues from service providers or weather events. Together the UREs had 13 planned PACS server outages lasting between 15 minutes and 3 hours. Security documented planned outages as order tickets, and unplanned outages were entered as communication errors in a log. There was also a call log in which security documented all calls to the Critical Asset owners. The UREs' ambiguous definition of "immediate review", combined with their failure to stress the immediate need for personnel to monitor access points during an outage, resulted in their inability to prove physical monitoring had occurred.
Finding: SERC determined that the violation posed a moderate risk to the BPS reliability, as there was an increased risk that someone could gain unauthorized access to its PSPs due to a lack of human monitoring during planned and unplanned outages. However, facility managers were contacted during the outages and all outages were logged. The CCAs within the PSPs were protected by an intrusion detection system that triggered alarms for any unauthorized access attempts. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)
Reliability Standard: CIP-006-1
Requirement: R1/R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: When WECC met with URE to discuss self-certifications for CIP-009 R1 and CIP-009 R4, URE conveyed that 10 devices, including workstations, servers, controllers and switches, used for the physical access control and monitoring of two PSPs should have been included in the violations reported in the self-certification.
Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as the devices were kept in an ESP whereby access was restricted, monitored and logged. Furthermore, redundancy on the devices ensured that URE's network infrastructure would not be negatively affected in the case of a failure. In the event that a device experienced failure or disruption, URE had maintenance agreements with vendors, who were required to notify URE and recover the devices within eight hours of the incident. Additionally, URE regularly recorded backup tapes and had procedures in place for backing up and restoring Windows devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.
Penalty: $120,000 (aggregate for 13 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-006-1
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance audit, SERC found that URE did not have adequate controls for monitoring unauthorized access attempts to its PSP, as the alarm system it used to monitor access attempts did not immediately notify personnel when an attempt was made. URE was further in violation for having a PSP that was not configured to respond when doors were forced open.
Finding: SERC found that the violation constituted a moderate risk to the BPS reliability, as there was an increased risk that someone could access URE's CCA by forcing open an access door to the PSP that did not have an alarm that would immediately notify personnel of the event. However, during the time of the violation URE did have a written process for monitoring physical access to its PSP. Also mitigating the risk was the fact that all access points of all of URE's PSPs are monitored by closed-circuit television, and URE's first PSP is continuously monitored by personnel with a valid PRA who have also completed cybersecurity training. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's past history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after receiving a notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to the BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE's violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not provide adequate protective measures to its Cyber Assets and PACS that authorize and/or log access to the Physical Security Perimeter (PSP). Namely, the protective measures include: cyber security test procedures (R1.3), ports and services processes (R2.1 and R2.2), security patch management (R3.2), account management (R5.1.2, R5.2.1, and R5.2.3), security status monitoring (R6.1), and CVAs (R8.1, R8.2, and R8.3).
Finding: ReliabilityFirst found that the violation posed a serious or substantial risk, because the Cyber Assets could be compromised, allowing for unauthorized access to the CCAs and PSPs. Even though the PACS did not exist within the ECS ESP, they remained within the URE network. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE to ensure that all PACS are included in its CIP-006-3 R2.2 procedures.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-006-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During a compliance audit ReliabilityFirst found that URE1’s facility drawing did not properly reflect the PSP and that the wiring between two PSPs was not completely enclosed. ReliabilityFirst also found that URE2’s wiring was not completely enclosed and two areas with Cyber Assets were not identified as PSPs.
Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the affected locations were within corporate security boundaries and were thus less vulnerable to outsider attacks. Furthermore, each occurrence was a unique incident and was quickly mitigated upon discovery. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1's mitigation plan included, among other things, revising the facility drawing to show that one PSP encompassed the entire floor. URE2's mitigation plan included installing conduit around the wiring between two PSPs.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.
Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-006-1
Requirement: R1.8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During a compliance audit, ReliabilityFirst found that URE1 used two terminal servers as workstations for its PACS; however, the terminals were not identified as PACS and were not given CIP-006 protections. ReliabilityFirst found that URE1 did not record and effectuate the controls to manage constant physical access to the PSPs.
Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the terminal servers could not authorize or log access to the PSPs, and the servers were located within the PSP so that they were protected under CIP-006 R1.8. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1's mitigation plan obliged URE1 to ensure that the two terminal servers meet all CIP requirements.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.
Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP15-28-000 (April 30, 2015)
Reliability Standard: CIP-006-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: WECC_URE1 self-reported that it failed to apply required protective measures to Cyber Assets which were used in the "access control and monitoring of the Physical Security Perimeter (PSP)." This failure occurred because WECC_URE1 did not recognize that certain control panels which authorized or logged access to PSPs required the protective measures specified in CIP-006-1 R1.8.
Finding: WECC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. Deficiencies in the protections of these control panels could have allowed unauthorized personnel to gain logical and physical access to Critical Cyber Assets. However, WECC_URE1 had many measures in place to prevent unauthorized access to the control panels, including tamper detection alarms and secured buildings requiring keycards for entry. WECC viewed WECC_URE1’s internal compliance program as a mitigating factor in the determination of the penalty. In order to further mitigate this violation, WECC_URE1 (1) added keycard door controllers which controlled access to the control panels to its list of Cyber Assets controlled by CIP, (2) included the devices in CIP security assessments and programs, (3) tested alarms, and (4) filed a Technical Feasibility Exception with WECC for the keycard door controllers stating that they cannot support antivirus/antimalware software.
Penalty: $30,000 (aggregate for 2 violations)
FERC Order: FERC approved the settlement on May 29, 2015.
Region: Western Electricity Coordinating Council (WECC)
Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
WECC201002165 | CIP-006-1 | R1 | Medium/Severe | Self-Certification | When standard became mandatory and enforceable on WECC_URE1 | When WECC_URE1 finished transitioning to CIP Version 5
WECC2014014941 | CIP-005-3a | R1 | Medium/Severe | Self-Report | When server was de-commissioned and data to recover the affected assets was no longer readily available | When WECC_URE2 implemented changes to its settings so that configurations are written to a remote server when the configuration is altered, and performed manual backups on firewalls to servers, which are themselves backed up
WECC2015014926 | CIP-006-3c | R2 | Medium/Severe | Self-Report | When WECC_URE2 first failed to implement various protective measures required by CIP-006 R2.2 | Mitigation plan completion
Issue: The following violations occurred with respect to WECC_URE1 and WECC_URE2:
WECC_URE1 - WECC_URE1 violated CIP-006-1 (R1) when it failed to create and maintain a Physical Security Plan, approved by a senior manager or delegate. Additionally, WECC_URE1 violated CIP-006-3 (R1.4) when a security guard clicked the wrong checkbox in the physical access management system and gave the contractor in scope inadvertent access to a Physical Security Perimeter (PSP).
WECC_URE2 - WECC_URE2 violated CIP-005-3 (R1.5) when it failed to test backup media to ensure information essential to recovery is available, as specified in CIP-009-3 R5, and required by CIP-005-3 (R1.5) for Cyber Assets used in the access control and/or monitoring of the Electronic Security Perimeter (ESP). This issue affected 12 Cyber Assets and was caused by a lack of proper settings and procedures for the affected routers and switches. The data to successfully recover the affected assets was stored on a server that had been decommissioned and the data was stored in an irretrievable format.
Additionally, WECC_URE2 violated CIP-006-3c (R2.2) when it failed to implement the protective measures specified in CIP-007-3 R5 and R6, needed to prevent unauthorized physical access to 1 PSP. WECC_URE2 discovered that an employee, who was not authorized to grant access, was granting unauthorized personnel physical access to a PSP using other users' Physical Access Control System (PACS) credentials to make the change. This occurred because the accounts were not properly managed and the monitoring was insufficient to discover the unauthorized activity in a timely manner. The cause of this issue was that the field controllers were not identified as PACS elements, so they were not captured under the CIP management functions. Staff turnover and unclear roles and responsibilities between personnel groups led to this misidentification.
Finding: As to the violation by WECC_URE1, WECC found that the violation posed a moderate risk to the reliability of the bulk power system (BPS). Failing to create and maintain a Physical Security Plan could allow Cyber Assets within that PSP to go unprotected, unmonitored, or unchecked. This could allow unauthorized physical access to Critical Cyber Assets (CCAs) within that PSP, which could be used to affect the operation of the BPS. As compensating measures, WECC_URE1 had security in place several years prior to the beginning of this violation at all WECC_URE1 projects. All security plans included significant attention to securing the powerhouses. Further, WECC_URE1 had standard operating procedures and processes that were compliant with other regulations at the time of the violation. In its assessment of penalty, WECC also considered WECC_URE1's compliance history and determined there were no relevant instances of noncompliance.
As to the violations by WECC_URE2, WECC found that the violations posed only a moderate risk to the BPS's reliability. In the case of the CIP-005-3 violation, a failure to annually test backup media for Cyber Assets used in the access control and/or monitoring of the ESP could lead to recovery plans that are ineffective. Alternatively, WECC_URE2 may be forced to restore outdated information from a known good backup image in order to resume normal operations. As to the CIP-006-3c (R2.2) violation, a failure to control access to restricted areas, such as a PSP, could result in unauthorized access by adversaries, who could ultimately gain access to protected BPS Cyber Assets. In its determination of penalty, WECC did not give credit for WECC_URE2's Internal Compliance Program (ICP). Although WECC_URE2 had a documented ICP, WECC determined that, due to the length of the violation, WECC_URE2's ICP failed, in this instance, to adequately detect the violation in a timely manner.
Penalty: No penalty
FERC Order: Issued November 30, 2017 (no further review)
NP18-9-000: Unidentified Registered Entity (WECC_URE1), Unidentified Registered Entity (WECC_URE3), Unidentified Registered Entity (WECC_URE4)