NERC Case Notes: Reliability Standard CIP-006-3c


Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)

Reliability Standard: CIP-006-3c

Requirement: R4, R5, R6

Violation Risk Factor: Medium (R4, R5); Lower (R6)

Violation Severity Level: High (R4, R5, R6)

Region: RFC

Issue: Unidentified Registered Entity (URE) granted physical access to a room containing Critical Cyber Assets (CCAs) on two days to two contractors; however, the individual escorting the contractors to the room was not present at all times during those two days, thus leaving the contractors with unescorted physical access to the room with the CCAs. URE did not use its operational and procedural controls to manage or monitor physical access at all access points to the Physical Security Perimeters (PSPs) at all times, in violation of R4 and R5. URE further did not use its operational and procedural controls for logging physical entry at all access points to the PSP, in violation of R6.

Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000 and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because the room at issue contains CCAs that control only the two units, and the second unit was undergoing a maintenance outage and was not operating. Also, the companies providing contracted services have had a successful, long-standing relationship with URE. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations, leading to a finding that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $85,000 (aggregate for 12 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-006-3c

Requirement: R5, R1, R6

Violation Risk Factor: Medium (R5, R1), Lower (R6)

Violation Severity Level: Severe (R5, R1, R6)

Region: RFC

Issue: URE self-reported that alarms on two doors to a PSP containing CCAs had not functioned properly for a day as a result of a system failure (R5). URE also self-reported that, in three instances, its security staff granted a higher level of CCA access to two employees than was approved by URE’s site management, which resulted in a failure to implement URE’s physical security plan at its generating facility (R1). In addition, URE self-reported that as part of its physical security plan it did not properly document the specific individuals, and their access times, who visited the generating facility (R6).

Finding: RFC found that the violations of R5 and R6 constituted a moderate risk to BPS reliability. In terms of the R5 violation, the two relevant doors are emergency-exit-only doors that cannot be opened from the outside. One of the doors opens into the part of the building that contains the system control room, but the system control room was being monitored during the course of the violation. The other door was outside the main working area and was essentially sealed as a result of ongoing maintenance. Although this area was not visually monitored during the violation, opening the sealed door would have created a lot of noise, which would have alerted the system control operator. In terms of the R6 violation, all of URE’s CCA access points had alarms to prevent unauthorized access, as well as door-held and door-forced situations. RFC found that the violation of R1 constituted only a minimal risk to BPS reliability, since the relevant employees had received a PRA and the required cyber security training and they did not access any assets or areas that they were not supposed to. Certain parts of URE’s compliance program were evaluated as a partial mitigating factor.

Penalty: $35,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-006-3c

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it had not properly followed its visitor pass management control program and that it failed to document the entry and exit of two visitors to the PSP, including the date and time of their visit, and to continuously escort them within the PSP.

Finding: RFC found that the violation constituted a moderate risk to BPS reliability. The violation only involved two maintenance employees of URE, who had physical access to the plant site, and who did not alter any of the equipment settings inside the PSP. In addition, one employee, who had been employed by URE for 30 years, had received CIP training and the other employee had received a background check when he was hired. Certain parts of URE’s compliance program were evaluated as mitigating factors.

Penalty: $5,000

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-006-3c

Requirement: R1/1.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported in preparation for a compliance audit that it did not properly maintain visitor logs for its PSPs, as required. URE did have electronic logs of entry/exit of authorized personnel, but no documentation of visitors, although company policies were in place to ensure security of the PSPs. RFC found that URE was in violation of the Standard by not having a visitor control program in place in its physical security plan.

Finding: RFC found the violation constituted a moderate risk to BPS reliability because, even though URE had no procedure in place for logging visitors to the PSP, all employees and contractors were trained on visitor control and monitoring while in PSP boundaries. No visitors posed any security risks and all were escorted by authorized personnel. ReliabilityFirst considered URE’s compliance program as a mitigating factor in determining the appropriate penalty.

Penalty: $65,000 (aggregate for 6 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-006-3

Requirement: R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it did not file a Technical Feasibility Exception in order to use an alternate method of six-wall protection where the ESP extends between PSPs for its network configuration. URE also reported that two of its network switches (CAs within an ESP) did not actually reside in the PSP, as previously reported.

Finding: RFC found that the CIP-006-3 violation constituted a moderate risk to BPS reliability. However, URE controls physical access, through various access and monitoring methods, to the sites where the relevant network switches are located. URE also encrypts the network traffic between the PSPs within each ESP, and the two relevant network switches were hidden in a locked room next to the PSP. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-29 (May 30, 2012)

Reliability Standard: CIP-006-3c

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that on three occasions over a two-month period, one of its employees had gained unescorted access into a PSP. The relevant employee, who was responding to service calls at the substation control building, used another employee’s access card since his access card had been deactivated as a result of outstanding CIP training requirements. During those three instances, he did not receive an escort nor did he document his entry and exit times, against URE’s established visitor escort procedure. Based on these instances, WECC found that URE had not verified the appropriate use of physical access control (such as visitor pass management, response to loss and prohibiting inappropriate use of physical access controls).

Finding: WECC found that the CIP-006-3c violation constituted only a minimal risk to BPS reliability, since the relevant employee had received prior CIP training (even though it was expired) and had a PRA on file. In addition, visitor access to the substation is continuously monitored by URE’s security center, and the CCAs at the substation require a security token for access. In approving the settlement agreement, NERC considered as mitigating factors that the violations were self-reported; URE had an internal compliance program in place that was reviewed by WECC; URE was cooperative during the process and did not conceal the violation; URE completed all applicable compliance directives; the violations were not intentional; and this was URE’s first violation of CIP-006-3c. However, this was URE’s second violation of one of the Reliability Standards, which WECC viewed as an aggravating factor.

Penalty: $162,200 (aggregate for 2 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R1 after discovering that, while it had logged visitor access to a facility, it had failed to properly log visitor access to individual physical security perimeters (PSPs) within the facility. Additionally, two employees (Employees 1 and 2) without proper authorization had obtained unescorted physical access to the PSP for 3 minutes.

Finding: RFC determined that the R1 violation posed a minimal risk to the reliability of the BPS because despite not having logged access to the PSPs at issue, the company had logged visitor access to the facility overall, and all visitors were properly escorted while inside the PSPs during the violation period. Furthermore, Employees 1 and 2 had fulfilled the underlying requirements for unescorted access to the PSPs prior to the violation, and when their unauthorized access to the PSP triggered a security alarm, they were promptly escorted out of the PSP by security personnel. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R1.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported six of the violations covered by the settlement agreement. The violation began when the company did not properly log access to the PSPs at issue, and when it did not continuously escort a contractor while inside the PSP. It ended when the company updated its access logs to record access to the PSPs, and when the company removed the unauthorized personnel from the PSPs. URE neither admits nor denies the R1 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R1 after discovering that on one occasion, it had failed to continuously escort a contractor inside a physical security perimeter (PSP) that contained two Critical Cyber Assets, and when the company further failed to log the contractor's access to the PSP.

Finding: RFC determined that the R1 violation posed a minimal risk to the reliability of the BPS because the contractor at issue had completed a personnel risk assessment which revealed no criminal or identity issues, and the contractor's escort remained in the contractor's proximity while the contractor was in the PSP and periodically observed the contractor during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R1.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported six of the violations covered by the settlement agreement. URE neither admits nor denies the R1 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R2 when, as a promised part of a mitigation plan for a previous violation of R5 regarding a malfunctioning badge access system, the company failed to afford the required protections to a net controller. The company had agreed to protect net controllers as Cyber Assets that authorize or log access to the Physical Security Perimeter. Net controllers are physical devices that are part of the badge access system that controls access to the IT data center and electric system operations center racks therein. One of the net controllers was not protected as a Cyber Asset.

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because the company had provided the protections of a variety of other CIP reliability standards for the net controller. In addition, the net controller's physical location was within the IT data center, which was staffed 24 hours per day, and to which access was restricted through required access badges and a biometric mantrap. The company also provided video surveillance of the electric system operations center racks in the IT data center, and monitored and logged all access to CCAs within the racks. The racks themselves also had magnetic locks and a badge access system, and a firewall (access to which was limited to specific IT associates with background checks) provided continuous electronic protection for the net controller and separated it from the general network. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the company installed new devices and ended when the company configured all missed devices to send security and event logs to the log monitoring system. URE admits the R2 violation.

Penalty: $0

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 3 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 4 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 5 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 6 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 7 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 9 (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of R2 when the company found that it had failed to outfit its remote security system panels (Panels) with protective measures that authorize and/or log access to physical security perimeters (PSPs).

Finding: RFC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the company had outfitted the panels with protective measures required of other CIP standards and the panels were located within the PSPs during the violation period. The company also kept the Panels in locked or key carded cabinets with tamper alarms, and limited access to those cabinets to CIP qualified personnel. The company also monitored the Panels' operational status in its systems network operations center. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R2.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the Standard became mandatory and enforceable to the company and ended when the company afforded its Panels with all of the protective measures required by CIP-006-3c R2.2. URE neither admits nor denies the R2 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 2 (SPP RE_URE2), Docket No. NP13-27, February 28, 2013

Reliability Standard: CIP-006-3c

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: SPP RE_URE2 self-reported a violation of R5 after the company's systems operations sustained a lightning strike/power surge that destroyed a remote terminal unit (RTU), which is a part of the company's PSPs' physical access monitoring and alarm system, and that damaged several electrical devices. This damage compromised the company's real-time monitoring at the control center, the electronic management system areas, and the control center server room.

Finding: SPP RE determined that the R5 violation posed a moderate risk to the reliability of the BPS because by not monitoring physical access to ESP access points, the company risked the security of its CCAs. SPP RE acknowledged that the company, however, did not create the risk by its own actions and that security cameras were in place and operational throughout the violation period, allowing the company's control center staff to continuously monitor activity. Other physical security devices such as locks, card readers, authorization and logging controls, and data storage were also operational during the violation. Finally, the company reported no unauthorized access or access attempts to any of its ESP access points during the violation. SPP RE and SPP RE_URE2 entered into a settlement agreement whereby SPP RE_URE2 agreed to undertake other mitigation measures to come into compliance with R5. SPP RE considered the severe weather related event and lightning strike/power surge circumstances to be extenuating circumstances and a mitigating factor in making its penalty determination. The violation began when real-time monitoring was compromised and ended when the RTU was repaired and real-time monitoring was restored. SPP RE_URE2 neither admits nor denies the R5 violation.

Penalty: $0

FERC Order: Issued March 29, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-006-3c

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining the following compliance issues. URE reported that a non-critical Cyber Asset was connected to an ESP but was not located within an identified PSP, and on three separate occasions, it did not properly escort URE employee visitors. In addition, further to the multi-regional Compliance Audit, the Regional Entities found an opening in URE’s six-wall border at one facility despite the entire facility having been declared a PSP (aside from the reception area).

Finding: The violation was deemed to pose a moderate risk to BPS reliability, which was mitigated by three factors. The non-critical Cyber Asset at issue was protected by multiple layers of human observation and was located in a locked room immediately next to the PSP. In addition, two of the unescorted employee visitors were unable to access the physical location of the CCAs and were unescorted for only one and five minutes, respectively. The last unescorted employee had received training, had a PRA, and had access to other CCAs. Finally, the Regional Entities determined that, aside from the six-wall issue, the facility was otherwise very secure and the other security measures would have made it difficult for an individual to breach the six-wall border opening or gain access to any of the CCAs. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-006-3c

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining that it had not monitored two firewalls that serve as access points to Cyber Assets that authorize or log access to PSPs. While URE collected and retained firewall logs for the firewalls at issue for at least 90 days, it had not detected or provided alerts for attempted, or actual, unauthorized access to the two firewalls, as required.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated by two factors. The Cyber Assets protected by the firewalls at issue were afforded other required protections, including being located in a PSP, and having appropriate patches and password controls in place. In addition, none of the logs for the firewalls revealed unusual activity. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-006-3c

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining the following compliance issues. First, URE discovered several instances in which it had not properly logged visitor access to a PSP. In particular, whereas URE was logging only the initial entry and exit to and from a PSP by each individual, it should have been logging each and every entry and exit. There were a few instances in which such interim entries and exits had not been logged in 2010 and 2011. In addition, after conducting an internal audit of visitor logging records, URE discovered numerous discrepancies and omissions in the logs. URE also submitted a self-report to RFC reporting five additional violations of R6 in the RFC involving escorted visitor access to the facility without proper logging.

Finding: The violations were deemed to pose a minimal risk to BPS reliability which was mitigated in all instances because all visitors were escorted and URE logged visitors’ initial entries and exits from the PSP. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-006-3c

Requirement: 5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported that a telephone line from an unmanned blackstart unit to URE’s remote control room failed, which resulted in the loss of real-time alarm monitoring capabilities and the ability to quick-start the blackstart unit.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability since the blackstart unit’s physical access controls were still functional. An operator was dispatched to the blackstart unit for monitoring purposes. In addition, according to the blackstart unit’s logs, no instructions were given during the seven-hour period when the telephone line was down. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $30,000 (aggregate for 8 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)

Reliability Standard: CIP-006-3c

Requirement: 1.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE1 submitted a self-report disclosing that one contract employee was given physical access prior to CIP training in violation of the requirements of R1.4, which include visitor pass management, response to loss and prohibition of inappropriate use of physical access controls.

Finding: The violation was deemed to pose a minimal, but not a serious or substantial, risk to BPS reliability, which was mitigated because URE1 has 24/7 logging and monitoring of physical and electronic access in place at all facilities, including the facility involved in this violation. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.

Total Penalty: $62,500 (aggregate for seven violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity 4 (URE4), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-006-3c

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE4 self-certified a violation of CIP-006-3c upon finding that two temporary badges that allowed PSP access at URE4’s control center had been issued before the access rights granted during their previous use were erased from the badges, thereby allowing different access rights than intended.

Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk. The individuals who received the badges had up-to-date PRAs on file and had received CIP training. Also, the individuals were listed on URE4’s access list, and URE4’s control center is monitored 24/7. In determining the appropriate penalty, WECC considered URE4’s ICP as a mitigating factor.

Total Penalty: $10,000 (aggregate for 2 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-006-3c

Requirement: 5 (2 violations)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE1 did not review the unauthorized access attempts made by a vendor representative at one of its control centers, as required by its procedures. In addition, as a result of software errors in its client monitoring system, URE1 was not, for five hours one day, receiving alarms in its monitoring console related to unauthorized access attempts.

Finding: SERC and RFC found that URE’s CIP-006-3c R5 violations constituted a moderate risk to BPS reliability as they increased the risk of unauthorized access through inadequate technical and procedural controls to monitor the physical access points. The vendor’s unauthorized access attempts were related to an attempted office supply delivery and the representative did not realize he was attempting to gain access to a PSP (even though URE had posted signs about the restricted access). In addition, the substation was guarded by physical site protections (such as a locked gate, security fencing, door controls and periodic inspections). URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-006-3c

Requirements: R1/R1.6.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not log, as required, the entry and exit of two visitors, accompanied by a contractor with unescorted physical access rights, to one of URE’s PSPs.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability. The relevant contractor had approved access rights to URE’s CCAs and escorted the visitors at issue in the PSP. Furthermore, the PSP was protected by access controls, such as card readers, guards and continuous video monitoring. Upon a review of the surveillance video, it was concluded that all other visitors to PSPs had been properly escorted. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-006-3c

Requirements: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not record or maintain logs of a vendor-provided custodial employee’s unauthorized physical access to certain PSPs. The custodial employee at issue attempted to gain entry to a card-access and biometric-controlled center PSP with a second individual’s badge (which triggered an alarm and led to the confiscation of the badge). The custodial employee also gained access, without a valid access card or proper escort, to a control center PSP on one occasion after requesting access locally.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability. The PSP that the custodial employee entered is continuously manned and monitored. In addition, URE installed a biometric reader at the PSP entry point, which triggered an alarm when the custodial employee used the incorrect badge and the incorrect badge was promptly confiscated. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-006-3c

Requirement: R1 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not properly implement their visitor control programs as, in several instances, employees and contractors without physical access rights obtained access to the PSPs without an escort. In addition, RFC found that URE2 did not have adequate documentation showing that its physical security plan was reviewed annually and approved by a senior manager. URE2 also did not identify all physical access points through each PSP and measures to control access point entry, nor did it submit a Technical Feasibility Exception when Ethernet network cabling for CCAs could not be completely enclosed by a six-wall border.

Finding: RFC determined the violations constituted a moderate risk to BPS reliability as they increased the risk that an individual would be able to physically access, misuse or compromise unprotected Cyber Assets. However, the issues with unauthorized physical access involved existing employees and contractors (many of whom had authorizations pending) and there were no malicious attempts to enter a restricted area. The URE Companies did enact protections to control a visitor’s access to the PSPs, such as door alarms and monitoring by security personnel. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-006-3c

Requirement: R6 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not properly implement the technical and procedural mechanisms for logging physical entry at PSP access points as certain personnel were able to enter restricted areas without an escort or the appropriate access rights. URE3 also had an intermittent door lock failure on a PSP door.

Finding: RFC determined the violations posed a moderate risk to BPS reliability as they increased the risk that unauthorized individuals would be able to gain physical access to the Cyber Assets. But, there were no instances of malicious attempts to gain access to restricted areas, and the URE Companies’ employees or contractors involved were either in the process of obtaining authorization, mistakenly believed they had authorization or did not realize they needed an escort. In addition, all alarms and security notifications were working properly. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-006-3c

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that a remote terminal unit (RTU) supporting alarms for monitoring doors to its PSP stopped functioning during its 2013 CVA, and that an alarm lost functionality after a cable became disconnected from the same RTU.

Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability as URE detected and fixed both alarm failures. Moreover, URE monitors all physical access points to its facilities through closed circuit television and throughout the duration of the violation, access was logged and authorized correctly and no unauthorized access was granted. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-006-3c

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported that while replacing an air conditioning unit, it created a temporary access point to its PSP. While monitored and logged, the access point remained unarmed for several hours.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability as the temporary access point was located in a secure, fenced-in building that was equipped with key card access control and staffed at all times. Access to the room was logged, and no activity took place while the alarms were disabled. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-006-3c

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported that it did not ensure that a contractor, who installed a replacement air conditioning unit in its PSP, signed the access log as required by its physical security plan.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as the contractor was escorted at all times while in URE's PSP. In addition, the PSP resided in a building that was fenced in and staffed at all times, and access was restricted using key cards. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-006-3c

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1 self-reported that it did not thoroughly manage physical access at all access points to its PSP as a security individual, responding to an alarm, gained access without using his identification badge (considered a "unique identifier") and left the door open by maneuvering the door latch when he left the area. Shortly after, the individual was able to reenter the area without logging his entry. Upon reentry, however, the door latch was returned to normal.

Finding: MRO determined that the violation posed only a minimal risk to BPS reliability as the duration of the violation was brief and the security personnel remained close to the door while it was left open. URE1's physical access monitoring system was working correctly and a "forced door" alarm sounded when the individual opened the door without first swiping his badge. In addition, URE1 had personnel at the facility at all times and operators at the facility had a visual of the door at issue. Moreover, the individual had a valid PRA, authorized unescorted access to the CCAs, completed cybersecurity training and a legitimate business reason for entering the area. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-006-3c

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1 self-reported that it did not adequately follow access control procedures requiring sufficient logging of individuals and access times to its PSP, as there were five separate incidents where employees entered a PSP without logging their entry or following PSP access procedures. On one occasion, an employee entered a PSP without using his identification badge (considered a "unique identifier"), left the door unsecured when he left and was able to reenter without logging his access. On another day, there were two incidents where an individual followed another person into a PSP but did not swipe their badge or log their entry (known as "tailgating"). On a separate day, there were two more incidents of "tailgating."

Finding: MRO determined that the violation posed only a minimal risk to the BPS reliability as all individuals involved in the violation had current PRAs, cybersecurity training, authorized unescorted access to CCAs, and a legitimate reason to access the area. In the first incident where the employee gained access without his badge and left the door unsecured, URE1 had personnel stationed at the facility at all times and the operators could see the door. In addition, URE1 discovered the issue quickly through its active review process and quickly reported it to MRO. Since the incidents, URE1 has heightened its monitoring efforts. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-006-3c

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that a security guard failed to follow procedures or immediately investigate a "door open too long" alarm on a PSP. Four hours later an employee noticed the door was still open, reported it to the compliance program manager and proceeded to repair the door so it would close securely. Corporate security was advised by the compliance manager and video footage confirmed that the door was damaged and there was no unauthorized access attempt during the four hours the door was not secured.

Finding: SERC determined that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. URE1's failure to immediately respond to an unauthorized access alarm could have resulted in someone gaining unauthorized access to its CCA within the PSP. However, the PSP resides within an access-controlled building that is monitored by security personnel 24 hours a day, seven days a week. The PSP door is also protected by cardkey access and monitored by closed circuit video cameras, which verified there were no unauthorized access attempts during the duration of the violation. In addition, URE1's intrusion detection system, used for monitoring Cyber Assets within the ESP, would have triggered alarms for any unauthorized electronic access attempts within the PSP. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-006-3c

Requirement: R8

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit WECC found that URE did not test controls on door alarms, glass break sensors, or logging of alarms in its PACS system for access points at each PSP as part of its maintenance and testing program as required.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE had contractors conducting semi-annual preventative maintenance on its PSP. In addition, URE's PSP was guarded by staff 24/7, surrounded by a fence and additionally protected with multiple layers of security. URE's PSP security system was tested and proved to meet installation requirements on a specific date. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)

Reliability Standard: CIP-006-3c

Requirement: R1/R1.1/R1.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that for six months it failed to document all visitors to its PSP, as it discovered that during this time employees were escorting visitors to its PSP without signing them in and completing the required form. In addition, URE had a seven-foot opening to the roof above several walls, in violation of the requirement to provide an enclosed six-wall border around all Cyber Assets within its ESP.

Finding: SERC found that the violation constituted only a minimal risk to BPS reliability. While visitors did not sign in, they were accompanied at all times by an authorized employee who had a valid PRA and cybersecurity training. The opening that URE failed to enclose would have been difficult to breach, as it required one to bypass a guard, mantrap, card readers and biometric readers, and then one would have to climb above the walls to reach the opening. Another mitigating factor to the violation was that URE used a six-wall cabinet protected by access card readers and a lock to house its CCA. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s past history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after receiving a notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.

Penalty: $70,000 (aggregate for 12 violations)

FERC Order: Pending

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-006-3c

Requirement: R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that it discovered openings larger than 96 inches during a PSP inspection. ReliabilityFirst found that URE1 did not record, implement and maintain an approved PSP.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because access to the PSP from the non-compliant openings was constantly monitored. Furthermore, the openings were either difficult to access or opened onto areas accessible only by authorized personnel. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1’s mitigation plan obliged the URE to (1) perform a review of the conditions and secure all openings with steel mesh and (2) revise its physical security plan to inspect new perimeters and prevent any future violations.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29, 2015.

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-006-3c

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that an employee without authorized unescorted access entered the substation without a valid key card. URE1’s security alarms sounded upon entry and security technicians immediately investigated and escorted the employee out of the substation. The technicians found that the door lock had been disabled, but that the disablement lasted less than 5 days.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the entry was sufficiently monitored during the time that the door lock was disabled and only one unauthorized entry event occurred. Further, the entry was immediately investigated and the substation was within an area that is protected by security officers. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1’s mitigation plan obliged URE1 to properly replace the faulty door lock(s) and screen other lock mechanisms for faults.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-006-3c

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that 28 of its workstations that controlled access to the Physical Access Control System (PACS) were not protected from unauthorized physical access and were not given the protective measures required by CIP-006-3c R2.2.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized physical access to the workstations could increase the PACS servers' exposure to electronic cyber threats. However, video camera surveillance monitored all workstations, an account was required to log into the workstations, and card keys were required to enter the buildings containing many of the workstations. To mitigate the violation, FRCC_URE2 (1) installed separate workstations for visitor badging, (2) protected badging workstations with physical and cyber security measures, and (3) decided on remote choices for PACS workstations.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-006-3c

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it scanned ports on Physical Access Control System (PACS) Cyber Assets but failed to timely assess the scans' results against established baselines.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting PACS Cyber Assets at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services, and Electronic and Physical Security Perimeters protected the EACMs. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services and (2) reviewed the relevant ports and services.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2018020282

Reliability Standard: CIP-006-3c

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: During a scheduled substation service power outage that affected the availability of the electronic access controls, an unidentified entity’s employee was able to use a hard key to enter the control house Physical Security Perimeter (PSP) at a substation containing a Medium Impact BES Cyber System (MIBCS) with External Routable Connectivity (ERC). The door that the employee accessed required the use of an alternate access key for entry when electronic access controls failed or were out of service. The alternate access key was intended to trigger the Alarm Monitoring Station (AMS), which would then authenticate the person requesting access to the alternate access keys, thus enforcing two-factor authentication per the entity’s physical security plan. However, the door’s key core had not been changed. A similar incident occurred on August 9, 2016, when another employee used an issued hard key to enter a control house, even though the key core at this PSP door should have been switched out. WECC determined that the entity failed to implement a twenty-four hours a day, seven days a week procedure to manage physical access at all PSP access points. The root cause of this violation was inadequate internal controls. Specifically, there was no procedure to confirm that all PSP door lock cores had been replaced to comply with the entity’s physical security plan.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to appropriately implement its documented operational and procedural controls, the entity had a very limited number of individuals with access to the PSP, all of whom had legitimate business needs, Personnel Risk Assessments (PRAs) and CIP training. Additionally, at the time of the violation, in which no harm is known to have occurred, the employees who accessed the PSPs were authorized and had valid PRAs. The violation began when the first employee entered the PSP using a hard key (date not provided) and ended on August 30, 2016, when the ability to access the PSP using a hard key was removed. WECC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, WECC considered the entity’s compliance history and determined that two previous violations were aggravating factors in the disposition determination. To mitigate the violation, the entity changed the energized access key cores at the two applicable PSP doors, conducted an audit of all alternate access key PSP doors containing MIBCS to ensure the lock cores were appropriate, and updated its physical security plans.

Penalty: No penalty

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017018174

Reliability Standard: CIP-006-3c

Requirement: R1, R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: On June 4, 2015, an unidentified entity discovered that part of an Electronic Security Perimeter (ESP), although protected by a perimeter fence, was located outside of the designated Physical Security Perimeter (PSP) of a substation. Although the entity identified the issue in 2015, it mistakenly marked the issue as remediated. While performing a site validation assessment on October 10, 2016, the entity discovered that the relevant part remained connected to the ESP and was still located outside the PSP. WECC determined that the entity failed to ensure that all Cyber Assets within an ESP resided within an identified PSP, as required by the reliability standard. The entity submitted a Self-Report on August 14, 2017. The root cause of the violation was an inadequate process. Specifically, the entity did not evaluate the compliance of the ESP and PSP at the substation before or after it was energized.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. WECC noted that the only reason the entity discovered the violation was that it was implementing a newer version of the Critical Infrastructure Protection (CIP) standards. The entity had no preventive or detective controls and had weak corrective controls, as the violation was originally discovered in 2015 but marked as resolved and not re-discovered until October 2016. The violation began on January 13, 2012, when the substation became a Critical Asset under CIP Version 3, and ended on December 9, 2016, when the relays were disconnected from the ESP. WECC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, WECC determined the entity’s compliance history to be an aggravating factor in the penalty determination. The entity did not receive mitigating credit for cooperation because it did not quickly address the violations, determine the facts, and report the mitigation. Furthermore, the entity did not receive mitigating credit for the Self-Report of the violation, since it submitted the Self-Report 362 days after discovering the noncompliance. To mitigate the violation, the entity, among other things, enhanced both of its work management tracking systems to identify and track work at BES sites or with BES Cyber Systems, updated its procedure to include instructions on the steps to follow when adding a new ESP, updated its procedure to address its assessments for ESPs and PSPs, and created and provided training.

Penalty: $80,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1) and Unidentified Registered Entity 2 (WECC_URE2), FERC Docket No. NP18-2-000

Please search for this docket no. here ››

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

Please search for this docket no. here ››

NP18-14-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP19-11-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP19-4-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP19-7-000: Unidentified Registered Entity

Region: WECC

NERC Violation ID: WECC2016016712

Standard: CIP-006-3c

Requirement: R2

VRF/VSL: Medium/Severe

Discovery Method: Self-Report

Start Date: 6/1/2016

End Date: 7/1/2017

Issue: CIP-006-3c

The Entity submitted a Self-Report to WECC stating it was in violation of CIP-006-3c R2. The Entity did not document compensating measures to mitigate risk exposure for security patches assessed as applicable but not installed per CIP-007-3a R3, as required by CIP-006-3c R2.

The root cause of this violation was less than adequate procedures. Specifically, The Entity's preventive maintenance for equipment did not consider compliance obligations related to end-of-life equipment. Attachment A includes additional facts regarding the violation.

Finding: CIP-006-3c

The Entity has previous relevant noncompliance with CIP-006-3c R2 and CIP-007-3c R3. WECC determined The Entity's relevant compliance history with CIP-006-3c R2 to be distinct from the instant noncompliance. WECC considered the RE's relevant compliance history with CIP-007-3c R3 to be an aggravating factor.

This violation posed a serious risk to the reliability of the bulk power system (BPS). In this instance, The Entity failed to document the compensating measures applied to mitigate the risk where it did not install an applicable patch. Such failure could result in unauthorized access to the vulnerable systems.

Penalty: $356,000

FERC Order: Issued April 30, 2019

NP18-9-000: Unidentified Registered Entity 1 (RFC_URE1)

Please search for this docket no. here ››

NP18-9-000: Unidentified Registered Entity (WECC_URE1), Unidentified Registered Entity (WECC_URE3) and Unidentified Registered Entity (WECC_URE4)

Region: WECC

NERC Violation ID: WECC2016015808

Standard: CIP-006-3c

Requirement: R5

VRF/VSL: Medium/Severe

Discovery Method: Self-Report

Start Date: 7/24/2017

End Date: 10/18/2017

NERC Violation ID: WECC2016015660

Standard: CIP-006-3c

Requirement: R1; R1.7

VRF/VSL: Lower/Severe

Discovery Method: Self-Report

Start Date: 6/30/2017

End Date: 4/21/2017

NERC Violation ID: WECC2014013531

Standard: CIP-006-1

Requirement: R3

VRF/VSL: Medium/Severe

Discovery Method: Self-Certification

Start Date: 7/15/2014

End Date: 4/21/2017

Issue: CIP-006-3c R5

WECC_URE1 submitted a Self-Report stating that it was in violation of CIP-006-3c R5. Specifically, WECC_URE1 reported that it discovered six instances of potential noncompliance with CIP-006-3c R5 for not monitoring physical access at all access points to the Physical Security Perimeter (PSP) at five different substations. Per WECC_URE1's procedures, when the last employee onsite exits a PSP, they are to arm the physical security system so that interior motion sensors can monitor for window breaches. In six instances, WECC_URE1 employees did not arm the security system, which left the interior motion sensors offline. As a result, windows within the PSP had no monitoring capability for breaches of any kind. In four of the instances, employees made no attempt to arm the security system when exiting the PSP. In the other two instances, one employee entered an invalid PIN and another employee cleared alarms, which caused the system not to be armed.

WECC determined that WECC_URE1 failed to monitor physical access at all access points to the PSP twenty-four hours a day, seven days a week, on six separate occasions.

The root cause was employees not following procedures to ensure the physical security system alarm for monitoring access to windows in the PSP was enabled.
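A check a defender could run over the badge-reader and alarm-panel logs to catch exactly these three failure modes (no arm attempt, failed PIN, alarms cleared instead of armed), as an added example that is not the entity's or WECC's code; the event names, the assumed starting armed state and the five-minute grace period are assumptions, not a real vendor format.

```python
"""Flag intervals where a PSP was empty but its alarm system was not armed.
Added example, not the entity's or WECC's code: replays a constructed badge /
alarm-panel event stream (event names and the grace period are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    psp: str
    kind: str  # BADGE_IN | BADGE_OUT | ARMED | DISARMED | ARM_FAILED | ALARM_CLEARED
    actor: str = ""
@dataclass
class Gap:
    psp: str
    start: datetime
    end: datetime = None
    reason: str = "no arm attempt after last exit"
@dataclass
class _State:
    occupants: set = field(default_factory=set)
    armed: bool = True  # assumption: every panel is armed when the audit window opens
    open_gap: Gap = None

def _t(s): return datetime.strptime(s, "%Y-%m-%d %H:%M")
AS_OF = _t("2017-08-03 00:00")  # end of the constructed audit window
REASONS = {"ARM_FAILED": "arm attempt failed (e.g. invalid PIN)",
           "ALARM_CLEARED": "alarms cleared but system left unarmed"}

# Constructed sample events for three substations (not real log data).
SAMPLE = [
    Event(_t("2017-08-01 07:00"), "SUB-A", "DISARMED", "tech1"),
    Event(_t("2017-08-01 07:01"), "SUB-A", "BADGE_IN", "tech1"),
    Event(_t("2017-08-01 11:30"), "SUB-A", "BADGE_OUT", "tech1"),  # last out, never arms
    Event(_t("2017-08-01 16:00"), "SUB-A", "BADGE_IN", "tech2"),
    Event(_t("2017-08-01 17:00"), "SUB-A", "BADGE_OUT", "tech2"),
    Event(_t("2017-08-01 17:01"), "SUB-A", "ARMED", "tech2"),  # correct exit sequence
    Event(_t("2017-08-02 08:00"), "SUB-B", "DISARMED", "tech3"),
    Event(_t("2017-08-02 08:00"), "SUB-B", "BADGE_IN", "tech3"),
    Event(_t("2017-08-02 12:00"), "SUB-B", "BADGE_OUT", "tech3"),
    Event(_t("2017-08-02 12:00"), "SUB-B", "ARM_FAILED", "tech3"),  # invalid PIN
    Event(_t("2017-08-02 18:00"), "SUB-B", "ARMED", "ops"),  # armed remotely later
    Event(_t("2017-08-02 09:00"), "SUB-C", "DISARMED", "tech4"),
    Event(_t("2017-08-02 09:00"), "SUB-C", "BADGE_IN", "tech4"),
    Event(_t("2017-08-02 15:00"), "SUB-C", "BADGE_OUT", "tech4"),
    Event(_t("2017-08-02 15:00"), "SUB-C", "ALARM_CLEARED", "tech4"),  # cleared, never armed
]

def find_unarmed_gaps(events, as_of, grace=timedelta(minutes=5)):
    """Return every empty-and-unarmed interval longer than `grace` (which hides
    the normal disarm-then-badge-in and badge-out-then-arm sequences)."""
    states, gaps = {}, []

    def close(st, when):  # end an open gap; keep it only if it outlasts the grace period
        if st.open_gap is not None:
            st.open_gap.end = when
            if when - st.open_gap.start > grace:
                gaps.append(st.open_gap)
            st.open_gap = None

    for ev in sorted(events, key=lambda e: e.ts):  # stable sort keeps same-minute order
        st = states.setdefault(ev.psp, _State())
        if ev.kind == "BADGE_IN":
            st.occupants.add(ev.actor)
        elif ev.kind == "BADGE_OUT":
            st.occupants.discard(ev.actor)
        elif ev.kind in ("ARMED", "DISARMED"):
            st.armed = ev.kind == "ARMED"
        elif ev.kind in REASONS and st.open_gap is not None:
            st.open_gap.reason = REASONS[ev.kind]  # record why it was left unarmed
        unattended = not st.occupants and not st.armed
        if unattended and st.open_gap is None:
            st.open_gap = Gap(ev.psp, ev.ts)  # PSP is now empty and unmonitored
        elif not unattended:
            close(st, ev.ts)
    for st in states.values():  # anything still open at the end of the window
        if st.open_gap is not None:
            st.open_gap.reason += " (still open at end of window)"
            close(st, as_of)
    return gaps
```

Running `find_unarmed_gaps(SAMPLE, AS_OF)` reports one gap per substation: the 11:30 to 16:00 window at SUB-A with no arm attempt, the failed-PIN window at SUB-B, and the SUB-C window that is still open at the end of the audit period.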

CIP-006-3c R1

WECC_URE3 submitted a Self-Report stating that it was in violation of CIP-006-3c R1.7. Specifically, WECC_URE3 reported that a fire protection project was started to provide emergency egress for control room operators. A hole was cut in the external concrete wall of the project's Physical Security Perimeter (PSP) at the intake deck level. After the hole was cut, a slab of steel was placed over the hole to prevent entry into the PSP. Later, the contractor removed the steel plate, put up forms and poured concrete walls around the entry point. Entry was again prevented by installing a temporary door with a lock. The prime contractor was the only person with a key to the door at that time. Once the concrete in the walls had cured, the contractor installed the permanent steel door, which was cored with a construction lock with, again, only one key, in the possession of the prime contractor. A door lock was later installed and only project operators had a key to that lock. A newly hired compliance coordinator noticed that the door did not have a proximity card reader on it like the other PSP access points. After doing some research, they learned that it was the newly constructed fire escape egress door built as part of the powerhouse fire protection project, which had not yet been completed.

The root cause of the violation was a lack of understanding of the CIP requirements and the need to update physical security plans within 30 calendar days of changes.

CIP-006-1

WECC discovered WECC_URE4 had multiple issues with monitoring its physical access, which originated with an earlier version of the applicable Standard, CIP-006-1 R3. Additionally, the entity attested during Completion of Mitigation Plan certification that there is no additional scope expansion. This was further verified by a WECC risk analyst during the Completion of Mitigation Plan review.
The cause of the noncompliance was inadequate procedures that led the individuals involved to underestimate the problem and to use past events as the basis for their physical access protections, combined with less than adequate data quality from the notification systems. The on-duty dispatchers incorrectly assumed that the door alarm was a false alarm, due either to a SCADA system fault or possibly to door movement caused by wind, and thus failed to take the immediate procedural action. This false assumption was based on a trend of actual or perceived false alarms following a SCADA upgrade 21 months earlier. This trend of alarms, identified as phantom alarms, was at times confused with nuisance alarms (essentially the toggling of an alarm point due to various environmental, hardware or other conditions, leading to a seemingly simultaneous initialization and clearing of the alarm point); such alarms were perceived as not credible and thus ignored.

Finding: CIP-006-3c R5

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). In this instance, WECC_URE1 failed to implement technical and procedural controls for monitoring physical access at all access points to the PSPs twenty-four hours a day, seven days a week, as it relates to windows within the PSP. If physical access is not monitored, the potential exists for nefarious individuals to interfere with operations, ultimately resulting in dropping load and/or affecting neighboring facilities. In the event that unauthorized access is granted, an unauthorized user could misoperate BPS elements.

However, WECC_URE1 had some detective controls in place. WECC_URE1 had video monitoring capabilities, which it reviewed at several prescribed times throughout the day. All access doors to the PSPs continued to be monitored; that is, door contacts, access controls, and electronic logging remained functional. WECC_URE1 reviewed the CCTV camera and alarm monitoring station system and confirmed there were no unauthorized access attempts during the duration of the violation. Based on this, WECC determined that the violation posed a moderate risk to the reliability of the BPS.

CIP-006-3c R1

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system. In this instance, WECC_URE3 failed to update its physical security plan within 30 calendar days after it created a new access point to the PSP. Such failure could result in plans not being current and allowing unknown persons into a PSP due to lack of controls. An unknown person inside a PSP could potentially misconfigure equipment in the control center and cause a loss of generation, affecting the Bulk Electric System.

However, WECC_URE3 implemented physical or electronic locks on all doors to the PSP, and the location has an armed security force that is always monitoring the facility. At all times, there are at least two armed guards to monitor the Physical Access Control Systems (PACS) and continually inspect the perimeter for security threats. The location also has a multi-tiered key control process that ensures that each individual issued a key to the facility has the correct access for their authorized need.

CIP-006-1

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. In this instance, WECC_URE4 had two separate issues with monitoring physical access. In the first issue, WECC_URE4 failed to respond to alerts generated at its SCADA system for an actual unauthorized access into a PSP. In the second issue, WECC_URE4 failed to document and implement a process that could allow for immediate notification of unauthorized access attempts to PSPs.

However, WECC_URE4 implemented good preventative controls to prevent an individual from affecting its load. WECC_URE4 also implemented detective controls to detect access to its CCAs. Specifically, WECC_URE4 implemented logical logging of the devices in scope. Additionally, WECC_URE4 implemented Closed-Circuit Television (CCTV) cameras for forensic logging and monitoring in the case of a detected event.

As further compensation, WECC_URE4's System Operators and Maintenance have monitoring and control implemented for the substation Bulk Electric System (BES) and communications assets.

Procedural controls exist for maintaining and correcting problems in the BES. Additionally, WECC_URE4 has individual procedures for each substation and transmission line, so every component in the electrical grid that WECC_URE4's Balancing Authority operates has a procedure for reference for WECC_URE4 System Operators. Consequently, potential loss of the substations in scope due to physical access to CCAs would be mitigated by various emergency operating procedures.

Penalty: No Penalty

FERC Order: Issued March 29, 2018
