Southwestern Power Administration, FERC Docket No. NP11-238-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: During a spot-check, SPP determined that Southwestern Power Administration's (SPA) test program for significant changes to Cyber Assets did not verify that existing security controls were not adversely affected by significant changes, such as patches and updates. SPA's testing only verified application functionality and did not include a test of the proper configuration and operation of the security controls themselves.
Finding: SPP assessed a $19,500 penalty for this and other Reliability Standards violations. The violations all posed a minimal risk to the bulk power system (BPS) but not a serious or substantial risk because SPA runs redundant intrusion detection systems and anti-malware software within the Electronic Security Perimeter (ESP). Moreover, SPA reported that it has not experienced a breach of ESP security. The NERC BOTCC considered the following factors: the violations constituted SPA’s second violation of one of the Reliability Standards; SPA self-reported some but not all of the violations; SPA was cooperative; SPA had a compliance program in place, but SPP did not consider it a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; SPP determined the violation posed a minimal risk but did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $19,500 (aggregated for 4 violations)
FERC Order: Order on Review of Notice of Penalty, Issued July 19, 2012, 140 FERC ¶ 61,048
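The gap SPP identified above is the difference between a functional test (the application still works after the patch) and a security-control test (the listening ports, anti-malware agent and security logging that were in place before the patch are still in place after it). The following is an added example of the second kind of check, not SPA's test program and not text from the NOP or FERC order. The control categories are drawn from CIP-007-1 R2, R4 and R6; the `ControlSnapshot` layout, the `verify_controls` function and both snapshots are constructed for illustration.

```python
"""Security-control regression check around a significant change to a Cyber Asset.

Added example: not SPA's test program and not NERC/FERC text. The snapshot
format and the two snapshots at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

Listener = Tuple[str, int]   # (protocol, port), e.g. ("tcp", 22)


@dataclass(frozen=True)
class ControlSnapshot:
    """State of the security controls on one Cyber Asset at one point in time."""
    listening_ports: FrozenSet[Listener]     # what is actually listening (R2)
    enabled_services: FrozenSet[str]         # enabled services (R2)
    antimalware_running: bool                # anti-malware agent alive (R4)
    antimalware_sig_date: str                # ISO date of the signature set (R4.2)
    log_forwarding: bool                     # security events reach the log host (R6)
    allowed_ports: FrozenSet[Listener] = field(default_factory=frozenset)  # documented R2 list


def verify_controls(baseline: ControlSnapshot, after: ControlSnapshot) -> List[str]:
    """Return one finding per security control that regressed after the change.

    Functional testing of the application is deliberately out of scope: this is
    the part a functionality-only test program misses.
    """
    findings: List[str] = []
    # R2: anything newly listening must appear on the documented allowed list.
    for proto, port in sorted(after.listening_ports - baseline.listening_ports):
        if (proto, port) not in after.allowed_ports:
            findings.append(f"new undocumented listener {proto}/{port}")
    for svc in sorted(after.enabled_services - baseline.enabled_services):
        findings.append(f"service enabled by change: {svc}")
    # R4: the anti-malware agent must still run and must not have lost signatures
    # (ISO dates compare correctly as strings).
    if baseline.antimalware_running and not after.antimalware_running:
        findings.append("anti-malware stopped")
    if after.antimalware_sig_date < baseline.antimalware_sig_date:
        findings.append(f"anti-malware signatures rolled back to {after.antimalware_sig_date}")
    # R6: security event logging must survive the change.
    if baseline.log_forwarding and not after.log_forwarding:
        findings.append("log forwarding disabled")
    return findings


# Constructed scenario: a vendor update re-enables a remote-support listener and
# leaves the anti-malware agent stopped, while the application still passes its
# functional tests.
BASELINE = ControlSnapshot(
    listening_ports=frozenset({("tcp", 22), ("tcp", 443)}),
    enabled_services=frozenset({"sshd", "ems-api", "av-agent", "rsyslog"}),
    antimalware_running=True,
    antimalware_sig_date="2011-06-30",
    log_forwarding=True,
    allowed_ports=frozenset({("tcp", 22), ("tcp", 443)}),
)
AFTER_PATCH = ControlSnapshot(
    listening_ports=frozenset({("tcp", 22), ("tcp", 443), ("tcp", 5900)}),
    enabled_services=frozenset({"sshd", "ems-api", "rsyslog", "vendor-remote"}),
    antimalware_running=False,
    antimalware_sig_date="2011-06-30",
    log_forwarding=True,
    allowed_ports=BASELINE.allowed_ports,
)


def run_example() -> List[str]:
    """Compare the constructed post-patch state against the baseline."""
    return verify_controls(BASELINE, AFTER_PATCH)


if __name__ == "__main__":
    for finding in run_example():
        print("FAIL:", finding)
```

The baseline snapshot is taken on the test system before the change, the second one after it, and a non-empty findings list blocks promotion to production. Recording both snapshots alongside the findings also produces the test-result documentation that R1.3 asks for.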
Unidentified Registered Entity, FERC Docket No. NP10-160-000 (September 13, 2010)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium/Lower
Violation Severity Level: Not provided
Region: WECC
Issue: In June 2008, an Unidentified Registered Entity (URE) self-reported that it did not have the required procedures in place for two Critical Cyber Assets (its Energy Control Center and Backup Energy Control Center). Since the URE's test methodology did not outline baseline production and development parameters, the URE was unable to show that its testing procedures minimized adverse effects on its production system or its operations. In addition, the URE did not possess sufficient documentation showing that it had conducted its testing in ways that reflected its production environment and had not recorded all of its test results.
Finding: WECC found that this violation did not pose a serious or substantial risk to the bulk power system since the URE did actually have relevant procedures in place, even though those procedures did not meet the requirements of the Reliability Standard. The duration of the violation was from July 1, 2008 through October 15, 2009. Furthermore, the violation was self-reported; it was primarily a documentation issue; and this was the URE’s first violation of this Reliability Standard. Even though the URE completed its mitigation plan late, WECC decided not to impose a penalty.
Penalty: $0
FERC Order: Issued October 13, 2010 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SERC
Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to create, implement and maintain test procedures to ensure that existing cyber security controls were still intact following changes to Cyber Assets.
Finding: The violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak. Moreover, its Cyber Control Center cyber assets only had one external link, which was with its Reliability Coordinator.
Penalty: $16,000 (aggregate for multiple violations)
FERC Order: Issued January 7, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-72-000 (December 22, 2010)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: SERC
Issue: Unidentified Registered Entity (URE) self-reported that its security patch identification application failed to identify two security patches, and thus the URE had failed to perform a required assessment of those two security patches within 30 days of availability of such patches (it was one day late).
Finding: SERC determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE's patch assessment process quickly caught the missed assessments and the URE was only one day late in assessing the missed patches. The late assessment did not delay the planned roll-out of the security patches. The duration of the violation was February 3, 2010 through February 4, 2010.
Penalty: $2,000
FERC Order: Issued January 21, 2011 (no further review)
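The failure mode in this entry is an identification tool that silently dropped two patches, so the 30-day clock in R3.1 ran without anyone noticing. A practitioner check is to reconcile the tracker against an independent list of what the vendor actually released, which catches both untracked patches and late or overdue assessments. The following is an added example of that reconciliation, not the URE's tool and not NOP text; the record layout, the `reconcile` function and every patch identifier and date below are constructed.

```python
"""Reconcile a patch-assessment tracker against vendor release dates for the
CIP-007-1 R3.1 30-calendar-day assessment window.

Added example: not the URE's patch identification application and not NERC
text. Patch identifiers and dates are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

ASSESSMENT_WINDOW = timedelta(days=30)   # R3.1: assess within 30 calendar days of availability


def assessment_deadline(released: date) -> date:
    """Last day on which an assessment of a patch released on `released` is timely."""
    return released + ASSESSMENT_WINDOW


def reconcile(vendor_releases: Dict[str, date],
              tracker: Dict[str, Optional[date]],
              as_of: date) -> Dict[str, List[str]]:
    """Classify every vendor-released patch by its status in the tracker.

    untracked: the tracker never identified the patch (the failure in this entry)
    late:      assessed, but after the 30-day deadline
    overdue:   not yet assessed and the deadline has passed as of `as_of`
    ok:        assessed in time, or still inside the window
    """
    result: Dict[str, List[str]] = {"untracked": [], "late": [], "overdue": [], "ok": []}
    for patch_id, released in sorted(vendor_releases.items()):
        deadline = assessment_deadline(released)
        if patch_id not in tracker:
            result["untracked"].append(patch_id)
            continue
        assessed = tracker[patch_id]
        if assessed is None:
            result["overdue" if as_of > deadline else "ok"].append(patch_id)
        elif assessed > deadline:
            result["late"].append(patch_id)
        else:
            result["ok"].append(patch_id)
    return result


def days_late(released: date, assessed: date) -> int:
    """Calendar days by which an assessment overran the R3.1 window (0 if timely)."""
    return max(0, (assessed - assessment_deadline(released)).days)


# Constructed data: what the vendor published versus what the tracker holds.
VENDOR_RELEASES: Dict[str, date] = {
    "VEND-2010-001": date(2009, 12, 20),
    "VEND-2010-002": date(2010, 1, 4),    # deadline 2010-02-03, assessed one day late
    "VEND-2010-003": date(2010, 1, 4),    # never picked up by the tracker
    "VEND-2010-004": date(2010, 1, 20),   # still inside the window on the check date
    "VEND-2010-005": date(2009, 12, 1),   # tracked but never assessed; deadline passed
}
TRACKER: Dict[str, Optional[date]] = {
    "VEND-2010-001": date(2010, 1, 10),
    "VEND-2010-002": date(2010, 2, 4),
    "VEND-2010-004": None,
    "VEND-2010-005": None,
}
CHECK_DATE = date(2010, 2, 4)


def run_example() -> Dict[str, List[str]]:
    """Reconcile the constructed tracker as of CHECK_DATE."""
    return reconcile(VENDOR_RELEASES, TRACKER, CHECK_DATE)


def example_days_late() -> int:
    """How late the constructed one-day-late assessment was."""
    return days_late(VENDOR_RELEASES["VEND-2010-002"], date(2010, 2, 4))


if __name__ == "__main__":
    for status, ids in run_example().items():
        print(f"{status:9s} {', '.join(ids) or '-'}")
```

Run daily against a release list that does not come from the same tool that feeds the tracker; the point of the check is that the two sources are independent, so a patch dropped by one still shows up as `untracked` from the other.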
Unidentified Registered Entity, FERC Docket No. NP11-102-000 (January 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R4
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: WECC
Issue: URE self-reported that it had not installed, or determined the technical feasibility of, anti-virus and malware prevention tools on 4.88% of its cyber assets within the Electronic Security Perimeter.
Finding: SERC determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE had various secondary detection measures in place. The duration of the violation was July 1, 2009 (the effective date of the standard for Table 1 entities) through April 13, 2010.
Penalty: $6,500
FERC Order: Issued March 2, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-106-000 (February 23, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R4
Violation Risk Factor: Medium
Violation Severity Level: High (R1); Moderate (R4)
Region: RFC
Issue: Unidentified Registered Entity (URE) self-reported to RFC a possible violation of R1.1 because, after installing a new database, URE found it did not have adequate test procedures for testing the impact of the database on its cyber security controls. URE also self-reported to RFC a possible violation of R4.2 because, due to a firewall issue, it had no procedure for updating anti-virus and malware prevention "signatures" as required by the Standard.
Finding: RFC and URE entered into a Settlement Agreement in which URE neither admitted nor denied the violations, but agreed to the assessed penalty. RFC determined that neither violation posed a serious or substantial risk to the reliability of the bulk power system. URE completed mitigation plans addressing each violation. The NERC Board of Trustees Compliance Committee considered the following in determining the penalty: the violation of CIP-004-1 R4 was a repeat occurrence, which was an aggravating factor since URE completed a mitigation plan associated with the previous violation that should have prevented a reoccurrence; URE was cooperative during the compliance enforcement process; URE's compliance program; there was no evidence of any attempt or intent to conceal a violation; and there were no additional mitigating or aggravating factors that would affect the penalty amount.
Penalty: $15,000 (aggregate for multiple violations)
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-111-000 (February 23, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: MRO conducted an audit of a Registered Entity in which it determined that the Registered Entity was unable to produce the required documentation of its test procedures or results for 58 percent of its Critical Cyber Assets (CCAs) within its Electronic Security Perimeter (ESP). The Registered Entity only possessed documentation of its test procedures and results for its Energy Management System (EMS).
Finding: MRO and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $120,000 and to undertake other mitigation measures. In terms of the CIP-007-1 violation, MRO found that the violation constituted a moderate risk to bulk power system reliability since the Registered Entity did not possess the required test procedures and results for most of its CCAs, and without a test plan it could neither verify that significant changes to its CCAs within the ESP did not adversely affect its cyber security controls nor minimize adverse effects on the production systems or their operation. However, the Registered Entity was performing some testing of its CCAs (even though it did not have a documented test plan). The duration of the CIP-007-1 violation was from July 1, 2008 through March 30, 2010. In approving the settlement agreement, NERC found that these violations were the Registered Entity's first violations of the relevant Reliability Standards; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the remedies that the Registered Entity adopted in response to the violations were considered a mitigating factor; and there were no additional mitigating or aggravating factors.
Penalty: $120,000 (aggregate for multiple violations)
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-124-000 (February 23, 2011)
Reliability Standard: CIP-007-1
Requirement: R1.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: RFC
Issue: RFC found that the Unidentified Registered Entity (URE) failed to create cyber security test procedures which are required to minimize the adverse effects of new cyber assets and significant changes to existing cyber assets.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $100,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted the URE's first violation of the subject NERC Reliability Standard; the URE self-reported 11 of the 16 violations; the URE cooperated during the compliance enforcement process; the URE's compliance program; the URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $100,000 (aggregate for multiple violations)
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-128-000 (February 23, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Not provided
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported a violation of CIP-007-1 R1. WECC Enforcement determined that although URE had informal cyber security test procedures, it did not have formal documented test procedures and did not keep a record of testing or test results.
Finding: WECC Enforcement determined the violation did not pose a serious or substantial threat to the reliability of the bulk power system because URE had cyber security test procedures in place; they just did not fully comply with all the requirements of CIP-007-1. In determining the penalty amount, the NERC Board of Trustees Compliance Committee considered the following factors: this was URE’s first occurrence of this type of violation; URE was cooperative; and the number and nature of the violations.
Penalty: $450,000 (aggregated for multiple violations)
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-133-000 (February 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: MRO
Issue: The entity self-reported that it had installed certain cyber security appliances on both its Energy Management System and its backup system and had subsequently hired a consultant to review its CIP compliance evidence. The consultant identified a potential gap in the R6 documentation because the entity may not have documented the new appliances as required; a subsequent review confirmed the gap and also found that the log retention and log review sub-requirements were not being fully met. The duration of the violation was January 26, 2010 through September 25, 2010.
Finding: MRO determined that this violation posed a minimal risk to the reliability of the bulk power system because the new appliances were implemented to monitor and improve security on the primary and backup energy management systems, the entity worked with the third-party vendor to install them, and its personnel received applicable training at the time of installation.
Penalty: $0
FERC Order: Issued March 25, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-136-000 (March 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: The Unidentified Registered Entity (URE) did not review logs of system events related to cyber security to support incident response and maintain records documenting its review of the logs.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a penalty in the amount of $14,500 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject NERC Reliability Standard; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $14,500 (aggregate for 3 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-137-000 (March 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: Prior to the effective date of the Standard for Table 1 entities, URE self-reported that it would be in violation of the Standard on its effective date because it did not have adequate test procedures for ensuring that new cyber assets and significant changes to existing cyber assets would not adversely affect existing cyber security controls. URE had hired an independent contractor to review its compliance and assist with mitigation. Duration of violation was July 1, 2008, when the Standard became enforceable for Table 1 entities, through December 16, 2008, when the violations were mitigated.
Finding: WECC Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because URE did have plans and procedures in place (though they were inadequate). Further, the NERC BOTCC concluded that the penalty was appropriate because this was URE's first violation of most of the Standards involved, URE self-reported 28 of the 30 violations, and URE was cooperative during the investigation.
Penalty: $106,000 (aggregate for 30 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-140-000 (March 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R4
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: The Unidentified Registered Entity (URE) failed to maintain adequate cyber security test procedures, as required by R1.1, and failed to document test results in all instances, as required by R1.3. Further, URE failed to use anti-virus software or other malicious software (malware) prevention tools, where technically feasible, to detect, prevent, deter and mitigate the introduction, exposure, and propagation of malware on two of its Critical Cyber Assets as required by R4.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a Settlement Agreement, including a penalty in the amount of $27,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE’s first violations of the subject NERC Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $27,000 (aggregate for 7 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-145-000 (March 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: During a spot check, WECC found that the Unidentified Registered Entity (URE) did not possess sufficient cyber security test procedures that are needed to verify that new, or significantly altered, Cyber Assets within the Electronic Security Perimeter will not adversely affect existing cyber security controls.
Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $13,000 and to undertake other mitigation measures. WECC found that the violation constituted a moderate risk to bulk power system reliability since the lack of cyber security test procedures could lead to the system being compromised. However, the test procedures that the URE did have in place were shown to minimize adverse effects on the system and its operations. The duration of the violation was from July 1, 2008 through November 15, 2009. In determining the penalty amount, NERC considered the fact that these were the URE's first violations of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not attempt to conceal the violations; and there were no additional mitigating or aggravating factors.
Penalty: $13,000 (aggregate for 3 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-161-000 (March 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R5
Violation Risk Factor: Lower (R1); Medium (R5)
Violation Severity Level: N/A
Region: WECC
Issue: An Unidentified Registered Entity (URE) self-reported violations of R1 and R5 after purchasing a facility. WECC determined that the URE violated R1 because it did not have adequate cyber security test procedures and failed to perform testing on six occasions. URE violated R5 because it did not have a sufficient audit trail of individual user account access activity per R5.1.2, and did not include two Critical Cyber Assets that must remain enabled in its Cyber Security policy, as required by R5.2.1.
Finding: WECC Enforcement determined that the violation of R1 did not pose a serious or substantial risk to the Bulk Power System because URE's test procedures went beyond those required by the Standard, and URE conducted other testing as required. The violation of R5 also did not pose a serious or substantial risk to the BPS, but it did pose a moderate risk because the URE had security systems with unmodifiable passwords, exposing the system to malicious acts by internal users. Certain systems were only accessible to authorized personnel, which WECC found mitigated the risk. The NERC BOTCC considered the following factors: URE self-reported the violations; URE was cooperative; URE had a compliance procedure in place, which WECC considered a mitigating factor; there was no evidence of any attempt or intent to conceal the violations; and there were no other mitigating or aggravating factors.
Penalty: $35,000 (aggregated for 8 violations)
FERC Order: Issued April 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: Unidentified Registered Entity (URE) failed to maintain adequate cyber security test procedures specifically ensuring that new Critical Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter do not adversely affect existing cyber security controls.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $50,000 (aggregate for 14 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-167-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R2, R3, R4, R5, R6, R7, R8
Violation Risk Factor: Medium, Medium, Lower, Medium, Lower, Medium, Lower, Medium
Violation Severity Level: N/A
Region: WECC
Issue: Unidentified Registered Entity (URE) failed to: create, implement and maintain cyber security test procedures ensuring that new Cyber Assets and significant changes to existing Cyber Assets within the Electronic Security Perimeter (ESP) do not adversely affect existing cyber security controls as required by the Standard (R1); establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled (R2); establish and document a security patch management program for tracking, evaluating, testing and installing applicable cyber security software patches for all Cyber Assets within the ESP (R3); use anti-virus software and other malicious software (malware) prevention tools, where technically feasible, to detect, prevent, deter and mitigate the introduction, exposure and propagation of malware on all Cyber Assets within the ESP (R4); document technical and procedural controls that enforce access authentication of, and accountability for, all user activity and that minimize the risk of unauthorized system access (R5); ensure that all Cyber Assets within the ESP, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security (R6); establish formal methods, processes and procedures for disposal or redeployment of Cyber Assets within the ESP as identified and documented in CIP-005 (R7); and perform a cyber vulnerability assessment of all Cyber Assets within the ESP at least annually (R8).
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $89,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts: the violations constituted URE’s first violations of the subject Reliability Standard; URE self-reported the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; URE implemented compliance procedures that led to the discovery of the violations and there were no other mitigating or aggravating factors or extenuating circumstances.
Penalty: $89,000 (aggregate for 13 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-179-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: MRO
Issue: The Unidentified Registered Entity (URE) self-reported that, as a result of its faulty implementation of a device locking security tool, it lost its Energy Management System (EMS) for 30 minutes. Further, the URE had not properly implemented cyber security test procedures that would minimize adverse effects on its production system or its operations and did not possess documentation showing the test plan and results for the security tool implementation or that the tests were being conducted in a way that reflected the production environment.
Finding: MRO and the URE entered into a settlement agreement to resolve the violation, whereby the URE agreed to pay a penalty of $10,000 and to undertake other mitigation measures. MRO and NERC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the failure of the EMS appeared to be a one-time lapse by an individual. The URE had appropriate procedures in place and had conducted training for its personnel. In addition, when the EMS failure occurred, the URE quickly detected the problem and notified its Reliability Coordinator (which did not find it necessary to increase the system status in response to the incident). During the incident, the URE’s system operators were still able to communicate directives to relevant field personnel and other control centers as needed. The violation occurred on June 16, 2009. In approving the settlement agreement and the penalty determination, NERC considered the fact that this was the URE’s first violation of this Reliability Standard; the violation was self-reported (even though it was during a Compliance Violation Investigation); the URE was cooperative during the enforcement process and did not conceal the violation; and there were no additional aggravating or mitigating factors.
Penalty: $10,000
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: Unidentified Registered Entity (URE) self-reported that it could not provide evidence that it fully implemented or documented cyber security test procedures for 12 significant CIP system application changes.
Finding: The violation posed minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because several other protections were in place. Specifically, the relevant systems were behind a monitored firewall and were protected by anti-virus software; functional testing was conducted and revealed no conflicting system operations; most changes were run successfully in a secure environment before being migrated to the production environment; new systems had standard hardened PC server builds; and there were no post-implementation issues reported.
Penalty: $2,500
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: Unidentified Registered Entity (URE) self-reported that it could not provide evidence that it fully implemented or documented cyber security test procedures for 23 significant CIP system application changes.
Finding: The violation posed minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because several other protections were in place. Specifically, the relevant systems were behind a monitored firewall and were protected by anti-virus software; functional testing was conducted and revealed no conflicting system operations; most changes were run successfully in a secure environment before being migrated to the production environment; new systems had standard hardened PC server builds; and there were no post-implementation issues reported.
Penalty: $2,500
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R2, R3, R8
Violation Risk Factor: Medium, Lower, Lower, Lower
Violation Severity Level: High, Lower, Moderate, Lower
Region: FRCC
Issue: Unidentified Registered Entity (URE) failed to: create, maintain or document a procedure for the addition of, or changes to, Critical Cyber Assets (CCAs) as required by CIP-007-1 R1; document the process to ensure that only those ports and services required for normal and emergency operations are enabled as required by CIP-007-1 R2; establish and document a program for tracking, evaluating, testing and installing the applicable cyber security patches as required by CIP-007-1 R3; and perform a cyber vulnerability assessment of all Cyber Assets within its Electronic Security Perimeter (ESP) as required by CIP-007-1 R8.
Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $23,000 for this and other violations. In reaching this determination, among other facts, the NERC BOTCC considered that the violations posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system.
Penalty: $23,000 (aggregate for 11 violations)
FERC Order: Issued May 27, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R2, R3, R4, R5, R6, R7, R9
Violation Risk Factor: Medium (R1, R2, R4), Lower (R3, R5, R6, R7, R9)
Violation Severity Level: N/A
Region: RFC
Issue: In violation of CIP-007-1 R1, Unidentified Registered Entity (URE) failed to show that it tested a server in a manner that minimized the impact to or reflected the production environment in accordance with R1.1. Although URE documented that limited testing occurred, it failed to document the results of its testing in accordance with R1.3.
URE did not sufficiently establish, document and implement a process to ensure that only those ports and services required for normal and emergency operations were enabled as required by CIP-007-1 R2. And, URE failed to create documentation identifying the critical ports and services as required by R2.
URE did not establish, document and implement a security patch management program in accordance with CIP-007-1 R3. Further, URE failed to evaluate security patches or upgrades for applicability within 30 calendar days of their availability pursuant to R3.1 and failed to document the implementation of security patches in accordance with R3.2. URE's security patch management program allowed testing and installation of applicable security patches to be deferred, but URE could not show that it implemented compensating measures in the interim to mitigate the risk exposure, as R3.2 requires.
URE's malware prevention processes stated only broad policies and did not specifically describe the processes and programs to be established to prevent malware introduction, exposure and propagation as required by CIP-007-1 R4. URE did not document and implement anti-virus and malware prevention tools on all servers and workstations, and in addition, URE failed to document and implement a process for updating anti-virus and malware prevention "signatures" pursuant to R4.2. URE did not completely address the violation of CIP-007-1 R4 in that it had not documented and implemented a malware prevention policy.
URE did not document technical and procedural controls to enforce access authentication of, and accountability for, all user activity in accordance with CIP-007-1 R5. URE did not establish documented methods, processes and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity in accordance with R5.1.2; and it did not require and use passwords subject to the criteria specified in R5.3. URE also failed to document all generic accounts in accordance with R5.2.
URE failed to implement any automated tools or organizational process controls to monitor system events related to cyber security pursuant to CIP-007-1 R6. URE did not implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter pursuant to R6.1 and ensure that its security monitoring controls issued automated or manual alerts for detected Cyber Security Incidents pursuant to R6.2.
URE did not document formal methods, processes and procedures for disposal or redeployment of Cyber Assets. URE failed to dispose of or redeploy any Cyber Assets within an Electronic Security Perimeter while it was non-compliant with CIP-007-1 R7.
URE lacked documentation of reviews and updates of the documentation specified in CIP-007-1. URE also failed to complete an annual review of all its documentation and failed to document changes resulting from modifications to the systems or controls within 30 calendar days of any change.
Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable NERC Reliability Standards; URE agreed to take actions that exceed those that would be expected to achieve and maintain baseline compliance.
Penalty: $70,000 (aggregate for 26 violations)
FERC Order: Issued September 9, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-193-000 (May 26, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: WECC
Issue: URE self-reported a violation of R1 during a self-certification submission period, and therefore self-certification was held to be the method of discovery. WECC determined that URE had a violation of R1.1 because it did not include security control tests in its cyber security test procedures, and that it had a violation of R1.3 because it did not document test results of system tests to ensure that significant changes to existing Cyber Assets within the ESP did not adversely affect existing cyber security controls.
Finding: WECC determined that the violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the BPS because, although URE's test procedures did not include tests to ensure that significant changes to existing Cyber Assets within the ESP did not adversely affect existing cyber security controls, the program did assess individual components and changes thereto prior to implementation within the production environment. WECC determined that the risk was moderate on account of the significant time-frame involved, which began upon the effective date of the Requirement. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of all but one of the Reliability Standards at issue in this NOP; URE self-reported three of the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined that all but one of the violations posed a minimal risk, one violation posed a moderate risk, and none posed a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $60,000 (aggregated for 5 violations)
FERC Order: Issued June 24, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-198-000 (May 26, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: During a spot check, SPP discovered that the Unidentified Registered Entity (URE) had not conducted specific testing of its security controls until after one update was implemented on its production system.
Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $17,860 and to undertake other mitigation measures. SPP found that the CIP-007-1 violation only posed a minimal risk to bulk power system reliability since the URE was actually conducting functional testing in order to verify that the critical applications were operating as expected. There was also minimal interaction between the SCADA network and the corporate network, and firewalls and intrusion detection systems had been installed. The duration of the CIP-007-1 violation was from July 1, 2008 through May 15, 2009. In approving the settlement agreement, NERC found that these violations were the URE’s first violations of the relevant Reliability Standards; the PRC-005-1 violation was self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place when the violations occurred (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $17,860 (aggregate for 7 violations)
FERC Order: Issued June 24, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-204-000 (June 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R5
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: A Registered Entity self-reported that the passwords on its Emergency Management System (EMS) did not satisfy the mandates for password strength and were not being changed annually as required.
Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $37,500 and to undertake other mitigation measures. WECC found that the CIP-007-1 violation only constituted a minimal risk to bulk power system reliability since the relevant accounts were only used within a monitored system internal to the Registered Entity’s system (which could only be accessed from within the ESP). The duration of the CIP-007-1 violation was from July 1, 2009 through November 13, 2009. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $37,500 (aggregate for 4 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-212-000 (June 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R2, R8
Violation Risk Factor: Medium (for R2, R8)
Violation Severity Level: Severe (for R2, R8)
Region: WECC
Issue: The Registered Entity self-certified that it had not performed a baseline scan for ports and services and therefore was unable to establish and properly document procedures to verify that the only enabled ports and services were those that were needed for normal and emergency operations (R2). The Registered Entity also self-reported that it had not performed the required analysis to show that, in regards to its Cyber Assets, the only enabled ports and services were those that were needed for the operation of the Cyber Assets within the Electronic Security Perimeter (R8).
Finding: The Registered Entity agreed to pay a penalty of $381,600 and to undertake other mitigation measures to resolve multiple violations. WECC found that the CIP-007-1 violations constituted a moderate risk to bulk power system reliability since the violations could have led to unauthorized internal or external access to Critical Cyber Assets. However, the Registered Entity did enact other security measures to mitigate potential security threats (such as periodic vulnerability scans). The duration of both CIP-007-1 violations was from July 1, 2009 through December 15, 2010. In approving the penalty amount, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; three of the violations were self-reported and three of the violations were the result of self-certifications; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $381,600 (aggregate for 6 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-213-000 (June 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R5, R6
Violation Risk Factor: Lower (R5, R6), Medium (R1)
Violation Severity Level: Not provided
Region: WECC
Issue: The Registered Entity self-reported (in response to the start of WECC’s self-certification process) that it had not instituted the needed technical and procedural controls to minimize the risk of unauthorized system access; that it had not preserved for 90 days the historical audit trails of user account access; that it had not properly managed the scope and uses of certain accounts (such as administrator, shared, factory default, and other generic accounts); and that it had not required complex passwords (R5). In addition, the Registered Entity reported that it had not established automated tools or organizational process controls needed to monitor system events regarding cyber security on four HMI PCs in the substation Electronic Security Perimeter (ESP) and 43 workstations and servers in the energy management ESP (R6). During a spot check, WECC also determined that the Registered Entity had not documented, as required, the test results concerning significant changes made to its servers (R1).
Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $143,500 and to undertake other mitigation measures. WECC found that the CIP-007-1 R5 violation constituted a moderate risk to bulk power system reliability since the violation caused the Registered Entity to have an increased level of risk as a result of its failure to minimize unauthorized system access and its lack of needed controls on access authentication for all user activity. The Registered Entity did actually have secondary detection measures in place to mitigate the threat of security attacks. WECC found that the CIP-007-1 R6 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity actually had secondary compensating measures in place for the relevant devices (which only affected 5% of the Registered Entity’s applicable assets within the ESP). WECC also found that the CIP-007-1 R1 violation constituted a moderate risk to bulk power system reliability since, without proper documentation, the Registered Entity could not verify that the proposed changes to Critical Cyber Assets were appropriately tested. However, the Registered Entity had documented its Critical Cyber Assets and did follow testing procedures. The duration of the CIP-007-1 violations was from July 1, 2009 through August 28, 2009 (R5), September 30, 2009 (R6) and December 15, 2010 (R1). In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations, and that there were no additional aggravating or mitigating factors.
Penalty: $143,500 (aggregate for 10 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-218-000 (June 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: The Registered Entity self-reported that it was unable to show that changes within its Electronic Security Perimeter would not have an adverse impact on its existing cyber security controls. WECC found that the Registered Entity was not following cyber security test procedures in a way that would minimize adverse effects on the production system or its operation, did not possess adequate documentation showing that its test environment reflected its production environment, and did not have adequately documented test results.
Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $130,000 and to undertake other mitigation measures. WECC found that the CIP-007-1 violation constituted a moderate risk to bulk power system reliability since the Registered Entity was not properly handling cyber security controls in its testing procedures. However, the Registered Entity did actually have cyber security testing procedures related to changes in its Electronic Security Perimeter in place and had additional protection measures designed to address cyber security concerns. The duration of the CIP-007-1 violation was from July 1, 2008 through July 27, 2009. In approving the settlement agreement, NERC found that there were three instances of noncompliance with Regional Reliability Standard PRC-STD-005-1 WR1 (which was evaluated as an aggravating factor); some of the violations were self-reported; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); the penalties for the violations of Reliability Standards EOP-001-0 R6 and EOP-005-1 R2 were aggregated since both penalties were based on a single act of noncompliance; the penalties for the violations of Reliability Standards PRC-STD-005-1 WR1 and VAR-STD-002b-1 WR1 were based on the respective Sanction Tables; and there were no additional aggravating or mitigating factors.
Penalty: $130,000 (aggregate for 27 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-225-000 (June 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: RFC
Issue: As a result of a self-report, RFC determined the Unidentified Registered Entity (URE) violated CIP-007-1 R6/6.4 for failing to retain security logs for longer than 14 days, and violated CIP-007-1 R6/6.5 because it was unable to provide evidence that it reviewed the logs for 40 terminal servers that were Critical Cyber Assets. Moreover, it could not produce evidence that it was completing security event logging for seven non-CCA terminal servers, in violation of both R6.4 and R6.5.
Finding: RFC assessed a $10,000 penalty for these and other violations. The violations did not pose a serious or substantial risk to the reliability of the Bulk Power System because the terminal servers are enclosed within a well-managed physical and electronic security perimeter and the URE had other measures in place to protect CIP devices, including assessment, training and awareness programs, monitoring systems and separation of the non-CCA terminal servers from the electronic security perimeter. The NERC BOTCC determined this was the URE’s first occurrence of these types of violations; the URE was cooperative; the URE had a compliance program, which RFC considered a mitigating factor; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.
Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)
Reliability Standard: CIP-007-1 and CIP-007-2a
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: N/A (CIP-007-1); High (CIP-007-2a)
Region: RFC
Issue: Unidentified Registered Entity (URE) self-reported that it did not produce and retain all logs for two Critical Cyber Assets (the anti-virus and malicious software server and the database service for a DCS Control System) in the Electronic Security Perimeter for 90 calendar days as required. URE reported that it had changed the administrator passwords for an appliance that is the storage site for the event logs required by CIP-007-1 R6.4 and CIP-007-2a R6. The password changes inadvertently corrupted or altered the administrator’s credentials, making the event logs on both servers inaccessible. That caused data gaps, including the loss of the logs required by CIP-007-1 R6 prior to the end of 90 days.
Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000, and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because both servers accurately captured the event logs prior to the password change, so logs exist immediately before and immediately after the gap. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations, leading to a finding that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $85,000 (aggregate for 12 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The Registered Entity self-reported that it did not timely conduct an annual cyber vulnerability assessment of its Cyber Assets within its Electronic Security Perimeter as required.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had also enacted a program for testing and assessments in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: The Registered Entity self-reported that it did not timely complete the documentation review necessary to comply with the Reliability Standard.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required review within a year of the required date. The Registered Entity has also enacted procedures to keep its documents properly maintained. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SPP
Issue: SPP determined that the Registered Entity had not properly tested its security controls after significant changes were made to Cyber Assets within the Electronic Security Perimeter in order to verify that the security controls were not adversely affected by the changes.
Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity’s operating system for its SCADA/EMS did not connect to the Internet. When the Registered Entity did update its software, those updates were tested offline. The duration of the violation was from July 1, 2008 through September 24, 2009.
Penalty: $3,000
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SPP
Issue: SPP determined that the Registered Entity had not adequately managed its SCADA/EMS shared user account with its support vendor personnel to ensure that only those personnel with appropriate authorization are able to access the account and did not properly keep an audit log of account use.
Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity possessed exclusive control of the shared user account, password, and Virtual Private Network token (which were needed to authenticate remote electronic access by the relevant SCADA/EMS support vendor personnel). The duration of the violation was from July 1, 2008 through May 13, 2010.
Penalty: $3,000
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The Registered Entity self-reported that it did not timely conduct an annual cyber vulnerability assessment of its Cyber Assets within its Electronic Security Perimeter as required.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had also enacted a program for testing and assessments in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The Registered Entity self-reported that it did not timely conduct an annual cyber vulnerability assessment of its Cyber Assets within its Electronic Security Perimeter as required.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had also enacted a program for testing and assessments in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: The Registered Entity self-reported that it did not timely complete the documentation review necessary to comply with the Reliability Standard.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required review within a year of the required date. The Registered Entity also enacted procedures to keep its documents properly maintained. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: The Registered Entity self-reported that it did not timely complete the documentation review necessary to comply with the Reliability Standard.
Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required review within a year of the required date. The Registered Entity has also enacted procedures to keep its documents properly maintained. The duration of the violation was from December 31, 2009 through December 31, 2010.
Penalty: $0
FERC Order: Issued July 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-229-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: Following a self-report, WECC determined that the Unidentified Registered Entity (URE) did not have procedures in place to consider the impact on existing cyber security controls of the addition or modification of non-critical Cyber Assets.
Finding: WECC assessed a $75,000 penalty for this and other Reliability Standards violations. WECC determined that the violation posed a moderate risk, but did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because although failing to have formal test procedures increases the possibility of undetected changes to existing security controls, the URE was conducting testing of new and modified Cyber Assets. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violation did not constitute a repeat violation; URE self-reported the violation of CIP-007-1; URE was cooperative; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $75,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-230-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R5.2.1, R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: RFC
Issue: Following a self-report, RFC determined the Unidentified Registered Entity (URE) failed to minimize and manage the scope and acceptable use of nine servers and operations workstations in violation of R5.2.1 as well as administrator, shared and other generic account privileges in violation of R5.2.3.
Finding: RFC assessed an $18,000 penalty for these and other Reliability Standards violations. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because personnel with access to the operating servers and operator workstations were all authorized, had completed cyber security training, and had an acceptable personnel risk assessment. Moreover, the loss of the generating unit at issue would have minimal impact on URE’s operations. In approving the settlement between URE and RFC, the NERC BOTCC considered the following factors: the violations did not constitute repeat violations; URE was cooperative; URE self-reported the violations; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violations; RFC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $18,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-233-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R1, R8
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: Following a Self-Report, WECC determined the Unidentified Registered Entity (URE) did not create and implement cyber security test procedures in a way that minimized adverse effects on the production system and its operation, did not document test results, and failed to include a side-by-side comparison of pre-change versus post-change vulnerability scans. Moreover, WECC found URE did not include in its vulnerability assessment a review to verify that only necessary ports and services for operating Cyber Assets within the Electronic Security Perimeter (ESP) were enabled in violation of R8.
Finding: WECC assessed a $70,000 penalty for this and other Reliability Standards violations. WECC determined that the violations posed a minimal risk to the reliability of the bulk power system (BPS) but did not pose a serious or substantial risk to the reliability of the BPS because URE conducted vulnerability scans on assets within the ESP and had implemented protections and monitoring at all ESP access points, although the procedures did not conform to the requirements. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violations did not constitute repeat violations; URE was cooperative; URE self-reported one of the violations; URE received partial self-reporting credit for the CIP-006-1 violation because the Self-Report was submitted after the Self-Certification period, and did not receive any credit for self-reporting the CIP-007-1 violations because the Self-Reports were submitted during the Self-Certification period; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violations; WECC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $70,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-234-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: Following a Self-Report, WECC determined the Unidentified Registered Entity (URE) did not assess and document all security patches within 30 days of availability, did not document the implementation of security patches, and did not document compensating measures when an available patch was not installed.
Finding: WECC assessed a $35,000 penalty for this and other Reliability Standards violations. WECC determined that the violation posed a minimal risk to the reliability of the bulk power system (BPS) but did not pose a serious or substantial risk to the reliability of the BPS because URE had other protection systems in place. Specifically, URE operated an isolated physical network and maintained a secured, firewalled ICCP link to its Balancing Authority, and the vendor of the patch management system would have notified URE of patches for systems and vulnerabilities and whether they would have impacted the system. Moreover, the violation only involved a discrete set of cyber assets and only spanned a 5-month time period. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: URE was cooperative; URE self-reported the violation; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.
Penalty: $35,000 (aggregated for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)
Reliability Standard: CIP-007-1, CIP-007-2, CIP-007-2a
Requirement: R1, R3.1, R5.2.3, R6
Violation Risk Factor: Medium (R1, R1.1 and R5.2.3); Lower (R1.2, R1.3, R3.1, R6)
Violation Severity Level: N/A for CIP-007-1, Severe for CIP-007-2 (except R5.2.3) and CIP-007-2a; Moderate for CIP-007-2 R5.2.3
Region: ReliabilityFirst
Issue: With regard to R1, Unidentified Registered Entities 1 and 2 (URE 1, URE 2) self-reported that their information services department did not complete cyber security testing when it installed new software. With regard to R3.1, URE 1 and URE 2 self-reported that they failed to timely assess security patches for a software upgrade. URE 2 also miscalculated the due date for an assessment of several additional patches, resulting in testing one day late. With regard to R5.2.3, URE 1 self-reported that the information services department did not timely revoke an individual’s access to a shared account, contrary to its procedure and the requirement of the standard. With regard to R6, URE 1 and URE 2 self-reported that they failed to configure 44 Cyber Assets to send log information to a centralized location for review. Twenty-three of the 44 devices were capable of capturing and retaining 90 days of log information, such that URE 1 and URE 2 could review that information and determine that no events occurred during that period. Nine of the devices could capture between six and 34 days of log information, and the UREs confirmed no events during those periods. In an additional nine instances, the logs had been overwritten, so the UREs could not review them. For the remaining three devices, no log information could be retrieved. As a result, the UREs failed to keep and review 90 calendar days of data as required by R6. Duration of the violations was: January 1, 2010-June 18, 2010 (CIP-007-1 R6); June 21, 2010-June 30, 2010 (CIP-007-2a R1); January 1, 2010-July 14, 2010 (CIP-007-2 R3.1); and August 31, 2010-August 16, 2010 (CIP-007-2 R5.2.3).
Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because for violations of R6, sufficient electronic controls were in place to limit access and no cyber security events occurred during the relevant time period; for violations of R1, the servers had other system security protections in place and the information systems department had tested the software on similar systems reducing the chance that the lack of testing on the servers in question would adversely affect protection; for violation of R3.1, the firewalls had very few ports and entry required access from firewall administrators, and the firewalls did not communicate outside the UREs’ system; for R5.2.3, URE 1 had revoked the individual’s unescorted physical and electronic access to the critical cyber assets in a timely manner, and the individual had not tried to re-enter the building as a visitor after resignation. However, ReliabilityFirst noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violation; and there was no evidence that the UREs attempted to conceal a violation.
Penalty: $180,000 (aggregate for 4 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-248-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R3.1
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: The Unidentified Registered Entity self-reported that it had not properly documented, within 30 days of the security patch availability, the assessments of the security patches for six of its routers.
Finding: The Unidentified Registered Entity agreed to pay a penalty of $5,000 and to undertake other mitigation measures to resolve the violation. WECC found that the violation constituted only a minimal risk to bulk power system reliability since the Unidentified Registered Entity had implemented additional security measures to protect its routers during the violation and its cyber assets were not connected to the internet. The duration of the violation was from July 1, 2009 through November 25, 2009. In approving the penalty amount, NERC found that this was the Unidentified Registered Entity’s first violation of this Reliability Standard; the violation was self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violation; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $5,000
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-249-000 (July 28, 2011)
Reliability Standard: CIP-007-1
Requirement: R2, R4, R5
Violation Risk Factor: Medium (R2, R5), Lower (R4)
Violation Severity Level: N/A
Region: WECC
Issue: WECC found that the Unidentified Registered Entity had failed to: (1) verify that only ports and services that are needed for normal and emergency operations were enabled (R2), (2) sufficiently document and implement certain anti-virus and malware protection tools, as well as document compensating measures designed to mitigate risk caused by the absence of anti-virus and malware protection tools (R4), and (3) properly enact and document the technical and procedural controls needed for access authentication of user activity (R5).
Finding: WECC and the Unidentified Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $18,000 and to undertake other mitigation measures. WECC found that the CIP-007-1 violations did not constitute a serious or substantial risk to bulk power system reliability since the relevant Cyber Assets were associated with a facility and Control Center, both of which were within an Electronic Security Perimeter and were protected by tripwires and electronic access controls. The duration of the CIP-007-1 violations was from January 1, 2010 through June 30, 2010. In approving the settlement agreement, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $18,000 (aggregate for 9 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: FRCC
Issue: FRCC found that FRCC_URE1 possessed inadequate documentation regarding its cyber security test procedures for its workstations, databases and applications, as FRCC_URE1 was unable to show that its test procedures would minimize the adverse effect to the existing security controls within the Electronic Security Perimeter. In addition, FRCC_URE1 did not sufficiently document its test results.
Finding: FRCC found that the violation constituted only a minimal risk to bulk power system reliability since system testing was being conducted for the functional requirements (which included some of the security controls).
Penalty: $14,000 (aggregate for 4 violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-261-000 (August 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R6.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: Following a Self-Report, RFC determined that the Unidentified Registered Entity (URE) failed to file a Technical Feasibility Exception for certain devices that could not log and report cyber security events in violation of R6.3 because they could not transmit information to devices to which they were not connected.
Finding: SPP determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the devices were connected serially, which generally means they would not affect one another in the event of an outage. The devices were also located within a Physical Security Perimeter and had no remote capability. In approving the settlement agreement, NERC found this was not URE’s first violation of the subject Reliability Standards; URE self-reported seven of the eight violations; RFC considered it an aggravating factor that it discovered one of the violations in a Compliance Spot Check; URE was cooperative; URE had a compliance program, which RFC considered to be a mitigating factor; RFC determined URE’s parent company operated the CIP compliance program and therefore should investigate and review all Self-Reports and violations of the URE; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.
Penalty: $70,000 (aggregate for 8 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-262-000 (August 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: During a spot-check, SPP determined the Unidentified Registered Entity (URE) violated R1 for failing to conduct any testing to ensure significant changes to Cyber Assets within the Electronic Security Perimeter did not adversely affect existing cyber security controls for certain servers and workstations at its primary and backup control centers.
Finding: SPP determined that the violation posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because URE performed functional testing of the system and the assets at issue were not part of the Energy Management System, did not connect to the internet, and were primarily used for Inter-Control Center Communications Protocol data exchange. In approving the settlement agreement, NERC found this was URE's first violation of the subject Reliability Standards; URE was cooperative; URE had a compliance program, which SPP considered to be a mitigating factor; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.
Penalty: $12,000 (aggregate for 4 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-263-000 (August 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: The Unidentified Registered Entity (URE) self-reported that not all required testing activities had been completed prior to deploying a security update on six production servers used to support the URE's Critical Cyber Assets (CCAs).
Finding: TRE and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $11,000 and to undertake other mitigation measures. TRE found that the CIP-007-1 violation did not constitute a serious or substantial risk to the bulk power system since the URE did finish the testing activities on the security update (with no issues observed during testing), and the security update did not adversely impact any of the security controls on the servers. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; some violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $11,000 (aggregate for 5 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R5
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: SPP
Issue: During a spot check, SPP found that the Unidentified Registered Entity (URE) had a shared user account that was not secured (either by changing the password or by other means) after the retirement of a dispatcher with authorized access. The URE also did not change one of its passwords annually as required.
Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-007-1 violation did not constitute a serious or substantial risk to bulk power system reliability. The URE revised its Risk Based Assessment Methodology to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of the new finding, the violation of CIP-007-1 became moot. The duration of the violation was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.
Penalty: $8,000 (aggregate for 9 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R1.1, R2.1
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: FRCC
Issue: FRCC_URE1 self-reported that its cyber security test procedures did not properly minimize adverse effects on its protection system, as its test procedures were concentrated on application and functionality testing (R1.1). FRCC_URE1 also self-reported that 115 of its system operator workstations were improperly excluded from its ports and services review (R2.1).
Finding: FRCC found that the violations did not constitute a serious or substantial risk to bulk power system reliability. In terms of R1.1, FRCC_URE1 was conducting its functionality testing in a proper environment and all the system changes had been sourced from vendor-approved sources. In terms of R2.1, the relevant workstations were based on vendor-approved configurations and system applications. The duration of the violations was from July 1, 2008 through January 29, 2010 (R1.1) and from July 1, 2009 through January 29, 2010 (R2.1).
Penalty: $38,000 (aggregate for 11 violations)
FERC Order: Issued September 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP11-269-000 (September 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1 and R2
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: WECC
Issue: URE self-certified that it was only "substantially compliant" with R1 because it (1) failed to create, implement and maintain cyber security test procedures in a manner that minimized adverse impacts to its production system; (2) failed to document that testing is performed in a way that reflects the production environment; and (3) failed to document test results. URE also self-certified that it was only "substantially compliant" with R2 because it did not establish and document a process to ensure that only those ports and services required for normal and emergency operation were enabled.
Finding: WECC determined that the violation of R1 posed a moderate risk to the BPS because, without proper testing procedures, the likelihood that security controls fail increases with new CAs or significant changes to existing CAs; however, URE did have test procedures (though they were not fully compliant). WECC determined that the violation of R2 posed a minimal and not a serious or substantial risk to the BPS because URE had appropriate change control and change management procedures in place during this period, and the production control system was on a closed network, minimizing exposure to cyber attack. Duration of the violations was from the date the Standard became enforceable through January 28, 2010. WECC and the NERC BOTCC took into consideration that URE had a compliance program as a particular mitigating factor.
Penalty: $225,000 (aggregate for 11 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: RFC
Issue: During a spot check, RFC found that RFC_URE4 did not possess sufficient documentation showing that it tested its software upgrades to demonstrate that they would not adversely affect RFC_URE4’s security controls.
Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. RFC_URE4 uses two fully redundant systems at both its primary location and its backup location. Because these systems are upgraded at different times, this arrangement provides protection from any adverse effects resulting from a software upgrade. Furthermore, RFC_URE4 had a compliance program in place (which RFC evaluated as a mitigating factor).
Penalty: $16,500 (aggregate for 3 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R2/2.1/2.2, R5
Violation Risk Factor: Medium (R2/2.1/2.2), Lower (R5)
Violation Severity Level: Severe (R2/2.1/2.2, R5)
Region: RFC
Issue: RFC_URE1 self-reported that it had a network switch (located within its Electronic Security Perimeter (ESP)) that had ports and services enabled that were not required for normal and emergency operations (R2/2.1/2.2). RFC_URE1 also self-reported that, in regards to the same network switch, it had not removed or disabled two factory default accounts and had not created satisfactory passwords for the factory default accounts (R5).
Finding: RFC found that the CIP-007-1 violations posed a moderate risk to bulk power system reliability, because the relevant network switch was behind the ESP firewall and therefore not accessible from outside the ESP. In addition, there was a compliance program in place (which was evaluated as a mitigating factor).
Penalty: $30,000 (aggregate for 6 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R5
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: WECC
Issue: WECC_URE2 self-reported that it had not properly documented the procedural controls used to enforce access authorization and accountability (such as password complexity) for user activity on 31 devices (including switches, firewalls, and servers).
Finding: WECC found that the violation constituted a minimal risk to bulk power system reliability since WECC_URE2 was actually following its manual process for changing passwords, on an annual basis, with manual authentication and witness controls. WECC_URE2 did enact the required technical controls in regards to user activity. WECC_URE2 had a compliance program in place when the violation occurred (which was evaluated as a mitigating factor). In addition, WECC did not consider WECC_URE2’s prior violations of CIP-007-1 R1 and R6 to be an aggravating factor since WECC found the instant violation to be sufficiently distinct.
Penalty: $20,400 (aggregate for 3 violations)
FERC Order: Issued October 28, 2011 (no further review)
Unidentified Registered Entities, FERC Docket No. NP12-1 (October 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R3 (3 violations), R4.2 (1 violation), R1 (3 violations), R5.1 (3 violations), R6 (3 violations)
Violation Risk Factor: Lower (for R3 violations, R6 violations), Medium (for R4.2 violation, R1 violations, R5.1 violations)
Violation Severity Level: Not provided
Region: RFC
Issue: Three UREs, all subsidiaries of the same Parent Company, self-reported that, as a result of their Supervisor’s failure to manage their CIP compliance, they did not, in two consecutive quarters, properly document an assessment of the security patches for applicability at substations within 30 days of the patches’ availability and did not install certain required patches at the substations (nor did they enact measures to mitigate risk exposure) (R3). One of the UREs also self-reported that, as a result of their Supervisor’s failure to manage their CIP compliance, it had not implemented, during one quarter, a process for updating its anti-virus and malware prevention signatures at its substations (R4.2). The UREs also self-reported that they did not possess the required records of their testing of new CAs or significant changes to existing CAs within the ESP demonstrating that there would be no adverse effects on existing cyber security controls for substations (R1). In addition, the UREs self-reported that they did not verify that shared system accounts and authorized access permissions, for work functions performed at substations, complied with the “need to know” concept as required. The UREs did not limit access, based on the “need to know” principle, to certain diagrams and configuration data information contained in a departmental shared directory on a document-by-document basis (R5.1). The UREs also self-reported that they did not configure their security monitoring controls to issue alerts in response to detected cyber security incidents at their substations and, therefore, they had not properly enacted organizational processes and technical and procedural mechanisms to monitor for security events on their CAs within the ESPs at the substations (R6).
Finding: RFC found that the CIP-007-1 violations constituted a moderate risk to BPS reliability. Regarding the R3 and R4.2 violations, RFC found that the risk was mitigated since the UREs had measures in place to protect against unauthorized access, including a private network exclusively for the CA substations that isolates the data traffic of CA substations from all of the other data traffic and other internal applications utilized by the network. The UREs also control remote access to their CA substations through their corporate IT system, which employs two different methods to validate the access rights of users. In addition, for the R3 violations, once the UREs identified the violations, the UREs implemented the relevant security patches and reaffirmed the importance of security patch management to their employees. For the R4.2 violation, the relevant URE had other measures in place to protect against unauthorized access, and the private network reduced the risk of vulnerabilities from not following the requirements for updating the anti-virus and malware prevention signatures. In terms of the R1 violations, the UREs did have in place some procedures to verify that new CAs or significant changes to existing CAs would not adversely affect cyber security controls (even though the procedures were not sufficient to satisfy the requirements of the Reliability Standard). The UREs were also conducting tests while the violations were ongoing. For the R5.1 violations, the information in the directory was only accessible to personnel who had access rights to the CCAs, which required receiving a PRA and cyber security and information access training. In terms of the R6 violations, the UREs were already receiving automated alerts about potential cyber security incidents from an outside vendor who continuously monitored the UREs’ intrusion detection system, which provided additional protection for the ESP.
In determining the aggregate penalty amount, NERC BOTCC considered, among other factors, that the Parent Company manages a uniform compliance program among all of its subsidiaries, which is communicated through multiple channels (such as compliance calls, software tools, and training programs). But, the mitigating credit for the compliance program was partially offset by there being insufficient checks on the terminated Supervisor who was responsible for CIP compliance, as the UREs did not notice that the Supervisor was not fulfilling his obligations for the duration of the violations. NERC BOTCC favorably evaluated the fact that the UREs did take corrective action against the Supervisor once the problems were discovered and also initiated a system-wide compliance review.
Penalty: $275,000 (aggregate for 31 violations)
FERC Order: Issued November 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R5/5.3, R2, R5/5.2, R6/6.2/6.5, R5
Violation Risk Factor: Lower (R5/5.3, R6/6.2/6.5, R5), Medium (R2, R5/5.2)
Violation Severity Level: Lower (R5/5.3, R2, R5/5.2, R6/6.2/6.5, R5)
Region: FRCC
Issue: URE self-reported that it did not enforce password requirements for its CA and did not timely submit a request for a Technical Feasibility Exception (R5/5.3). URE also self-reported that it had not properly established a process to verify that, at its generating sites and control center, only those ports and services that were required for normal and emergency operations were enabled for PSP access control devices (R2). In addition, URE self-reported that it had not changed the factory default accounts of its CAs used in its access controls and for devices that authorize and log access to the PSP before placing these devices into service as required (R5/5.2). URE also self-reported that it did not properly configure its logging devices so that they would send out an alarm when a cyber security incident was detected and that it had not been reviewing the logs of system events from the logging devices (R6/6.2/6.5). Furthermore, URE self-reported that it had not properly documented its list of users who possessed access rights to shared accounts with access to the CCAs and other CAs within the ESP and to CAs that provide access control and monitoring for the ESP and PSP (R5).
Finding: FRCC found that the R5/5.3 violation constituted a minimal risk to BPS reliability since URE had enacted security controls that provided higher security for password complexity than mandated by the Reliability Standard. FRCC found that the R2, R5/5.2, R6/6.2/6.5 and R5 violations constituted a moderate risk to BPS reliability. For the R2 and R5/5.2 violations, the relevant devices had proprietary operating systems and were not available for remote access outside URE’s network. Even when accessing the devices from inside the network, a correct password and IP address are required. For the R6/6.2/6.5 violations, all of the logging devices were within the ESP and PSP, were equipped with card reader access controls, and had their access restricted to a limited number of users who had to undergo two-factor authentication. For the R5 violation, all of the relevant users who were improperly kept off the access list had been properly granted access, and URE had two-factor authentication in place for access to the CCAs. URE had a compliance program in place, but it was only evaluated as a neutral factor.
Penalty: $55,000 (aggregate for 11 violations)
FERC Order: Issued November 30, 2011 (no further review).
Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: URE self-reported that, as a result of technical problems that occurred during functional testing and the evaluation of a third-party security provider port management solution, it had not enabled only those ports and services needed for normal and emergency operations (and disabled the other ports and services).
Finding: MRO found that the violation constituted a moderate risk to BPS reliability since the ports were improperly enabled for most of URE’s CCAs within its ESP. URE did install other protective measures within the ESP to monitor for malicious activity. URE had a compliance program in place, which was evaluated as a mitigating factor.
Penalty: $0
FERC Order: Issued November 30, 2011 (no further review).
Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)
Reliability Standard: CIP-007-1
Requirement: R5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: WECC found that URE was unable to identify personnel who had access (and their account use) to a shared account on 25 routers and switches accessible through a serial or network connection within the PSP. URE also did not have a proper policy for managing the use of its shared accounts.
Finding: WECC found that the violation constituted a minimal risk to BPS reliability. The relevant routers and servers, which are used for network access and management, were in identified ESPs and PSPs and had additional protective measures enacted. Furthermore, the ESPs had intrusion detection and prevention systems, which would send alerts to the security operations center. WECC evaluated URE’s compliance program as a mitigating factor.
Penalty: $8,200 (aggregate for 4 violations)
FERC Order: Issued November 30, 2011 (no further review).
Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R2, R4 and R5
Violation Risk Factor: Medium
Violation Severity Level: Not provided
Region: WECC
Issue: With regard to R2, URE self-reported that it discovered that six ports and services were not necessary for normal and emergency operations. During an audit, WECC subsequently determined that the violation scope was expanded beyond the self-report because the URE relied on its EMS manufacturer’s default port and service specifications to ensure it only enabled appropriate ports and services, which WECC determined was insufficient. With regard to R4, URE self-reported that it had relied on its anti-virus application to test signature files, instead of testing signature files itself, and its documentation did not reflect a process for updating anti-virus and malware prevention signatures. With regard to R5, during its audit WECC determined that URE failed to review certain user accounts to verify access privileges in accordance with CIP-004 R4 on CAs within the ESP.
Finding: WECC determined that the R2 and R4 violations did not pose a serious or substantial risk to the reliability of the BPS because with regard to R2, URE established an intrusion detection system and program that evaluates traffic and generates alerts if necessary, and with regard to R4, the URE maintains redundant servers and has a process in place whereby a failure of a primary server would start a redundant server such that there was a backup in the event a corrupt signature file rendered a primary server inoperable. WECC also determined that the R5 violation did not pose a serious or substantial risk to the reliability of the BPS because URE produced evidence demonstrating that it performed a majority of annual reviews of user accounts on CCAs, even though it could not demonstrate that it conducted reviews on non-critical CAs. Duration of the violations was from the date the Standard became enforceable through August 20, 2010 (R2), August 12, 2010 (R4) and December 14, 2010 (R5). WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations, URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.
Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)
FERC Order: Issued December 30, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R2/2.1/2.2/2.3
Violation Risk Factor: Medium
Violation Severity Level: N/A
Region: TRE
Issue: URE found that it needed to add more specificity to its procedures, programs, supporting documentation and evidence regarding the ports and services enabled within its ESP in order to comply with the CIP Standards. CIP-007-1 requires that only those ports and services needed for normal and emergency operations be enabled. URE had done so for 84.6% of its servers by the compliance deadline, and the remainder were brought into compliance by the end of the month. For any unused ports and services that cannot be disabled, URE must document the compensating security measures in place to ensure system integrity. URE had the required documentation for 80.8% of such servers, and the remainder was completed by the end of the month.
Finding: The violation was determined to pose a moderate risk to BPS reliability. URE did have the right ports and services enabled or disabled, as appropriate, but the documentation was not available on time. The period of violation was less than one month. URE’s system has other security controls in place, such as firewalls and physical access restrictions, and there were no security breaches during the relevant period. URE’s compliance program was considered a mitigating factor in determining the penalty amount.
Penalty: $10,000 (aggregate for 10 violations)
FERC Order: Issued January 27, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R6/6.2
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: TRE
Issue: URE did not comply with the Standard when, for a period of two weeks, it was unable to ensure that 15.8% of the CAs within its ESP had the security monitoring needed to alert URE to detected Cyber Security Incidents.
Finding: The violation was determined to pose a moderate risk to BPS reliability. URE did have the right ports and services enabled or disabled, as appropriate, but the documentation was not available on time. URE’s system has other security controls in place, such as firewalls and physical access restrictions, and there were no security breaches during the relevant period. URE’s compliance program was considered a mitigating factor in determining the penalty amount.
Penalty: $10,000 (aggregate for 10 violations)
FERC Order: Issued January 27, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R8/8.1/8.2/8.3/8.4
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: TRE
Issue: URE did not finish and approve its Cyber Asset Vulnerability Assessment Process (required to be undertaken annually) until nearly one month after the compliance deadline. In addition, 15.4% of URE’s servers did not have documentation showing only those ports and services needed for normal and emergency operations were enabled. Finally, URE had not finished its review of controls for default accounts nor documented those results until nearly one month beyond the compliance date.
Finding: The violation was determined to pose a moderate risk to BPS reliability. URE did have the right ports and services enabled or disabled, as appropriate, but the documentation was not available on time. URE’s system has other security controls in place, such as firewalls and physical access restrictions, and there were no security breaches during the relevant period. URE’s compliance program was considered a mitigating factor in determining the penalty amount.
Penalty: $10,000 (aggregate for 10 violations)
FERC Order: Issued January 27, 2012 (no further review)
Unidentified Registered Entity 1, FERC Docket No. NP12-10 (December 30, 2011)
Reliability Standard: CIP-007-1
Requirement: R2, R3, R5, R6, R8, R9
Violation Risk Factor: Medium (R2); Lower (R3, R5, R6, R8, R9)
Violation Severity Level: Moderate (R2); Severe (R3, R5, R6, R8, R9)
Region: SPP RE
Issue: URE1 self-certified that it was not in compliance with the following requirements. R2: URE1 did not document the correct configuration of enabled ports and services for all of its network devices in the ESP, so it could not know at any given time whether only the ports and services needed for normal and emergency operations were enabled. The ports and services on URE1’s Siemens devices responsible for operations were enabled and documented, and URE1 was following the manufacturer’s recommendations on which ports should be disabled and how. R3: URE1 had not documented why certain security patches were not installed on CAs within the ESP. R5: URE1 had no documented controls requiring authentication of all user activity on individual and shared user accounts. It had no policy to ensure that user accounts were implemented and approved by designated personnel (R5.1.1), and the system logs collected from its network devices were not sufficient to maintain the 90-day audit trail of user account activity (R5.1.2). URE1 did not perform the 2009 annual review of certain access privileges to its CCAs. R5.2 also calls for a policy for managing shared and generic account privileges and a list of the persons with access to those accounts; URE1 had no such policy. R6: URE1 had no system to log, monitor, identify, review and respond to security events on CAs within the ESP. R8: URE1’s process did not explain how to perform a vulnerability assessment or how to interpret its results, and it had no action plan to remediate any vulnerabilities found. URE1 also had no evidence that, as part of a vulnerability assessment, it reviewed the controls for default accounts. R9: URE1 had no evidence of an annual review of the documentation and processes it maintains under the Standard, and it had not documented changes resulting from modifications to systems or controls within the 90-day window that CIP-007-1 requires.
Finding: SPP RE found that the violations of CIP-007-1 R2, R3 and R9 posed a minimal risk to BPS reliability. Regarding R2, URE1 had documented the ports and services for all of its Siemens devices within the ESP, and these devices were monitored by its EMS SCADA system. The Siemens devices are the most critical devices within the ESP; all ports and services required for operation were enabled and documented, and URE1 verified that these were the only enabled ports during new or updated software installations. URE1 had also reviewed the services file on each machine while performing the annual assessment of its CCAs inside the ESP. Regarding R3, URE1 had documented when security patches were installed on CAs within the ESP and why each patch was installed. Because URE1 was reviewing every security patch to decide whether or not it should be installed, the violation had a minimal impact on BPS reliability; URE1 lacked only the documented reasoning for not installing certain patches. Regarding R9, URE1 had the documentation and procedures referenced in CIP-007 but no evidence that it reviewed and updated them annually. This is therefore a documentation issue, and URE1’s lack of performance is addressed in its corresponding CIP-007 violations.
SPP RE found that the violations of CIP-007-1 R5, R6 and R8 posed a moderate risk to BPS reliability. Regarding R5, although URE1 was not managing a properly secured environment, it had been performing an annual review of the general access privileges to its CCAs. Because URE1 was not reviewing specific access privileges to its CCAs, someone could have falsified an account and had free use of URE1’s system. By failing to monitor its system adequately, URE1 left it more vulnerable to attack, which in turn created reliability risk to its system and to the BPS. Regarding R6, URE1 began using Tripwire to monitor its system, but before that it had no other monitoring in place, and the Tripwire deployment did not cover all CAs within the EMS network. Without a monitoring and logging program for those CAs, URE1 had no way to know whether unauthorized attempts to tamper with them had occurred, leaving the CAs vulnerable to attack and making it hard to detect suspicious activity on the URE1 system. Regarding R8, although URE1 had performed a vulnerability assessment, it did not use the results to produce action plans to remediate the identified vulnerabilities, leaving it with no way to ensure the ESP was secure. The vulnerabilities identified included, but were not limited to, firewall rules that did not deny access by default, the lack of a centralized logging and monitoring process, and some users logging into the system with the root password. Further, because URE1 had not formally documented its vulnerability assessment process, there was a risk that the assessment would not be performed thoroughly and consistently, and the assessment that was conducted was missing some elements required by CIP-007-1 R8.
SPP RE considered URE1’s compliance programs a mitigating factor in determining the appropriate penalty.
Penalty: $68,000 (aggregate for 12 violations)
FERC Order: Issued January 27, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2012)
Reliability Standard: CIP-007-1
Requirement: R2, R3, R5, R6
Violation Risk Factor: Medium (R2, R6), Lower (R3, R5)
Violation Severity Level: N/A (R2, R3, R5, R6)
Region: WECC
Issue: URE self-certified that it did not have the required documented procedure for ensuring that only the ports and services required for normal and emergency operations are enabled; in fact, URE had multiple open ports that were not needed for normal or emergency operations (R2). URE also self-certified that it had not properly documented relevant cyber security software patches for all of its CAs within the ESP and that certain devices were not patched or upgraded as required (R3). URE further self-certified that it lacked appropriate methods, processes and procedures for producing user account access logs with the level of detail needed to create historical audit trails of individual user account activity (R5). Lastly, URE self-certified that it did not have security logging for certain of its CAs within the ESP: as a result of problems with a software upgrade, URE found that 15% of its network devices were not generating logs as required, because the devices were not configured to let the software pull a log file (R6).
Finding: WECC found that the CIP-007-1 R2 violation posed a moderate risk to the BPS. With regard to R2, URE personnel lacked adequate awareness of URE’s ports and services, which could have facilitated unauthorized access to CAs and CCAs through the open ports. However, URE was testing its active and passive security controls, monitoring and logging system events, and performing vulnerability assessments. WECC found that the CIP-007-1 R3, R5 and R6 violations posed only a minimal risk to the BPS. With regard to R3, the relevant devices are not connected to the internet, which greatly reduced system risk and exposure. For R5 and R6, URE had already implemented the relevant user access controls. In determining the penalty amount, the NERC BOTCC considered that: URE had a violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (evaluated as a mitigating factor); the violations did not pose a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.
Penalty: $135,000 (aggregate for 20 violations)
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2012)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: Following a CIP Spot Check of the URE, MRO determined URE violated R1 because it failed to provide sufficient evidence that it used proper procedures to ensure that new CAs and significant changes to CAs within the ESP do not adversely affect existing cyber security controls. Specifically, personnel failed to conduct a test each time they used an intermediate anti-virus server to download anti-virus signature and security patch updates for the CAs within the ESP. URE did not consider the server to be a “new” CA each time it reconnected to the ESP. MRO found that the violation was the result of insufficient understanding among responsible personnel of the criteria for defining and classifying non-critical CAs.
Finding: MRO found that this violation posed a minimal risk, but not a serious or substantial risk, to the reliability of the BPS for the following reasons. First, the intermediate anti-virus server at issue was configured as a hardened, single-purpose device, reducing the risk that it would be compromised by malware or exploits. Second, URE tested the anti-malware signatures and security patch updates in a development environment before introducing them to the ESP, further reducing the risk. Finally, the server was never connected to the ESP and URE’s corporate network at the same time. MRO considered URE’s compliance program to be a mitigating factor.
Penalty: $4,000
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1, R3
Violation Risk Factor: Medium (R1); Lower (R3)
Violation Severity Level: High (R1); Lower (R3)
Region: WECC
Issue: URE submitted a self-report of possible non-compliance with the Standard once it realized that its procedures for testing new or updated software and firmware prior to deployment did not include testing such changes to ensure that there are no adverse effects on existing cyber security controls (R1). Further, URE’s failure to have a security patch management program in place to evaluate, test and install applicable security patches for new or changed CAs violated CIP-007-1 R3.
Finding: The violations posed a minimal risk to BPS reliability because URE’s CAs did have the protections set forth under CIP-005-1 R1. However, not protecting the CAs responsible for access control and/or monitoring of the ESP through the testing and patching requirements of CIP-007-1 R1 and R3 could allow unauthorized access to those CAs, which in turn could enable cyber attacks against CCAs required for reliable BPS operation. URE’s self-report was not credited in assessing the penalty because it was submitted during a self-certification process.
WECC found it appropriate to assess one penalty for URE’s violations of CIP-005-1 R1.5, CIP-006-1 R1.8 and CIP-007-1 R3. Not providing the CIP-007-1 protections to its Cyber Assets is a single instance of noncompliance that also resulted in the violations of CIP-005-1 R1.5 and CIP-006-1 R1.8. Therefore, the penalty assessed for CIP-007-1 R3 is a single penalty for the aggregate of the related violations.
Penalty: $55,000 (aggregate for 12 penalties)
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not document the assessment of the applicability of thirteen security patches and security upgrades within 30 calendar days of their availability. WECC reviewed URE’s assessment and determined that URE failed to assess security patches for 21 CAs resulting in URE having insufficient records of its security patch management program.
Finding: These violations posed only a moderate risk to the reliability of the BPS because the devices at issue are located within a PSP and an ESP and are consequently protected as required by CIP-005 and CIP-006.
Penalty: $45,000 (aggregate for 7 penalties)
FERC Order: Issued February 29, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R5/5.1.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE was not in compliance with CIP-007-1 R5.1.3 as a result of its failure to review its user accounts annually to verify they are in accordance with CIP-004-1 R4.
Finding: The violation posed a minimal risk to BPS reliability. URE could show that it knew what the electronic access rights of its personnel were, even though it did not review those rights annually. The violation leaves open the possibility that an employee could access ESPs without a current right to do so, creating a possible threat to BPS reliability; in this instance, however, URE did know the electronic access rights of its personnel.
WECC found it appropriate to assess one penalty for URE’s violations of CIP-004-1 R4 and CIP-007-1 R5.1.3. Not performing the required reviews of electronic access rights is one incidence of noncompliance causing a violation of CIP-007-1 R5.1.3. Therefore, the penalty assessed for CIP-004-1 R4 is a single penalty for that violation and the related violations.
Penalty: $55,000 (aggregate for 12 penalties)
FERC Order: Issued March 1, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported a violation of CIP-007-1 R6 because it failed to monitor and log security events in its Generation Management System (GMS) for two new CAs and failed to document the monitoring and logging of security events in its GMS for eight existing CAs. WECC confirmed URE’s assessment in determining that URE failed to implement and document the organizational process and technical and procedural mechanisms to monitor security events on all CAs within the ESP.
Finding: This violation posed only a minimal risk to the reliability of the BPS because the devices at issue are not CCAs. Further, the CAs at issue did have physical protections required by CIP-006 and did not have remote access.
Penalty: $45,000 (aggregate for 7 penalties)
FERC Order: Issued February 29, 2012
Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R1; R4; R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: Severe (R1; R4)
Region: SPP
Issue: During a spot check, SPP determined that URE violated R1 and R5.2.3. URE violated R1 because it could not produce evidence of adequate measures to ensure that new CAs within the ESP did not adversely affect existing cyber security controls. URE violated R5.2.3 because it did not change a shared user account within seven days of one of its users retiring. URE also submitted a Self-Report that led SPP to determine URE violated R4 because it failed to test anti-virus signature files before installing them on SCADA servers. URE then filed a second Self-Report under R4 for failing to install the most recent anti-virus and malware prevention signatures on its SCADA system because it lacked a proper test environment for evaluating them and the vendor’s system did not support URE’s SCADA version.
Finding: SPP determined that the violations of R1 and R4 posed a moderate risk and the violation of R5.2.3 posed a minimal risk to the reliability of the BPS. The violations of R1 and R4 were mitigated because URE’s EMS/SCADA vendor applied security updates and functional testing of the updates was conducted offline, which would have indicated if new assets affected the operation of a CA. Redundant security measures such as anti-virus software and limited access also mitigated the risks. The violation of R5.2.3, which lasted for 5 months, was mitigated because the retiree’s physical and network access to the shared user account was removed on the date of his departure.
Penalty: $40,000 (aggregate for 14 violations)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SPP RE
Issue: While conducting a spot check, SPP RE found that URE did not adequately test whether existing cyber security controls were adversely affected by significant changes to existing CAs in URE’s ESP. URE’s procedure tested for functionality only, contrary to CIP-007-1’s requirement that the security controls already in place be tested to ensure they continue to operate correctly when CAs are updated. URE did not begin testing its cyber security controls for updates to existing CAs until 22 months after the compliance enforcement date.
Finding: SPP RE found the violation constituted a moderate risk to BPS reliability because URE had other cyber security control measures in place, including firewall rules and automated security analysis tools used to detect security threats. Therefore, in the event of a successful cyber attack, additional security control measures should detect the event. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.
Penalty: $8,800 (aggregate for 4 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: While conducting a spot check, SPP RE found that URE had no procedure for testing whether the existing cyber security controls protecting its CCAs were adversely affected when new CAs were installed in, or significant changes were made to existing CAs in, URE’s ESP. URE’s procedure tested for functionality only, contrary to CIP-007-1’s requirement that the security controls already in place be tested to ensure they continue to operate correctly when CAs are installed or changed.
Finding: SPP RE found the violation constituted a moderate risk to BPS reliability. URE did have a security controls testing procedure based on the requirements of CIP-007-1 at the time of the spot check. However, the earlier version of the procedure required only functional testing, leaving the possibility that new or changed CAs could adversely affect the existing security controls and leave URE’s CCAs open to potential attacks. URE is a small entity and so its size lessened any possible BPS impact. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.
Penalty: $20,800 (aggregate for 7 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R1/1.1/1.2/1.3
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: FRCC
Issue: While conducting a spot check, FRCC found that URE could not show that its router test procedure addressed ESP configuration controls, the ports and services needed to maintain ESP integrity, lockout or password changes for default user accounts, user access controls, review of physical security for access control, review of banners, or review of modem access to the ESP, as required by CIP-007-1 R1. The testing procedures for application changes also did not address adverse effects on existing security controls. In addition, URE was not documenting test results as its own testing procedures required.
Finding: FRCC found the violation posed a moderate risk to BPS reliability because, at the time of the configuration updates, URE followed its SCADA vendor’s approved configurations and performed only operational testing. The applications whose change testing was found deficient are widely used in URE’s control center, but no new ports or services were added, and the changes came from trusted control system vendors. FRCC considered URE’s internal compliance program a mitigating factor in determining the appropriate penalty.
Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R2/2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that, while conducting an internal review, it found that certain devices required for normal and emergency operations within the ESP did not have the proper documentation of ports and services. The devices are initially configured to a corporate standard configuration after which additional applications are installed depending upon the function to be performed by the device. URE did have documentation of the initial standard corporate configurations, but it did not include ports and services information.
Finding: NPCC found the violation posed a minimal risk to BPS reliability because ESP access is controlled by firewall rules and router access control lists. Cyber access to URE’s devices is monitored by an intrusion detection system and limited to authorized personnel, and there is no access to the public internet from inside the ESP. The CCA devices are also located in a PSP accessible only to authorized personnel. No incidents occurred as a result of URE lacking documentation of its normal and emergency ports and services. NPCC considered certain parts of URE’s internal compliance program a mitigating factor in determining the appropriate penalty.
Penalty: $5,000 (aggregate for 2 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that security patches for its Energy Management System were not being evaluated for applicability and possible system vulnerabilities within 30 days of availability. As a result, URE could not determine whether system vulnerabilities existed, or whether mitigation steps or an acceptance of risk needed to be documented.
Finding: SPP RE found the violation constituted a moderate risk to BPS reliability because the failure to conduct assessments of security patches could have exposed URE’s CCAs to any number of vulnerabilities, leaving open the possibility of a successful cyber attack against CCAs required for BPS reliability. SPP RE noted that, at the time of the violation, URE had added cyber security control measures in place, such as firewall rules and automated security analysis tools for security threat detection, reducing any risk of a successful attack. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.
Penalty: $8,800 (aggregate for 4 penalties)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-007-1
Requirement: R6/6.1/6.3/6.4
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: FRCC
Issue: URE self-reported that four switches contained within its ESP were not configured for automatic logging of system events, as required by CIP-007-1 R6. The configuration of the switches had been set to the original EMS vendor specifications.
Finding: FRCC found the violation posed a moderate risk to BPS reliability because failing to log system events leaves open the possibility of Cyber Security Incidents that proper monitoring might have prevented, although the switches’ location inside the secured ESP reduced the chance of unauthorized access. FRCC considered URE’s internal compliance program a mitigating factor in determining the appropriate penalty.
Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued March 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1.3
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: SPP RE
Issue: While performing a Spot Check, SPP RE found that URE was unable to show that it had compared test data from before and after the installation of new CAs, or significant changes to existing CAs, in its ESP, as required to ensure that existing cyber security controls are not adversely affected. In particular, URE used a software tool to compare pre- and post-change runs of a network statistics tool (the tool runs themselves were saved), but it did not save the comparison results showing that the testing had been performed correctly.
Finding: The violation posed a minimal risk to BPS reliability because URE had performed the appropriate testing and was able to show SPP RE how the testing is conducted; it simply did not retain the documentation showing that the comparison had been performed. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.
Penalty: $12,000 (aggregate for 10 penalties)
FERC Order: Issued April 30, 2012 (no further review)
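The entry above turns on retaining the pre/post-change comparison as evidence, and several earlier CIP-007-1 R2 entries turn on having a documented list of the ports and services needed for normal and emergency operations. The following is an added example, not code from any registered entity, Regional Entity or NERC, of how such a change test can be automated and its result kept: it parses a listening-socket inventory taken before and after a change, diffs it against the documented R2 list, and writes a record that ties the saved tool output to the verdict by hash. The inventory line format (`proto address:port process`, similar to a trimmed `ss -ltnp` listing), the device, port and process names, the approved list and the change identifier are all constructed for illustration.

```python
"""Pre/post-change comparison of enabled ports and services on a Cyber Asset.

Added example for this digest (not any entity's or NERC's code). Assumptions:
one 'proto address:port process' line per listening socket, and an approved
list drawn from the device's documented ports-and-services record.
"""
import hashlib
import json
from datetime import datetime, timezone

Socket = tuple[str, int, str]  # (protocol, port, process)

# Constructed sample inventories: before and after a vendor patch on an EMS server.
BASELINE_INVENTORY = """\
tcp 0.0.0.0:22 sshd
tcp 10.0.5.20:502 modbusd
tcp 127.0.0.1:5432 postgres
udp 0.0.0.0:123 chronyd
"""

POST_CHANGE_INVENTORY = """\
tcp 0.0.0.0:22 sshd
tcp 10.0.5.20:502 modbusd
tcp 127.0.0.1:5432 postgres
udp 0.0.0.0:123 chronyd
tcp 0.0.0.0:5900 vncserver
"""

# Constructed R2 record: ports and services documented as needed for normal
# and emergency operations on this device.
APPROVED_SERVICES: frozenset[Socket] = frozenset({
    ("tcp", 22, "sshd"),
    ("tcp", 502, "modbusd"),
    ("tcp", 5432, "postgres"),
    ("udp", 123, "chronyd"),
})


def parse_inventory(text: str) -> set[Socket]:
    """Parse 'proto address:port process' lines into (proto, port, process)."""
    sockets: set[Socket] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, endpoint, process = line.split()
        port = int(endpoint.rsplit(":", 1)[1])  # rsplit tolerates IPv6 literals
        sockets.add((proto.lower(), port, process))
    return sockets


def compare_inventories(before: set[Socket], after: set[Socket],
                        approved: frozenset[Socket]) -> dict:
    """Diff the pre- and post-change inventories against the documented list.

    The verdict is FAIL when the change enabled anything not on the approved
    list, or removed a documented service (a control may have stopped running).
    """
    added = after - before
    removed = before - after
    unapproved = after - approved
    verdict = "PASS" if not unapproved and not removed else "FAIL"
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "unapproved_after_change": sorted(unapproved),
        "verdict": verdict,
    }


def evidence_record(change_id: str, before_text: str, after_text: str,
                    result: dict) -> dict:
    """Build the retained test record: hashes of both inventories plus the result.

    Storing the hashes with the verdict lets an auditor tie the saved tool
    output to this particular comparison, which is the evidence R1.3 needs.
    """
    def digest(s: str) -> str:
        return hashlib.sha256(s.encode()).hexdigest()

    return {
        "change_id": change_id,
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "baseline_sha256": digest(before_text),
        "post_change_sha256": digest(after_text),
        "result": result,
    }


def run_change_test(change_id: str, before_text: str, after_text: str) -> dict:
    """Parse, compare and return the JSON-serialisable evidence record."""
    before = parse_inventory(before_text)
    after = parse_inventory(after_text)
    result = compare_inventories(before, after, APPROVED_SERVICES)
    return evidence_record(change_id, before_text, after_text, result)


if __name__ == "__main__":
    # The sample patch left a VNC listener behind, so the test fails and says why.
    record = run_change_test("CHG-0001", BASELINE_INVENTORY, POST_CHANGE_INVENTORY)
    print(json.dumps(record, indent=2))
```

The comparison is deliberately against the documented R2 list rather than only against the baseline: a port that was already open before the change but never documented is just as much a finding as one the patch added. The record is what gets filed with the change ticket; the raw tool output is kept alongside it and can be re-hashed to confirm it is the input the verdict was reached on.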
Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1.3; R4/4.1/4.2; R5/5.1.3/5.3; R6/6.1/6.2/6.5
Violation Risk Factor: Lower (R1.3); Medium (R4; R5; R6)
Violation Severity Level: Lower (R1.3; R4; R6); Severe (R5)
Region: SPP RE
Issue: URE submitted a self-report for various violations of the CIP-007-1 Reliability Standards. Regarding R1.3, URE did not keep on file previous security test results performed on its EMS application servers after changes were made to the equipment. URE was not in compliance with R4 because, first, it had nothing in writing to show which assets did not have anti-virus installed, and it was not monitoring the anti-virus management console for virus notifications. Second, URE did not test anti-virus signature files before roll out on critical systems in the production environment. SPP further found that URE had no anti-virus installed on its EMS servers as of the date of compliance enforcement, in violation of R4. Regarding R5, URE had not done an in-depth review of user accounts having access to its EMS application and it had not enforced passwords meeting the CIP-005-1 R5.3 password requirements. Lastly, URE also self reported that it had no process to monitor security events on all CAs inside its ESP, as stated in R6.1. URE has four EMS servers inside its ESP that are configured to log events, but there were no security monitoring tools in place for automatic or manual notification of Cyber Security Incidents (R6.2). URE was not reviewing its logs on a regular basis as well (R6.5).
Finding: The violations constituted a minimal risk to BPS reliability for the following reasons. URE was performing appropriate security testing on CCAs – servers and workstations – inside its ESP as required, but it failed to save the testing results, in violation of R1.3. The violation of R4.1 and R4.2 also posed minimal risk because even though URE was not testing anti-virus signatures before updating critical systems, the signatures were pushed and updated to the production system regularly. And, although not having anti-virus software on its EMS servers opened URE’s network to vulnerability, the previous operating system was replaced with an operating system having anti-virus protection and no events were reported. URE was manually checking its server logs before its use of an automated alerting program. Regarding the violation of R5.1.3 and R5.3, user access to the EMS application was a three-step process, and URE’s program in use during the violation period provided adequate security by other means. URE now has a compliant updated logging system. Lastly, the violation of the R6 requirements did not pose a serious or substantial risk to BPS reliability because any events on URE’s CA servers inside its ESP were logged, and those logs were reviewed, just not consistently. URE utilized other measures to protect its system from cyber attacks, but not all measures under CIP-007-1 R6.1, R6.2 and R6.5 were in place as required. Nor did any cyber security events occur during the violation period. URE’s compliance history was considered as a factor in determining the appropriate penalty.
Penalty: $12,000 (aggregate for 8 penalties)
FERC Order: Issued April 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported and NPCC found that URE had not disabled all unused ports before production use of its CAs residing in its ESP, as required. URE incorrectly believed that by disabling the unused ports on the firewalls, it did not need to disable any unused ports and services on each individual CA.
Finding: The violation constituted a minimal risk to BPS reliability because URE has other security measures in place for overall cyber and physical security including, among other measures, intrusion detection, anti-virus, security logging, access control (cyber and physical) and a defense-in-depth network design to minimize the risk to the BPS. Further, there were no reported incidents related to this violation. In determining the appropriate penalty, NPCC took certain aspects of URE’s compliance program into consideration as mitigating factors.
Penalty: $10,000 (aggregate for 4 penalties)
FERC Order: Issued April 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R5.2, R5.3
Violation Risk Factor: Lower (both)
Violation Severity Level: Severe (R5.2); Lower (R5.3)
Region: SPP RE
Issue: While performing a Spot Check, SPP RE found that URE had not changed the password to a Windows shared account after an employee having access to that account retired (R5.2). Regarding R5.3, SPP RE found that URE had not changed a password to a Windows shared account in over four years. R5.3 requires annual changing of passwords to Windows shared accounts.
Finding: The violations constituted a minimal risk to BPS reliability because each employee has their own EMS application account that first must be accessed in order to connect to the operator console, and the relevant employee’s physical access rights to the operator console and login access rights to URE’s network had been revoked. With respect to the violation of R5.3, the shared user account was local to one workstation and was used only to log in to the workstation after a reboot. Also, the workstation is set up to require the user’s personal EMS application account in order to access the operator console, and those EMS application accounts are changed yearly. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.
Penalty: $12,000 (aggregate for 10 penalties)
FERC Order: Issued April 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R3.1/3.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that although it had a documented patch management program in place for its cyber security software, it had not required personnel to document the assessment and implementation of security patches for certain of its CAs. URE had not properly identified the personnel who were responsible for the CAs owned or managed by multiple business units. Therefore, URE had not properly documented the assessment of security patches and security upgrades within 30 days of availability or the implementation of the security patches as required. URE also did not properly configure its reporting tool, which caused URE to not include all of its CAs within every ESP as part of its vulnerability assessment.
Finding: RFC found that the CIP-007-1 R3.1/3.2 violation constituted a moderate risk to BPS reliability and that this violation appears to be caused by URE’s lack of a comprehensive CIP compliance program. But, all of the relevant assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. The assets were also located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.
Penalty: $115,000 (aggregate for 17 violations)
FERC Order: Issued April 30, 2012 (no further review)
Unidentified Registered Entities, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP/RFC/TRE (Regions)
Issue: During a joint Spot Check conducted by SPP and RFC, the following CIP violations were found. UREs did not conduct the required testing to ensure no adverse effects occurred to existing cyber security controls upon installation of patches or upgrades. And, in order to configure and administer SCADA local area network substations, staff at UREs would take laptops in and out of the operations center, which is inside a defined ESP, but the laptops were not subjected to “new” CA requirements each time they were returned to the operations centers. While UREs were implementing the Mitigation Plan addressing the violations, UREs found five other CIP violations. First, new software on station PCs at two substations inside an ESP was not tested upon installation to ensure no adverse effects occurred to cyber security controls. Second, a new patch on station PCs at two substations inside an ESP was not tested upon installation to ensure no adverse effects occurred to cyber security controls. Third, operating system security patches installed on a limited number of servers were not tested upon installation to ensure no adverse effects occurred to cyber security controls. Fourth, during a patch management review, UREs found that an update was mistakenly pushed to production machines inside a substation ESP prior to being tested. Further review indicated that a system account, previously disabled, had inadvertently been re-enabled by the update push to production machines. Fifth, a PC that was to be put on the corporate network was mistakenly placed on an ESP network. Intrusion detection software signaled UREs that the PC was not on the correct network, and access to the ESP network on that computer was disabled.
Finding: The Regions found the violations constituted a moderate risk to BPS reliability for several reasons. Regarding the instance of the system account being re-enabled as a result of the security patch installation, UREs did not know the system account had been activated until a normal review of patches was undertaken. With respect to the violation involving the PC being connected to the wrong network – the ESP, which requires all new systems to go through CIP compliance testing – the UREs have a multilevel protection system in place, including intrusion prevention and detection systems and rogue computer detection systems to monitor and prevent attacks on CAs inside ESPs. UREs’ intrusion detection system found the mistake and alerted employees to the error within 24 hours. Lastly, the laptops taken from the ESP were not used for any other purpose and were in the possession of vetted employees while outside of the ESP, and all had intrusion detection, firewall and anti-malware software installed. In determining the appropriate penalty, the Regions considered certain aspects of UREs’ compliance program as a mitigating factor.
Penalty: $27,000 (aggregate for 6 violations (2 in each region))
FERC Order: Order issued May 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1/1.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: NPCC
Issue: URE self-reported that, while conducting an internal CIP audit review, it found its cyber security testing procedure had no specific test to ensure that any changes to existing CCAs did not affect those CCAs’ security controls.
Finding: The violation was determined to pose minimal risk to BPS reliability because URE has in place a comprehensive change management procedure setting forth extensive testing and validation of changes to CCAs before going into service. URE did have a documented corporate change management procedure in use for all assets, but not specifically for CCAs. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor.
Penalty: $25,000 (aggregate for 4 violations)
FERC Order: Order issued May 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R2, R5 (R5/5.2.2/5.3)
Violation Risk Factor: Medium (R2); Lower (R5/5.2.2/5.3)
Violation Severity Level: Severe (all)
Region: RFC
Issue: URE self-certified two issues with the CIP-007-1 Reliability Standard. First, URE reported that ports and services on a network switch inside the ESP that were not required for normal or emergency operations were not disabled, as required. Second, URE had not removed or disabled factory default accounts on the network switch. And, the factory default accounts had passwords that did not meet the password complexity requirements of R5.3.
Finding: RFC found the violations constituted a moderate risk to BPS reliability because the relevant network switch is located behind the ESP firewall and is not accessible from outside the ESP. In determining the appropriate penalty, RFC considered certain aspects of URE’s compliance program as a mitigating factor.
Penalty: $12,000 (aggregate for 4 violations)
FERC Order: Order issued May 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: NPCC
Issue: URE self-reported that, while conducting an internal CIP audit review, it found several CAs had not been included in its security patch management system.
Finding: The violation was determined to pose minimal risk to BPS reliability because all of the CAs were located within a defined ESP and PSP and additional security controls were in place, such as account management, strict firewall access control, and event logging and network intrusion detection. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor.
Penalty: $25,000 (aggregate for 4 violations)
FERC Order: Order issued May 30, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R5/5.2.1/5.3.2/5.3.3; R5/5.2.2
Violation Risk Factor: Medium (R5/5.2.1/5.3.2/5.3.3); Lower (R5/5.2.2)
Violation Severity Level: Severe (all)
Region: NPCC
Issue: URE self-reported that passwords for several accounts were not compliant with the Standard. First, URE had three shared accounts with its IT staff that allowed full permissions for any function to be performed on the physical security system, which violates CIP-007-1 R5.2.1. In addition, URE had not changed the passwords since the system was placed into service, which violates R5.3.3’s requirement for annual password changes. And, the passwords in place did not comply with the password complexity requirements of R5.3.2. URE’s second CIP-007-1 violation involved its failure to correctly identify employees with access to shared accounts. In particular, personnel needing access to a particular PC at a number of CA substations shared the PC access password and did not work with the password administrator to protect the use of the password. As a result, the ESP access list was not accurate, as required by R5.2.2, because the employees gained access through a shared password.
Finding: The violations were determined to pose minimal risk to BPS reliability because, regarding the first R5 violation, URE had in place existing electronic access/account control procedures for its physical security system, and there were no reportable occurrences of unauthorized access connected with the shared accounts during the violation time period. Regarding the second R5 violation, the employees sharing the password all required access to the PC in order to perform their jobs. Each employee involved had been trained on system security and had a PRA on file. If the password administrator had been contacted, each employee would have received his/her own password. Also, the relevant PC is located within the PSP at the substation and only authorized individuals could gain entry. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor.
Penalty: $8,000 (aggregate for 3 violations)
FERC Order: Order issued May 30, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-007-1
Requirement: 1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: During a spot check, MRO was unable to establish that URE had ensured new Cyber Assets and significant changes to existing Cyber Assets within the ESP do not adversely affect existing cyber security controls. Although URE had a documented procedure to ensure system cyber security, MRO noted there was insufficient evidence to demonstrate that the required testing was conducted. URE maintained that it conducted the required testing in accordance with the documented procedure; however, MRO was not able to verify this with the provided documentation.
Finding: MRO determined the violation posed a minimal risk to the reliability of the bulk power system (BPS). MRO worked with URE to implement an effective Mitigation Plan and expedited the mitigation of this violation to address concerns with testing and change management. URE updated, tested, approved and implemented revised test documentation and procedure.
Penalty: $12,000 (aggregate for 9 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R2; R2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported a violation of R2, stating it performed an incomplete review of its ports and services. URE failed to ensure that only those ports and services required for normal operation were enabled for thirteen Cyber Assets. The Cyber Assets are used for physical access monitoring.
Finding: WECC determined this violation posed a minimal risk to the reliability of the bulk power system (BPS) as controls were employed to log and monitor access to all Cyber Assets within the ESP. In addition, physical/electronic alerts from monitoring controls are reviewed 24 hours a day, and only authorized personnel are granted access to these devices. The URE reviewed and revised its critical infrastructure protection program procedure to evaluate and assess ports and services for firewalls and switches in order to better clarify the process, and training was completed. Unique device identifiers were also created for tracking data collection.
Penalty: $21,000 (aggregate for 3 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO
Issue: During a spot check, MRO was unable to determine that URE had established, documented and implemented a security patch management program for tracking, evaluating, testing, and installing appropriate cyber security software patches for all Cyber Assets within the ESP(s).
Finding: MRO determined the violation posed a moderate risk to the reliability of the bulk power system because failure to evaluate patches and apply them in a timely manner to CCAs creates opportunities for exploitation of unpatched vulnerabilities which could render one or more CCAs inoperable. URE mitigated the risk by utilizing a vendor service which identified and evaluated newly available security patches for the URE’s Energy Management System and backup Energy Management System critical and supporting Cyber Assets. Additionally, the vendor service covered the majority of software installed on URE’s CCAs.
Penalty: $12,000 (aggregate for 9 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R5; R5.2.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported a violation of R5 because it failed to implement a process consistent with R5.2 and failed to identify those individuals with access to shared accounts (per R5.2.2). WECC Subject Matter Experts (SMEs) reviewed URE’s self-report and requested additional information. In response, URE provided a list of previously unidentified individuals with electronic access to Critical Cyber Assets (CCAs) and Cyber Assets within the ESP. SMEs found that URE failed to identify three individuals with access to a total of seven shared accounts, which provided access to approximately 29 Cyber Assets and CCAs associated with two URE Critical Assets, the control center and backup control center.
Finding: WECC determined this violation posed a minimal risk to the reliability of the bulk power system (BPS) because the risks were mitigated by the existing compensating measures in place during the violation period. The three individuals in question had completed training and personnel risk assessments pursuant to CIP-004. Furthermore, access through the seven shared accounts was secured with Physical Security Perimeters and ESPs, and all access to CCAs and Cyber Assets within an ESP through these accounts was documented. URE compiled a list of all shared accounts and the individuals with access to the accounts (per R5.2.2), and documented and implemented a new process designed to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges. Additionally, URE’s process includes a policy for managing the use of such accounts to limit access to only those with authorization, audit the trail of account use, and secure accounts in the event of personnel changes.
Penalty: $15,600 (aggregate for 3 violations)
FERC Order: Issued June 29, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: During a Spot Check, the SERC CIP Spot Check team found that URE could not show that it was testing cyber security controls on existing CAs located in the ESP when significant changes were made to those CAs. URE had compliant testing procedures for new CAs brought into the ESP, but the procedures did not address testing for changes made to CAs already in service in the ESP. Testing is required to ensure that when significant changes are made on existing CAs that no cyber security control issues arise because of those changes. SERC found that URE did not consider resources such as ports and services, anti-virus software, and malware prevention tools as “controls” pursuant to the definition in CIP-007-1 R1, and so URE did not include those devices in its procedure, as required by the Standard. URE did address the resources in its internal procedures on CIP-007-1. While the non-compliant procedure was being used, three significant changes were made to existing CAs in URE’s ESP.
Finding: The violation was deemed by SERC to pose moderate risk to BPS reliability because even though testing was not performed pursuant to the Reliability Standard, testing was taking place in an adequate testing environment and URE had addressed testing on certain cyber security controls. URE documented all testing and only used the deficient procedure on three occasions. In determining the appropriate penalty, SERC found URE’s internal compliance program a mitigating factor and also found URE to be cooperative during the Spot Check process. URE neither admitted nor denied SERC’s findings.
Penalty: $0
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R1, R2, R3
Violation Risk Factor: Medium (R1, R2); Lower (R3)
Violation Severity Level: Severe (R1); High (R2, R3)
Region: WECC
Issue: Upon learning that WECC was beginning the semi-annual CIP Self-Certification process, URE submitted to WECC that it was “Substantially Compliant” with CIP-007-1 R1 and R2 and submitted a self-report stating (1) that it performed only operational checks and not complete security testing pursuant to its testing procedures after more than 300 patches were installed on certain systems (R1.1); (2) that three CCAs, two Interface Servers and two Archive Servers were not tested in an environment that accurately reflects the environment in which they are used (R1.2); and (3) that URE did not document test results for the 300 patches as per its test procedures (R1.3). Regarding R2, URE’s self-report stated that it found one required port on a CCA did not have appropriate documentation. Also, two CCA devices required a service that URE had not documented. WECC’s review found that URE did not have a process for verifying that only those ports and services required for normal and emergency operations are enabled as required by the Standard. Upon further discussion with URE, WECC found that four switches contained in an ESP did not have the ports and services documentation required by the Standard. Regarding R3, URE self-reported it was not consistently applying its Security Patch Management program for four of eighteen CCAs, in particular the four switches mentioned above. URE stated miscommunication about the ownership and responsibility for the devices was behind the error. The manager responsible for determination of roles and responsibility had retired, and no documented system was in place for the designation of ownership and responsibility for the assets. URE is required by R3.1 to have documentation on the assessment of security patches and upgrades within 30 calendar days of those patches or upgrades becoming available; however, URE had no such records.
In the event a security patch is not installed, compensating measures for risk susceptibility are required by R3.2; however, URE did not have records of any such compensating measures applied to the four CCAs (switches). URE stated some patches had been applied, yet the implementation was not recorded.
Finding: The violations were deemed to pose minimal risk to BPS reliability. The devices had security software installed and, even though URE had not performed security testing, operational testing of the patches had been undertaken. In addition, the devices did have anti-malware protection and were monitored for changes by software. Finally, even though URE had not established and recorded a security patch management program pursuant to the requirements of CIP-007-1 R3, the devices are located in a PSP and ESP and have other CIP protections. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program; however, the violations of R1 and R2 were reported as a result of WECC’s Self-Certification process and so no mitigating credit was given for the self-reports. URE agreed/stipulated to WECC’s findings.
Penalty: $67,500 (aggregate for 9 violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R2/2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE filed a self-report with WECC stating that network switches and workstations used for physical access monitoring had not been checked to ensure only those ports and services required for normal operations were enabled, in violation of CIP-007-1 R2. The relevant equipment made up 8% of URE’s total CAs.
Finding: WECC found the violation to pose minimal risk to BPS reliability because URE did have other controls in place for logging and monitoring access to all CAs located in the ESP while the violation was ongoing, including physical and electronic alerts which are reviewed 24 hours a day. In addition, only authorized personnel could access the devices.
Penalty: $12,000 (aggregate for two violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)
Reliability Standard: CIP-007-1
Requirement: R3/3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported a violation of CIP-007-1 R3 by its failure to record security patch assessments within 30 days of availability for 230 devices located in 10 ESPs associated with URE’s control center. The violation encompassed all of URE’s CCAs.
Finding: WECC deemed the violation to pose minimal risk to BPS reliability, mitigated for the following reasons. URE did properly assess and document a certain kind of security patch/upgrade. URE had assessed and implemented all other kinds of security patches and upgrades; however, it did not document those assessments. In addition, the CCAs and CAs were protected inside PSPs and ESPs. All access to PSPs is restricted and documented, and PSPs are protected by security guards. Any individual having access to CAs and CCAs would have had to complete a PRA and cyber security training. Finally, the devices inside the ESPs are protected by anti-virus software and malware prevention devices. URE did not contest WECC’s findings. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor.
Penalty: $12,500 (aggregate for 3 violations)
FERC Order: Issued July 27, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)
Reliability Standard: CIP-007-1
Requirement: R5.1.2/5.2.1, R6.5
Violation Risk Factor: Lower (R5.1.2/5.2.1, R6.5)
Violation Severity Level: Severe (R5.1.2/5.2.1, R6.5)
Region: WECC
Issue: WECC determined that URE did not produce logs for 28 of its CAs with the detail needed to create historical audit trails of individual user account access activity for a minimum of 90 days (R5.1.2). And, while URE had a log collection system, the system did not maintain logs for those 28 CAs, and therefore, URE was unable to review logs of system events on those CAs (R6.5). URE also did not change the password, as required, for one of its CAs prior to placing that CA into service (R5.2.1).
Finding: WECC found that the CIP-007-1 violations only constituted a minimal risk to BPS reliability since URE’s security controls for the ESP protect the CAs. These violations represented only a small fraction of URE’s overall devices. URE also has an automated access tracking system and other controls related to the ESP as part of its compliance with the Reliability Standard, which mitigated the risk of this violation. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.
Penalty: $72,000 (aggregate for 12 violations)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not sufficiently document its processes, for 63 CAs and CCAs within the ESP, to ensure that only those ports and services required for normal and emergency operations were enabled. Thus, URE did not properly document the configuration of its ports and services.
Finding: WECC found that the violation only constituted a minimal risk to BPS reliability since URE did document a process for services and one category of ports. In addition, URE had only enabled those ports and services required for normal and emergency operations for the 63 CAs. The CAs are also located within a PSP and ESP and had other protections mandated by the Reliability Standards. URE’s compliance program was evaluated as a mitigating factor.
Penalty: $15,000 (aggregate for 4 violations)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)
Reliability Standard: CIP-007-1
Requirement: R1/1.3
Violation Risk Factor: Lower
Violation Severity Level: N/A
Region: WECC
Issue: Following a Spot Check, WECC determined URE provided insufficient evidence that it had cyber security test procedures for new Cyber Assets in place for a period of 38 days, and could not provide documentation that cyber security controls tests were conducted for two significant changes to Cyber Assets.
Finding: WECC found the violation posed a minimal risk to the reliability of the BPS because it was only a documentation issue. WECC considered URE’s internal compliance program a mitigating factor.
Penalty: $22,000 (aggregate for 3 violations)
FERC Order: Issued August 30, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 2, 4, 5.3, 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Upon notice to URE that WECC was beginning its semi-annual CIP self-certification process, URE submitted self-certifications detailing four CIP violations. (1) R2: URE did not submit Technical Feasibility Exception (TFE) reports for six devices on which it was not able to disable ports and services not used for normal or emergency operations. URE reported that the vendor provided a configuration command to disable ports on the devices; however, URE was unable to implement the command to close the ports. URE submitted the TFEs two months after the self-certification, and WECC approved them. (2) R4: URE did not submit TFEs for 27 devices on which it could not install anti-virus software. (3) R5.3: URE reported that it had not followed the password complexity and change requirements of the Reliability Standard to ensure Cyber Asset/Critical Cyber Asset security for 13 devices. URE submitted TFEs explaining the issue, which WECC subsequently approved. (4) R6: URE had not implemented automated tools and organization process controls to monitor system events related to cyber security for 15 devices within two ESPs. URE submitted TFEs for the 15 devices, but WECC review found that 14 of the devices were able to have automated or process controls enabled.
Finding: The violations of R2 and R4 posed minimal risk to BPS reliability, and the violations of R5.3 and R6 posed moderate risk to BPS reliability. Regarding R2 and R4, the devices are secured in a PSP and the ports are secured in an ESP. No instances of unauthorized access were reported. Regarding R5.3, the limited number of CCAs involved and the limited access to those CCAs mitigated any risk to BPS operations. In addition, all access was monitored and logged by URE. Although the passwords to those devices were not compliant with the Standard, they were created with protection in mind. With respect to R6, the violation was limited to 15 devices, which were all inside of a PSP and ESP, so any unauthorized attempts to access the devices would have triggered alarms. Individuals granted access to the devices had all completed PRAs and had undergone cyber security training. In determining the appropriate penalty, WECC considered as a mitigating factor that URE was working to improve its compliance culture and internal compliance program, but URE's compliance history was considered an aggravating factor.
Penalty: $50,000 (aggregate for four violations)
FERC Order: Issued September 28, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 6, 2, 8, 5, 3
Violation Risk Factor: Medium (6, 2, 8, 5); Lower (3)
Violation Severity Level: Severe (all)
Region: FRCC
Issue: URE submitted a self-report explaining several CIP-007-1 violations. (1) R6: URE had not made sure that all Cyber Assets (CAs) in the ESP were provided with proper controls for monitoring cyber security events. URE could not show that it kept logs of events for the required time period. (2) R2: URE did not have a compliant process in place to make sure only those ports and services needed for normal and emergency operations were enabled. URE had secured the majority of its ports and services, but it did not have documentation for each individual device, and rather kept information by type of device. (3) R8: URE had not conducted a cyber vulnerability assessment (CVA) that was in accordance with CIP-007-1. In addition, URE did not have an action plan in place to address vulnerabilities discovered during the CVA. (4) R5: URE was not employing the password complexity and change requirements found in the Reliability Standards for user accounts on all of its workstations and servers. Also, URE could not show that it had minimized the use of admin and shared user accounts nor did it have audit trails on those accounts. (5) R3: URE did not have a compliant security patch management program in place for its CAs inside its ESP.
Finding: FRCC determined the violations posed a moderate risk to BPS reliability. Regarding R6, remote access was controlled and logging at access points was implemented. All relevant devices were located in known and protected ESPs and access was restricted. R2: URE could show that all CAs inside of an ESP were secured. However, not documenting which ports and services are required could leave unknown ports open and subject to cyber-attack. R8: The relevant devices had ESP protections in place, but not completing a CVA leaves the possibility that system vulnerabilities exist but are unknown to URE. R5: The admin and shared accounts were used by individuals having appropriate training, and those individuals kept the accounts secure by not sharing passwords and only using those accounts as needed. URE revoked access as soon as an individual no longer needed access. R3: URE had a patch management program in place for high and critical security patches, but it was lacking a program to deal with lower risk patches or third-party applications. In determining the appropriate penalty, FRCC gave credit to URE's internal compliance program as well as credit for cooperating through the audit process.
Penalty: $75,000 (aggregate for 10 violations)
FERC Order: Issued September 28, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: During a Spot Check, FRCC found that URE violated R1 because it could not produce evidence that its testing procedures ensured that significant changes to URE's CAs in the ESP did not adversely affect existing cyber security controls.
Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could result in gaps in URE's secured environment, but the risk was mitigated because all changes to the CAs were application and patch upgrades that were provided and recommended by the vendor, who also supplied installation directions. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: URE self-certified that it violated R2 because it failed to document and establish a process to ensure that only those ports and services required for normal and emergency operations were enabled, and it did not ensure only those ports and services were in fact enabled.
Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could allow intruders to access open ports. The violation was mitigated by URE's redundant security measures, including strong firewall protections and electronic access points that were configured to deny access by default. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 3, 5, 6
Violation Risk Factor: Lower (R3); Medium (R5, R6)
Violation Severity Level: Severe
Region: FRCC
Issue: During a Compliance Spot Check, FRCC determined URE failed to establish, document, and implement a security patch management program in violation of R3; failed to review, at least annually, user accounts to verify access privileges, failed to implement a policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges in violation of R5; and failed to implement automated tools or organizational process controls to monitor system events, including automated alerts, and failed to maintain and document review of logs of system events related to cyber security in violation of R6.
Finding: FRCC determined that the violations posed a moderate risk to the reliability of the BPS because they could lead to unauthorized access to CAs. The violations were mitigated by URE's redundant security measures, including that the ESPs were well monitored, ESP intrusion detection was effective, the patching program was properly implemented for all critical applications, the unpatched systems were configured to only communicate internally, and best industry practices were used to secure all accounts and shared passwords. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: FRCC
Issue: URE self-reported a violation of R3.1 because it failed to perform or document the assessment of 89.3% of available security patches to determine whether they were applicable within 30 days.
Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could result in cyber vulnerability, but all of the patches were required and recommended by the vendor. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: URE self-certified a violation of R8 because its Cyber Vulnerability Assessment ("CVA") was deficient. Specifically, URE could not demonstrate that its annual CVA included a review to verify only ports and services required for operation of the CAs within the ESP were enabled, failed to include a review of controls for default accounts for all CAs, and did not include a documented execution status for identified vulnerabilities.
Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could lead to risks to the BPS. The violation was mitigated by URE's redundant security measures, including a lack of default passwords and electronic access points that were configured to deny access by default. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.
Penalty: $150,000 (aggregate for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-46 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 1, 3, 4, 5, 6, 7, 8, 9
Violation Risk Factor: Medium (1, 4, 5, 6, 8), Lower (3, 7, 9)
Violation Severity Level: Severe (1, 3, 4, 5, 6, 8, 9), Moderate (7)
Region: WECC
Issue: URE self-certified the following. (1) It had not properly documented its test procedures that are designed to verify that new CAs and significant changes to existing CAs within the ESP do not adversely affect existing cyber security controls. URE's testing procedures did not address the necessary security controls or how the testing would be documented (R1). (2) It had not properly implemented a security patch management program to track, evaluate, test and install the applicable cyber security software patches for all of its CAs within the ESP. Thus, URE was not conducting patch assessments within 30 days of release by the vendor as required (R3). (3) It did not use anti-virus software or other malware prevention tools to detect, prevent, deter and mitigate the impact of malware on URE's CAs within its ESPs (R4). (4) It had not enacted procedures to generate sufficiently detailed logs that are needed to create historical audit trails of user activity for a number of CAs in its energy management system ESP. URE also did not change the passwords for several of its shared accounts within seven days, as specified in its internal policy, and did not change the passwords annually for several other accounts as required (R5). (5) Its system log server was not capturing logs under heavy volume, and it had not retained the logs for at least 90 days. And, while URE had reviewed the security event logs, it had not documented these reviews as mandated (R6). (6) Its procedures for disposing of CAs did not address redeployments of CAs or erasing stored media prior to redeployment (R7). (7) It had not conducted a proper annual vulnerability assessment, including documenting the vulnerability assessment process and reviewing ports, services and controls for default accounts (R8). (8) It did not have a documented procedure for document review and maintenance, which led to inconsistent results as URE document owners followed their own schedules for document review and maintenance. In addition, URE did not document changes from modifications to the systems or controls within 90 days of the change as required (R9).
Finding: WECC found that the CIP-007-1 R1, R3, R4, R5, R6, R8 and R9 violations constituted a moderate risk to BPS reliability. For R1, the lack of proper cyber security testing procedures could have resulted in potentially harmful modifications to the existing security controls for the CCAs. But, URE did have testing in place to minimize adverse effects on the protection system. In terms of R3 and R4, by not having a compliant patch management program and anti-virus software or malware prevention tools, there could be unaddressed vulnerabilities remaining on the system for long periods of time or cyber security vulnerabilities introduced into the CCAs. For R5, the faulty controls for authentication and for accounting for user activity for system access could allow for potential malicious access to the CAs. For R8, by not conducting an annual cyber vulnerability assessment of all of its CAs, URE was potentially allowing cyber vulnerabilities in those CAs to go undetected, which would leave the CAs open to attack. For R9, URE did not have defined procedures for securing its systems found to be CCAs (as well as non-CCAs within the ESP) and thus it was unable to review and update the required documentation. But, for these violations, URE did have compensating measures in place as the CAs were located within an ESP and PSP and all of URE's personnel with access to the CCAs had received personnel risk assessments and CIP training. In terms of R6, by not properly enacting security controls to monitor cyber security system events, URE could potentially face unnoticed and unchecked unauthorized access. But, URE was reviewing the logs of cyber security system events (even though it did not properly document its review). WECC found that the CIP-007-1 R7 violation constituted only a minimal risk to BPS reliability. URE did have procedures in place governing the disposal of CAs within the ESP that were designed to prevent information stored on discarded CAs from being used to obtain access to URE's CCAs. URE agreed and stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's compliance history and that URE had a compliance program in place when the violations occurred (which was viewed as a mitigating factor). URE was also cooperative during the enforcement process and did not conceal the violations. WECC found that the violations did not constitute a serious or substantial risk to BPS reliability and there were no additional aggravating or mitigating factors.
Penalty: $200,000 (aggregate for 17 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report detailing four occasions on which it had not conducted required testing to ensure that new CAs and significant changes to existing CAs within its ESP would not adversely affect existing cyber security controls.
Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability, which was mitigated because URE has many security controls in place lessening any risk that the failure to test may have caused. In addition, in all four instances, testing eventually was conducted and no issues were discovered. URE neither admitted to nor denied TRE's findings.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining a violation of CIP-007-1 discovered during a Multi-Region CIP Audit. One of URE's parent companies that serves as a service provider on URE's behalf established a procedure to ensure that only required ports and services are enabled; however, it failed to include one type of protocol port in the system scans it uses in this process. As such, URE was unable to ensure that it only enables those ports and services required for normal and emergency operations.
Finding: The violation was deemed to pose minimal risk to BPS reliability, which was mitigated by the fact that URE employs network security controls such as a network intrusion detection and prevention system, which analyzes network traffic for known and suspect malicious activity. The system identifies threats affecting ports. Also, URE's ESP firewalls are designed to only allow traffic using specific protocols to enter the network. This setup prevents unsolicited traffic from passing into the networks segregated by ESPs.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 3/3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining a violation of CIP-007-1 discovered during a Multi-Region CIP Audit. One of URE's parent companies that serves as a service provider on URE's behalf experienced an outage of a third-party software application that included a patch management feature that URE uses to implement CIP-007 processes. URE did not assess the applicability of patches for its third-party software applications during the outage, and URE had no backup method in place for identifying or assessing security patches and upgrades. Also, URE stated that it automatically deems all security patches to be applicable and therefore did not keep records of the assessment of security patches and upgrades for applicability.
Finding: The violation was deemed to pose minimal risk to BPS reliability, which was mitigated by the fact that URE had installed all applicable security patches; however, it failed to document this policy in its patch management program. Also, URE employs "defense-in-depth" strategies, with many layers of network security including multiple "demilitarized zones" (DMZs) and firewalls, multifactor authentication into each DMZ, and network intrusion detection and prevention systems. Moreover, Texas URE safeguards the relevant systems by requiring authentication, which also employs anti-virus protection and host intrusion prevention software.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: URE self-reported that nine of its energy management system (EMS) servers and two other servers, classified as CCAs, did not have anti-virus software or malware prevention tools installed as of the mandatory compliance date of CIP-007-1 R4.
Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because URE had many other security measures in place to protect system assets before the mandatory enforcement date. In addition, URE is a small facility, and its load amounts to a fraction of one percent inside ERCOT. In determining the appropriate penalty, TRE considered URE's compliance program as a mitigating factor. URE neither admitted to nor denied SPP's findings.
Penalty: $13,500 (aggregate for two violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 4/4.1/4.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: TRE
Issue: While conducting an audit, TRE found that URE had 27 CCAs with no anti-virus software or other malware prevention tools installed by the mandatory compliance date of CIP-007-1. In addition, the Audit Team discovered that URE had no process or procedure in place to address the updating, testing or installing of anti-virus and malware prevention signatures between the effective date of CIP-007-1 and the date its procedure was updated.
Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because URE had many other security measures in place to protect system assets before the mandatory enforcement date. In addition, URE is a small facility, and its load amounts to a fraction of one percent inside ERCOT. In determining the appropriate penalty, TRE considered URE's compliance program as a mitigating factor. URE neither admitted to nor denied TRE's findings.
Penalty: $13,500 (aggregate for two violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 4.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported a violation of CIP-007-1 R4.2 due to its failure to implement a testing schedule for signature updates on certain CCAs and CAs inside its energy control system and backup energy control system ESPs when it tested and installed a new anti-virus product, as required by its anti-virus and malware prevention signature update procedures.
Finding: The violation was deemed by RFC to pose moderate risk to BPS reliability which was mitigated by the following. First, URE does have an existing procedure for updating anti-virus and malware prevention signatures that includes testing and installing the signatures. Second, all required signatures had been installed according to that procedure on all of its CAs. Third, no adverse effects to any CAs occurred related to the failure to perform signature testing. In determining the appropriate penalty, RFC considered certain aspects of URE's internal compliance program as a mitigating factor. In addition, further mitigating factors included that URE self-reported the violations and URE's cooperation during the enforcement process. URE also promptly submitted a Mitigation Plan to remediate the violation. URE agreed to RFC's findings.
Penalty: $12,000 (aggregate for four violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining a violation of CIP-007-1 in that URE did not properly implement automated tools and organizational process controls to monitor system events that are related to cyber security for a period of approximately six months for 49 total Critical Cyber Assets (CCAs) relating to two Critical Assets (CAs).
Finding: The violation was deemed to pose moderate risk to BPS reliability because URE had not properly implemented automated tools and organizational process controls to oversee system events that are related to cyber security which caused a loss of reporting on the central system. Mitigating factors lessening the risk to BPS operations are as follows: (1) Outside interactive access to the Cyber Assets is controlled by a redundant firewall pair at the Critical Assets that implements two-factor authentication, as well as the network infrastructure for Texas RE_URE3, which provides defense in depth. (2) The relevant CCAs were protected by anti-virus/malware software, which would have prevented the introduction of virus or malware software. (3) The anti-virus system is separate and distinct from the centralized logging system and was unaffected during the time period. (4) The anti-virus system provides alerts directly to a user on the control system, as well as sends an alert to the anti-virus system console, which shows up in reports run by the administrator. (5) The in-scope CCAs are physically secured and completely enclosed within a (six-wall) border. Physical access is controlled and monitored using electronic locks and video recording. (6) The physical access controls limit physical access to the cyber assets that are within the Electronic Security Perimeter (ESP). And, (7) the event was discovered during a password review and immediately mitigated through proper configuration.
Penalty: $7,000
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it was in violation of CIP-007-1 R6 due to its failure to ensure that all CAs within the ESP implement automated tools or organizational process controls to monitor system events that are related to cyber security. In particular, URE did not implement and document organizational processes and technical and procedural mechanisms for monitoring for security events on 52.8% of its devices.
Finding: The violation was deemed to pose moderate risk to BPS reliability, which was mitigated because the subject devices were located at URE's generation sites within the ESPs and Physical Security Perimeters (PSPs), thereby reducing the risk related to cyber security events. URE employs intrusion detection systems and access point protections, including externally-connected communication end points, which allow for monitoring of security events at the ESPs at issue. Also, the subject devices have only necessary ports and services enabled and anti-virus and anti-malware software installed, further reducing the risk to the BPS related to cyber security events. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.
Penalty: $17,400
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 6, 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining that it had no records documenting its review of security logs in violation of CIP-007-1 R6. In another self-report, URE stated that it had not performed annual cyber vulnerability assessments on certain CAs in violation of CIP-007-1 R8. URE also reported that baseline assessments had been performed on ports and services, but it had no evidence to support that the review of baseline assessments had been performed annually.
Finding: The violations were deemed by TRE to pose minimal risk to BPS reliability. Regarding the violation of R6, URE has security systems in place to mitigate any risk due to problems in security logging. Any security threats are reported and monitored by security operations personnel 24/7. Regarding the violation of R8, even though the annual assessments had not been performed, baseline cyber vulnerability assessments on all affected assets had been performed, and URE has many levels of security controls, including human observation, that would have to be bypassed by a potential attacker.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: TRE
Issue: URE submitted a self-report explaining that it had not performed annual cyber vulnerability assessments (Assessments) of ports, services, or default accounts on servers where host applications are used for physical security and port scanning, to support file transfers between applications, and to provide domain authentication services. URE reported that baseline assessments were performed for ports and services, but it had no documentation to show that the baseline assessments had been reviewed annually.
Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because, even though URE had not performed annual assessments, initial and baseline cyber vulnerability assessments had been performed on all affected assets. Also, URE has multiple layers of physical and electronic security to protect cyber assets. URE has redundancy on its server and workstation environments, and any possible attack would have to bypass multiple layers of control, including human observation.
Penalty: $0 (for 12 violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported a violation of CIP-007-1 R8 based upon its finding that its outside contractor used for cyber vulnerability assessments of its Cyber Assets (CAs) inside of its Electronic Security Perimeter (ESP) was not performing the assessments in accordance with the Reliability Standard. URE found that the cyber vulnerability assessments had not included (1) a document identifying the vulnerability assessment process (R8.1); (2) a review to verify that only ports and services required for operation of the CAs within the ESP are enabled (R8.2); (3) a review of controls for default accounts (R8.3); or (4) documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan (R8.4).
Finding: The violation was deemed by RFC to pose moderate risk to BPS reliability, which was mitigated by the following. Although the cyber vulnerability assessments were not performed according to the requirements of CIP-007-1 R8, the assessments were based on industry technology practices. All open ports on each system were identified. The assessment classified the known vulnerabilities according to severity. Additional security measures were also in place to adequately protect URE's system. In determining the appropriate penalty, RFC considered certain aspects of URE's internal compliance program as a mitigating factor. In addition, further mitigating factors included that URE self-reported the violations and URE's cooperation during the enforcement process. URE also promptly submitted a Mitigation Plan to remediate the violation. URE agreed to RFC's findings.
Penalty: $12,000 (aggregate for four violations)
FERC Order: Issued October 26, 2012 (no further review)
Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 2, 3, 8
Violation Risk Factor: Medium (2, 8); Lower (3)
Violation Severity Level: Severe
Region: WECC
Issue: Following a self-report, WECC determined URE violated R2 because URE failed to establish and document a process to ensure that only ports and services required for normal and emergency operations are enabled for 41% of URE's CAs. WECC also determined URE failed to "establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches" for all CAs in the ESP, as required by R3. Finally, WECC determined URE failed to include a review to verify the status of ports and services and a review of controls for default accounts on over 100 CAs in its annual Cyber Vulnerability Assessment for a period of two years (R8).
Finding: WECC determined that the violation of R2 posed a moderate risk, and the violations of R3 and R8 posed a minimal risk, to the reliability of the BPS. The risk was mitigated because redundant protections were in place, including anti-virus and anti-malware software, two-factor authentication for access, and intrusion detection and protection systems. Moreover, no actual security events occurred during the violation period. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.
Penalty: $200,000 (aggregate for 12 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 1 (three violations, one for each URE)
Violation Risk Factor: Medium (1)
Violation Severity Level: Severe (1)
Region: RFC
Issue: URE1 self-reported that its Change Control Procedures did not define "significant change" or specify the cyber security controls to be verified as not adversely affected during a modification or change to Cyber Assets, as required. URE1 also did not properly maintain its security patch documentation, which was supposed to show that the patches were adequately tested before being installed on the production system. In addition, URE2 and URE3's cyber security testing procedures were not implemented in a manner designed to minimize adverse effects on the cyber security controls associated with the Cyber Assets. URE2 and URE3 also did not test their new Cyber Assets, as well as significant changes to existing Cyber Assets, in a way that reflected the production environment as required.
Finding: RFC found that the CIP-007-1 R1 violations constituted a moderate risk to BPS reliability since new Cyber Assets or significant changes to existing Cyber Assets could potentially have had an adverse effect on the UREs' existing cyber security controls. But, the UREs did have protective measures in place to secure their CCAs and non-critical Cyber Assets in the ESP as well as the Cyber Assets within the EMS ESP. Furthermore, no security breaches occurred during the course of the violations. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 2 (three violations, one for each URE)
Violation Risk Factor: Medium (2)
Violation Severity Level: Severe (2)
Region: RFC
Issue: URE1, URE2 and URE3 self-reported that they did not possess sufficient documentation demonstrating that they only enabled those ports and services needed for normal and emergency operations and disabled the other ports and services. For example, the UREs did not specify the operational purposes of their ports and services or establish a baseline for the ports and services (which is needed to compare changes made to the system).
Finding: RFC found that the CIP-007-1 R2 violations constituted a moderate risk to BPS reliability since they could have led to the infiltration of unauthorized network traffic into the ESP. But, the UREs did have measures in place to detect intrusions into the ESPs through ports and services. A third-party security service provider was also monitoring traffic and did not discover any malicious traffic during the course of the violation. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 2 (three violations, one for each URE)
Violation Risk Factor: Medium (2)
Violation Severity Level: Severe (2)
Region: RFC
Issue: URE1, URE2 and URE3 self-reported that they did not possess sufficient documentation regarding the compensating measures they took to mitigate risk exposure (or acceptance of risk) for those unused ports and services that could not be disabled for technical reasons.
Finding: RFC found that the CIP-007-1 R2 violations constituted a moderate risk to BPS reliability since they could have led to the infiltration of unauthorized network traffic into the ESP. But, the UREs did have measures in place to detect intrusions into the ESPs through ports and services. A third-party security service provider was also monitoring traffic and did not discover any malicious traffic during the course of the violation. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 3 (three violations, one for each URE)
Violation Risk Factor: Lower (3)
Violation Severity Level: Severe (3)
Region: RFC
Issue: URE1 self-reported that it did not conduct a full assessment of certain security patches, as required, within 30 days of the patches becoming available. In one instance, URE1 did not install the patch and did not properly document the compensating measures it took to mitigate its risk exposure. In completing its mitigation plan, URE1 did not timely assess or install 40 patches for its Update Server according to its patch management schedule. URE1, URE2 and URE3 also did not apply their security patch management program to their field management laptops as required. In addition, URE2 and URE3 did not install security patches on three of their operating systems and their applications.
Finding: RFC found that the CIP-007-1 R3 violations constituted a moderate risk to BPS reliability since they increased the risk of infiltration by unauthorized network traffic into the ESP. But, the UREs had implemented a range of protective measures to protect their systems from cyber security breaches, such as a private network for their Critical Asset substations that isolates the Critical Asset Substation data traffic and their Parent Company's Corporate IT access control system. The UREs had also developed a security patch management program, which was applied to all devices (except the field maintenance laptops, which the UREs only used locally to configure the protection relays). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: RFC determined that URE1 did not have sufficient documentation showing which security patches were applied to each of its systems and did not enact the compensating and mitigating measures it developed as part of its Technical Feasibility Exception.
Finding: RFC found that the CIP-007-1 R3 violation constituted a moderate risk to BPS reliability since it increased the risk of infiltration by unauthorized network traffic into the ESP. But, URE1 had established measures to secure its CCAs and had controls to protect its system from cyber security breaches. URE1 has a private network, which is isolated from the UREs' network by firewalls, for its Critical Asset substations that serves to isolate the Critical Asset Substation data traffic, and uses its Parent Company's Corporate IT access control system (which controls remote access to all Critical Asset substations and utilizes two-factor authorization). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 4 (three violations, one for each URE)
Violation Risk Factor: Medium (4)
Violation Severity Level: Lower (4)
Region: RFC
Issue: URE1 self-reported that it did not test its anti-virus and malware prevention signatures, as required, before installing them on its EMS production environment. The UREs also did not test their signatures to determine if there would be adverse effects on the existing cyber security controls. URE1 also did not install anti-virus software, as well as other required malicious software prevention tools, on two of its CCAs and did not file Technical Feasibility Exceptions for those CCAs. In addition, RFC determined that URE2 and URE3 did not have malware prevention tools or the related signature files for their two backup servers. Furthermore, for four months during a software upgrade while implementing its mitigation plan, URE1 did not test all of its anti-virus signatures before using them in its production systems.
Finding: RFC found that the CIP-007-1 R4 violations constituted a moderate risk to BPS reliability since they increased the risk of malware being introduced to the Cyber Assets within the ESP. But, the UREs had enacted measures to protect their CCAs and non-critical Cyber Assets within the ESPs from the malware threat. The UREs had a malware prevention program which covered their CCAs, and URE1 filed (belatedly) two Technical Feasibility Exceptions for its relevant CCAs. URE2 and URE3's backup servers (which were used only approximately 4-5 times a year for restoration operations) were disconnected from the internet and located behind firewalls. The UREs also have a private network, which is isolated from the UREs' network by firewalls, for their Critical Asset substations that serves to isolate the Critical Asset Substation data traffic, and use their Parent Company's Corporate IT access control system (which controls remote access to all Critical Asset substations and utilizes two-factor authorization). There were also no security breaches that occurred during the course of the violations. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 5 (three violations, one for each URE)
Violation Risk Factor: Lower (5)
Violation Severity Level: Severe (5)
Region: RFC
Issue: URE1 self-reported that its EMS password policy only required passwords to be updated annually, whereas its internal IT Security Standards mandated that passwords be changed every 90 days. URE1, URE2 and URE3 also did not require all of their CCAs to use passwords that were sufficiently complex (and URE2 and URE3 did not request Technical Feasibility Exceptions for those CCAs that were unable to comply with the Reliability Standard). In addition, URE1's log management system (used to monitor individual user account access activity) did not maintain logs for 50 days in early 2011 when the system was out of service. URE2 and URE3 also did not change the passwords on the required default accounts before placing their legacy EMS and system into service (and did not request the Technical Feasibility Exceptions that were needed). Furthermore, URE2 and URE3 did not maintain an audit trail of account use for their shared account on the EMS console.
Finding: RFC found that the CIP-007-1 R5 violations constituted a moderate risk to BPS reliability since they increased the risk of unauthorized system access. But, the UREs had enacted protective measures to secure their Cyber Assets within the ESPs, such as technical controls to protect against cyber security breaches. The UREs also have a private network, which is isolated from the UREs' network by firewalls, for their Critical Asset substations that serves to isolate the Critical Asset Substation data traffic, and use their Parent Company's Corporate IT access control system (which controls remote access to all Critical Asset substations and utilizes two-factor authorization). In addition, the UREs had implemented additional protective measures for the CCAs within the EMS and EBS ESPs. There were also no security breaches that occurred during the course of the violations. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: During the compliance audit, RFC determined that URE1 did not follow the compensating and mitigating measures contained in its Technical Feasibility Exceptions for certain passwords that were unable to be changed annually as required.
Finding: RFC found that the CIP-007-1 R5 violation constituted a moderate risk to BPS reliability since it increased the risk of unauthorized system access. But, the passwords that URE1's personnel were using satisfied the requirements of the Reliability Standard. In addition, URE1 had implemented technical controls to protect against cyber security breaches. URE1 also participates in a private network, protected by firewalls, for its Critical Asset substations that isolates the Critical Asset Substation data traffic, and uses its Parent Company's Corporate IT access control system (which employs two-factor authorization). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 6 (three violations, one for each URE)
Violation Risk Factor: Lower (6)
Violation Severity Level: Severe (6)
Region: RFC
Issue: URE1 self-reported that it did not properly document its security monitoring tool's organizational processes, as well as the technical and procedural mechanisms, for monitoring for security events on the Cyber Assets within the ESP. URE1 did not maintain logs, as required, of cyber security system events related to incident responses. URE1 did not file Technical Feasibility Exceptions related to incident response for two CCAs and had its log management system out of service for 50 days. In addition, URE2 and URE3 had not configured two net backup boot servers (which were CCAs) to maintain logs of system events related to cyber security. The UREs also did not sufficiently document the procedures for monitoring events on all of their Cyber Assets within the ESPs and did not file Technical Feasibility Exceptions for three Ethernet switches at substations that were unable to monitor cyber security system events.
Finding: RFC found that the CIP-007-1 R6 violations constituted a moderate risk to BPS reliability since they increased the risk of an undetected compromise of the CCAs (as well as other cyber security events) occurring. But, the UREs had enacted protective measures (such as a layered architecture and two-factor authentication) to guard the assets within their ESP against system events. Event feeds are continuously monitored and responsible personnel are alerted in instances of a potential cyber security-related incident. In addition, the two net backup boot servers, which are behind firewalls, are not connected to the internet and are only used, for restore operations, approximately 4-5 times a year. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE1 self-reported that it did not review its controls for default accounts as part of its annual cyber vulnerability assessment of Cyber Assets, as required.
Finding: RFC found that the CIP-007-1 R8 violation constituted a moderate risk to BPS reliability since it increased the risk that URE1's system was open to unidentified vulnerabilities. But, URE1's EMS CCAs are safeguarded by various protective measures (such as firewalls) and contained in an ESP. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.
Penalty: $725,000 (aggregate for 73 violations)
FERC Order: Issued November 29, 2012 (no further review)
Unidentified Registered Entity (URE), Docket No. NP13-6 (November 30, 2012)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE submitted a self-report explaining a violation of CIP-007-1 R6.1 upon its discovery that over 1,000 devices, including workstations, servers and network devices, did not have security monitoring as required. URE reported it was not technically feasible for 88% of the devices to have the required security monitoring capability. WECC Enforcement confirmed that URE’s Cyber Assets located in its control center, facilities and control systems had no monitoring systems for events related to cyber security. URE relied on anti-virus and an intrusion detection system for security.
Finding: WECC deemed the violation to pose moderate risk to BPS reliability, but not serious or substantial risk. Unauthorized access to the Cyber Assets could have been possible with no monitoring systems checking for malicious access. Such access could then be used to further harm CCAs essential to BPS reliability. URE failed to monitor the Cyber Assets for a period of 31 months; however, all of the assets are located and protected within identified ESPs and PSPs. In determining the appropriate penalty, WECC considered that URE self-reported the violation and took voluntary corrective action to remedy the violation. URE’s internal compliance program was considered a mitigating factor and there were no aggravating factors to support a higher penalty. URE was cooperative throughout the enforcement process and did not attempt to conceal the violation nor was it found to be intentional.
Penalty: $62,500
FERC Order: Issued December 28, 2012 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 3.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP
Issue: URE self-reported that it had not timely installed, according to its patch management procedure, 1,826 security patches applicable to CCAs associated with its EMS. Twelve of the patches were rated as high risk, whereas the remainder of the patches were rated as medium risk. In addition, URE did not implement a low-rated patch on two CCA physical security servers (as the implementation of low priority patches was at the discretion of the analyst) – but the process was amended to prohibit patches for CIP-protected Cyber Assets from being given a low rating. URE also had not documented the compensating measures to mitigate risk exposure or filed TFEs for two patches that could not be installed and for one patch that was delayed.
Finding: SPP found that the violation constituted a serious risk to BPS reliability since system patching is critical for a system to guard against malicious attack techniques and to protect against vulnerabilities. By not timely updating the security patches (which covered multiple vulnerabilities), URE increased its exposure to cyber threats, especially denial-of-service type conditions (which had the potential to render EMS controls and output unavailable during a cyber or physical attack). In regards to the patches that were not installed, SPP found that it constituted a moderate risk to BPS reliability. But, the only risk URE faced by not installing the low-rated patch on the physical security servers was having to manually control access until the servers could be restored after the denial-of-service attack. For the patches that were unable to be installed, they were related to low-risk vulnerabilities and would have qualified for technical feasibility exceptions. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $107,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 5.1.1/5.2/5.2.3/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP
Issue: URE self-reported that certain accounts enabled on a dedicated workstation supporting an operations map board were not granted in conformance with URE’s CIP account management requirements – and as the accounts were unnecessary, they were removed by URE (5.1.1). URE also self-reported that three shared account passwords for CCA access to its EMS had not been timely changed, pursuant to URE’s password management procedure, when employees left URE (5.2.3). URE had problems with its procedures for securing accounts after personnel changes, as the procedures did not clearly state which users could be given shared account access or specify how that access would be revoked in all cases (5.2). In addition, URE’s shared account entries did not identify the individual using the shared account (although the entries tracked successful log-in and log-out activities) (5.2.3). Also, 169 of URE’s user account passwords (with all of the accounts supporting the URE EMS) had not been changed on an annual basis as required (5.3.3).
Finding: SPP found that the CIP-007-1 R5 violations constituted a moderate risk to BPS reliability. For the employees who left URE, their physical access to the CCAs had been timely revoked, and they did not have remote access rights. The assets were also protected by an access-controlled PSP. In regards to the accounts from the map board workstation, the map board itself was not a Critical Asset since the information it presented was also available through the EMS operator terminals. While URE’s lack of detail on the access levels and the requirements for terminating access potentially could have resulted in user-level employees being granted administrative access and keeping such access longer than necessary, URE did have other controls in place, including password requirements, log reviews, vulnerability analysis and account revocation. In addition, although URE’s inadequate tracking of account users of shared accounts could have allowed a malicious insider to attack the system, URE was properly maintaining its access logs, which provide information on what time access occurs, and the shared accounts are contained in a facility that is continuously monitored. In regards to the passwords, URE’s centralized log reviews also should have alerted URE to any repeated unauthorized access attempts. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $107,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 6.5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP
Issue: During a compliance audit, SPP found that URE did not have proper documentation showing that it had reviewed certain logs of system events related to cyber security. URE stated, despite the lack of documentation, it was performing the required reviews.
Finding: SPP found that this violation constituted only a minimal risk to BPS reliability. Although not reviewing the logs may have caused URE to fail to detect malicious connection requests, URE was reviewing its firewall logs and continuously analyzing data traffic through the firewall, which should have captured any potential attacks. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $107,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: While conducting a CIP Spot Check, SPP RE determined that URE1 had not ensured that new CAs and significant changes to existing CAs within the ESP would not negatively affect existing cyber security controls. URE1 was found to have no evidence to show that its cyber security controls were being tested.
Finding: SPP RE found that the violation posed a minimal risk to BPS reliability, but not a serious or substantial risk, because the issue was primarily documentation related. URE1 had existing processes in place for testing; however, the processes were not documented. URE1 was able to show that security controls had been tested. No incidents were found from the date of mandatory compliance, June 8, 2010, through the violation end date, November 8, 2010. URE1 neither admitted to nor denied the violation. In determining the appropriate penalty, SPP RE found URE1’s written ICP to be a neutral factor.
Total Penalty: $15,000 (aggregate for 6 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 2; 2.1; 2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: URE1 self-reported a violation of R2 when it discovered that it had failed to ensure that those workstations within its ESP that were listed as Cyber Assets with connectivity to production servers had only enabled those ports needed for normal or emergency operations. The company further reported that certain services not required for normal operations of sampled Cyber Assets were erroneously enabled.
Finding: FRCC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the workstations at issue are protected by virtual local area network configurations which limit exposure from the internet and untrusted sources, and which limit access between the workstations and the servers. In addition, the servers’ communications with the production server were limited. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.
Total Penalty: $33,000 (aggregate for 8 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: URE1 self-reported a violation of R3 after discovering that over a 16-month period, 139 patches for a particular operating system running on particular servers were not assessed for applicability because the security patch tracking tool failed to identify the missed patches. Furthermore, during a four-month period, after the security patch tracking tool was replaced, the entity identified 24 applicable security patches released by the vendor that were not assessed within the required time frame.
Finding: RFC determined that the R3 violation posed a moderate risk to the reliability of the BPS that was mitigated by: (1) the entity’s established and documented patch management program; (2) the fact that the pertinent assets do not have direct Internet access; and (3) the fact that the assets at issue were servers with no direct correlation to BPS controls. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation and the entity’s commitment to compliance and reliability to be mitigating factors in making its penalty determination. The violation began when the entity should have assessed certain operating system patches for applicability and ended when the entity assessed the subsequent 24 patches. URE1 neither admitted nor denied the violation.
Total Penalty: $10,000 (aggregate for 6 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 3; 3.1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: FRCC
Issue: URE1 self-reported a violation of R3 when it discovered that it had not established, documented or implemented a security patch management program for tracking, evaluating, testing, and installing some third-party applications. These applications had been installed on many of the Cyber Assets within the Electronic Security Perimeters (ESPs).
Finding: FRCC determined that the R3 violation posed a moderate risk to the reliability of the BPS because the Cyber Assets at issue were protected by strong controls of the ESP in which they were located. In addition, only patches for very few applications were not tracked by the patch management program, and none of the patches at issue were critical security patches. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.
Total Penalty: $33,000 (aggregate for 8 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 5; 5.1.3; 5.2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: Further to a Compliance Audit, FRCC determined that URE1 had violated R5 when the entity could not demonstrate that it conducted at least annual reviews of all user accounts to ensure their access privileges met Standards CIP-003-3 R5 and CIP-004-3 R4. In addition, the entity’s documentation failed to show that it had identified all individuals with access to all the shared accounts for the Cyber Assets within the Electronic Security Perimeter.
Finding: FRCC determined that the R5 violation posed a moderate risk to the reliability of the BPS because for individual access, the entity did have access provisioning controls even if the entity had not documented all shared and administrative accounts. Furthermore, the entity had conducted an annual review of all accounts even if it had not verified specific account privileges. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.
Total Penalty: $33,000 (aggregate for 8 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 could not provide complete documentation showing that only those ports and services needed for normal and emergency operations were enabled at all ESP access points.
Finding: RFC determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk; however, NERC review found the violation posed a minimal risk to BPS reliability based upon similar violations in other regions. URE2’s systems inside the ESP have limited connections to outside networks, and firewalls restrict network traffic as well. URE2 also has security systems in place to detect and alert on any unauthorized access. The violation began on February 18, 2011 and ended on August 12, 2011 when URE2 completed its Mitigation Plan. URE2 admitted to the violation. In determining the appropriate penalty, RFC considered some aspects of URE2’s ICP to be mitigating factors. RFC found URE2 to be cooperative during both the Compliance Audit and follow-up enforcement activities but considered that a neutral factor. Also, RFC found that URE2’s violation history should not be considered an aggravating factor in the penalty determination.
Total Penalty: $65,000 (aggregate for 6 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 8.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 could not provide documentation showing that its cyber vulnerability assessment had included a complete review confirming that only those ports and services needed for normal and emergency operations were enabled at all ESP access points.
Finding: RFC determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because the systems inside the ESP have limited connections to outside networks, and firewalls restrict network traffic as well. URE2 also has security systems in place to detect and alert on any unauthorized access. The violation began on October 10, 2010, and ended on August 16, 2011 when URE2 completed its Mitigation Plan. URE2 admitted to the violation. In determining the appropriate penalty, RFC considered some aspects of URE2’s ICP to be mitigating factors. Also, RFC found URE2 to be cooperative during both the Compliance Audit and follow-up enforcement activities but considered that a neutral factor.
Total Penalty: $65,000 (aggregate for 6 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 1, 3
Violation Risk Factor: Medium (R1), Lower (R3)
Violation Severity Level: Severe (R1), High (R3)
Region: WECC
Issue: During an audit, WECC concluded that URE failed to establish and maintain a cyber security test procedure to minimize adverse effects on the production system in violation of R1. WECC also determined that URE violated R3 by failing to assess and update its anti-virus software within 30 days of the update’s availability.
Finding: WECC decided the R1 violation posed a minimal and not a serious or substantial risk to the reliability of the BPS because it was essentially a documentation issue. WECC decided the R3 violation posed a minimal and not a serious or substantial risk to the reliability of the BPS because, other than the missed anti-virus software update, URE did have a program for assessing and implementing patches for its other Cyber Assets and CCAs. The duration of the R1 violation was from the date the standard became mandatory and enforceable until the date URE created and implemented complete cyber security test procedures. The duration of the R3 violation was from the date the anti-virus software update became available through when URE completed its mitigation plan.
Total Penalty: $207,000 (aggregate for 12 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 3.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP
Issue: URE self-reported that, during a span of two months, it did not timely install 1826 security patches (12 of which were high-risk patches) that applied to CCAs associated with its Energy Management System (EMS). In addition, on one occasion, URE did not install a low-rated patch on two CCA physical security servers, as documenting and implementing low-rated patches was left to the discretion of the support engineer/analyst. URE had also not documented any compensating measures taken to mitigate risk exposure (or filed Technical Feasibility Exceptions) for two security patches that were unable to be installed, as well as one patch that was delayed.
Finding: SPP found that the CIP-007-1 R3.2 violation related to not installing the 1826 security patches constituted a serious risk to BPS reliability as system patching is critical to protect against evolving malicious attack techniques and fixing newly discovered vulnerabilities. By not timely installing its security patches, URE increased its exposure to cyber threats, especially in regards to the potential creation of denial-of-service type conditions (which could make EMS controls and output unavailable during an attack, restricting URE's ability to respond to a real-time emergency). But, cyber operability was not lost during the course of the violation. The other noncompliance instances constituted a moderate risk to BPS reliability. For the low-rated patch, the relevant server was charged with managing a PSP, so a denial-of-service attack would not have affected URE's EMS or other assets within the ESP. In addition, the two delayed patches were associated with low-risk vulnerabilities and were not technically feasible to install. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.
Penalty: $153,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 4.2
Violation Risk Factor: Lower
Violation Severity Level: High
Region: SPP
Issue: URE self-reported that, as a result of computer-to-computer communication issues, URE's Energy Management System (EMS) servers did not receive automated virus-identifying data file updates and communications to the anti-virus servers were being blocked.
Finding: SPP found that the CIP-007-1 R4.2 violation constituted a moderate risk to BPS reliability, but not a serious or substantial risk. URE's EMS servers were located behind an ESP firewall, which restricted internet access, thereby reducing exposure to malware. Even though it was not being automatically updated, URE's anti-virus software was still functioning on the EMS servers. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.
Penalty: $153,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 5.2/5.2.3/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP
Issue: URE self-reported that a shared account password for CCA access to its Energy Management System (EMS) had not been timely changed, according to URE's password management procedure, when two employees who used the password left the company (5.2.3). URE's log entries, while they did capture log-in and log-out events, did not include information on the individual utilizing the shared account as required (5.2.3). In addition, SPP found that URE's procedures did not clearly specify which users could be given shared account access and also did not sufficiently detail all scenarios in which account access would be revoked (5.2). URE also had passwords for 162 accounts, used to support URE's EMS, that had not been changed on an annual basis (5.3.3).
Finding: SPP found that the CIP-007-1 R5 violations constituted a moderate risk to BPS reliability. In regards to the two employees who left the company, both had their physical access rights timely revoked and they did not retain any remote access. As the relevant assets were located within an access-controlled PSP, the employees would have had to be physically present at the terminal to access the assets. In terms of the lack of adequate account access procedures, SPP found that it could have resulted in user-level employees improperly receiving and retaining administrative access. But, URE did have mitigating measures in place, including password change requirements, log reviews, vulnerability analysis and account revocation after termination. In addition, SPP determined that URE's failure to properly track individual users of shared accounts could have hindered URE's ability to track down a malicious insider using a shared account to damage URE's system. But, URE would have been able to determine through the access logs what time access occurred, and the accounts used to access assets are contained within a continuously monitored facility. For the overdue passwords, while they increased the vulnerability of the system, URE conducted centralized logging reviews, which would have provided evidence of unauthorized access attempts. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.
Penalty: $153,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: SPP
Issue: URE self-reported that it did not properly review, on an annual basis, its process documents for access management and malicious software prevention.
Finding: SPP found that the CIP-007-1 R9 violation only constituted a minimal risk to BPS reliability. URE did not make any substantive changes to the process documents during the review. The prior year's versions of both process documents were still being actively used and there was no compromise to URE's Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.
Penalty: $153,000 (aggregate for 16 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium (1/1.1), Lower (1.2/1.3)
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its cyber security test procedures did not cover all of its Cyber Assets within ESPs as required. SERC also determined that URE's cyber security test procedures did not include testing for 16 device types of its Cyber Assets that were not being monitored by its change monitoring tool.
Finding: SERC found that the CIP-007-1 R1 violations constituted a moderate risk to BPS reliability. By not having testing procedures in place for all of its Cyber Assets within ESPs, there could have been a negative impact on existing cyber security controls, which could have led to URE's CCA becoming compromised or rendered inoperable. Some of the Cyber Assets within the ESP had undergone test procedures used by the software. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SERC
Issue: URE self-reported that, as a result of an incomplete database inventory list, for many of its Cyber Assets, it was unable to verify that it had only enabled those ports and services necessary for normal and emergency operations. SERC also determined that URE did not have a properly documented process regarding how URE would determine which ports and services needed to be enabled for normal and emergency operations. In addition, as a result of a failed attempt to uninstall an antivirus program seven years ago, a URE port that was not necessary for normal and emergency operations was left open.
Finding: SERC found that the CIP-007-1 R2 violations constituted a serious and substantial risk to BPS reliability. URE did not ensure that it only enabled those ports and services necessary for normal and emergency operations, and having unevaluated ports and services caused URE's Cyber Assets and CCAs within ESPs to be susceptible to security vulnerabilities. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: High
Region: SERC
Issue: URE self-reported that although it has a patch management program, it had not developed specific instructions for the performance and documentation of security patch evaluations, the maintenance of the patching server, and the verification that patches had been downloaded and were ready to review. In addition, URE was missing certain security patch updates because its database inventory list was incomplete (as it did not contain all of URE's Cyber Assets as required) and its patching server encountered a database error. As a result, URE had not evaluated many security patches within 30 days of their release as required.
Finding: SERC found that the CIP-007-1 R3 violations constituted a serious and substantial risk to BPS reliability. URE did not develop an appropriate security patch management program to govern the tracking, evaluation, testing and installation of cyber security patches for its Cyber Assets within ESPs, which made URE's Cyber Assets susceptible to security vulnerabilities. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: High
Region: SERC
Issue: URE self-reported that two of its servers did not have updated antivirus signatures as a result of a failed virus scanner/antivirus services and an outdated version of the antivirus software, respectively. In addition, since URE did not have an accurate list of its Cyber Assets within ESPs, many of URE's Cyber Assets within its ESP did not have the required malware protection installed. URE also had numerous devices that could not support the installation of malware protection, but that did not have Technical Feasibility Exceptions.
Finding: SERC found that the CIP-007-1 R4 violations constituted a serious and substantial risk to BPS reliability. 14.5% of URE's Cyber Assets did not have the required antivirus and malware prevention tools installed or compensating measures developed, which could have exposed those assets to viruses and malware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that, as a result of its incomplete Cyber Assets database list, some of its Cyber Assets within ESPs did not have sufficiently complex passwords. URE also did not have adequate management controls for its administrator, shared and other generic accounts. URE also improperly distributed a group password for EMS consoles to URE personnel that did not need to know the password. In addition, URE did not have an audit trail for two shared accounts (which were unable to support the automatic logging of account use) that were part of URE's Physical Access control system.
Finding: SERC found that the CIP-007-1 R5 violations (which lasted approximately a year and a half) constituted a serious and substantial risk to BPS reliability. By not having procedures in place to minimize and manage the scope and use of shared accounts and not developing sufficiently complex passwords for its Cyber Assets, there was an increased risk that the URE's CCAs would be compromised and rendered inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that, as a result of an incomplete database inventory list, it had multiple Cyber Assets in ESPs that were not incorporated into its security status monitoring process as required. There were also numerous Cyber Assets that did not have the required automated alerts for cyber security events enabled. SERC also found that several of URE's Cyber Assets were not sending logs, as required, to URE's cyber security monitoring tool. URE also had nine communication processors that were unable to log security events. URE also had several servers and switches that were being monitored by another tool that did not have alerts properly configured or logs that were being manually reviewed. In addition, URE had numerous devices that were unable to support security status monitoring tools, but that did not have Technical Feasibility Exceptions. Furthermore, URE's monitoring tool stopped working, and thus was not processing system events, for three days.
Finding: SERC found that the CIP-007-1 R6 violations constituted a serious and substantial risk to BPS reliability. URE had insufficient procedures for identifying and documenting Cyber Assets and verifying that all Cyber Assets within ESPs, including newly added Cyber Assets, had the proper security status monitoring. The gaps in URE's cyber security monitoring could have caused a security breach to go undetected. In addition, the failure of URE to properly log all system events could have had a negative impact on URE's ability to conduct a proper incident response. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 7
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: SERC
Issue: SERC determined that URE's disposal and redeployment procedures incorrectly stated that reformatting disks of Cyber Assets was an acceptable data cleansing method, even though accepted industry practice required a factory reset or multiple pass method.
Finding: SERC found that the CIP-007-1 R7 violation only constituted a minimal risk to BPS reliability. Even though URE had incorrect disposal and redeployment procedures on file, in practice it was employing the factory reset and multiple pass method when it disposed of or redeployed its Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: SERC determined that URE had not conducted a cyber vulnerability assessment on approximately 495 of its Cyber Assets within ESPs before the compliance date, as required. URE believed that it had an additional year to come into compliance.
Finding: SERC found that the CIP-007-1 R8 violation constituted a serious and substantial risk to BPS reliability. By not performing a cyber vulnerability analysis before its cyber security program went into effect, URE increased the risk that security vulnerabilities in its Cyber Assets would go undetected. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).
Penalty: $950,000 (aggregate for 24 violations)
FERC Order: Issued January 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-22 (January 31, 2012)
Reliability Standard: CIP-007-1
Requirement: 1, 3.1
Violation Risk Factor: Medium (1), Lower (3.1)
Violation Severity Level: N/A (1, 3.1)
Region: WECC
Issue: URE self-reported that it had not sufficiently tested all of its Cyber Assets within the ESPs, as it did not perform security tests (only functional tests) when there was a significant change made to a Cyber Asset. URE also had not established a security baseline to be used for verifying that no adverse effects result from a significant change to a Cyber Asset. (1) In addition, WECC found that, as URE was improperly relying on its vendor, URE had not properly assessed security patches for 83 of its Cyber Assets in ESPs within 30 days of availability, as required (3.1).
Finding: WECC found that the CIP-007-1 R1 violation constituted a moderate risk to BPS reliability as untested changes could potentially introduce security vulnerabilities into URE's CCAs. But, URE's Distributed Control Systems (DCS) vendor tested all the patches that were applied to URE's DCS. In addition, the patches were all approved for installation before they were installed. Furthermore, WECC found that the CIP-007-1 R3.1 violation only constituted a minimal risk to BPS reliability since URE actually had a security patch management program in place (despite using its vendor to assess and document security patches). In approving the settlement agreement, the NERC BOTCC considered as mitigating factors URE's internal compliance program, including the continuous improvements in URE's compliance culture and URE's enactment of all applicable compliance directives. URE was also cooperative during the enforcement process and did not conceal any violations. With regard to the CIP violations, URE undertook voluntary corrective actions and self-reported the violations within a week of WECC's compliance audit. WECC evaluated as an aggravating factor a previous violation of PRC-005-1 R1 by one of URE's affiliates. But, URE had no recurring violations or relevant negative compliance history.
Penalty: $115,000 (aggregate for 6 violations)
FERC Order: Issued March 1, 2013 (no further review)
Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013
Reliability Standard: CIP-007-1
Requirement: R4; R4.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: FRCC
Issue: URE self-reported a violation of R4 when it employed a network-based intrusion detection system (IDS) to protect all of the Critical Cyber Assets (CCAs) within its Electronic Security Perimeters (ESPs) rather than anti-virus software and other malware prevention tools installed on each CCA workstation.
Finding: FRCC determined that the R4 violation posed a moderate risk to the reliability of the BPS because the CCAs were protected from malware within the ESP, and in the company's locked down environment, all updates were validated to screen out malware. Furthermore, only energy management system vendor-approved applications and configurations were installed on URE's system and new applications underwent two levels of testing prior to installation. The company's network-based IDS also scanned and protected all network segments, monitoring and logging all activities for these access points. FRCC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R4.
FRCC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable to URE and ended when the company updated its risk-based assessment methodology. URE neither admits nor denies the R4 violation.
Penalty: $8,000 (aggregate for 2 violations)
FERC Order: Issued March 1, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE3 self-certified that, in 14 instances when implementing its cyber security test procedures, it had tested for adverse effects prior to enacting changes to its Cyber Assets within the ESP but had not properly documented the test results.
Finding: WECC found that URE3's CIP-007-1 R1 violation constituted a moderate risk to BPS reliability since not properly following the cyber security test procedures may have allowed untested and potentially malicious changes to be released in the production systems. But, the relevant Cyber Assets are located within a PSP and ESP and had protective control measures in place. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. UREs' compliance program was also evaluated as a mitigating factor, as well as the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE3 self-certified that, for 196 security patches for six devices within two ESPs, it had not assessed the security patches within 30 days of the patches being available, as required.
Finding: WECC found that URE3's CIP-007-1 R1 violation constituted a moderate risk to BPS reliability since the failure to timely assess the security patches could have increased the risk of vulnerabilities in URE3's system going unaddressed. But, the relevant six devices had other protective measures in place, such as file integrity checking tools, intrusion prevention systems, and dual-factor authentication. In addition, all persons who had access to those devices had received systems training and had PRAs on file. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. UREs' compliance program was also evaluated as a mitigating factor, as well as the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)
Reliability Standard: CIP-007-1
Requirement: 5.3.2
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: WECC
Issue: WECC determined that two of URE3's employees' passwords were not sufficiently complex as the relevant passwords did not contain the required combination of alpha, numeric, and special characters.
Finding: WECC found that URE3's CIP-007-1 R5.3.2 violation constituted a minimal risk to BPS reliability since the devices that were the subject of the password protection were contained in a PSP and ESP and had other protective measures in place. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. UREs' compliance program was also evaluated as a mitigating factor, as well as the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.
Penalty: $151,500 (aggregate for 9 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (MRO_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-007-1
Requirement: 2/2.1/2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO
Issue: MRO_URE1 self-reported a violation of R2 after discovering that it had not implemented its documented process to ensure that it had only enabled those ports and services required for normal and emergency operations and after discovering that it had enabled more ports and services than those required. The company also failed to disable other ports and services before the production use of all CAs inside the ESP.
Finding: MRO determined that the R2 violation posed a minimal risk to the reliability of the BPS because the ports and services that were unnecessarily open were only open from trusted corporate networks. Furthermore, two layers of security (a firewall and demilitarized zone) protected the ports and services from exploitation. Finally, no cyber security incidents were identified during the violation period. MRO entered a notice of confirmed violation and MRO_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R2. MRO considered MRO_URE1's ICP a mitigating factor in making its penalty determination, and considered the fact that the company's mitigation plan was completed past the approved completion date a neutral factor. The violation began when the Standard became mandatory and enforceable to MRO_URE1 and ended when the company completed its mitigation plan. MRO_URE1 admits the R2 violation.
Penalty: $10,000 (aggregate for 5 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (MRO_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO
Issue: MRO_URE1 self-reported a violation of R3 when it discovered that it had failed to fully document security patch assessments, compensating measures, and the implementation of security patches for its transmission management system. The company also did not have a tracking mechanism to monitor or record the 30-day period permitted for analysis of the required software updates to the company's specific access control and monitoring device or physical security access control and monitoring devices. Nor did the company have a tracking mechanism in place to monitor or record the 30-day period allowed for analysis of the required firmware updates for devices within the SCADA engineering group.
Finding: MRO determined that the R3 violation posed a minimal risk to the reliability of the BPS because the company's vendor had performed the required assessments of security patches and upgrades, even though they were not documented. The company also partially documented its review of the vendor's assessments. Lastly, the violation pertained to documentary failures, rather than implementation failures. MRO entered a notice of confirmed violation and MRO_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R3. MRO considered MRO_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to MRO_URE1 and ended when the company completed its mitigation plan. MRO_URE1 admits the R3 violation.
Penalty: $10,000 (aggregate for 5 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (SPP RE_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Moderate
Region: SPP RE
Issue: SPP RE_URE1 self-reported a violation of R3 when it failed to provide all documentation required by R3 regarding security patches.
Finding: SPP RE determined that the R3 violation posed a minimal risk to the reliability of the BPS because the patch management services for the company's SCADA system were being provided by its vendor, thereby ensuring that those applications were being patched even if no documentation was available. Additionally, the company's CCAs and other CAs within the ESP were protected by a firewall that denies access by default and is monitored continuously. Lastly, the company employed a security information and event management tool to monitor and alert administrators of irregular or suspicious activity within the ESP. SPP RE and SPP RE_URE1 entered into a settlement agreement whereby SPP RE_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R3. SPP RE considered SPP RE_URE1's ICP, its compliance history, and the fact that the company's mitigation plan was completed past the approved completion date to be neutral factors in making its penalty determination. The violation began when the Standard became mandatory and enforceable to SPP RE_URE1 and ended upon completion of the mitigation plan. SPP RE_URE1 neither admits nor denies the R3 violation.
Penalty: $8,000 (aggregate for 3 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entity 1 (WECC_URE1), Docket No. NP13-27, February 28, 2013
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: WECC_URE1 self-reported a violation of R3 when the company failed to assess security patches for third-party software on 27 CCAs and CAs within ESPs that were associated with the company's primary and backup control centers. Furthermore, as part of mitigating the risk arising from patches not having been installed for 15 network devices identified as CCAs within the ESP, the company failed to assess software patches and to document compensating measures applied.
Finding: WECC determined that the R3 violation posed a minimal risk to the reliability of the BPS because all other software patches were assessed and implemented for the 27 CCAs at issue, and the CCAs were located within an ESP and PSP to which access was controlled, logged and monitored. Furthermore, personnel authorized to access the PSP and ESP had completed PRAs and training. These CCAs furthermore had no internet connectivity. In addition, for the 15 devices for which the company did not document compensating measures after having failed to install patches and updates, the company did ultimately assess and implement patches, and the company documented these actions. These 15 devices were within the PSP to which only authorized personnel had physical and electronic access and for which all access was controlled, logged and monitored. Anti-virus software was also installed on these devices. WECC and WECC_URE1 entered into a settlement agreement whereby WECC_URE1 agreed to undertake other mitigation measures to come into compliance with R3. WECC considered the company's ICP a mitigating factor in making its penalty determination, and considered the company's compliance history an aggravating factor. The violation began when the company failed to assess and implement security patches or compensating measures for 15 network devices and ended when the company completed its mitigation plan. WECC_URE1 agrees/stipulates to the R3 violation.
Penalty: $35,000 (aggregate for 2 violations)
FERC Order: Issued March 29, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: While conducting a compliance audit, RFC found URE 1, URE 2, and URE 3 to be out of compliance with CIP-007-1 R3, by their failure to include the tracking of applicable cyber security software patches for all Cyber Assets within the ESP in their security patch management programs.
Finding: These violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. The UREs have Technical Feasibility Exceptions for the majority of their CCAs regarding security patching and also have a defense-in-depth strategy that utilizes firewalls, isolation by virtual network configuration, corporate user identification and password requirements, and physical security controls to secure CCA access. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.
Total Penalty: $120,000 (aggregate for 24 violations)
FERC Order: Issued April 26, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 5.2, 5.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: While conducting a compliance audit, RFC found the following instances of non-compliance by URE 1, URE 2, and URE 3 regarding CIP-007-1 R5: (a) deficiencies in the UREs’ account and password management policies, including failure to require the renaming or removal of generic accounts and changing passwords for accounts that must remain enabled (R5.2.1); (b) failure to manage the acceptable use of shared accounts, specifically not requiring passwords to be changed following personnel changes (R5.2.3); (c) use of a password management policy in which the definition of “strong” passwords and the characters mandated in passwords did not comply with the reliability standards (R5.3.1, 5.3.2, 5.3.3).
Finding: The violations of CIP-007-1 R5.2.1, R5.2.3 and R5.3 were deemed to pose a moderate risk to the reliability of the BPS, but not a serious or substantial risk. Although the UREs failed to document effectively the shared account password changes, they did change passwords after personnel turnover. Violations of R5.3.2 were deemed to pose a minimal risk. The UREs’ password policy requires the use of a combination of upper-case alphabetic letters, lower-case alphabetic letters, special characters, and numeric characters. The passwords created using the UREs’ policy were strong, though the policy does not meet the specific requirements of CIP-007-1 R5.3.2. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.
Total Penalty: $120,000 (aggregate for 24 violations)
FERC Order: Issued April 26, 2013 (no further review)
Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: RFC
Issue: While conducting a compliance audit, RFC found the following instances of non-compliance by URE 1, URE 2, and URE 3 regarding documentation review and maintenance (CIP-007-1 R9) as the UREs failed to document certain modifications to their systems or controls within 30 calendar days of the changes. Specifically: (a) failure to reflect the decommissioning of a certain device in a revised integrated security solution policy; (b) failure to create a list of non-critical Cyber Assets; and (c) failure to update test plans in the change management test track process related to Cyber Assets.
Finding: These violations were deemed to pose a moderate risk to the reliability of the BPS, but not a serious or substantial risk. Though the cyber security documentation was not up to date, the violations resulted from modifications to their system that the UREs deemed necessary. Moreover, no cyber security incidents occurred during the violations. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.
Total Penalty: $120,000 (aggregate for 24 violations)
FERC Order: Issued April 26, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-32 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1.1, 1.2, 1.3
Violation Risk Factor: Medium (1.1), Lower (1.2, 1.3)
Violation Severity Level: Severe (1.1, 1.2, 1.3)
Region: NERC as CEA
Issue: As part of an investigation, NERC determined that URE’s IT system administrator unintentionally created an operational data network (ODN) network storm while installing updated host intrusion protection (HIP) software on its energy management system (EMS) workstations in an operations center building. The EMS hosts were not able to effectively communicate with system dispatcher workstations and other relevant internal and external parties during the network storm. As discovered during the root cause analysis, URE did not develop and follow a specific test procedure for installing and enabling the updates and HIP software related to this incident, which caused the outage of URE’s EMS (1.1). URE also did not properly conduct the testing as the testing configuration did not match the production configuration (1.2). In addition, URE did not possess sufficient documentation on the test results of the EMS test computer before the updates and HIP software were installed (1.3).
Finding: NERC found that the violations constituted a moderate risk to BPS reliability since installing the upgrade resulted in the outage of URE’s EMS and could have introduced exploitable vulnerabilities into its CCAs or other Critical Assets without URE’s knowledge. URE’s operations documents also assumed fully functional and redundant primary and back-up operation center sites, but this was not the case on the day of the incident. However, URE’s dispatchers did have some intermittent data available, which they used to monitor and control the BPS. URE also transmitted this data to WECC and another entity for reliability purposes. URE admitted the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that URE was cooperative during the enforcement process and did not conceal the violations. URE’s compliance program was also evaluated as a mitigating factor.
Total Penalty: $40,000
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not properly established and documented a process to ensure that it only enabled those ports and services required for normal and emergency operations. Although it employed a network scan to view what ports and services were running on all its Cyber Assets within the ESPs, URE did not adequately document the results of the scan.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since having ports enabled beyond those required for normal and emergency operations increases the risk of unauthorized access. However, URE was monitoring its ports and internal traffic through an intrusion detection system (which included automatic alerts) and daily manual reviews during the work-week. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $53,000 (aggregate for 13 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not disable the ports and services for certain of its switches, programmable logic controllers and media converters that are not required for normal and emergency operations before production use of all its Cyber Assets inside the ESP. This violation affected more than 15% of URE’s Cyber Assets within the ESP.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2.2
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: NPCC
Issue: URE self-reported that it did not perform a complete assessment and keep the required documentation of the review of one of its firewalls and one of its switches to ensure that only those ports and services required for normal and emergency operations were enabled.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability since the relevant firewall and switch were protected by an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $50,000 (aggregate for 5 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not complete assessments or keep the required documentation of its review of the ports and services for two switches, one programmable logic controller, seven personal computers, and one media converter (representing 15% of URE’s Cyber Assets).
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were protected by an ESP and PSP. In addition, the devices were further protected by network isolation, which prevented exposure to untrusted networks (such as the internet). No intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $25,000 (aggregate for 6 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it had not disabled those ports and services not required for normal and emergency operations on certain of its switches (12), programmable logic controllers (20), personal computers (2), remote terminal units (2), demand meters (10), card-reader interfaces (9), network attached storage drive (1) and media converters (2) prior to the production use of all of its Cyber Assets inside the ESP.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). In addition, no intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $30,000 (aggregate for 8 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not properly implemented a security patch management program on all of its devices contained in the ESPs. Although URE had installed security patches on 55% of the relevant devices, it was not done pursuant to its documented security patch management program as required.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since, by not assessing all of the required security patches, URE may have left vulnerabilities unaddressed for extended periods of time. However, all of the relevant devices were contained within ESPs and PSPs and were monitored by a security information and event management protection program. In addition, program logs are regularly reviewed and vulnerability scans are conducted on URE’s test system. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $53,000 (aggregate for 13 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not properly implemented a security patch management program on all of its devices contained in the ESPs. Although URE had installed security patches on 55% of the relevant devices, it was not done pursuant to its documented security patch management program as required.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since, by not assessing all of the required security patches, URE may have left vulnerabilities unaddressed for extended periods of time. However, all of the relevant devices were contained within ESPs and PSPs and were monitored by a security information and event management protection program. In addition, program logs are regularly reviewed and vulnerability scans are conducted on URE’s test system. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $58,000 (aggregate for 14 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not properly implemented a security patch management program on all of its devices contained in the ESPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since, by not assessing all of the required security patches, URE may have left vulnerabilities unaddressed for extended periods of time. However, all of the relevant devices were contained within ESPs and PSPs and were monitored by a security information and event management protection program. In addition, program logs are regularly reviewed and vulnerability scans are conducted on URE’s test system. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $60,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3.1/3.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not properly document the timely assessment of applicable security patches and security upgrades for personal computers, network switches, programmable logic controllers and media converters. URE also did not properly document the implementation of security patches for the operating system of the network switches.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). In addition, no intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3.1/3.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not timely complete the assessment of security patches and security upgrades for a programmable logic controller, two switches and seven personal computers. URE also did not have sufficient documentation regarding its assessment of security patches on the operating systems of the network systems.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were protected by an ESP and PSP. In addition, the devices were further protected by network isolation, which prevented exposure to untrusted networks (such as the internet). No intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $25,000 (aggregate for 6 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3.1/3.2
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: NPCC
Issue: URE self-reported that it did not timely assess security patches and security upgrades for certain of its programmable logic controllers (8), switches (12), demand meters (10), card-reader interfaces (9), network hard drive (1), and remote terminal units (2). URE also did not possess adequate documentation showing that it implemented security patches on the operating systems of the network switches.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). In addition, no intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $30,000 (aggregate for 8 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 4.1/4.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it had not tested and applied anti-virus and anti-malware software to one of its personal computers that performs monitoring, alerting, and logging functions.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The personal computer was protected by an ESP and PSP. The personal computer was also previously configured with third-party software. In addition, the personal computer was further protected by network isolation, which prevented exposure to untrusted networks (such as the internet). No intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $25,000 (aggregate for 6 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 4.1/4.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it had not, as required, tested anti-virus and anti-malware software and applied it to one of its personal computers that performed monitoring, alerting and logging functions.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The device was located in an ESP and PSP (with access restricted to authorized personnel) and configured with Trend Micro OfficeScan. The device was also protected by network isolation, which prevented the device from being exposed to untrusted networks (such as the internet). In addition, no intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $30,000 (aggregate for 8 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not have technical controls in place to meet password security standards.
Finding: WECC found that the violation constituted a minimal risk to BPS reliability since URE had adequate password security controls in place, such as requiring passwords to be reset every 60 days. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $53,000 (aggregate for 13 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not have technical controls in place to meet password security standards.
Finding: WECC found that the violation constituted a minimal risk to BPS reliability since URE had adequate password security controls in place, such as requiring passwords to be reset every 60 days. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $58,000 (aggregate for 14 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5/5.1.3/5.2.1/5.2.3/5.3.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not reviewed shared accounts annually (5.1.3); had not followed the requirements of 5.2.1 to remove, disable or rename accounts where possible; had not changed or removed accounts upon an employee’s departure (5.2.3); and had not changed passwords yearly.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since the failure to follow and implement technical and procedural controls for shared accounts could lead to unauthorized access possibly leading to malicious activity. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $60,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5.1/5.1.1/5.1.3/5.2/5.2.1/5.3/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not possess the required documentation showing that it had properly managed its monitoring, alerting and logging device. In addition, URE did not change the factory default passwords or change the passwords according to the required intervals for its monitoring, alerting and logging device, one PLC and one media converter.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were protected by an ESP and PSP. In addition, URE had a Site Keeper, which verified the credentials of personnel before those personnel were granted electronic local or remote interactive access or unescorted physical access to the CCAs. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $25,000 (aggregate for 6 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5.1/5.1.1/5.1.3/5.2/5.2.1/5.3/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that it did not change the factory default passwords for one personal computer, 2 remote terminal units, 9 DSX land cards, 11 ION demand meters and 20 programmable logic controllers. In addition, URE did not have sufficient documentation for those devices (except the 9 DSX land cards) showing that it had updated the passwords according to the required intervals.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The devices were all located in an ESP and PSP (with access restricted to authorized personnel). In addition, URE had a site keeper who verified credentials of personnel before granting either electronic local or remote interactive access to the CCAs or unescorted physical access to the CCAs. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $30,000 (aggregate for 8 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5.3/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO
Issue: While completing a mitigation plan for a previous violation of CIP-007-1, it was determined that the technical controls that force passwords to expire automatically had inadvertently not been enabled for one of URE’s devices.
Finding: MRO found that the violation constituted only a minimal risk to BPS reliability. Only two individuals had access to the relevant policy platform appliance and both of them had personnel risk assessments on file and had received the required cyber security training. URE had also implemented annual reminders regarding the required password change. URE admitted the violation. URE undertook certain corrective measures above and beyond what was required, which was evaluated as a mitigating factor.
Total Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5.3/5.3.2/5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO
Issue: During a spot check, MRO determined that one of URE’s devices did not have the required password complexity settings (to require a combination of alpha, numeric and special characters). In addition, another one of URE’s devices had system limitations that restricted the systematic enforcement of password requirements, but URE had not submitted a Technical Feasibility Exception. URE also did not change its passwords annually on multiple separate accounts as required, including on administrative accounts for devices used to monitor and control the BPS.
Finding: MRO found that the violation constituted a moderate risk to BPS reliability since the violation affected numerous accounts. The lack of adequately secure passwords increased the risk of unauthorized access to protected devices. However, all of the affected devices are contained within an ESP, and URE did not have any cyber security incidents during the course of the violation. In addition, all of the personnel who had access to the affected devices had personnel risk assessments on file and had received the required cyber security training. URE admitted the violation. URE undertook certain corrective measures above and beyond what was required, which was evaluated as a mitigating factor.
Total Penalty: $10,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 6.5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that its site personnel had not been managing URE’s monitoring, alerting and logging device from the installation of the device. URE also was not reviewing the logs that the device generated on a regular basis.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. This violation was primarily a documentation issue, as the monitoring, alerting and logging device did not control any other devices. The device was also located inside an ESP and protected by network isolation, which prevented exposure to untrusted networks. In addition, the device was previously configured with third-party software, which provided additional cyber security protection. A review of the logs did not reveal any abnormal activity. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $25,000 (aggregate for 6 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 6.5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: NPCC
Issue: URE self-reported that logs that were generated from one of the personal computers were not reviewed on a regular basis as required.
Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability since this was primarily a documentation issue. The relevant personal computer was protected by an ESP and did not control any other devices. The device was previously configured with Symantec Endpoint Protection and further protected by a firewall and network isolation, which prevented exposure to untrusted networks. In addition, the logs did not reveal any unusual activity during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.
Total Penalty: $30,000 (aggregate for 8 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 7
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had no procedures in place regarding the disposal or redeployment of certain CAs within its ESPs. Furthermore, URE could not show when CAs had been retired. URE did not have an adequate security patch management program to document destruction, disposal or redeployment of CAs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since CAs not properly disposed of could allow access to sensitive data related to cybersecurity and, in turn, unauthorized and malicious activities affecting BPS operations. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $60,000 (aggregate for 3 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not undertaken Cyber Vulnerability Assessments on all CAs in its ESPs and as required by the Standard.
Finding: WECC found that the violation constituted a minimal risk to BPS reliability since the relevant devices are monitored with intrusion detection equipment and are set to automatically alert operations upon unauthorized access attempts. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $53,000 (aggregate for 13 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it had not undertaken Cyber Vulnerability Assessments on all CAs in its ESPs and as required by the Standard.
Finding: WECC found that the violation constituted a minimal risk to BPS reliability since the relevant devices are monitored with intrusion detection equipment and are set to automatically alert operations upon unauthorized access attempts. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.
Total Penalty: $58,000 (aggregate for 14 violations)
FERC Order: Issued May 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1, 2, 3, 5, 7, 8, 9
Violation Risk Factor: Medium (1, 2), Lower (3, 5, 7, 8, 9)
Violation Severity Level: Moderate (1, 2), High (9), Severe (3, 5, 7, 8)
Region: TRE
Issue: During a compliance audit, TRE determined that while URE's parent company has a change control management policy that directs how changes to the IT infrastructure are managed, URE did not have sufficient documentation, prior to its contract with a vendor, showing that URE was testing and upgrading its software or implementing security patches and updates as required (1). Prior to hiring the vendor, URE did not properly update and document its cyber-security software patches for all its CCAs within the ESP (3). One of URE's firewalls allows Telnet access to a device because a switch was unable to generate an authentication key to enable access. While URE had taken actions to limit risk (such as only allowing business network IP addresses to connect to the device from outside the plant network), TRE found that URE's actions were insufficient to mitigate the risk (2). In addition, URE's process for enforcing access authentication of, and accountability for, all user activity did not address access and control for shared accounts used by URE plant employees. URE also did not have sufficient details on all user accounts that have electronic access to Critical Assets and CCAs and did not have sufficient accountability for shared accounts used by URE's technicians to log in (with the same passwords) to the plant network systems. Furthermore, URE's logs did not provide sufficient information on the acceptable use of administrator, shared and other generic account privileges, including factory default accounts (5). For two modems listed on URE's Cyber Assets list but not located in its facilities, TRE determined that URE did not have the required records regarding the disposal or redeployment of the modems (7). In addition, URE performed an incomplete cyber vulnerability assessment, as it did not evaluate the plant network. And while the cyber vulnerability assessment evaluated the business network, a vulnerability regarding a firewall was not remedied through a supporting action as required (8). Lastly, URE was not performing the mandated annual reviews on its CIP-007 documents (9).
Finding: TRE found that the CIP-007-1 R1, 2, 3, 5, 7, 8 and 9 violations constituted a moderate risk to BPS reliability. But, URE had implemented its change control management policy, which evaluates whether significant changes to Cyber Assets within the ESP could adversely affect existing cyber security controls and the violation was limited to specific software updates (1). Pursuant to URE's documented ports and services procedures, vulnerabilities were discovered (and recommendations to address vulnerabilities were made) (2). In addition, security patches from the Windows server update for the operating system and applications were applied automatically. Vendors and websites provide alerts for non-Microsoft updates. Quarterly evaluations are also performed by technicians on plant network computers (3). URE did have a policy in place regarding technical and procedural controls for enforcing access authentication of, and accountability for, all user activity (5). URE also had developed an asset disposal or deployment policy that was successfully applied to other devices (7). URE also performed a partial cyber vulnerability assessment, which discovered vulnerabilities that need to be addressed (8). Lastly, URE had engaged in periodic reviews of its CIP-007 documents and a majority of those documents have been in effect since the Reliability Standard became enforceable (9). URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $137,000 (aggregate for 24 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, Docket No. NP13-36 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1, 2, 3, 8, 9
Violation Risk Factor: Medium (R1, R2, R8, R9); Lower (R3, R8, R9)
Violation Severity Level: Moderate (R1, R2); High (R9); Severe (R3, R8)
Region: Texas RE
Issue: During a compliance audit, Texas RE found that URE could not show that its change control management policy met the requirements of CIP-007 during the entire period the Reliability Standard was mandatory and enforceable. URE could not show that it had been testing or upgrading software or implementing security patches and updates on a timely basis (R1). Regarding R2, URE allowed an outside service to access one device on one of its firewalls, but could not show that it had plans in place to mitigate any risk involved with allowing this outside access to the device (R2.3). Regarding R3, it was determined that URE had not updated or documented cybersecurity software patches for all ESP CCAs. Texas RE further found URE to be non-compliant with R8 because the cyber vulnerability assessment (CVA) in place at URE did not address the plant network, and URE therefore did not have an action plan in place to remediate or mitigate vulnerabilities. And, while the CVA for the business network did identify a vulnerability, URE had no follow-up action plan to show that it addressed, documented or acknowledged the issue (R8.4). Regarding R9, URE was not reviewing all required CIP-007 documentation on a yearly basis.
Finding: The violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Risk was mitigated because although the plan had not been approved or reviewed as required, it was in use during the relevant time period. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.
Total Penalty: $137,000 (aggregate for 24 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: WECC determined that while URE performed functionality testing to verify that significant changes to existing Cyber Assets or CCAs within ESPs do not negatively impact system operations, URE did not assess the impact of significant changes on ESP security, as required. URE also did not document its testing to reflect the production environment and did not provide evidence of the test results.
Finding: WECC found that the CIP-007-1 R1 violation constituted a moderate risk to BPS reliability. But, while URE did not assess significant changes to the security of the ESP at its generating station, the violation was only limited to one ESP. URE had created clusters of Cyber Assets within mini ESPs protected by additional firewalls and passwords within the larger ESP. Thus, entry into the ESP through the energy management system would not expose all Cyber Assets to attack or misuse. In addition, the ESP is protected by URE’s corporate local area network (LAN), which is an isolated network only accessible through specific credentials and passwords. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it did not properly establish, both at its control center and at its generating station, procedures to verify that it only enabled those ports and services required for normal and emergency operations.
Finding: WECC found that the CIP-007-1 R2 violation constituted a moderate risk to BPS reliability. But, URE secured its Cyber Assets within perimeters where access was controlled and monitored and had in place other measures to limit the physical access to its Cyber Assets and ports and services. URE also trained its employees who had physical and logical access rights on the use of ports and services. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it had not adequately established a security patch management program for Cyber Assets at its generating station as it did not discuss vendor testing. URE did not properly document its assessment of security patches for the EMS Cyber Assets and, for a subset of the Cyber Assets in its EMS system, did not timely assess available security patches.
Finding: WECC found that the CIP-007-1 R3 violation constituted a moderate risk to BPS reliability. But, URE’s EMS vendor was actually conducting the security patch management for the Cyber Assets at URE’s generating station. In addition, many of the EMS devices were relatively new and thus only a few patches were even available. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it had not adequately established, implemented, and documented the technical and procedural controls necessary to enforce access authentication of, and accountability for, all user activity. URE also did not change the passwords, as required, for factory default accounts before putting systems into service. In addition, passwords for its Cyber Assets associated with the plant control system and at its generating station were not sufficiently complex and did not change annually.
Finding: WECC found that the CIP-007-1 R5 violation only constituted a minimal risk to BPS reliability. URE was monitoring and logging all shared and individual user account activity, and all individuals who had access had received cyber security training and had a PRA on file. In addition, all the Cyber Assets and CCAs were contained within PSPs and ESPs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that 60 of its network devices and 33 servers associated with its control center did not have organizational process controls to monitor system events related to cyber security. URE also did not have the required automated tools or organizational process controls to monitor system events at its generating station.
Finding: WECC found that the CIP-007-1 R6 violation constituted a moderate risk to BPS reliability. But, URE did have appropriate measures in place to detect cyber security events for the majority of CCAs and Cyber Assets within its control center ESP. In addition, URE had tripwires on systems within the ESP, and access to the Cyber Assets within both the control center and generating station ESPs was controlled and monitored. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: In advance of a compliance audit, URE self-reported that it did not timely perform a cyber vulnerability assessment on 118 Cyber Assets and CCAs comprising its EMS. URE had deployed a new EMS, and waited to conduct its cyber vulnerability assessment until after its vendor completed the stability testing.
Finding: WECC found that the CIP-007-1 R8 violation only constituted a minimal risk to BPS reliability. URE had timely conducted a cyber vulnerability assessment of its Cyber Assets and CCAs outside of the EMS, and completed its cyber vulnerability assessment for its EMS Cyber Assets and CCAs in the spring of the next year. URE also timely completed a full cyber vulnerability assessment of its Cyber Assets and CCAs in the following two years. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 9
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: WECC determined that URE did not conduct the required annual review of the CIP-007 documentation at its generating station or for its power operations EMS and did not timely update the CIP-007 documentation to include modifications to systems or controls.
Finding: WECC found that the CIP-007-1 R9 violation only constituted a minimal risk to BPS reliability. URE did possess documentation regarding the changes it made to its systems and controls (even though it was not included in URE’s CIP-007 documentation). URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.
Total Penalty: $291,000 (aggregate for 17 violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a compliance audit, URE1 was found to be in violation of CIP-007-1 R5 because it was unable to provide evidence showing that it renamed administrator and factory default accounts. Also, URE1 could not show that it identified individuals with access to shared accounts.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk, which was mitigated because URE1 does have an account management policy, although it was not being consistently used. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.
Total Penalty: $62,500 (aggregate for seven violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a compliance audit, URE1 was found to be in violation of CIP-007-1 R8 because it failed to undertake cyber vulnerability assessments (CVAs) on all ESP Cyber Assets on a yearly basis and in accordance with the Standard. Also, the CVA used in other years did not include all CCAs located in the ESP. URE1 could not show that only those ports and services required for operation of the Cyber Assets within the ESP were reviewed and enabled. Lastly, URE1 had no written action plans to remediate or mitigate vulnerabilities identified by the CVA.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk, which was mitigated because URE1 does have an account management policy, although it was not being consistently used. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.
Total Penalty: $62,500 (aggregate for seven violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 3 (URE3), Docket No. NP13-39-000 (May 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE3 submitted a self-report describing a violation of CIP-007-1 R5 because it found that a technician supervisor was allowing his username and password used for access to the Energy Management System to be shared in violation of the Standard.
Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk because the issue involved two employees both having completed cyber security training and PRAs on file. The individuals could have accessed the EMS on their own credentials, but for convenience were using the supervisor’s password and username. In addition, the CCA is monitored by video and badges are required for access which allowed the individuals using the CCA to be identified. SERC’s investigation revealed no other similar instances of the violation. In determining the appropriate penalty, SERC considered URE3’s ICP as a mitigating factor.
Total Penalty: $5,000 (aggregate for two violations)
FERC Order: Issued June 28, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: WECC_URE1 submitted a self-certified violation asserting that it had violated CIP-007-1 R2. WECC_URE1 had established a process of recognizing, authorizing, and recording ports and services on an application basis but not on a Cyber Asset basis. Though WECC_URE1 failed to document ports and services on an asset-by-asset basis for all Cyber Assets within Electronic Security Perimeters (ESPs), it did document ports and services on an application basis. Because WECC_URE1 did not have a mapping document that would map an application to the Cyber Asset on which the application was installed, WECC_URE1 could not confirm that all enabled ports and services on all Cyber Assets within its ESPs were required for normal and emergency operation. Additionally, based on evidence provided by WECC_URE1 at a WECC Compliance Audit, WECC concluded that some ports and services recognized on in-scope Cyber Assets were not approved with a business justification by WECC_URE1. Therefore, WECC_URE1 did not ensure that the only ports and services enabled were those required for normal and emergency operations, as mandated by CIP-007-1 R2.
Finding: This violation was deemed to pose a minimal risk but not a serious or substantial risk to the integrity of the bulk power system. WECC_URE1 claims that it implemented controls to log and monitor electronic and physical access to Critical Cyber Assets within four ESPs. Additionally, WECC_URE1 performs periodic scheduled scanning for ports and services and vulnerabilities on the Cyber Assets within the ESP. In addition, WECC_URE1 runs continuous automated monitoring software installed on all devices, which tracks any configuration change and alerts the security department in the event that a device is compromised. In determining the appropriate penalty, WECC_URE1’s internal compliance program was viewed as a mitigating factor.
Total Penalty: $60,000 (aggregate for 6 violations)
FERC Order: Issued August 26, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 3, 3.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: WECC_URE1 self-certified a violation to WECC asserting it was in violation of CIP-007-1 R3. WECC_URE1 did not record its patching determinations for security patches pertinent to Cyber Assets located in Electronic Security Perimeters (ESPs) and Physical Security Perimeters (PSPs). The majority of the patches were security updates.
Finding: This violation was deemed to pose a moderate risk but not a serious or substantial risk to the integrity of the bulk power system. Though WECC_URE1 did not document its security patch determinations in their entirety, WECC_URE1 has confirmed that all applicable security patches have been installed. Additionally, WECC_URE1 employed controls to log and monitor electronic and physical access to Critical Cyber Assets within ESPs. WECC_URE1 also runs continuous monitoring software installed on all devices so that any change in configuration is tracked and the security department is alerted if a device is compromised. Security alerts are reviewed daily. In determining the appropriate penalty, WECC_URE1’s internal compliance program was viewed as a mitigating factor.
Total Penalty: $60,000 (aggregate for 6 violations)
FERC Order: Issued August 26, 2013 (no further review)
Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a Compliance Audit of WECC_URE1, WECC determined that WECC_URE1 had a violation of CIP-007-1 R4. During the Compliance Audit, the audit team visually validated and confirmed the anti-virus and malware software programs installed on all Cyber Assets. According to the results, WECC_URE1 did not use anti-virus software and other malicious software prevention tools to identify, prevent, and repair the introduction, exposure, and transmission of malware on 4.42% of the Cyber Assets within the Electronic Security Perimeters (ESPs). On four of the mentioned assets, it was not feasible to use malicious software prevention tools or anti-virus. However, WECC_URE1 did not file Technical Feasibility Exceptions (TFEs) for those devices in a timely manner.
Finding: This violation was deemed to pose a minimal risk but not a serious or substantial risk to the integrity of the bulk power system. The Cyber Assets did not have anti-virus software installed, but they are located in controlled areas behind restricted firewalls and access to them is limited. The Cyber Assets are situated within an ESP, and logical ports and services access to the network is limited to normal and emergency operations. Furthermore, all ESPs are monitored continuously, every day of the week. In determining the appropriate penalty, WECC_URE1’s internal compliance program was viewed as a mitigating factor.
Total Penalty: $60,000 (aggregate for 6 violations)
FERC Order: Issued August 26, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it was non-compliant with CIP-007-1 R2 when it discovered it had not ensured that only those ports and services needed for normal and emergency operations were enabled on 48 CCAs and 61 non-critical CAs within an ESP associated with URE’s control center and backup control center. URE depended on vendor documentation rather than its own investigation as to which ports and services should be enabled or disabled.
Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability. All of the subject devices are associated with control centers, and by leaving unneeded ports and services enabled, URE heightened the possibility of cyber attack or misuse across several ESPs. WECC found the risk to be mitigated by the fact that the CCAs and CAs within ESPs are physically secured by a PSP. Any employees having physical and electronic access to the devices have up-to-date PRAs and attended cybersecurity training. In addition, electronic access was controlled, logged and monitored. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.
Total Penalty: $198,000 (aggregate for ten violations)
FERC Order: Issued August 30, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it was non-compliant with CIP-007-1 R3 when it discovered that it had not assessed security patches for 76 devices in its operating system environment, visualization software and ancillary systems within the required timeframe after the patches were available. WECC Enforcement ultimately discovered that 132 devices were involved in the violation.
Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability. All of the subject devices are associated with control centers. WECC found the risk to be mitigated by the fact that all employees having physical and electronic access to the devices have up-to-date PRAs and attended cybersecurity training. In addition, electronic access was controlled, logged and monitored. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.
Total Penalty: $198,000 (aggregate for ten violations)
FERC Order: Issued August 30, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it was non-compliant with CIP-007-1 R4 when it discovered that it had not used antivirus software or malware prevention tools on a number of Cyber Assets within the ESP. WECC Enforcement ultimately discovered that 192 devices were involved in the violation. URE also did not file Technical Feasibility Exceptions for the 192 devices in a timely manner.
Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability. Compensating measures by URE that WECC considered were that all of the subject devices are located in a PSP and all employees having physical and electronic access to the devices have up-to-date PRAs and attended cybersecurity training. In addition, electronic access was controlled, logged and monitored. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.
Total Penalty: $198,000 (aggregate for ten violations)
FERC Order: Issued August 30, 2013 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it was non-compliant with CIP-007-1 R6 when it discovered that it had not implemented automated tools or organizational processes to control and monitor cybersecurity events on a total of 339 devices within one ESP. WECC Enforcement ultimately discovered that the subject devices were either not configured, wrongly configured, or unable to log and monitor.
Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability, which was mitigated because all the devices were secured in a PSP with restricted and logged physical access. All employees having physical and electronic access to the devices have up-to-date PRAs and attended cybersecurity training. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.
Total Penalty: $198,000 (aggregate for ten violations)
FERC Order: Issued August 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported that it had not properly documented the formal test procedures or archived the test results of significant changes to its non-Windows Cyber Assets (i.e., switches, servers and encryptors that perform the functions of the EMS and distributed control system environments). URE did not create and implement the required procedures to ensure that changes to its existing Cyber Assets within the ESP did not adversely affect existing cyber security controls.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk that untested and potentially malicious changes would be released into the production systems and that URE would fail to detect and prevent potentially harmful modifications to the existing security controls for the CCAs. But all of URE’s relevant devices were contained in PSPs and ESPs, were subject to monitoring and logging, and were protected by antivirus and malware prevention tools. URE also monitors all administrator accounts and passwords and performs an annual review of the accounts and ports/services on all devices. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $150,000 (aggregate for 16 violations)
FERC Order: Issued October 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported that it did not establish a patch management program or document compensating measures for all of its non-Windows devices within the ESPs. While a vendor performed the annual patching of the distributed control system, URE had no documentation showing that the vendor reviewed security patches or upgrades within 30 days of their availability.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk of vulnerabilities being left unaddressed for an extended period of time and of a successful cyber attack against the CCAs being carried out. But all of URE’s relevant devices were contained in PSPs and ESPs, were subject to monitoring and logging, and were protected by antivirus and malware prevention tools. URE also monitors all administrator accounts and passwords and performs an annual review of the accounts and ports/services on all devices. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $150,000 (aggregate for 16 violations)
FERC Order: Issued October 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: Unidentified Registered Entity (URE) self-reported that it did not fully complete the required annual cyber vulnerability assessment of all the assets within its EMS ESPs in 2010 and 2011.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk of cyber vulnerabilities going unchecked and undetected and allowing for malicious access. But all of URE’s Cyber Assets had antivirus and malware prevention tools installed and were contained in a physically secured PSP with restricted access. The Cyber Assets were also subject to continuous monitoring, and the CCAs had a maintenance and recovery team always available. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $150,000 (aggregate for 16 violations)
FERC Order: Issued October 30, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance audit, SERC found that URE failed to verify that only those ports and services required for normal and emergency operations were enabled. Although URE was unable to disable unused ports on three clocks, it did not file a Technical Feasibility Exception describing compensating measures, as required.
Finding: SERC found that the CIP-007-1 R2 violation constituted only a minimal risk to BPS reliability as the Cyber Assets in question only provide time synchronization for other devices in the ESP and cannot be used to communicate with devices in any other way or be used to compromise the network. The Cyber Assets were also subject to real-time monitoring. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $110,000 (aggregate for 15 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not identify, as required, two contractors who had access to a shared account which provided read-only access to an application that resided on four CCAs and 14 EMS network support personnel who had access to a shared account which provided administrative access to two ESP access points. URE also did not annually change the passwords as required on 17 shared accounts and a local administrator password to a door card access controller. In addition, URE did not employ sufficiently complex passwords for a shared account with access to 52 network devices or on certain local accounts (which were not technically capable of enforcing the password requirements).
Finding: SERC found that the CIP-007-1 R5 violation constituted a moderate risk to BPS reliability as it increased the risk of the CCAs becoming compromised. But, no cyber security incidents occurred during the violation period and the CCAs were contained within a PSP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $110,000 (aggregate for 15 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE’s change control procedures did not adequately include cyber security testing and processes for assessing whether changes to existing ESPs or the addition of new Cyber Assets would adversely affect existing security controls.
Finding: WECC determined that the violation posed a moderate risk to BPS reliability. URE’s testing only covered Cyber Asset operability, not cyber security controls. However, prior to deployment within an ESP, URE tests all changes in its Development Environment or quality assurance environments, which includes some testing of cyber security controls. Furthermore, URE’s ESPs are protected by user authentication, system event logging and a host-based intrusion-detection system on system servers. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that, for two consecutive years, URE only documented its ports and services that were enabled and did not include an assessment as to whether the open ports and services were required for normal or emergency operations.
Finding: WECC determined that the violation posed a moderate risk to BPS reliability. However, all devices with open ports and services were protected by ESPs and PSPs, with access to the Cyber Assets monitored by a logging server and intrusion detection system. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE did not have a process for tracking, evaluating and testing applicable non-Microsoft cyber security software patches and did not evaluate the security patches for a particular company within 30 days of availability.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE did have a current security patch management program in place that covered Microsoft operating system patches. In addition, the devices at issue were monitored using a logging server and a host-based intrusion detection system that provided automatic notifications of any malicious cyber security activity. URE also tracks and assesses vulnerabilities identified by the National Vulnerability Database. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE did not have anti-virus software or malware prevention tools installed on certain of its Cyber Assets (or, in the alternative, had not filed the relevant Technical Feasibility Exceptions for those assets), including its virtual memory system servers and networking equipment that supported its SCADA system in two ESPs.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE did have anti-virus and malware prevention tools installed on its operating system-based Cyber Assets. In addition, the devices at issue were kept in a “frozen state” such that changes could not be made, thereby limiting the risk posed by malicious software. The devices were also protected by ESPs and restricted firewalls. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE did not have documented procedures for creating an audit trail of shared account use or for securing a shared account after personnel changes.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE keeps a list of all shared account users that is restricted to individuals with specific authorized access. Although it was not documented, URE did follow shared account procedures for changing passwords in the event of personnel changes and on an annual basis. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R8.4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC found that URE, for two consecutive years, did not adequately document and execute action plans for remediating vulnerabilities identified in its cyber vulnerability assessment (CVA). Specifically, URE’s first year action plan did not include sufficient documentation showing that the action plan had been executed and the second year action plan did not cover identified vulnerabilities related to ports and services.
Finding: WECC determined that the violation posed a moderate risk to BPS reliability as URE’s action plans at issue did not adequately address vulnerabilities or properly follow through on the execution. As part of its CVAs, URE did identify certain vulnerabilities. In addition, URE noted all open ports and services and started the process of remedying open ports and services not required for normal and emergency operations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Total Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: R9
Violation Risk Factor: Lower
Violation Severity Level: High
Region: WECC
Issue: During a compliance audit, WECC determined that URE did not review and approve on an annual basis, as required, the Reliability Standard CIP-007 documentation.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE had engaged in the required review of its CIP-007 documentation for the year prior and the year after the year at issue. In addition, URE did not make any changes to CIP-007 programs and procedures during the relevant year and therefore URE’s documentation remained current. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.
Penalty: $185,000 (aggregate for 11 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its cyber security test procedures did not include, as required, processes to determine whether cyber security controls were impacted by new Cyber Assets or significant changes to existing Cyber Assets within the ESP. URE also did not test server security patches in a version-specific test environment and had a generic account installed within the EMS production environment as a result of a technician using a retired checklist to install patches on the EMS workstations and servers.
Finding: SERC found that the CIP-007-1 R1 violation constituted a moderate risk to BPS reliability since not following the appropriate cyber security test procedures can have a negative impact on the cyber security controls and not testing Cyber Assets in the appropriate production environment could lead to security vulnerabilities being undetected. But, all of URE’s Cyber Assets are protected by ESPs and PSPs, which have numerous protective measures in place. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its process for determining the hardening of baseline ports and services did not properly identify those ports and services required for normal and emergency operations and therefore URE did not adequately assess the ports and services for 20 of its CCAs.
Finding: SERC found that the CIP-007-1 R2 violation constituted a moderate risk to BPS reliability as the ports and services at issue were susceptible to security vulnerabilities. But, the CCAs were protected by secured firewalls, which restricted outside remote electronic access. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that, as a result of email address changes, it did not timely evaluate a collection of patches within 30 days of their release and that security patches associated with third-party applications had not been installed on 196 Cyber Assets (and URE had not enacted any compensating measures).
Finding: SERC found that the CIP-007-1 R3 violation constituted a serious or substantial risk to BPS reliability, as out-of-date security patches increase the risk of unauthorized electronic access to the CCAs and leave cyber vulnerabilities unaddressed for an extended period of time, which increases the risk of a successful cyber attack against URE’s CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not install antivirus software and malware prevention tools on 81 Cyber Assets, and that it did not timely file Technical Feasibility Exceptions (TFEs) for those Cyber Assets even though they were incapable of having the required software and tools.
Finding: SERC found that the CIP-007-1 R4 violation constituted only a minimal risk to BPS reliability as the TFEs were only filed 28 days late and the Cyber Assets at issue had compensating measures in place (including intrusion detection systems and intrusion prevention systems). Furthermore, other devices in the ESP were equipped with antivirus software that was designed to combat malware. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not appropriately document the technical and procedural controls for 85 shared accounts or maintain the required list of designated personnel for approving user accounts. In addition, URE, for two years, did not conduct the annual review of access privileges, as required. URE had not instituted appropriate password controls for 16 CCAs or designated personnel to implement user accounts. URE did not include a vendor on its list of individuals with access to a shared account and did not maintain the appropriate documentation regarding a shared generic use account installed on two network switches. Furthermore, URE did not annually change three account passwords associated with 41 Cyber Assets and did not retain the required documentation concerning default accounts on 54 devices.
Finding: SERC found that the CIP-007-1 R5 violation constituted a serious or substantial risk to BPS reliability, as the lack of technical and procedural controls on the shared, administrator and generic accounts increased the risk that an attacker would be able to access or compromise the CCAs and render URE’s network inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that, since its security information and event manager device was only storing event logs locally and over-writing the logs with new events, 17 CCAs and seven Cyber Assets did not have the necessary equipment in place to monitor system events. In addition, five other CCAs (all servers) were also not adequately monitoring system events.
Finding: SERC found that the CIP-007-1 R6 violation constituted only a minimal risk to BPS reliability. While inadequate monitoring of system events for cyber security incidents could result in an undetected cyber breach, all of URE’s Cyber Assets were protected by ESPs and PSPs. The PSPs were continuously guarded and monitored, and the ESPs required multiple layers of user authentication. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 7
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its front end processors and its physical access control systems (PACS) assets did not have the required formal methods, processes and procedures for disposal and redeployment. URE also did not possess adequate records regarding the destruction and erasing of data from the hard drive of an EMS workstation prior to its disposal.
Finding: SERC found that the CIP-007-1 R7 violation constituted a moderate risk to BPS reliability, since improper disposal could have resulted in unauthorized retrieval and the release of sensitive cyber security or reliability data. But, none of URE’s devices at issue were actually disposed of or redeployed during the course of the violation. In addition, URE had a failed hard drive, which made it more difficult to recover any data from the device. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)
Reliability Standard: CIP-007-1
Requirement: 8
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that for three years it did not perform the required cyber vulnerability assessment on 35 CCAs.
Finding: SERC found that the CIP-007-1 R8 violation constituted a serious or substantial risk to BPS reliability as the lack of complete cyber vulnerability assessments could have resulted in a failure to identify systems or components at risk within the ESP and a failure to mitigate vulnerabilities. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.
Total Penalty: $198,000 (aggregate for 21 violations)
FERC Order: Issued January 29, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-29 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that, while it documented a baseline of all open ports on its system for Cyber Assets at six locations, it had not adequately reviewed its ports and services to verify that it had only enabled those ports and services required for normal and emergency operations.
Finding: WECC found that the CIP-007-1 R2 violation constituted only a minimal risk to BPS reliability. The ports were all identified applications on devices that were within an ESP and had antivirus and malware prevention tools installed. URE was also monitoring all logical access and used protective boundary devices to restrict access. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered the fact that URE had prior violations of the Reliability Standards, which were evaluated as aggravating factors. But, URE did have an internal compliance program in place, which was viewed as a mitigating factor. URE also provided WECC with a narrative on its compliance-related improvements. URE was cooperative during the enforcement process and did not conceal the violations. The violations only posed a minimal or moderate risk to BPS reliability.
Total Penalty: $109,000 (aggregate for 5 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-29 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it did not track, evaluate and install 46 security patches applicable to 24 networking devices. URE was also not monitoring patch releases for 78 devices, including programmable logic controllers, emission analyzers, global positioning system clocks, chart recorders, thin clients, protocol converters and switches.
Finding: WECC found that the CIP-007-1 R3 violation constituted a moderate risk to BPS reliability as the violation increased the risk that vulnerabilities would remain unaddressed for extended periods of time and as a result there would be a successful cyber-attack against the CCAs. But, the devices were all located in an ESP, which had monitored access and protective boundary devices. The relevant devices also had antivirus and malware prevention tools installed and had established backup procedures to protect against outages or malicious activity. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered the fact that URE had prior violations of the Reliability Standards, which were evaluated as aggravating factors. But, URE did have an internal compliance program in place, which was viewed as a mitigating factor. URE also provided WECC with a narrative on its compliance-related improvements. URE was cooperative during the enforcement process and did not conceal the violations. The violations only posed a minimal or moderate risk to BPS reliability.
Total Penalty: $109,000 (aggregate for 5 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-29 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-certified that it did not implement, as required, the necessary automated tools or organizational process controls to monitor cyber security system events for 83 Cyber Assets (including programmable logic controllers, emission analyzers, global positioning system clocks, chart recorders, thin clients and protocol converters) within the ESP.
Finding: WECC found that the CIP-007-1 R6 violation constituted only a minimal risk to BPS reliability. All of the relevant devices were located in an ESP, which had monitored access and protective boundary devices. The relevant devices also had antivirus and malware prevention tools installed (where technically feasible) and had established backup procedures to protect against outages or malicious activity. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered the fact that URE had prior violations of the Reliability Standards, which were evaluated as aggravating factors. But, URE did have an internal compliance program in place, which was viewed as a mitigating factor. URE also provided WECC with a narrative on its compliance-related improvements. URE was cooperative during the enforcement process and did not conceal the violations. The violations only posed a minimal or moderate risk to BPS reliability.
Total Penalty: $109,000 (aggregate for 5 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 1/1.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: During a compliance audit, RFC determined that URE’s cyber security test procedures for new Cyber Assets and for significant changes to existing Cyber Assets within the ESP were inadequate. For example, the test plan descriptions and results of testing did not reflect testing of cyber security controls, and there was insufficient documentation showing that the testing prevented adverse effects on cyber security controls. In addition, URE used a “rolling wave” method to conduct cyber security testing for software changes or upgrades (i.e., performing testing on less critical assets first, and then waiting to verify successful deployment prior to continuing deployment to more critical assets), an approach which RFC found does not minimize adverse effects on the production environment, since untested upgrades may contaminate the environment.
Finding: RFC found that the CIP-007-1 R1 violation constituted a moderate risk to BPS reliability as a change to the system can introduce unknown vulnerabilities. The duration of the violation also prolonged URE’s exposure to the risk. But, pursuant to URE’s testing process, the personnel responsible for approving the changes were aware of the impact the change would have. In addition, URE had instituted additional procedures for changes to the firewall rules and used the cyber vulnerability assessment process to test all cyber security controls and confirm that it had documented all changes since the prior year. Also, the ESP and physical access control system (PACS) environments had additional network-based monitoring systems (such as the intrusion detection system and the PACS network access point firewalls) that log network activity and produce logs for the security information and event management system. URE’s devices were also protected by malware prevention software and security patches. Furthermore, no security incidents had occurred as a result of URE’s “rolling wave” approach. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that it did not maintain, between annual cyber vulnerability assessments (CVAs), its baseline configuration of ports and services necessary for secure operations. Thus, URE may have been unable to detect unauthorized modifications of the ports and services. URE also had seven open ports and services that were not required to be enabled for normal and emergency operations. In addition, URE did not appropriately document, individually or by specified grouping, which ports and services should be enabled or listening on which devices.
Finding: RFC found that the CIP-007-1 R2 violation constituted a moderate risk to BPS reliability. By not adequately protecting the Cyber Assets within the ESP, it increased the risk of a security gap. The duration of the violation also prolonged URE’s exposure to the risk. But, all changes to the ports and services were required to go through the change control process and receive prior approval. An annual review of the change ticket assessments did not reveal any unauthorized enabled ports and services. In regards to the relevant open ports and services, the devices are not connected to the Internet or the business local area network and were protected by ESPs and PSPs. In addition, the ESP and physical access control system (PACS) environments had additional network-based monitoring systems (such as the intrusion detection system and the PACS network access point firewalls) that log network activity and produce logs for the security information and event management system. URE’s devices were also protected by malware prevention software and security patches. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that it was not timely assessing security patches and security upgrades for applicability within 30 days of availability (as it was only evaluating security patches within 30 days of release from the vendor). Also, URE’s vendor was only testing the patches, not assessing their applicability as required. In addition, URE’s patch implementation program did not adequately address software updates (beyond security patches) for certain software.
Finding: RFC found that the CIP-007-1 R3 violation constituted a moderate risk to BPS reliability since URE’s failure to have a complete security patches and security upgrades program increases the risk to the Cyber Assets. The duration of the violation also prolonged URE’s exposure to the risk. But, URE did assess the security patches (although outside of the required timeframe). The devices were also protected by PSPs and ESPs, and the accounts at issue do not have direct outward facing access to the corporate business network or to the Internet. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that its anti-virus and malware prevention signatures on its voltage regulators for its generating stations were not up to date or available and that it had not submitted a Technical Feasibility Exception. RFC also found that URE used a “rolling wave” approach for testing anti-virus and malware prevention signatures (i.e., performing testing and implementing on less critical assets first, and then waiting to verify successful deployment prior to continuing deployment to more critical assets), an approach which RFC found does not adequately address testing requirements as the signatures are placed into the production environment prior to testing.
Finding: RFC found that the CIP-007-1 R4 violation constituted a moderate risk to BPS reliability since the “rolling wave” approach increases the risk that the Cyber Assets would be compromised within the production environment. The duration of the violation also prolonged URE’s exposure to the risk. But, the voltage regulator devices at issue are protected by an ESP and PSP and the site is subject to continuous monitoring. In addition, no security incidents resulted from URE’s “rolling wave” approach. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 5
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that it did not implement an adequate audit trail for account use on one shared account since multiple users were able to access the account through one laptop. URE also did not possess sufficient documentation regarding audit trails of individual user account activity for its generating station voltage regulators as URE did not review logs or the logs were unavailable. URE also did not rename certain shared administrator accounts as required and could not properly document individual access to shared accounts.
Finding: RFC found that the CIP-007-1 R5 violation constituted a moderate risk to BPS reliability. By not renaming administrator accounts, URE increased the risk that an intruder who obtains part of the login information would be able to perform administrative tasks on the system and compromise BPS reliability. But, the administrator accounts at issue do not have direct outward facing access to the corporate business network or the Internet. Only individuals with personnel risk assessments and cyber security training had physical access to the Cyber Assets. The voltage regulator devices are protected by an ESP and PSP and are subject to continuous monitoring. In addition, no cyber security events occurred during the violations and thus URE had no need for the audit trails. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)
Reliability Standard: CIP-007-1
Requirement: 6/6.3/6.4/6.5
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: URE self-reported that monitoring was temporarily disabled on five of its Cyber Assets within the ESP. URE also did not submit Technical Feasibility Exceptions for several devices that were configured to the security information and event management system, but that were technically incapable of monitoring or generating logs. In addition, the collection of IP addresses for one of URE’s aggregate switches was misconfigured, resulting in URE being unable to review logging for that switch. Due to problems with the frequency at which log buffers were sending logging information to a collection device, URE also had several devices which were not generating the required messages related to denied firewall traffic.
Finding: RFC found that the CIP-007-1 R6 violations constituted a moderate risk to BPS reliability since they represented multiple vulnerabilities on URE’s system. But, URE controls physical access to the devices through a key management program and had additional security measures in place (such as alarm-protected doors, continuous monitoring, qualified personnel, disabled single default local administrator account, controlled access PSP, password protections, and anti-virus software on all operating system servers and workstations). The voltage regulator devices are also contained within an ESP and PSP and subject to continuous monitoring. The loss of traffic from the aggregate switch would not affect BPS operations (as URE’s system segments traffic from the aggregate switch feeder system). Furthermore, the logging information only serves to provide insight on the traffic flowing across the network. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.
Total Penalty: $75,000 (aggregate for 13 violations)
FERC Order: Issued February 28, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-37 (March 31, 2014)
Reliability Standard: CIP-007-1
Requirement: 1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, URE could not provide test records for significant changes made to asset areas. URE was also in violation of the standard because it was only performing functional testing, but not security testing, as part of its procedures.
Finding: WECC determined the violation posed a moderate risk to BPS reliability, but did not pose a serious or substantial risk. URE failed to perform security testing on seven assets and could not ensure systems were secure prior to the implementation of software upgrades, vendor releases, version upgrades, and system upgrades. However, the risk was mitigated by several factors. URE had layers of security controls in place during the pendency of the violation. Specifically, URE had network separation with firewall technology, host intrusion detection systems, annual cyber vulnerability assessments, and monitoring and alerting processes that included third-party analysis and reporting. Additionally, all traffic to and from URE's ESPs passed through multiple firewalls, which were configured to restrict, monitor, and alert upon suspected malicious activity. Lastly, URE performs functionality testing on all assets prior to making significant changes. This type of testing verifies that the device operates correctly prior to being released into production. In approving the settlement agreement, WECC considered that although the violation of CIP-006-1 R1 is URE’s third violation of that Reliability Standard, the current violation is distinct because it relates to a separate sub-requirement, and therefore WECC determined it was not recurring conduct and aggravation was not warranted for the instant violation. Also, the CIP-007-1 R1 violation is URE’s fourth violation of that Reliability Standard; however, the prior violations were concurrent with the instant violations, and therefore WECC did not consider them as an aggravating factor in the penalty determination. However, the CIP-007-1 R2 violation was URE’s second violation of that Reliability Standard, which WECC determined was an aggravating factor in the penalty determination. URE has a compliance program in place which was given mitigating credit, and URE was cooperative during the compliance enforcement process. There was no evidence of any attempt or intent to conceal a violation, and the violations did not pose a serious or substantial risk to BPS reliability. No other mitigating or aggravating factors or extenuating circumstances affecting the assessed penalty were noted.
Total Penalty: $465,000 (aggregate for 8 violations)
FERC Order: Issued April 30, 2014 (no further review)
Unidentified Registered Entity (URE), FERC Docket No. NP14-37 (March 31, 2014)
Reliability Standard: CIP-007-1
Requirement: 2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: While conducting a compliance audit, WECC Audit Staff found that URE did not ensure that only those ports and services required for normal and emergency operations were enabled. WECC’s Audit Team identified eight power supply controllers that had open ports that were not required for normal or emergency operations but could not be disabled. The ports were used for remote logging and for securing systems determined to be CCAs.
Finding: WECC determined the violation posed a moderate risk to BPS reliability, but did not pose a serious or substantial risk. Specifically, URE failed to document compensating controls and submit a TFE for the eight RAS devices that have ports open that are not required but could not be disabled. The ports were used for remote logging and for securing systems determined to be CCAs. However, the risk was mitigated by several factors. URE used network and host intrusion detection and protection systems to provide protection against attacks, exploits, and vulnerabilities. This system included network separation and firewall technology which was monitored at all times. URE’s devices were physically secure because URE used ID badge systems, cameras, and physical security monitors to deter and prevent unauthorized physical access to areas or systems. Further, all individuals with access to ESPs and PSPs had PRAs and cyber security training. In approving the settlement agreement, WECC considered that although the violation of CIP-006-1 R1 is URE’s third violation of that Reliability Standard, the current violation is distinct because it relates to a separate sub-requirement, and therefore WECC determined it was not recurring conduct and aggravation was not warranted for the instant violation. Also, the CIP-007-1 R1 violation is URE’s fourth violation of that Reliability Standard, however, the prior violations were concurrent with the instant violations, and therefore WECC did not consider them as an aggravating factor in the penalty determination. However, the CIP-007-1 R2 violation was URE’s second violation of that Reliability Standard, which WECC determined was an aggravating factor in the penalty determination. URE has a compliance program in place which was given mitigating credit, and URE was cooperative during the compliance enforcement process. 
There was no evidence of any attempt or intent to conceal a violation, and the violations did not pose a serious or substantial risk to BPS reliability. No other mitigating or aggravating factors or extenuating circumstances affecting the assessed penalty were noted.
Total Penalty: $465,000 (aggregate for 8 violations)
FERC Order: Issued April 30, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that, after installing log data collection software, it did not perform adequate testing (as it only tested a sample of devices instead of all devices on which the software was installed) and thus did not maintain complete and accurate cyber security control test results for significant changes to its Cyber Assets. WECC determined that the violation impacted 40 Cyber Assets (27 CCAs and 13 non-critical Cyber Assets) within two ESPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it resulted in the relevant Cyber Assets being vulnerable to exploitation and increased the risk of unauthorized access to URE’s ESPs. However, URE’s networks were separated from its corporate environment and the internet, and all traffic to and from the ESPs is restricted and monitored by firewalls. In addition, the devices at issue are contained within a physically secure area with restricted access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.
Total Penalty: $155,000 (aggregate for 9 violations)
FERC Order: Issued May 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not maintain adequate records regarding the security patches and Cyber Assets that were released and thus was unable to verify that it had properly documented its evaluation of applicable security patches within 30 days of availability. This violation affected almost 500 Cyber Assets (consisting of 20 CCAs and over 450 non-critical Cyber Assets) within two ESPs.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability as an unknown number of patches were missed and there was an increased risk that a large number of URE’s Cyber Assets would be compromised by known vulnerabilities. However, the devices at issue are located within physically secure areas with restricted access. Furthermore, the devices had anti-virus tools installed and were monitored by an intrusion detection system. URE also kept its networks separate from its corporate environment and internet, and all traffic to and from URE’s ESPs first passes through firewalls. In addition, the device manufacturers did not provide patches for most of the devices as URE submitted Technical Feasibility Exceptions for almost 80% of the Cyber Assets at issue. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.
Total Penalty: $155,000 (aggregate for 9 violations)
FERC Order: Issued May 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that over 500 devices (consisting of nearly 400 CCAs and over 100 non-critical Cyber Assets) within two ESPs were not sending system event logs to its centralized logging server. URE failed to submit Technical Feasibility Exceptions for over 400 of these devices that were technically unable to log or monitor system events.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability as URE’s lack of logging and monitoring controls increased the risk that unauthorized access to its Cyber Assets would not have been detected. However, the relevant ESPs employed intrusion detection systems and all traffic to and from the ESPs first passes through firewalls that send alerts regarding any suspicious activity. Furthermore, the devices at issue are located in physically secure areas with restricted access. URE also had controls in place to monitor its other Cyber Assets for system events. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.
Total Penalty: $155,000 (aggregate for 9 violations)
FERC Order: Issued May 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-41-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R5/R1.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that, as a result of the improper configuration of a server, over 30 of its workstations used in its supervisory control and data acquisition (SCADA), energy management system (EMS) and remedial action scheme (RAS) systems were not able to generate logs with the information necessary to create historical audit trails of all user access activity for at least 90 days, as required.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability. Without proper logging procedures and controls, malicious attempts to gain access to URE’s SCADA, EMS and RAS systems could have gone undetected and there would have been no audit trail to allow for an investigation of any unauthorized access. But, URE’s SCADA, EMS and RAS systems were protected by authentication controls and URE’s personnel were continuously monitoring network activity. In addition, the devices at issue could only be accessed on-site and are protected by a PSP. URE does not dispute the violations. In approving the settlement agreement, NERC BOTCC found that the violations constituted a moderate risk to BPS reliability, but not a serious or substantial risk. However, URE’s compliance history was considered an aggravating factor. NERC BOTCC did consider the fact that URE self-reported the violations and that there was a compliance program in place. URE was also cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $98,500 (aggregate for 2 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-41-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that over 30 workstations used in its supervisory control and data acquisition (SCADA), energy management system (EMS) and remedial action scheme (RAS) systems did not have the required automated tools or organizational process controls to monitor cyber security system events as a server was not configured correctly to receive logs of such events from the workstations. In addition, URE found approximately 150 additional servers and workstations and 50 network switches that were not forwarding logs as required to the log monitoring servers.
Finding: WECC found that the violation constituted a moderate risk to BPS reliability. Without the required logging procedures and controls, URE did not have any way to identify or investigate forced attacks, multiple password attempts or irregular logons to its workstations. As such, unauthorized individuals could have gained access to URE’s SCADA, EMS and RAS systems. However, URE did have an authentication system for its SCADA, EMS and RAS systems and there were trained personnel on-site responsible for real-time monitoring of network activity. In addition, the devices at issue could only be accessed on-site and any unauthorized access to the PSPs would have been detected by URE’s physical access control system. URE does not dispute the violations. In approving the settlement agreement, NERC BOTCC found that the violations constituted a moderate risk to BPS reliability, but not a serious or substantial risk. However, URE’s compliance history was considered an aggravating factor. NERC BOTCC did consider the fact that URE self-reported the violations and that there was a compliance program in place. URE was also cooperative during the enforcement process and did not conceal the violations.
Total Penalty: $98,500 (aggregate for 2 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that, after revising its change management program to cover testing of significant changes to existing Cyber Assets within the ESP to ensure that the changes do not adversely affect existing cyber security controls, it did not install the software needed for such testing until 22 months later. This delay in installing the software resulted in a failure to test certain security controls for 142 CCAs and 69 Cyber Assets within an ESP.
Finding: SERC determined that the violation constituted a serious or substantial risk to BPS reliability as the lack of testing of the cyber security controls prior to implementation in the production environment increased the risk of security vulnerabilities affecting URE’s critical and non-critical Cyber Assets inside the ESPs. However, URE did have certain procedures in place regarding change control and testing of significant changes and conducted functional testing of the Cyber Assets before implementation in the production environment. In addition, URE’s ESPs are protected by real-time monitoring, including an intrusion detection system. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a spot check, SERC determined that URE had enabled ports and services that were not required for normal or emergency operations on 174 devices and failed to provide baseline documentation regarding required ports and services for 211 devices.
Finding: SERC determined that the violation constituted a serious or substantial risk to BPS reliability since the violation increased the risk that unauthorized individuals or malware could exploit the open ports and services and disrupt operation or gain access to URE’s CCAs. The risk was compounded since URE also failed to properly ensure that new Cyber Assets and significant changes to existing Cyber Assets within the ESP would not adversely affect existing cyber security controls on its CCAs and non-CCAs, and to properly ensure that at the ESP access points only those ports and services required for emergency operations and for monitoring Cyber Assets within ESPs were enabled. However, URE had implemented several protective measures, including intrusion detection system devices in its ESPs and on the corporate network, an access control model that denied access by default, third-party security logging and monitoring, and procedures for managing the ports and services on Cyber Assets within its ESPs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance spot check, SERC determined that URE’s cyber security patch and vulnerability management procedures did not sufficiently address, as required, the assessment of security patches within 30 days of their availability, testing of patches and deployment of patches to several device types. URE also did not maintain an adequate patch evaluation list, as the list showed patches released without a completed assessment or a documented mandatory installation date, was missing information on the applicability of patches and any compensatory measures applied, and did not include assessments of security patches applicable to non-operating system software. In addition, URE failed to evaluate and apply certain historical patches for Cyber Assets inside an ESP or properly document its security patch assessments and the associated software inventory required for patch review.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability since it increased the risk of URE having unaddressed vulnerabilities for extended periods of time. However, the security patches that URE did not assess were only applicable to a limited number of non-critical Cyber Assets. In addition, all of URE’s Cyber Assets were protected by ESPs and PSPs. Furthermore, no malicious activity involving the Cyber Assets at issue was detected during the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not file a Technical Feasibility Exception (TFE), as required by its corporate policy, for a server used for archiving historical data that (due to hardware resource restrictions) did not support anti-malware software.
Finding: SERC determined that the violation constituted a minimal risk to BPS reliability. The relevant server was contained within an ESP and PSP and was unable to control aspects of the BPS. All other devices in the ESP had anti-malware installed, which mitigated the risk of spreading malware among the devices in the ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R4/R4.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance spot check, SERC discovered that URE did not timely implement adequate procedures for testing and installing antivirus and malware “signatures” for all of its Cyber Assets.
Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability as URE generally installed, when technically feasible, antivirus software and other malware prevention tools on its Cyber Assets within ESPs. In addition, URE affirmed that it tested antivirus and malware signatures in a development environment before installing them. URE also proved that a third-party vendor tested the antivirus and malware signatures before they were utilized. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R5
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it had not timely disabled or removed, as required, 48 shared or administrator accounts on servers and workstations with 90 days or more of inactivity. URE also reported having numerous servers that were not properly configured to enforce password requirements, including the controls for enforcing the use of special characters in passwords. In addition, SERC conducted a spot check and determined that URE did not use passwords for all accounts on its Cyber Assets, did not change all default passwords, did not properly modify passwords on default accounts for certain Cyber Assets prior to placing the assets in service, had accounts that were no longer needed, and did not annually change passwords for all its Cyber Asset and administrative accounts.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability as it increased the risk that the Cyber Assets would be vulnerable and individuals could obtain unauthorized access and compromise URE’s system. However, all of the devices at issue were contained within an ESP and PSP and were protected by firewalls, physically secured facilities with card readers, biometric controls, real-time monitoring and an intrusion detection system. Malware prevention and antivirus software were current and operating effectively during the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it had three Cyber Assets within an ESP that were not logging security events as required. Two of the devices did not have the needed software installed and configured correctly, and the other device was an antiquated server that did not support the logging software but did not have a Technical Feasibility Exception on file. URE further reported that, due to improper configuration and failure to install certain software, twelve host devices were not able to send or log security monitoring messages and its centralized server was unable to process cyber security logs for seven non-critical Cyber Assets. In addition, two network outages caused the logging and monitoring of seven Cyber Assets to be unavailable for a total of 120 minutes.
Finding: SERC determined that the violation constituted a moderate risk to BPS reliability as it increased the risk of an undetected security breach and URE’s CCAs becoming inoperable and a loss in monitoring and controlling of the BPS. The lack of adequate logs may also have hindered URE’s ability to investigate any incidents. However, the ESP protecting the devices at issue had real-time monitoring and an intrusion detection system. Other security controls were operational and current and no unauthorized access attempts occurred during the course of the violation. During the network outages, trained technical personnel monitored the system conditions. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $250,000 (aggregate for 27 violations)
FERC Order: Issued June 27, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC determined that URE failed to establish a process to ensure that only those ports and services required for normal and emergency operations were enabled. For three years, this resulted in additional ports and services being enabled for 21 CCAs, 2 non-CCAs, 8 electronic access control and monitoring devices and 7 physical access control system assets.
Finding: WECC determined the violation constituted a moderate risk to BPS reliability as the devices at issue are used to support all of URE’s ESPs. But, the ESPs had security incident and event management technology installed and ESP traffic was managed by firewalls designed to protect against suspicious or malicious activity. Furthermore, the devices are located in physically secure areas where access is protected by guards, cameras and alarms, and the BPS was not compromised due to the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $180,000 (aggregate for 7 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R5/R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: URE self-reported that it did not have adequate policies in place for determining who was using a shared account and thus was unable to create the required audit trails for the shared accounts.
Finding: WECC determined the violation constituted a minimal risk to BPS reliability. URE had implemented account controls on all shared accounts and completed PRAs and CIP training for all personnel who had access to the shared accounts. Furthermore, all devices at issue were located within a PSP with restricted physical access and no actual harm to the BPS occurred. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $180,000 (aggregate for 7 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R1/R1.3 (4 violations – one for URE1, URE4, URE5 and URE6)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE1, URE4, URE5 and URE6 self-reported their failure to properly document the testing of certain of their devices in order to ensure that those devices did not negatively affect existing cybersecurity controls.
Finding: RFC determined the violations constituted only a minimal risk to BPS reliability as they only involved documentation errors. URE1, URE4, URE5 and URE6 actually performed the required testing on the dial-up devices pursuant to the URE Parent Company’s test procedures. In addition, the relevant URE Companies had automated tools and organizational process controls in place for monitoring any events related to cybersecurity for remote access to the devices. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $50,000 (aggregate for 35 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R5 (4 violations – one for URE1, URE4, URE5 and URE6)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE1, URE4, URE5 and URE6 self-reported their failure to establish, implement and document the necessary technical and procedural controls for the authentication of and accountability for all user activity on the local access port on certain of their dial-up devices.
Finding: RFC determined the violations constituted only a minimal risk to BPS reliability as unauthorized access to the local service port necessitates physical access via a locked fence and a locked building door that is monitored for entry. The local service port has password protection and an alarm that is triggered in the event of unauthorized access attempts to the devices. Additionally, cybersecurity events related to remote access to the devices are monitored by automated tools and organizational process controls. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). Nevertheless, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $50,000 (aggregate for 35 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R5/R5.3.3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE2 self-certified that it failed to annually change passwords for 10 local accounts at one Critical Asset facility or delete those accounts when a new password management directory was installed. URE2 also did not implement log-on passwords for a shared operator account on eight devices at the same Critical Asset facility.
Finding: RFC determined that this violation posed a minimal risk to BPS reliability. URE2 has a defense-in-depth strategy that employs multiple layered defenses against unauthorized access, and the devices at issue were located within a PSP. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). Nevertheless, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $50,000 (aggregate for 35 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R6 (4 violations – one for URE1, URE4, URE5 and URE6)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE1, URE4, URE5 and URE6 self-reported their failure to adequately monitor local logical access to certain devices for cybersecurity system events.
Finding: RFC determined that the violations constituted only a minimal risk to BPS reliability as unauthorized access to the local service port necessitates physical access via a locked fence and a locked building door that is monitored for entry. The local service port has password protection and an alarm that is triggered in the event of unauthorized access attempts to the devices. Additionally, cybersecurity events related to remote access to the devices are monitored by automated tools and organizational process controls. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). Nevertheless, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $50,000 (aggregate for 35 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: URE2 self-certified that it did not implement the required organizational processes and technical and procedural mechanisms to monitor cybersecurity events for six CCAs.
Finding: RFC determined that the violation posed a moderate risk to BPS reliability. URE2’s lack of controls increased the risk that malicious acts on its CCAs could have resulted in loss of operational control or visibility and that such acts would go undetected. However, the CCAs were contained within PSPs and were subject to physical access control and monitoring. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). Nevertheless, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.
Total Penalty: $50,000 (aggregate for 35 violations)
FERC Order: Issued August 29, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R1 (3 violations – one for each URE Company)
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not properly ensure that new Cyber Assets and significant changes to Cyber Assets within the ESPs would not adversely impact existing cybersecurity controls.
Finding: RFC determined the violation posed only a minimal risk to BPS reliability as the URE Companies made few significant changes to their CCAs on an annual basis. The URE Companies followed a change control process with risk-based testing, and changes were first tested in a quality assurance environment. Additionally, all Cyber Assets within the ESPs were protected by defense-in-depth perimeters, including firewall protection and monitoring. In addition, certain of the Cyber Assets were not connected to the internet. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R2 (3 violations – one for each URE Company)
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that, after tests on their Cyber Assets, they were unable to verify that only those ports and services required for normal and emergency operations were enabled.
Finding: RFC determined the violations posed a moderate risk to BPS reliability as they increased the risk that unauthorized network traffic would be able to infiltrate the ESPs. However, the URE Companies did provide protections through the use of vulnerability scans, remediation actions, review of all ESP and CCA ports during initial implementation, additional electronic perimeters with intrusion detection systems, and antivirus software on Windows assets. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R3 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not follow the corporate patch management program for certain devices and did not timely assess certain patches for applicability within 30 calendar days of availability. In addition, while URE1 reported the technical infeasibility of installing a patch for one Cyber Asset, it did not document the compensating measures it enacted to mitigate risk exposure or acceptance of risk.
Finding: RFC determined the violations posed a moderate risk to BPS reliability since they increased the risk that unauthorized network traffic could infiltrate the ESPs or that an individual would be able to exploit known vulnerabilities. However, all of the URE Companies’ Cyber Assets were protected by defense-in-depth perimeters, including firewalls and monitoring for events within the ESPs and PSPs. The URE Companies were also reviewing and implementing patches for key elements such as operating systems and crucial SCADA applications. Additionally, URE1 had a patch assessment process and was performing regular quarterly patching on certain operating system assets. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R4 (3 violations – one for each URE Company)
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not properly implement and document their processes for implementing antivirus and malware updates (such as in regards to testing and installing signature files) or, when the operating system did not support certain automatic updates, document compensating measures to mitigate risk exposure or risk acceptance. In addition, RFC found that URE2 failed to install antivirus and malware prevention tools on one of its servers and did not document the testing of antivirus signatures for two sets of Cyber Asset devices.
Finding: RFC determined the violations posed a moderate risk to BPS reliability since they increased the risk that malware could infiltrate the Cyber Assets within the ESPs. However, the URE Companies did monitor their network traffic (especially for malicious signatures) and isolated their Cyber Assets from typical malware attack vectors. Additionally, no email clients were installed on the Cyber Assets, and the Cyber Assets were not connected to the internet. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R5 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that, in regards to the access rights of certain IT administrators, they did not adequately establish, implement and document the mandated technical and procedural controls for authenticating access to their Cyber Assets for all user activity. The URE Companies also did not enforce password frequency change or complexity requirement for certain Cyber Assets. In addition, the URE Companies did not timely verify certain user access privileges on an annual basis or to formally authorize access to certain shared accounts. Furthermore, RFC determined that URE2 did not generate the required logs of user activity for certain sampled devices and Windows platforms, conduct an annual review of user account privileges or enact a complete policy for managing shared accounts that require an audit trail of account use and steps for securing the account after personnel changes.
Finding: RFC determined the violations posed a moderate risk to BPS reliability since they increased the risk of unauthorized system access and system misuse or compromise. However, the IT administrators all had training, Personnel Risk Assessments and network access credentials, and their work was monitored by the URE Companies. In addition, the URE Companies were actually conducting some of the required annual reviews and managing user account privileges (including revoking physical and electronic access rights when an employee was terminated). The URE Companies also provided all their assets with some protective measures and controls. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R6 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not properly log system events regarding cybersecurity for CCAs, other protected assets and access controls and monitoring assets. During a compliance audit, RFC discovered that URE2 did not conduct adequate security events monitoring as mandated by its organizational processes and technical and procedural mechanisms or issue the required alerts for detected Cyber Security incidents.
Finding: RFC determined the violations posed a moderate risk to BPS reliability since they increased the risk that misuse or compromise of the CCAs and other cybersecurity-related system events would go undetected. While the URE Companies did not provide adequate automated monitoring, they implemented manual monitoring and review. The URE Companies also enacted protective measures for all of their Cyber Assets based on their corporate policies and defense-in-depth strategy. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R7 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: During a compliance audit, RFC found that URE2 failed to provide sufficient evidence that it established formal methods, processes or procedures for disposing or redeploying Cyber Assets within its ESP. Subsequently, URE1 and URE3 self-reported the same violation.
Finding: RFC determined the violations posed a moderate risk to BPS reliability since they increased the risk that unauthorized, untrained individuals could access sensitive data through the Cyber Assets. However, the URE Companies did store devices that were removed from service within existing PSPs. In addition, while the documentation was inadequate, the URE Companies had in fact sanitized, erased and destroyed the hard drives in all of the equipment after it was redeployed or removed from service. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R8 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not maintain complete lists of all ports and services and thus were unable to verify that only those ports and services required for the operations of the Cyber Assets within the ESPs were enabled. In addition, the URE Companies failed to retain documentation during their cyber vulnerability assessments (CVAs) of compliance with Reliability Standard CIP-007-1 R8.
Finding: RFC determined the violations posed a moderate risk to BPS reliability as the failure to annually perform adequate CVAs increased the risk of cyber vulnerabilities. While the URE Companies did not fully document the implementation of their CVAs, they did perform periodic automated vulnerability scans to identify open ports and services and to evaluate and manage any unusual issues discovered. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)
Reliability Standard: CIP-007-1
Requirement: R9 (3 violations – one for each URE Company)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC
Issue: The URE Companies self-reported that they did not adequately review, update and maintain documentation, on an annual basis, regarding their compliance with Reliability Standard CIP-007-1.
Finding: RFC determined the violations posed a minimal risk to BPS reliability as the violations involved only documentation deficiencies. In practice, the URE Companies had established documented processes for the annual review and approval of CIP documentation, although their workflow processes did not provide adequate evidence of compliance with the Reliability Standard. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R1/R1.1/R1.2/R1.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that it did not have procedures for testing third party software, verify that third party patches would not adversely affect its existing cybersecurity controls, or document results of tests on some of its Cyber Assets. During a compliance audit, SPP RE found that URE did not require testing for a software update on a third party’s network monitoring device as part of its cybersecurity testing procedures.
Finding: SPP RE determined that the violation constituted a moderate risk to BPS reliability as URE’s failure to thoroughly test third party patches before installing them in production, together with its lack of patch records, increased the risk that a patch adversely affecting its cybersecurity controls might be installed and that URE would have only a limited ability to investigate it. However, consistent with its patch management procedures, URE only installed patches in production after they had been implemented in a stand-by environment and host and network devices had been scanned to ensure there would be no adverse effects on its network. In addition, URE’s network monitoring device would have limited any risk in the case of an event, and URE runs a daily vulnerability scanning utility to identify configuration changes to its devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R2/R2.1/R2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that it did not maintain baseline documentation of ports and services that are required for normal or emergency operations.
Finding: SPP RE determined that the violation constituted a moderate risk to BPS reliability as it increased the risk of, and the area exposed to, malicious access to URE’s ESP and limited its ability to identify any unauthorized changes to its environment. However, URE remained informed of any changes to its ports and services, and the devices at issue were protected by anti-malware software and kept behind secure firewalls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R3/R3.1/R3.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that its security patch management program, for tracking, evaluating, testing and installing third party cybersecurity patches, was not documented and it did not include the evaluation and installation of third party patches. In addition, four of URE’s patches had not been evaluated within 30 days of release.
Finding: SPP RE determined that the violation constituted a moderate risk to BPS reliability as it increased the risk that URE’s cybersecurity controls could be vulnerable due to overlooked patches or the installation of patches that were not thoroughly tested. However, URE proved that it remained aware of the functionality of third-party patches, and SPP RE determined that the patches at issue were not patches installed to mitigate risk on host operating systems. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R5 (5.1.2, 5.1.3, 5.2.3, 5.3.2)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that it did not maintain an audit trail for the use of shared accounts, log successful local and domain user access attempts, or enforce the required password complexity for some accounts. During a compliance audit, SPP RE discovered that for one shared account URE could not prove that the account had been assessed, its users identified, or an audit trail of its use maintained. SPP RE also discovered that URE did not review access privileges for local accounts on its physical security server and failed to enforce password complexity at the login level for one of its routers.
Finding: SPP RE determined that the violation constituted a moderate risk to BPS reliability, as URE’s ability to identify and mitigate malicious activity on its accounts was limited by its failure to apply all required CIP account controls. URE’s failure to require password complexity also increased the risk that unauthorized individuals could gain access to its accounts through brute-force password attacks. However, URE used a password generator to create complex passwords and granted access only on a need-to-know basis. Furthermore, only three individuals had access to the account discovered in SPP RE’s audit, and only five individuals had access to the unreviewed accounts associated with the physical security server. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R1/R1.1/R1.2/R1.3
Violation Risk Factor: Medium
Violation Severity Level: High
Region: Texas RE
Issue: URE self-certified and self-reported that it failed to document that testing was performed in an environment similar to its production environment before making changes to its Cyber Assets. URE also failed to ensure that personnel understood the necessity of the requirement and to document the test results in its change management system.
Finding: Texas RE determined that the violation constituted a moderate risk to BPS reliability, as the failure to properly document the required testing procedures, or to train URE's personnel on them, increased the risk of vulnerabilities in its Cyber Assets and of possible modification of its cybersecurity controls. However, URE did test changes to its Cyber Assets in an environment that mirrored its production environment, and all its CCAs were protected by firewalls and monitored by an intrusion prevention system. Furthermore, URE received and investigated real-time alerts for unknown communications within its ESP, and its primary CCAs were physically located in a secure facility that was monitored at all times. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.
Penalty: $106,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R2/R2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Texas RE
Issue: In the course of a compliance audit, Texas RE determined that URE failed to disable ports and services on a device that were enabled for troubleshooting before it placed the device into production.
Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability, as the ports at issue represented point-to-point connections between the Cyber Assets, and Cyber Assets outside the environment in which they resided could not access them. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.
Penalty: $106,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R4
Violation Risk Factor: Medium
Violation Severity Level: Moderate
Region: Texas RE
Issue: URE self-reported that for six devices and three servers (all Cyber Assets within its ESP) antivirus and malware protection software was not installed.
Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability. URE used firewalls, group user authentication, shared account reviews, infrastructure reviews, employee training, cyber incident detection, and ESP/PSP access authentication to provide multi-layered protection. URE's firewalls and intrusion prevention systems were located in a secure facility and monitored at all times, and alerts were sent and investigated for any unfamiliar communications within its ESP. In addition, the devices at issue were physically located in a secure facility that was continuously monitored. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.
Penalty: $106,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R5/R5.1/R5.2/R5.3.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Texas RE
Issue: In the course of a compliance audit, Texas RE found that URE did not have a complete list of all shared and default accounts, with their associated access privileges, for the Cyber Assets in its ESPs, and that it failed to change the passwords on those accounts annually.
Finding: Texas RE determined that the violation constituted a moderate risk to BPS reliability, as it increased the risk of unauthorized access to URE's Cyber Assets and the threat of a malicious attack on its system. Additionally, URE did not have a complete list of all its shared and default accounts, and a list of default accounts identified by its CVA was missing almost half of the accounts. However, only a small number of employees and contractors had access to the Cyber Assets at issue, and the Cyber Assets were securely located in an ESP that resided within a PSP. In addition, URE used employment status and access revocation alerts to further monitor cyber and physical access to the CCAs in its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.
Penalty: $106,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-007-1 (2 violations – one for URE1 and one for URE2)
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: During a joint compliance audit, SPP RE determined that URE2 failed to create and document a process for tracking, assessing, testing and installing cybersecurity patches associated with Cyber Assets within its ESP. Upon review of all Cyber Assets for all operating regions, it was determined that URE2 and URE1 had failed to include six and over 20 Cyber Assets, respectively, in their patch management programs. As a result, the UREs collectively failed to assess three patches for five of URE2's six Cyber Assets and almost forty patches for ten of URE1's 20-plus Cyber Assets. Two of URE1's unassessed patches addressed software vulnerabilities.
Finding: SPP RE determined that the violation posed a moderate risk to BPS reliability, as it increased the risk of unauthorized access to and manipulation of the UREs' Cyber Assets, which could have diminished their ability to control and monitor aspects of various BPS facilities under the UREs' control. However, the UREs assessed and installed the required patches after the infraction was discovered, and with the exception of the two patches that addressed security issues, all other patches were optional. In addition, all of the Cyber Assets at issue were located within a PSP and protected behind ESP firewalls; they could only be accessed through the network and required authorization for remote access. None of the Cyber Assets were CCAs, and none showed any degradation in performance. The UREs found no malware or unauthorized access on their ESP networks. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-007-1 (2 violations – one for URE1 and one for URE3)
Requirement: R5/R5.2.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: URE1 and URE3 self-reported to MRO and WECC, respectively, that they failed to sufficiently follow their EMS account management policy for managing and limiting the access of administrator, shared and other generic accounts. On two occasions the UREs failed to change passwords for EMS shared accounts within seven days of a change in an employee's status. Specifically, the password on a shared account was not changed until three weeks after an employee resigned and, in the other case, until six months after an EMS administrator retired. However, neither individual was able to access the EMS accounts, because they did not have remote access ability and their physical access rights to CCAs had been revoked. In addition, employees with system administrative responsibilities had full access to all EMS functions through a shared account, and some were able to access the shared EMS administrative account remotely through the corporate network or, in some instances, from particular devices. The UREs explained that the password violation was the result of a gap between their policy requirements and the procedure for implementing the policy.
Finding: MRO determined that the violation posed only a minimal risk to BPS reliability, as the two employees' remote access had been revoked, so their ability to access the EMS accounts was limited to physical access, which had been revoked on their last day of employment, or to falsely using another individual's credentials. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-007-1 (2 violations – one for URE1 and one for URE3)
Requirement: R5/R5.3.1/R5.3.2/R5.3.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: URE1 and URE3 self-reported to MRO and WECC, respectively, that they failed to annually change the passwords for four domain accounts (accessible by employees with administrator responsibilities) on CFE (communication front end) assets that communicate with the EMS. Specifically, URE1 and URE3 had not changed the passwords for numerous local administrator accounts on CFE assets since either the date of acquisition or the standard's mandatory compliance date. URE3 also failed to annually change the password on two application personal computers. Through the mitigation process, the UREs discovered that TFEs (technical feasibility exceptions) needed to be filed for some EMS database server accounts. In addition, MRO determined that the UREs changed passwords based solely on procedural controls rather than the technical controls required by the standard. During a joint compliance audit, SPP RE and WECC determined that passwords on the UREs' Critical Asset substation relays did not meet the password complexity requirements. However, the UREs were able to file TFEs to resolve the issue.
Finding: MRO determined that the violation posed a serious or substantial risk to BPS reliability, as the UREs' failure to protect CFE assets with dynamic and complex passwords lasted a long time and increased the risk that someone could corrupt the "front end" communications between the EMS and BPS facilities. In addition, the UREs used routable communications between two of the CFEs and some of the non-BPS substation facilities, which further increased the risk. The UREs also failed to annually change the passwords for domain accounts used to access CFE devices, and several employees who knew the passwords were no longer employed by the UREs. However, the CFEs and non-BPS substations at issue were behind a firewall that limited network traffic, and there was never a connection from the non-BPS facilities to the CFEs. The UREs also filed the appropriate TFEs where the vendor could not implement the password changes for the EMS database accounts. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)
Reliability Standard: CIP-007-1
Requirement: R7/R7.1/R7.2 (2 violations – one for URE1 and one for URE3)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: MRO, SPP RE and WECC
Issue: URE1 and URE3 (collectively, the UREs) self-reported to MRO and WECC, respectively, that the Cyber Assets in production did not match their list of Cyber Assets. In addition, the UREs did not correctly apply their substation change control and configuration management process to substation CCAs that were commissioned after a specific date and, in five instances, to substations that were disposed of or decommissioned. The UREs failed to properly apply the requirements of their substation change control and configuration management process to three relays and two local control units that were either disposed of or deployed as substation CCAs.
Finding: MRO determined that the violation posed only a minimal risk to BPS reliability, as the three relays and two local control units at issue did not have routable protocol communication capability and could only be accessed through a dial-up connection. Furthermore, the information contained on the devices was limited to protection system settings and device configurations, which posed minimal risk to cybersecurity. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal or moderate threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement, and none concealed the violations.
Penalty: $150,000 (aggregate for 19 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")
Issue: URE self-reported, and ReliabilityFirst determined in a compliance audit, violations of CIP-007-1. Specifically, URE failed to perform cybersecurity testing on 75 misclassified Cyber Assets. URE was further in violation of the standard for (1) performing cybersecurity testing in production instead of in an environment representative of its production environment, (2) failing to conduct cybersecurity testing for significant changes on third-party managed devices used to support phone operations (turret servers), and (3) failing to install specific security patches.
Finding: ReliabilityFirst determined that the violation constituted a moderate risk to BPS reliability, as there was an increased risk of negative events occurring in URE's production environment due to its failure to first test significant changes in a test environment. The duration of the violation further increased the risk. However, the risk was mitigated by URE's defense-in-depth strategies, including the ability to monitor, identify and respond to disruptive network events; implementation of current patches and antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore, URE located its Cyber Assets in a facility that controlled and protected access physically and electronically using guards, account management and access control. The risk was further mitigated by URE's stringent change management process, which required in-depth functional testing of significant changes to Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability, and only one posed a serious or substantial risk. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above-and-beyond compliance measures, including the implementation of an improvement program focused on improving its compliance with the CIP standards and its cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.
Penalty: $75,000 (aggregate for 19 violations)
FERC Order: Issued December 23, 2014 (no further review)
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that its testing procedures, which included steps for reviewing ports and services after a significant change in Cyber Assets was made, did not address testing when a security patch was deployed for changes to software, version upgrades or new applications to ensure the changes did not affect existing cybersecurity controls. URE1 also failed to include procedures for testing how significant changes might affect existing cybersecurity controls for malware prevention software, account management and security status monitoring. Lastly, the test procedures did not address how test results should be documented.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as there was an increased risk that untested changes to Cyber Assets could have resulted in cybersecurity control vulnerabilities that could have allowed intrusion into or corruption of CCAs. However, URE1 did verify that only required ports and services were enabled prior to making significant changes to Cyber Assets, and all Cyber Assets were protected by an intrusion prevention system at the ESP and resided behind secure PSPs and ESPs. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit, since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, Issued January 29, 2015, 150 FERC ¶ 61,051
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that support personnel failed to disable, or to document as necessary for normal or emergency operations, hundreds of undefined ports and services that were left open on approximately 15% of its Cyber Assets (including Critical Cyber Assets and non-critical Cyber Assets), as required by URE1's system security management procedures.
Finding: SERC determined that the violation posed a serious or substantial risk to BPS reliability, as URE1's failure to disable unnecessary ports and services on Cyber Assets for years increased the risk that an unauthorized individual could gain access to CCAs and disrupt or hinder URE1's ability to control the areas of the BPS under its control. Weaknesses in URE1's procedures for documenting or justifying ports and services were evident in its failure to remediate the unnecessary ports and services identified in its annual CVA. However, URE1 maintained an intrusion prevention system on its ESP, where the CCAs and non-critical Cyber Assets resided. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit, since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, Issued January 29, 2015, 150 FERC ¶ 61,051
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that it did not review, or sufficiently document the assessment or implementation of, security patches for communication processors, EMS devices, workstations, and servers (Cyber Assets) within its ESP within 30 days of availability, as required.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as there was an increased risk that someone could maliciously gain access to URE1's CCAs or non-critical Cyber Assets through unpatched vulnerabilities and degrade its ability to monitor or control the BPS. However, communications on the communication processors were limited to those originating within URE1's ESP. In addition, a physically secure facility protected the communication processors, a network-based intrusion detection system monitored the EMS devices, and a host-based intrusion detection system was deployed on the workstations. One patch was not assessed for 33 days instead of the required 30 days, and another patch affected seven Cyber Assets. But URE1's Cyber Assets are kept within an ESP and PSP, and the ESP is separate from the enterprise network. Additionally, the EMS has its own Active Directory, which is maintained separately from URE1's enterprise directory. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit, since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, Issued January 29, 2015, 150 FERC ¶ 61,051
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that its procedures for monitoring CCAs to detect attempts to access unauthorized ports and services did not sufficiently support the requirements of CIP-007-1, with the result that URE1 failed to implement adequate processes for monitoring the Cyber Assets within its ESP. In addition, URE1 relied on its system operators' knowledge and experience to identify functional abnormalities within its cybersecurity system instead of proactively reviewing the system as required by the standard.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as URE1's reliance on personnel to identify possible security events or threats increased the risk that someone could infiltrate its CCA and impede URE1's ability to control its portion of the BPS. However, URE1 monitored system performance 24/7 with trained personnel, maintained an intrusion prevention system within its ESP, and all CCA at issue were securely located within an ESP and PSP. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after receipt of a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions, including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R8.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE1 self-reported that its annual CVA review procedures did not contain enough detail to ensure staff reviewed the controls for default accounts. However, URE1's CVA review did sufficiently include procedures for reviewing default accounts, evaluating the results and documenting and tracking remediation plans for any issues discovered. URE1's remediation plans indicated that a scan for default applications, default system accounts, and logins was conducted for two years and indicated that no default accounts were enabled. However, the plans also indicated that URE1 did not scan default user accounts the following year.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as it increased the risk that someone could disrupt URE1's ability to control and operate portions of the BPS through an attack on its CCA via possibly vulnerable default accounts that had not been sufficiently reviewed during an annual CVA. However, all enabled ports and services were reviewed by URE1, and there were documented mitigation plans to remediate any issues discovered during the CVA. Furthermore, PSPs and ESPs protected all of URE1's Cyber Assets, and network- and host-based intrusion detection systems monitored URE1's network. URE1's Cyber Asset security monitoring system confirmed that no unauthorized access or malicious activity took place throughout the duration of the violation. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after receipt of a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions, including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.
Penalty: $120,000 (aggregate for 21 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R5/R5.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC found that URE had a PACS device with a built-in Windows administrator account that URE had failed to disable, remove, or rename.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability, as URE had changed the password at least once (although not annually) after enabling the account, and the event was isolated rather than pervasive. Furthermore, URE maintains a defense-in-depth architecture that protects its systems, including physical and logical cybersecurity controls made up of special locks, closed-circuit television, and logical perimeters. In addition, URE employs firewalls, vulnerability scanning tools, and a security event management system that provide internal cybersecurity controls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, and not a moderate, serious, or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.
Penalty: $120,000 (aggregate for 13 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)
Reliability Standard: CIP-007-1
Requirement: R6/R6.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: WECC
Issue: During a compliance audit, WECC found that URE could not confirm that it was conducting security event monitoring, as required, for a video display board categorized as a CCA.
Finding: WECC determined that the violation posed only a minimal risk to BPS reliability, as the lack of monitoring on the video display board proved to be an isolated event. In addition, URE has a defense-in-depth architecture of physical and logical cybersecurity controls, including physical security mechanisms, special locks, closed-circuit television, and a logical perimeter, and internal cybersecurity controls, including firewalls, vulnerability scanning tools, and a security event management system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, and not a moderate, serious, or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.
Penalty: $120,000 (aggregate for 13 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance audit, SERC determined that URE was unable to show that it tested all new and significant changes to Cyber Assets to verify that they did not negatively affect existing cybersecurity controls. While URE could show that it had performed testing for some significant changes to Cyber Assets and that it had a written process for testing significant and new security-related changes, it was not able to show that all such changes were fully tested.
Finding: SERC found that the violation posed only a minimal, and not a serious or substantial, risk to BPS reliability. While URE did not document all test results, it had conducted some testing on its Cyber Assets. In addition, before implementing a change in production, URE first tested changes to its CCA on a quality assurance system. URE also protected all its CCA using an ESP and PSP and allowed only individuals with valid PRAs to access the CCA. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R2/R2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: During a compliance audit, SERC determined that URE did not ensure that only services required for normal or emergency operations were enabled. On a non-critical Cyber Asset server, services that were set to default installation settings and not required for normal or emergency operations were incorrectly enabled. URE had removed the services on other similar devices.
Finding: SERC found that the violation posed only a minimal, and not a serious or substantial, risk to BPS reliability. URE housed the server within a secure ESP, and the server was a non-critical Cyber Asset with no ability to connect to outside networks or affect the BPS. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that its implementation of its patch management program was insufficient, as 66% of its Cyber Assets within the ESP were not included in the security patch management program documentation. As such, URE failed to apply patches and service packs to the omitted Cyber Assets. In addition, SERC determined during a compliance audit that URE did not assess some security patches for several years instead of assessing them within 30 calendar days of availability as required. For several years, URE also did not have a written patch management assessment process. However, during this time URE did install several security patches.
Finding: SERC determined that the violation posed a serious or substantial risk to BPS reliability, as the lack of a complete list of Cyber Assets or a thorough process for assessing and implementing security patches increased the risk of exposing its Cyber Assets to vulnerabilities that could have led to a cyber-attack. However, all of URE’s Cyber Assets were maintained within a secure ESP and PSP that required authorization for access, and antivirus software was installed and monitored on all Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it did not use preventative antivirus software and other anti-malware tools that would help detect, prevent, deter, and mitigate malware on all of its Cyber Assets within its ESP. The devices on which URE failed to install antivirus or anti-malware software included switches, routers, remote terminal units, and a digital video recorder. While not all of the devices were capable of running the preventative tools, URE also failed to file Technical Feasibility Exceptions (TFEs) for them. In addition, URE self-reported that specific CCA did not have antivirus or anti-malware software installed on them because URE incorrectly assumed that it was included in a monitoring tool that URE had installed on the devices.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as the possibility that someone could install malicious software on URE’s Cyber Assets was increased due to URE’s failure to protect all its Cyber Assets with antivirus and anti-malware software. However, URE did provide some measure of protection by maintaining all Cyber Assets within an ESP. Additionally, URE would have been alerted to any possible security event, as the systems’ security and system logs were routed to a central server that was monitored 24/7. It was later determined that there were no viruses or malware on the systems after URE installed antivirus software and ran a full scan. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R5/R5.2/R5.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it failed to provide or follow controls that would reduce the risk of unauthorized system access, due to its lack of access authentication enforcement and accountability for all user activity. Two of URE’s shared user accounts and several local administrator accounts with no legitimate business requirement were enabled. However, the accounts could not be accessed remotely, and they were primarily used for installing software. In addition, 65% of URE’s passwords did not meet the complexity requirement, as they technically could not accommodate the alpha, numeric, or special character requirement; however, URE also did not file TFEs for them. URE also had no records of which individuals had access to shared accounts on CCA network devices. Furthermore, after installing two Cyber Assets, URE failed to change the default passwords. Lastly, URE found over one hundred passwords on workstations that had expired and had not been changed annually as required. While the workstations had a function that should have triggered a password change after 365 days, the feature only worked after a login attempt. Furthermore, URE’s policies did not enforce changing the passwords annually. However, there was no access to the accounts in question.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as URE’s lack of controls and failure to follow access policies, including password changes, increased the threat of unauthorized access to its CCA and to the security of its ESP. However, all CCA were kept within a secure ESP and PSP, and all users had valid PRAs and cybersecurity training. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)
Reliability Standard: CIP-007-1
Requirement: R6
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC
Issue: URE self-reported that it failed to monitor security events related to Cyber Assets within its ESP due to a lack of automated tools and process controls for monitoring cybersecurity events. Specific servers were not configured to send system logs to a centralized server at URE, and logs of system events related to cybersecurity were neither reviewed nor documented by URE. URE also failed to manually review event logs for two remote terminal units. In addition, three of URE’s Cyber Assets lacked processes for monitoring system events related to cyber security; they neither had nor were capable of generating system event logs, and URE failed to file TFEs for them.
Finding: SERC determined that the violation posed a moderate risk to BPS reliability, as there was an increased risk that URE could lose control of its portion of the BPS and/or that CCA could have been disabled due to undetected security breaches on its Cyber Assets, as a result of URE’s lack of procedures and controls for monitoring cybersecurity events. However, URE did have some protections to mitigate this risk, including maintaining all CCA within an ESP and PSP and restricting access to authorized personnel with valid PRAs and cyber security training. Additionally, upon review, no significant cybersecurity events took place during the course of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after it received notice of an upcoming compliance audit. However, one violation, while self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.
Penalty: $70,000 (aggregate for 12 violations)
FERC Order: Pending
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R1
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not create, effectuate and maintain procedures for cyber security testing of all ESP Cyber Assets (R1.1); did not record that its testing reflects the production environment (R1.5); and did not document the test results as required (R1.2).
Finding: ReliabilityFirst found that the violation posed a serious or substantial risk because inadequate testing of cyber security controls exposed the Cyber Assets to a greater risk of compromise. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to create, effectuate, and maintain the required test procedures for Cyber Assets.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R2.1, R2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE failed to create, record, and effectuate procedures to enable only those ports and services required for operation (and to disable all other ports and services) on Cyber Assets within the ESP and on Cyber Assets that authorize and/or log access to the PSP.
Finding: ReliabilityFirst found that the violation posed a serious or substantial risk because failing to record all listening ports and active services created a greater risk of Cyber Asset compromise. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's completed mitigation plan obliged URE, among other things, to (1) clearly record that only required ports and services are enabled for all Cyber Assets within the ESP and (2) clearly record that non-required ports and services are disabled prior to production use.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R3.2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not effectuate a management program to track, evaluate, test and install cyber security software patches for Cyber Assets within the ESP. URE also did not provide sufficient evidence of its effectuation of software security patches and did not monitor certain sources of software patches.
Finding: ReliabilityFirst found that this was a serious violation because the failure to install software patches made URE vulnerable to outside attack. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE to (1) clearly record the assessments of all security patches and patch sources for Cyber Assets and (2) schedule installation of security patches according to URE policy.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R4.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not use antivirus or malicious software prevention tools on all Cyber Assets within the ESP. Additionally, URE did not record and effectuate the prevention tools and compensating measures to mitigate risk for Cyber Assets that did not or could not have prevention tools installed.
Finding: ReliabilityFirst found that the violation posed a serious or substantial risk because the lack of prevention tools left URE vulnerable to viruses and malware. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) clearly record that prevention tools are used on all Cyber Assets within the ESP and (2) create and effectuate compensating measures for those Cyber Assets that are unable to run prevention tools.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R5.1.2, R5.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE failed to establish, effectuate and record technical and procedural controls that establish access authentication and minimize the risk of unauthorized access. First, URE presented evidence of logging security events, but did not create historical records for individual account access activity. Second, URE did not effectuate a policy to manage and restrict account privileges for Cyber Assets. Third, URE did not identify individuals or roles with shared account access to Cyber Assets and EACM devices. Fourth, URE did not create an audit record of shared account use or procedures for securing the account in the event of personnel changes.
Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because it increased the risk of unauthorized access and decreased URE's ability to detect such access. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) clearly record historical records of individual user account access for Cyber Assets, EACM, and PACS and (2) create and effectuate a policy that manages and restricts account privileges.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R6.1, R6.2, R6.4, R6.5
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that over four years, URE failed to ensure complete use of automated tools or organizational process controls to monitor cyber security events on Cyber Assets. URE did not ensure that all Cyber Assets were monitored for security events. Further, the monitoring systems did not issue automated or manual alerts for ECS. Finally, URE did not present logs for 90 days and did not show that it had reviewed the ECS system event logs.
Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because URE's failure to monitor cyber security events increased the risk that system compromises would go undetected. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk posed by all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) create and effectuate cyber-security event monitoring procedures and (2) ensure monitoring of all ESP access points and Cyber Assets within an ESP for security events.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R7
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not have a formal policy establishing the procedures and methods for the disposal or redeployment of Cyber Assets within the ESP.
Finding: ReliabilityFirst determined that the violation posed a minimal, and not a serious or substantial, risk. Despite the lack of a formal policy and URE's failure to maintain an inventory list, URE was in fact disposing of Cyber Assets appropriately: access to the equipment storage area was controlled, and URE created an inventory list before destroying any items. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) absence of any attempt or intent to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and consent to future ReliabilityFirst spot checks, and (7) consent to on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to create and implement formal policies for the disposal or redeployment of Cyber Assets within the ESP.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R8.1, R8.2, R8.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: During its compliance audit, ReliabilityFirst found that URE did not document its CVA process for one year, did not review its Cyber Assets to ensure that only required ports and services were enabled, and did not review its default account controls.
Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because URE was not adequately informed of the vulnerabilities of its Cyber Assets and ESP access points, which left URE exposed to increased risk. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) absence of any attempt or intent to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and consent to future ReliabilityFirst spot checks, and (7) consent to on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) ensure that the annual CVA covers all Cyber Assets within the ESP, EACMs, PACs and access points and confirms that only required ports and services are enabled, and (2) clearly document a review of default account controls and ensure that the annual CVA reviews default account controls as well as ports, services and access points.
Penalty: $150,000 (aggregate for 18 violations)
FERC Order: Issued May 29, 2015 (no further review)
Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: URE1 and URE2 self-reported that their Cyber Vulnerability Assessments identified issues with enabled ports and services. Both UREs found that some of their Cyber Assets had non-essential ports and services enabled and that other Cyber Assets were not properly documented. ReliabilityFirst found that URE1 and URE2 had not implemented a process to ensure that only the ports and services required for operations were enabled.
Finding: ReliabilityFirst found that the violation posed a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was increased because a significant number of Cyber Assets were affected for an extended period of time. However, defensive measures in the UREs' networks, such as intrusion prevention, lowered the risk from external threats. Furthermore, both UREs mitigated the violations through improvements to their compliance programs. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that, among the UREs subject to the settlement agreement, individual UREs had (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had been fully sanctioned for those violations in a FERC-approved settlement. URE1's and URE2's mitigation plans obliged the UREs to evaluate their ports and services procedures and revise them to improve their effectiveness and efficiency.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement, which took effect on May 29, 2015.
Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R3
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: URE1 and URE2 self-reported that they did not meet their self-imposed 30-day deadline for documenting patch implementation plans for two CCA servers. ReliabilityFirst found that URE1 and URE2 could not show that their patch management program had been implemented for the two CCAs.
Finding: ReliabilityFirst found that the violation posed a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violations was decreased because only two devices were affected, as a result of human error. Further, there was no evidence of a systemic failure in patch implementation or of further CIP-007 R3 violations. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that, among the UREs subject to the settlement agreement, individual UREs had (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had been fully sanctioned for those violations in a FERC-approved settlement. URE1's and URE2's mitigation plans obliged the UREs, among other things, to develop internal controls to monitor patch implementation against the self-imposed 30-day deadline.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement, which took effect on May 29, 2015.
Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R5.2.1
Violation Risk Factor: Medium
Violation Severity Level: High
Region: ReliabilityFirst
Issue: URE1 self-reported that, because of faulty records, it had failed to rename several EACM accounts and one default administrative account on its Cyber Assets. ReliabilityFirst found that URE1 had not implemented a policy to minimize and manage the scope and acceptable use of account privileges.
Finding: ReliabilityFirst found that the violation posed a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the affected Cyber Assets were located behind firewalls within the ESP. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that, among the UREs subject to the settlement agreement, individual UREs had (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had been fully sanctioned for those violations in a FERC-approved settlement. URE1's mitigation plan obliged URE1, among other things, to implement procedures for renaming administrator accounts on the affected devices.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement, which took effect on May 29, 2015.
Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)
Reliability Standard: CIP-007-1
Requirement: R5.3.3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: URE1 and URE2 self-reported that the passwords on several local server accounts had not been changed annually because the accounts were not recorded in the password management system.
Finding: ReliabilityFirst found that the violation posed a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the affected Cyber Assets were located behind firewalls in an ESP and an authenticated login was still required to access the systems. Furthermore, both UREs had significantly improved their internal controls so as to identify such issues promptly in the future. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that, among the UREs subject to the settlement agreement, individual UREs had (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had been fully sanctioned for those violations in a FERC-approved settlement. The UREs' mitigation plans obliged the UREs, among other things, to create a report verifying that password changes had been made.
Penalty: $0 (aggregate for 22 violations)
FERC Order: The NERC did not further review the settlement, which took effect on May 29, 2015.
NP19-16-000: Unidentified Registered Entity
Region: WECC
NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date |
---|---|---|---|---|---|---|
WECC2018019480 | CIP-007-1 | R2 | Medium/Severe | Self-Report | 7/22/2009 | 3/31/2017 |
WECC2017017880 | CIP-007-1 | R3 | Lower/Severe | Self-Report | 7/22/2009 | 9/5/2017 |
WECC2017017881 | CIP-007-1 | R5 | Medium/Severe | Self-Report | 7/22/2009 | 11/4/2016 |
WECC2017017882 | CIP-007-1 | R6 | Medium/Severe | Self-Report | 7/22/2009 | 7/31/2017 |
WECC2018019481 | CIP-007-1 | R8 | Medium/Severe | Self-Report | 7/22/2009 | 6/16/2017 |
WECC2017017883 | CIP-010-2 | R1 | Medium/High | Self-Report | 7/1/2016 | 3/31/2017 |
WECC2017017884 | CIP-010-2 | R2 | Medium/Severe | Self-Report | 8/5/2016 | 6/28/2017 |
Issue: CIP-007-1 R2
WECC determined that the Entity failed to ensure that only those ports and services of its CCAs required for normal and emergency operations were enabled.
WECC determined that this violation posed a serious and substantial risk to the reliability of the bulk power system (BPS).
CIP-007-1 R3
WECC determined that the Entity failed to establish and document, either separately or as a component of the documented configuration management process specified in CIP-003 R6, a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the ESP.
WECC determined that this violation posed a serious and substantial risk to the reliability of the BPS.
CIP-007-1 R5
The Entity failed to establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
WECC determined that this violation posed a serious and substantial risk to the reliability of the BPS.
CIP-007-1 R6
The Entity failed to ensure that all Cyber Assets within the ESP, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
WECC determined this violation posed a serious and substantial risk to the reliability of the BPS.
CIP-007-1 R8
The Entity failed to perform a Cyber Vulnerability Assessment (CVA) of all Cyber Assets within the ESP, at least annually.
WECC determined that this violation posed a moderate risk to the reliability of the BPS.
CIP-010-2 R1
The Entity failed to develop a baseline configuration for the systems, individually or by group. WECC determined that this violation posed a serious and substantial risk to the reliability of the BPS.
CIP-010-2 R2
The Entity failed to monitor for changes to the baseline configuration of the system once every 35 calendar days. WECC determined that this violation posed a serious and substantial risk to the reliability of the BPS.
Finding: All violations
WECC considered the Entity's compliance history an aggravating factor in determining the penalty. The Entity has prior violations of CIP-007 R2, R3, R5, R6, and R8 and, relevant to the CIP-010-2 R1 and R2 violations, of CIP-010 R1. One violation (CIP-007-1 R8) posed a moderate risk and all other violations posed a serious risk to the reliability of the BPS. WECC determined that the root cause of the violations was insufficient procedures and documentation tools used to satisfy the separate protections of the CIP Reliability Standards.
Penalty: $2,100,000
FERC Order: Issued August 29, 2019
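The CIP-010-2 R1/R2 and CIP-007-1 R2 findings above all come down to the same control: a documented baseline per Cyber Asset (OS, installed software, open ports and services, applied patches), compared against the live system at least once every 35 calendar days, with unexpected listening ports flagged against an approved list. The script below is an added illustration written for this page, not code from the filing or from any registered entity. The baseline and "current" snapshot are constructed sample data standing in for what a collector would gather from a host; the asset name, package names and patch identifiers are placeholders.

```python
"""Baseline-configuration drift check in the spirit of CIP-010 R1/R2 and
CIP-007 R2 (ports and services).  Added example for this page; the snapshot
data below is constructed, not taken from any real asset or filing."""
from datetime import date
from typing import Dict, Set

# Baseline categories CIP-010 R1 asks for (custom software omitted here).
CATEGORIES = ("os", "software", "ports", "patches")

Snapshot = Dict[str, Set[str]]


def make_snapshot(os_ver: str, software, ports, patches) -> Snapshot:
    """Normalise collector output into a per-category set for comparison."""
    return {"os": {os_ver}, "software": set(software),
            "ports": set(ports), "patches": set(patches)}


# Constructed baseline for a hypothetical EMS front-end processor.
BASELINE: Snapshot = make_snapshot(
    "RHEL 7.4",
    ["openssh-server 7.4p1", "ntp 4.2.6", "ems-fep 3.1"],
    ["22/tcp", "123/udp", "2404/tcp"],          # ssh, ntp, IEC 60870-5-104
    ["patch-2017-001"],
)

# Constructed "current" snapshot showing drift: an FTP daemon was installed
# and is listening, and a patch was applied without updating the baseline.
CURRENT: Snapshot = make_snapshot(
    "RHEL 7.4",
    ["openssh-server 7.4p1", "ntp 4.2.6", "ems-fep 3.1", "vsftpd 3.0.2"],
    ["22/tcp", "123/udp", "2404/tcp", "21/tcp"],
    ["patch-2017-001", "patch-2017-002"],
)

# Ports/services justified as required for normal and emergency operation.
APPROVED_PORTS: Set[str] = {"22/tcp", "123/udp", "2404/tcp"}


def diff_baseline(baseline: Snapshot, current: Snapshot) -> Dict[str, Dict[str, Set[str]]]:
    """Per-category added/removed items.  An empty dict means no drift."""
    drift: Dict[str, Dict[str, Set[str]]] = {}
    for cat in CATEGORIES:
        added = current.get(cat, set()) - baseline.get(cat, set())
        removed = baseline.get(cat, set()) - current.get(cat, set())
        if added or removed:
            drift[cat] = {"added": added, "removed": removed}
    return drift


def unapproved_ports(current: Snapshot, approved: Set[str]) -> Set[str]:
    """Listening ports with no documented operational justification (R2)."""
    return current.get("ports", set()) - approved


def review_overdue(last_review: date, today: date, max_days: int = 35) -> bool:
    """CIP-010 R2 Part 2.1: the comparison must run at least every 35 days."""
    return (today - last_review).days > max_days


def accept_changes(baseline: Snapshot, current: Snapshot) -> Snapshot:
    """After a change has been authorised and tested (R1 Parts 1.2-1.5),
    the current state becomes the new documented baseline."""
    return {cat: set(current.get(cat, set())) for cat in CATEGORIES}


if __name__ == "__main__":
    for cat, change in diff_baseline(BASELINE, CURRENT).items():
        print(f"{cat}: +{sorted(change['added'])} -{sorted(change['removed'])}")
    print("unapproved ports:", sorted(unapproved_ports(CURRENT, APPROVED_PORTS)))
    print("review overdue:", review_overdue(date(2017, 1, 1), date(2017, 2, 6)))
```

Run against real hosts, the snapshot builder would be fed by the platform's own tooling (a package manager listing, a socket listing, the patch database) and the baseline stored under change control; the point of the comparison is that every difference is either an authorised change that updates the baseline or an investigation item, never silently ignored.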