Unidentified Registered Entity 2 (SERC_URE2), FERC Docket No. NP18-25-000 (August 30, 2018)
NERC Violation ID: SERC2017018380
Reliability Standard: CIP-010-2
Requirement: R1, P1.4
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC Reliability Corporation (SERC)
Issue: SERC_URE2 failed to realize that mandatory cyber controls could be impacted by a change that deviated from the baseline configuration. Following the change, SERC_URE2 also failed to verify that required cyber security controls were not adversely affected. SERC_URE2 submitted a Self-Report stating the violation was the result of the failure of an information security specialist to determine what CIP security controls could have been impacted before initiating a change that deviated from the baseline configuration for Electronic Access Control and/or Monitoring System servers that provided network authentication services to all CIP networks of SERC_URE2’s parent company. Through interviews and observations, SERC_URE2 conducted an investigation into the matter and determined that the personnel responsible for patching the domain servers relied on prior experience to assume that patching changes would not impact existing cyber security controls, and subsequently, the personnel failed to both document the changes and to verify that no security controls had been affected. SERC_URE2 identified the root causes of the violation to be a lack of comprehensive work procedures and checklists, exacerbated by a lack of management oversight and appropriate internal controls. Further, SERC_URE2 used different cyber security control testing procedures for patching all other assets.
Finding: SERC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By its failure to document the security controls that could be impacted, SERC_URE2 could have permitted changes to be made, resulting in unforeseen impacts to its security controls. This violation involved a two-person team responsible for patching the specific domain servers. The domain servers did not provide access to any critical applications and only provided network authentication. The duration of the violation started when the Standard became mandatory and enforceable on SERC_URE2 and ended when SERC_URE2 completed training and updated its procedures. SERC considered SERC_URE2’s internal compliance program as a mitigating factor, and the compliance history of SERC_URE2 and its affiliate to be an aggravating factor. To mitigate the violation, SERC_URE2, among other steps, executed cyber security controls validation, improved domain controller procedures, and implemented and trained employees on a central services compliance checklist.
Penalty: $220,000
FERC Order: Issued August 30, 2018 (no further review)
Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)
NERC Violation ID: NPCC2018019845
Reliability Standard: CIP-010-2
Requirement: R3
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Northeast Power Coordinating Council, Inc. (NPCC)
Issue: A compliance audit revealed that an unidentified entity failed to document the planned completion date or the status of its 2018 Cyber Vulnerability Assessment (CVA). The root causes of this violation was the lack of regular review by the entity and an undue reliance on a single person, who at the time of the audit, was responsible for the overseeing the vulnerability assessments.
Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. By allowing vulnerabilities to go unmitigated, an attacker could take advantage of technical flaws and configuration errors and ultimately gain control of one Medium Impact Bulk Electric System Cyber System. The duration of the violation started on July 1, 2016 when the entity failed to document the planned completion date and/or the status of the CVA findings and ended on June 6, 2018 when the entity documented the completion date and/or the status of the CVA findings. NPCC reviewed the entity’s internal compliance program and considered it to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity updated its mitigation plans before the audit was complete and initiated a process to review vulnerability assessment action plans quarterly with additional staffing.
Penalty: $84,000
FERC Order: October 31, 2019
Unidentified Registered Entity 1 (MRO_URE1), FERC Docket No. NP19-17-00 (August 29, 2019)
NERC Violation ID: MRO2017018150
Reliability Standard: CIP-010-2
Requirement: R1.1.2
Violation Risk Factor: Medium
Violation Severity Level: Lower
Region: Midwest Reliability Organization (MRO)
Issue: A compliance audit and a subsequent condition analysis identified multiple Cyber Assets that did not have baselines that had all installed commercially available software. On two devices, an unidentified entity did not include the software on the document baseline, and although it would typically document its baselines in either its baseline tool or patch management system, the entity did not sufficiently or specifically identify the software for numerous devices. The references in the patch management system were not specific enough to identify the unique or incremental software version that was installed on each Cyber Asset. As a result of the insufficient details, the entity did not detect the noncompliance during its vulnerability assessment. The root cause of the noncompliance was the entity’s deficient process for developing baselines and detecting errors or omissions.
Finding: MRO found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. For almost all of the affected Cyber Assets, the noncompliance was limited to a lack of sufficient detail regarding the software, rather than an omission of the software. Furthermore, the entity’s software change process and change form reduced the risk of an inadvertent or unapproved change. Additionally, the software was also well managed by the entity’s Subject Matter Experts, which reduced the risk of an unexpected change to the software. As a result, no harm is known to have occurred. he duration of the violation was from July 1, 2016 when the reliability standard became mandatory and enforceable and ended on May 11, 2018 when the entity updated the existing baselines to include all intentionally installed software. MRO considered the scope of the noncompliance and the discovery method to be an aggravating factor in the disposition. MRO determined that the noncompliance did not warrant a financial penalty given the minimal impact of the noncompliance upon the BPS. Additionally, MRO considered the entity’s compliance history and determined there were no relevant issues of noncompliance. To mitigate the violation, the entity conducted an extent of condition analysis, corrected baselines, improved the process to identify any commercially available software, and validated the new process of identifying any commercially available or intentionally installed software.
Penalty: $0
FERC Order: August 29, 2019 (no further review)
Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)
NERC Violation ID: WECC2017016926
Reliability Standard: CIP-010-2
Requirement: R1; P1.1.1, P1.1.2, P1.1.4, P1.1.5
Violation Risk Factor: Medium
Violation Severity Level: High
Region: Western Electricity Coordinating Council (WECC)
Issue: An unidentified entity submitted a Self-Report that it was in violation of the Reliability Standard. On August 4, 2016, during its first performance of a bookend review of baseline configurations, subject matter experts became concerned that some baseline elements might be missing from some Cyber Asset baseline configuration details. At the time, the entity believed it may or may not have complete baseline configuration captured for only a few Cyber Assets since port scanning could not be accomplished due to connectivity problems between its configuration monitoring tool and the Cyber Assets. However, to examine the scope of the issue and to perform the necessary due diligence, on August 25, 2016, each Cyber Asset in its Cyber Asset inventory to ensure that all required and applicable baseline elements were captured for each applicable Cyber Asset. The root cause of the violation was inadequate procedures. While the entity had a procedure to meet objectives of the Requirements, the procedure did not contain complete and accurate information to meet these objectives. Additionally, the entity had no procedure in place to address configuration and communication issues with the Security Information and Event Management.
Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity did not implement controls to prevent this violation from occurring, it did employ defective controls that identified the violation and employed multiple monitoring systems and methods to log, detect, and alert on the overall health of the affected Cyber Assets. The violation began on July 1, 2016 when the Standard and Requirement became mandatory and enforceable and ended on May 1, 2017 when baseline configurations were developed and captured for the Cyber Assets in scope. WECC considered the entity’s internal compliance program to be a mitigating factor and the entity’s compliance history to be an aggravating factor in the penalty determination. While the entity received mitigating credit for admitting to the violation, it did not receive mitigating credit for self-reporting. WECC applied mitigating credit for improvements that the entity was making on its system. These improvements include a System-Wide Transmission Protection Standardization and Upgrade Project, which was not undertaken as a result of a mitigation plan, but rather was the result of the entity’s systematic post-event root cause analysis and corrective action planning program. To mitigate the violation, the entity, among other things, collected the number and names of devices missing baseline elements and completed baseline configurations on the Cyber Assets in scope, documented a process to capture cyber security controls on all new Cyber Assets and/or new device types at Transmission facilities, upgraded applicable configuration monitoring tool device profilers to compatible firmware versions, provided training, and updated baseline reports to include only the required information.
Penalty: $74,000
FERC Order: July 31, 2019 (no further review)
Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)
NERC Violation ID: WECC2017016929
Reliability Standard: CIP-010-2
Requirement: R2; P2.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: Western Electricity Coordinating Council (WECC)
Issue: An unidentified entity submitted a February 3, 2017 Self-Report that it is was in violation of the Reliability Standard. On November 1, 2016, the entity’s subject matter experts (SMEs) discovered a misconfiguration with its configuration monitoring tool used to monitor the entity’s Cyber Asset baseline configurations, which caused an Electronic Access Control and Monitoring Systems associated with the High Impact Bulk Electric System Cyber Systems not to have its baseline configuration monitored from August 6, 2016 to November 1, 2016. During the entity’s investigation, it discovered additional Cyber Assets whose baseline configurations from August 6, 2016 to January 26, 2017 were not being monitored at least once every thirty-five days. The root cause of the violation was inadequate procedures.
Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to monitor for changes to the baseline configuration, as well as document and investigate detected unauthorized changes, the entity implemented strong controls that included an asset management system. The violation began on August 6, 2016 when changes to baseline configurations were not being monitored and ended on May 11, 2017, when monitoring of changes to baseline configurations commenced on the Cyber Assets in scope. WECC considered the entity’s internal compliance program to be a mitigating factor, and the entity’s compliance history to be an aggravating factor in the penalty determination. While the entity received mitigating credit for admitting to the violation, it did not receive mitigating credit for self-reporting. WECC applied mitigating credit for improvements that the entity was making on its system. These improvements included a System-Wide Transmission Protection Standardization and Upgrade Project, which was not undertaken as a result of a mitigation plan, but rather was the result of the entity’s systematic post-event root cause analysis and corrective action planning program. To mitigate the violation, the entity, among other things, worked with its Security Information and Event Management vendor to develop and implement a solution that tracks the number of days since an asset was last monitored, implemented new configuration monitoring tool rules, policy tests, and reports, upgraded applicable configuration monitoring tool device profilers to compatible firmware versions, and provided training.
Penalty: $74,000
FERC Order: July 31, 2019 (no further review)
Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)
NERC Violation ID: WECC2017017208
Reliability Standard: CIP-010-2
Requirement: R1; P1.1, 1.2, 1.3, and 1.4
Violation Risk Factor: Medium
Violation Severity Level: High
Region: Western Electricity Coordinating Council (WECC)
Issue: During a Compliance Audit, WECC determined that an unidentified entity was in violation of the Reliability Standard. The entity failed to include unidentified items in its baseline configurations for unidentified entities which were classified as Protected Cyber Assets, one Physical Access Control Systems (PACS) sever, one supervisory control and data acquisition (SCADA), a Bulk Electric System (BES) Cyber Asset, Electronic Access Control or Monitoring Systems (EACMS), all associated with its Medium Impact Bulk Electric Cyber System (MIBCS). WECC auditors also identified a PACS server that had a security patch update installed after the mandatory and enforceable date of July 1, 2016, that was not included on the device’s baseline configuration. The entity was also not able to provide evidence that any of the required change management activities had been performed during an installation on January 30, 2017. The installation of this software would have caused a deviation from the device’s baseline configuration. The root cause of the violation was the entity not following the documented process.
Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Because the entity failed to maintain baseline configurations to include logical network accessible ports and security patches applied to assets and failed to perform required change management activities for BES Cyber Assets, EACMS, and PACS, such failure could result in a lack of protective measures for those ports due to not knowing which ports were accessible, which could lead to cyber security vulnerabilities in those network devices. However, even though the entity did not implement internal controls, because it was a small municipal power company, WECC determined that the likelihood of the potential harm occurring was low. The violation began on July 1, 2016 when the Reliability Standard became mandatory and enforceable and ended on May 31, 2017 when baseline configurations were updated. WECC noted that the entity did not have defective controls in place that could have helped identify the issues sooner and to lessen the violation duration and noted that had there not been a Compliance Audit, the violation duration would have been longer due to the lack of controls. Based on this, WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity’s internal compliance program to be a neutral factor and found that there were no relevant instances of noncompliance after it reviewed the entity’s compliance history. To mitigate the violation, the entity, among other things, updated its baseline configurations for the devices in scope, updated its Change of Control and Configuration Management Procedure, held a meeting to discuss the changes to the procedure, included baseline changes as a standing item for discussion and reinforcement at monthly CIP compliance meetings and will review all baselines, on an annual basis at the minimum, to ensure that they are accurate and up to date.
Penalty: $0
FERC Order: March 28, 2019 (no further review)
Registered Entity (Name Redacted), FERC Docket No. NP20-7-000
Reliability Standard: CIP-010-2
Requirement: R2
Violation ID: RFC2017017060
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: An entity self-reported its violation of CIP-010-2 R2. The entity had a documented program permitting the use of baseline configurations by device type/group for purposes of management activities required by CIP-010-R1. The entity’s personnel had improperly applied the same approach for monitoring baselines changes under CIP-010-2 R2. In other words, they incorrectly assumed that monitoring one device within a device type or group would be representative of all devices within that type or group, which is not permitted by CIP-010-2 R2. Due to this error, as changes were made to individual devices within a group, the entity did not identify or update the baseline to reflect these changes across all devices within a device type.
Finding: ReliabilityFirst found that this violation posed a moderate and not a serious/substantial risk to the Bulk Power System’s (BPS) reliability. Not monitoring baselines has the potential to affect the reliability of the BPS by reducing the entity’s ability to identify unauthorized activity, changes, or vulnerabilities and by introducing system instability when making changes to assets. The entity’s inadequate monitoring caused issues with maintaining adequate baselines, authorizing changes, and not having justifications for open ports, each of which carries distinct risks.
Having said that, ReliabilityFirst did not consider the risk to be serious and substantial since (a) the entity detected these issues within four months from the effective date of the CIP version 5 standards; (b) it had other stringent defense-in-depth measures in place to control access and communications and otherwise protect and secure the devices at issue; and (c) although the entity discovered some discrepancies in its baselines, it was performing limited baseline management, which reduced the risk that it would make decisions or take action based on incorrect or outdated information. In addition, the entity was performing reliability testing and security event monitoring on all the devices during the time period in question, which included logging and alerting events.
To mitigate this violation, the entity took numerous measures, including, inter alia, (a) changing management training of change management tool and compliance change management requirements to entity IT; (b) investigating and documenting port ranges in baseline documentation and systems for all entity IT devices requiring baselines or port and service justification; (c) completing an analysis of actual software vs. required software and undertaking an inventory of potential removals; (d) replacing documentation that describes the promotion or baselines as it relates to change management and to maintain consistency with the NERC CIP asset directory; and (e) conducted a quality review and sampling of changes and ongoing performance (baseline updates, authorizations, baseline monitoring).
ReliabilityFirst considered the entity’s strong internal compliance program to be a mitigating factor in its penalty determination. Additionally, it also took into account that 90% of the non-compliance had been self-reported. ReliabilityFirst also determined that the entity’s compliance history should not serve as a basis for aggravating the penalty because the entity’s prior noncompliance was the result of a different root cause.
Duration of Violation: The violation commenced on July 1, 2016 (when the standard became mandatory and enforceable) and ended on August 1, 2017 (once the entity corrected its non-compliance).
Penalty: $50,000
FERC Order: Issued February 28, 2020 (no further review)
Registered Entity (Name Redacted), FERC Docket No. NP20-2-000
Please search for this docket no. here ››
Registered Entity (Name Redacted), FERC Docket No. NP20-15-000
Please search for this docket no. here ››
Unidentified Registered Entity 2 (SERC_URE2) and Unidentified Registered Entity 3 (SERC_URE3), FERC Docket No. NP18-25-000
Please search for this docket no. here ››
Registered Entity (Name Redacted), FERC Docket No. NP19-9-000
Please search for this docket no. here ››
Registered Entity (Name Redacted), FERC Docket No. NP19-10-000
Please search for this docket no. here ››
NP19-4-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP20-12-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP19-11-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP18-6-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP20-6-000: Unidentified Registered Entity 2 (URE-2)
Method of Discovery: Self-Report
Violation ID: WECC2019021165
Standard: CIP-010-2
Requirement: R1 (1.4.1, 1.4.2, 1.4.3, 1.5.1, 1.5.2)
VRF: Medium
VSL: Severe
Issue: Several Bulk Electric System (BES) Cyber Assets (BCAs) associated with URE-2's High Impact BES Cyber Systems (HIBCS) located at the primary and backup Controls Centers that had software removed and interfaces turned off because the BCAs were scheduled to be decommissioned. The software, which was part of the interface, was sending false errors to the software vendor through a different connection than the interface, resulting in the software vendor calling the entity and initiating the software removal to solve the false error reporting. The BCAs were then turned on, at which time the software removal occurred without the entity first determining the required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change or verifying that any identified cyber security controls were not adversely affected, once the change had taken place; nor documenting any results as required.
Finding: WECC determined this issue posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). In this instance, for a change that deviated from an existing baseline configuration related to BCAs, the entity failed to determine required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change; verify those identified controls were not adversely affected; and document the results of the verification as required, as well as failed to test in a production or test environment and document the results prior to implementing the change as required. Such failure could have caused the BCA interfaces to become inoperable and affect traffic that was being sent from one BCA to another, which could potentially affect the reliability of the BPS. However, in this instance the interfaces on the BCA were turned off and not capable of sending data between servers; therefore, the potential harm was lessened. The entity had implemented good detective controls in the form of a daily delta report for baseline configuration changes which is how this issue was discovered. Lastly, WECC confirmed the root cause of this violation was an isolated incident and not condoned by the entity's management, which lessens the likelihood of a future issue. No harm is known to have occurred.
Duration: 14-25 February 2019
Penalty: $0
FERC Order: Issued December 30, 2019 (no further review)
NP20-6-000: Unidentified Registered Entity 1 (URE-1)
Please search for this docket no. here ››
NP20-6-000: Unidentified Registered Entity 3 (URE-3)
Please search for this docket no. here ››
NP20-20-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP19-16-000: Unidentified Registered Entity
Please search for this docket no. here ››
NP18-25-000: Unidentified Registered Entity 2 (WECC_URE2)
Region: WECC
NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date |
---|---|---|---|---|---|---|
WECC2017017928 | CIP-010-2 | R1 | Medium/Moderate | Compliance Audit | N/A | N/A |
WECC2017017930 | CIP-010-2 | R2 | Medium/Severe | Compliance Audit | N/A | N/A |
Issue: CIP-010-2 R1
During a Compliance Audit, WECC determined that WECC_URE2 was in violation of CIP-010-2 R1 Parts 1.1.1. and 1.1.4.
Specifically, regarding CIP-010-2 R1 Part 1.1.1., WECC_URE2 failed to provide evidence demonstrating that it had developed a baseline configuration on one Electronic Access Control or Monitoring Systems (EACMS) associated with a High Impact BES Cyber System (HIBCS) that was decommissioned, after which time baseline evidence was no longer available. Operationally, WECC_URE2 used a real-time security application to actively monitor baseline configurations for the EACMS, BES Cyber Asset (BCA), and Protected Cyber Assets (PCAs) in scope. The monitoring application included an automatic process, then unrecognized by WECC_URE2, to purge data after 90 days for any device to which it was no longer connected. As a result, 90 days after the devices in scope were decommissioned and disconnected from the monitoring application, WECC_URE2 lost its administrative records documenting automatic baseline reviews for these devices.
The root cause for both instances of this violation was a less than adequate process--specifically, for appropriately retaining compliance evidence for decommissioned devices and documenting what ports to scan for complete baseline configurations for its PACS.
WECC determined that both instances of this violation began when the Standard and Requirement became mandatory and enforceable on WECC_URE2.
The first instance ended when WECC_URE2 decommissioned the device, and the second instance ended when WECC_URE2 developed complete baseline configurations for the PACS in scope, for a total of approximately 90 days and 530 days of noncompliance, respectively.
CIP-010-2 R2
During a Compliance Audit, WECC determined that WECC_URE2 was in violation of CIP-010-2 R2 Part 2.1. After reviewing all relevant information, WECC determined that WECC_URE2 failed to monitor at least once every 35 calendar days for changes to the baseline configuration for less than 30 devices, and failed to retain evidence of compliance for less than 10 devices, all associated with its HIBCS, per CIP-010-2 R2 Part 2.1.
The root cause of the violation was a lack of internal controls to ensure that manual processes were followed, and a lack of process on how to appropriately retain compliance evidence for decommissioned devices.
WECC determined that the first six instances began when the monitoring should have occurred, and ended when monitoring was completed, for a total of approximately five days of noncompliance in each instance.
WECC determined that the decommissioned assets violation began when the Standard and Requirement became mandatory and enforceable on WECC_URE2, and ended when WECC_URE2 decommissioned the assets in scope, for a total of approximately 90 days of noncompliance.
Finding: CIP-010-2 R1
This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the Bulk Power System (BPS). Specifically, WECC_URE2 failed to provide evidence and completeness of baseline configurations for two instances related to EACMS and PACS associated with WECC_URE2's HIBCS. Such failure could lead to unauthorized network device access, which could potentially cause instability, disruption, or complete Electronic Security Perimeter (ESP) network communication outage. Additionally, undocumented ports and services could lead to unauthorized privileged access to the vulnerable systems; thereby potentially providing a malicious actor with the ability to add, change, or remove user physical access rights to allow unauthorized personnel into critical BES operational areas.
CIP-010-2 R2
This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the BPS. Specifically, in these instances, WECC_URE2 failed to monitor at least once every 35 calendar days for changes to the baseline configurations and maintain evidence that it had done so. Such failure could potentially result in allowing a malicious actor to change a device's configuration without WECC_URE2's awareness in order to gain access to other Cyber Assets and possibly affect generation or limit visibility into WECC_URE2's operations which could impact the BPS.
However, WECC_URE2 implemented strong detective controls by utilizing an automated baseline configuration monitoring tool on applicable assets. However, WECC_URE2 did not implement controls to prevent this violation from occurring. Based on this, WECC determined that the potential harm had a moderate likelihood of occurring.
Penalty: $45,000
FERC Order: Issued March 29, 2018
NP18-25-000: Unidentified Registered Entity 2 (WECC_URE2)
Region: WECC
NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date |
---|---|---|---|---|---|---|
WECC2017017928 | CIP-010-2 | R1 | Medium/Moderate | Compliance Audit | N/A | N/A |
WECC2017017930 | CIP-010-2 | R2 | Medium/Severe | Compliance Audit | N/A | N/A |
Issue: CIP-010-2 R1
During a Compliance Audit, WECC determined that WECC_URE2 was in violation of CIP-010-2 R1 Parts 1.1.1. and 1.1.4.
Specifically, regarding CIP-010-2 R1 Part 1.1.1., WECC_URE2 failed to provide evidence demonstrating that it had developed a baseline configuration on one Electronic Access Control or Monitoring Systems (EACMS) associated with a High Impact BES Cyber System (HIBCS) that was decommissioned, after which time baseline evidence was no longer available. Operationally, WECC_URE2 used a real-time security application to actively monitor baseline configurations for the EACMS, BES Cyber Asset (BCA), and Protected Cyber Assets (PCAs) in scope. The monitoring application included an automatic process, then unrecognized by WECC_URE2, to purge data after 90 days for any device to which it was no longer connected. As a result, 90 days after the devices in scope were decommissioned and disconnected from the monitoring application, WECC_URE2 lost its administrative records documenting automatic baseline reviews for these devices.
The root cause for both instances of this violation was a less than adequate process--specifically, for appropriately retaining compliance evidence for decommissioned devices and documenting what ports to scan for complete baseline configurations for its PACS.
WECC determined that both instances of this violation began when the Standard and Requirement became mandatory and enforceable on WECC_URE2.
The first instance ended when WECC_URE2 decommissioned the device, and the second instance ended when WECC_URE2 developed complete baseline configurations for the PACS in scope, for a total of approximately 90 days and 530 days of noncompliance, respectively.
CIP-010-2 R2
During a Compliance Audit, WECC determined that WECC_URE2 was in violation of CIP-010-2 R2 Part 2.1. After reviewing all relevant information, WECC determined that WECC_URE2 failed to monitor at least once every 35 calendar days for changes to the baseline configuration for less than 30 devices, and failed to retain evidence of compliance for less than 10 devices, all associated with its HIBCS, per CIP-010-2 R2 Part 2.1.
The root cause of the violation was a lack of internal controls to ensure that manual processes were followed, and a lack of process on how to appropriately retain compliance evidence for decommissioned devices.
WECC determined that the first six instances began when the monitoring should have occurred, and ended when monitoring was completed, for a total of approximately five days of noncompliance in each instance.
WECC determined that the decommissioned assets violation began when the Standard and Requirement became mandatory and enforceable on WECC_URE2, and ended when WECC_URE2 decommissioned the assets in scope, for a total of approximately 90 days of noncompliance.
Finding: CIP-010-2 R1
This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the Bulk Power System (BPS). Specifically, WECC_URE2 failed to provide evidence and completeness of baseline configurations for two instances related to EACMS and PACS associated with WECC_URE2's HIBCS. Such failure could lead to unauthorized network device access, which could potentially cause instability, disruption, or complete Electronic Security Perimeter (ESP) network communication outage. Additionally, undocumented ports and services could lead to unauthorized privileged access to the vulnerable systems; thereby potentially providing a malicious actor with the ability to add, change, or remove user physical access rights to allow unauthorized personnel into critical BES operational areas.
CIP-010-2 R2
This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the BPS. Specifically, in these instances, WECC_URE2 failed to monitor at least once every 35 calendar days for changes to the baseline configurations and maintain evidence that it had done so. Such failure could potentially result in allowing a malicious actor to change a device's configuration without WECC_URE2's awareness in order to gain access to other Cyber Assets and possibly affect generation or limit visibility into WECC_URE2's operations which could impact the BPS.
However, WECC_URE2 implemented strong detective controls by utilizing an automated baseline configuration monitoring tool on applicable assets. However, WECC_URE2 did not implement controls to prevent this violation from occurring. Based on this, WECC determined that the potential harm had a moderate likelihood of occurring.
Penalty: $45,000
FERC Order: Issued August 29, 2019