NERC Case Notes: Reliability Standard CIP-002-3


Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-002-3

Requirement: R3.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it had omitted certain assets (85 Cyber Assets that use a routable protocol within a control center) from its list of Critical Cyber Assets (CCAs) essential to the operation of Critical Assets, even though those assets should have been included.

Finding: RFC found that the CIP-002-3 violation constituted only a minimal risk to BPS reliability. URE also maintained a broader list of CCAs that included all of the required assets within the ESP. Because URE relied on this broader list (rather than the more restricted list provided to RFC), it was still providing full protection to all of its CCAs. In approving the settlement agreement, the NERC BOTCC considered certain of URE's violations to be evidence of broader deficiencies in URE's compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE's first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-002-3

Requirement: R1; R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC discovered a violation of R1 when it found that URE's Critical Asset identification methodology (Methodology) lacked a risk-based assessment component: it did not identify the specific factors the company's subject matter experts (SMEs) used when applying the Methodology's criteria to the company's list of assets.

Finding: WECC determined that the R1 violation posed a moderate risk to the reliability of the BPS because, by employing the Methodology, the company could have misidentified or failed to identify Critical Assets and the corresponding Critical Cyber Assets (CCAs), which, given the cross-cutting nature of networked technology, could render one or more Critical Assets vulnerable to misuse or malicious attack and thus jeopardize BPS reliability. This risk was mitigated, however, by the company's corporate security policies, which were in place during the violation and include maintaining security staff, overseeing physical facility protections, and responding to alarms. The risk was further mitigated because the company's Methodology had been developed based on the criteria in Version 4 of the CIP Reliability Standards. In addition, the company did not remove the additional CIP protections from assets that were not identified as "critical" under the Methodology. Lastly, in practice the SMEs apply the Methodology by reviewing the assets and criteria in meetings with SMEs who are knowledgeable about and responsible for the company's system.

WECC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1.

WECC considered URE's internal compliance program (ICP) a mitigating factor in making its penalty determination. The violation began when the company modified its Methodology in a manner that did not comply with CIP-002-3 R1.1, and ended when the company completed its mitigation plan. URE stipulated to the R1 violation.

Penalty: $15,000

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entities 1, 2, 3, 4 – RFC_URE1, RFC_URE2, RFC_URE3, MRO_URE1 (collectively, RFC-MRO_UREs), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-002-3

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: High

Region(s): ReliabilityFirst, MRO

Issue: RFC_URE1 reported a violation of CIP-002-3 R3 through self-certification, and MRO_URE1 self-reported a violation of CIP-002-3 R3. While performing an internal CIP compliance review, each entity found that one relay had been omitted from its Critical Cyber Assets (CCAs) list.

Finding: The violations were deemed to pose a minimal, but not a serious or substantial, risk to BPS reliability. RFC_URE1 and MRO_URE1 applied to the two omitted relays the same protections provided to the CCAs included on their CCA lists. In determining the appropriate penalty, RFC found the RFC-MRO_UREs' internal compliance program to be a mitigating factor; however, the repeat noncompliance was considered an aggravating factor. The CIP programs at the RFC-MRO_UREs had been reviewed and revised after previous CIP violations to ensure compliance; however, the current violations of CIP-003-3 R6, CIP-007-3 R1 and R2, and CIP-004-3 R3 were found to be evidence of a failure of the CIP compliance program, which was an aggravating factor in the penalty determination. Several of the violations were self-reported, which RFC found to be a mitigating factor.

Total Penalty: $20,000 (aggregate for 9 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-002-3

Requirement: R3 (5 violations)

Violation Risk Factor: High

Violation Severity Level: Severe

Region: RFC and SERC

Issue: URE2 self-reported to SERC that, as a result of a clerical error, it did not include 44 devices on its initial CCA list signed by a senior executive (even though it was still providing those 44 devices with the required CCA protections). URE1 and URE2 (collectively, URE) also self-reported to RFC and SERC that the asset database used to track CCAs improperly omitted 58 URE1 devices (46 of which are CCAs) and 53 URE2 devices (34 of which are CCAs) that run operating systems which do not support the asset client. In addition, URE2 self-reported to SERC that in Fall 2010, when its technicians connected five devices at two transmission substations to make the devices remotely accessible, it did not evaluate the five Cyber Assets prior to connecting them to the ESP to determine whether they were CCAs. URE1 also self-reported to RFC that it did not evaluate three devices at one facility (which were non-critical Cyber Assets within the ESP) as potential CCAs, and that it connected a laptop computer to the controls network to resolve a blackstart testing issue even though the laptop was not identified and protected as a CCA. During a compliance audit, SERC determined that URE had not assessed the server management interface (which communicates within a control center using a routable protocol) or the virtual infrastructure interface (which communicates on a private network within a control center using a routable protocol) to determine whether they were CCAs. As a result, URE1 did not assess 128 Cyber Assets and URE2 did not assess 166 Cyber Assets (30 of which, in total, are CCAs), and none of those Cyber Assets were logically located within ESPs.

Finding: SERC and RFC found that the CIP-002-3 R3 violations constituted a serious and substantial risk to BPS reliability, since having unidentified CCAs increases the chance that URE would fail to provide the required security protection to Cyber Assets essential to the operation of Critical Assets. For example, through the server management interface devices, unauthorized personnel could gain access and potentially compromise the CCAs residing on the server. However, SERC and RFC found that the risk to the BPS was mitigated because URE had numerous measures in place to protect the BPS. For example, some of the devices were still receiving the required protections, were located in an ESP with site physical security, and were logging and being monitored for cyber security events. URE admitted the violations. In approving the settlement agreement, the NERC BOTCC evaluated as aggravating factors URE's compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. On the other hand, URE self-reported some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE received only partial mitigating credit, as most of URE's violations resulted from a lack of execution and coordination of its programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-002-3

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not have an appropriate risk-based assessment methodology for identifying Critical Assets. Instead, URE applied the bright-line criteria contained in Version 4 of the CIP Reliability Standards to its 2013 assessment and review of Critical Assets, even though the Version 4 CIP Standards were not scheduled to go into effect until April 1, 2014.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability, as the revised methodology resulted in only one of URE's generator facilities being delisted as a Critical Asset. That generator facility had been classified as a Critical Asset only as a result of overly stringent criteria, and an updated risk-based assessment methodology would also have resulted in its being delisted. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that one of the violations was self-reported and that URE had a compliance program in place when the violations occurred. URE's prior violations of the Reliability Standards were not considered an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 2013 (no further review)

Unidentified Registered Entity 1 (RFC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-002-3

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: RFC_URE1 self-reported that it violated CIP-002-3 R1 by failing to "identify and document a risk-based assessment methodology to use to identify its Critical Assets" as required by the standard. RFC_URE1 was operating under the incorrect belief that it was not subject to NERC Reliability Standards.

Finding: ReliabilityFirst found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability due to the inherent risk of RFC_URE1's failure to develop a methodology for identifying Critical Assets based on risk. However, application of a risk-based methodology found that RFC_URE1 had no Critical Assets, and RFC_URE1's Bulk Electric System facilities were relatively small. To mitigate the violation, RFC_URE1 (1) created a risk-based methodology to determine whether it had Critical Assets and applied the methodology, and (2) determined whether a list of Critical Assets needed to be developed.

Penalty: No penalty

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (RFC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-002-3

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: RFC_URE1 self-reported that it violated CIP-002-3 R2 by failing to "develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology" required in CIP-002-3 R1, and by failing to "review this list at least annually." RFC_URE1 was operating under the incorrect belief that it was not subject to NERC Reliability Standards.

Finding: ReliabilityFirst found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability due to the inherent risk of RFC_URE1's failure to develop a methodology for identifying Critical Assets based on risk and its failure to review the list. However, application of a risk-based methodology found that RFC_URE1 had no Critical Assets, and RFC_URE1's Bulk Electric System facilities were relatively small. To mitigate the violation, RFC_URE1 (1) created a risk-based methodology to determine whether it had Critical Assets and applied the methodology, and (2) determined whether a list of Critical Assets needed to be developed.

Penalty: No penalty

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (RFC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-002-3

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: RFC_URE1 self-reported that it violated CIP-002-3 R3 by failing to "develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset[s]" as required by the standard. RFC_URE1 was operating under the incorrect belief that it was not subject to NERC Reliability Standards.

Finding: ReliabilityFirst found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability due to the inherent risk of RFC_URE1's failure to create a list of the associated Critical Cyber Assets essential to the operation of its Critical Assets. However, application of a risk-based methodology found that RFC_URE1 had no Critical Assets. Additionally, RFC_URE1's Bulk Electric System facilities were relatively small. To mitigate the violation, RFC_URE1 (1) created a risk-based methodology to determine whether it had Critical Assets and applied the methodology, and (2) determined whether a list of Critical Assets needed to be developed.

Penalty: No penalty

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (RFC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-002-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: RFC_URE1 self-reported that it violated CIP-002-3 R4 because its senior manager failed to "approve annually the risk-based assessment methodology, the list of Critical Assets and the list of Critical Cyber Assets." RFC_URE1 was operating under the incorrect belief that it was not subject to NERC Reliability Standards.

Finding: ReliabilityFirst found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability due to the inherent risk of RFC_URE1's failure to have its senior manager approve the required methodology and lists. However, application of a risk-based methodology found that RFC_URE1 had no Critical Assets. Additionally, RFC_URE1's Bulk Electric System facilities were relatively small. To mitigate the violation, RFC_URE1 (1) created a risk-based methodology to determine whether it had Critical Assets and applied the methodology, (2) determined whether a list of Critical Assets needed to be developed, and (3) obtained management approval of the methodology and of the Critical Assets list decision.

Penalty: No penalty

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 1 (SERC_URE1), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2016016635

Reliability Standard: CIP-002-3

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: During a site walk-down of a substation in preparation for CIP Version 5, SERC_URE1 discovered two Cyber Assets that it had not identified as Critical Cyber Assets (CCAs). Four years and seven months prior to this discovery, SERC_URE1 had identified the substation as a Critical Asset but had not identified as CCAs two dial-up accessible revenue meters with supervisory control and data acquisition (SCADA) connections that provide real-time data into its energy management system. SERC_URE1 submitted a Self-Report stating that it had violated CIP-002-3 by failing to identify all CCAs essential to the operation of the Critical Asset. SERC_URE1 identified the root causes of the violation as inadequate training and ineffective procedural controls. Specifically, SERC_URE1 found that the responsible employee did not have the requisite knowledge of how to assess the dial-up accessible revenue meters, and that no formal checklist for identifying such meters existed at the time of implementation.

Finding: SERC found that the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. By failing to identify and protect the two Cyber Assets as CCAs for nearly five years, SERC_URE1 may have left open a potential attack vector into the Electronic Security Perimeter through which a malicious actor could compromise or degrade interconnected Cyber Assets. However, only two Cyber Assets were affected, both located at a single site within a secured building that sits inside a larger secured perimeter fence. The violation began when SERC_URE1 identified the Critical Asset through the application of its risk-based assessment methodology (RBAM) without identifying the CCAs, and lasted until SERC_URE1 correctly classified the devices as CCAs. SERC considered SERC_URE1's compliance history an aggravating factor in determining the penalty, while its internal compliance program was deemed a neutral factor. To mitigate the violation, SERC_URE1 performed a number of steps, including classifying the meters as Bulk Electric System Cyber Assets, applying all applicable requirements under CIP Version 6, performing an extent-of-condition review that found no outstanding instances of noncompliance, and implementing new and revised procedures for dial-up assets.

Penalty: $95,000

FERC Order: Issued August 30, 2018 (no further review)
