NERC Case Notes: Reliability Standard CIP-006-2

Alert


Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-006-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: NPCC

Issue: When a physical security equipment vendor was called in to repair two control room doors, the vendor, without authorization, had possession of an authorized access test card that had remained activated since commissioning of the security system in late 2009. The vendor had utilized this card on four different occasions to perform repairs. On those four occasions, the vendor had not been escorted at all times during these periods as required by CIP-006-2 Requirement 1.6.

Finding: NPCC assessed a penalty in the amount of $4,000 for this violation. In reaching this determination, NPCC considered the following facts: the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system because the vendor did not breach any electronic security perimeters or configurations of the cyber assets; the vendor was part of the original team that installed the Unidentified Registered Entity’s physical security system to comply with the CIP Reliability Standards. The vendor was a trusted contractor, and the vendor's employee was in good standing.

Penalty: $4,000

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-192-000 (May 26, 2011)

Reliability Standard: CIP-006-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: High

Region: WECC

Issue: Following a Self-Report by URE, WECC determined that URE did not provide continuous escorted access for two individuals without authorized unescorted physical access to URE's Physical Security Perimeters (PSPs). Physical access logs indicated that an employee with authorized unescorted access to the PSP opened doors to URE's server racks for two other employees who lacked such authorization and then left while the two unauthorized employees worked on equipment in the server racks for approximately three hours. When the unauthorized employees left, they inadvertently left certain doors to the server racks open.

Finding: WECC determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the two individuals that were not continuously escorted were URE employees that had undergone CIP training and had a personnel risk assessment. Moreover, the PSP did not contain any Critical Cyber Assets, and was under video surveillance at URE's central monitoring facility. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of the Reliability Standards at issue; URE self-reported the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $12,200 (aggregated for 3 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-199-000 (May 26, 2011)

Reliability Standard: CIP-006-2

Requirement: R1.5 (two violations)

Violation Risk Factor: Medium (both violations)

Violation Severity Level: Severe (both violations)

Region: NPCC

Issue: The Unidentified Registered Entity (URE) self-reported that one of its employees who had approved physical access to only certain Physical Security Perimeters (PSPs) was inadvertently granted access to another PSP as a result of an administrative error with the physical security software application. The inadvertent access was revoked within a week, and the relevant employee did not access the other PSP (Violation 1). In addition, the URE self-reported that a service technician contractor for the physical security monitoring system, in anticipation of upcoming work, inappropriately gave himself access to a certain PSP without following the appropriate protocol. The unauthorized access was revoked within two weeks, and the relevant contractor did not access that PSP (Violation 2).

Finding: NPCC found that Violation 1 only constituted a minimal risk to bulk power system reliability since the relevant employee was not aware that he had additional access to the other PSP and the URE promptly revoked the inadvertent PSP access privileges. The duration of the first violation was from August 24, 2010 through August 31, 2010. NPCC also found that Violation 2 only constituted a minimal risk to bulk power system reliability since the URE’s review identified the improper access privileges and quickly revoked the privileges. The duration of the second violation was from August 20, 2010 through August 31, 2010.

Penalty: $3,500 (aggregate for 2 penalties)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-206-000 (June 29, 2011)

Reliability Standard: CIP-006-2

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: Registered Entity 2 self-reported that in two instances, employees who did not possess the appropriate authorization rights used a master key to gain access to an Emergency Management System computer workstation (which is a Critical Cyber Asset (CCA)).

Finding: NPCC and the Registered Entities’ parent company entered into a settlement agreement to resolve multiple violations, whereby the Registered Entities’ parent company agreed to pay a penalty of $80,000 and to undertake other mitigation measures. The duration of the CIP-006-2 violation was from May 8, 2010 through May 28, 2010. NPCC found that the CIP-006-2 violation only constituted a minimal risk to bulk power system reliability since an alarm was triggered when the unauthorized employees gained access (and security addressed those instances) and the relevant employees did not possess electronic access to the CCAs. In approving the settlement agreement, NERC found that these violations were the Registered Entities’ parent company’s first violations of the relevant Reliability Standards; the violations were self-reported; the Registered Entities’ parent company was cooperative during the enforcement proceeding and did not conceal the violations; and there were no additional aggravating or mitigating factors.

Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)

Reliability Standard: CIP-006-1 and CIP-006-2

Requirement: R1.8 (CIP-006-1); R2.2 (CIP-006-2)

Violation Risk Factor: Lower

Violation Severity Level: N/A (R1.8); Lower (R2.2)

Region: RFC

Issue: Unidentified Registered Entity (URE) self-reported that seven individuals with access to certain cyber assets did not have complete or current Personnel Risk Assessments. All were database administrators and had access to data related to URE’s building access system, which is a cyber asset. The building access system provides access control and monitoring of Physical Security Perimeters (PSPs) by restricting access to the PSPs to authorized individuals only and logs authorized or attempted unauthorized access. As such, URE is required to ensure that the building access system is protected as required by CIP-004 R3.

Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000, and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the building access system is separate from the networks that support the bulk power system. Further, the completed personnel risk assessments had no identified issues. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations indicating that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $85,000 (aggregate for 12 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-006-1 and CIP-006-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A for CIP-006-1, High for CIP-006-2

Region: ReliabilityFirst

Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) self-reported that a consultant had performed a mock audit and found numerous violations of the CIP Standards in their shared Electronic Security Perimeter (ESP). In particular, URE 1 and URE 2 self-reported that they failed to ensure that all Cyber Assets within an ESP also reside within a Physical Security Perimeter (PSP) in violation of R1.1. In addition, on two occasions URE 1 and URE 2 failed to continuously escort two contract workers requiring escorted physical access to the PSP to finish work within the PSP in violation of R1. Duration of violation was January 1, 2010 through December 23, 2010 (for R1.1) and for R1, the duration of violation consisted of the two dates upon which the workers did not receive continuous escort (June 18, 2010 and July 21, 2010).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the communications assets associated with the relevant access points were physically protected even if they did not all reside in a PSP. In addition, the two visiting workers posed a low risk because they both had or were in the process of receiving a Personnel Risk Assessment and one was in the process of completing cyber security training. However, it noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violation; there was no evidence that the UREs attempted to conceal a violation; and URE 1 and URE 2 promptly prepared, drafted and submitted their mitigation plan for the violations of CIP-006-1 such that ReliabilityFirst assessed a zero dollar penalty for those violations.

Penalty: $180,000 (aggregate for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-006-2

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it had not properly protected its physical access control system by implementing the protective measures mandated by the Reliability Standards (i.e., URE did not annually change the password for a shared administrator account for a database that stores data for its physical access control system software and there were four instances where URE did not timely secure access to the shared administrator account after personnel changes).

Finding: RFC found that the violation constituted a moderate risk to BPS reliability. In terms of the personnel changes, none of the relevant employees were terminated for cause and they had their physical and cyber access rights revoked after their employment was finished. In addition, the relevant shared account is primarily accessed electronically (and not by human users) to run the physical access control system and to produce reports. If there was any attempted human use of the shared account, the system owner and IT security would have been alerted. Certain parts of URE’s compliance program were evaluated as a partial mitigating factor.
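The NP11-199 case (an inadvertent PSP grant and a contractor who granted himself access) and the NP12-2 case (a shared administrator password not changed annually, and access not secured after personnel changes) are all failures that a periodic reconciliation of the physical access control system against approvals would surface. The following is an added example written for this page, not code from any filing or from any PACS product; the data model, the 365-day threshold and the sample records are constructed assumptions.

```python
"""Reconcile a physical access control system (PACS) against approvals.

Added example, not from any NERC filing. Constructed data models the three
failure modes in the case notes: a PSP grant with no approval on file, a
shared administrator password past its annual change, and a holder of
access who has since left the organisation.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Grant:
    subject: str        # badge holder (employee or contractor id)
    psp: str            # Physical Security Perimeter the grant opens


@dataclass(frozen=True)
class SharedAccount:
    name: str
    password_set_on: date
    holders: frozenset  # people who know the current password


@dataclass
class Findings:
    unapproved_grants: list = field(default_factory=list)
    separated_with_access: list = field(default_factory=list)
    rotation_required: list = field(default_factory=list)

    def is_clean(self):
        return not (self.unapproved_grants or self.separated_with_access
                    or self.rotation_required)


MAX_PASSWORD_AGE_DAYS = 365  # annual change of shared account passwords (assumed policy)


def reconcile(grants, approvals, shared_accounts, separated, today):
    """approvals: set of (subject, psp) pairs with a documented approval.
    separated: set of subjects no longer employed or contracted."""
    f = Findings()
    for g in grants:
        if (g.subject, g.psp) not in approvals:
            f.unapproved_grants.append(g)          # grant exists, no approval on file
        if g.subject in separated:
            f.separated_with_access.append(g)      # access not removed after departure
    for acct in shared_accounts:
        too_old = (today - acct.password_set_on).days > MAX_PASSWORD_AGE_DAYS
        holder_left = bool(acct.holders & separated)
        if too_old or holder_left:
            f.rotation_required.append(acct.name)  # shared secret must be changed
    return f


# Constructed sample state as of 2010-08-31 (hypothetical identifiers).
GRANTS = [
    Grant("emp-101", "PSP-A"),
    Grant("emp-101", "PSP-B"),   # added by an administrative error
    Grant("ctr-220", "PSP-C"),   # contractor granted himself access
    Grant("emp-305", "PSP-A"),   # emp-305 has left the company
]
APPROVALS = {("emp-101", "PSP-A"), ("emp-305", "PSP-A")}
SHARED_ACCOUNTS = [
    SharedAccount("pacs-db-admin", date(2009, 6, 1), frozenset({"emp-305", "emp-410"})),
    SharedAccount("badge-printer", date(2010, 3, 1), frozenset({"emp-410"})),
]
SEPARATED = {"emp-305"}


def sample_findings():
    return reconcile(GRANTS, APPROVALS, SHARED_ACCOUNTS, SEPARATED, date(2010, 8, 31))


if __name__ == "__main__":
    f = sample_findings()
    for g in f.unapproved_grants:
        print(f"no approval on file: {g.subject} -> {g.psp}")
    for g in f.separated_with_access:
        print(f"separated but still active: {g.subject} -> {g.psp}")
    for name in f.rotation_required:
        print(f"shared account needs password change: {name}")
```

Running the reconciliation on a schedule (the case notes show a weekly review catching the NP11-199 grants within days) turns each of the three findings into a ticket with a documented owner, which is also the evidence an auditor asks for.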

Penalty: $35,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entities 1-4, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-006-2

Requirement: R1, R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: RFC_UREs self-reported that when their parent company was sold, there was a time period during which the parent company and the purchasing company shared a locked room housing data storage servers. Those servers have the ability to act as a backup control center and, therefore, are considered CCAs. During one instance, an employee of the purchasing company allowed a computer manufacturer vendor entry to the PSP surrounding the servers and then left the vendor unescorted for 25 minutes. In addition, the employee did not document the event.

Finding: RFC determined the violation constituted a moderate risk to BPS reliability. Even though the vendor was not escorted for 25 minutes, the CCAs are housed in locked cabinets to which the vendor had no access. Also, the data center is monitored through video surveillance which showed the vendor did not attempt to access the CCAs. The purchasing company relocated its employees and data storage services to avoid any similar incidents. RFC considered RFC_UREs’ compliance programs a mitigating factor in determining the appropriate penalty.
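In both the NP11-192 case (an employee badged two unauthorized colleagues into the server racks and left for three hours) and the NP12-10 case (a vendor left unescorted for 25 minutes), the physical access logs already contained the evidence; what was missing was logic that noticed an escort leaving while visitors remained. The following is an added example written for this page, not code from any filing or PACS vendor. It assumes a PACS that writes one line per badge event in the constructed format shown, and a set of badges with approved unescorted access; every other badge inside the PSP is treated as a visitor who must have an authorized person present at all times.

```python
"""Detect loss of continuous escort from physical access control logs.

Added example, not from any NERC filing. The log format, the badge ids and
the 'authorized' set are constructed assumptions.
"""
import re
from datetime import datetime

LINE = re.compile(r"^(\S+) psp=(\S+) badge=(\S+) event=(ENTRY|EXIT)$")

# Constructed sample: escort E100 badges two visitors in, then leaves.
SAMPLE_LOG = """\
2011-09-14T09:00:05 psp=DC-ROOM badge=E100 event=ENTRY
2011-09-14T09:00:20 psp=DC-ROOM badge=V201 event=ENTRY
2011-09-14T09:00:31 psp=DC-ROOM badge=V202 event=ENTRY
2011-09-14T09:04:10 psp=DC-ROOM badge=E100 event=EXIT
2011-09-14T12:01:44 psp=DC-ROOM badge=V201 event=EXIT
2011-09-14T12:01:50 psp=DC-ROOM badge=V202 event=EXIT
"""

# Constructed sample: escort steps out for three minutes and returns.
SAMPLE_LOG_RETURN = """\
2011-09-15T14:00:00 psp=DC-ROOM badge=E100 event=ENTRY
2011-09-15T14:00:30 psp=DC-ROOM badge=V203 event=ENTRY
2011-09-15T14:10:00 psp=DC-ROOM badge=E100 event=EXIT
2011-09-15T14:13:00 psp=DC-ROOM badge=E100 event=ENTRY
2011-09-15T14:30:00 psp=DC-ROOM badge=V203 event=EXIT
2011-09-15T14:30:05 psp=DC-ROOM badge=E100 event=EXIT
"""
AUTHORIZED = {"E100"}  # badges with approved unescorted access (assumed)


def parse(log_text):
    """Yield (timestamp, psp, badge, event) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, psp, badge, event = m.groups()
            yield datetime.fromisoformat(ts), psp, badge, event


def find_unescorted_periods(log_text, authorized):
    """Return (psp, start, end, badges) for every interval during which
    visitors were inside a PSP with no authorized person present.
    'end' is None when the interval is still open at the end of the log."""
    inside = {}        # psp -> {"auth": set of badges, "visit": set of badges}
    open_periods = {}  # psp -> [start timestamp, visitor badges seen unescorted]
    periods = []

    for ts, psp, badge, event in parse(log_text):
        state = inside.setdefault(psp, {"auth": set(), "visit": set()})
        group = state["auth"] if badge in authorized else state["visit"]
        if event == "ENTRY":
            group.add(badge)
        else:
            group.discard(badge)
        # Escort lost: visitors present, nobody authorized present.
        unescorted = bool(state["visit"]) and not state["auth"]
        if unescorted and psp not in open_periods:
            open_periods[psp] = [ts, set(state["visit"])]
        elif unescorted:
            open_periods[psp][1].update(state["visit"])
        elif psp in open_periods:
            # An authorized person came back, or the last visitor left.
            start, badges = open_periods.pop(psp)
            periods.append((psp, start, ts, frozenset(badges)))

    for psp, (start, badges) in open_periods.items():
        periods.append((psp, start, None, frozenset(badges)))
    return periods


if __name__ == "__main__":
    for psp, start, end, badges in find_unescorted_periods(SAMPLE_LOG, AUTHORIZED):
        print(f"{psp}: unescorted from {start} to {end}: {sorted(badges)}")
```

Because the detection runs on the same stream the PACS already produces, it can be wired to the alerting path rather than a quarterly review; the first sample yields one period of nearly three hours, the second a three-minute gap that closes when the escort re-enters.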

Penalty: $6,000

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2011)

Reliability Standard: CIP-006-2

Requirement: R1, R2

Violation Risk Factor: Medium (R1, R2)

Violation Severity Level: Severe (R1, R2)

Region: WECC

Issue: URE self-reported that in one instance (involving the use of a conference room) an employee who did not have unescorted physical access authorization rights was left unescorted within URE’s PSP. In addition, one or more individuals left the relevant conference room, without an escort, to use their mobile phones. (R1) URE also self-reported that one of its communication technicians inadvertently created an unauthorized access point through the access control system’s ESP. As this access point was not intended, URE did not follow its process for access request and authorization for control of electronic access at all of its electronic access points to its ESP. (R2)

Finding: WECC found that the CIP-006-2 violations constituted only a minimal risk to the BPS. In regards to R1, there was only one CCA located within the relevant PSP (which comprises a large area). In addition, one of the relevant employees never left the conference room and the other relevant employees did not go near the CCA. For R2, the unauthorized access point was physically located at URE (and therefore was only accessible by URE employees). Also, URE was able to correct the problem within 10 days. In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $135,000 (aggregate for 20 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-006-1 (the violation involves later versions of this standard--CIP-006-2 R2.2 and CIP-006-3 R2.2)

Requirement: R1.8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: In the course of a self-certification, URE self-reported a violation of CIP-006-1 R1 in that it failed to ensure that CAs used in the Access Control and Monitoring (ACM) of the PSPs received all the required protections. In response to the report, WECC performed an on-site audit and confirmed URE’s assessment. Specifically, WECC held URE violated CIP-006-1 R1.8 because it failed to protect CAs in the ACM of the PSPs in the following three ways:

First, in violation of CIP-005 R3, five switches that serve as electronic access points to seven physical ACM controllers were not configured to send syslogs to URE’s syslog server. Consequently, designated personnel could not receive alerts generated from these controllers.

Second, in violation of CIP-007 R3, URE failed to properly document two assessments: 1) URE did not document the applicability of a security patch for three ACM devices within thirty days of the patch becoming available; 2) URE failed to document the assessment of security patches for sixteen switches located in the ESP for five devices used in the ACM of the ESPs.

Third, in violation of CIP-009 R4 and R5, URE failed to document in its Recovery Plan the backup and restore procedures for seven physical ACM control panels. These features of the Recovery Plan are used to store access control authentication data for the card readers. While URE annually tested to ensure that essential recovery information was stored on backup media, it did not comply with documentation requirements.

Finding: These violations posed only a moderate risk to the reliability of the BPS because the risk was mitigated by three factors. First, only personnel with proper training and Personnel Risk Assessments had access to the devices in question. Second, URE’s server was located within secured rooms inside a PSP, and secured by a firewall equipped with anti-virus and malware protection tools.

Penalty: $45,000 (aggregate for 7 penalties)

FERC Order: Issued February 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-006-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-certified that it was not in compliance with CIP-006-2 R2 because two servers considered CAs and used for access control and monitoring of its ESP were not located in an identified PSP.

Finding: ReliabilityFirst found the violation constituted a moderate risk to BPS reliability which was mitigated because the servers were located in a secured room to which access was restricted by a badge reader and biometrics (fingerprints) required to enter. ReliabilityFirst considered certain parts of URE’s compliance program as mitigating factors in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-006-2

Requirement: R8

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-certified, and ReliabilityFirst confirmed, that it was not in compliance with CIP-006-2 R8 because it did not have in place a maintenance and testing program to help ensure all its physical security systems under CIP-006 R4, R5 and R6 function properly.

Finding: ReliabilityFirst found the violation constituted a moderate risk to BPS reliability which was mitigated because URE’s security vendor had tested the physical security systems before the mandatory compliance date. Specifically, tests were performed to make sure that card readers worked correctly; the system created and maintained an entry log; the system would deny access to unauthorized cards; the system sounded an alarm for doors forced open or remaining open for a defined period of time; all security cameras were correctly positioned; and the badge creation system worked properly. ReliabilityFirst considered certain parts of URE’s compliance program as mitigating factors in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-006-2

Requirement: R2, R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported and NPCC found that, regarding R2, URE had insufficient access restrictions on equipment used to create badges, thereby qualifying the equipment as CAs that authorize and/or monitor access to the PSP. Since the equipment is considered to be access control and monitoring assets, each item requires technical controls to monitor access, which URE did not have in place.

Regarding the violation of R5, for two CAs at two facilities, URE had not put in place the required technical controls to monitor physical access at all entry points, 24/7, to its PSP.

Finding: The violations constituted a minimal risk to BPS reliability because URE has other security measures in place for overall cyber and physical security including, among other measures, intrusion detection, anti-virus, security logging, access control (cyber and physical) and a defense-in-depth network design to minimize the risk to the BPS. Also, with respect to R5, once URE submitted its Mitigation Plan for approval, NPCC Enforcement found the two assets were not CAs after all. And further, there were no reported incidents related to any security lapses on the part of URE. In determining the appropriate penalty, NPCC took certain aspects of URE’s compliance program into consideration as mitigating factors.

Penalty: $10,000 (aggregate for 4 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-006-2

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO

Issue: URE self-reported a violation of R2 because it failed to retain and review logs for Cyber Assets which allow access to the PSPs (as required by associated Standards CIP-007-2 R6.4 and CIP-005-2 R3.2). URE also failed to document a Cyber Asset that authorizes access to PSPs (per CIP-003-2 R6).

Finding: MRO and URE entered into a settlement agreement to resolve multiple violations, in which URE agreed to pay a penalty of $12,000 and to undertake other mitigation measures. MRO determined the violation presented a minimal risk to the security of the BPS since there were other layered defenses at URE’s control center that provided security to detect unauthorized access, and the violation only related to the failure to retain and review certain logs. In addition, URE immediately took corrective action to address the concern with failure to review logs. URE reconfigured remote interactive access protocol and security for the LAN controller, and the security manager received training regarding the use of the change control and configuration management procedure from the IT supervisor.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)

Reliability Standard: CIP-006-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: WECC

Issue: WECC determined that URE did not place one of its CAs that is used in the access control and monitoring of URE’s ESP within an identified PSP, as required. A CA that was used to monitor and alert for logical access to six CCAs was located on the main floor data room within the facility, an area that was not an identified PSP.

Finding: WECC found that the CIP-006-2 violation only constituted a minimal risk to BPS reliability since URE’s main floor data room within the facility has similar security protections as do the PSPs. URE also employed a range of protective measures to its ESP’s access control and monitoring devices. In addition, URE has an automated access tracking system and on-site security. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $72,000 (aggregate for 12 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)

Reliability Standard: CIP-006-2

Requirement: 5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: URE self-reported that it violated R5 because as the result of the implementation of new physical access controls, it failed to implement controls to ensure that all unauthorized access attempts were reviewed immediately consistent with the procedures specified in CIP-008-2. Although the system appropriately logged security events, the system was not configured to send notifications of the events to the responsible individuals.

Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could result in unauthorized access. The risk was mitigated because all but one of the relevant PSPs is within a secure area. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.

Penalty: $150,000 (aggregate for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-006-2

Requirement: 1.1, 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: URE1 filed a self-report explaining that it found two PSPs with drop down ceilings did not have six-wall borders. The PSPs contained ESPs with ESP access points and access control/monitoring devices (R1.1). In addition, the vendor that houses URE1’s card key system did not ensure all protective measures provided under the CIP Reliability Standards were in place (R2).

Finding: Texas RE determined that both violations posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk. The issue with the ceilings involved areas where URE1 had door card key access systems and were in a building also using card key access systems and security guards and video surveillance. Also, the card key system was in a PSP with guards inside an ESP with no remote access. URE1 neither admitted nor denied the violation. Texas RE considered URE1’s ICP as a mitigating factor.

Total Penalty: $51,000 (aggregate for 5 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)

Reliability Standard: CIP-006-2

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: WECC

Issue: During an audit, WECC concluded that URE failed to identify an access point to its PSP, such that it failed to implement a physical security plan that included processes ensuring identification of all access points pursuant to R1. URE also self-reported that it failed to provide continuous escorted visitor access within the PSP on one instance.

Finding: WECC decided the violation posed a minimal and not a serious or substantial risk to the reliability of the BPS because of the layered access security URE had in place. Duration of violation was from the day following certification of URE’s mitigation plan for a prior violation, until the date URE completed its new mitigation plan.

Total Penalty: $207,000 (aggregate for 12 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-006-2

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that not all devices used in the access control and monitoring of its ESP were located in a PSP.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability since the devices did have other CIP protections and had restricted access. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-006-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that one of its firewalls used to protect a facility’s dispatch control call center ESP was not contained within a PSP, as required.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability. While the firewall at issue was not located in a PSP, it resided in a restricted area that was protected by physical security controls, including continuous video monitoring and card access systems. Only 10 IT administrators had access to the area and each had completed cyber security training and had a PRA on file. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-006-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: During a spot check, SERC found that URE did not properly ensure, through its contract with a managed security service provider (MSSP), that all of its ESP electronic access control and monitoring (EACM) devices were contained within a defined PSP. For example, at the MSSP location, the servers used for the management of ESP access points and, at URE, servers used to configure ESP access points and manage firewalls and routers were located outside established PSPs.

Finding: SERC determined that the violation constituted a moderate risk to BPS reliability since it increased the possibility of unauthorized physical access to URE’s EACM devices. However, the EACM devices at issue were located in restricted areas and protected by certain physical security controls, such as continuous video monitoring and card access systems. In addition, the MSSP had security controls for protecting the EACM devices and it conducted testing to ensure the continued effectiveness of such controls. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-006-2

Requirement: R2/2.2 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not provide the required protective measures to certain newly-identified physical access control system (PACS) devices.

Finding: RFC determined the violations posed a moderate risk to the BPS reliability as it increased the risk that an unauthorized individual could physically access the CCAs and cause them to be misused or compromised. However, the newly-identified PACS devices were contained within locked cabinets inside a PSP and there were no deliberate attempts to circumvent the physical access controls. Electronic access was limited to those individuals that had access to the URE Companies’ other PACS devices. In addition, all assets receive a baseline level of protection pursuant to the URE Companies’ corporate policies and defense-in-depth strategy. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-006-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that two Cyber Assets used for the access and/or monitoring of its ESP were not located within an identified PSP.

Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability as URE did have controls in place to prevent unauthorized access to the Cyber Assets. In addition, URE located the Cyber Assets at issue within a corporate data center with physical access controls, and access was restricted to IT system administrators only. Furthermore, the Cyber Assets remained behind a corporate firewall and had to adhere to URE’s corporate change management policy. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-006-2

Requirement: R1 (1.6)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: During a compliance audit, SPP RE determined that URE failed to follow its visitor control program on a consistent basis at its primary and backup control centers, as evidenced by manual logs that included personnel or visitors who should not have been granted access and information that was missing, incomplete or categorized incorrectly.

Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability since URE did escort all visitors to its PSP and the facility is monitored by video. In addition, URE is able to quickly detect any malicious activity through the use of network monitoring that monitors fluctuations within the devices. Additionally, the inconsistencies in URE’s logs were due to recording errors, not the inability of URE to identify individuals who accessed its control centers. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-006-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit, ReliabilityFirst determined that URE did not ensure that all ESP Cyber Assets were contained within a continuous six-foot wall boundary, as URE had openings larger than 96 square inches at several PSPs and URE did not have a six-foot wall boundary around cabling running between two rooms at one facility. Two more PSP openings were discovered by URE during mitigation.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to the BPS reliability as the openings were located either above a dropped ceiling or below a raised floor, making them difficult to see, and a special tool would have been required to access them. In addition, stop mechanisms, ductwork, wiring conduit, cable trays, and the building's steel infrastructure would have made it difficult to reach the openings. The facility where the openings were located was in a restricted area that was manned 24 hours a day with controlled access, surveillance cameras, and additional physical monitoring. The exposed cable was sufficiently protected by additional protective measures. Moreover, URE's intrusion detection system and real-time monitoring of its ESP Cyber Assets were not corrupted throughout the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-006-2

Requirement: R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported that it did not perform the required cybersecurity testing for 75 Cyber Assets that were incorrectly categorized and the controllers on its physical access badge reader system were not properly categorized as Cyber Assets.

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to the BPS reliability as URE's failure to perform the required cybersecurity testing on all Cyber Assets increased the risk that they would be vulnerable to attack. The risk was further increased due to the duration of the violation. However, the risk was mitigated by URE's defense-in-depth strategies, including the ability to monitor, identify and respond to disruptive network events through its network operations center; the use of a rigorous change management program; implementation of current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore, URE located its Cyber Assets in a facility that controlled and protected access physically and electronically utilizing guards, account management and access control. In addition, access logs for the devices were monitored regularly to identify suspicious activity, and there was no indication of a Cyber Security occurrence throughout the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)
