NERC Case Notes: Reliability Standard CIP-006-3

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-006-3

Requirement: 2.2 (3 violations)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, three entities that operate from the same control room and share the same energy management system, self-reported that they had not provided, or did not have sufficient documentation showing that they had provided, the required protective measures for two of their Cyber Assets that authorize and/or log access to the PSP (one physical security server that used cyber keys and one that used access cards). For example, the UREs did not have a properly documented change control and configuration management process for adding, modifying, replacing, or removing CCA hardware or software, and had not sufficiently documented their cyber security test results in all cases where there were significant changes to existing Cyber Assets, or their security patch assessments and compensating measures. In addition, the UREs had enabled more ports and services than those required by the Reliability Standards.

Finding: RFC found that the violations constituted a moderate risk to BPS reliability, since the lack of complete operational and procedural controls to manage access to the PSP increased the risk of unauthorized malicious access to the Cyber Assets. However, the additional enabled ports and services were only open for communications with other trusted corporate networks (which were further protected with additional measures such as firewalls). The protective measures represented a defense-in-depth strategy that guarded the transmission management system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs' first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs' compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-006-3

Requirement: 1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that, when installing a shower room, URE1 cut a hole above the drop ceiling tiles to route a heating, ventilation and air conditioning connection, but did not identify this hole as a physical access point in its physical security plan. URE1 also had a two-foot-by-two-foot opening above a raised ceiling in an operations center PSP and a gap exceeding 96 square inches above the suspended ceilings in the six-wall border of the PSP in the operations center energy management room. URE2 self-reported that, during a site inspection, it discovered an opening in the PSP wall at a substation control house that had been left when a heating duct was removed. URE2 also had two Cyber Assets within the ESP at a substation that were located outside of the associated PSP, and it did not submit a Technical Feasibility Exception or propose compensating measures.

Finding: SERC and RFC found that URE1’s CIP-006-3 R1.1 violations constituted only a minimal risk to BPS reliability, as the locations are continuously monitored. The connection opening and gap were inaccessible and not visible as entry points, and the relevant PSP is located within a secured, non-public corporate building. SERC and RFC found that URE2’s CIP-006-3 R1.1 violations constituted a moderate risk to BPS reliability, since they increased the risk that people would be able to gain unauthorized access to Cyber Assets not protected by the implementation of the physical security plan. However, the control house is in the secured fence area of the substation, with the utility room only accessible by a normally locked exterior door with no access to the inside of the PSP. The opening was small and not easily accessible. URE2 also strictly controls access to the ESP, and the substation perimeter was protected by locked gates and a secured control house. The relevant devices are also password protected and serially connected, with no Internet Protocols or routable protocols enabled. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE did self-report some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-006-3

Requirement: 1.4, 1.6.2, 1.8

Violation Risk Factor: Medium (1.4, 1.6.2, 1.8)

Violation Severity Level: Severe (1.4, 1.6.2, 1.8)

Region: RFC and SERC

Issue: RFC and SERC determined that URE did not include information on a restricted key backup process in its physical security plan as required (1.4). URE1 also allowed two individuals without unescorted physical access rights to be unescorted in the PSP, in violation of its policy for continuously escorting visitors (1.6.2). In addition, although URE performed an annual review of its physical security plan, it did not also conduct an annual review of the documents referenced by the physical security plan as required (1.8).

Finding: SERC and RFC found that URE1’s CIP-006-3 R1.4 violation constituted only a minimal risk to BPS reliability. With regard to R1.4, the keys provide access to the PSP when the primary access control is unavailable, and use of a key triggers an alarm reporting that use at the security console. SERC and RFC found that URE1’s CIP-006-3 R1.6.2 and R1.8 violations constituted a moderate risk to BPS reliability, as there was an increased risk that someone would be able to gain unauthorized access to Cyber Assets that were not properly protected by the physical security plan; however, the two people at issue had previously completed work inside the PSPs, had received cyber security training, and had PRAs on file. URE also restricted remote access to the ESP. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE did self-report some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-006-3

Requirement: 2 (2 violations – RFC and SERC), 4

Violation Risk Factor: Medium (2, 4)

Violation Severity Level: Severe (2, 4)

Region: RFC and SERC

Issue: RFC and SERC determined that URE did not provide adequate protections to certain of its physical access control and monitoring (PACM) devices that are used to authorize and log access to the PSP. URE did not identify and provide protective measures for 52 Cyber Assets that authorize and/or log access to the PSP (2). URE1 also did not have sufficient records of the quantity of keys produced, or of who held the keys, for one of the key systems it used to control physical access to a facility (4).

Finding: SERC and RFC found that URE’s CIP-006-3 R2 and R4 violations constituted a moderate risk to BPS reliability. With regard to R2, URE’s failure to provide the required protective measures increased the risk that CCAs would be compromised. However, even if the PACM devices did not operate, URE had implemented alternative measures for access to the facilities (such as keyed locks and a protected key system). For R4, URE did not completely control physical access to the station, which increased the chance of unauthorized access occurring. However, the badge system is the primary means of accessing the PSP and was fully functional during the course of the violation. The PSP was continuously monitored from a security console, as well as being protected by a gated fence and security personnel. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE did self-report some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)