NERC Case Notes: Reliability Standard CIP-003-3 | White & Case LLP International Law Firm, Global Law Practice

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries. The FFT (Find, Fix and Track) summaries are on a separate page.

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: URE self-reported that while it had established a change control and configuration management process for its CCAs, not all of its process documents had the required supervisory and managerial approval, a change implementation date, a notification date (for groups affected by the change) and an implementation date. URE also self-reported that for software additions on its CCAs, it had not properly followed its change control and configuration management process. URE also had an additional instance (involving a virtual device residing on an existing server that was powered on inside an ESP) in which it did not follow its change control and configuration management process.

Finding: SPP found that the violation related to URE’s incomplete change control and configuration management process constituted a moderate risk to BPS reliability, but that there were mitigating factors in place. For example, URE had instituted a multi-tier approach to help ensure that some preliminary level of review and approval would occur before any system changes were made. Also, all changes requested during the violation period had received board approval. SPP found that the violation related to the software addition only constituted a minimal risk to BPS reliability since URE’s client configuration manager management server alerted URE’s information security personnel, who promptly uninstalled the offending software. SPP found that the violation related to the virtual device constituted a moderate risk to BPS reliability since the activation of the device (which had not been tested) within the ESP could potentially have introduced unknown vulnerabilities into the ESP. But URE’s vulnerability scanner immediately alerted URE’s staff, who quickly responded to the device activation, and there were no adverse impacts caused by the activation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-003-3

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE1 filed a self-report explaining that it did not follow its CCA/CA change control and configuration management process in 14 instances over two months associated with its control center and back-up control center.

Finding: WECC determined that the violation posed a minimal risk to BPS reliability, but not a serious or substantial risk. All of URE1’s CCAs are located within an ESP with controlled and monitored access. URE1 did not contest the violation. In determining the appropriate penalty, WECC considered the self-report of the violation and URE1’s ICP as mitigating factors.

Total Penalty: $5,000

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-003-3

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R6 because it failed to carry out its configuration management activities (i.e., its change control process and change management procedures) to document the changes it made to its firewall and to its anti-virus software.

Finding: RFC determined that the R6 violation posed a minimal risk to the reliability of the BPS because the company had a documented change management procedure in place at the time of the violation for changes to Critical Cyber Asset hardware or software. Furthermore, the violations represented isolated incidents, rather than systemic compliance issues. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R6. RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company installed the firewall into the ESP and ended when the company implemented its change management process and configuration management activities to document the changes it made to its firewall and anti-virus system. URE neither admits nor denies the R6 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entities 1, 2, 3, 4 (RFC_URE1, RFC_URE2, RFC_URE3, MRO_URE1) (collectively, RFC-MRO_UREs), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-003-3

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region(s): ReliabilityFirst, MRO

Issue: RFC_URE1 and RFC_URE2 self-reported violations of CIP-003-3 R5 upon finding that each had given a contractor access to a tool that identifies whether a Cyber Asset is a CCA, which is protected CCA information. The contractor had had access to the information for many years before such access was deactivated. RFC_URE1 and RFC_URE2 eventually reactivated the account, allowing read and write access privileges. Due to technical issues, the ability to add security keys to inactive users had not been implemented and therefore the inadvertent access was allowed. The corporate security system of RFC_URE1 and RFC_URE2 flagged the contractor’s access as “unapproved” and it was reported as such.

Finding: These violations were deemed to pose a moderate, but not serious or substantial risk to BPS reliability. The contractor only had access to determine which Cyber Assets were CCAs, but was not granted access to those CCAs. The individual, who had authorized access for many years prior to deactivation, completed cyber security training and did not attempt to access the tool which allowed access to CCA information. In determining the appropriate penalty, RFC found the RFC-MRO_UREs’ internal compliance program to be a mitigating factor; however, the repeat noncompliance was considered an aggravating factor. The CIP programs at RFC-MRO_UREs had been reviewed and revised after previous CIP violations to ensure compliance; however, the current violations of CIP-003-3 R6, CIP-007-3 R1 and R2 and CIP-004-3 R3 were found to be evidence of a failure of the CIP compliance program, which was an aggravating factor in penalty determination. Several of the violations were self-reported, which RFC found to be a mitigating factor.

Total Penalty: $20,000 (aggregate for 9 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entities 1, 2, 3, 4 (RFC_URE1, RFC_URE2, RFC_URE3, MRO_URE1) (collectively, RFC-MRO_UREs), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-003-3

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region(s): ReliabilityFirst, MRO

Issue: RFC_URE2 initially self-certified a violation of CIP-003-3 R6 and, upon further review, self-reported further violations of the CIP-007-3 Reliability Standard. URE found through an internal self-assessment that a CCA router was missing a configuration baseline, which is required by CIP-003-3 R6. URE also did not follow established testing procedures on the router. In particular, URE did not carry out procedures for cybersecurity testing (CIP-007-3 R1.1); did not document that the testing was conducted in a way that reflects the production environment (CIP-007-3 R1.2); and did not document test results (CIP-007-3 R1.3). Lastly, URE did not document that only those ports and services needed for normal or emergency operations were enabled on the router, which left URE unable to show that the ports and services were enabled or disabled as appropriate (CIP-007-3 R2).

Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability. RFC_URE2 ensured that the router was secured with a domain identification and password, with authorization within the network and with a membership requirement within the security group. Additionally, the devices supported by the network are built and operated using management templates that grant access only to the ports and services necessary for normal and emergency operations, though RFC_URE2 did not document that this had occurred for this router. In determining the appropriate penalty, RFC found the RFC-MRO_UREs’ internal compliance program to be a mitigating factor; however, the repeat noncompliance was considered an aggravating factor. The CIP programs at RFC-MRO_UREs had been reviewed and revised after previous CIP violations to ensure compliance; however, the current violations of CIP-003-3 R6, CIP-007-3 R1 and R2 and CIP-004-3 R3 were found to be evidence of a failure of the CIP compliance program, which was an aggravating factor in penalty determination. Several of the violations were self-reported, which RFC found to be a mitigating factor.

Total Penalty: $20,000 (aggregate for 9 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-003-3

Requirement: 4 (2 violations – RFC and SERC), 5 (2 violations – RFC and SERC), 6 (2 violations – RFC and SERC)

Violation Risk Factor: Medium (4), Lower (5, 6)

Violation Severity Level: Severe (4, 5, 6)

Region: RFC and SERC

Issue: URE1 and URE2 (collectively, URE) self-reported that tickets in its change control system should have been classified as CCA information, but were not (4). In addition, URE did not have sufficient documentation of its access privileges or include links to defined or approved rules (as URE’s documentation did not clearly delineate which individuals were assigned to which roles or the access rights that they possessed). URE also did not properly assess and document, on an annual basis, its processes for controlling access privileges to CCA information (5). URE also did not properly document the entity or vendor-related changes made, pursuant to the change control process, to the hardware and software components of 60.04% of its CCAs. There were also several instances where URE’s business units did not follow the change control process. URE did not adequately establish and document its configuration management process for adding, modifying, replacing or removing CCA hardware or software (6).

Finding: SERC and RFC found that the CIP-003-3 R4, R5 and R6 violations constituted a moderate risk to BPS reliability. The R4 violations increased the chances of inappropriate access to CCA information. But the risk to the BPS was mitigated since URE’s CCA information repositories are not publicly available and URE limits who has access to the information. In terms of the R5 violations, without the appropriate processes to control access to protected information, URE cannot guarantee that protected information is secured, which increases the chances of excessive or unauthorized access to URE’s system. But the risk to the BPS was mitigated since authorization was required to access the information and URE limited access to individuals with a business need to access the information. For the R6 violations, configuration management is intended to ensure a secure environment; insufficient implementation and support of configuration management increases the risk of unwanted security vulnerabilities and unauthorized access points and can affect the availability of critical systems. The risk to the BPS was mitigated because URE performed a staged implementation in development environments before implementing the changes, and because URE did have change management systems in place to manage any changes that would introduce new Cyber Assets into the ESP or add new access points to the ESP. URE admitted the violations. In approving the settlement agreement, the NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But URE did self-report some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-003-3

Requirement: R2/R3

Violation Risk Factor: Medium/Lower

Violation Severity Level: Severe/Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported that it did not document the delegation of responsibilities by the senior manager to delegates, which resulted in a cybersecurity manager approving extensions to cybersecurity exceptions on four occasions and senior management not approving cybersecurity exceptions annually on three occasions.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to BPS reliability since a documentation error caused the violation and only one of the cybersecurity exceptions related to a CIP matter. To mitigate the risk, additional delegates were appointed, including the cybersecurity manager, who was also qualified to review and approve extensions. URE later assigned the responsibility of reviewing cybersecurity extensions to the cybersecurity manager as part of URE's mitigation plan. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability and only one posed a serious or substantial risk to BPS reliability. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program focused on improving its compliance with CIP standards and its cybersecurity efforts. However, the Regions viewed the duration of several of URE's violations negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-003-3

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that it did not update malware prevention software on CCAs according to its change control and configuration management process, which requires that all changes to hardware and software on Cyber Assets be documented using a change control management ticket that includes testing, approvals and documentation.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability, as URE1 detected the oversight the next day and conducted subsequent testing (which indicated no issues), thereby reducing the risk of a malicious attack on its cybersecurity controls or CCAs. Additionally, URE1 had conducted cybersecurity and functionality testing on the malware updates, which demonstrated no adverse impacts on functionality or operations. URE1's EMS was monitored 24/7 by operators, who alert personnel whenever there is a reduction in system performance. In addition, system administrators are alerted by a security status monitoring program whenever there are signs of malicious software activity. Furthermore, the workstations at issue are protected within a PSP, reside in an ESP and can be accessed only by personnel with current PRAs and cybersecurity training. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since the report was made after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-003-3

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that, as a result of human error, it did not follow its change control process (which required changes to be logged and approved by a change management advisory committee member) in one instance. ReliabilityFirst found that URE1 did not create and record a change control and configuration management process for (1) adding, modifying, replacing or removing CCA hardware and (2) identifying, controlling and recording all entity or vendor-related changes, as per its change control process.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the change was still approved by a staff member and URE1 mitigated its actions to prevent a recurrence. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that, among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1’s mitigation plan obliged URE1, among other things, to require validation of all change approvals prior to the start of work.

Penalty: $0 (aggregate for 22 violations)

FERC Order: NERC did not further review the settlement, which took effect on May 29, 2015.

Unidentified Registered Entity 1 (FRCC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-003-3

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE1 self-reported that a badge allowing a janitorial contractor physical access to Critical Cyber Assets (CCAs) was not revoked in a timely manner when the contractor began a leave of absence. The badge was given to a new and unauthorized contractor. FRCC_URE1 retrieved the badge two days later.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized access increases CCAs' vulnerability to physical attacks and alterations. FRCC found the risk was aggravated because the unauthorized janitorial contractor did not have a CIP-level personnel risk assessment on file and had not completed cyber security training. However, the janitorial contractor would not have been allowed to physically contact the CCAs because authorized personnel staffed FRCC_URE1 at all times and would not have allowed such contact. To mitigate the violation, FRCC_URE1 (1) retrieved the unauthorized badge, (2) audited janitorial badges to ensure that individuals with badges were authorized, (3) retrained janitorial employees on security requirements, and (4) developed a Spanish version of its cyber security training.

Penalty: $13,000 (aggregate for 2 violations)

FERC Order: FERC approved the settlement on June 26, 2015.