NERC Case Notes: Reliability Standard CIP-005-1 | White & Case LLP International Law Firm, Global Law Practice
NERC Case Notes: Reliability Standard CIP-005-1

NERC Case Notes: Reliability Standard CIP-005-1

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries. Click here to read the FFT (Find, Fix and Track) summaries.

NERC Registered Entity, FERC Docket No. NP10-135-000 (July 6, 2010)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: The NERC Registered Entity failed to properly configure its firewall access models for certain circuits to appropriately restrict access. No publicly available information was provided regarding the duration of this violation.

Finding: The NERC Registered Entity mitigated the violation by reconfiguring the affected circuits and correcting its firewall access models. No further publicly available information was provided.

Penalty: $8,000

FERC Order: Issued August 5, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R1/1.5

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: Unidentified Registered Entity (URE) failed to document testing procedures for Critical Cyber Assets that control or monitor an Electronic Security Perimeter to demonstrate that testing is performed in a manner that reflects the production environment.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a Settlement Agreement, including a penalty in the amount of $27,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject NERC Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $50,000 (aggregate for 14 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: Unidentified Registered Entity (URE) failed to document the organizational processes and technical and procedural mechanisms that it was using to control access to electronic access points to the Electronic Security Perimeter.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $50,000 (aggregate for 14 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-167-000 (April 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) did not perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter at least annually.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $89,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts: the violation constituted URE’s first violation of the subject Reliability Standards; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; URE implemented compliance procedures that led to the discovery of the violations and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $89,000 (aggregate for 13 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Medium

Region: FRCC

Issue: Unidentified Registered Entity ("URE") failed to perform a cyber vulnerability assessment of its electronic access points to the ESP.

Finding: The violation posed minimal risk but did not pose a serious or substantial risk to the reliability of the bulk power system, because URE performed an assessment in 2006, and there had been no major infrastructure changes since that time.

Penalty: $23,000 (aggregated for 11 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-005-1

Requirement: R1, R2, R3, R5

Violation Risk Factor: Medium (R1, R2, R3), Lower (R5)

Violation Severity Level: N/A

Region: RFC

Issue: Consistent with CIP-005-1 R1, the Unidentified Registered Entity (URE) failed to identify access points to an Electronic Security Perimeter (ESP) and did not consider end points of communication links within an ESP as access points to the ESP as required by R1.3. Further, URE did not identify and protect certain non-critical Cyber Assets consistent with R1.4, and it did not identify an externally connected network switch that terminates within an ESP as an access point to an ESP consistent with R1.1. URE also failed to consider the end point of a router within an ESP connecting two discrete ESPs as an access point in accordance with R1.3.
In violation of CIP-005-1 R2, while URE did produce evidence that it has some technical controls in place at electronic access points to the ESPs, it did not sufficiently control electronic access to Critical Cyber Assets consistent with R2.6. Further, URE could not show that its open ports and services are only those required for operations and for monitoring Cyber Assets within the ESP, as required by R2.2.
In violation of CIP-005-1 R3, URE failed to address monitoring electronic access and did not create electronic or manual processes for monitoring and logging access at access points. Further, URE did not create monitoring processes for detecting and alerting for attempted or actual unauthorized accesses with appropriate notification to designated response personnel as required by R3.2.
In violation of CIP-005-1 R5, URE did not generate and retain electronic access logs for at least 90 calendar days as required by CIP-005-1 R5.2, and did not document changes resulting from modifications to the network or controls within 90 calendar days of the changes being completed as required by CIP-005-1 R5.3.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of other Reliability Standards were either self reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; URE agreed to take actions that exceed those actions that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-189-000 (May 26, 2011)

Reliability Standard: CIP-005-1

Requirement: R1, R1.4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: FRCC

Issue: URE self-reported that it failed to identify eight digital wall clocks in its Energy Control Center (ECC) as Cyber Assets within the Electronic Security Perimeter. FRCC review determined that a back-up server was also not properly identified as a Cyber Asset. URE had previously self-reported a violation of this standard for failing to list thirteen new assets on the Critical Asset list when they were added to the ECC as part of an EMS upgrade. Duration of the violations was July 1, 2009 when the standard became mandatory and enforceable through October 27, 2009 for the earlier violation and March 29, 2010 for the second violation.

Finding: FRCC determined that the violations posed a minimal risk to the bulk power system because the employees did not exercise unescorted physical access to Cyber Assets during the time they had such rights. The NERC BOTCC also considered that the URE self-reported the violations.

Penalty: $17,000 (aggregate for 5 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-192-000 (May 26, 2011)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Following a Self-Report by URE, WECC determined that URE failed to follow its personnel risk assessment program and did not ensure the protective measures to Critical Cyber Assets because an employee performed an escort function within a Physical Security Perimeter (PSP) on one occasion without a valid PRA.

Finding: WECC determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the individual at issue was current on CIP training and underwent a background check at the start of employment. In addition, the PSP was equipped with video cameras, and the video feed was monitored at URE's central monitoring facility. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of the Reliability Standards at issue; URE self-reported the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $12,200 (aggregated for 3 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-204-000 (June 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: A Registered Entity self-reported that it had not properly configured its Energy Management System’s (EMS) firewall within its Electronic Security Perimeter (ESP) to deny access by default at network access points.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $37,500 and to undertake other mitigation measures. WECC found that the CIP-005-1 violation only constituted a minimal risk to bulk power system reliability since the Registered Entity’s permissive access rule only applied to access between the two ESPs or either one of the ESPs and the quality assurance network (and did not allow entry or exit from the Registered Entity’s corporate network, field data acquisition network segments, or the Internet). Plus, communications with WECC and other utilities were further restricted based on IP address and the port at the LAN network at the Registered Entity’s corporate network level. The duration of the CIP-005-1 violation was from July 1, 2009 through October 15, 2009. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $37,500 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-212-000 (June 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R2, R3

Violation Risk Factor: Medium (for R2, R3)

Violation Severity Level: Severe (for R2, R3)

Region: WECC

Issue: The Registered Entity self-certified that it had not initiated the required organizational processes or the technical and procedural mechanisms necessary to control the electronic access at all of the electronic access points to its Electronic Security Perimeters (ESPs) (R2). The Registered Entity also self-certified that it did not have an electronic or manual process to monitor and log access 24 hours a day, seven days a week at all of the access points to the ESP (R3).

Finding: The Registered Entity agreed to pay a penalty of $381,600 and to undertake other mitigation measures to resolve multiple violations. WECC found that the CIP-005-1 violations constituted a moderate risk to bulk power system reliability. In regards to R2, the lack of proper mechanisms to control electronic access to the ESP could potentially have exposed the Registered Entity’s Critical Cyber Assets to security attacks. In regards to R3, the Registered Entity’s inability to detect all unauthorized access at the access points to the ESP could have led to malicious access attempts, which would have compromised the security of the Critical Cyber Assets. But, the Registered Entity did implement additional security measures to mitigate potential security threats. The duration of the CIP-005-1 violations was from July 1, 2009 through March 23, 2010 (R2) and April 30, 2010 (R3). In approving the penalty amount, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; three of the violations were self-reported and three of the violations were the result of self-certifications; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $381,600 (aggregate for 6 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-213-000 (June 29, 2011)

Reliability Standard: CIP-005-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported (in response to the start of WECC’s self-certification process) that it had not initiated and properly documented an electronic or manual process to monitor and log authorized user accounts and therefore it was unable to detect unauthorized access attempts at its Electronic Security Perimeter.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $143,500 and to undertake other mitigation measures. WECC found that the CIP-005-1 violation constituted a moderate risk to bulk power system reliability since the Registered Entity would not have known about unauthorized access to its Electronic Security Perimeter, thereby exposing itself to security attacks. But, the Registered Entity did have certain secondary security measures in place. The duration of the CIP-005-1 violation was from July 1, 2009 through September 30, 2009. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violation and there were no additional aggravating or mitigating factors.

Penalty: $143,500 (aggregate for 10 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it did not timely conduct a cyber vulnerability assessment of the electronic access points to its Electronic Security Perimeter as required.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had shared its cyber vulnerability testing and assessment with its employees and conducted an abbreviated evaluation of its substation systems in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it did not timely conduct a cyber vulnerability assessment of the electronic access points to its Electronic Security Perimeter as required.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had shared its cyber vulnerability testing and assessment with its employees and conducted an abbreviated evaluation of its substation systems in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it did not timely conduct a cyber vulnerability assessment of the electronic access points to its Electronic Security Perimeter as required.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required vulnerability assessment within a year of the required date. The Registered Entity had shared its cyber vulnerability testing and assessment with its employees and conducted an abbreviated evaluation of its substation systems in conformance with the Reliability Standard. The duration of the violation was from December 31, 2009 through December 31, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-230-000 (July 28, 2011)

Reliability Standard: CIP-005-1

Requirement: R2.4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: RFC

Issue: Following a self-report, RFC determined the Unidentified Registered Entity (URE) did not have any procedural or technical controls to verify authenticity of users at access points to the Electronic Security Perimeter.

Finding: RFC assessed an $18,000 penalty for this and other Reliability Standards violations. RFC determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because the ESP at issue was associated with one of URE’s smallest generators and only 8 people had access, all of whom had completed CIP training and personnel risk assessments. In approving the settlement between URE and RFC, the NERC BOTCC considered the following factors: the violation did not constitute a repeat violation; URE was cooperative; URE self reported the violations; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violation; RFC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $18,000 (aggregated for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-234-000 (July 28, 2011)

Reliability Standard: CIP-005-1

Requirement: R1, R3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Following a Self-Report, WECC determined the Unidentified Registered Entity (URE) did not identify and document all access points to its Electronic Security Perimeters (ESP) in violation of R1, and did not monitor and document access to all ESPs pursuant to its ESP monitoring procure in violation of R3.

Finding: WECC assessed a $35,000 penalty for this and other Reliability Standards violations. WECC determined that the violation of R1 posed a moderate risk and the violation of R3 posed a minimal risk to the reliability of the bulk power system (BPS) but the violations did not pose a serious or substantial risk to the reliability of the BPS because although failing to identify all ESP access points could expose Critical Cyber Assets to inappropriate access attempts, URE had other protection systems in place. Specifically, URE physically disconnected dial-up connections from the EMS when not in use and maintained a secured, firewalled link to its Balancing Authority. In addition, URE had manual and automatic electronic logging to monitor access to the ESPs. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: URE was cooperative; URE self reported the violations; URE had a compliance program in place; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $35,000 (aggregated for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-005-1

Requirement: R1, R2, R3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: ReliabilityFirst

Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) self-reported that a consultant had performed a mock audit and found numerous violations of the CIP Standards in their shared Electronic Security Perimeter (ESP). In particular, URE 1 and URE 2 failed to implement an access control model that denies access by default, and failed to enable only ports and services required for operations and for monitoring Cyber Assets within the ESP, both in violation of R2. URE 1 and URE 2 also failed to identify two non-critical Cyber Assets within the ESP and one Cyber Asset as an access point to the ESP in violation of R1. In addition, URE 1 and URE 2 did not implement logging at the nine access points to the ESP for which they did not have proper access control as there were no firewalls at those access points, in violation of R3. Duration of violation was January 1, 2010 through December 23, 2010 (for R2 and R3) or August 25, 2010 (for R1).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the communications assets associated with the relevant access points were physically protected, and the network systems involved did not communicate outside the UREs. Moreover, the network systems utilize redundant protection that alerts URE 1 and URE 2 to anomalies and potential security issues, and connections to the network systems are password protected. Due to physical constraints, ReliabilityFirst determined it would be hard for an unauthorized user to access the UREs’ systems. However, it noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violation; there was no evidence that the UREs attempted to conceal a violation; and URE 1 and URE 2 promptly prepared, drafted and submitted its mitigation plan for some of the violations of CIP-005-1 such that ReliabilityFirst assessed a zero dollar penalty for those violations.

Penalty: $180,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-247-000 (July 28, 2011)

Reliability Standard: CIP-005-1

Requirement: R2.6

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: The Unidentified Registered Entity self-reported that it had missed a command while configuring its electronic access control devices, which caused 13 devices (out of 17) not to show on the user screen an Appropriate Use Banner on all interactive access attempts.

Finding: RFC and the Unidentified Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $15,000 and to undertake other mitigation measures. RFC found that the CIP-005-1 violation did not constitute a serious or substantial risk to bulk power system reliability since only ten information technology employees had access to the relevant ports and those employees knew the content of the Appropriate Use Banner and the security standards. The relevant ports are not involved in directly monitoring or controlling the bulk electric system and only represented a small subset of the Unidentified Registered Entity’s Critical Cyber Assets. The duration of the CIP-005-1 violation was from January 1, 2010 through May 14, 2010. In approving the settlement agreement, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $15,000 (aggregate for 5 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: FRCC

Issue: FRCC_URE1 self-reported that the firewall at its Emergency Backup System was improperly configured to allow "any-any" default rules (including after the system was put into production) and was not configured to deny all rule and all explicit access privileges as required.

Finding: FRCC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the firewall had only allowed communications from the primary control center's Electronic Security Perimeter (which is a controlled environment and trusted network). The duration of the violation was from July 1, 2009 through September 17, 2009.

Penalty: $38,000 (aggregate for 11 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R3/3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: RFC_URE1 self-reported that it had not configured its firewalls to notify its security management software tool of access denial events, which meant that the security logging and alerts would not have functioned properly if there had been unauthorized access attempts at the firewalls.

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability since RFC_URE1’s Critical Cyber Assets within its Electronic Security Perimeter (ESP) would remain protected from unauthorized access attempts as RFC_URE1 had programmed the firewalls on its ESP to deny access by default. The security management software tool also recorded all permitted access attempts and changes to the firewall configuration. In addition, there was a compliance program in place (which was evaluated as a mitigating factor).

Penalty: $30,000 (aggregate for 6 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R3/3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: RFC_URE3 self-reported that it had not properly enabled its logging and alert system for notification of unauthorized access attempts to the Electronic Security Perimeter (ESP).

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. During the course of the violation, RFC_URE3’s internal computer network was being actively monitored by intrusion detection software, which would have discovered any intrusion into the ESP or suspicious behavior and alerted RFC_URE3. In addition, there were no unauthorized ESP access attempts during the violation. RFC evaluated certain parts of URE_RFC3’s compliance program as mitigating factors.

Penalty: $6,000

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP12-1 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R1.5 (3 violations), R5 (3 violations), R2 (3 violations), R3.2 (3 violations)

Violation Risk Factor: Medium (for R1.5 violations, R2 violations and R3.2 violations), Lower (for R5 violations)
Violation Severity Level: Not provided

Region: RFC

Issue: Three UREs, all subsidiaries of the same Parent Company, self-reported that, as a result of their Supervisor’s failure to manage CIP compliance, they did not provide sufficient protective measures to their Crossbow Access Control System (CACS), which is a CA used in access control and monitoring of the ESP. The CACS functions as the central authentication and monitoring portal for the UREs’ CA substations (R1.5). Also as a result of their Supervisor’s failure to manage CIP compliance, they did not review, update and maintain all of the required documentation regarding compliance with CIP Reliability Standards (R5). In addition, the UREs self-reported that they had not properly documented the configuration of the firewalls of all ports and services needed to operate and monitor the CA within the ESPs or the quarterly review process for authorization rights (R2). Finally, the UREs self-reported that they did not properly enact or document a security monitoring process to detect and provide alerts for unauthorized attempts to access the ESP (R3.2).

Finding: RFC found that the CIP-005-1 violations constituted a moderate risk to BPS reliability. Regarding the R1.5 violations, all 26 users and 4 administrators possessing access to the control system had received a PRA and cyber security training. Furthermore, the control system’s security communicates with the UREs’ servers to determine what type of access is being sought, which provides an additional mechanism for protecting access to the control system. The UREs also installed other authentications and monitoring protections to guard CCAs, thereby protecting against unauthorized access to ESPs. Regarding the R5 violations, the risk of the violations was mitigated as the UREs have certain protections in place to protect the ESPs at their CA substations (even though those procedures were not properly documented). Regarding R2 violations, the UREs had installed and documented a multi-tiered solution to protect their CCAs within their CA substations, including a device which securely communicates with one of the UREs’ servers and authenticates those seeking access to the substations or to discrete devices. For the R3.2 violations, the access points to the ESPs, especially the firewalls, were restricting traffic as intended. The UREs also have separate intrusion detection systems that automatically logs and monitors access to the ESPs, as well as a security services provider that continuously monitors the intrusion detection system. In determining the aggregate penalty amount, NERC BOTCC considered, among other factors, that the Parent Company manages a uniform compliance program among all of its subsidiaries, which is communicated through multiple channels (such as compliance calls, software tools, and training programs). But, the mitigating credit for the compliance program was partially offset by there being insufficient checks on the terminated Supervisor who was responsible for CIP compliance, as the UREs did not notice that the Supervisor was not fulfilling his obligations for the duration of the violations. NERC BOTCC favorably evaluated the fact that the UREs did take corrective action against the Supervisor once the problems were discovered and also initiated a system-wide compliance review.

Penalty: $275,000 (aggregate for 31 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.6, R1, R2/2.1/2.2

Violation Risk Factor: Lower (R2/2.6), Medium (R1, R2/2.1/2.2)

Violation Severity Level: Severe (R2/2.6), High (R1), Moderate (R2/2.1/2.2)

Region: FRCC

Issue: URE self-reported that two of its firewalls that functioned as access points to the ESP did not have acceptable use banners that contained the required language as described in URE’s procedure document (R2/2.6). URE also self-reported that it improperly classified a device (a communication link connecting discrete ESPs) when developing its list of CAs. The device should have been classified as an access point to the ESP (R1). In addition, URE self-reported that it had not applied the access control model of deny by default for its identified access points and did not enact access control rules that would only allow a clearly identified unique host access to the ports and services required for normal operation (R2/2.1/2.2).

Finding: FRCC found that the R2/2.6 violation constituted only a minimal risk to BPS reliability since URE did have an acceptable use banner for its electronic access control devices that was able to inform and deter unauthorized access attempts. FRCC found that the R1 and R2/2.1/2.2 violation constituted a moderate risk to BPS reliability. For the R1 violation, the relevant device was located within a PSP that was not connected to the corporate-wide area network and was in a dedicated encrypted point-to-point tunnel with no remote access. For the R2/2.1/2.2 violation, the firewall rules restricted access to the trusted networks and only allowed access to the non-interactive ports and services. Furthermore, only three of URE’s employees possess access to the rule set and the configuration files for the firewalls. URE had a compliance program in place, but it was only evaluated as a neutral factor.

Penalty: $55,000 (aggregate for 11 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R1/1.5

Violation Risk Factor: Medium

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that some of its CCA logs were not being properly gathered and stored by its central log collector system. These logs were also not being properly processed (as specified by the policies and procedures for logging user account access) and monitored for access.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability since the logging occurred at the device level and was able to be manually reviewed if needed. This was URE’s first violation of the relevant Reliability Standard. WECC evaluated URE’s compliance program as a mitigating factor.

Penalty: $37,000 (aggregate for 4 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R1, R2, R3 and R4

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: WECC determined during an audit that (1) in violation of R1, URE did not provide the protective measures to its ESPs’ ACMs required by the Standard because it could not demonstrate that it reviewed, at least annually, user accounts to verify access privileges are controlled in accordance with the CIP standards; (2) in violation of R2, URE only deployed IP filters at the ESP boundary relative to external interactive access into the ESP which did not result in strong controls, allowing for a significant amount of default access rather than denying access by default; (3) in violation of R3, URE did not implement an electronic or manual process for monitoring and logging access at access points to its ESPs on a 24/7 basis, as shown in a review of a sample 24-hour period; and (4) in violation of R4, URE failed to include the discovery of all access points to the ESP in its first cyber vulnerability assessment, though its second assessment was compliant with the Standard.

Finding: WECC determined that the violation of R1 posed a minimal and not serious or substantial risk to the reliability of the BPS because URE did apply the protective measures required by the Standard, it merely failed to annually review the user accounts. WECC determined that the violations of R2 and R3 did not pose a serious or substantial risk to the reliability of the BPS because URE maintained an intrusion detection system to monitor for possible cyber security issues, and its EMS application limited access only to specified users. WECC also determined that the violation of R4 did not pose a serious or substantial risk to the reliability of the BPS because URE’s cyber vulnerability assessment had met four of the five components required by the Standard, and due to the design and location of the ESP, it was unlikely that unknown access points existed. Duration of the violations was from the date the Standard became enforceable through December 14, 2010 (R1), September 17, 2010 (R2 and R3) and May 29, 2011 (R4). WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations (though not the CIP-005-1 violations), URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.

Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)

FERC Order: Issued December 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R2/2.1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: TRE

Issue: Texas RE_URE found it needed to add more specificity to its procedures, programs, supporting documentation and evidence regarding the issue of enabled ports and services to its ESP in order to comply with the CIP Standards. As a result, all scans and associated enabling/disabling of ports and services were not finished by the required date but were completed until almost a month later, when Texas RE_URE’s ports and services acceptability procedure document was approved, dated and signed.

Finding: The violation was determined to pose a moderate risk to BPS reliability. Texas RE_URE did have the right ports and services enable or disabled, as appropriate, but the documentation was not available on time. Texas RE_URE’s system has other security controls in place such as firewalls and physical access restrictions and during the relevant time period, there were not security breaches. Texas RE_URE’s compliance program was considered a mitigating factor in the determination of the penalty amount.

Penalty: $10,000 (aggregate for 10 violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R4/4.1/4.2/4.4/4.5

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: TRE

Issue: Texas RE_URE found it needed to add more specificity to its procedures, programs, supporting documentation and evidence regarding the issue of enabled ports and services to its ESP in order to comply with the CIP Standards. As a result, not until early 2010 did Texas RE_URE complete certain requirements such as production of a document showing the vulnerability assessment process, its review confirming that only ports and services needed for ESP operations were enabled, its review of controls for default accounts, passwords, and network management community strings; and documentation of the assessment results.

Finding: The violation was determined to pose a moderate risk to BPS reliability. Texas RE_URE did have the right ports and services enable or disabled, as appropriate, but the documentation was not available on time. Texas RE_URE’s system has other security controls in place such as firewalls and physical access restrictions and during the relevant time period, there were not security breaches. Texas RE_URE’s compliance program was considered a mitigating factor in the determination of the penalty amount.

Penalty: $10,000 (aggregate for 10 violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R1/1.5, R2, R3, R4

Violation Risk Factor: Medium (R1.5, R2, R3, R4)

Violation Severity Level: Severe (R1.5, R3, R4); High (R2)

Region: SPP RE

Issue: URE1 self-certified that it was not in compliance with a number of Standards regarding the protection of CCAs and CAs responsible for monitoring and controlling access to the ESP (R1/1.5). URE1 had no documented configurations for all ports and services on its CCAs nor did it have technical procedures on how to log unauthorized outgoing communications from trusted and entrusted interfaces (R2). It had no system for logging and monitoring unauthorized attempts and access within its Energy Management System network of access points to the ESP or for security events for other system components (R3). URE1 did not explain how to perform a vulnerability assessment or how to interpret the results. It had no plan of action to fix any vulnerabilities found. Also, URE1 had no proof that, as a step in a vulnerability assessment, it reviewed default accounts, passwords and Simple Network Management Protocol (SNMP) community strings inside its ESP. URE1 also reported its first vulnerability assessment on its ESP was undertaken about ten months past the required date for compliance with CIP-005-1 R4.

Finding: SPP RE found the violations of R1.5, R3 and R4 constituted a moderate risk to BPS reliability because non-compliance with R1.5 and R3 could leave URE1’s system vulnerable to attack. Regarding R3, URE1 uses TripWire to monitor its system. , although it did not use any logging or monitoring process prior to using TripWire and that program does not monitor all EMS access points on the ESP. which left URE1 with no way to know whether the system had any unauthorized attempts or access. With no procedure in place to fix vulnerabilities, there was no way to guarantee the ESP was secure (R4). Also, the assessment that had been conducted was missing certain requirements of CIP-005 R4. Regarding CIP-005-1 R2, it was determined that violation posed a minimal risk to BPS reliability. URE1 was following the manufacturer configurations for ports and services which were most of its CCA equipment. The ESP has a control mode installed that would not generally allow access to the ESP. Only outgoing communications were missing “deny by default” protection. SPP RE considered URE1’s compliance programs a mitigating factor in determining the appropriate penalty.

Penalty: $68,000 (aggregate for 12 violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2011)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: URE self-certified that a number of its devices had ports and services improperly enabled that were not needed for operations and for monitoring CAs within URE’s ESP. In addition, URE had also not properly documented the configuration of the ports and services for the relevant devices.

Finding: WECC found that the CIP-005-1 violation constituted a moderate risk to the BPS as those extra enabled ports and services were a risk to URE’s CAs (as it could facilitate an unauthorized internal or external access that could lead to cyber attacks). But, the violation was limited to certain devices and URE was monitoring and logging system events. In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $135,000 (aggregate for 20 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)

Reliability Standard: CIP-005-1

Requirement: R1/1.5

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE submitted a self-report of possible non-compliance with the Standard once it realized it was not testing updated or new software and firmware prior to launching to ensure there would be adverse affects on existing cyber security controls as required by R1.5. URE also self-reported that its patch management program is directed to operating system and major application patches, leaving minor or peripheral applications on CAs responsible for protection of the ESP with inconsistent protections. URE eventually reported all CAs not having the protections set forth under CIP-007-1 R1 and R3. And, further, URE’s failure to evaluate, test and install applicable security patches for its CAs is a violation of CIP-007-1 R3.

Finding: The violation constituted a minimal risk to BPS reliability because URE’s CAs did have the protections set forth under CIP-005-1 R1; however, not ensuring CAs responsible for access control and/or monitoring of the ESP are protected through the testing requirements set forth in CIP-007-1 R1 and R3 could allow for unauthorized access to these CAs which, in turn, leaves the possibility of allowing cyber attacks against CCAs required for BPS reliable operation. However, URE’s CAs were afforded some protection under CIP-005-1 R1. URE’s self-report was not given credit in terms of assessing the penalty because it was submitted during a self-certification process.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-005-1

Requirement: R2/2.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that, while conducting an internal review, it found that certain baseline ports and services related to control center firewalls did not have complete configuration documentation.

Finding: NPCC found the violation constituted a minimal risk to BPS reliability because URE’s CCAs were protected by account management controls, an intrusion detection system and access log review protocols. The EMS network cannot be accessed from the public internet nor can devices within the EMS and ESP be used to connect to the public internet because the EMS network space uses non-routable private addresses for added system protection. Also, the missing documentation did not cause any incidents to occur at URE. NPCC considered certain parts of URE’s internal compliance program as a mitigating factor in determining the appropriate penalty.

Penalty: $5,000 (aggregate for 2 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2/2.2/2.4; R3/3.2; R5/5.1

Violation Risk Factor: Medium (R2/2.2/2.4; R3/3.2); Lower (R5/5.1)

Violation Severity Level: High (all)

Region: SPP RE

Issue: URE submitted a self-report for various violations of the CIP-005-1 Reliability Standards. In particular, URE was non-compliant with R2.2 and 2.4 because it had not documented the configuration for the ports and services used to access its ESP nor did it have a documented process to be used by IT staff for remote access to URE’s EMS through its ESP firewall or the external login procedure used for read-only EMS users. Regarding R3, URE had not identified the order of firewall logging nor had it properly documented its firewall access logs. Also, URE did not have a formal written process for IT staff to use when a user became locked out of a firewall. Regarding R5, URE also self-reported it had no documentation to show access point and CA configurations, and its procedures for access and logging were not properly recorded. As a result, URE did not have all proper documents, and was therefore in violation of the requirement to review documents and procedures set forth in CIP-005 on a yearly basis.

Finding: The violations constituted a minimal risk to BPS reliability because of the following. The violation of R2 was documentation relation. With respect to access restriction (R2.4), the ESP firewall was properly restricting access to the EMS. The users were allowed read-only rights and first had to authenticate through the PSP, then the workstation and lastly the EMS application. Administrative rights were given to only three employees and URE had other security measures to ensure server access was protected. URE also had documented its ports and services in earlier vulnerability assessments, but they had mistakenly been omitted from URE’s CIP procedures. Regarding the violation of R3, URE was found to have several existing security measures in place for protecting unauthorized access to the EMS system and URE conducted manual reviews of its server logs. In addition, no cyber security events were reported during the violation period. Finally, with respect to R5, SPP RE found URE had current and past documentation for access points to its ESP which were contained in vulnerability assessment reports undertaken by its EMS vendor, which it was noted serve as a review of URE’s access point configurations. URE’s compliance history was considered as a factor in determining the appropriate penalty.

Penalty: $12,000 (aggregate for 8 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1/1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported that, while conducting an internal CIP audit review, it found ten devices associated with ESP access control and monitoring had not been correctly identified as access control and monitoring devices. As such, the devices were not part of URE’s NERC CIP compliance program and were not given all protective measures under R1.5.

Finding: The violation was determined to pose minimal risk to BPS reliability because all ten devices were located within a defined ESP and PSP and additional security controls were in place, such as account management, strict firewall access control, and event logging and network intrusion detection. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor. NPCC considered that URE’s Mitigation Plan was not completed on time, but NPCC did not adjust the penalty figure because URE was finishing related work under a separate Mitigation Plan that was on a different completion schedule and NPCC was aware of the revised timeframe.

Penalty: $25,000 (aggregate for 4 violations)

FERC Order: Order issued May 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-certified a violation of CIP-005-1 R3 due to its security monitoring process for detection and notification of unauthorized access attempts being misconfigured at two firewalls located on an ESP. URE’s security management software tool was only alerting URE of unauthorized access attempts based on the frequency of access turndowns from a particular IP address, but the two firewalls were not configured to report access denial instances to the security management tool. URE’s security logging and alert system would not have reported any unauthorized access to the firewalls on the ESP under the current configuration.

Finding: RFC found the violation constituted a moderate risk to BPS reliability which was mitigated because the firewalls were set up to deny access by default so CCAs in the ESP were protected during the violation period. Also, the security management software tool was logging all allowed access attempts and firewall configuration changes. In determining the appropriate penalty, RFC considered certain aspects of URE’s compliance program as a mitigating fact.

Penalty: $12,000 (aggregate for 4 violations)

FERC Order: Order issued May 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1; R1.5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of CIP-005-1 R1 because it had failed to afford all security measures to Cyber Assets used in access control and monitoring of the ESP (pursuant to R1.5), specifically the measure that requires entities to identify individuals with access to shared accounts (per CIP-007-1 R5). WECC Subject Matter Experts (SMEs) found that URE failed to identify three individuals with access to shared user accounts to Cyber Assets used in ESP access control and monitoring. SMEs determined that the individuals were not identified as having access to shared accounts that allowed access to three ESP access points. WECC determined URE’s failure to list individuals with access to shared accounts for ESP devices pursuant to CIP-007-5 R5 constituted a violation of CIP-005-1 R1.5.

Finding: WECC determined this violation posed a minimal risk to the reliability of the bulk power system (BPS) the risks were mitigated by the existing compensating measures in place during the violation period. The individuals in question had completed a personnel risk assessment and cyber security training (per CIP-004), and. Furthermore, electronic access to devices using shared accounts was logged and monitored, and all CCAs and Cyber Assets were secured within ESPs and Physical Security Perimeters. URE compiled a list of all shared accounts and the individuals with access to the accounts (per CIP-007-1 R5.2.2), as well as documented and implemented a new process designed to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges. Additionally, URE’s process includes a policy for managing the use of such accounts to limit access to only those with authorization, audit the trail of account use, and secure accounts in the event of personnel changes.

Penalty: $15,600 (aggregate for 3 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2; R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of R2, because it failed to ensure that only those ports and services required for normal operation were enabled on two firewalls that control access points to its ESP.

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, in which the Registered Entity agreed to pay a penalty of $21,000 and to undertake other mitigation measures. WECC determined that the violations posed a minimal risk to the reliability of the bulk power system since access to all Cyber Assets within the ESP were monitored and physical/electronic alerts from monitoring controls are reviewed 24 hours a day. Moreover, only authorized personnel are granted access to these devices. The URE reviewed and revised its program procedure for critical infrastructure protection and training was completed.

Penalty: $21,000 (aggregate for 3 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R5.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: MRO

Issue: During spot check, MRO was unable to establish that URE reviewed, updated, and maintained all documentation to support the annual reviews required by R5.1. MRO noted that URE had not ensured that all required documentation had been reviewed, updated and maintained on an annual basis.

Finding: MRO determined the violation posed a minimal risk to the reliability of the bulk power system (BPS) because it was administrative violation that related to properly documenting review of policies and procedures. The URE had evidence for the majority of the documents examined, and despite the fact a small number of documents lacked evidence of a review, the violation was not due to a lack of procedures. In response, URE formalized the annual documentation review process, completed training for all standard owners and conducted necessary annual reviews.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-29 (May 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, despite its policy against using dial-up connection to CAs and CCAs, one of its engineers remotely accessed a relay (which was a CA within as ESP) by dialing a modem number for a communication processor to the relay. URE had not properly implemented its procedure for securing dial-up access to the ESP since the legacy modem line that was used to connect to the equipment at substation should have been disabled.

Finding: WECC found that the CIP-005-1 violation constituted a moderate risk to BPS reliability. The device used to connect to the relay could also have been used to connect to numerous other relays (all of which are CAs) and the failure to control electric access to the ESP exposes the CCAs within the ESP to the risk of security attacks. But, URE had security measures designed to prevent access to the CCAs and the devices used to connect to the relays were password-protected and are located with an ESP and PSP. Furthermore, the engineer who accessed the relay is current on his CIP training and has a PRA on file. In approving the settlement agreement, NERC considered as mitigating factors that the violations were self-reported; URE had an internal compliance program in place that was reviewed by WECC; URE was cooperative during the process and did not conceal the violation; URE completed all applicable compliance directives; the violations were not intentional; and this was URE’s first violation of one of the Reliability Standards. But, this was URE’s second violation of CIP-005-1 R2, which WECC viewed as an aggravating factor.

Penalty: $162,200 (aggregate for 2 violations)

FERC Order: Order issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: Upon finding that WECC was beginning the semi-annual CIP Self-Certification process, URE submitted to WECC that it was “Substantially Compliant” with CIP-005-1 R1 and submitted a self-report stating that it had not provided all of the CIP protective measures to the RSA device responsible for keeping the logs required for the purpose of access control and/or monitoring of URE’s ESP and CCAs. The relevant device also preserves firewall rules and changes made to firewalls. In particular, WECC reported that URE did not apply all protective measures to CAs for access control and monitoring its ESP, as detailed in CIP-003, CIP-004 R3, CIP-005 R2 and R3, CIP-006 R2 and R3, CIP-007 R1 and R3 through R9, CIP-008, and CIP-009.

WECC found that URE had not provided the protective measures under the CIP Reliability Standards as follows: CIP-005 R2.5.3: URE had no cyber access list required to review rights granted to employees with cyber access. CIP-007 R1: URE did not test anti-virus software installed before being put in service and had not ensured that an operating system patch for Windows Server 2003 would not negatively impact existing security controls. CIP-007 R4: no anti-virus or anti-malware software had been installed to the RSA device. CIP-007 R8: the RSA device had not been assessed for cyber vulnerabilities. CIP-009 R1 through R4: URE had no recovery plan in place associated with the RSA device.

WECC further found upon consultation with URE that four switches externally connected but having end points inside the ESP had not been recorded as ESP access points, as required under CIP-005 R1. URE claimed the switches had been designated as CCAs but not as ESP access points since traffic did not flow through those devices to the ESP. Finally, WECC discovered one keyboard, video and mouse switch located outside of the ESP but providing remote access to CCAs were also unidentified access points to the ESP.

Finding: The violation was deemed to pose moderate risk to BPS reliability because URE’s failure to provide all CIP protective measures to every CA inside the ESP leaves those assets at risk for cyber attacks not being noticed or responded to. Access to the CAs could then be further abused for the purpose of disrupting BPS operations. WECC found the violation did not represent serious or substantial risk to BPS reliability because all employees with access to the relevant devices had current PRAs on file and had received CIP training. Any access could be checked through Windows Active Directory. The RSA device is contained in a PSP and all firewall logs were reviewed daily during the week. Alerts to failed logins or unusual traffic were automated and set up to be sent to URE security personnel. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program, but no self-report credit was given since URE reported the violations during the Self-Certification submission process. URE agreed/stipulated to WECC’s findings.

Penalty: $67,500 (aggregate for 9 violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R1/1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified a violation of CIP-005-1 R1.5 because it did not avail all security measures under the Standard to CAs used in access control and monitoring of the ESP. Specifically, all security patches/upgrades are required to have a documented assessment of possible impact to the system; however, URE did not have such documentation.

Finding: WECC deemed the violation to pose minimal risk to BPS reliability which was mitigated by the following reasons. URE did properly assess and document a certain kind of security patch/upgrade. URE had assessed and implemented all other kinds of security patches and upgrades; however, it did not document those assessments. In addition, the CCAs and CAs were protected inside PSPs and ESPs. All access to PSPs is restricted and documented and PSPs are protected by security guards. Any individual having access to CAs and CCAs would have had to complete a PRA and cyber security training. The devices inside the ESPs are protected by anti-virus software and malware prevention devices. URE did not contest WECC’s findings. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor.

Penalty: $12,500 (aggregate for 3 violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-005-1

Requirement: R2/2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE filed a self-report with WECC stating that it had not review its ports and services completely. In particular, URE stated it did not ensure that it had enabled only those ports and services required for normal operations on six firewalls that control all of URE’s ESPs.

Finding: WECC found the violation to pose minimal risk to BPS reliability because URE did have other controls in place for logging and monitoring access to all CAs contained in the ESP while the violation was ongoing, including physical and electronic alerts which are reviewed 24 hours a day. As well, the only personnel who could access the devices were authorized.

Penalty: $12,000 (aggregate for two violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-005-1

Requirement: R2.2, R1.5

Violation Risk Factor: Medium (R2.2, R1.5)

Violation Severity Level: Severe (R2.2, R1.5)

Region: WECC

Issue: URE self-reported that it did not fully document the configuration of the ports and services at all of its ESP service points, even though it had actually enabled only those ports and services required for operating and monitoring CAs within the ESP as required (R.2.2). URE also self-reported that it did not properly document the configuration of the ports and services for CAs used in ESP access control and monitoring (R1.5).

Finding: WECC found that the CIP-005-1 violations only constituted a minimal risk to BPS reliability since URE did actually have a documented process for addressing services and one category of ports and had enacted mechanisms used in ESP access controls. URE had only the ports and services enabled that were required for normal operations and monitoring. In addition, the CAs with electronic access control and monitoring had 96.6% of the required protective measures. These violations also involve primarily documentation issues. URE’s compliance program was evaluated as a mitigating factor.

Penalty: $15,000 (aggregate for 4 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1, 4

Violation Risk Factor: Medium (both)

Violation Severity Level: Severe (both)

Region: FRCC

Issue: URE submitted a self-report explaining two CIP-005-1 violations. First, URE had not identified and documented all serially connected communication end points as access points to its ESP in violation of R1. Second, URE could not show that its cyber vulnerability assessment (CVA) of electronic access points to its ESP was conducted completely and accurately as required by R4. The CVA did not include a review of ports and services or default community strings nor did it have an action plan to correct any found vulnerabilities.

Finding: FRCC determined the violations posed a moderate risk to BPS reliability. Although URE did protect access points, devices connected to those access points were not given the same security protections and could be accessed by unauthorized individuals, but those devices used serial, non-routable protocols and were protected inside a PSP. Ultimately, however, any risk was abated because personnel with access to the ESP are all vetted and have completed cyber security training. With respect to the CVA, final results showed that all ESP access points were securely configured and communicated with trusted network devices only. In determining the appropriate penalty, FRCC gave credit to URE's internal compliance program as well as credit for cooperating through the audit process.

Penalty: $75,000 (aggregate for 10 violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2/2.2/2.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: While conducting a CIP compliance audit, FRCC found that URE had not disabled ports and services not needed for operations and monitoring on one access point to an ESP. Also, URE was not using adequate controls for remote interactive access. The process in use by URE could not completely authenticate the party attempting access.

Finding: FRCC determined the violation posed a moderate risk to BPS reliability because leaving ports and services open when not needed exposes URE to the possibility of cyber attacks; however, in this instance, the ports that were open were limited to trusted networks controlled and maintained by URE. Also, the inability to authenticate users attempting to access URE's network exposes URE to the possibility of unauthorized users gaining access to the network. For the instant violation, the risk was limited because URE has other protections in place for its ESP. In determining the appropriate penalty, FRCC gave credit to URE's internal compliance program as well as credit for cooperating through the audit process.

Penalty: $75,000 (aggregate for 10 violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2/2.2, 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: While conducting an on-site compliance audit of URE, WECC found two violations of CIP-005-1. First, URE did not follow the requirements of R2.2 because it had not enabled only those ports and services required for operating and monitoring its Cyber Assets inside of an ESP, and it had not documented an unauthorized service to the access point for its backup control center ESP. Specifically, the audit discovered an internet protocol and port were found to be undocumented access points to the backup control center ESP. Also, a default password was enabled that left URE's facility vulnerable to attack. URE held that its internet protocol service, port and password were not enabled and were in default mode, which would prevent access to the ESP. However, WECC found that the default mode was "enabled," which is a violation of the Standard. Second, URE provided WECC with the results of a cyber vulnerability assessment it had performed. WECC reviewed the results and found that URE had not correctly used the information provided by the assessment to ensure that only those access points required for its operations were enabled. WECC ultimately determined that URE failed to perform an accurate cyber vulnerability assessment.

Finding: Both violations posed moderate risk to BPS reliability. URE provided WECC with evidence that its system was adequately protected. URE uses electronic access controls to its ESP and physical access controls for its PSP. URE's internet protocol software vendor confirmed that the service was in a default setting, which precludes access and prevents attacks.

Penalty: $30,000 (aggregate for two violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: URE self-reported that it could not establish that only those ports and services required for operations and monitoring CAs within the ESP had been enabled.

Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could allow intruders to access open ports. The violation was mitigated by URE's redundant security measures, including strong firewall protections and electronic access points were configured to deny access by default. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.

Penalty: $150,000 (aggregate for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 4.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: During a Compliance Spot Check, FRCC determined URE did not include a documented remediation or mitigation plan for identified vulnerabilities in its Cyber Vulnerability Assessment.

Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because it could lead to risks to the BPS. The violation was mitigated by the fact that the majority of identified vulnerabilities were located outside the ESP, and none of the vulnerabilities were externally exploitable or could otherwise compromise immediate system security. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.

Penalty: $150,000 (aggregate for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 1/1.6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: TRE

Issue: URE submitted a self-report explaining that it found a server had been installed inside a transmission substation ESP but was not identified as a CCA or non-CCA within the ESP due to an incorrectly configured gateway router setting.

Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability which was mitigated because the device was installed within URE's ESP and was unable to communicate outside of the ESP. In addition, URE has access control measures in place at the ESP and PSP levels.

Penalty: $0 (for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 2, 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: TRE

Issue: URE submitted a self-report explaining two violations of CIP-005-1 discovered during a Multi-Region CIP Audit. First, one of URE's parent companies that serves as a service provider on URE's behalf could not show that only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter (ESP) were enabled. Even though URE performs an annual review of all ports and services, it had no baseline record of required ports and services. Without a baseline record, URE could not determine a history of modifications to the ports and services in order to verify their configurations. Also, URE had no list of ports and services and the reason that they are open, nor did URE maintain a document identifying the content of all its required appropriate use banners. (R2).

Second, URE also self-reported that the parent company acting as the service provider did not have a list of ports and services that are required for operation. URE provided documentation of an annual review of ports and services and documentation of the function for each port and service, including initial configurations, but did not provide documentation of which ports and services are required for operation, as required by CIP-005-1 R4.2. In addition, URE did not account for all access points to its Electronic Security Perimeter (ESP) as part of its cyber vulnerability assessment, as required by CIP-005-1 R4.3.

Finding: The violations were deemed by TRE to pose minimal risk to BPS reliability. URE performs an annual review of each Cyber Asset and documents the process for each Cyber Asset to ensure that it enables only ports and services required for operations and monitoring of Cyber Assets within the ESP. URE also displays appropriate use banners on all its access control devices, but it did not document the content of all such banners. Regarding CIP-005 R4.3, URE conducts an annual discovery scan to identify all Cyber Assets within a specific ESP and compares the results of this scan to a list of known devices, and then identifies and confirms access points, as applicable. URE states that it has correctly identified all the access points to the ESP, and even through URE did not conduct a scan that would discover all possible access points to its ESP, it did conduct an annual scan that discovered all Cyber Assets connected to a network with the ESP.

Penalty: $0 (for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of CIP-005-1 R4 based upon its finding that its outside contractor used to conduct cyber vulnerability assessments of electronic access points to its Electronic Security Perimeter (ESP) was not performing the assessments in accordance with the Reliability Standard but instead was conducting the assessments according to standard IT practices. URE found that the cyber vulnerability assessments had not included (1) a document identifying the vulnerability assessment process (R4.1); a review to verify that only ports and services required for operations at those access points are enabled (R4.2); (3) the discovery of all access points to the ESP (R4.3); or (4) documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan (R4.5).

Finding: The violation was deemed by RFC to pose moderate risk to BPS reliability which was mitigated by the following. Although the cyber vulnerability assessments were not performed according to the requirements of CIP-005-1 R4, the assessments were based on information technology practices. All open ports on each system were identified. The assessment classified the known vulnerabilities according to severity. And, additional security measures were in place to adequately protect URE's system. In determining the appropriate penalty, RFC considered certain aspects of URE's internal compliance program as a mitigating factor. In addition, further mitigating factors included that URE self-reported the violations and URE's cooperation during the enforcement process. URE also promptly submitted a Mitigation Plan to remediate the violation. URE agreed to RFC's findings.

Penalty: $12,000 (aggregate for four violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1, 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: Following a self-report, WECC determined URE violated R1 because it failed to identify two non-critical CAs used for communications within a defined ESP and also failed to provide all the required protections to several CAs that are part of URE's ESP access control and monitoring systems (R2).

Finding: WECC determined that the violations posed a minimal risk to the reliability of the BPS. The violation of R1 was mitigated because the CAs were located within an ESP and subject to associated protections. The violation of R2 was mitigated because the enabled ports at issue only involved printer access and were protected by other systems such as intrusion detection and prevention systems. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.

Penalty: $200,000 (aggregate for 12 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: Following a self-report, WECC determined URE violated R4 because URE failed to perform an annual Cyber Vulnerability Assessment (CVA) for 67% of its ESP access points during a two-year period.

Finding: WECC determined that the violation posed a moderate risk to the reliability of the BPS because it could cause vulnerabilities susceptible to malicious access to go undetected. The violation was mitigated by URE's CVA program, which included the discovery and control of all access points to the ESP. URE also has intrusion detection systems and system logging to monitor access. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following factors: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.

Penalty: $200,000 (aggregate for 12 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1 (three violations, one for each URE)

Violation Risk Factor: Medium (1)

Violation Severity Level: High (1)

Region: RFC

Issue: Based on a self-report, RFC determined that URE1, URE2 and URE3 had not verified that one of its applications displayed an appropriate use banner, when technically feasible, on the user screen for all interactive access attempts or enacted technical and procedural controls for access authentication and accountability for all user activity and to limit the risk of unauthorized system access for shared service accounts. The UREs also did not properly make sure that significant changes that were made to 19 of its Cyber Asset devices did not have an adverse effect on their existing cyber security controls. URE1 also did not submit the correct device count for two Technical Feasibility Exception requests that it filed for devices that are part of its access control and monitoring of its ESPs. URE1 also did not have accurate documentation of one of its ESP, as it improperly included a firewall on a diagram of its emergency backup system (EBS) ESP. In addition, URE1, URE2 and URE3 did not change the default password for an enabled guest account as required. In regards to the Cyber Assets used in the access control and monitoring of the ESPs, the UREs did not enable only those ports and services required for operations and monitoring of Cyber Assets within ESP at all of the ESP’s access points, implement security patches for two of its Cyber Assets and hardware patches for one of its Cyber Assets, properly document measures to mitigate the risk of exposure, and install technical controls that require the use of password of certain complexity. While implementing its mitigation plan, URE1 also did not install appropriate use banners on two of its monitoring systems contained in the ESP of URE1’s EMS and EBS. URE1 also improperly removed three access points from its EMS and did not reset them to their factory default settings, as required, before it sent them back to its vendor. In addition, URE2 and URE3 improperly listed two devices as access control and monitoring devices, instead of as access points to the ESP (which they were), and identified two additional devices as CCAs (even though they were also access points to the ESP). URE 2 and URE3 did not properly show, as required, the infrastructure of their EMS network on their EMS ESP drawing. In addition, URE2 and URE3 did not provide the required protections to several of its Cyber Access used for the access control and monitoring of the ESP, including not properly documenting the testing of firewalls, not only enabling ports and services required for normal and emergency operations for 25 Cyber Assets, not implementing security patches for two operating systems and properly documenting measures to mitigate risk exposure, not installing technical controls for password complexity, and not creating recovery plans for Cyber Assets. Furthermore, as a result of the Cyber Vulnerability Assessments, it was determined that several of the UREs CCAs included on their substation CCA list did not correspond to respective ESP drawings. Also, field maintenance laptops used by the UREs should have been contained in the ESP diagrams as non-critical Cyber Assets within a defined ESP (which they were not).

Finding: RFC found that the CIP-005-1 R1 violations constituted a moderate risk to BPS reliability since the violations could lead to cyber intrusions on the CCAs. But, the risks were mitigated through a variety of measures. For example, the UREs had in place processes to control electronic access at all electronic access points to the ESP. The UREs did not have any device unprotected as a result of incorrect ESP drawings. The UREs also utilized firewalls and their Parent Company’s access control system (which authenticates access to the UREs’ substations and its discrete devices). The UREs also limited their open ports and services and the UREs had a policy of denying access to Cyber Assets by default. In addition, the UREs Cyber Assets were not adversely affected by significant change as they continued to properly operate and no security patches were released during the course of the violations. Furthermore, all of the electronic access monitoring and control devices are contained within a PSP, which controls physical access through access authorization and logging devices. The UREs also had procedural controls that applied to password complexity. There is a wide range of protective measures in place to guard access to the ESP and the Cyber Assets located within the ESP. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measure, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2 (three violations, one for each URE)

Violation Risk Factor: Medium (2)

Violation Severity Level: Severe (2)

Region: RFC

Issue: During a compliance audit, RFC determined that URE1 had not, as required, only enabled those ports required for normal operations and monitoring of Cyber Assets within the ESP for its serial server devices and the EMS and the EBS EMS firewalls. RFC found that URE1 also did not have a list of open ports and services or a description of why the ports and services were open and did not display an appropriate use banner on the user screen of an electronic access control device during interactive access attempts. For URE2 and URE3, RFC determined that they also did not display an appropriate use banner on the user screen of electric access controls devices upon all interactive access attempts and that their EMS firewalls were unable to support an appropriate use banner for certain logins (and URE2 and URE3 did not file for Technical Feasibility Exceptions).

Finding: RFC found that the CIP-005-1 R2 violations constituted a moderate risk to BPS reliability since the inconsistent applications of mechanisms to control electric access to the ESP could have exposed the UREs to unauthorized access and made them vulnerable to cyber intrusion. But, the UREs did have appropriate use banner configured on their access control system, which required identification, authentication and authorization before a user was able to access certain assets or firewalls. The UREs also limited access to the EMS as the EMS ESP was contained within an established PSP and provided with additional protective measures. In addition, the UREs had a private network for their Critical Asset substations, which is protected by firewalls, that isolated Critical Asset substation data traffic from other bulk electric and distribution traffic. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measure, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 3.2, 4

Violation Risk Factor: Medium (3.2, 4)

Violation Severity Level: Severe (3.2, 4)

Region: RFC

Issue: URE1 self-reported that its security monitoring process alert did not designate response personnel as required and that its IT personnel did not properly implement the procedures for monitoring and responding to alerts (such as having automated notifications when an alert was generated). In addition, URE1 was not reviewing, at least every 90 days when alerting was not technically feasible, the access logs for unauthorized access (3.2). URE1 also self-reported that during its annual cyber vulnerability assessment, it had not reviewed its controls for default accounts and network management community strings as required (4).

Finding: RFC found that the CIP-005-1 R3.2 and R4 violations constituted a moderate risk to BPS reliability. For R3.2, someone may have been able to access URE1's ESP without leaving a record of the intrusion and without URE1 knowing (and, thus, URE1 would have been unable to prevent or track intrusions that could potentially harm the integrity of CCAs within the ESP). But, URE1's staff members were monitoring the system continuously and had undergone training regarding the appropriate responses to a full range of incidents. And when URE1 did review its access logs, there were no unauthorized access attempts or actual access to the EMS ESP. In regards to R4, this violation also provided an opportunity for the vulnerabilities in URE1's ESP access points to be exploited (without URE1 being aware). But, URE1's had an established ESP around its EMS and EBS CCAs and its non-critical Cyber Assets and had enacted the other protective measures required by the Reliability Standard. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measure, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 5 (three violations, one for each URE)

Violation Risk Factor: Lower (5)

Violation Severity Level: High (5)

Region: RFC

Issue: During a compliance audit, RFC determined that URE1 mistakenly included a firewall in its documentation of the ESP for the EMS Network and EBS Network that was not contained in the ESP (and, thus, its ESP documentation did not reflect its current configurations and processes). RFC also found that URE2 and URE3's documentation was incomplete since it did not list four devices as access points to the ESP and did not have the current configuration of their EMS network for the EMS ESP. In addition, as learned from the Cyber Vulnerability Assessments, there were several CCAs on the substation CCA list of the UREs that did not correspond to ESP drawing.

Finding: RFC found that the CIP-005-1 R5 violations constituted only a minimal risk to BPS reliability since none of the UREs' devices were unprotected and the violations only involved incorrect ESP drawings. The UREs had also implemented procedures to control electronic access to the ESP and had installed firewalls and an access control system (which securely communicated with the Parent Company's Server). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measure, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: High

Region: SPP

Issue: SPP found that URE had improperly identified an EMS front-end device as an ESP access point and a CCA, but the device only qualified as a CCA. URE also did not identify, as required, an ESP access point (a signal switching device) for both RTU traffic and the EMS front-end.

Finding: SPP found that the violation constituted only a minimal risk to BPS reliability. The EMS front-end device was implementing and performing the expected access control functions. The RTU traffic crossing the signal switching device was non-routable and used leased line analog communication circuits, which reduced exposure to vulnerabilities. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 4.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a compliance audit, SPP found that URE did not possess sufficient documentation showing that enabled ports and services had been reviewed pursuant to URE’s annual vulnerability assessments of the ESP access points. As a result of the settings on URE’s vulnerability tool, ports and services that were not required for operations may have remained enabled.

Finding: SPP found that the violation constituted only a minimal risk to BPS reliability. URE’s firewall was protected from access through unauthorized ports and any unauthorized port traffic through the firewall would be blocked at the host machines. In addition, all of the enabled ports and services had been properly documented. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: Further to a Compliance Audit, FRCC determined that URE1 had violated R1 by failing to document all Critical Cyber Assets (CCAs) located within the Electronic Security Perimeter (ESP). In particular, two access points were not marked as access points on the logical ESP drawings. In addition, for one year following the compliance enforcement date, the entity did not document its ESP and access points, and it did not include a VLAN in the ESP drawings until two years following the compliance enforcement date.

Finding: FRCC determined that the R1 violation posed a minimal risk to the reliability of the BPS because all CCAs were indeed protected within the ESP, and the access points at issue were not outside-facing. In addition, the CCAs at issue were included in the entity’s official CCA list. Furthermore, explicit permissions pursuant to the Energy Management System dictated communications from the access points to certain devices. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.

Total Penalty: $33,000 (aggregate for 8 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1; 1.5

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: RFC

Issue: URE1 self-reported a violation of R1 after discovering that six of its servers utilized in access control and monitoring (ACM) of the ESP were not communicating with the device responsible for deploying malware prevention signatures for eleven months, due to a defect in the anti-malware product. In addition, the entity self-reported that some of its Cyber Assets used in ACM were omitted from the entity’s annual cyber vulnerability assessment.

Finding: RFC determined that the R1 violation posed a moderate risk to the reliability of the BPS which was mitigated by: (1) earlier versions of the Signatures that operated continually on the affected servers; (2) the protection already afforded to the servers by the firewalls that limit access and do not allow connection to the internet; (3) the location of the servers outside of the ESP which limited the risk to the entity’s critical cyber asset at issue; and (4) the physical security perimeter that also protects the servers to which access was limited. In addition, no malware was found on the servers when the issue was ultimately identified. The risk to the reliability of the BPS caused by the entity failing to include ACM devices in its annual assessment was mitigated by the firewalls included in the annual assessment; the intrusion detection system that was in place during the violation; the entity’s 90-day logs that include operating system audit logs, application logs, system logs, virtual PC security events, system alerts, and anti-virus/malware detection alerts; and the fact that there is no direct internet access to the devices. Finally, the devices performed their functions during the violation period. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation, and the entity’s commitment to compliance and reliability to be mitigating factors in making its penalty determination. The violation began when the entity failed to implement its process for updating Signatures and ended when the entity conducted an interim assessment for its ACM Devices. URE1 neither admitted nor denied the violation.

Total Penalty: $10,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2; 2.2; 2.4; 2.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: Further to a Compliance Audit, FRCC determined that URE1 had violated R2 when it determined that the entity had enabled web services on its access points to the ESP when not operationally required. In this regard, the entity had not specified only those ports required by Cyber Assets to communicate with trusted devices outside the ESP, nor had the entity implemented strong authentication controls at the access points. In addition, while all access points had banners implemented, the content of the banner at the access points for all remote interactive access was not documented, and for access points with documented banner content, the documentation did not match the actual banner content.

Finding: FRCC determined that the R2 violation posed a moderate risk to the reliability of the BPS because access to services on the access points allowing possible access to protocol configuration services was limited to certain devices with specified addresses, and remote access was limited and controlled. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.

Total Penalty: $33,000 (aggregate for 8 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 3; 3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: Further to a Compliance Audit, FRCC determined that URE1 had violated R3 when it determined that the entity had not implemented one of the security monitoring processes (logs and alert configurations) that alerted for failed or denied attempts at accessing the Electronic Security Perimeter.

Finding: FRCC determined that the R3 violation posed a minimal risk to the reliability of the BPS for a number of reasons, including: the entity had properly configured all access rule sets at the access points, thereby blocking unauthorized access attempts and detecting unauthorized access through other alert criteria; the entity had a firewall that restricted all untrusted traffic; the entity had an intrusion detection system that monitored the access point at issue; and the access point at issue logged all activity. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company reached the necessary mitigation milestone. URE1 neither admitted nor denied the violation.

Total Penalty: $33,000 (aggregate for 8 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 4; 4.2; 4.3; 4.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: Further to a Compliance Audit, FRCC determined that URE1 had violated R4 when it determined that the entity could not show that its cyber vulnerability assessment (CVA) included an evaluation that that only ports and services required for operations at the access points were enabled. FRCC further determined that the CVA neither provided for documentation of all access points to all Electronic Security Perimeters (ESPs) nor did it document the review of controls for default accounts, passwords, and network management community strings.

Finding: FRCC determined that the R4 violation posed a moderate risk to the reliability of the BPS because undertaking the CVA itself would help to minimize the impact of open vulnerabilities, and such assessment had indeed been undertaken, even if the documentation was incomplete. FRCC considered URE1’s ICP a mitigating factor in making its penalty determination. The violation began when the standard became mandatory and enforceable for URE1 and ended when the company completed its mitigation plan. URE1 neither admitted nor denied the violation.

Total Penalty: $33,000 (aggregate for 8 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 did not have one device documented as a CA within its ESP.

Finding: RFC determined that the violation posed a minimal risk to the reliability of the BPS, but not a serious or substantial risk, because the relevant device does not transmit data to the EMS. URE2 determined that the device did not need ESP protection and reconfigured it outside of the ESP. But, the device was located within an ESP and PSP so it was protected by the security protections afforded to those areas. The violation began on January 17, 2011, and ended on March 28, 2011 when the device was relocated outside of the ESP. URE2 admitted to the violation. In determining the appropriate penalty, RFC considered some aspects of URE2’s ICP to be mitigating factors. Also, RFC found URE2 to be cooperative during both the Compliance Audit and follow up enforcement activities but considered that a neutral factor.

Total Penalty: $65,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 could not provide evidence that only those ports and services needed for operations and monitoring CAs within the ESP were enabled at all ESP access points.

Finding: RFC determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because the systems inside the ESP have limited connections to outside networks and firewalls restrict network traffic as well. URE2 also has security systems in place to detect and alert any unauthorized access. The violation began on February 18, 2011, and ended on August 12, 2011 when URE2 completed its Mitigation Plan. URE2 admitted to the violation. In determining the appropriate penalty, RFC considered some aspects of URE2’s ICP to be mitigating factors. Also, RFC found URE2 to be cooperative during both the Compliance Audit and follow up enforcement activities but considered that a neutral factor.

Total Penalty: $65,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 had not included a review in its cyber vulnerability assessment to ensure that only those ports and services needed for operations and monitoring CAs within the ESP were enabled at all ESP access points.

Finding: RFC determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because the systems inside the ESP have limited connections to outside networks and firewalls restrict network traffic as well. URE2 also has security systems in place to detect and alert any unauthorized access. The violation began on January 27, 2011, and ended on August 16, 2011 when URE2 completed its Mitigation Plan. URE2 admitted to the violation. In determining the appropriate penalty, RFC considered some aspects of URE2’s ICP to be mitigating factors. Also, RFC found URE2 to be cooperative during both the Compliance Audit and follow up enforcement activities but considered that a neutral factor.

Total Penalty: $65,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: WECC

Issue: During an audit, WECC determined that URE violated R1 because it did not afford Cyber Assets used in the access control and monitoring of an ESP the protective measures that are required by R1.

Finding: WECC decided the violation posted a minimal and not a serious or substantial risk to the reliability of the BPS because of particular factors unique to URE’s network and strong, layered security measures in place. Duration of violation was from the date the standard became mandatory and enforceable until URE completed its mitigation plan.

Total Penalty: $ 207,000 (aggregate for 12 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: High

Region: SPP

Issue: URE self-reported that it had improperly identified an Energy Management System (EMS) front-end device as an ESP access point (even though the equipment did not satisfy the criteria for being an access point), instead of solely as a CCA. In addition, URE did not identify as an ESP access point the signal-switching device where serial protocol traffic from the field remote terminal unit (RTU) entered the ESP. The signal-switching device was the access point for both the RTU traffic and the EMS front-end.

Finding: SPP found that the CIP-005-1 R1 violation only constituted a minimal risk to BPS reliability. Even though URE did not properly identify the correct access point, the device was performing the necessary access control functions. In regards to the RTU traffic, the device was non-routable and utilized lead line analog communication circuits, which reduced its exposure to vulnerabilities. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2.2/2.6

Violation Risk Factor: Medium (2.2), Lower (2.6)

Violation Severity Level: Severe (2.2/2.6)

Region: SPP

Issue: URE self-reported that it did not include an appropriate use banner, or request Technical Feasibility Exceptions, on a pair of Cyber Assets used to access the URE ESP (2.6). In addition, URE was unable to verify that it had only enabled those ports and services required for the operation and monitoring of Cyber Assets within the ESP. URE's firewall rule set did not contain documentation explaining why any port was enabled and did not specifically limit traffic between IP addresses to specified ports (2.2).

Finding: SPP found that the CIP-005-1 R2.2/2.6 violations only constituted a minimal risk to BPS reliability. Only authorized and trained URE personnel had physical access rights to the Cyber Assets that did not have appropriate use banners. In regards to its ports and services, URE had other measures in place to protect against intrusions, including automated log review, anti-virus software, and host-level hardening. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 4.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a compliance audit, SPP found that, after a cyber vulnerability assessment, certain of URE's ports and services may have been enabled that were not required for operations at the access points to the ESP. URE has a vulnerability tool that can identify the ports and services that are used to communicate with the firewall interface, but was unable to identify the ports and services that allow traffic to flow through the firewall.

Finding: SPP found that the CIP-005-1 R4.2 violation only constituted a minimal risk to BPS reliability. URE was properly evaluating those ports and services that provided access to the firewall interface. In addition, the host machines being accessed through the firewall only had the necessary ports enabled, which would function to block unauthorized port traffic. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that, when the Reliability Standard went into effect, 23.8% of its CCAs were not residing in an ESP as required. While URE had the necessary ESP infrastructure in place for those 23.8% CCAs, the URE's primary EMS firewall management server did not function properly and the ESPs could not be brought online as a result. The failure of the EMS firewall management server caused a communications outage at a major URE data center, and the ESPs could only be brought online once the data center was recovered. URE also did not properly identify multiple ESP access points and ESP Cyber Assets as URE did not have adequate procedures in place when the Reliability Standard went into effect to identify and document ESP access points and ESP Cyber Assets. URE did not have procedures in place to reconcile findings from network scans with the devices that were listed in its database. URE's database, when it was being developed, did not have any inventory controls, no physical inventory and no control mechanisms in place to verify that the information in the database continued to be accurate in a rapidly changing environment. URE discovered many of the errors during a cyber vulnerability assessment it conducted.

Finding: SERC found that the CIP-005-1 R1 violations constituted a serious and substantial risk to BPS reliability. URE did not have all of its CCAs residing within an ESP and it had not identified and documented all ESP access points as required. Furthermore, URE did not have sufficient procedures and tools in place to properly identify and document ESP access points, CCAs and Cyber Assets. Control center protection, especially the establishment of ESPs, is at the heart of protecting BPS reliability and URE's failure to establish adequate ESPs increased the vulnerability of URE's control center CCA (and thus the risk of the CCAs being compromised and rendered inoperable). URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming comprised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 2

Violation Risk Factor: Medium (2/2.1/2.2/2.3/2.4), Lower (2.5/2.6)

Violation Severity Level: Severe

Region: SERC

Issue: During a spot check, SERC determined that URE had not enacted sufficiently strong access points controls, as required, to authenticate the accessing party. URE also did not properly document that it had only enabled those ports and services requires for operating and monitoring its Cyber Assets with the ESP. In addition, as a result of insufficient planning and monitoring of firewall traffic before the establishment of the ESPs, URE did not properly restrict access to specific ports on its ESP firewalls. URE was also not performing the required quarterly reviews of user who had access through ESP firewalls.

Finding: SERC found that the CIP-005-1 R2 violations constituted a serious and substantial risk to BPS reliability. URE did not have proper procedures in place to verify that its ESP access points were configured as required by the Reliability Standards, which increased the risk of its CCAs becoming compromised or rendered inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming comprised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 3, 4

Violation Risk Factor: Medium (3, 4)

Violation Severity Level: Severe (3, 4)

Region: SERC

Issue: SERC determined that URE had not implemented electronic or manual processes to continuously monitor and log access at seven of its ESP access points (two routers acting as firewalls and five firewalls) (3). SERC also discovered that URE had not conducted a cyber vulnerability assessment of any of its electronic access points within the ESP before the required compliance date. URE mistakenly believed that it had an additional year to complete the required cyber vulnerability assessment.

Finding: SERC found that the CIP-005-1 R3 and R4 violations constituted a serious and substantial risk to BPS reliability. In regards to CIP-005-1 R3, without continuous monitoring and logging of access attempts, URE may not have been alerted to unauthorized access attempts designed to gain entry into its ESP. For CIP-005-1 R4, by not performing a cyber vulnerability assessment before implementing its cyber security program, URE increased the risk that there were undetected weaknesses in the security of its ESP access points. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming comprised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-22 (January 31, 2012)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: URE self-reported that it did not properly document its testing procedures and a security patch management program for its Cyber Assets used in the access control and monitoring of the ESPs at one of URE's facilities.

Finding: WECC found that the CIP-005-1 R1 violation constituted a moderate risk to BPS reliability as it could have led to malicious access to URE's Cyber Assets. But, URE did enact alternative security measures to protect its Cyber Assets. In approving the settlement agreement, the NERC BOTCC considered as mitigating factors URE's internal compliance program, including the continuous improvements in URE's compliance culture and URE's enactment of all applicable compliance directives. URE was also cooperative during the enforcement process and did not conceal any violations. In regards to the CIP violations, URE undertook voluntary corrective actions and self-reported the violations within a week of WECC's compliance audit. WECC evaluated as an aggravating factor a previous violation of PRC-005-1 R1 by one of URE's affiliate. But, URE had no reoccurring violations or relevant negative compliance history.

Penalty: $115,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-1

Requirement: R2; R2.1; R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: Further to a Compliance Spot Check, FRCC discovered a violation of R2 when URE was unable to show that it had an access control model that required explicit access permissions (and thereby denied access as a default) at access points to its Electronic Security Perimeter (ESP). In addition, the company had failed to enable only those ports and services required for normal and emergency operations

Finding: FRCC determined that the R2 violation posed a moderate risk to the reliability of the BPS because the subnets for which the company had not specified permissions were trusted subnets that were owned and operated by URE's corporate groups or by a secure vendor. Furthermore, the company had not permitted access to subnets from unknown sources, and other traffic had been denied at all of the company's access points. Access to the subnets owned by the company's energy management system vendor was controlled and secured by the entity at all times. Finally, the company's complete intrusion detection system scanned and protected all network segments and monitored and logged all activities for each of the relevant access points. FRCC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R2.
FRCC considered URE's ICP a mitigating factor in making its penalty determination and considered its compliance history to be a neutral factor. The fact that URE corrected deficiencies in its firewall rules was deemed to be a mitigating factor. The violation began when the standard became mandatory and enforceable to URE and ended when the company updated its risk-based assessment methodology. UREneither admits nor denies the R2 violation.

Penalty: $8,000 (aggregate for 2 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity 1 (MRO_URE1), Docket No. NP13-27, February 28, 2013

Reliability Standard: CIP-005-1

Requirement: 1/1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO

Issue: MRO_URE1 self-reported a violation of R1.5 after discovering that three CAs (the Devices) used in the access control and monitoring of the ESPs had not been provided the protective measures of R1.5. The company could not demonstrate that only the required ports and services were enabled, nor did it document the assessment and implementation of security patches for the Devices. The company also failed to document that it followed its established change control and configuration management procedures for Critical Cyber Asset hardware or software with regard to two of the Devices. In addition, the company did not implement banners in certain log-in instances for one of the Devices, and it had no documents verifying testing of security configurations pertaining to certain changes to and additions of new routers and switches. Lastly, without gaining required approval, the company granted an individual logical access to the Device for a three-month period.

Finding: MRO determined that the R1 violation posed a minimal risk to the reliability of the BPS because none of the systems at issue are used to operate and control Critical Assets. In addition, the extra ports and services enabled were open only for communications from other trusted corporate networks which were protected by firewalls, virtual local area network constraints, and domain and local account security restrictions at all relevant times. Furthermore, the company's vendor completed the required security patch and upgrade assessments, which were partially documented by the company, and the testing deficiency upon commissioning pertained to a failure to document the baseline configuration, not a failure to test at all. The violation pertaining to the logon banners was also documentary in nature. Lastly, the individual that was provided with unauthorized logical access had undertaken the required cyber security training and had undergone a personnel risk assessment, and this access did not lead to a BPS incident during the relevant time period. MRO entered a notice of confirmed violation and MRO_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1. MRO considered MRO_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to MRO_URE1 and ended when MRO_URE1 completed its mitigation plan. MRO_URE1 admits the R1 violation.

Penalty: $10,000 (aggregate for 5 violations)

FERC Order: Issued March 29, 2013 (no further review)

Unidentified Registered Entity 1 (MRO_URE1), Docket No. NP13-27, February 28, 2013

Reliability Standard: CIP-005-1

Requirement: 2/2.2/2.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO

Issue: MRO_URE1 self-reported a violation of R2 after discovering that it could not produce evidence that only those ports and services required for operations and monitoring of CAs at the access points to the ESP were enabled. The company also had not maintained a formal document identifying the content of appropriate use banners.

Finding: MRO determined that the R2 violation posed a minimal risk to the reliability of the BPS because the extra ports and services enabled by the company were open only from trusted corporate networks which were themselves continuously protected by firewalls, virtual local area network constraints, and domain and local account security restrictions. Furthermore, the violation regarding appropriate use banners pertained not to the company's use of logon banners, but to its lack of documentation regarding the content of such banners. Lastly, there were no cyber security incidents throughout the duration of the violation. MRO entered a notice of confirmed violation and MRO_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R2. MRO considered MRO_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to MRO_URE1 and ended, for R2.6, when the logon banner standard language procedure was published, and for R2.2, when the company completed its annual cyber vulnerability assessment and enhanced its change control documentation to ensure that only ports and services required for operations and for monitoring CAs within the ESP were enabled. MRO_URE1 admits the R2 violation.

Penalty: $10,000 (aggregate for 5 violations)

FERC Order: Issued March 29, 2013 (no further review)

Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a compliance audit, RFC found the following instances of non-compliance by URE 1, URE 2, and URE 3 regarding CIP-005-1 R1: (1) the ESP had not been completely identified and documented; (2) switches that were enabled in the UREs’ telecommunications and server rooms could not be identified and, therefore, they were not documented or included as being within the ESP; (3) dual access printers located at the control centers were not documented or identified as ESP access points; (4) the UREs had no documentation of certain non-CCAs (printers) inside the ESP; and (5) the UREs did not maintain documentation of all CAs inside the ESP.

Finding: The violations were deemed to pose a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because they allow the risk that CCAs found outside of the established ESP could be the target of cyber attacks. However, UREs’ ESPs are protected by many existing security protections, which decreased any risk to overall BPS reliability. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.

Total Penalty: $120,000 (aggregate for 24 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)

Reliability Standard: CIP-005-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE 1, URE 2, and URE 3, in violation of CIP-005-1 R2, failed to sufficiently detail organizational processes and technical and procedural mechanisms for controlling electronic access at all access points to the ESP. The UREs only had a high level description of how they would implement these procedures. RFC also found that the UREs, in violation of CIP-005-1 R2.4, failed to implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, with respect to a server enabling access to UREs’ ESP. The UREs did not submit a Technical Feasibility Exception (TFE) for this server.

Finding: The violation was deemed to pose a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because the UREs were performing the required controls, even though they failed to sufficiently document these controls. Additionally, the UREs had in place firewalls that limited interactive access to only restricted virtual consoles and authenticated transmission management system applications and systems within the ESP. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.

Total Penalty: $120,000 (aggregate for 24 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity 2 (URE), Docket No. NP13-30-000 (March 27, 2013)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a compliance audit, RFC found URE2 violated CIP-005-1 R4 in failing to include the access points to some of its substations’ ESPs in its cyber vulnerability assessment (CVA) for one year.

Finding: The violation was deemed to pose a moderate risk to the reliability of the BPS because individuals could exploit vulnerabilities of the ESP access points that would have been discovered by the application by the CVA. But RFC found that the violation did not pose a serious or substantial risk because the substations at issue had the same access control requirements as sites actually scanned by the CVA, and no additional issues with the CVAs were found. Finally, the likelihood of unauthorized and undetected access was minimal as only a subset of users with appropriate credentials had remote access to the substations. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.

Total Penalty: $120,000 (aggregate for 24 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entities 1, 2 and 3 (UREs), Docket No. NP13-30-000 (March 27, 2013)

Reliability Standard: CIP-005-1

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE 1, URE 2, and URE 3 failed to maintain all documentation to ensure compliance with the standards of CIP-005 as certain documentation required by the Standard did not reflect current configurations.

Finding: The violation was deemed to pose a minimal and not serious or substantial risk to the reliability of the BPS because, even though the UREs’ procedures for controlling and monitoring electronic ESP access 24 hours a day did not contain figures reflective of the UREs’ current configurations, the UREs did maintain detailed diagrams of actual access points to the control center and substation ESPs. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.

Total Penalty: $120,000 (aggregate for 24 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not identify certain port servers, communication switches and internal network switches as access points to its ESPs. In addition, URE was not providing active directory servers, active control servers, an intrusion detection system, and security information and event management devices with all of the required protective measures.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk that unauthorized access to the ESP would go unnoticed and unchecked and that the Cyber Assets used in the access control and monitoring of the ESP could be manipulated. But, all of URE’s CCAs (including the switches) are protected by PSPs and ESPs. In addition, the active directory servers and active control servers are contained in physically secure areas and in the corporate network. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not identify certain port servers, communication switches and internal network switches as access points to its ESPs. In addition, URE was not providing active directory servers, active control servers, an intrusion detection system, and security information and event management devices with all of the required protective measures.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it increased the risk that unauthorized access to the ESP would go unnoticed and unchecked and that the Cyber Assets used in the access control and monitoring of the ESP could be manipulated. But, all of URE’s CCAs (including the switches) are protected by PSPs and ESPs. In addition, the active directory servers and active control servers are contained in physically secure areas and in the corporate network. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not update its firewall rules after certain devices were decommissioned from its network and, as a result, the firewalls were permitting traffic to devices no longer on the network. URE also did not have a list of ports and services for certain logical access points to its ESP that was approved by a URE director and placed into URE’s document management system, as required by its procedures.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. URE’s draft list of ports and services for certain logical access points to its ESP was approved by subject matter experts (even though not by the director of technology services as required). The CCAs are protected by an intrusion detection system, antivirus/malware prevention tools and unique accounts with strong passwords. URE also only allowed in traffic from trusted networks. In addition, all of URE’s CCAs are contained within a PSP, which restricts access to authorized personnel. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not ensure only those ports and services required for the operation and monitoring of Cyber Assets within the ESP.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability because the devices were protected by intrusion detection systems and would alert operators of any abnormal traffic. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that it did not properly document, for one of its firewalls, the configuration of ports and services required for the operation and monitoring of Cyber Assets within the ESP.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $10,000 (aggregate for 3 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that it did not perform a complete assessment and keep the required documentation of the review of one of its firewalls and one of its switches.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability since the relevant firewall and switch were protected by an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $50,000 (aggregate for 5 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that it did not complete assessments, or keep the required documentation, of its review of the ports and services for one firewall and one personal computer.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were protected by an ESP and PSP. In addition, the devices were further protected by network isolation, which prevented exposure to untrusted networks (such as the internet). No intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that it did not properly document the configuration of ports and services for seven firewalls and one personal computer required for the operations and monitoring of Cyber Assets within the ESP.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). In addition, no intrusions occurred during the course of the violation. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $30,000 (aggregate for 8 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that in one year, it did not perform the required cyber vulnerability assessment for logical access points to the ESPs. In addition, in another year, URE did not perform a cyber vulnerability assessment for certain of its switches that serve as access points to its ESPs.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since by not conducting all of the required cyber vulnerability assessments of all the electronic access points to URE’s ESPs, it could have allowed unauthorized access to the ESP occur. But, URE uses an anomaly-based network intrusion detection system, with alerts triggered upon detection of any abnormal usage of ports and services. Plus, all of UREs have antivirus/malware prevention tools installed and have established unique accounts and passwords to protect access. There are also logs of all traffic entering the ESPs. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that in one year, it did not perform the required cyber vulnerability assessment for logical access points to the ESPs. In addition, in another year, URE did not perform a cyber vulnerability assessment for certain of its switches that serve as access points to its ESPs.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since by not conducting all of the required cyber vulnerability assessments of all the electronic access points to URE’s ESPs, it could have allowed unauthorized access to the ESP occur. But, URE uses an anomaly-based network intrusion detection system, with alerts triggered upon detection of any abnormal usage of ports and services. Plus, all of UREs have antivirus/malware prevention tools installed and have established unique accounts and passwords to protect access. There are also logs of all traffic entering the ESPs. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1, 4, 5.1

Violation Risk Factor: Medium (1, 4), Lower (5.1)

Violation Severity Level: Severe (1, 4, 5.1)

Region: TRE

Issue: During a compliance audit, TRE determined that URE had not identified all access points to the ESP and had not properly maintained documentation regarding its ESP, all the interconnected critical and non-critical Cyber Assets within the ESP, and all the electronic access points to the ESP (5.1). TRE found that a modem listed as a non-critical Cyber Asset was not located in URE's facilities and that there was an undocumented switch present (even though it was not connected). In addition, URE's original Critical Asset List did not specify which assets were CCAs and certain Cyber Assets that resided in the ESP were not adequately identified and protected (1). TRE also determined that URE did not complete a full cyber vulnerability assessment on its business and plant networks since it did not adequately review all the electronic access points to the ESP (4).

Finding: TRE found that the CIP-005-1 R1 violation only constituted a minimal risk to BPS reliability. Even though URE's Critical Asset list was not updated after the change in status of the modem and the switch, URE later reported those devices to be out of commission. TRE found that the CIP-005-1 R4 and 5.1 violations constituted a moderate risk to BPS reliability. But, URE had reviewed the enabled statuses of the majority of URE's ESP access points as well as the related ports and services and had assessed the vulnerability risk of the access points within its ESP. URE also had an ESP security program in place, even though it had not been reviewed on an annual basis as required. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-005-1

Requirement: 1, 4, 5

Violation Risk Factor: Medium (1, 4); Lower (5)

Violation Severity Level: Severe (all)

Region: Texas RE

Issue: During a compliance audit, Texas RE found that URE had not identified all access points to its ESP. URE also could not provide complete documentation of its ESP to include interconnected critical and non-critical Cyber Assets and all electronic access points (R1). Auditors found that URE had not performed complete cyber vulnerability assessments (CVA) on its business and plant networks during a two-year period; therefore, no CVA was available to include the minimum requirements of the Standard and to show that all ESP access points had been identified (R4). Regarding R5, the audit further showed that URE was not reviewing its CIP-005 policy and procedures on a yearly basis as required.

Finding: The violation of R1 was deemed to pose minimal risk to BPS reliability, but not a serious or substantial risk. The R4 violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Risk was mitigated because of URE’s use and dependence on its ESP security program, even though the program was not reviewed on a yearly basis. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it did not identify three firewalls as access points to its generating station ESP.

Finding: WECC found that the CIP-005-1 violation constituted only a minimal risk to BPS reliability. URE had a layered security system in place to protect the CCAs. Access to the three firewalls at issue is only granted through a secured, corporate network and password protections were in place. In addition, only 28 personnel had access to the devices. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1; 1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst Corporation (RFC)

Issue: URE1 self-reported that, while undergoing a vendor evaluation of its CIP program, it was found not to have given all CIP protections to all devices classified as Cyber Assets used in the access control and/or monitoring of its ESP, particularly its security event and incident management system used to combine security event logs from ESP access points. The servers also put out automatic alerts of potential cyber security events.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. RFC found the violation was not documentation related and involved an entire class of assets which could be used to harm BPS operations. The risk was mitigated, however, because the relevant system is housed at a staffed corporate data center with controlled access. Also, URE1 did have some CIP protective measures in place including a compliant PRA program; controlled, monitored electronic access; and appropriate test procedures, methods, and processes for the disposal or redeployment of Cyber Assets used for ESP access, which is monitored. URE also performs annual cyber vulnerability assessments.

Total Penalty: $0 (for 2 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2; 2.4; 2.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: While conducting a Compliance Audit, WECC found URE1 to be non-compliant with CIP-005-1 R2 because it had not enabled only those ports and services required for operations and for monitoring Cyber Assets within its ESP. Also, the procedures and controls in place by URE to ensure authenticity at the ESP access points in cases of external interactive access did not meet the requirements of CIP-005. Finally, URE1 was not displaying an appropriate use banner on its user screen upon attempting access.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. URE1 was not using restrictive rules intended to prevent malicious activities from a source to a destination device which could lead to compromised, degraded performance, and possible denial of service of an asset. Warning banners are required so that all users are knowledgeable that the asset they are connected to is for restricted access only. The lack of strong controls at the access point for all traffic entering the ESP allows direct access to a device prior to formal authorization. The risk was mitigated because URE1 authenticates all access prior to network access. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP.

Total Penalty: $62,500 (aggregate for seven violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-005-1

Requirement: 2, 2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE1 self-reported that it had not (1) ensured only ports and services required for normal and emergency operations and monitoring Cyber Assets located in two ESPs were enabled, and (2) documented the configuration of those ports and services pursuant to the requirements of the Standard.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. NPCC considered that inconsistent protection of Cyber Assets in the ESPs could allow unauthorized access to those assets; however, risk was mitigated by other protection systems in place by URE that prevent outside access to the two ESPs. In addition, access to the ESPs is logged and monitored, and the ESPs are alarmed in the event of particular cybersecurity issues. In determining the appropriate penalty, NPCC considered URE1’s ICP as a mitigating factor.

Total Penalty: $7,000 (aggregate for 2 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)

Reliability Standard: CIP-005-1

Requirement: 1, 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it was non-compliant with CIP-005-1 R1 and R2. Regarding R1, URE found an ESP access point which had not been identified and recorded as such. WECC’s follow-up investigation ultimately determined nine devices externally connected to the ESP having end points that terminated at a device inside the ESP had not been considered ESP access points, and a total of 127 devices were not given all protections afforded by CIP-005-1. Regarding R2, URE was found to have servers that were not protected by authentication controls at the ESP boundary. URE also could not show that only ports and services required for normal and emergency operations were enabled. And, two-factor identification was not required for outside ESP access on nine servers.

Finding: The violations were deemed to pose moderate, but not serious or substantial, risk to BPS reliability. The unidentified ESP access points left 339 CCAs connected to two control centers open to possible cyber attack or misuse. However, regarding R1, risk was mitigated by the fact that the nine ESP access points and related devices were in a PSP, and the individuals with access to the devices had current PRAs on filed and had completed CIP cybersecurity training. Regarding R2, the devices involved are associated with URE’s control system and unauthorized access would not have been detected; but the relevant access points are housed in a secure location with monitoring and card key restrictions. The devices that had no two-factor authentication requirements were in URE’s corporate environment and access required certain credentials. URE also had an intrusion detection system that monitored the ESP. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.

Total Penalty: $198,000 (aggregate for ten violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1, 2

Violation Risk Factor: Medium (1, 2)

Violation Severity Level: Severe (1, 2)

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not previously identify, as required, access points created by devices with dual-homed network interface cards used for inter-control center communication protocols (ICCP) communications with neighboring transmission entities (1). In addition, URE’s ESP firewall rules that control access to the ESP were too broad as they did not provide a sufficient amount of access control since they did not filter traffic based on the specific addresses of the machines (2).

Finding: WECC found that the CIP-005-1 R1 violation constituted a moderate risk to BPS reliability since the lack of proper documentation of the ESP access points could facilitate unauthorized access to URE’s ESP. But, URE had identified and protected the ICCP servers as CCAs and the devices were contained in a PSP and would provide automated alerts in cases of unauthorized access. The devices also had antivirus and malware prevention tools installed and are equipped with an intrusion detection system. WECC found that the CIP-005-1 R2 violation only constituted a minimal risk to BPS reliability. The firewall rules only permitted traffic, on a network-to-network basis, from secured and trusted networks to other secured and trusted networks. Any suspicious traffic would be flagged and an alert sent to URE’s control center or support staff. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violation were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 3013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not a complete annual cyber vulnerability assessment in 2010 and 2011 that covered the electronic access points to its Energy Management System (EMS) ESPs.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since cyber vulnerabilities in the ESPs may have gone unchecked and undetected and been exploited to gain malicious access. No URE manager was responsible for compliance with this Reliability Standard and there was a lack of oversight by URE’s compliance office. But, URE had an intrusion detection system in place to protect against malicious or suspicious network activity. In addition, URE’s Cyber Assets had antivirus and malware prevention tools installed, are contained within a PSP, and are subject to continuous monitoring. URE also always had a team available for the maintenance and recovery of the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that certain of the violation were self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 3013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: In anticipation of a compliance audit, URE self-reported that it unintentionally created several unauthorized access points to its ESP as a result of a declassification of an ESP subnet and servers that were accessible from a separate private network. In addition, URE had four additional undocumented access points as a result of changes to the IP addresses of certain switches. URE also did not provide all of the required protective measures to four electronic access control and/or monitoring systems, two firewall management servers and two servers used to configure secure ports on switches. During the compliance audit, SERC also found that URE did not properly identify 149 access points associated with devices terminating within the ESP (including serial point-to-point devices from the energy management system control center to remote field locations and mixed trust network switches with ESP and non-ESP virtual local area networks). URE also did not enact the mandated access rules at its electronic access points to restrict tariff to only those ports and services required for operations and for monitoring the Cyber Assets within the ESP. In addition, URE and had devices that were unable to enforce the password requirements.

Finding: SERC found that the CIP-005-1 R1 violation constituted a moderate risk to BPS reliability since URE’s failures to identify and protect access points could facilitate unauthorized access to the CCAs, which increases the risk of the CCAs being compromised and made inoperable. But, in all of the above-described instances, there were mitigating factors, such as no direct exposure to connectivity outside of URE’s control systems network, firewall access control lists, real-time monitoring, and communications that are asynchronous and non-routable in nature. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE did not develop and document a test procedure for confirming that all ESP access control and monitoring (ACM) devices did not adversely affect existing cyber security controls prior to implementing the devices in the production environment. In addition, URE did not install anti-virus software on the devices as required.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE’s quality assurance (QA) environment used for pre-deployment operational testing of Cyber Assets contained many of the same cyber security controls that are contained in the production environment (such as antivirus software, user authentication, system event logging and an intrusion detection system for system servers) and would have identified certain changes to the security measures. In addition, access to the ESP ACM devices is protected by continuous system event monitoring, which provides alerts to URE staff regarding cyber security events. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.

Penalty: $185,000 (aggregate for 11 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE did not develop and document a test procedure for confirming that all ESP access control and monitoring (ACM) devices did not adversely affect existing cyber security controls prior to implementing the devices in the production environment. In addition, URE did not install anti-virus software on the devices as required.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability. URE’s quality assurance (QA) environment used for pre-deployment operational testing of Cyber Assets contained many of the same cyber security controls that are contained in the production environment (such as antivirus software, user authentication, system event logging and an intrusion detection system for system servers) and would have identified certain changes to the security measures. In addition, access to the ESP ACM devices is protected by continuous system event monitoring, which provides alerts to URE staff regarding cyber security events. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.

Total Penalty: $185,000 (aggregate for 11 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 1/1.1/1.2/1.3/1.4/1.5/1.6

Violation Risk Factor: Medium (1/1.1/1.2/1.3/1.4/1.5), Lower (1.6)

Violation Severity Level: Severe (1/1.1/1.2/1.3/1.4/1.5)

Region: SERC

Issue: URE self-reported that it did not provide all of its Cyber Assets used in the electronic access control and/or monitoring (EACM) of the ESP with all of the required protective measures. URE also did not designate as access points, as required, certain Cyber Assets that had network connections that crossed the ESP boundary, which were used for monitoring and logging of security or intrusion events. In addition, one of URE’s employees improperly obtained electronic access to two EACM devices (which were within the employee’s job functions) without proper approval and URE did not review and update access to shared accounts for certain servers and logging appliances after personnel changes. URE also did not identify and document 59 access points to its energy management system (EMS), which were serially connected between the front-end processors and field remote terminal units, within the ESP.

Finding: SERC found that the CIP-005-1 R1 violation constituted a serious or substantial risk to BPS reliability since the lack of adequate procedures for identifying and documenting electric access points greatly increases the risk of URE’s CCAs becoming compromised and made inoperable. By not fully protecting all of the EACM devices, vulnerabilities could infect the ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that when it temporarily modified an ESP access point configuration during severe weather conditions, it inadvertently omitted the explicit-deny rule for the Energy Management System (EMS) ESP on a remote virtual private network (that vendors and contractors used to connect to the corporate network). URE did not apply multi-factor authentication to interactive access attempts into the ESP originating from within the corporate network, as required. In addition, URE’s cyber security procedures did not adequately address, as required, how the authentication server would be used as an access control mechanism to access the ESPs remotely. URE also did not properly review the authorization rights of administrators for all electronic access points to the ESPs.

Finding: SERC found that the CIP-005-1 R2 violation constituted a serious or substantial risk to BPS reliability. By failing to have the explicit-deny rule fully in place for the EMS, nine unauthorized users (who did not have cyber training or personnel risk assessments on file) gained unrestricted access into the ESP, which increased the chances of URE’s CCAs becoming compromised and rendered inoperable (when the system was already stressed). In addition, not have adequate technical and procedural controls for ESP user authentication also increased the risk of unauthorized access to the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-005-1

Requirement: 4/4.1/4.2/4.3/4.4/4.5

Violation Risk Factor: Medium (4/4.2/4.3/4.4/4.5), Lower (4.1)

Violation Severity Level: Severe (4/4.2/4.3/4.4/4.5)

Region: SERC

Issue: URE self-reported that it did not perform the required annual cyber vulnerability assessment for two access points to an ESP or review specific access points for the network management community strings.

Finding: SERC found that the CIP-005-1 R4 violation constituted a moderate risk to BPS reliability since by not undertaking a complete annual cyber vulnerability assessment it increased the risk of the CCAs being vulnerable and becoming compromised. But, no reportable cyber security incidents occurred during the course of the violation. In addition, only authorized personnel had access to network community strings, and the network community strings were changed annually. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)

Reliability Standard: CIP-005-1

Requirement: 2/2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that each year, as part of its cyber vulnerability assessment, it restarted its baseline of ports and services necessary for secure operations. As a result, URE may have been unable to detect unauthorized modifications to ports and services since the last cyber vulnerability assessment. In addition, URE’s list of ports and services did not, as required, document or tie the ports and services to individual assets or specified groupings. Furthermore, on one of URE’s switches, not all of the enabled ports are listed, and three ports and services were enabled that were not required for normal or emergency operations.

Finding: RFC found that the CIP-005-1 R2 violation constituted a moderate risk to BPS reliability. The ESP access points were not sufficiently protected for an extended period of time, which increased the risk of there being a gap in the ESP security defenses. But, all changes to the ports and services were required to receive prior authorization through the change control process. The cyber vulnerability assessment also did not detect any unauthorized enabled ports and services. In addition, the devices at issue are protected by ESPs and PSPs. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.

Total Penalty: $75,000 (aggregate for 13 violations)

FERC Order: Issued February 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1/R1.1/R1.5/R1.6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not provide all of its Cyber Assets used in the electronic access control and monitoring of URE’s ESPs with the required protective measures as URE did not properly document the ports and services required for normal or emergency operations for 12 Cyber Assets. Subsequently, during a compliance audit, WECC found that URE did not identify 24 ESP access points or 29 Cyber Assets used for the controlling and monitoring of ESP access points.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it resulted in the 65 Cyber Assets at issue becoming vulnerable to exploitation. However URE’s ESPs are guarded by an intrusion detection system and access point protections and any traffic to and from URE’s ESPs first goes through firewalls that restrict, monitor and provide alerts of suspicious activity. In addition, all the devices at issue are contained within physically secured areas with restricted access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-005-1 Requirements: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit, SERC determined that URE failed to identify as ESP access points certain field devices serially connected to an ESP and endpoints of certain intrusion detection systems that use network span ports that cross the ESP.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability. The field devices at issue did not use a routable protocol and the network switch port analyzer was configured to only monitor network traffic. Additionally, URE established controls for ESP access point management, logging, monitoring and change control and testing of significant changes. The ESPs were also subject to real-time monitoring. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-005-1 Requirements: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance spot check, SERC determined that URE, through its contract with a managed security service provider (MSSP), did not fully identify and adequately protect all of its Cyber Assets used for access control and monitoring of its ESP. URE also did not specify in its contract with the MSSP that the electronic access control and monitoring (EACM) devices must be located in a PSP.

Finding: SERC determined that this violation constituted a moderate risk to BPS reliability as having CCA monitoring information and EACM devices outside of established ESPs increased the risk of information and devices being compromised. But, the devices at issues were contained within a restricted that had certain physical security controls (such as continuous monitoring by security cameras and card access systems). In addition, the MSSP personnel were provided training and conducted testing to ensure that changes and updates to the devices did not result in a degradation of the security controls. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-005-1 Requirements: R2/R2.2

Violation Risk Factor: Medium Violation Security Level: Severe

Region: SERC

Issue: During a compliance spot check, SERC determined that URE enabled additional ports and services besides those required for normal or emergency operations, including a firewall that allowed a CCA to connect to any destination outside of the ESP without a service restriction and a firewall that permitted any employee with VPN access to connect to any destination within a facility’s ESP.

Finding: SERC determined that the violation constituted a moderate risk to BPS reliability since enabling ports and services that were not required for normal and emergency operations increased the risk that an unauthorized individual or malware could connect inside URE’s ESP and disrupt operations. This risk was elevated since URE failed to ensure new Cyber Assets and significant changes to existing Cyber Assets did not adversely affect existing cyber security controls and did not disable ports and services not required for emergency and normal operations from 174 Cyber Assets. But, URE did employ an an access control model that, by default, denies access. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-005-1 Requirements: R3/R3.2

Violation Risk Factor: Medium Violation Security Level: Severe

Region: SERC

Issue: During a compliance audit, SERC determined that, as a result of high rates of firewall processing and filtering, six of URE’s firewalls at a single facility were not adequately logging authorized and unauthorized ESP access attempts.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability. While the firewalls at issue were not logging all access attempts, they were logging configuration changes and protocol-based tariff denials and would have been able to respond to any malicious activity detected. In addition, URE employed a third party security vendor, who provides real-time monitoring of URE’s ESP and is on alert for malicious activity. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)

Reliability Standard: CIP-005-1

Requirement: R1; R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that URE failed to provide all of the required protective measures to 2 Cyber Assets (a firewall manager and server) used in the electronic access control and monitoring of its ESPs.

Finding: WECC determined the violation constituted a moderate risk to the BPS reliability since it increased the possibility that URE’s Cyber Assets and ESPs could be manipulated or compromised and result in disruption to the operation of the BPS. But, URE’s ESPs did have security incident and events management technology installed and the devices at issue are located in physically secure areas with locks, guards and cameras. In addition, no actual manipulation or compromise of the Cyber Assets occurred during the course of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $180,000 (aggregate for 7 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)

Reliability Standard: CIP-005-1

Requirement: R2/R2.4/R2.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that URE did not have sufficiently strong procedural or technical controls for its electronic access points to the ESPs as URE did not properly identify and describe the process for access requests and authorization for external interactive access or the authentication methods.

Finding: WECC determined the violation constituted a moderate risk to the BPS reliability as it increased the risk that the ESPs and the assets protected by the ESPs would be manipulated or compromised. But, URE’s ESPs are protected by security incident and events management technology and the devices at issue are located in secure physical locations that contain alarms, cameras and guards. In addition, no manipulation or compromise of the assets within the ESPs, the ESPs or the access points actually occurred. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $180,000 (aggregate for 7 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-1

Requirement: R5.2 (4 violations – one for URE1, URE4, URE5 and URE6)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE1, URE4, URE5 and URE6 self-reported that, after a redesign which caused certain of their devices to terminate on a different cluster of firewalls, they did not document, within a timely manner, modifications to their ESPs.

Finding: RFC determined these violations posed a minimal risk to BPS reliability as it only involved documentation errors. The URE Parent Company prepared, approved and implemented the relevant changes and all appropriate personnel were aware of the changes. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-005-1

Requirement: R1 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: RFC determined that URE2 did not identify all access point to its ESP, provide the required protective measures to its firewall management device, describe the revision history/version management on its ESP diagram, or provide all of the required protections to a set of printers within an ESP. URE1 was also unable to verify that all of its CCAs are contained with an ESP, to adequately identify and document all of its ESPs, or to appropriately consider communication links terminating at end points within defined ESPs as ESP access points. URE3 was also unable to verify that it identified all access points to its ESPs, properly identified and protected the non-critical Cyber Assets within the ESP, provided the required protective measures to the Cyber Assets used in the access control and monitoring of the ESPs, or maintained sufficient documentation regarding ESP electronic access points.

Finding: RFC determined that the violations posed a moderate risk to the BPS reliability as the failure to identify all ESP access points and implement the required protections increased the risk of unauthorized electronic access to the CCAs and non-critical Cyber Assets. But, the URE Companies did implement certain protective measures to guard their ESPs, ESP access points, Cyber Assets used in the access control and monitoring of the ESPs and CCAs. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-005-1

Requirement: R2 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that, as a result of allowing external vendors to use single generic user identification, they could not identify the specific person accessing the ESP and thus were unable to verify the authenticity of the accessing party. The URE Companies had also not enacted authentication controls on a reporting tool that permitted external interactive access to the ESPs. In addition, the URE Companies did not properly implement processes for controlling remote access to its supervisory control and data acquisition (SCADA) system as the URE Companies did not adequately document the monitoring of the vendor performing SCADA IT work. Furthermore, IT administrators were able to bypass the URE Companies’ controls using an active directory authentication control to gain access to CCAs with an ESP. URE2 also did not appropriately identify and document two devices with access to the ESP or conduct sufficient firewall rule set reviews. URE1 and URE2 also did not specify that they only enable ports and services required for operations and monitoring.

Finding: RFC determined the violations constituted a moderate risk to the BPS reliability. The URE Companies’ violations increased the risk of unauthorized access to their ESPs and cyber intrusion. But, the URE Companies did enact protective measures to guard the Cyber Assets within the ESP and ESP access points, based on the URE Companies’ corporate policies and procedures and defense-in-depth strategy. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-005-1

Requirement: R3 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not implement, as required, a manual or electronic process for continuously monitoring and logging access points to the ESPs. The URE Companies allowed external vendors to use a generic ID that permitted multiple individuals to access the CCAs remotely and their IT administrators to access the ESPs through an active directory authentication tool that did not properly monitor and log access. Thus, the URE Companies were unable to authenticate the specific person accessing the CCAs at any given time. In addition, the URE Companies did not apply their existing logging, monitoring and alerting processes for certain firewall devices, and URE2 did not properly identify and document such processes for two of its CCAs with dial-up accessibility.

Finding: RFC determined that the violations constituted a moderate risk to the BPS reliability as it increased the risk that an individual would be able to gain access to the ESPs without leaving any record of the intrusion and cause harm to the integrity of the CCAs within the ESPs. But, the URE Companies did enact protective measures to detect and alert for unauthorized access and to guard the Cyber Assets within the ESP and ESP access points. The URE Companies monitored the external vendors’ work as it was being performed and only local IT administrators (who had network access credentials, training and Personnel Risk Assessments) had access through the active directory authentication control. In addition, the URE Companies secured their SCADA networks and implemented processes and controls governing remote access. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-005-01

Requirement: R4 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that, as a part of their annual Cyber Vulnerability Assessments (CVAs), they did not verify that only those ports and services required for operations at the access the access points are enabled. The URE Companies also did not maintain adequate documentation regarding the required components of their annual CVAs. In addition, URE2 did not have a vulnerability assessment plan, and its CVA process was lacking in regards to actions plan to remediate or mitigate vulnerabilities.

Finding: RFC determined that the violations constituted a moderated risk to the BPS reliability as it increased the risk that the URE Companies would be unaware of certain cyber vulnerabilities that could be exploited to gain unauthorized access to CCAs. But, the URE Companies had enacted protective measures to guard against unauthorized access to the ESPs (such as performing vulnerability scanning). The URE Companies also provided all of its cyber assets with some protective measures, according to their corporate policies and defense-in-depth strategy. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-005-1

Requirement: R5 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not timely review, update and maintain the required documentation showing compliance with CIP-005 on an annual basis. URE2’s ESP diagrams did not incorporate revision history or version maintenance as required.

Finding: RFC determined the violations constituted only a minimal risk to the BPS reliability. While the URE Companies did have processes in place for the annual review and approval of CIP-related documentation, the documentation deficiencies were the result of workflow processes and lack of evidence of task completion. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that it did not identify four devices and two receiver devices as electronic access points to its ESPs. SPP RE also determined that URE did not provide the unidentified access points the controls required by the standard where it was technically feasible and it did not have technical feasibility exceptions (TFEs) on file for the others. In addition, URE self-reported that two servers, outside its ESPs, were not provided several of the required protective measures.

Finding: SPP RE determined that the violation constituted a moderate risk to the BPS reliability as inadequate protections on URE’s servers and the lack of controls on electronic access points increases the risk that access credentials could be stolen and used to gain unauthorized access to and malicious attacks on URE’s ESP. However, URE maintained the servers in a corporate data center where physical access was controlled and access was restricted to IT system administrators which mitigated the risk of accessing the servers. In addition, the devices at issue were physically located within a physical security perimeter (“PSP”) and their location and functionality within URE’s network limited the risk of unauthorized access to its ESPs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R2/R2.1/R2.2/R2.4/R2.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that it did not request technical feasibility exceptions (TFEs) for two switches and four devices (two of which were unable to authenticate access to its ESP), apply the required documentation for two of the four devices or require its emergency management system (EMS) vendor to authenticate itself as an accessing party prior to entering URE’s ESP firewalls. During a compliance audit, SPP RE further found that when a party went through a utility server to access a jump box that allowed interactive access to its ESP, URE did not require access authentication.

Finding: SPP RE determined that the violation posed only a minimal risk to the BPS reliability since URE required the EMS vendor to authenticate itself at the corporate firewall before gaining access to its ESP firewall and URE would also have to actively grant the vendor access to the corporate firewall, which it did not. In addition, the inability of the devices to implement the technical controls was mitigated by the location and role of the devices at issue. Furthermore, while eight of the employees were able to access URE’s server, URE’s password requirements and its continuous monitoring and alerts for changes in device configurations would have prevented them from accessing URE’s jump box. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R3/R3.1 and R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that four electronic access points and two devices were unable to monitor, log or alert for electronic access attempts to its ESP. In addition, URE was not logging access when IT personnel physically connected at the switches.

Finding: SPP RE determined that the violation posed only a minimal risk to the BPS reliability as URE required physical access to its PSP where the switches at issue resided. In addition, URE continuously monitors and receives alerts for malicious activity related to its network and logging and alert data is sent to its EMS system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R4/R4.2/R4.3/R4.4/R4.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that it did not include in its Cyber-Vulnerability Assessment program a review that only required ports and services were enabled; the identification of all access points to its ESP; a review of controls for default accounts, passwords, and network management community string controls; and documentation of the CVA results.

Finding: SPP RE determined that the violation constituted a moderate risk to the BPS as an inadequate CVA action plan increased the risk that vulnerabilities would not be addressed and could pose an increased threat to URE’s EMS and electronic access points that are not evaluated thoroughly increased the risk of malicious attacks on URE’s ESP. However, URE was running scans within its ESP to identify all connected devices; active ports and services on devices; and vulnerabilities on the devices. In addition, as part of its annual review of access points, and while the violation was pending, URE was verifying the necessity of its enabled ports and services. URE also continuously monitored the status, configuration and behavior of its network device hardware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1/R1.4/R1.6

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Texas RE

Issue: URE self-reported that five non-critical Cyber Assets in its ESP were not correctly identified or documented when two non-critical Cyber Assets that connected two devices were not listed on its ESP list. One server was not listed on any ESP lists for two years and two additional servers that were listed as CCAs on a date specific ESP list were not included on any future lists for almost a year.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability since the five devices at issue accounted for less than 5% of all devices in the URE's ESPs and all were afforded the required protections by URE. In addition, the servers at issue were never moved from testing into production and therefore, should have been have been listed as non-critical Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that it misunderstood a NERC compliance guidance document and failed to identify access points for Cyber Assets that are non-essential to the operation of Critical Assets and serially connected to Cyber Assets in the ESP. At several ESP facilities, dial-up gateways used for electronic access control and monitoring (EACM devices), were incorrectly identified as access points instead of the internal modems, which are communications end points that end at the ESP and permit access to the CCA. Additionally, URE1 failed to identify serially connected non-Critical Assets outside of the ESP as access points.

Finding: SERC determined that the violation posed only a minimal risk to the BPS reliability. The failure to identify the modems as access points was due to a documentation error and the risk of unauthorized access to URE1's CCA was reduced since the modems resided behind the gateway devices that controlled and authenticated access attempts. Additionally, Cyber Assets that had serial connections with devices in the ESP were maintained in locked cabinets and resided in a secure facility. The non-routable networks with serial communication links limited the need for perimeter protection and the failure to identify the access points did not result in any adverse effects on URE1's network. UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not received mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE2 self-reported that it misunderstood a NERC compliance guidance document and failed to identify access points for Cyber Assets that are non-essential to the operation of Critical Assets and serially connected to Cyber Assets in the ESP. Specifically URE2 did not identify access points for serially connected non-essential Cyber Assets outside the ESP that connected to CCA (machines and switches operated by personnel) and non-critical Cyber Assets (protocol converters).

Finding: SERC determined that the violation posed only a minimal risk to the BPS reliability. The failure to identify the modems as access points was due to a documentation error and the risk of unauthorized access to URE2's CCA was reduced since the modems resided behind the gateway devices that controlled and authenticated access attempts. Additionally, Cyber Assets that had serial connections with devices in the ESP were maintained in locked cabinets and resided in a secure facility. The non-routable networks with serial communication links limited the need for perimeter protection and the failure to identify the access points did not result in any adverse effects on URE2's network. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not received mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1.5 (2 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: The UREs self-reported that network management devices, that were previously identified and protected as EACM devices, had not been identified and protected as EACMs due to misinterpreting the Requirement. SERC also determined that the UREs incorrectly identified and included in its report several authentication servers as EACMs. In addition, the UREs' recovery plans also failed to include procedures for recovering firewalls.

Finding: SERC determined that the violation posed only a minimal risk to the BPS reliability. UREs failure to protect all its EACM devices increased the risk that someone could maliciously steel or alter access credentials allowing them to alter the access control rules and access the UREs' ESPs. In addition, without procedures for recovering firewall EACMs the UREs would have found it difficult to recover the firewalls that allow them to remotely protect and control its Supervisory Control and Data Acquisition system. However, the UREs kept the management EACM devices within a secured PSP behind the corporate firewall, only CIP authorized personnel had access to them and a two-factor authentication was required to access the devices. In addition, the UREs had recovery plans available to the technicians responsible for recovering the firewall EACMs and twice the devices were successfully recovered without a delay. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not received mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: When WECC met with URE to discuss self-certifications for CIP-009 R1 and CIP-009 R4, it determined that URE had failed to provide the required protective measures of CIP-05-1 R1 to four devices (modems, servers and firewalls) used for the electronic access control and monitoring (EACM) of two ESPs.

Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as the EACM devices were maintained in a secure PSP where access was restricted, monitored and logged. Furthermore, had there been an issue with the devices, URE had maintenance contracts with vendors, who were required to notify URE and recover the devices within eight hours of an incident. Additionally, URE regularly recorded backup tapes and had procedures in place for backing up and restoring Windows devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-005-1

Requirement: R2/R2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit WECC found that security controls were lacking for two access points to URE's ESPs. Specifically, URE did not have access permissions for all communication at access points on two servers and there was insufficient network separation between two ESPs and the physical security network at one access point.

Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as the servers at issue were protected with antivirus software, patching and logging. The ability to route communications across interfaces was disabled and URE had real-time logging and monitoring of all traffic on the devices. The servers were maintained behind a PSP and firewalls with specific rules for approved network traffic provided additional protection to the devices. While emergency vendors were allowed modem access to the devices, no other interactive access to the ESPs or across access point boundaries was allowed. Lastly, the access points at issue were limited in scope to collecting logs and generating alerts from ESP devices and physical access control system (PACS) devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-005-1

Requirement: R1/R1.5 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1, URE2 and URE3 self-reported to MRO, SPP RE, and WECC respectively, that a class of servers used to access several Critical Assets and CCAs, and to monitor, alarm, and log access to CIP substation ESPs, were not afforded the required protective measures. In addition, events related to cybersecurity were not monitored or controlled by the UREs. As the UREs failed to review security event logs which lacked continuous event data over a period of time and revealed script failures. The UREs also did not respond to alarm logs sent from servers and dial-up devices that were used to authenticate calls to substations and they failed to conduct testing procedures to ensure security controls on the servers would not adversely affect existing controls. In addition, the UREs did not annually change shared passwords for the servers and a CVA on the system was not conducted for one year. In another year the UREs did not verify that ports and services required for normal or emergency operations were enabled.

Finding: MRO determined that the violation posed a moderate but not a serious or substantial risk to the BPS reliability. In one year URE had an insufficient CVA, yet they did not correct the issues in the subsequent year's CVA. During another year, UREs' CVA revealed that they had failed to maintain a list of required ports and services and yet they did not rectify the issue in the following year's CVA. Additionally, the UREs installed devices without implementing their CIP documentation change control process. However, several factors mitigated the risk posed by the violations including UREs' test environment and procedures which included plans for reversing any changes that would have adversely affected their security controls. Furthermore, access to UREs' CIP substation ESPs was only granted through a dedicated modem within their corporate network. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-005-1

Requirement: R1/R1.5/R1.6 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1, URE2 and URE3 (collectively UREs) self-reported to MRO, SPP RE, and WECC respectively that they failed to provide all the required protective measures to Cyber Assets used for controlling access and/or monitoring their ESPs. The URE's security patch management program failed to include non-Microsoft applications in the discovery and assessment phase for some servers causing UREs to overlook the assessment of almost 60% of their patches, although none were critical to the UREs configuration. For several of their shared system accounts the UREs failed to (1) include account names and users who authorized access on a designated approver list (2) create or review documentation of access control procedures (3) review lists of authorized users (4) create an audit trail of user access or (5) annually change passwords. Two-thirds of the accounts were removed since they were not necessary. In addition the UREs failed to apply their change control and configuration management process to four (one replacement and three new) Critical Asset substation ESP electronic access points to ensure security controls were tested before deploying them into production. As such, the UREs had no documentation for them.

Finding: MRO determined that the violation posed a moderate risk to the BPS reliability as the UREs did not provide, maintain or document users, access privileges or user access logs for a large number of its shared system accounts and they failed to ensure that new and changes to electronic access points to substation ESPs were tested for security controls. UREs' inadequate protective measures created hundreds of CCAs with unprotected electronic access points that could have been used to access and disrupt the BPS. However, the risk was limited by the fact that the electronic access points could only be accessed from URE's network, which required authentication. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-005-1

Requirement: R5/R5.1/R5.2 (2 violations – one for URE1 and one for URE3)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1 and URE3 self-reported to MRO and WECC respectively, that their list of Cyber Assets did not correctly reflect the Cyber Assets they had in production. In addition, on two occasions the UREs' documentation was not updated within 90 days of a change as required because the UREs failed to correctly follow their substation change control and configuration management process when decommissioning and commissioning substation ESP access points.

Finding: MRO determined that the violation posed only a minimal risk to the BPS reliability as the violation involved only two 115kV BPS facilities. In addition, access to UREs CCA was mitigated by the fact that the devices were dial-up applications, with no routable connectivity which could only be accessed through a special server within the UREs' corporate network. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-005-1/CIP-005-3a/CIP-005-2

Requirement: R1.5/R1.5/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported violations and during a compliance audit, ReliabilityFirst discovered an additional violation of the standards where URE failed to (1) timely change passwords on 21 access control and monitoring devices (ACMs), CCAs, and non-CCAs; (2) locate two sets of ACMs in a Physical Security perimeter (PSP); (3) implement test procedures and perform an annual CVA for 52 ACMs; (4) identify ACMs as access points and provide the required protections and (5) identify additional access points to eight CCA servers.

Finding: ReliabilityFirst determined that the violations constituted a moderate risk to the BPS reliability as it increased the risk of unauthorized access to its ESP due to insufficient protections and inefficient password security measures. The risk was further increased due to the length of the violations. However, the risk was mitigated by several factors. Specifically, URE was able to monitor, identify and respond to disruptive network events through its network operations center that monitors enterprise-wide performance and activity. The assets at issue were also protected by URE's use of a rigorous change management program; implementation of current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. In addition, the assets at issue resided in a facility that controlled and protected access physically and electronically utilizing guards, and account management and access control. Moreover, less than three percent of URE's non-user accounts were overdue for password changes. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-005-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit ReliabilityFirst determined that URE could not explain how certain network objects were being used on one device and it had open ports and services for Cyber Assets within its ESP that it could not provide a valid business reason for enabling.

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to the BPS reliability as unnecessary open ports and services increased the risk of unauthorized access to URE's secure services through unprotected networks. The risk was further increased by the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit ReliabilityFirst determined that URE did not conduct a thorough annual review of all active ports and services as required.

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to the BPS reliability as active ports and services were reviewed throughout the year when URE made changes to its system. Further minimizing the risk was URE's defense in-depth strategies including the ability to monitor, identify and respond to disruptive network events through its network operations center; the use of a rigorous change management program; implementation of current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore URE located its Cyber Assets in a facility that controlled and protected access physically and electronically utilizing guards, and account management and access control. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)

Reliability Standard: CIP-005-1

Requirement: R1/R1.1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit SERC determined that URE had classified and protected serial switches and a domain controller that allows access from its corporate network through a virtual private network (VPN) and full administrative access to the its ESP for remote users as Cyber Assets, but failed to identify them as access points to its ESP. URE also failed to remove a domain controller (considered part of an electronic access control and monitoring system-“EACM”) from its ESP after an upgrade and it did not identify an EACM system.

Finding: SERC found that the violation posed a moderate risk to the BPS reliability as there was an increased risk that someone could access systems in URE’s ESP due to access points that were not identified and protected. However, SERC considered several mitigating factors including: (1) the domain controller that remained on the ESP was not able to perform electronic access and control monitoring for the new EMS; (2) intrusion attempts would have been identified through URE’s logging and monitoring capabilities; and (3) only authorized personnel with valid personnel risk assessments (PRAs) and cybersecurity training have access to the devices in URE’s ESP. Furthermore, there was no threat of remotely accessing URE’s corporate network through the devices at issue as URE has a policy that prohibits all remote access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s past history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after receiving a notice of an upcoming compliance audit. However one violation, while self-reported, did pose a serious or substantial risk to the BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.

Penalty: $70,000 (aggregate for 12 violations)

FERC Order: Pending

Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)

Reliability Standard: CIP-005-1

Requirement: R1/R1.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it failed to identify and protect as required all non-critical Cyber Assets. One of URE’s printers was placed into production before the standard was instituted and therefore, was not provided the required protections. In addition, a tape library that ensures the management of accurate back-ups was also not protected as required because it was removed from URE’s inventory list 10 months after it was installed. However the tape library remained in use in URE’s production environment.

Finding: SERC found that the violation constituted only a minimal risk to the BPS reliability as URE provided sufficient, alternative protective measures while the tape library was in production. In addition, neither of the devices performed essential ESP functions or had the ability to affect BPS reliability as they solely provided user access and functionality assistance. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s past history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after receiving a notice of an upcoming compliance audit. However one violation, while self-reported, did pose a serious or substantial risk to the BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.

Penalty: $70,000 (aggregate for 12 violations)

FERC Order: Pending

Unidentified Registered Entity (UREs), FERC Docket No. NP15-20-000 (February 26, 2015)

Reliability Standard: CIP-005-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that not all of its access points to its ESP were being monitored twenty-four (24) hours a day, seven (7) days a week. Specifically, the access points were not monitored when the URE had a firewall and front-end processors and were not configured correctly to forward access logs to a centralized server that monitors cybersecurity events.

Finding: SERC found that the violation constituted a moderate risk to the BPS reliability as unmonitored access points increased the risk that someone could gain unauthorized access to URE’s ESP potentially corrupting or disabling systems. However, the potential risk was reduced due to the fact that URE’s ESP by default would deny access based on how firewalls were configured and URE had a PSP with restricted access surrounding all its devices within its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE’s past history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of which were reported after receiving a notice of an upcoming compliance audit. However one violation, while self-reported, did pose a serious or substantial risk to the BPS reliability. URE was cooperative throughout the enforcement period and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE’s violations.

Penalty: $70,000 (aggregate for 12 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-005-1

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During its compliance audit, ReliabilityFirst found that URE did not sufficiently protect its electronic access control monitoring (EACM) Cyber Assets, which were involved in the control or monitoring of an ESP. Notably, URE violated several protective measures of CIP-007, regarding: cyber security testing procedures (R1), security patch management (R3), account management (R5.1.2, R5.2.1, R5.2.2, and R5.2.3), EACM disposal or redeployment procedures (R7), and Cyber Vulnerability Assessments (CVAs) (R8.1, R8.2, and R8.3).

Finding: ReliabilityFirst found that the violation posed a serious or substantial risk. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (5) lack of attempts or intentions to conceal the violations, (4) commitment to a comprehensive mitigation plan, (5) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (6) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE to (1) record and effectuate all procedures relating to the protective measures and (2) include of all EACMs in the remaining steps of the mitigation plan.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-005-1

Requirement: R2.1, R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During its compliance audit, ReliabilityFirst found that URE did not show that it had documented organization control processes for electronic access to the ESP. First, URE did not meet the documented organization process by enabling only ports and services required for operations and monitoring. Second, URE's firewall disallowed inbound traffic, but URE's default setting of "permit by default" allowed outbound traffic. Finally, URE did not enable only ports and services required for operations and for monitoring Cyber Assets within the ESP.

Finding: ReliabilityFirst found that the violation posed a serious or substantial risk, because a failure to limit communication across the access points increased the risk to CCAs. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (5) lack of attempts or intentions to conceal the violations, (4) commitment to a comprehensive mitigation plan, (5) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, (6) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) set the default for ESP access to "deny access by default" and (2) change access configuration to limit ports and services to only those that are required.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-005-1

Requirement: R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During its compliance audit, ReliabilityFirst found that URE did not have a documented process for monitoring and logging access at ESP access points. Furthermore, URE only monitored failed login attempts, but not attempted or successful unauthorized access.

Finding: ReliabilityFirst found that the violation posed a serious or substantial risk, because a failure to monitor and log access could lead to undetected attacks, compromise of the ESP, and untimely and insufficient responses to attacks. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (5) lack of attempts or intentions to conceal the violations, (4) commitment to a comprehensive mitigation plan, (5) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, (6) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) create and effectuate system events monitoring procedures and (2) ensure that alerts are generated for both unauthorized attempts and actual unauthorized access.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-005-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During its compliance audit, ReliabilityFirst found that URE's CVAs did not include all of the required elements, namely: review of ports and services (R4.2), discovery of access points to ESP (R4.3), and review of controls for default accounts, passwords and network management community strings (R4.4). Further, URE did not clearly document the CVA process or results.

Finding: ReliabilityFirst found that the violation posed a serious or substantial risk, because failure to adequately perform CVA prevented URE from analyzing its security practices and identifying needed improvements. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (5) lack of attempts or intentions to conceal the violations, (4) commitment to a comprehensive mitigation plan, (5) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, (6) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) ensure that the CVA includes all Cyber Assets within ESPs, EACMs, PACs and access points and ensure the enabling of only ports and services required for operation and (2) document CVA results and URE's action plan to address the findings.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-005-1

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-reported that it did not identify and record an EACM device on its CIP Cyber Asset list, so that the device did not receive CIP-005 protections. The EACM was not located at the Critical Asset it supports and was connected to the substation by non-routable microwave transport.

Finding: ReliabilityFirst determined that the violation posed only a minimal, but not a serious or substantial risk, to BPS reliability. The severity of the violation was decreased because the EACM carried non-essential data to a substation with no CCAs; the EACM’s connectivity type was unique so that the issue was an isolated incident; and the problem was quickly detected and mitigated. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual URES had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in an FERC-approved settlement. URE1’s mitigation plan obligated URE1 to (1) bring the EACM into compliance with CIP-005 by implementing a Physical Security Perimeter (PSP) at the substation and (2) to validate all electronic configurations and update its documentation to record the changes.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.