NERC Case Notes: Reliability Standard CIP-005-3a | White & Case LLP International Law Firm, Global Law Practice

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries; the FFT (Find, Fix and Track) summaries are on a separate page.

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-3a

Requirement: R1; R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of R1 after discovering that it had failed to assess available patches pertaining to three servers employed as authentication devices, three RSA SecurID two-factor authentication appliances, and four firewall access points, all of which were located in the company's control centers and used for access, control and monitoring (ACM).

Finding: WECC determined that the R1 violation posed a minimal risk to the reliability of the BPS because Physical Security Perimeters protected the relevant network devices from unauthorized physical access, authorized access to the devices was restricted to only five people, all of whom had completed Personnel Risk Assessments and CIP training, and the company controlled, logged and monitored all electronic access. Furthermore, the company met 24 of the 25 CIP requirements for these devices. WECC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1.

WECC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company should have begun assessing the devices in scope for available patches and ended when the company completed its mitigation plan. URE does not contest the R1 violation.

Penalty: $10,000

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-005-3a

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: URE self-reported a violation of R5 when it found that the two security monitoring tools used for network devices had been receiving more activity logs than anticipated, and as a result, had overwritten some of the security logs to make space for new log messages. This meant that only 81 days of logs were recorded on 12 access points to the ESPs, 14 Cyber Assets within the ESP, and 2 Cyber Assets used in access control and/or monitoring of the ESPs.

Finding: RFC determined that the R5 violation posed a minimal risk to the reliability of the BPS because the company was only 9 days of logs short of the standard for two months, the logs had been alerting properly, the company had monitored the logs daily during the violation, and the company was quick to respond to the violation. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R5.

RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the company did not retain security logs for 90 calendar days and ended when the company adjusted its monitoring tools to retain 90 calendar days of logs. URE admits the R5 violation.

Penalty: $0

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-005-3a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found a violation of R2 because URE did not maintain a baseline record of ports and services required for operations and for monitoring Cyber Assets within the ESP, and thus, in its annual review of such ports and services, it could not determine a history of modifications to verify their configurations. URE could not provide evidence that only those required ports and services had been enabled, and it failed to maintain a document identifying the content of all its required appropriate use banners.

Finding: The violation was deemed to pose a minimal risk to BPS reliability, which was mitigated because during URE’s annual review of each Cyber Asset, subject matter experts look for unneeded ports or anomalous entries, and URE documents the results of such reviews. In addition, although URE failed to document the content of its appropriate use banners, it implemented appropriate use banners on all its access control devices. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-005-3a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found a violation of R4 when URE was unable to provide a list of ports and services that are required for operations of the electronic access points to the ESPs and when its Cyber Vulnerability Assessment failed to discover all access points to its ESP.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, which was mitigated by URE’s annual review of each Cyber Asset, in which subject matter experts look for unneeded ports or anomalous entries, and URE documents the results of such reviews. In addition, URE’s annual discovery scan identified all Cyber Assets connected to a network within the ESP, even if it did not identify all possible access points to the ESP. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-005-3a

Requirement: 3, 4 (2 violations – RFC and SERC)

Violation Risk Factor: Medium (3, 4)

Violation Severity Level: Severe (3, 4)

Region: RFC and SERC

Issue: URE1 did not monitor access at its ESP access points 24 hours a day, seven days a week as it had an outage (for 91 minutes) on its intrusion detection system while it conducted system maintenance and did not have a mechanism in place to perform monitoring during the outage. In addition, URE1 was not properly aggregating logs for a month from one of its routers at one of its ESP access points (3). URE2’s annual cyber vulnerability assessments of the electronic access points to the ESP did not timely include a complete review of URE2’s routers to ensure that only ports and services required for operations at access points were enabled. In addition, URE1’s annual cyber vulnerability assessments of the electronic access points to the ESP did not timely include 13 firewalls and 10 routers. URE1 and URE2 (collectively, URE) also did not perform the required review of used firewall rules or conduct a review of all of the ports in the year. (4)

Finding: SERC and RFC found that the CIP-005-3a R3 and R4 violations constituted a moderate risk to BPS reliability. With regard to the R3 violation, without the appropriate continuous monitoring procedures in place at the ESP access points, there was an increased risk of individuals gaining unauthorized access to an entity’s ESP with no record of such intrusion. But URE1 did have other monitoring measures in place (such as logging all access points to the ESP) during the outage of the intrusion detection system. URE1 also alerted the affected telecommunication groups, server support groups, and system operations coordinators to immediately report any suspicious activity. In terms of the R4 violations, they increased the chances for individuals to be able to exploit vulnerabilities in URE’s ESP access points and gain unauthorized access to CCAs within the ESP. But the routers in question had received the required protections. The devices were also protected by site physical security and were located within a PSP. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But URE did self-report some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000 ($175,000 for each URE; aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP14-17-000 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 2.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it was in violation of the requirements of CIP-005-3a R2 because it found that users on devices in its Energy Management System ESP could use shell, virtual network computing, or remote desktop to receive a remote login to devices in URE’s Generation Management System ESP. The remote login only required a user to provide a name and password to access the system. WECC determined that identification by only a user name and password does not meet the procedural and technical controls in place to ensure only allowed parties may access URE’s system.

Finding: This violation was deemed by WECC to pose a minimal risk to BPS reliability, but not a serious or substantial risk. Although URE could not absolutely identify the individuals with external interactive access to the GMS ESP, all the devices relevant to this violation were located in a secured PSP. Also, URE monitors outside access to its system. In determining the appropriate penalty, WECC considered that URE had two previous violations of CIP-002 R3, which was an aggravating factor; but URE has a compliance program in place that was given mitigating credit. URE followed all compliance orders, was cooperative during the enforcement process, and did not attempt or intend to conceal a violation.

Total Penalty: $144,000 (aggregate for two violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not establish sufficient procedural and technical controls to establish the authenticity of parties seeking to gain entry to ESP access points. For example, URE modified its firewall rules to facilitate the deployment of new servers, which inadvertently allowed a web browser from a corporate workstation to access a non-critical Cyber Asset inside an ESP. In addition, when testing secondary authentication methods, six of URE’s virtual workstations on a subnet outside an ESP were able to access Cyber Assets inside an ESP, bypassing primary remote access authentication.

Finding: SERC found that the CIP-005-3a R2 violation constituted a moderate risk to BPS reliability since the lack of adequate procedural or technical controls on the ESP access points increased the risk of unauthorized access to the ESP and of the CCAs being compromised. But the only personnel who gained access were certain URE IT support administrators, all of whom had current PRAs on file and had authorized access to CCAs on a need-to-know basis. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above and beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: SERC

Issue: URE self-reported that it did not maintain the required electronic access logs for at least 90 days as required, as URE decommissioned a switch that was used as a dial-up ESP access point and inadvertently deleted five days of logs (which had not yet been manually reviewed). URE also did not timely update an ESP diagram after it removed a network printer.

Finding: SERC found that the CIP-005-3a R5 violation constituted only a minimal risk to BPS reliability. Only five days of logs were missing for one switch, and the relevant switch had additional protective measures in place. In addition, the printer at issue was a non-Critical Cyber Asset and was no longer located in URE’s ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above and beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-005-3a

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that during a scheduled network outage, URE did not perform the required logging and monitoring for approximately 28 hours.

Finding: SERC found that the CIP-005-3a R3 violation constituted a moderate risk to BPS reliability since the lack of continuous monitoring of the ESP increased the risk that URE would fail to detect unauthorized access attempts to the ESP and that its CCAs would be compromised. But the violation only lasted for 28 hours and URE requires multiple layers of authentication in order to gain access to the ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above and beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: 3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that its process syslog collector was not running on the electronic security manager and, as a result of a stoppage of the process parse text collector, there were three gaps in logging of over 10 hours on certain electronic access control and monitoring devices.

Finding: RFC found that the CIP-005-3a R3.2 violation constituted a moderate risk to BPS reliability as the missing logs increased the risk of there being undetected and unauthorized access to URE’s system. But the missing logs were only from a limited number of devices. In addition, no cyber security events occurred on URE’s monitored equipment. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above and beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though, in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.

Total Penalty: $75,000 (aggregate for 13 violations)

FERC Order: Issued February 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-3a

Requirement: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE7 did not change a default administrator account name on a Check Point firewall before the firewall went into service.

Finding: RFC determined that the violation constituted a moderate risk to BPS reliability as having default account information on a firewall (which may be publicly available) could result in the URE Companies’ systems being vulnerable to compromise. However, the URE Parent Company utilizes a layered defense-in-depth system, which provided several additional defenses against unauthorized access (e.g. physical perimeter defense, network defense, application defenses and data and resource defenses). The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the UREs were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-005-3a

Requirement: R3/R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE7 failed to alert responsible personnel regarding access attempts or actual unauthorized access to its ESP. Instead, URE7’s alerts were limited to failed logins and local account creation.

Finding: RFC determined this violation constituted only a minimal risk to BPS reliability as URE7 was continuously monitoring and logging system events that occurred on Cyber Assets within the ESP. URE7’s firewalls were also properly filtering and denying unauthorized access attempts to its ESP. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R5 (5.1 and 5.2)

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: SPP RE

Issue: During a compliance audit, SPP RE determined that URE’s documentation had not been updated with the associated processes and configurations for a newly implemented jump box and that URE did not update its ESP network diagram within 90 days of removing a virtual private network (VPN).

Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability as URE restricts remote access to only one jump box that is administered by a small number of staff. In addition, the VPN at issue impacted only network documentation, not the diagram. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-005-3a

Requirement: R1/R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that its Cyber Assets used for controlling and monitoring access to its ESP were not afforded all the required protections. URE failed to document the assessment of 47 security patches for 38 electronic access control and monitoring devices (EACMs) within 30 days of availability by two of its firewall vendors.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE utilized several methods for blocking unauthorized access to its CCA. User access was logged and monitored at all times, and network traffic to and from access points to URE's ESP was sent to a centralized server, which issued alarms for unknown activity to personnel, who could then block unauthorized access. Unknown activity was further identified through URE's host-based intrusion detection system and antivirus tools, which signaled alerts for unknown activity. In response to the alerts, security personnel could stop communications to URE's CCA at the access points, thereby preventing any outside intrusion. Access points at the ESP were protected by redundancy, which would allow URE quick recovery in the event of a security breach. Unidentified traffic or failures would have been detected by access point activity logs that issued alerts and triggered appropriate recovery procedures. URE also had trained security personnel responsible for analyzing and responding to traffic and activity on access points to its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability, with two violations posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that a firewall analyst failed to fully configure the logging command when implementing electronic statements for allowing host machines to communicate with a field data concentrator within an ESP, which resulted in a lack of access logging for 8% of the security policies for that access point.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability, although the lack of access logging increased the risk that URE1 would not be able to detect, analyze or respond to unauthorized access across its ESP. However, the violation involved only one access point and affected only 8% of that access point's security policies, which were designed according to URE1's procedures that restricted access to authorized personnel. Furthermore, a virtual private network encrypted all traffic from the host device. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity (URE), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-005-3a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that the configuration information of a dial-up modem used by a third-party vendor to conduct URE's CVA was omitted from URE's annual CVA. In addition, for two years URE did not document the status of its action plan for remediating vulnerabilities for four access points found during its CVA.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE proactively prevents malicious cyber attacks through a defense-in-depth architecture that includes: physical and logical cybersecurity controls; special locks, closed-circuit television and other physical security mechanisms; firewalls; vulnerability scanning tools; and internal cybersecurity controls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-005-3a

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it scanned ports on electronic access control and monitoring (EACM) Cyber Assets but failed to timely assess the scans' results against established baselines. FRCC_URE2 also self-reported that before commissioning two EACMs, it had failed to change three default passwords.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting EACMs at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services, access to the default accounts required two-factor authentication into the Electronic Security Perimeter (ESP), and ESPs and Physical Security Perimeters protected the EACMs. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services, (2) reviewed the relevant ports and services, (3) changed the relevant passwords, and (4) informed appropriate employees of the requirements for securing default accounts.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-005-3a

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it scanned ports on access point Cyber Assets but failed to timely assess the scans' results against established baselines. FRCC_URE2 also self-reported that during the CVA, it failed to review the ports and services rule set through the firewall.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting Cyber Assets at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services rule sets, and Physical Security Perimeters protected the access points at issue. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services and (2) reviewed ports and services through the firewall and at the access points.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26, 2015.