NERC Case Notes: Reliability Standard CIP-007-2


MRO-3, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-007-2

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: MRO

Issue: An Unidentified Registered Entity (URE-MRO3) filed a self-report after discovering that its system event logs on four Critical Cyber Assets consisting of newly configured domain servers had not been properly maintained for 90 days. URE-MRO3 determined that when it transitioned from its previous domain servers to the newly configured domain servers, the technician in charge disabled a Windows Remote Manager Service after concluding it was unnecessary because URE-MRO3 had a Windows Event Collector service running locally. The technician did not realize that the two programs were dependent upon one another in such a manner that the Event Collector stopped functioning when the Remote Manager Service was disabled.

Finding: MRO found that this violation posed a minimal risk to the reliability of the bulk power system because although the system event logs and services were not activated for 90 days, URE-MRO3 had other procedures in place for the continuous, real-time monitoring of access to the physical cyber access points to the Electronic Security Perimeter, as well as other testing and monitoring procedures. Moreover, URE-MRO3 conducted a review of the physical security access logs and confirmed nothing unusual had occurred.

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-007-1, CIP-007-2, CIP-007-2a

Requirement: R1, R3.1, R5.2.3, R6

Violation Risk Factor: Medium (R1, R1.1 and R5.2.3); Lower (R1.2, R1.3, 3.1, R6)

Violation Severity Level: N/A for CIP-007-1, Severe for CIP-007-2 (except R5.2.3) and CIP-007-2a; Moderate for CIP-007-2 R5.2.3

Region: ReliabilityFirst

Issue: With regard to R1, Unidentified Registered Entities 1 and 2 (URE 1, URE 2) self-reported that their information services department did not complete cyber security testing when it installed new software. With regard to R3.1, URE 1 and URE 2 self-reported that they failed to timely assess security patches for a software upgrade. URE 2 also miscalculated the due date for an assessment of several additional patches, resulting in testing one day late. With regard to R5.2.3, URE 1 self-reported that the information services department did not timely revoke an individual’s access to a shared account, contrary to its procedure and the requirement of the standard. With regard to R6, URE 1 and URE 2 self-reported that they failed to configure 44 Cyber Assets to send log information to a centralized location for review. Twenty-three of the 44 devices were capable of capturing and retaining 90 days of log information, so URE 1 and URE 2 could review that information and determine that no events occurred during that period. Nine of the devices could capture between six and 34 days of log information, and the UREs confirmed no events during those periods. In an additional nine instances, the logs had been overwritten, so the UREs could not review them. For the remaining three devices, no log information could be retrieved. As a result, the UREs failed to keep and review 90 calendar days of data as required by R6. Duration of the violations was: January 1, 2010-June 18, 2010 (CIP-007-1 R6); June 21, 2010-June 30, 2010 (CIP-007-2a R1); January 1, 2010-July 14, 2010 (CIP-007-2 R3.1); and August 31, 2010-August 16, 2010 (CIP-007-2 R5.2.3).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because for violations of R6, sufficient electronic controls were in place to limit access and no cyber security events occurred during the relevant time period; for violations of R1, the servers had other system security protections in place and the information systems department had tested the software on similar systems reducing the chance that the lack of testing on the servers in question would adversely affect protection; for violation of R3.1, the firewalls had very few ports and entry required access from firewall administrators, and the firewalls did not communicate outside the UREs’ system; for R5.2.3, URE 1 had revoked the individual’s unescorted physical and electronic access to the critical cyber assets in a timely manner, and the individual had not tried to re-enter the building as a visitor after resignation. However, ReliabilityFirst noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violation; and there was no evidence that the UREs attempted to conceal a violation.

Penalty: $180,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2011)

Reliability Standard: CIP-007-2

Requirement: R4; R5/5.3

Violation Risk Factor: Medium (R4); Lower (R5)

Violation Severity Level: Severe

Region: RFC

Issue: Following a Self-Report, RFC determined that URE violated R4 for failing to use anti-virus software and other malware prevention tools or implement and document compensating measures on three CCAs within its ESP. The CCAs were incapable of using anti-virus software and other malware prevention tools, but URE never submitted a TFE request for the assets because it incorrectly categorized or failed to account for the CCAs while reviewing its CCA list. RFC also determined URE violated R5.3 because it did not use passwords that met the specifications of the Standard. The three CCAs at issue, which were the same CCAs at issue in the violation of R4, were incapable of processing the complex passwords required by R5.3. Moreover, URE did not update 91 shared account passwords associated with the three CCAs within the annual timeframe required by R5.3.3.

Finding: RFC found that this violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because of the nature of the violation, offset by the mitigating factors. Specifically, URE kept all three CCAs at issue in physically protected locations at all times during the period of violation; URE had multiple layers of defense in place to reduce the CCAs’ risk of exposure to malware, including perimeter defenses such as firewalls and logging; network defenses such as intrusion detection and prevention software; host defenses such as firewalls and malware on other assets; and procedural controls such as cyber policies and procedures.

In assessing the penalty, RFC favorably considered aspects of URE’s compliance program and remedial measures URE took to improve its CCA access authorization and monitoring systems.

Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-2

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE submitted a self-certification reporting non-compliance with the Standard because it lacked procedures for testing existing CCAs or CAs to ensure that new CAs, or significant changes to existing CAs, housed in the ESP have no negative effect on existing cyber security controls. URE was also unable to show that security testing for CAs within the ESP was undertaken, or to produce the results of such testing.

Finding: RFC found the violation constituted a minimal risk to BPS reliability, which was mitigated because the violation was documentation-related only. URE reported that the required testing was done, but URE failed to document the results. RFC considered certain parts of URE’s internal compliance program as a mitigating factor in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-2

Requirement: R3, R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-certified, and ReliabilityFirst confirmed, that it was not in compliance with CIP-007-2 R3 because it did not apply security patches to one CA located in its ESP during the duration of the violation. Regarding R4, URE reported it had not tested malware prevention signatures (Signatures) prior to installation on a transmission control room personal computer, a CA located in its ESP (URE’s other CAs within its ESP are not involved in this violation). The transmission control room personal computer was set to automatically update the anti-virus signature files directly from a server without prior testing, in violation of the Standard.

Finding: ReliabilityFirst found the violation constituted a moderate risk to BPS reliability, which was mitigated because URE uses multiple security alerts to evaluate monthly any vulnerabilities or any possible level of threat to its system. URE also has security systems in place, including network intrusion detection systems, access controls at the firewall and system logging. Additionally, the CA on which Signatures were not tested has no direct Internet access, lessening the possible exposure to malware. ReliabilityFirst considered certain parts of URE’s compliance program as mitigating factors in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)

Reliability Standard: CIP-007-2

Requirement: R6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE3 self-certified that two of its servers, which are used as primary and back-up real-time providers of SCADA information, were not properly configured to send Syslogs, a standard for computer data logging, to its Syslog servers. Therefore, URE3 was not reviewing or retaining logs of system events as required.

Finding: WECC found that URE3's CIP-007-2 R6 violation constituted a moderate risk to BPS reliability, since unauthorized access to URE3's Cyber Assets could have gone unnoticed, which could potentially have led to harm to the CCAs that are essential to the operation of the BPS. However, the servers were contained within a PSP and ESP and provided with protective measures. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. The UREs' compliance program was also evaluated as a mitigating factor, as was the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.

Penalty: $151,500 (aggregate for 9 violations)

FERC Order: Issued March 29, 2013 (no further review)
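As an added, defender-side illustration that is not part of the NERC case notes, the following Python check captures the two R6 failure modes that recur above: a central collector that silently stops receiving events (the disabled service in MRO-3) and assets that were never forwarding and cannot hold 90 days locally (the 44 devices in NP11-237 and the syslog servers in NP13-24). The asset names, the 24-hour silence threshold and the sample timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REQUIRED_RETENTION_DAYS = 90   # review/retention window CIP-007 R6 requires, per the cases above
MAX_SILENCE_HOURS = 24         # hypothetical alert threshold for a source that stops reporting


@dataclass
class LogSource:
    asset: str                       # asset name (constructed sample values below)
    last_event: Optional[datetime]   # newest event received by the central collector, None if never
    local_retention_days: int        # days of log the asset can keep on its own


def assess_sources(sources: List[LogSource], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (silent, short_retention): assets whose central feed has gone quiet,
    and assets whose local storage cannot cover the 90-day review window."""
    silent, short_retention = [], []
    for s in sources:
        quiet = s.last_event is None or now - s.last_event > timedelta(hours=MAX_SILENCE_HOURS)
        if quiet:
            silent.append(s.asset)
        if s.local_retention_days < REQUIRED_RETENTION_DAYS:
            short_retention.append(s.asset)
    return silent, short_retention


SAMPLE_NOW = datetime(2010, 6, 18, 12, 0)   # constructed reference time

SAMPLE_SOURCES = [
    # collector stopped receiving from this domain server months ago (the MRO-3 pattern)
    LogSource("domain-srv-01", SAMPLE_NOW - timedelta(days=92), 90),
    LogSource("domain-srv-02", SAMPLE_NOW - timedelta(hours=1), 90),   # healthy feed
    LogSource("rtu-07", None, 34),                                     # never forwarded, 34 days local
    LogSource("hmi-03", SAMPLE_NOW - timedelta(hours=2), 6),           # forwards, only 6 days local
]


def sample_assessment() -> Tuple[List[str], List[str]]:
    """Run the check over the constructed sample set."""
    return assess_sources(SAMPLE_SOURCES, SAMPLE_NOW)


if __name__ == "__main__":
    silent, short = sample_assessment()
    print("silent sources:", silent)
    print("short local retention:", short)
```

A source in the silent list with adequate local retention can still be reviewed by pulling logs from the asset, as the 23 devices in NP11-237 were; a source in both lists is the case where logs are overwritten before anyone looks.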
