NERC Case Notes: Reliability Standard CIP-007-2a

Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)

Reliability Standard: CIP-007-1 and CIP-007-2a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: N/A (CIP-007-1); High (CIP-007-2a)

Region: RFC

Issue: Unidentified Registered Entity (URE) self-reported that it did not produce and retain all logs for two Critical Cyber Assets (the anti-virus and malicious software server and the database service for a DCS Control System) within the Electronic Security Perimeter for 90 calendar days as required. URE reported that it had changed the administrator passwords on an appliance that serves as the storage site for the event logs required by CIP-007-1 R6.4 and CIP-007-2a R6. The password changes inadvertently corrupted or altered the administrator credentials on that appliance, rendering the event logs from both servers inaccessible. The result was a gap in the data, including the loss of logs required by CIP-007-1 R6 before the end of the 90-day retention period.

Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000 and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because both servers accurately captured event logs up to the password change, so logs exist immediately before and immediately after the gap. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations, leading to a finding that URE had repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor; that the violations were self-reported; that URE was cooperative during the enforcement process and did not conceal the violations; that URE had a compliance program in place (evaluated as a mitigating factor); and that there were no additional aggravating or mitigating factors.

Penalty: $85,000 (aggregate for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-007-1, CIP-007-2, CIP-007-2a

Requirement: R1, R3.1, R5.2.3, R6

Violation Risk Factor: Medium (R1, R1.1 and R5.2.3); Lower (R1.2, R1.3, R3.1, R6)

Violation Severity Level: N/A for CIP-007-1, Severe for CIP-007-2 (except R5.2.3) and CIP-007-2a; Moderate for CIP-007-2 R5.2.3

Region: ReliabilityFirst

Issue: With regard to R1, Unidentified Registered Entities 1 and 2 (URE 1, URE 2) self-reported that their information services department did not complete cyber security testing when it installed new software. With regard to R3.1, URE 1 and URE 2 self-reported that they failed to timely assess security patches for a software upgrade. URE 2 also miscalculated the due date for the assessment of several additional patches, so that assessment was completed one day late. With regard to R5.2.3, URE 1 self-reported that the information services department did not timely revoke an individual's access to a shared account, contrary to its procedure and the requirement of the standard. With regard to R6, URE 1 and URE 2 self-reported that they failed to configure 44 Cyber Assets to send log information to a centralized location for review. Twenty-three of the 44 devices were capable of capturing and retaining 90 days of log information locally, so URE 1 and URE 2 could review that information and determine that no events had occurred during that period. Nine of the devices could capture between six and 34 days of log information, and the UREs confirmed that no events occurred during those shorter periods. In a further nine instances the logs had been overwritten, so the UREs could not review them. For the remaining three devices, no log information could be retrieved at all. As a result, the UREs failed to retain and review 90 calendar days of log data as R6 requires. Duration of the violations was: January 1, 2010-June 18, 2010 (CIP-007-1 R6); June 21, 2010-June 30, 2010 (CIP-007-2a R1); January 1, 2010-July 14, 2010 (CIP-007-2 R3.1); and August 31, 2010-August 16, 2010 (CIP-007-2 R5.2.3).
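The two R6 cases above (the password change that left a hole in otherwise complete logs, and the 44 devices whose local buffers held anywhere from 90 days down to nothing) both come down to the same question a reviewer has to answer before the audit does: for each in-scope device, does the central log store actually hold an unbroken 90 calendar days? The following Python is an added example, not code from the case notes or from any registered entity; the device names, review date and per-device record dates are constructed. It assumes each device emits at least one record per calendar day (a heartbeat or routine event), so a day with no retained record is treated as a collection or retention gap rather than a quiet day.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REQUIRED_DAYS = 90  # CIP-007 R6: retain 90 calendar days of security event logs


@dataclass
class Coverage:
    device: str
    retained_days: int                        # calendar days from oldest retained record to window end
    gaps: list = field(default_factory=list)  # (first_missing_day, last_missing_day) pairs
    status: str = "none"                      # "full", "partial", "interrupted" or "none"


def assess_device(device, log_days, window_end, required=REQUIRED_DAYS):
    """Classify one device's retained log days against a required calendar window.

    Assumption (hypothetical, stated in the lead-in): the device logs at least once
    per day, so any day inside the window with no record is a gap.
    """
    window_start = window_end - timedelta(days=required - 1)
    in_window = sorted({d for d in log_days if window_start <= d <= window_end})
    if not in_window:
        # Nothing retrievable for the whole window (the "three devices" case).
        return Coverage(device, 0, [(window_start, window_end)], "none")

    gaps = []
    # Leading gap: the oldest retained record is newer than the window start,
    # i.e. the device (or its buffer) only covers part of the 90 days.
    if in_window[0] > window_start:
        gaps.append((window_start, in_window[0] - timedelta(days=1)))
    # Internal gaps: consecutive retained days more than one day apart.
    for prev, cur in zip(in_window, in_window[1:]):
        if (cur - prev).days > 1:
            gaps.append((prev + timedelta(days=1), cur - timedelta(days=1)))

    retained = (window_end - in_window[0]).days + 1
    if not gaps:
        status = "full"
    elif retained < required:
        status = "partial"        # buffer too short, as with the 6-to-34-day devices
    else:
        status = "interrupted"    # covers the window but has a hole, as after the password change
    return Coverage(device, retained, gaps, status)


def assess_fleet(logs_by_device, window_end, required=REQUIRED_DAYS):
    """Run assess_device over every device; returns {device: Coverage}."""
    return {dev: assess_device(dev, days, window_end, required)
            for dev, days in logs_by_device.items()}


def day_range(first, last):
    """Inclusive list of calendar days from first to last."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


# Constructed sample: the dates on which the central store holds at least one
# record per device, as of the review date. None of this is real entity data.
REVIEW_DATE = date(2010, 6, 18)
SAMPLE_LOGS = {
    "esp-fw-01": day_range(date(2010, 1, 1), REVIEW_DATE),                   # full coverage
    "esp-sw-07": day_range(REVIEW_DATE - timedelta(days=33), REVIEW_DATE),   # 34-day buffer only
    "av-server": [d for d in day_range(date(2010, 3, 1), REVIEW_DATE)
                  if not date(2010, 5, 1) <= d <= date(2010, 5, 5)],         # 5-day hole mid-window
    "hmi-03": [],                                                            # nothing retrievable
}

if __name__ == "__main__":
    for cov in assess_fleet(SAMPLE_LOGS, REVIEW_DATE).values():
        print(f"{cov.device:10s} {cov.status:12s} retained={cov.retained_days:3d} gaps={cov.gaps}")
```

Feeding this the dates actually present in the central store, rather than the dates the forwarding configuration says should be there, is the point: the 44-device finding was a configuration that nobody had verified end to end, and the password-change finding was a store that silently stopped accepting writes. Both show up here as a non-"full" status long before the 90-day window has rolled past.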

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system. For the R6 violations, sufficient electronic controls were in place to limit access and no cyber security events occurred during the relevant period. For the R1 violations, the servers had other system security protections in place, and the information services department had tested the software on similar systems, reducing the chance that the lack of testing on the servers in question would adversely affect protection. For the R3.1 violation, the firewalls had very few open ports, entry required access by firewall administrators, and the firewalls did not communicate outside the UREs' system. For R5.2.3, URE 1 had revoked the individual's unescorted physical and electronic access to the Critical Cyber Assets in a timely manner, and the individual had not tried to re-enter the building as a visitor after resignation. However, ReliabilityFirst found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; that the UREs were cooperative during the investigation; that the UREs had a compliance program at the time of the violations; and that there was no evidence the UREs attempted to conceal a violation.

Penalty: $180,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-007-2a

Requirement: R3.1

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: FRCC

Issue: FRCC_URE1 self-reported that it had not timely documented, within 30 days of the availability of the security patch, its assessment on the applicability of the security patch. It took FRCC_URE1 35 days to complete the required assessment.

Finding: FRCC found that the violation constituted only a minimal risk to bulk power system reliability since the assessment was only 5 days overdue and the relevant security patch was still put into place in the appropriate implementation cycle.

Penalty: $14,000 (aggregate for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-007-2a

Requirement: R3.1, R5, R7.2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: NPCC

Issue: NPCC_URE2 self-reported that it had not properly documented, in its Critical Infrastructure Management System Security Patch Notification Report, its assessment of six security patches or upgrades for their applicability, within 30 days of their availability, as required (R3.1). NPCC_URE2 also self-reported that it had not implemented compensatory measures, as required, after the suspension of the technical controls on three of its Critical Cyber Assets (CCAs) for five days (R5). NPCC also found that NPCC_URE2 had reclassified five Generator Control System (GCS) consoles as non-CCAs. In doing so, NPCC_URE2 reconfigured its Electronic Security Perimeter to exclude the GCS consoles, but did not erase the data storage media (R7.2).

Finding: NPCC found that the violations constituted a minimal risk to bulk power system reliability. In terms of R3.1, NPCC_URE2's third-party patch monitor notified NPCC_URE2 when the patches were released, and NPCC_URE2's acknowledgement of the patches was only 5-6 days outside the required timeframe. In addition, the delay affected only the creation of the documentation of patch applicability. In terms of R5, even during the violation the cyber assets were securely stored within the Physical Security Perimeter, which was staffed 24 hours a day by authorized personnel. In terms of R7.2, the GCS consoles were not moved outside the Physical Security Perimeter and the access controls stayed active; the consoles were located in a non-public area subject to multiple layers of security. The duration of the violations was May 14, 2010 through May 19, 2010 (R3.1), April 22, 2010 through April 26, 2010 (R5), and April 8, 2010 through September 24, 2010 (R7.2).

Penalty: $6,000 (aggregate for 4 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-2a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-reported that it had not disabled unused ports and services on a transmission control room personal computer, residing in the ESP, as required by CIP-007-2a R2 and as set forth in URE’s procedures.

Finding: ReliabilityFirst found that the violation constituted a moderate risk to BPS reliability. The risk was mitigated because URE does have a documented process to meet the requirements of the Standard; it simply did not implement that process in this instance. Also, unused ports and services on the firewall protecting the personal computer at issue were disabled, lessening the possibility of outside attacks against the Cyber Assets inside the ESP. Finally, URE had separate security measures in place, such as intrusion detection, anti-virus, security logging, cyber and physical access control, and a defense-in-depth network design for system protection. ReliabilityFirst considered certain parts of URE's compliance program as mitigating factors in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-007-2a

Requirement: R7; R7.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE was found to be in violation of CIP-007-2a R7.1 because it returned a hard disk drive from a Critical Cyber Asset (CCA) to the hardware vendor without erasing the sensitive data it contained.

Finding: The violation was deemed to pose minimal risk to BPS reliability because the incident was due to human error, and URE showed that there were no other similar instances. In addition, the disk was unreadable and the vendor confirmed that it destroys all devices upon their return. In determining the appropriate penalty, URE's compliance program was considered a mitigating factor.

Penalty: $65,000 (for 11 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-007-2a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it potentially lost the ability to monitor and log system events related to its Cyber Assets within ESPs as a result of numerous outages that occurred on its servers used to monitor and log cyber security system events.

Finding: SERC found that the CIP-007-2a R6 violations constituted a moderate risk to BPS reliability. While URE did have procedures for monitoring and logging system events, it was unable to continuously monitor for cyber security system events for its CCAs within ESPs during the outages, which could have allowed security breaches to go undetected. In addition, URE's failure to log all system events could have had a negative impact on its ability to conduct a proper incident response. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, from a compliance standpoint, when the CIP requirements became mandatory and enforceable. Because URE had problems identifying CCAs, Cyber Assets and access points, it was not providing the mandated protections to all of the required devices, greatly increasing the risk of CCAs being compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability, as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness of the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-007-2a

Requirement: R6; R6.2; R6.3; R6.4; R6.5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R6 when three of its Cyber Assets were not properly configured to send logs of detected Cyber Security Incidents to a newly installed security log monitoring system. In addition, the company had not properly configured 17 switches within 16 of its ESPs to send logging information to a security monitoring tool for network devices. As a result, the monitoring system did not capture logs from all devices.

Finding: RFC determined that the R6 violation posed a moderate risk to the reliability of the BPS. A number of factors reduced the likelihood of successful unauthorized access attempts, including: an active corporate monitoring system that raised alarms for attempts to access the ESPs and the devices in them; a corporate log server that recorded the logs sent by the 17 network switches for ninety days; and restricted electronic access to the network switches, which meant that an unauthorized access attempt would first have to pass through the ESP access point or have physical access to the device.
In addition, the majority of the network switches only provide pass-through communications. As a result, compromised switches are less likely to affect the system outside of the local area network. Finally, the access point protections given to the Critical Cyber Assets did not permit unauthorized traffic into the ESP during the violation period. RFC and URE entered into a settlement agreement to resolve the violations whereby URE agreed to undertake mitigation measures to come into compliance with R6.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the company installed new devices and ended when the company configured all missed devices to send security and event logs to the log monitoring system. URE admits the R6 violation.

Penalty: $0

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-007-2a; CIP-007-3

Requirement: R5.1; R5.1.3; R5.2; R5.3.2

Violation Risk Factor: Lower / Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R5 when it failed to manage accounts in a manner that minimizes the risk of unauthorized system access. Specifically, URE had not granted access permissions on a "need to know" basis with respect to the work functions performed, and was unable to show that it conducted annual reviews of its user accounts and access privileges. RFC further found that the company had granted access privileges to several individuals who were not recorded as having been given such privileges, and who therefore were not included in the annual review of all user accounts and access privileges. These same stray access privileges meant that the company was unable to demonstrate that it had implemented its policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges, including factory default accounts. Finally, URE lacked the procedural controls to mandate the use of passwords containing alpha, numeric, and "special" characters.

Finding: RFC determined that the R5 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because URE's access permissions were granted to employees with "need to know" status. Additionally, although the company lacked the procedural controls to mandate the proper access passwords, the company required and used proper access passwords during the violation period nonetheless. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R5.
RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company was required to comply with CIP-007-3 R5, and ended when the company completed its mitigation plan. URE neither admits nor denies the R5 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-007-2a; CIP-007-3

Requirement: R8.2; R8.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R8 because, although the company performed a cyber vulnerability assessment that included a list of all active ports and services, it was unable to show that it enabled only the ports and services required for the operation of the Cyber Assets in its Electronic Security Perimeter (ESP). Additionally, the company failed to show that, as part of the cyber vulnerability assessment, it performed a review of all default accounts and that it reviewed controls for default accounts, passwords, and network management community strings.

Finding: RFC determined that the R8 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because during the violation period, the company enabled monitoring, logging and alerting, as well as anti-virus protections on all Critical Cyber Assets (CCAs) within the ESP where technically feasible. In addition, the company used an intrusion prevention system to protect all ESP access points, which logged, alerted, and constantly monitored all access points during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R8.
RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company was required to comply with CIP-007-3 R8, and ended when URE determined which ports and services are necessary for the operation of Cyber Assets, enabled only those ports and services, and performed a review of its default accounts. URE neither admits nor denies the R8 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-007-2a

Requirement: R5; R7

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: During a compliance audit, Texas RE found that URE could not show that its change control management policy met the requirements of CIP-007 during the entire period the Reliability Standard was mandatory and enforceable. The audit further found URE to be non-compliant with all requirements of R5.2 in that URE could not show that shared accounts were being managed. The Standard requires detailed logs to be maintained that show individual user account activity regarding access of CAs and CCAs within its ESP for at least 90 days, but URE could not provide such documentation. Regarding R7, URE did not have proper records to show how Cyber Assets were being disposed or redeployed. In particular, two modems listed as CAs could not be accounted for.

Finding: The violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Risk was mitigated because URE does use an established process that requires identification prior to accessing assets, which minimized the chances of an unauthorized user gaining access to the asset. Regarding R7, URE does have a policy for the disposal or redeployment of assets, and this instance involved only two modems, not all devices in the program. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-2a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE did not install anti-virus or malware tools on three Cyber Assets (consisting of one network scanner and two application whitelisting devices) when they were commissioned. URE later filed a Technical Feasibility Exception (TFE) for the two whitelisting devices.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability. The Cyber Assets at issue are located within a physically secure area with restricted access. In addition, URE's networks were separate from URE's corporate environment and the internet. URE had installed anti-virus and anti-malware software on all other capable Cyber Assets, and all traffic to and from the ESP first passes through firewalls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE's compliance history was viewed as an aggravating factor in assessing the monetary penalty. As mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations, and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-2a

Requirement: R9

Violation Risk Factor: Lower

Violation Severity Level: High

Region: Texas RE

Issue: URE self-certified and self-reported that, after completing a change, it did not update the affected section of its change management procedure within the required 30 calendar days; the update took over a year.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as URE implemented and documented the implementation of its change management system. The section that URE failed to update addressed the disposal and redeployment of Cyber Assets, which was not affected by the change at issue throughout the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-007-2a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported two violations and ReliabilityFirst, through a compliance audit, discovered a third, all concerning URE's failure to ensure that only required ports and services were enabled on its Cyber Assets. For 75 Cyber Assets, URE did not follow its own processes and procedures when reviewing ports and services; it failed to demonstrate that only the ports and services required for normal or emergency operations were enabled on numerous systems; and it failed to review the weekly enterprise security manager scans it was already collecting.
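The R2 findings here and in the NP12-18 case above share a root cause: a documented ports-and-services baseline existed, scan data was being collected, and nobody compared the two. The Python below is an added example, not code from the case notes or from any registered entity, of that comparison: it parses the listening sockets reported by Linux `ss -tulpn`, checks each against a per-asset approved baseline, and flags both unapproved listeners (to be disabled or justified) and approved entries that are no longer listening (a stale baseline, which change management should have updated). The `ss` output, hostnames, process names and baseline are constructed; the regular expression is written against the `ss` column layout and is an assumption of this example, not a format the tool formally guarantees.

```python
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str     # "tcp" or "udp"
    port: int
    process: str   # owning process name, or "?" when ss did not report one


# Constructed regex for `ss -tulpn` lines:
#   Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
# Matching the column layout is an assumption of this example.
_SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> set:
    """Extract (proto, port, process) listeners from `ss -tulpn` text output."""
    listeners = set()
    for line in output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a socket row
        # Port is after the last ':' so 0.0.0.0:22, [::]:22 and *:161 all parse.
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.add(Listener(m.group("proto"), port, m.group("proc") or "?"))
    return listeners


def compare_to_baseline(observed, baseline):
    """Compare observed listeners with the approved (proto, port) baseline.

    Returns unapproved listeners that must be disabled or formally justified,
    and baseline entries no longer observed (the baseline itself is stale).
    """
    approved = set(baseline)
    unapproved = sorted(l for l in observed if (l.proto, l.port) not in approved)
    observed_keys = {(l.proto, l.port) for l in observed}
    stale = sorted(approved - observed_keys)
    return {"unapproved": unapproved, "stale_baseline": stale}


# Constructed sample scan of one hypothetical ESP host; not real entity data.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128          0.0.0.0:502        0.0.0.0:*     users:(("modbusd",pid=1044,fd=5))
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=655,fd=4))
tcp   LISTEN 0      5               [::]:5900          [::]:*     users:(("Xvnc",pid=2201,fd=9))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=690,fd=7))
"""

# Constructed baseline: what the asset's documentation says is required for
# normal or emergency operation. 443 is included to show a stale entry.
APPROVED_BASELINE = {("tcp", 22), ("tcp", 502), ("udp", 161), ("tcp", 443)}


def review_host(ss_output=SAMPLE_SS_OUTPUT, baseline=APPROVED_BASELINE):
    """One review cycle for a host: parse the scan, then diff against baseline."""
    return compare_to_baseline(parse_ss(ss_output), baseline)


if __name__ == "__main__":
    result = review_host()
    for l in result["unapproved"]:
        print(f"UNAPPROVED  {l.proto}/{l.port}  ({l.process}): disable or document justification")
    for proto, port in result["stale_baseline"]:
        print(f"STALE       {proto}/{port}: in baseline but not listening; update via change control")
```

Running this against each weekly scan turns the unreviewed scan pile from the finding into a short exception list per asset, and the "stale" bucket is the evidence an auditor asks for that the baseline is maintained rather than written once.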

Finding: ReliabilityFirst determined that the violation constituted a moderate but not a serious or substantial risk to the BPS reliability. URE's insufficient process for ensuring only required ports and services were enabled increased the risk that someone could gain unauthorized access to Cyber Assets within its ESP. This risk was increased due to the lengthy duration of the violation. However, the risk was mitigated by URE's defense in-depth strategies including network configurations with protocol settings that had to be met to enter the network. Any malicious traffic trying to gain access to URE's ESPs would have been detected through URE's intrusion detection and prevention system regardless of which ports and services were enabled. In addition, URE maintained current patches on its devices and they were further protected by antivirus and malware software. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. 
URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-007-2a

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported that it did not annually change 21 passwords (3%) for 706 non-user accounts for CCAs, ACM devices, and non-CCA Cyber Assets. During a compliance audit ReliabilityFirst determined that URE did not have historical audit trails for individual user account access activity. ReliabilityFirst also determined that URE had developed a mitigation process to ensure passwords were changed within 180 days (remedying a TFE); however, it included a device that technically could not perform that process. During mitigation, URE also self-reported that its quarterly entitlement reviews did not include a review of accounts associated with its information application (a CCA) or specific active directory groups used for accessing PI.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to the BPS reliability as the password violation was merely a documentation error. Less than 10% of URE's devices lacked an audit trail for user account activity and URE recorded and reviewed log activity on those devices. In addition, URE produced, retained and logged events related to system security. Furthermore, URE was able to identify any possible suspicious network events or cybersecurity incidents through its network operations center that monitors and responds to enterprise-wide security tools and controls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-007-2a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-certified and ReliabilityFirst determined that URE's cybersecurity system events were not monitored using automated procedures or organizational process controls for some Cyber Assets in its ESP. URE also failed to file TFEs for logging on certain vendor managed devices or to review access logs for three vendor managed turret servers (CCAs) in three facilities.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to BPS reliability. Although undocumented, URE reviewed turret server access logs monthly at one facility and reviewed alarming on access logs for the turret servers daily at the other two facilities. In addition, had the telephone service on the turret servers become inoperable, URE had alternate means of communicating. URE also had defense-in-depth strategies, including the ability to monitor, identify and respond to disruptive network events through its network operations center; a rigorous change management program; current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore, URE located its Cyber Assets in a facility that controlled and protected access physically and electronically, using guards, account management and access control. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability and only one posed a serious or substantial risk. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider the prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above-and-beyond compliance measures, including the implementation of an improvement program focused on its compliance with the CIP standards and its cybersecurity efforts.
However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.
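The case above turns on whether access-log events for the turret servers were reviewed by an automated procedure rather than, as here, by an undocumented manual routine. The following is an added example, not code from the case notes or from the registered entity, of the kind of automated review CIP-007 R6 contemplates: it parses constructed syslog-style lines for a hypothetical turret server, alerts on logins by accounts outside an assumed authorised list and on bursts of failed logins, and flags long silent periods of the sort that a collection or retention failure produces. The host name, account names, thresholds and log format are all assumptions made for illustration.

```python
"""Added example, not code from the case notes or from the registered entity:
an automated review of access-log events of the kind CIP-007 R6 expects for a
Critical Cyber Asset, run over constructed syslog-style lines for a hypothetical
turret server. Host names, account names, thresholds and the log format are
assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
2014-03-01T02:10:05 turret-a sshd: Accepted password for vendor_svc from 10.1.1.5
2014-03-01T02:11:41 turret-a sshd: Failed password for admin from 203.0.113.9
2014-03-01T02:11:44 turret-a sshd: Failed password for admin from 203.0.113.9
2014-03-01T02:11:47 turret-a sshd: Failed password for admin from 203.0.113.9
2014-03-01T02:11:50 turret-a sshd: Failed password for admin from 203.0.113.9
2014-03-01T02:11:53 turret-a sshd: Failed password for admin from 203.0.113.9
2014-03-01T09:30:00 turret-a sshd: Accepted password for guest from 10.1.1.7
2014-03-01T10:00:00 turret-a sshd: Accepted password for vendor_svc from 10.1.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed policy: the only accounts allowed to log in interactively, and a
# failed-login burst threshold comparable to an account-lockout setting.
AUTHORISED_USERS = {"vendor_svc", "ops_admin"}
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse lines into dicts; lines that do not match are skipped, so a
    caller that cares about completeness should count them separately."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def review_events(events):
    """Return alert tuples for unauthorised successful logins and for
    failed-login bursts from one source against one account."""
    alerts = []
    for e in events:
        if e["result"] == "Accepted" and e["user"] not in AUTHORISED_USERS:
            alerts.append(("unauthorised_login", e["host"], e["user"], e["src"]))
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["host"], e["user"], e["src"])].append(e["ts"])
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                alerts.append(("failure_burst",) + key)
                break
    return alerts


def log_gaps(events, max_silence=timedelta(hours=6)):
    """Return (start, end) pairs where no event arrived for longer than
    max_silence. Silence is not proof that logs were lost, but it is how a
    collection or retention failure first shows up to the reviewer."""
    ts = sorted(e["ts"] for e in events)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in review_events(evs):
        print("ALERT", *alert)
    for start, end in log_gaps(evs):
        print("GAP", start, "->", end)
```

On the constructed input this raises two alerts (the `guest` login and the five-in-twelve-seconds failure burst against `admin`) and one silence gap of over seven hours. The gap check is the piece most relevant to the retention failure in the first case on this page: a reviewer who only looks at alerts never notices that the log source stopped delivering.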

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-007-2a

Requirement: R8

Violation Risk Factor: Moderate

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported that its Cyber Vulnerability Assessment (CVA) of 93 Cyber Assets did not meet several requirements. Specifically, URE's CVA process was not appropriate for all devices in scope; it did not review the list of required ports and services annually; it could not demonstrate that it had reviewed controls for default accounts; and it did not document the CVA results. In addition, URE did not include action plans, remediation plans, or the status of executing those plans in all of its CVAs. ReliabilityFirst also discovered an additional violation of the standard during a compliance audit.

Finding: ReliabilityFirst determined that the violation constituted a serious or substantial risk to BPS reliability, as the deficiencies in URE's CVAs and CVA process increased the risk of URE's Cyber Assets being corrupted or disabled. The number of devices and the duration of the violation further increased the risk. However, URE had defense-in-depth strategies, including the ability to monitor, identify and respond to disruptive network events through its network operations center; a rigorous change management program; implementation of current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore, URE located its Cyber Assets in a facility that controlled and protected access physically and electronically, using guards, account management and access controls. In addition, access logs for the devices were monitored regularly to identify suspicious activity, and there was no indication of a cyber security occurrence throughout the duration of the violation. URE also performs weekly security scans that confirm systems are operating as prescribed and can identify anomalies that might be attributed to incorrectly opened ports. While controls for default accounts were not specifically reviewed, URE runs system-wide security scans that can identify default account configurations and other settings. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability and only one posed a serious or substantial risk. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above-and-beyond compliance measures, including implementation of an improvement program focused on its compliance with the CIP standards and its cyber security efforts. However, the Regions weighed the duration of several of URE's violations negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.
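Two of the CVA elements faulted above (the annual review of required ports and services, and the review of default-account controls) and the missing action-plan record are things a practitioner can produce mechanically from a documented baseline and scan output. The following is an added example, not code from the case notes or from the registered entity: it diffs observed listeners against an assumed baseline in both directions, flags enabled default accounts whose password was never changed, and emits an action plan with a status per finding. The device names, baselines, scan results and default-account list are constructed assumptions for illustration.

```python
"""Added example, not code from the case notes or from the registered entity:
the ports-and-services and default-account checks a CIP-007 R8 Cyber
Vulnerability Assessment is expected to document, plus the action-plan record
the standard requires, run over a constructed inventory of hypothetical
devices. Device names, baselines, scan results and the default-account list
are assumptions made for illustration."""

# Documented baseline of required ports/services per device (assumed).
BASELINE = {
    "hmi-01": {(22, "tcp"): "sshd", (443, "tcp"): "https"},
    "hist-01": {(1433, "tcp"): "mssql", (22, "tcp"): "sshd"},
}

# Constructed scan output: what a network scan observed listening.
OBSERVED = {
    "hmi-01": {(22, "tcp"): "sshd", (443, "tcp"): "https", (23, "tcp"): "telnet"},
    "hist-01": {(1433, "tcp"): "mssql"},
}

# Constructed account inventory gathered during the same assessment.
ACCOUNTS = {
    "hmi-01": [
        {"name": "admin", "enabled": True, "password_changed": False},
        {"name": "ops1", "enabled": True, "password_changed": True},
    ],
    "hist-01": [
        {"name": "sa", "enabled": False, "password_changed": False},
        {"name": "guest", "enabled": True, "password_changed": False},
    ],
}

# Vendor/default account names that must be disabled or re-credentialed (assumed).
DEFAULT_ACCOUNTS = {"admin", "sa", "guest", "root"}


def compare_ports(baseline, observed):
    """Diff observed listeners against the documented baseline in both
    directions: an unexpected listener is attack surface that was never
    justified; a missing required service means the baseline no longer
    matches reality and needs explaining."""
    findings = []
    for device in sorted(set(baseline) | set(observed)):
        base = baseline.get(device, {})
        seen = observed.get(device, {})
        for port in sorted(seen.keys() - base.keys()):
            findings.append({"device": device, "type": "unexpected_port",
                             "port": port, "service": seen[port]})
        for port in sorted(base.keys() - seen.keys()):
            findings.append({"device": device, "type": "missing_required_port",
                             "port": port, "service": base[port]})
    return findings


def check_default_accounts(accounts, defaults):
    """Flag enabled default accounts whose password was never changed.
    A disabled default account is acceptable here; an enabled one with a
    changed password is reviewed under the access-management process."""
    findings = []
    for device, accts in accounts.items():
        for a in accts:
            if a["name"] in defaults and a["enabled"] and not a["password_changed"]:
                findings.append({"device": device, "type": "default_account_active",
                                 "account": a["name"]})
    return findings


ACTIONS = {
    "unexpected_port": "disable the service or document the business need",
    "missing_required_port": "verify the device and correct the baseline",
    "default_account_active": "disable the account or change its password",
}


def assessment_report(baseline=BASELINE, observed=OBSERVED,
                      accounts=ACCOUNTS, defaults=DEFAULT_ACCOUNTS):
    """Produce the CVA record: findings plus an action plan carrying a
    status per item, which is the part the case above faulted as missing."""
    findings = compare_ports(baseline, observed) + check_default_accounts(accounts, defaults)
    plan = [{"finding": f, "action": ACTIONS[f["type"]], "status": "open"} for f in findings]
    return {"findings": findings, "action_plan": plan}


if __name__ == "__main__":
    for item in assessment_report()["action_plan"]:
        f = item["finding"]
        print(f["device"], f["type"], f.get("port") or f.get("account"),
              "->", item["action"], "[", item["status"], "]")
```

On the constructed inventory this yields four findings: an unexpected telnet listener on `hmi-01`, a required sshd listener absent from `hist-01`, and active default accounts `admin` on `hmi-01` and `guest` on `hist-01` (the disabled `sa` account is not flagged). Re-running the report on each assessment and carrying the `status` field forward is what turns a one-off scan into the documented, tracked action plan the requirement asks for.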

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)
