NERC Case Notes: Reliability Standard CIP-007-3 | White & Case LLP International Law Firm, Global Law Practice

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries.

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-007-3

Requirement: R3, R4

Violation Risk Factor: Lower (R3, R4)

Violation Severity Level: Lower (R3), Severe (R4)

Region: NPCC

Issue: NPCC_URE3 self-reported that although the control systems for two of its generating units were added to the Critical Cyber Asset (CCA) list on January 1, 2010, the required assessment, documentation and installation of patches for those control systems were not conducted as required. NPCC_URE3 did not request a technical feasibility exception for the control systems.

Finding: NPCC found that this violation constituted only a minimal risk to bulk power system reliability since both control systems used a non-routable protocol and were not connected to a network (and therefore, there was no actual impact on the bulk power system).

Penalty: $0 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-007-3

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it had not annually changed the password for one of the accounts on a CCA within the ESP as required.

Finding: RFC found that the violation constituted only a minimal risk to BPS reliability since the relevant account was on a server that only contained archived data. URE had also changed the password on the relevant account in previous years. Certain parts of URE’s compliance program were evaluated as a partial mitigating factor.

Penalty: $35,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2011)

Reliability Standard: CIP-007-3

Requirement: R6; R6.4; R6.5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: Following a Self-Report, RFC determined that URE violated R6 because URE reported that it was missing the log records for a 41-day period for one CA within its ESP and installed on host servers that are CCAs and part of the EMS. The CA allows multiple operating systems to function concurrently on the host servers. RFC also found that URE violated R6.4 by failing to retain the log records at issue for ninety calendar days, and also could not review all the logs of system events related to cyber security in violation of R6.5 because it could not locate the logs for one CA within its ESP. The violations were caused by the erroneous elimination of certain records.

Finding: RFC found that this violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because of the nature of the violation, offset by the mitigating factors. Specifically, RFC determined that the following factors mitigated the risk: the CA at issue is physically located within PSPs, and the purpose of the CA is to manage operating systems within a host server, which means it provides no ability to control BPS facilities.

In assessing the penalty, RFC favorably considered aspects of URE’s compliance program and remedial measures URE took to improve its CCA access authorization and monitoring systems.

Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of CIP-007-3 R8 in failing to annually assess its system, including 12 CAs. URE determined that, until the most recent year, it had previously performed annual assessments.

Finding: This violation posed only a minimal risk to the reliability of the BPS for two reasons. First, because the devices at issue were located in a PSP and an ESP, the devices were protected as required in CIP-005 and CIP-006. Second, all individuals with access to the devices had completed training and Personnel Risk Assessments.

Penalty: $45,000 (aggregate for 7 penalties)

FERC Order: Issued February 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-3

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that it had no security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for CAs within its ESPs. In addition, URE reported that it had not installed all patches on its system.

Finding: WECC found the violation constituted a moderate risk to BPS reliability which was mitigated by four things. First, all seven of the URE’s CAs within its ESP responsible for controlling remote turbines did have the security patches. Second, anti-virus protection was installed on the relevant devices. Third, system logs were in use and reviewed every day. Fourth, the relevant devices are housed in an ESP and PSP and have CIP protections. WECC considered URE’s and its affiliates’ violation history when determining the appropriate penalty.

Penalty: $12,300 (aggregate for 2 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-3

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that it did not have in place a process for updating anti-virus and malware prevention signatures on all of its CAs.

Finding: WECC found the violation constituted a minimal risk to BPS reliability which was mitigated by four things. First, anti-virus protection was installed on the relevant devices. Second, the CAs were reviewed every day. Third, the relevant devices are housed in an ESP and PSP. Fourth, the devices have CIP protections. WECC considered URE’s and its affiliates’ violation history when determining the appropriate penalty.

Penalty: $12,300 (aggregate for 2 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-007-3

Requirement: R4/4.1/4.2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that it had no security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for CAs within its ESPs. Regarding R4, URE had not implemented a procedure for updating anti-virus and malware “signatures” on its 17 CAs.

Finding: WECC found the violation constituted a moderate risk to BPS reliability because the failure to update anti-virus and malware prevention signatures could leave CAs vulnerable to malicious software, leaving open the possibility of a negative impact to the BPS. BPS risk was lessened by the fact that the CAs in question have anti-virus and malware prevention tools installed and are reviewed daily. The relevant CAs were located in an ESP and a PSP which have CIP protections. WECC considered URE’s and its affiliates’ violation history when determining the appropriate penalty.

Penalty: $12,300 (aggregate for 2 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R4.1, R6

Violation Risk Factor: Medium (R4.1), Lower (R6)

Violation Severity Level: Severe (R4.1, R6)

Region: RFC

Issue: URE self-reported that it had not documented certain anti-virus and malware prevention tools as required for nine of its CCAs and CAs in one of the ESPs at one of its facilities (representing 2.63% of its CAs within an ESP). URE had also not installed anti-virus software on three CAs within an ESP in the Systems Operations Center (SOC). URE’s implementation process did not include a test to check that all of the CAs in the ESP are included in the report on the status of anti-virus and malware protection. In addition, URE did not submit a Technical Feasibility Exception for one of its CCAs within the ESP that was not capable of running the anti-virus and anti-malware software. (R4.1) URE also self-reported that it had not implemented automated tools or organizational process controls in order to monitor system events related to cyber security for ten of its CAs within the ESP. For those ten CAs, URE did not properly record failed logon attempts as it did not aggregate the failed attempts and communicate them to the domain controller. (R6)

Finding: RFC found that the CIP-007-3 violations constituted a moderate risk to BPS reliability. In regards to R4.1, besides the exceptions noted above, URE has installed all of the mandated anti-virus software. For R6, RFC determined that the risks were mitigated since URE had installed local logging on the local device in order to track and retain logs of authenticated and unauthenticated events. In addition, all of the relevant assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. The assets were also located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R1.1, R2

Violation Risk Factor: Medium (R1.1, R2)

Violation Severity Level: Severe (R1.1, R2)

Region: RFC

Issue: URE self-reported that it did not properly verify that significant changes to existing CAs within the ESP would not adversely affect the existing cyber security controls. URE’s testing only focused on whether the CAs would continue to function after the application of a significant change, not on whether the change would affect existing cyber security controls in the ESP. URE was also not utilizing a test environment during its testing and therefore it was not performing its cyber security testing in a manner that minimizes adverse effects on the production system or its operation, as required. (R1.1) URE also self-reported that it had not established, documented and implemented procedures to verify, for 121 of its CAs, that only the ports and services required for normal and emergency operations are enabled. (R2)

Finding: RFC found that the CIP-007-3 R1.1 and R2 violations constituted a moderate risk to BPS reliability and the R2 violation appears to be caused by URE’s lack of a comprehensive CIP compliance program. But, all of the assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. As a result, for R2, RFC found that there is a decreased probability that an individual could accidentally (or purposely) access open ports and services that would have an adverse effect on URE’s system. In addition, the assets were also located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points (which would block well-known malicious traffic). In terms of R2, RFC found no evidence of malware on the devices and noted that there would be a reduced chance that an individual could tamper with URE’s system through its ports and services. In regards to R1.1, as a result of the protection around the assets, it was less likely that URE’s test procedures would have had an adverse effect on the production environment. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R6.1/6.5

Violation Risk Factor: Lower (R6.1/6.5)

Violation Severity Level: Severe (R6.1/6.5)

Region: RFC

Issue: URE self-reported that it did not properly review the logs of system events related to cyber security since it did not configure its automated log monitoring to monitor all of the required devices and it did not monitor certain of its CCAs and CAs within the ESP for some of its Registered Functions as required.

Finding: RFC found that the CIP-007-3 R6.1/6.5 violation constituted a moderate risk to BPS reliability and that the violation appears to be caused by URE’s lack of a comprehensive CIP compliance program. The assets were located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points (which would block well-known malicious traffic). Therefore, RFC found that there was a decreased chance that a cyber security system event would occur. Plus, all of the assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. As a result, RFC found that there was a decreased probability that a cyber security system event would go unnoticed. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R2.1, R3.1/3.2

Violation Risk Factor: Medium (R2.1), Lower (R3.1/3.2)

Violation Severity Level: Severe (R2.1, R3.1/3.2)

Region: RFC

Issue: During a compliance audit, RFC found that even though URE had procedures concerning only having ports and services enabled that are required for normal and emergency operations, URE was not properly following its policy. (R2.1) RFC also found that URE was not installing security patches until a vulnerability assessment alerted URE to a vulnerability. But since URE did not properly configure its vulnerability assessment device to evaluate URE’s system, the device did not detect any vulnerabilities and therefore URE did not install any security patches (or document compensating measures to mitigate risk exposure when it did not install the patches). (R3.1/3.2)

Finding: RFC found that the CIP-007-3 R2.1 and R3.1/3.2 violations constituted a moderate risk to BPS reliability and that the R2.1 violation appears to be caused by URE’s lack of a comprehensive CIP compliance program. URE had installed local logging to track and retain logs of both authenticated and unauthenticated events. All of the relevant assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. Plus, the assets were located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points (which blocked known malicious traffic at the network perimeter). Therefore, there was a decreased chance that an individual would be able to access open ports and services that would have an adverse effect on URE’s system or tamper with URE’s system through its ports and services or that the system would be susceptible to malware. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R5.1.2/5.1.3/5.3.2

Violation Risk Factor: Lower (R5.1.2, R5.3.2), Medium (R5.1.3)

Violation Severity Level: Moderate (R5.1.2), Severe (R5.1.3, R5.3.2)

Region: RFC

Issue: During a compliance audit, RFC found that URE had not maintained, for two months, the required historical audit trails of individual user account access activity for a device within the ESP and that it did not review the user accounts for that device. URE was also only following Microsoft Windows’ standard for password complexity, which does not satisfy the requirements of the Reliability Standard.

Finding: RFC found that the CIP-007-3 R5.1.2/5.1.3/5.3.2 violations constituted a moderate risk to BPS reliability. URE had kept audit trails on the devices that contained enough detail to create a historical audit trail of individual user account access activity for the rest of the time (outside the above-mentioned two-month period). URE had also conducted the required review for all other devices. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE did not verify, when it conducted its cyber vulnerability assessment, that it had only enabled those ports and services required for operation of the CAs within the ESP.

Finding: RFC found that the CIP-007-3 8.2 violation constituted a moderate risk to BPS reliability and that this violation appears to have been caused by URE’s lack of a comprehensive CIP compliance program. All of the relevant assets were located on isolated networks where there was no direct access to the corporate network or the internet and all traffic to the networks had to pass through secured access points (which blocked known malicious traffic at the network perimeter). In addition, the assets were located within a secured PSP and only a limited number of individuals, all of whom had received cyber security training and had a valid PRA on file, had access to the PSP. Therefore, there was a decreased chance that an individual would be able to access open ports and services that would have an adverse effect on URE’s system or tamper with URE’s system through its ports and services. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-007-3

Requirement: R9

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-certified that it had not reviewed documentation on an annual basis with respect to 12 required topics under CIP-007-3. Specifically, no review was performed for: change implementation; anti-virus and malware prevention; required tests for modifications to CAs; security patches; risk assessment; user account access activities; shared accounts; passwords; asset disposal or redeployment requests; data destruction; security tests; and ports and services.

Finding: WECC found the violation constituted a minimal risk to BPS reliability because no changes had been made to the relevant CIP procedures, and all CCAs are housed in ESPs and PSPs with CIP protections in place. In determining the appropriate penalty, RFC considered certain aspects of URE’s internal compliance program as a mitigating factor.

Penalty: $17,300 (aggregate for 2 violations)

FERC Order: Issued May 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-007-3

Requirement: R5.1.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that, as a result of a configuration change to the service account from an administrator account with fewer privileges, URE’s log collector was not able to pull logs from 23 of its CAs within two ESPs at its control centers. Thus, URE was not able to generate logs with the detail needed to create historical audit trails of individual user account access activity for 90 days.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability as URE was not able to generate the necessary logs, and the relevant assets are located in URE’s control centers. But, URE does have intrusion detection and prevention controls for assets within the ESP, such as physical and electronic surveillance, which mitigated the risk to the BPS. URE’s compliance program was evaluated as a mitigating factor. URE’s compliance history was also considered.

Penalty: $39,000 (aggregate for 3 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 6.4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, as a result of a configuration change to the service account from an administrator account with fewer privileges, URE’s log collector was not able to pull logs from 23 of its CAs within two ESPs at its control centers. Thus, URE was not able to maintain logs of security events for a minimum of 90 days.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability as URE was not able to properly maintain logs of security events, and the relevant assets are located in URE’s control centers. But, URE does have intrusion detection and prevention controls for assets within the ESP, such as physical and electronic surveillance, which mitigated the risk to the BPS. URE’s compliance program was evaluated as a mitigating factor. URE’s compliance history was also considered.

Penalty: $39,000 (aggregate for 3 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP

Issue: URE self-reported that, as a result of its installation technician being unaware of the CCA status, software updates for some of its CCAs (consoles used to connect operators to URE’s EMS) were not tested prior to installation. In another instance, a system engineer did not check the CCA master list and therefore did not test a software update to the EMS servers prior to installation as required.

Finding: SPP found that the violation constituted only a minimal risk to BPS reliability. In regards to the consoles, URE’s client configuration manager management server alerted URE’s information security personnel, who promptly uninstalled the offending software. The software patches were identified and removed within five days, and the updates did not reduce URE’s capability to monitor or control the transmission system and did not compromise the security of URE’s Cyber Assets. For the EMS servers, a cyber security control test was performed within 24 hours of the upgrade, and it found no issues that had to be fixed. The upgrade was also from a trusted vendor, and the prior version of the software had functioned properly. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 5.1.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: URE self-reported that, as a result of its system engineers not following division process and department procedure, it did not ensure that all user accounts were implemented as approved by designated personnel as a generic domain account was inadvertently created in a CIP production domain.

Finding: SPP found that this violation only constituted a minimal risk to BPS reliability as the account was not accessed during the course of the violation, and the account did not contain any BPS-sensitive information. In addition, the domain on which the account was located did not have the software that would be required to make the account meaningful. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 9

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP

Issue: URE self-reported that even though it completed an annual review of its access management document, and there were no substantive changes to the overall functional process, the document did not receive the required final approval. In addition, URE did not conduct an annual review of its malicious software prevention process document as required.

Finding: SPP found that the CIP-007-3 R9 violation only constituted a minimal risk to BPS reliability since the prior year’s versions of the access management document and the malicious software prevention process document were still in active use and there was no decrease in URE’s capability to effectively manage and protect its Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE1 self-reported a violation of R1 after discovering that a repair to a printer that was designated as a Cyber Asset and was located within the ESP had not been recognized as a significant change that required testing of the printer’s security controls. The repair at issue did in fact cause the printer’s security configurations to reset to factory default settings.

Finding: RFC determined that the R1 violation posed a moderate risk to the reliability of the BPS which was mitigated by the fact that: (1) the printer was within both a PSP and ESP during the violation period; (2) the network firewalls surrounding the ESP were operational during the violation period; and (3) no breaches of the ESP were found during the period. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation, and the entity’s commitment to compliance and reliability to be mitigating factors in making its penalty determination. The violation began when the printer repair was conducted, and ended when the entity removed the printer from the ESP. URE1 neither admitted nor denied the violation.

Total Penalty: $10,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 2/2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE1 self-reported a violation of R2 after discovering that a repair to a printer that was designated as a Cyber Asset and was located within the ESP caused the printer’s security configurations to reset to factory default settings, which enabled previously disabled logical ports. The enabled ports at issue were not used during the violation period.

Finding: RFC determined that the R2/2.1 violation posed a moderate risk to the reliability of the BPS which was mitigated by the fact that: (1) the printer was within both a PSP and ESP during the violation period; (2) the network firewalls surrounding the ESP were operational during the violation period; and (3) no breaches of the ESP were found during the period. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation, and the entity’s commitment to compliance and reliability to be mitigating factors in making its penalty determination. The violation began when the printer repair was conducted, and ended when the entity removed the printer from the ESP. URE1 neither admitted nor denied the violation.

Total Penalty: $10,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 3; 3.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: URE1 self-reported a violation of R3 after discovering that 30 calendar days after security patches or upgrades had become available, the entity had not documented its assessment of such patches and upgrades for applicability. This violation pertained to two secure access devices used for access control and monitoring of the entity’s Electronic Security Perimeters (ESPs).

Finding: MRO determined that the R3 violation posed a minimal risk to the reliability of the BPS because the risk was limited by other electronic security measures in place during the violation period. Such measures included a firewall which is configured to prevent unauthorized access and to only permit access from specific authorized hosts. In addition, there was only one of eleven patches missed by the entity’s assessment of patch upgrades. Finally, there was no cyber incident during the violation period. MRO considered URE1’s violation history to be an aggravating factor, and URE1’s ICP to be a mitigating factor in making its penalty determination. The violation began when the entity was required to document the assessment of the security patch and ended during the security patch meeting when the assessment was documented. URE1 admitted to the violation.

Total Penalty: $20,000 (aggregate for 3 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 4/4.2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: URE1 self-reported a violation of R4 after discovering that, over a six-day period, the entity had installed signature files (virus detection files with up-to-date virus signatures) into the production environment without testing or evaluating those signature files. This violated the entity’s internal malware management procedure. Furthermore, the entity discovered that after correcting the error, it failed to re-enable the signature file update process. As a result, the entity did not deploy updated signature files into the production environment for two days.

Finding: RFC determined that the R4 violation posed a moderate risk to the reliability of the BPS because the entity had a documented procedure in place during the violation, and firewalls protect the CCAs within the ESP, reducing the chance of virus and malware infection. RFC considered some aspects of URE1’s ICP, as well as the fact that the entity self-reported the violation and the entity’s commitment to compliance and reliability to be mitigating factors in making its penalty determination. The violation began when the entity installed the specific signature files into the production environment without prior testing and evaluation, and ended when the entity re-enabled the signature file process to deploy signature file updates into the production environment after testing and evaluation. URE1 neither admitted nor denied the violation.

Total Penalty: $10,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 6; 6.4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: URE1 self-certified a violation of R6 after discovering that it had failed to keep 90 calendar days of cyber security logs pertaining to monitoring system events. This violation occurred when the event logs of five workstations (which are Critical Cyber Assets) became corrupted due to an issue with the operating system installed on the workstations.

Finding: MRO determined that the R6 violation posed a minimal risk to the reliability of the BPS because the five workstations at issue are located within the entity’s Electronic Security Perimeter, which is secured per CIP requirements. Furthermore, the entity employed an intrusion detection system, and all five workstations at issue had current security patches. Additionally, the entity had strong internal controls for performing manual checks of its automated process during the violation period. MRO considered URE1’s ICP to be a mitigating factor in making its penalty determination. The violation began on the first day that the entity did not have historical logs for the workstations at issue and ended when the mitigation plan was completed. URE1 admitted to the violation.

Total Penalty: $20,000 (aggregate for 3 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 2 (3 violations)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, which are three entities that operate from the same control room and share the same energy management system, self-reported that while they had a documented process regarding the ports and services to be enabled for normal and emergency operations, the UREs enabled, contrary to the policy, more ports and services than those required for normal and emergency operations. The UREs also did not disable, as required, other ports and services before the production use of all Cyber Assets inside the ESP and did not document compensating measures to mitigate risk exposure in situations where the UREs were unable to disable unused ports and services.

Finding: RFC found that the violations constituted a moderate risk to BPS reliability since the additional enabled ports and services increased the risk that unauthorized network traffic would infiltrate the ESP. However, the additional ports and services that were enabled were only open for communications with other trusted corporate networks (that were further protected with additional measures such as firewalls). The protective measures represented a defense-in-depth strategy that guarded the transmission management system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs’ first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs’ compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 3 (3 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, which are three entities that operate from the same control room and share the same energy management system, self-reported that while they had developed a security patch management program, they did not properly document patch assessments for their transmission management system or the compensating measures to mitigate risk exposure in situations where a patch was unable to be installed. A vendor was conducting the security patch assessments within the required thirty days and provided the relevant information to the UREs for their review. But, the UREs did not have a tracking mechanism to monitor the thirty-day periods to analyze the required network infrastructure software updates, the firmware updates, and the other required software updates.

Finding: RFC found that the violations constituted a moderate risk to BPS reliability. While the improper documentation of patch assessments and implementation increased the risk to the BPS, the UREs had actually installed all of the required security patches and security upgrades. The UREs’ vendor was conducting the required assessment, which was then reviewed by the UREs. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs’ first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs’ compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 8 (3 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, which are three entities that operate from the same control room and share the same energy management system, self-reported that while they did perform an annual cyber vulnerability assessment, they did not evaluate their Cyber Assets within the ESPs as part of that assessment. The UREs also did not review, as part of their cyber vulnerability assessment, whether they only included those ports and services required for operation of the Cyber Assets within the ESP.

Finding: RFC found that the violations constituted a moderate risk to BPS reliability. Review of the enabled ports and services found that additional ports and services were enabled that are not required for operations, which increased the risk that unauthorized network traffic would infiltrate the ESP. However, the additional ports and services that were enabled were only open for communications with other trusted corporate networks (that were further protected with additional measures such as firewalls). The protective measures represented a defense-in-depth strategy that guarded the transmission management system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs’ first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs’ compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-007-3

Requirement: 4.1/4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP

Issue: URE self-certified that its anti-virus on-access scanner had stopped functioning on some of its workstations in the Energy Management System (EMS) environment and that the anti-virus software on one of its workstations in the EMS/Supervisory Control and Data Acquisition (SCADA) did not work for approximately two weeks.

Finding: SPP found that the CIP-007-3 R4.1/4.2 violations constituted a moderate risk to BPS reliability. The lack of anti-virus software for two weeks could have exposed the workstation to harmful malware and acted as a gateway to other devices on the EMS network. But, even though URE was not performing all of the required on-access scans, it was conducting weekly full-disk scans that would have detected any malware threats. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000 (January 31, 2013)

Reliability Standard: CIP-007-3

Requirement: R6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported a violation of R6 after discovering that it had failed to properly configure its security monitoring controls on a Microsoft Windows server that was designated as a Critical Cyber Asset (CCA) and was used to collect standard Windows event logs. Specifically, the CCA was not configured to provide either automated or manual alerts for detected Cyber Security Incidents. In addition, until the company discovered the violation reported herein, it did not review logs of system events pertaining to the CCA at issue or maintain records regarding the review of such logs.

Finding: RFC determined that the R6 violation posed a minimal risk to the reliability of the BPS because the CCA at issue neither provides control capability for the BPS, nor contains compromising data. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R6. RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported six of the violations covered by the settlement agreement. The violation began when the standard became mandatory and enforceable to the company and ended when the company configured the affected CCA to issue automated alerts for detected Cyber Security Incidents pursuant to R6. URE neither admits nor denies the R6 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000 (January 31, 2013)

Reliability Standard: CIP-007-2a; CIP-007-3

Requirement: R5.1; R5.1.3; R5.2; R5.3.2

Violation Risk Factor: Lower / Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R5 when it failed to manage accounts in such a manner as to minimize the risk of unauthorized system access. Specifically, URE had not granted access permissions on a "need to know" basis with respect to work functions performed, and was unable to show that it conducted annual reviews of its user accounts and access privileges. RFC further found that the company had granted access privileges to several individuals who were not recorded as having been given such access privileges, and who therefore were not included in the annual review of all user accounts and access privileges. These same stray access privileges meant that the company was unable to demonstrate that it had implemented its policy to minimize and manage the scope and acceptable use of administrator, shared, and other generic account privileges including factory default accounts. Finally, URE lacked the procedural controls to mandate use of passwords that contained alpha, numeric, and "special" characters.

Finding: RFC determined that the R5 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because URE's access permissions were granted to employees with "need to know" status. Additionally, although the company lacked the procedural controls to mandate the proper access passwords, the company required and used proper access passwords during the violation period nonetheless. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R5. RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company was required to comply with CIP-007-3 R5, and ended when the company completed its mitigation plan. URE neither admits nor denies the R5 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000 (January 31, 2013)

Reliability Standard: CIP-007-2a; CIP-007-3

Requirement: R8.2; R8.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R8 because although the company performed a cyber vulnerability assessment that included a list of all active ports and services, it was unable to show that it enabled only ports and services required for the operation of the Cyber Assets in its Electronic Security Perimeter (ESP). Additionally, the company failed to show that as part of the cyber vulnerability assessment it performed a review of all default accounts, and it reviewed controls for default accounts, passwords, and network management community strings.

Finding: RFC determined that the R8 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because during the violation period, the company enabled monitoring, logging and alerting, as well as anti-virus protections on all Critical Cyber Assets (CCAs) within the ESP where technically feasible. In addition, the company used an intrusion prevention system to protect all ESP access points, which logged, alerted, and constantly monitored all access points during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R8. RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company was required to comply with CIP-007-3 R8, and ended when URE determined which ports and services are necessary for the operation of Cyber Assets, enabled only those ports and services, and performed a review of its default accounts. URE neither admits nor denies the R8 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-007-3

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found that URE violated R2 when certain protocol ports in its system scans that URE uses in the process implemented to ensure that only required ports and services were enabled, were not included in the process itself.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated by URE’s use of network security controls that analyze traffic for threats affecting ports. In addition, URE’s ESP firewall configuration blocks unsolicited traffic from passing into the networks segregated by ESPs. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-007-3

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: While conducting a regional compliance audit, the Regional Entities found that URE failed to document the assessment of security patches and upgrades for applicability within thirty calendar days of availability of such patches or upgrades, and also failed to document the implementation of security patches. The latter violation occurred when, due to an outage of URE’s third-party software application that included a patch management feature, URE did not assess the applicability of patches for its third-party software applications.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated by URE’s representation that it indeed installed all relevant security patches, even if such installation was not documented. It was further mitigated by URE applying defense-in-depth strategies and by URE protecting the systems at issue by requiring authentication and employing antivirus protection and host intrusion prevention software. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-007-3

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining the following compliance issues. URE reported that it had not changed a password from the factory default on a non-critical Cyber Asset port before placing it into service. URE further reported that within the one-year required time frame, it had not changed eight user account passwords, and it had not reviewed access privileges on user accounts as required for one server and seventeen workstations serving generation dispatch. In addition, during a multi-regional Compliance Audit, URE’s logs of user account access to Cyber Assets failed to include system users, and thus did not provide logs with enough detail for historical audit trails under R5.1.2.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated by three primary factors. The port at issue did not control any CCAs, was located within an ESP, and a multi-factor authentication requirement protected URE’s system access. In addition, after a system impact assessment, URE confirmed that failing to change passwords to the user accounts did not impact its system and that the annual password change failure was mitigated by the natural expiry of the passwords after a period of time. Lastly, numerous security layers, including redundancy in URE’s server and workstation environments, multiple controls protecting system user accounts and Cyber Assets, and strict physical access controls, protect against cyber attacks. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-007-3

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report after discovering that it had not processed cyber security logs and alerts required by the standard. This occurred when URE failed to implement certain business process controls and communications which prevented its log management and incident alerting system from receiving local security logs. As a result, the Regional Entities found that URE had violated R6 for failing to implement automated tools or organizational process controls to monitor system events that are related to cyber security for all Cyber Assets in its ESP.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated by URE’s firewalls, network-based intrusion and detection systems, and antivirus solutions which detect security threats that are constantly monitored by URE’s operations center. The same center also responds to threats detected by many other enterprise-wide security tools and controls, which provide a view of network-based cyber security events and allow the center to identify incidents before they impact any BPS-related systems. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-007-3

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining that it had not performed annual Cyber Vulnerability Assessments of certain ports, services, or default accounts on servers where host applications are used for physical security and port scanning to support file transfers between applications and to provide domain authentication services. URE also reported a failure to perform such assessments on certain servers and workstations used to monitor and dispatch URE’s generation fleet.

Finding: The violation was deemed to pose a moderate risk to BPS reliability and was mitigated by URE’s initial baseline Cyber Vulnerability Assessment performed on all assets at issue. In addition, URE reported that its failure to perform the required annual assessment was limited to one set of servers and workstations, and URE has multiple layers of physical and electronic security to protect against cyber attacks. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-007-3

Requirement: 3/3.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: NPCC

Issue: NPCC determined that URE did not timely document, as required, its assessment of the applicability of security patches and security upgrades for three personal computers and one switch.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. The relevant devices were located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $50,000 (aggregate for 5 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-007-3

Requirement: 5/5.3.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported that it had not changed two administrative passwords on an annual basis, as defined by its parent company, for some of its devices.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability. URE has a site gatekeeper that is the only person who can authorize access to devices and who is also responsible for issuing passwords to authorized personnel. The relevant devices were also located in an ESP and PSP (with access restricted to authorized personnel). The devices were also protected by network isolation, which prevented the devices from being exposed to untrusted networks (such as the internet). URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $50,000 (aggregate for 5 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entities 1, 2, 3, 4 (RFC_URE1, RFC_URE2, RFC_URE3, MRO_URE1) (collectively, RFC-MRO_UREs), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-007-3

Requirement: 1, 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region(s): ReliabilityFirst, MRO

Issue: RFC_URE2 initially self-certified a violation of CIP-003-3 R6, and upon further review self-reported further CIP-007-3 Reliability Standards violations. URE found through an internal self-assessment that a CCA router was missing a configuration baseline, which is required by CIP-003-3 R6. URE also did not follow established testing procedures on the router. In particular, URE did not carry out procedures for cybersecurity testing (CIP-007-3 R1.1); did not document that the testing was conducted in a way that reflects the production environment (CIP-007-3 R1.2); and did not document test results (CIP-007-3 R1.3). Lastly, URE did not document that only those ports and services needed for normal or emergency operations were enabled on the router, which left URE unable to show that the ports and services were enabled or disabled as appropriate (CIP-007-3 R2).

Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability. RFC_URE2 ensured that the router was secured with a domain identification and password, with authorization within the network and with membership requirement within the security group. Additionally, the devices supported by the network are built and operated using management templates to grant access to only the ports and services necessary for normal and emergency operations; though RFC_URE2 did not document that this had occurred for this router. In determining the appropriate penalty, RFC found the RFC-MRO_UREs’ internal compliance program to be a mitigating factor; however, the repeat noncompliance was considered an aggravating factor. The CIP programs at RFC-MRO_UREs had been reviewed and revised after previous CIP violations to ensure compliance; however, the current violations of CIP-003-3 R6, CIP-007-3 R1 and R2 and CIP-004-3 R3 were found to be evidence of a failure of the CIP compliance program, which was an aggravating factor in penalty determination. Several of the violations were self-reported, which RFC found to be a mitigating factor.

Total Penalty: $20,000 (aggregate for 9 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE1 had not implemented, for 60.43% of its CCAs and 44.17% of its Cyber Assets within the ESP, its cyber security test procedures designed to verify that new Cyber Assets and significant changes to existing Cyber Assets within the ESP do not adversely affect existing cyber security controls. URE1 did not test for adverse effects on existing cyber security controls or address the testing of ports or services during significant changes. URE1 also did not properly document the test results for the security patches applied at one of its facilities and did not follow the test procedures when an engineer replaced four firewalls.

Finding: SERC and RFC found that URE’s CIP-007-3 R1 violation constituted a moderate risk to BPS reliability since by failing to follow cyber security test procedures, the Cyber Assets could develop security vulnerabilities without URE’s knowledge and without compensating measures in place. But, URE1 did conduct a staged implementation in development environments before production deployments. The equipment manufacturer also verified and functionally tested the security patches before they were used in a production environment. In regards to the firewalls, the engineer reviewed the ports and services to check that they satisfied the enterprise guidelines. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE’s process for identifying baseline ports and services and for testing for significant changes did not properly determine the ports and services required for normal and emergency operations. Thus, URE had unnecessary ports and services that were enabled as it did not disable those ports and services not required for normal and emergency operation prior to the production use of certain Cyber Assets within the ESPs.

Finding: SERC and RFC found that URE’s CIP-007-3 R2 violation constituted a moderate risk to BPS reliability since it increased the risk for unauthorized network traffic to infiltrate into the ESP through those unnecessary ports and services. But, URE had firewall rules that deny by default and specific user account requirements, as well as intrusion detection and prevention system devices (which detect for malicious traffic attempting to gain access to the ESP). URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3

Requirement: 3 (2 violations – RFC and SERC), 4 (2 violations – RFC and SERC)

Violation Risk Factor: Lower (3), Medium (4)

Violation Severity Level: Severe (3, 4)

Region: RFC and SERC

Issue: RFC and SERC determined that URE did not timely install certain security patches and security upgrades on 60.04% of its CCAs and 43.07% of its Cyber Assets within the ESP as it only reviewed operating system security releases for Cyber Assets within the ESP managed by a systems group (3). URE also had CCAs and Cyber Assets within the ESP that do not run an operating system capable of using antivirus software or were otherwise incapable of installing antivirus software or malware prevention tools, but did not submit Technical Feasibility Exceptions as required (4).

Finding: SERC and RFC found that URE’s CIP-007-3 R3 and R4 violations constituted a moderate risk to BPS reliability. In regards to the R3 violations, the failure to timely install all of the required security patches and security upgrades on the Cyber Assets within the ESP increased the risk that unauthorized network traffic would infiltrate the ESP. But, URE had installed the mandated security patches and security upgrades for the Cyber Assets’ operating systems, whereas the Cyber Assets at issue in the violations have limited software installed and therefore there are few relevant security patches and security upgrades. URE is also an active participant in security forums in which it may become aware of relevant security patches and security patch risks. URE also has intrusion detection and intrusion prevention on the network to protect against malware. The R4 violations increased the risk of malware on the Cyber Assets within the ESP. But, the devices at issue, none of which directly connect to the internet, are either firmware devices or focused delivery software-driven devices that have limited user interactions. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3

Requirement: 5 (7 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that a printer at URE1’s blackstart facility within the PSP and ESP contained an administration account, and that URE1 did not evaluate the printer for accounts that have access to the printer, establish its account management policy, and monitor activity on the printer’s administration account (5). URE1 and URE2 (collectively, URE) did not submit Technical Feasibility Exceptions (TFEs) for its devices managed in accordance with the directory service that are incapable of following the password requirements. URE also did not submit TFEs for 52 CCAs and Cyber Assets that are non-server systems that do not have an operating system able to use sufficiently complex passwords. URE1 also did not properly configure the password controls for two functions on two of its CCAs (5.3). In addition, URE did not properly define the criteria for its passwords for the entire set of its password-protected assets (5.3.2). Furthermore, two of URE’s functions did not enact the corporate-wide policy to have audit trails of account use available for 34 shared accounts (5.2.3). URE1’s procedures for generation logs did not appropriately distinguish between individual and system shared accounts and thus prevented the creation of the required historical audit trails of user account access activity. URE1 did not properly establish procedures for generating logs (to be kept for a minimum of 90 days) needed to create historical audit trails of individual user account access activity for 18 CCAs and one non-critical Cyber Asset (5.1.2). URE1 also did not review the access privileges for the user accounts of those 19 assets on an annual basis as required (5.1.3). URE1 also did not establish the required procedures for managing use of shared accounts (such as limiting access to only authorized individuals), developing an audit trail of account use, or securing the account after personnel changes for those 19 assets (5.2.3).

Finding: SERC and RFC found that URE’s CIP-007-3 R5 and R5.3.2 violations only constituted a minimal risk to BPS reliability. In regards to R5, the printer was protected by a PSP and ESP, and only a limited number of URE personnel had access to the facility. For R5.3.2, URE did have in place criteria which resulted in complex passwords, and all password-protected devices are protected by firewalls, routers with restricted remote access and PSPs. SERC and RFC found that URE’s CIP-007-3 R5.3, R5.2.3, 5.1.2 and 5.1.3 violations constituted a moderate risk to BPS reliability. In regards to R5.3, 5.1.2 and 5.1.3, the violation increased the risk that unauthorized system access would occur. But, URE had multiple protective measures in place to protect its devices, such as redundant firewalls and intrusion detection system devices, and monitored the devices within the ESPs for security events. The devices were also protected by PSPs. In regards to R5.2.3, the lack of audit trails means that URE may not be able to track shared account activity back to a specific user in the event a cyber security event occurred. But, in some instances, URE did have procedures in place to manage shared accounts, such as limiting access to authorized individuals and securing the account after personnel changes. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3

Requirement: 6 (7 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE2 (which had automatic logging enabled at a blackstart facility before it was subject to the Reliability Standards) had reassigned IP addresses, which resulted in the inadvertent ceasing of log capture for the Cyber Assets within the ESP (1). URE1 also had a printer at a blackstart facility that was not able to implement automated tools or organizational controls as required to monitor cyber security system events for the other Cyber Assets within the ESP (2). URE1 and URE2 (collectively, URE) also did not file Technical Feasibility Exceptions (TFEs), as required, for 90 CCAs and Cyber Assets within the ESP that are non-server systems that do not run an operating system capable of implementing security status monitoring (3). As 11 of URE’s 17 network switches were not correctly transmitting log information on cyber security system events, URE was not properly maintaining logs of cyber security events, issuing automated or manual alerts for cyber security incidents, retaining the required logs for 90 days, or reviewing the logs of cyber security system events (4). In addition, for one other Cyber Asset within the ESP, URE2 erased and rebuilt the server, and as a result did not retain all of the required logs for 90 days as mandated (5). Also, URE1 replaced an email server, but did not update the changed IP address on the log aggregation server that issues alerts for detected cyber security incidents (6). Furthermore, URE1 did not submit TFEs for two of its Cyber Assets within the ESP that were unable to support security status monitoring (7).

Finding: SERC and RFC found that URE’s CIP-007-3 R6 violations (violations 1-6) constituted a moderate risk to BPS reliability. The violations increased the risk of there being an undetected compromise of the CCAs or other cyber security system event. But, the Cyber Assets were protected by an ESP and PSP, as well as site physical security. In addition, for the second violation, a limited number of personnel had access to the blackstart facility. For the sixth violation, the relevant ESP had an intrusion detection sensor, which blocks suspicious traffic trying to enter the ESP. The operational status was also subject to continuous monitoring, and the plant (which is able to operate locally) is disconnected from URE’s network if the system becomes compromised. SERC and RFC found that the seventh violation constituted only a minimal risk to BPS reliability since upon commissioning of the Cyber Assets, URE had installed compensating measures, such as having alarming contacts back to the security console. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-007-3

Requirement: 3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit, SERC found that URE did not timely evaluate 19 security patches for applicability within 30 days of their release. 18 of those patches applied to server software that was introduced to URE’s network, and the remaining missed patch was the result of late notification by a third-party vendor.

Finding: SERC found that the CIP-007-3 R3 violation constituted a moderate risk to BPS reliability as failure to timely assess the security patches caused the Cyber Assets to be susceptible to security vulnerabilities. But, URE had installed firewalls, network address translation and filtering to protect its Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-007-3

Requirement: 6

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that, as a result of a reconfiguration, it was not sending logs to the centralized monitoring, logging and alerting system for three servers and therefore it was not performing security status monitoring for those servers (two of which were CCAs) as required.

Finding: SERC found that the CIP-007-3 R6 violation constituted a moderate risk to BPS reliability as the incomplete monitoring of system events related to cyber security increases the risk of a cyber security breach going undetected and negatively impacting URE’s ability to conduct an appropriate incident response. But, the devices were all located within a PSP and ESP, with access limited to authorized personnel. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-30 (January 30, 2014)

Reliability Standard: CIP-007-3

Requirement: 8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: RFC determined that URE’s cyber vulnerability assessment (CVA) procedures did not contain adequate documentation regarding the identification of the CVA process, the review to verify that only those ports and services required for operations at access points to the ESP and for Cyber Assets within the ESP are enabled, the discovery of all ESP access points, the review of default account controls, passwords and network management community strings, and the results of the CVA and the action plan to remediate or mitigate identified vulnerabilities. URE also did not review the controls for network community strings for two years.

Finding: RFC found that the CIP-007-3 R8 violation constituted a moderate risk to BPS reliability since an inadequate CVA increases the risk of URE’s assets being compromised. In addition, the violation lasted for over two years, prolonging URE’s exposure to the risk. But, this violation was primarily a documentation issue as URE was actually conducting the CVAs and was able to provide supporting details on those assessments. URE also configured all of its access points’ network management community strings to be read-only and did not use default values (either public or private). Furthermore, the network management community strings were only accessible by specific internal Cyber Assets. URE neither admits nor denies the violations. In approving the settlement agreement, NERC BOTCC considered URE’s Reliability Standards violation history, which was evaluated as an aggravating factor. But, most of the violations were self-reported and URE did have an internal compliance program in place, which was viewed as a mitigating factor. In addition, URE agreed to perform reliability enhancement activities that were considered above-and-beyond what was required for compliance with the Reliability Standard. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not constitute a serious or substantial risk to BPS reliability, even though in the aggregate, the violations were found to present an increased risk to URE’s Cyber Assets and to be indicative of programmatic failure.

Total Penalty: $75,000 (aggregate for 13 violations)

FERC Order: Issued February 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-007-3

Requirement: R8 (8.2, 8.3, 8.4)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that its annual CVA did not include a review of controls for default accounts or a documented action plan. During a compliance audit, SPP RE found that URE’s CVA was inadequate for three consecutive years prior to self-reporting its CIP-007-3 violation.

Finding: SPP RE determined that the violation constituted a moderate risk to BPS reliability as it increased the risk of malicious activity on URE’s EMS due to an insufficient action plan for addressing vulnerabilities. However, URE remained continuously aware of the ports, services and accounts enabled through the use of a network and a vulnerability scanner. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)