NERC Case Notes: Reliability Standard CIP-007-3a | White & Case LLP International Law Firm, Global Law Practice

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries. The FFT (Find, Fix and Track) summaries are collected on a separate page.

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3a

Requirement: R8 (3 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE did not review in its annual cyber vulnerability assessment whether 14 switches in RFC (out of 200 Cyber Assets) and 31 Cyber Assets in SERC (out of 700 Cyber Assets) had only those ports and services enabled that were required for operation of the Cyber Assets (1). URE also did not properly document an action plan to remediate or mitigate vulnerabilities identified in the cyber vulnerability assessment (2). URE also did not include three newly commissioned Cyber Assets at one of its facilities in its cyber vulnerability assessment as the router configuration did not allow the scanning tool to reach these devices (3).

Finding: SERC and RFC found that the first and second CIP-007-3a R8 violations constituted a moderate risk to BPS reliability, as they increased the risk of URE’s systems being exposed to unknown vulnerabilities. However, the cyber vulnerability assessment did not discover any issues with the relevant switches and Cyber Assets (which were protected by the firewall rules). SERC and RFC found that the third CIP-007-3a R8 violation constituted only a minimal risk to BPS reliability, as the three Cyber Assets at issue were not remotely accessible (they sat on a non-routable virtual LAN connected to a router within the ESP) and did not have any issues. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE self-reported some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (although URE received only partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that the baseline documentation for over 500 devices (approximately 400 CCAs and 100 non-critical Cyber Assets) did not specify, as mandated, the ports and services required for normal and emergency operations. Thus, URE was unable to verify, as required, that only those ports and services required for emergency or normal operations were enabled.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it resulted in over 500 devices being vulnerable to exploitation. However, URE employed a signature-based filtered intrusion detection system to protect against attacks and vulnerabilities and URE’s network systems were continuously monitored and logged. In addition, URE affirmed that all of its Cyber Assets were physically secure and protected by access badges, cameras, guards and other measures to prevent unauthorized access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was also cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not have an adequate policy for determining who used shared accounts at any given time and, therefore, could not provide audit trails of shared account use. WECC found that over 500 devices lacked a process for tracking shared account usage; URE had submitted Technical Feasibility Exceptions for over 380 of those devices. In addition, WECC found that URE did not change shared account passwords annually, as required, for 13 accounts.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability. However, URE did establish controls for managing the personnel who have access to the shared accounts. URE’s networks were also separated from its corporate environment and the internet. In addition, URE’s network traffic was required to pass through firewalls, which protect against suspected malicious activity. All of the devices at issue were located within physically secure areas with restricted access and monitoring by an intrusion detection system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, due to insufficient coordination among business units, it did not conduct an annual cyber vulnerability assessment (CVA) on 18 routers and switches (9 CCAs and 9 non-critical Cyber Assets) used to support ESP network functions and therefore also lacked documentation of a plan to mitigate or remediate any cyber vulnerabilities.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability. URE conducted a CVA on its other Cyber Assets. Additionally, URE’s ESPs are protected by an intrusion detection system and access point protections, with traffic to and from the ESPs passing through firewalls that protect against suspected malicious activity. The devices at issue are also located within physically secure areas with restricted access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not timely evaluate and document, as required, three operating system vendor advisories (which were assigned a “high” vulnerability rating) for applicability. This violation affected 20 non-critical Cyber Assets, and the security patches associated with those high vulnerability advisories were not assessed or documented for 6 and 11 months, respectively, after they became available.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability as the security patches at issue were applicable to only a limited number of non-critical Cyber Assets. All of URE’s Cyber Assets are protected by an ESP and PSP, with access to the ESP restricted by a two-factor authentication process. In addition, no malicious activity involving the Cyber Assets at issue was detected during the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that the URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit, SERC determined that URE did not properly include network switches and routers when it conducted its annual cyber vulnerability assessment (CVA). For example, URE did not review all enabled ports and services on network switches and routers within the ESP or all controls for default accounts on switches and routers within the ESP.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability, since URE conducted a complete CVA of all electronic access points and verified that the ESP’s perimeter defenses were adequately hardened. Furthermore, the relevant ports and services are incapable of logical port filtering. URE’s ESP also had real-time monitoring provided by a third-party vendor, which gave immediate notification of any security events. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE did not perform an annual cyber vulnerability assessment (CVA) on all of the Cyber Assets within an ESP (as it did not cover four CCAs and two physical access control system devices).

Finding: WECC determined that the violation constituted only a minimal risk to BPS reliability. The assets at issue were contained within a single ESP, which was protected by an intrusion detection system and security incident and event management technology. URE conducted a CVA on the remaining Cyber Assets within the generation management system domain, and no actual harm to the BPS occurred. Furthermore, traffic to and from the ESPs is controlled by a firewall and the devices are located in a physically secure area. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $180,000 (aggregate for 7 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R1/R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE1 self-certified that it failed to test an operating system security patch in a CIP test environment before it was installed on four CCAs to ensure that the patch would not adversely affect any existing cyber security controls.

Finding: RFC determined this violation constituted only a minimal risk to the BPS as the issue was promptly identified and corrected within a week. Additionally, all patches had been approved by third party vendors and testing did not uncover any compatibility issues between the patch and the CCAs. Furthermore, the four CCAs were not needed or used during the course of the violation. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R5/R5.3.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE7 self-reported that, as a result of its move from a legacy CIP program to the new URE Parent Company CIP program, it failed to update annually the passwords for 12 individual user accounts and 8 shared system accounts.

Finding: RFC determined that the violation posed only a minimal risk to BPS reliability as the duration of the violation lasted only one month. In addition, the passwords on those accounts were sufficiently complex and available only to authorized users. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R7/R7.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE6 self-reported that it did not properly maintain its records regarding the redeployment of a device that was removed from service and classified as a spare device.

Finding: RFC determined that the violation posed only a minimal risk to BPS reliability as it involved a documentation error. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R1/R1.1/R1.2/R1.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: During a compliance audit, Texas RE found that URE could not prove that it followed test procedures or documented test results for change requests for significant changes to its Cyber Assets within an ESP as required by its change control and configuration management process.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability. While URE did not retain documentation of test procedures and results for change requests for significant changes to its Cyber Assets, it did document completed change requests. In addition, URE did test significant changes to its Cyber Assets in a development environment that mirrored its production environment before implementing them into production. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3/R3.1/R3.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-certified and self-reported that for two types of servers, on two occasions, it did not assess or document security patches within 30 days of availability as required.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability. URE's Cyber Assets were protected through a layered approach utilizing firewalls, access authentication, shared account reviews, training, cyber incident detection, and an intrusion prevention system. URE's firewalls and intrusion prevention system were located in a secure facility and monitored at all times, and alerts were sent and investigated for any unfamiliar communications within its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3/R3.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: In the course of a compliance audit, Texas RE found that URE failed to document the implementation of eight security patches installed on a server.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability, as the violation was limited to a documentation error. The security patches had been applied to the server, and test plan results for cybersecurity control modifications were verified and signed by testing personnel. Also, URE utilized an intrusion prevention system, firewalls, and network segmentation to provide multi-layered defenses. In addition, URE had significant internal and external defenses against cyber-attacks, viruses, and malware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R4/R4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: In the course of a compliance audit, Texas RE found that three of URE's servers did not have current antivirus and malware prevention signatures because the client connection to the management server that distributes virus definition updates had been lost.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability, as URE employed multi-layered defenses that mitigated the risks and had significant internal and external defenses against cyber-attacks, viruses, and malware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R7/R7.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC reviewed the disposal, redeployment and media erasure logs of a randomly selected group of Cyber Assets and determined that URE had four non-critical Cyber Assets and one Physical Access Control System (PACS) device that had been destroyed without first erasing the data storage media. While URE was able to prove that one device had not yet been destroyed, it could not offer proof of the same for the remaining four.

Finding: WECC determined that the violation posed only a minimal risk, not a serious or substantial one, to BPS reliability. URE employed in-depth physical security measures, including guards, special locks and closed-circuit television monitoring, and logical cybersecurity controls, including logical perimeters and firewalls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability, with two violations posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8/R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC reviewed URE's list of steps for performing a CVA and found that the tasks were optional and not concrete. Instead of requiring a review of the required ports and services for all Cyber Assets, the procedure allowed an assessor to perform a subjective review of enabled ports and services for only a subset of Cyber Assets. The task of reviewing a hardening statement was optional, subjective and circular. The assessor also had the option of reviewing the access control lists of access control systems to determine whether traffic flow was too lenient. WECC concluded that URE's documented steps for performing a CVA, as written, would have been deficient in proving compliance. URE failed to conduct a CVA for ports and services on all of its Cyber Assets, including CCAs, 20 non-critical Cyber Assets, 20 EACMS devices, and fewer than 10 PACS devices.

Finding: WECC determined that the violation posed a moderate risk to BPS reliability, as there was an increased risk that someone could disrupt operations at any of URE's BPS facilities by gaining access to a critical application or system through an open port that should not have been enabled. However, URE employed in-depth physical security measures, including guards, special locks and closed-circuit television monitoring, and logical cybersecurity controls, including logical perimeters, firewalls, scanning tools, intrusion detection systems, and a security event management system. The risk of malicious use of the ports was further reduced because the ports were maintained within an ESP that was monitored at all times. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability, with two posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending
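The R8 and R2 findings on this page (a CVA procedure that let the assessor pick a subset of assets and judge ports subjectively; in NP13-47, devices the scanner could not reach; in NP14-39, assets with no documented baseline of required ports and services) reduce to one mechanical check that has to run for every asset in the ESP inventory: compare the documented required ports and services against what is actually listening, and report any asset on which the comparison could not be run at all. The Python below is an added example written for this page, not code from any registered entity, NERC or White & Case; the asset names, baseline and scan results are constructed, and the action texts are only illustrative of the R8.4 action plan items a reviewer would record.

```python
"""Deterministic ports-and-services review over a whole ESP inventory.

Added example for this page; not from any URE, NERC or White & Case.
Every asset name, baseline entry and scan result below is constructed.
"""
from dataclasses import dataclass

# Constructed documented baseline (CIP-007-3a R2 style): for each asset, the
# (protocol, port) pairs required for normal or emergency operation, with a
# one-line justification. pacs-ctl-01 deliberately has no baseline.
BASELINE = {
    "rtr-esp-01": {("tcp", 22): "SSH management", ("udp", 161): "SNMP polling"},
    "sw-esp-01": {("tcp", 22): "SSH management"},
    "sw-esp-02": {("tcp", 22): "SSH management"},
    "ems-srv-01": {("tcp", 22): "SSH management", ("tcp", 443): "HMI web"},
    "hist-srv-01": {("tcp", 1433): "historian database"},
}

# Constructed ESP inventory: the population the CVA must cover, not a subset.
INVENTORY = ["rtr-esp-01", "sw-esp-01", "sw-esp-02",
             "ems-srv-01", "hist-srv-01", "pacs-ctl-01"]

# Constructed scan output: asset -> set of (protocol, port) found listening.
# sw-esp-02 is absent on purpose: the scanner never reached it (the router
# configuration problem in NP13-47), so it must surface as unassessed.
SCAN = {
    "rtr-esp-01": {("tcp", 22), ("udp", 161), ("tcp", 23)},    # telnet: undocumented
    "sw-esp-01": {("tcp", 22)},
    "ems-srv-01": {("tcp", 22), ("tcp", 443), ("tcp", 3389)},  # RDP: undocumented
    "hist-srv-01": set(),                                       # 1433 expected, absent
    "pacs-ctl-01": {("tcp", 80)},                               # no baseline to compare
}


@dataclass
class Finding:
    asset: str
    kind: str        # "undocumented_open" | "baseline_not_observed" | "unassessed"
    port: str = ""   # e.g. "tcp/23"; empty for unassessed
    action: str = "" # illustrative action-plan text


def _fmt(p):
    return f"{p[0]}/{p[1]}"


def review(inventory, baseline, scan):
    """Run the comparison for every inventoried asset; never skip one silently."""
    findings = []
    for asset in sorted(inventory):
        if asset not in scan:
            findings.append(Finding(asset, "unassessed",
                            action="fix scanner reachability or assess manually, then re-run"))
            continue
        if asset not in baseline:
            findings.append(Finding(asset, "unassessed",
                            action="document required ports/services, then review"))
            continue
        required = set(baseline[asset])
        observed = set(scan[asset])
        for p in sorted(observed - required):
            findings.append(Finding(asset, "undocumented_open", _fmt(p),
                            "disable, or add to baseline with justification"))
        for p in sorted(required - observed):
            findings.append(Finding(asset, "baseline_not_observed", _fmt(p),
                            "confirm whether still required; update baseline"))
    return findings


def summarize(findings):
    """Counts per finding kind, for the assessment report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def has_gaps(findings):
    """True if any asset was not fully assessed or has an undocumented open port."""
    return any(f.kind in ("undocumented_open", "unassessed") for f in findings)


def action_plan(findings):
    """One line per finding: the documented remediation/mitigation plan (R8.4)."""
    return [f"{f.asset}: {f.kind} {f.port} -> {f.action}".replace("  ", " ")
            for f in findings]


if __name__ == "__main__":
    result = review(INVENTORY, BASELINE, SCAN)
    print(summarize(result), "gaps" if has_gaps(result) else "clean")
    print("\n".join(action_plan(result)))
```

The two "unassessed" branches are the point: a procedure that only reports on assets the scanner happened to reach, or that only has baselines for some assets, produces exactly the optional-and-subjective review WECC objected to. Reporting those assets as findings in their own right, rather than dropping them, is what lets the assessment prove coverage of the whole inventory.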

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R/R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit WECC reviewed URE's list of steps for performing a CVA review and found that the tasks were optional and not concrete. Instead of reviewing required ports and services for all Cyber Assets, the procedures allowed an assessor to perform a subjective review of enabled ports and services for only a subset of Cyber Assets. The task of reviewing a hardening statement was optional, subjective and circular. The assessor also had the option of reviewing access control lists of access control systems to determine if traffic flow was too lenient. WECC concluded that URE's documented steps for performing a CVA as written would have been deficient in proving compliance. URE failed to conduct a CVA for ports and services on all its Cyber Assets, including CCAs, 20 non-critical Cyber Assets, 20 EACMs, and less than 10 PACs devices.

Finding: WECC determined that the violation posed a moderate risk to BPS reliability, as there was an increased risk that someone could disrupt operations at any of URE's BPS facilities by gaining access to a critical application or system through an open port that should not have been enabled. However, URE employed in-depth physical security measures, including guards, special locks and closed-circuit television monitoring, and logical cybersecurity controls, including logical perimeters, firewalls, scanning tools, intrusion detection systems and a security events management system. The risk of malicious use of the ports was further reduced as the ports were maintained within an ESP that was monitored at all times. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and had self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability, with two posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity (URE), FERC Docket No. NP15-13-000 (December 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-reported that it was not applying its security patch management program effectively, as one of its supervisors was backdating energy management system (EMS) patch logs. After discovering that a line item had been omitted from the workflow list for approximately five (5) months, the supervisor backdated the logs to make it appear as though the patches had been applied during that time. URE was required to complete the log one month after an assessment; however, the supervisor altered the logs three months after a security patch was assessed to make it appear as though the patch had been assessed on time.

Finding: ReliabilityFirst determined that the violation posed only a minimal risk to the BPS reliability as no new patches were issued during the duration of the violation and URE completed all patch assessments on time. Additionally, URE did not provide the information during the Compliance Audit or to the compliance industry and it was not utilized for Self-Certification to ReliabilityFirst. URE also rectified and self-reported the violation. In addition, ReliabilityFirst determined that this was an isolated incident for which the employee was terminated and not representative of URE's culture. URE also voluntarily informed ReliabilityFirst of the violation during the performance appraisal process. URE admitted that it was in violation of CIP-007-3a R3 and self-reported the violation. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place and clearly demonstrated its commitment to enhancing its internal controls and preventing any future violations. URE voluntarily agreed to a performance appraisal of its management practices and procedures and its compliance history was not considered an aggravating factor. URE was cooperative throughout the duration of the violation, did not conceal the violation, and no other aggravating factors were discovered.

Penalty: $0 (aggregate for 1 violation)

FERC Order: Pending

Unidentified Registered Entity (URE), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8/R8.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that for two years URE's action plans for remediating or mitigating vulnerabilities discovered during its CVA of Cyber Assets in its ESP did not include columns to record the execution status of the plans.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability, as URE has a defense-in-depth architecture of physical and logical cybersecurity controls, including physical security mechanisms, special locks and closed-circuit television, and logical perimeter and internal cybersecurity controls, including firewalls, vulnerability scanning tools and a security events management system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE submitted four Self-Reports to ReliabilityFirst, stating it had violations of CIP-007-3a R3 and TOP-006-2 R1, R2 and R5. URE's transmission operation control center (TOCC) experienced an ECS failure lasting 91 minutes, resulting in loss of monitoring and control. This was a result of URE's failure to assess a released upgrade. The violation of CIP-007-3a R3 was due to URE's failure to track, evaluate, test and install all software patches, and to identify compensating measures when patches were not installed. The TOP-006-2 R1 violation was the result of URE's failure to monitor and inform the Reliability Coordinator of all available transmission resources. The TOP-006-2 R2 violation was a result of URE's failure to monitor applicable transmission line status, real and reactive power flows, voltage, and the status of rotating and static reactive resources. The violation of TOP-006-2 R5 was the result of URE's failure to use monitoring equipment to communicate important changes in operating condition and the need for corrective action to operating staff.

Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because the inadequately tested patch caused an interruption of 91 minutes. The CIP violation lasted for a prolonged period of time, and the TOP violations lasted 91 minutes. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) include steps to transfer communication between control centers in the action plan and (2) improve synchrophasor usage.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 and URE2 self-reported that they did not preserve complete records of test results for changes on CIP Cyber Assets. In addition, ReliabilityFirst found that both UREs did not ensure that new Cyber Assets and changes to current Cyber Assets did not adversely affect cyber security controls.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violations was reduced because the issue was primarily a record-keeping issue: both UREs performed accurate testing, even though the testing was not complete. Further, both UREs performed follow-up testing to ensure that the recording deficiencies did not have adverse effects on the production system. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. The UREs' mitigation plans obliged the UREs, among other things, to meet with employees to review the test recording procedures.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that it did not retain logs of system events for 90 days because it had not implemented controls to monitor cyber security system events. ReliabilityFirst found that URE1 did not ensure that a Cyber Asset within the ESP implemented automated tools to monitor cyber security events.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was reduced because the affected CCA device was situated within the ESP, behind firewalls. Further, the URE had procedures to log access at access points in the ESP. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1's mitigation plan obliged the URE, among other things, to update a CIP server build procedure to highlight procedures for designing the CCA to back up logs and automatically alert after failed login attempts.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R5, R5.2.1, R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that it failed to complete the yearly password change for 12 software accounts on seven Critical Cyber Assets (CCAs) and that it did not update passwords for three default accounts on one storage array.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because failures to change default passwords and to change passwords annually could have allowed unauthorized electronic access to Critical Cyber Assets (CCAs). However, access to the CCA software required an account on the domain, access to the default accounts required two-factor authentication into the Electronic Security Perimeter (ESP), and the CCAs were located within an ESP and a Physical Security Perimeter. To mitigate the violation, FRCC_URE2 (1) changed the relevant passwords, (2) informed appropriate employees of the requirements for securing default accounts, and (3) improved the process to track default accounts and accounts requiring an annual password change.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.

Unidentified Registered Entity 1 (FRCC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE1 self-reported that, for 21 hours, it had failed to review and preserve logs relating to certain Critical Cyber Assets (CCAs) due to the hardware failure of a device that logged and monitored CCAs and sent the information to a central repository.

Finding: FRCC found that this violation posed a minimal, but not a serious or substantial, risk to BPS reliability because the outage lasted only 21 hours, the CCAs had continued to record security information locally, and all the CCAs were protected by Physical and Electronic Security Perimeters. To mitigate the violation, FRCC_URE1 changed its security status monitoring procedure to require manual review of logs when a logging and monitoring device fails.

Penalty: $13,000 (aggregate for 2 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it did not adequately review ports and services for Critical Cyber Assets (CCAs) and non-CCAs.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting CCAs and non-CCAs at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services, and Electronic and Physical Security Perimeters protected the CCAs and non-CCAs. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services and (2) reviewed the relevant ports and services.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.