NERC Case Notes: Reliability Standard CIP-007-3a

Alert

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-007-3a

Requirement: 8 (3 violations)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE did not review in its annual cyber vulnerability assessment whether 14 switches in RFC (out of 200 Cyber Assets) and 31 Cyber Assets in SERC (out of 700 Cyber Assets) had only those ports and services enabled that were required for operation of the Cyber Assets (1). URE also did not properly document an action plan to remediate or mitigate vulnerabilities identified in the cyber vulnerability assessment (2). URE also did not include three newly commissioned Cyber Assets at one of its facilities in its cyber vulnerability assessment as the router configuration did not allow the scanning tool to reach these devices (3).

Finding: SERC and RFC found that URE’s CIP-007-3a R8 first and second violations constituted a moderate risk to BPS reliability. The violations increased the risk of URE’s system being exposed to unknown vulnerabilities. However, the cyber vulnerability assessment did not discover any issues with the relevant switches and Cyber Assets (which were protected by the firewall rules). SERC and RFC found that URE’s CIP-007-3a R8 third violation constituted only a minimal risk to BPS reliability, as the three Cyber Assets at issue were not remotely accessible (they exist on a non-routable virtual LAN connected to a router within the ESP) and did not have any issues. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE did self-report some of the violations, was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit, as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that the baseline documentation for over 500 devices (approximately 400 CCAs and 100 non-critical Cyber Assets) did not specify, as mandated, the ports and services required for normal and emergency operations. Thus, URE was unable to verify, as required, that only those ports and services required for emergency or normal operations were enabled.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since it resulted in over 500 devices being vulnerable to exploitation. However, URE employed a signature-based filtered intrusion detection system to protect against attacks and vulnerabilities and URE’s network systems were continuously monitored and logged. In addition, URE affirmed that all of its Cyber Assets were physically secure and protected by access badges, cameras, guards and other measures to prevent unauthorized access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was also cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not have an adequate policy for determining who used shared accounts at any given time and, therefore, URE could not provide audit trails of shared account use. WECC found that over 500 devices lacked a process for tracking shared account usage; URE submitted Technical Feasibility Exceptions for over 380 of those devices. In addition, WECC found that URE did not change shared account passwords annually, as required, for 13 accounts.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability. However, URE did establish controls for managing the personnel who have access to the shared accounts. URE’s networks were also separated from its corporate environment and the internet. In addition, URE’s network traffic was required to pass through firewalls, which protect against suspected malicious activity. All of the devices in scope were located within physically secure areas with restricted access and monitoring by an intrusion detection system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions to remedy the violations and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-39-000 (April 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that due to insufficient coordination among business units, it did not conduct an annual cyber vulnerability assessment (CVA) on 18 routers and switches (consisting of 9 CCAs and 9 non-critical Cyber Assets) used to support ESP network functions and therefore, also lacked documentation of a plan to mitigate or remediate any cyber vulnerabilities.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability. URE conducted a CVA on its other Cyber Assets. Additionally, URE’s ESPs are protected by an intrusion detection system and access point protections, with traffic to and from the ESPs passing through firewalls that protect against suspected malicious activity. The devices at issue are also located within physically secure areas with restricted access. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, URE’s compliance history was viewed as an aggravating factor. But, as mitigating considerations, URE self-reported three of the violations, pursued voluntary corrective actions and had a compliance program in place. URE was cooperative during the enforcement process and did not conceal the violations. The violations were also not intentional.

Total Penalty: $155,000 (aggregate for 9 violations)

FERC Order: Issued May 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not timely evaluate and document, as required, three operating system vendor advisories (which were assigned a “high” vulnerability rating) for applicability. This violation affected 20 non-critical Cyber Assets, and the security patches associated with those high vulnerability advisories were not assessed or documented for 6 and 11 months, respectively, after they became available.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability as the security patches at issue were applicable to only a limited number of non-critical Cyber Assets. All of URE’s Cyber Assets are protected by an ESP and PSP, with access to the ESP restricted by a two-factor authentication process. In addition, no malicious activity involving the Cyber Assets at issue was detected during the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that the URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit, SERC determined that URE did not properly include network switches and routers when it conducted its annual cyber vulnerability assessment (CVA). For example, URE did not review all enabled ports and services on network switches and routers within the ESP or all controls for default accounts on switches and routers within the ESP.

Finding: SERC determined that the violation constituted only a minimal risk to BPS reliability since URE conducted a complete CVA of all electronic access points and verified that the ESP’s perimeter defenses were adequately hardened. Furthermore, the relevant ports and services are incapable of logical port filtering. Also, URE’s ESP has real-time monitoring provided by a third-party vendor, which provides immediate notification of any security events. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE did not perform an annual cyber vulnerability assessment (CVA) on all of the Cyber Assets within an ESP (as it did not cover four CCAs and two physical access control system devices).

Finding: WECC determined the violation constituted only a minimal risk to the BPS reliability. The assets at issue were contained within a single ESP, which was protected by an intrusion detection system and security incident and events management technology. URE conducted a CVA on the remaining Cyber Assets within the generation management system domain and no actual harm to the BPS occurred. Furthermore, traffic to and from the ESPs is controlled by a firewall and the devices are located in a physically secure area. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $180,000 (aggregate for 7 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R1/R1.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE1 self-certified that it failed to test an operating system security patch in a CIP test environment before it was installed on four CCAs to ensure that the patch would not adversely affect any existing cyber security controls.

Finding: RFC determined this violation constituted only a minimal risk to the BPS as the issue was promptly identified and corrected within a week. Additionally, all patches had been approved by third party vendors and testing did not uncover any compatibility issues between the patch and the CCAs. Furthermore, the four CCAs were not needed or used during the course of the violation. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R5/R5.3.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE7 self-reported that, as a result of its move from a legacy CIP program to a new URE Parent Company CIP Program, it failed to annually update 12 individual user account passwords and 8 shared system account passwords.

Finding: RFC determined that the violation posed only a minimal risk to BPS reliability as the duration of the violation lasted only one month. In addition, the passwords on those accounts were sufficiently complex and available only to authorized users. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-007-3a

Requirement: R7/R7.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE6 self-reported that it did not properly maintain its records regarding the redeployment of a device that was removed from service and classified as a spare device.

Finding: RFC determined that the violation posed only a minimal risk to BPS reliability as it involved a documentation error. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R1/R1.1/R1.2/R1.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: During a compliance audit, Texas RE found that URE could not prove that it followed test procedures or documented test results for change requests for significant changes to its Cyber Assets within an ESP as required by its change control and configuration management process.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability. While URE did not retain documentation of test procedures and results for change requests for significant changes to its Cyber Assets, it did document completed change requests. In addition, URE did test significant changes to its Cyber Assets in a development environment that mirrored its production environment before implementing them into production. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3/R3.1/R3.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-certified and self-reported that for two types of servers, on two occasions, it did not assess or document security patches within 30 days of availability as required.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability. URE's Cyber Assets were protected through a layered approach utilizing firewalls, access authentications, shared account reviews, training, cyber incident detection, and an intrusion prevention system. URE's firewalls and intrusion prevention system were located in a secure facility, monitored at all times and alerts were sent and investigated for any unfamiliar communications within its ESP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3/R3.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: In the course of a compliance audit, Texas RE found that URE failed to document the implementation of eight security patches installed on a server.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as the violation was limited to a documentation error. Security patches had been applied to the servers and test plan results for cybersecurity controls modifications were verified and signed by testing personnel. Also, URE utilized an intrusion prevention system, firewalls, and network segmentation to provide multi-layered defenses. In addition, URE had significant internal and external defenses against cyber-attacks, viruses, and malware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R4/R4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: In the course of a compliance audit, Texas RE found that three of URE's servers did not have current antivirus and malware prevention signatures due to a lost client relationship connection with the managing server that provides virus definition updates.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as URE employed multi-layered defenses that mitigated the risks and had significant internal and external defenses against cyber-attacks, viruses, and malware. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R7/R7.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC reviewed the disposal, redeployment and media erasure logs of a randomly selected group of Cyber Assets and determined that URE had four non-critical Cyber Assets and one Physical Access Control System (PACS) device that had been destroyed without first erasing the data storage media. While URE was able to prove that one device had not yet been destroyed, it could not offer proof of the same for the remaining four.

Finding: WECC determined that the violation posed only a minimal but not a serious or substantial risk to the BPS reliability. URE employed in-depth physical security measures including guards, special locks, monitoring through closed circuit television and logical cybersecurity controls including logical perimeters and firewalls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to the BPS reliability with two violations posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R7/R7.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC reviewed the disposal, redeployment and media erasure/sanitation logs of a randomly selected group of Cyber Assets and discovered that URE had four non-critical Cyber Assets and one Physical Access Control System (PACS) device that had been destroyed without first erasing the data storage media. While URE was able to prove that one device had not yet been destroyed, it could not offer proof of the same for the remaining four.

Finding: WECC determined that the violation posed only a minimal but not a serious or substantial risk to the BPS reliability. URE employed in-depth physical security measures including guards, special locks, monitoring through closed circuit television and logical perimeters in addition to internal cybersecurity controls including firewalls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to the BPS reliability with two violations posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8/R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC reviewed URE's list of steps for performing a CVA review and found that the tasks were optional and not concrete. Instead of reviewing required ports and services for all Cyber Assets, the procedures allowed an assessor to perform a subjective review of enabled ports and services for only a subset of Cyber Assets. The task of reviewing a hardening statement was optional, subjective and circular. The assessor also had the option of reviewing access control lists of access control systems to determine if traffic flow was too lenient. WECC concluded that URE's documented steps for performing a CVA, as written, would have been deficient in proving compliance. URE failed to conduct a CVA for ports and services on all its Cyber Assets, including CCAs, 20 non-critical Cyber Assets, 20 EACMs, and fewer than 10 PACS devices.

Finding: WECC determined that the violation posed a moderate risk to the BPS reliability, as there was an increased risk that someone could disrupt the operations at any of the URE BPS facilities by gaining access to a critical application or system through an open port that should not have been enabled. However, URE employed in-depth physical security measures, including guards, special locks and closed circuit television monitoring, and logical cybersecurity controls, including logical perimeters, firewalls, scanning tools, intrusion detection systems, and a security events management system. The risk of malicious use of the ports was further reduced as the ports were maintained within an ESP that was monitored at all times. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to the BPS reliability, with two posing only a minimal threat and the remaining two posing a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity (URE), FERC Docket No. NP15-13-000 (December 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-reported that it was not applying its security patch management program effectively as one of its supervisors was backdating energy management system (EMS) patch logs. After discovering that a line item was omitted from the workflow list for approximately five (5) months, the supervisor backdated the logs to appear as though the patches had been applied during that time. URE was required to complete the log one month after an assessment; however, the supervisor altered the logs three months after a security patch was assessed to appear as though the patch was assessed on time.

Finding: ReliabilityFirst determined that the violation posed only a minimal risk to the BPS reliability as no new patches were issued during the duration of the violation and URE completed all patch assessments on time. Additionally, URE did not provide the information during the Compliance Audit or to the compliance industry and it was not utilized for Self-Certification to ReliabilityFirst. URE also rectified and self-reported the violation. In addition, ReliabilityFirst determined that this was an isolated incident for which the employee was terminated and not representative of URE's culture. URE also voluntarily informed ReliabilityFirst of the violation during the performance appraisal process. URE admitted that it was in violation of CIP-007-3a R3 and self-reported the violation. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place and clearly demonstrated its commitment to enhancing its internal controls and preventing any future violations. URE voluntarily agreed to a performance appraisal of its management practices and procedures and its compliance history was not considered an aggravating factor. URE was cooperative throughout the duration of the violation, did not conceal the violation, and no other aggravating factors were discovered.

Penalty: $0 (aggregate for 1 violation)

FERC Order: Pending

Unidentified Registered Entity (URE), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-007-3a

Requirement: R8/R8.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC found that for two years URE's action plans for remediating or mitigating vulnerabilities discovered during its CVA of Cyber Assets in its ESP did not include columns to record the execution status of the plans.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE has a defense-in-depth architecture of physical and logical cybersecurity controls, including physical security mechanisms, special locks, closed circuit television and logical perimeter and internal cybersecurity controls, including firewalls, vulnerability scanning tools and a security events management system. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE submitted four Self-Reports to ReliabilityFirst, stating it had violations of CIP-007-3a R3, and TOP-006-2 R1, R2 and R5. URE's transmission operation control center (TOCC) experienced an ECS failure for a duration of 91 minutes, resulting in loss of monitoring and control. This was a result of URE's failure to assess a released upgrade. The violation of CIP-007-3a R3 was due to URE's failure to track, evaluate, test and install all software patches, and to identify compensating measures when patches were not installed. The TOP-006-2 R1 violation was the result of URE's failure to monitor and inform the Reliability Coordinator of all available transmission resources. The TOP-006-2 R2 violation was a result of URE's failure to monitor applicable transmission line status, real and reactive power flows, voltage, and status of rotating and static reactive resources. The violation of TOP-006-2 R5 was the result of URE's failure to use monitoring equipment to communicate important changes in operating condition and a need for corrective action to operating staff.

Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because the inadequately tested patch caused an interruption of 91 minutes. The CIP violation lasted for a prolonged period of time and the TOP violation lasted 91 minutes. URE neither admitted nor denied the violations. In approving the settlement, the NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, the NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to (1) include steps to transfer communication between control centers in the action plan and (2) improve synchrophasor usage.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)

Unidentified Registered Entities 1 and 2, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 and URE2 self-reported that they did not preserve complete records of test results for changes on CIP Cyber Assets. In addition, ReliabilityFirst found that both UREs did not ensure that new Cyber Assets and changes to current Cyber Assets did not adversely affect cyber security controls.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violations was decreased because the issue was primarily a recording issue, since both UREs performed accurate testing, even though the testing was not complete. Further, both UREs did follow-up testing to ensure that the recording deficiencies did not have adverse effects on the production system. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. The UREs' mitigation plans obliged the UREs, among other things, to meet with employees to review the test recording procedures.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-007-3a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE1 self-reported that it did not retain logs of system events for 90 days, because it did not implement controls to monitor cyber security system events. ReliabilityFirst found that URE1 did not ensure that a Cyber Asset within the ESP implemented automated tools to monitor cyber security events.

Finding: ReliabilityFirst found that the violation posed only a minimal, but not a serious or substantial, risk to BPS reliability. The severity of the violation was decreased because the affected CCA device was situated within the ESP, behind firewalls. Further, the URE had procedures to log access at access points in the ESP. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual UREs had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in a FERC-approved settlement. URE1's mitigation plan obliged the URE, among other things, to update a CIP server build procedure to highlight procedures for designing the CCA to back up logs and automatically alert after failed login attempts.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R5, R5.2.1, R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that it failed to complete the yearly password change for 12 software accounts on seven Critical Cyber Assets (CCAs) and that it did not update passwords for three default accounts on one storage array.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because failures to change default passwords and to annually change passwords could have allowed unauthorized electronic access to Critical Cyber Assets (CCAs). However, access of the CCA software required an account on the domain, access to default accounts required a two-factor authorization into the Electronic Security Perimeter (ESP), and the CCAs were located within an ESP and a Physical Security Perimeter. To mitigate the violation, FRCC_URE2 (1) changed the relevant passwords, (2) informed appropriate employees of the requirements for securing default accounts, and (3) improved the process to track default accounts and accounts requiring an annual password change.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.

Unidentified Registered Entity 1 (FRCC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE1 self-reported that, for 21 hours, it had failed to review and preserve logs relating to certain Critical Cyber Assets (CCAs) due to the hardware failure of a device that logged and monitored CCAs and sent the information to a central repository.

Finding: FRCC found that this violation posed a minimal, but not a serious or substantial, risk to BPS reliability because the outage only lasted for 21 hours, because the CCAs had continued to record security information locally, and because all the CCAs were protected by Physical and Electronic Security Perimeters. To mitigate the violation, FRCC_URE1 changed its security status monitoring procedure to require manual review of logs when a logging and monitoring device fails.

Penalty: $13,000 (aggregate for 2 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.

Unidentified Registered Entity 2 (FRCC_URE2), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-007-3a

Requirement: R8.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: FRCC

Issue: FRCC_URE2 self-reported that during its cyber vulnerability assessment (CVA) process, it did not adequately review ports and services for Critical Cyber Assets (CCAs) and non-CCAs.

Finding: FRCC found that this violation posed a moderate, but not a serious or substantial, risk to BPS reliability because unauthorized ports and services could have been left open, putting CCAs and non-CCAs at risk. However, during mitigation activities for an earlier violation, FRCC_URE2 had fully reviewed its ports and services, and Electronic and Physical Security Perimeters protected the CCAs and non-CCAs. To mitigate the violation, FRCC_URE2 (1) updated the process and clarified timeframes for assessing ports and services and (2) reviewed the relevant ports and services.

Penalty: $50,000 (aggregate for 6 violations)

FERC Order: FERC approved the settlement on June 26th, 2015.

Registered Entity (Name Redacted), FERC Docket No. NP20-15-000

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP18-21-000

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

Unidentified Registered Entity 1 (RFC_URE1), Unidentified Registered Entity 2 (RFC_URE2), Unidentified Registered Entity 3 (RFC_URE3), and Unidentified Registered Entity 4 (RFC_URE4), FERC Docket No. NP18-16-000

Region: ReliabilityFirst Corporation

| Entity | Violation ID | Standard | Requirement | VRF/VSL | Discovery Method |
| --- | --- | --- | --- | --- | --- |
| RFC_URE1 | RFC2016015884 | CIP-007-3a | R2 | Medium/Severe | Self-Report |
| RFC_URE1 | RFC2016015930 | CIP-007-3a | R3 | Lower/Severe | Self-Report |
| RFC_URE1 | RFC2015014717 | CIP-007-3a | R5 | Lower/Severe | Self-Report |
| RFC_URE1 | RFC2015014718 | CIP-007-3a | R5 | Lower/Severe | Self-Report |
| RFC_URE2 | RFC2016015885 | CIP-007-3a | R2 | Medium/Severe | Self-Report |
| RFC_URE2 | RFC2016015888 | CIP-007-3a | R2 | Medium/Severe | Self-Report |
| RFC_URE2 | RFC2016015933 | CIP-007-3a | R3 | Lower/Severe | Self-Report |
| RFC_URE2 | RFC2015014719 | CIP-007-3a | R6 | Lower/Severe | Self-Report |
| RFC_URE2 | RFC2017016759 | CIP-007-6 | R4 | Medium/High | Self-Report |
| RFC_URE3 | RFC2016015886 | CIP-007-3a | R2 | Medium/Severe | Self-Report |
| RFC_URE3 | RFC2016015932 | CIP-007-3a | R3 | Lower/Severe | Self-Report |
| RFC_URE3 | RFC2015015328 | CIP-007-3a | R4 | Medium/Severe | Self-Report |
| RFC_URE3 | RFC2015014720 | CIP-007-3a | R5 | Lower/Severe | Self-Report |
| RFC_URE3 | RFC2015015071 | CIP-007-3a | R5 | Lower/Severe | Self-Report |
| RFC_URE3 | RFC2015015311 | CIP-007-3a | R6 | Lower/Severe | Self-Report |
| RFC_URE4 | RFC2016015887 | CIP-007-3a | R2 | Medium/Severe | Self-Report |
| RFC_URE4 | RFC2015014723 | CIP-007-3a | R3 | Lower/Severe | Self-Report |
| RFC_URE4 | RFC2016015934 | CIP-007-3a | R3 | Lower/Severe | Self-Report |
| RFC_URE4 | RFC2015014738 | CIP-007-3a | R5 | Lower/Severe | Self-Report |
| RFC_URE4 | RFC2015014722 | CIP-007-3a | R6 | Lower/Severe | Self-Report |
| RFC_URE4 | RFC2017016756 | CIP-007-6 | R4 | Medium/High | Self-Report |

Violation Start Dates and End Dates:

| Violation ID | Start Date | End Date |
| --- | --- | --- |
| RFC2016015884 (RFC_URE1) | when the service at issue was no longer necessary | when the service at issue was disabled across all affected systems |
| RFC2016015930 (RFC_URE1) | when the server management devices were put into production | Mitigation Plan completion |
| RFC2015014717 (RFC_URE1) | when the entity inadvertently created an account that required a minimum password length of zero characters | when the entity changed the password length configuration to require a minimum password length of eight characters |
| RFC2015014718 (RFC_URE1) | when the entity was first required to make an annual password change for one of the three assets at issue | when the entity executed the required password changes for all three assets |
| RFC2016015885 (RFC_URE2) | when the ports were most likely opened | when the ports at issue were closed |
| RFC2016015888 (RFC_URE2) | when the service at issue was no longer necessary | when the service at issue was disabled across all affected systems |
| RFC2016015933 (RFC_URE2) | when the server management devices were put into production | Mitigation Plan completion |
| RFC2015014719 (RFC_URE2) | when the firewall manager's logs were first not being collected by the security event management system | when the entity implemented a manual monitoring process for the logs at issue |
| RFC2017016759 (RFC_URE2) | when the first summary review was missed | when the entity generated the missing summary review reports and conducted the reviews |
| RFC2016015886 (RFC_URE3) | when the service at issue was no longer necessary | when the service at issue was disabled across all affected systems |
| RFC2016015932 (RFC_URE3) | when the server management devices were put into production | Mitigation Plan completion |
| RFC2015015328 (RFC_URE3) | when the entity deployed incorrect virus signatures to Production Assets | when the entity updated all virus signatures, which brought all definitions up to the current, tested sequence number |
| RFC2015014720 (RFC_URE3) | when the first password was required to be changed | when the entity disabled all five accounts with expired passwords |
| RFC2015015071 (RFC_URE3) | when the entity inadvertently installed patches on the wrong server | when the entity removed the inadvertently installed patches from the server |
| RFC2015015311 (RFC_URE3) | when the entity brought the devices at issue into production | Mitigating activities completion |
| RFC2016015887 (RFC_URE4) | when the service at issue was no longer necessary | when the service at issue was disabled across all affected systems |
| RFC2015014723 (RFC_URE4) | when the entity was required to assess the patch at issue | when the entity actually assessed the patch |
| RFC2016015934 (RFC_URE4) | when the server management devices were put into production | Mitigation Plan completion |
| RFC2015014738 (RFC_URE4) | the first date that one of the accounts' passwords had not been changed in more than one year | when the entity finished changing passwords on all the accounts at issue |
| RFC2015014722 (RFC_URE4) | when the firewall manager's logs were first not being collected by the security event management system | when the entity successfully implemented a monitoring process for all of the logs and assets at issue |
| RFC2017016756 (RFC_URE4) | when the first summary review was missed | when the entity generated the missing summary review reports and conducted the reviews |

Issues: RFC_URE1, RFC_URE2, RFC_URE3 and RFC_URE4 self-reported the violations listed above as per the following:

RFC_URE1 Violations

(a) CIP-007-3a (R2): A violation of R2 occurred when, during its annual review of baseline documentation conducted as part of the Cyber Vulnerability Assessment (CVA), RFC_URE1 discovered that a service not required for normal/emergency operations was incorrectly enabled on 2 devices. The main purpose of that service was to allow the sharing of an internet connection for devices using a modem over dial-up. The systems at issue did not have any internet access.

(b) CIP-007-3a (R3): A violation of R3 occurred when, during regular patch management quality assurance activities related to CIP Version 5 implementation, RFC_URE1 discovered that security patch reviews for 2 server management devices were not conducted within 30 days of their release as required by R3.1 and RFC_URE1's procedures. Additionally, these patches were neither installed nor were compensating measures applied as specified in R3.2 and RFC_URE1's procedures. RFC_URE1 also identified 2 additional patching issues. One related to antivirus patching (where different versions of the antivirus client were installed in the entity's business units), and the other involved the late assessment of patches for the operating system of Physical Access Control System devices.

(c) CIP-007-3a (R5): A violation of R5 occurred when following an internal compliance review, RFC_URE1 identified a single user account on its Energy Control System that was not afforded sufficient password complexity controls in accordance with R5.3.1.

(d) CIP-007-3a (R5): A second violation of R5 occurred when following an internal compliance review, RFC_URE1 identified certain accounts that were not afforded sufficient password change controls in accordance with R5.3.3. Specifically, a local account on 3 assets within the Private Network (PN) for which passwords were not changed at least annually.

RFC_URE2 Violations

(e) CIP-007-3a (R2): A violation of R2 occurred when, following a review of its CVA, RFC_URE2 identified open ports on 3 switches that were not required for normal/emergency operations. RFC_URE2 was unable to determine the reason why the ports were open because they were not justified in the device baselines.

(f) CIP-007-3a (R2): The facts for RFC_URE2's violation are similar to those for RFC_URE1 mentioned in (a) above.

(g) CIP-007-3a (R3): The facts for RFC_URE2's violation are similar to those for RFC_URE1 mentioned in (b) above.

(h) CIP-007-3a (R6): A violation of R6 occurred when certain RFC_URE2 Cyber Assets did not perform continuous monitoring and logging functions as required by R6. As part of remediation efforts under a prior mitigation plan, RFC_URE2 brought a number of Electronic Access Control and Monitoring Systems into CIP compliance including a class of firewall managers used to manage checkpoint firewalls. All activity for these checkpoint firewalls was collected and logged to a security event management system either directly, or by way of the firewall managers. RFC_URE2 discovered that logs from the firewall managers were not consistently collected by the security event management system. Upon further investigation and discussion, RFC_URE2 determined a software issue was the apparent cause for the logging issue. Logs with larger file sizes interfered with the firewall agent's ability to process such logs.

(i) CIP-007-6 (R4): A violation of R4 occurred when RFC_URE2's internal compliance self-assessment revealed that stored security event logs had not been consistently reviewed, and, therefore, the reviews were not documented as required by RFC_URE2's procedure and by R4, Part 4.4 (which requires a review at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents).

RFC_URE3 Violations

(j) CIP-007-3a (R2): The facts for RFC_URE3's violation are similar to those for RFC_URE1 mentioned in (a) above.

(k) CIP-007-3a (R3): The facts for RFC_URE3's violation are similar to those for RFC_URE1 mentioned in (b) above.

(l) CIP-007-3a (R4): A violation of R4 occurred when, during an internal log review process, RFC_URE3 discovered an instance where an antivirus definitions package was not tested on like devices prior to its installation in the production environment, as required by RFC_URE3's CIP Malicious Software Prevention Procedure. An employee had inadvertently selected the wrong definitions package from the drop-down tool to push to the development servers.

(m) CIP-007-3a (R5): A violation of R5 occurred because certain accounts of RFC_URE3 were not afforded sufficient password change controls in accordance with R5.3.3. Specifically, the entity discovered 5 accounts in which passwords for certain accounts were not changed at least annually.

(n) CIP-007-3a (R5): A second violation of R5 was self-reported by RFC_URE3 in 3 instances: In the first instance, due to improperly elevated access, an IT employee inadvertently patched a generation dispatch system terminal server (while intending to install patches on servers and workstations). In the second instance, while reviewing the patching history of the IT employee at issue in the first instance, the same IT employee applied patches to the generation dispatch production system that were not scheduled for production testing and deployment. The third instance occurred when RFC_URE3, while fully reviewing and re-evaluating its patching efforts, identified additional instances of noncompliance pertaining to its patching of the generation dispatch system.

(o) CIP-007-3a (R6): The facts for RFC_URE3's violation are similar to those for RFC_URE2 mentioned in (h) above.

RFC_URE4 Violations

(p) CIP-007-3a (R2): The facts for RFC_URE4's violation are similar to those for RFC_URE1 mentioned in (a) above.

(q) CIP-007-3a (R3): A violation of R3 occurred because a patch for an RFC_URE4 CIP Cyber Asset was not assessed within 30 days of its availability as required by R3.1. The untimely assessment did not result in any security vulnerability because the patch was ultimately deemed to be inapplicable.

(r) CIP-007-3a (R3): The facts for RFC_URE4's violation are similar to those for RFC_URE1 mentioned in (b) above.

(s) CIP-007-3a (R5): A violation of R5 occurred because several accounts of RFC_URE4 were not afforded sufficient password change controls in accordance with R5.3.3. These accounts included shared accounts, user accounts, administrator accounts, and read-only user accounts.

(t) CIP-007-3a (R6): The facts for RFC_URE4's violation are similar to those for RFC_URE2 mentioned in (h) above. In addition, while RFC_URE4 was moving forward with the mitigation involving the security event management system and the checkpoint devices, it discovered issues arising from the deployment of the system to perform monitoring and logging on servers and workstations. While trying to configure the security event management system in the test environment, RFC_URE4 unsuccessfully attempted off-boarding the old devices and on-boarding the new devices to log to the security event management system. Following this unsuccessful attempt, RFC_URE4 relied on manual monitoring to be compliant with R6 when the devices were moved into production. Once in production, however, the default policy size for storage of log files on the devices was too small to hold all necessary security logs to facilitate manual monitoring, and eventually, logs were overwritten once the storage was full. As a result of the technical issues deploying the security event management system and the default log storage size on the devices, logs were not available.

(u) CIP-007-6 (R4): The facts for RFC_URE4's violation are similar to those for RFC_URE2 mentioned in (i) above.

Findings:

RFC_URE1 Violations

(a) CIP-007-3a (R2): The root cause of this violation was the failure to properly review an incorrect justification for the service at issue, which was previously needed under a prior operating system. This violation posed a minimal risk to the reliability of the bulk power system (BPS). The risk posed by leaving the internet connection sharing service enabled could allow threat vectors into an Electronic Security Perimeter via the affected terminal servers.

(b) CIP-007-3a (R3): The root causes of this violation are as follows: (a) with respect to the server management device issue, the names of the devices had not been correctly entered into RFC_URE1's previous patch tracking systems; (b) with respect to the antivirus issue, the major contributing factor was a lack of clarity and specificity in RFC_URE1's CIP Version 3 patch management procedures; and (c) with respect to the patch management system issue, the major contributing factor was the failure to correctly identify the devices in software/firmware libraries. This violation was found to pose a minimal risk to the BPS's reliability based on several factual circumstances.

(c) CIP-007-3a (R5): The root cause of this violation was that RFC_URE1 uses a phase review process to identify and remediate these types of issues. In this case, the reviewing employee failed to identify this discrepancy and reset the technical control accordingly. This noncompliance involved the management practice of workforce management through ineffective training. It was determined that this violation posed a minimal risk to the BPS's reliability based on several factual circumstances.

(d) CIP-007-3a (R5): The root cause of this violation was the manual oversight performed in the account monitoring process, which resulted in IT infrastructure and operations not identifying the required password changes for these accounts. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

RFC_URE2 Violations

(e) CIP-007-3a (R2): The root cause of this violation was the failure to appropriately apply change management procedures. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(f) CIP-007-3a (R2): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (a) above.

(g) CIP-007-3a (R3): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (b) above.

(h) CIP-007-3a (R6): The root cause of this violation involves the management practice of verification. RFC_URE2 did not have an effective internal control in place to ensure that the firewall manager's logs were consistently collected and logged as required by R6. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(i) CIP-007-6 (R4): The root cause of this noncompliance was an insufficient procedure for performing the reviews and a lack of quality control for verifying the completeness of the reviews. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

RFC_URE3 Violations

(j) CIP-007-3a (R2): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (a) above.

(k) CIP-007-3a (R3): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (b) above.

(l) CIP-007-3a (R4): The root cause was that RFC_URE3 did not have an effective process in place to ensure that these types of human errors were corrected before they had any impact. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(m) CIP-007-3a (R5): The root cause of this violation was that the process associated with password changes did not include a notification to employees who had not logged into an account in over a year. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(n) CIP-007-3a (R5): The root cause of this violation involves the management practice of workforce management through ineffective training and verification through a lack of effective verification processes and procedures. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(o) CIP-007-3a (R6): The findings were similar to those for a corresponding violation by RFC_URE2 discussed in (h) above.

RFC_URE4 Violations

(p) CIP-007-3a (R2): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (a) above.

(q) CIP-007-3a (R3): The root cause of this violation was internal miscommunication between teams regarding the identification of personnel responsible for performing the required assessment, which prevented the patch from being timely assessed. Moreover, the patch management tool relies on a properly configured Master Asset List (MAL). In this case, there was confusion as to the proper formatting and correct methods for data entry into the MAL, which made it difficult for the patch management tool to function optimally. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(r) CIP-007-3a (R3): The findings were similar to those for a corresponding violation by RFC_URE1 discussed in (b) above.

(s) CIP-007-3a (R5): The root cause of this violation was the fact that RFC_URE4 had gaps in its inventory of local, shared, and administrator accounts, which resulted in the entity not identifying certain accounts for which annual CIP password changes must be applied. Other causal factors included a lack of internal controls for the management of RFC_URE4's Supervisory Control and Data Acquisition system device accounts and required password changes and the failure to configure device accounts to permit password changes and logging prior to the entity putting those accounts into service. Based on several factual circumstances, it was determined that this violation posed a minimal risk to the BPS's reliability.

(t) CIP-007-3a (R6): The findings were similar to those for a corresponding violation by RFC_URE2 discussed in (h) above. For the servers and workstations instance of noncompliance, a contributing cause was also the failure of personnel to follow procedures to continue work to resolve technical issues with the security event management system in the test environment.

(u) CIP-007-6 (R4): The findings were similar to those for a corresponding violation by RFC_URE2 discussed in (i) above.

In its assessment of penalty, (a) each entity's compliance history was considered an aggravating factor; and (b) each entity's internal compliance program, level of cooperation throughout the enforcement process, and the thoroughness of its mitigation were considered to be mitigating factors.

Penalty: $0

FERC Order: No further review (June 28, 2018)

NP19-4-000: Unidentified Registered Entity


NP18-14-000: Unidentified Registered Entity


NP20-12-000: Unidentified Registered Entity


NP19-11-000: Unidentified Registered Entity


NP18-4-000: Unidentified Registered Entity (URE)

Method of Discovery: Self-Report

Violation ID     Standard     Requirement   VRF/VSL        Duration
WECC2017016930   CIP-007-3a   R5, 5.2.3     Lower/Severe   5 days
WECC2016016649   CIP-007-6    R2, 2.3       Medium/Lower   6 days

Region: WECC

Issue: The URE violated CIP-007-3a when it granted remote access to a non-critical cyber asset (NCCA) to an unauthorized vendor employee who had used the credentials of another employee of the same vendor who did have authorized access to that NCCA, during work to repair a communication failure between two CIP Cyber Assets. The URE violated CIP-007-6 in two instances: first, when an automated process to install applicable security patches missed one Protected Cyber Asset (PCA) server and thus did not install the security patches within the 35-day requirement for installing applicable patches; and second, when a tracker log used to assign security patch evaluation and installation listed the wrong individual as responsible for installing security patches on one Physical Access Control System (PACS), and that individual took no action because the task was outside of their area of responsibility.

Finding: Each of these violations posed minimal risk and did not pose serious or substantial risk to the reliability of the bulk power system (BPS). The servers in question, including the one accessed by the unauthorized vendor employee, did not have Bulk Electric System (BES) control capability, and the PACS in question was located within secure locations with defense-in-depth controls to prevent access. Further, the vendor and vendor employee are both known resources for the system and under contract for system support. The URE had other measures in place to reduce the likelihood of harm, including two-factor token identification, encrypted session controls, and ingress/egress protocol traffic controls. The duration of the noncompliance in each instance was limited.

Penalty: $22,000

FERC Order: Issued November 30, 2017 (no further review)

NP20-6-000: Unidentified Registered Entity 1 (URE-1)


NP18-10-000: Unidentified Registered Entity 1 (TRE_URE1)

Region: TRE

NERC Violation ID   Standard     Requirement   VRF/VSL         Discovery Method   Start Date   End Date
TRE2017018149       CIP-007-3a   R1            Medium/Severe   Compliance Audit   N/A          N/A


Issue: CIP-007-3a

During a Compliance Audit, Texas RE determined that TRE_URE1 was in violation of CIP-010-2 R1, Parts 1.5, 1.5.1, and 1.5.2. Texas RE subsequently determined that the duration pertaining to TRE_URE1's testing procedure issues started earlier than July 1, 2016. Accordingly, Texas RE determined that TRE_URE1 was in violation of CIP-007-3a R1 and subsequently in violation of CIP-010-2 R1, Parts 1.5, 1.5.1, and 1.5.2. Texas RE further determined that, for purposes of this issue, there was no substantive change in TRE_URE1's compliance obligations under the Standards at issue. TRE_URE1 implemented a new Information Technology Change Management (ITCM) tool and related processes to better control its change authorization process, security testing, and baseline configuration tracking as part of its overall efforts to transition to the CIP Version 5/6 Standards. TRE_URE1 personnel implemented changes to a number of Cyber Assets using an incorrect workflow option embedded in the new ITCM tool that did not include a step for performing security controls testing.

The root cause of these noncompliance instances was an insufficient understanding of the new change management process implemented as part of the CIP Version 5/6 transition. In particular, TRE_URE1 failed to implement its new ITCM tool in a manner that would prevent TRE_URE1 employees from choosing a workflow that bypassed required security testing prior to placing changes to Cyber Assets into production.

Finding: CIP-007-3a

This issue posed a moderate risk to the reliability of the bulk power system. Failure to perform security controls testing prior to implementing changes in a production environment could create vulnerabilities in affected systems or cause those systems to fail. The changes at issue involved less than five percent of the overall changes related to BES Cyber Assets during the issue period.

However, the risk posed by this issue was also mitigated by the following factors. TRE_URE1's established process is to apply any system changes or updates to hardware and/or software in its passive data center first to determine if there are any adverse impacts. This process includes ongoing operational monitoring to identify any failures with the systems and active security event monitoring to identify any security anomalies that would then be investigated, reducing any potential risk that vulnerabilities or adverse impacts could occur on TRE_URE1's system. When TRE_URE1 performed the appropriate security controls testing on all applicable Cyber Assets, it did not identify any adverse effect on security controls from any of the changes to its production systems. In addition, TRE_URE1 had a number of cyber security systems in place, including automated security event monitoring controls, intrusion detection systems, application whitelisting, full packet capture, vulnerability assessments, and antivirus software. TRE_URE1 personnel also apply various threat analysis perspectives to categorize different advanced actor campaigns to continuously detect and prevent attacks.

Finally, TRE_URE1's established process requires that, as part of submitting a production change request, submitters provide information regarding the functional testing performed. By providing this information during the change authorization process, TRE_URE1 reduced the potential risk that the changes at issue could have an adverse impact on its system.

Penalty: $45,000 for multiple violations

FERC Order: Issued April 30, 2018