NERC Case Notes: Reliability Standard CIP-005-2

Alert

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-005-2

Requirement: R3.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: NPCC_URE1 self-reported that it had not reviewed, within the required 90 days, the access logs associated with a particular firewall at its back-up control center. In this instance, 197 days elapsed between reviews of the access logs.

Finding: NPCC found that this violation constituted only a minimal risk to bulk power system reliability since the review of the access logs did not reveal any unauthorized access attempt through the firewall to the back-up control center Electronic Security Perimeter. The relevant firewall was also not connected to the internet or the NPCC_URE1 corporate network.

Penalty: $7,500

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-005-2

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: URE self-certified that it was not in compliance with CIP-005-2 R1.5 because it did not use all protective measures detailed in the Standard on two servers used in access control and monitoring of its ESP. ReliabilityFirst confirmed that URE was in violation of CIP-005-2 R1.5 by not affording two CAs used in access control and monitoring of its ESP the protective measures specified in CIP-007 R4, CIP-005 R2.6 and CIP-007 R2.

Finding: ReliabilityFirst found that the violation constituted a moderate risk to BPS reliability, which was mitigated because some of the protective measures required by CIP-005-2 R1.5 were in use on the CAs used for access control and monitoring of its ESP, including the protective measures set forth in CIP-005 R3 and CIP-004 R3. Also, separate security mechanisms such as intrusion prevention systems, anti-virus software, security logging, and a defense-in-depth network design were in place to minimize overall cyber security risk. ReliabilityFirst considered certain parts of URE's compliance program as mitigating factors in determining the appropriate penalty.

Penalty: $55,000 (aggregate for 8 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-005-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported that it had not done a manual 90-day review for any unauthorized electronic access to its PSP-associated server.

Finding: The violation was determined to pose minimal risk to BPS reliability because access to the server was secured by dedicated physical security control system PCs located in the ESP and PSP. Also, password controls were in use and any user would have to be listed as an active user of the system in order to have authorization to use the program. In determining the appropriate penalty, NPCC considered URE’s internal compliance program in effect during the violation period to be a mitigating factor.

Penalty: $8,000 (aggregate for 3 violations)

FERC Order: Issued May 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)

Reliability Standard: CIP-005-2

Requirement: R1.5

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: WECC

Issue: WECC determined that URE did not fully implement appropriate protective measures as it did not place one of its CAs that is used in the monitoring of the facility’s ESP within an identified PSP, as required.

Finding: WECC found that the CIP-005-2 violation only constituted a minimal risk to BPS reliability since URE still employed a range of protective measures to its ESP’s access control and monitoring devices. URE also has an automated access tracking system and on-site security. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $72,000 (aggregate for 12 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-46 (September 28, 2012)

Reliability Standard: CIP-005-2

Requirement: R1, R2, R3, R4

Violation Risk Factor: Medium (R1, R2, R3, R4)

Violation Severity Level: Severe (R1, R2, R3, R4)

Region: WECC

Issue: URE self-certified the following. (1) It did not have adequate procedures for documenting its ESPs, which resulted in many non-critical systems being designated as CCAs. URE also did not have clear documentation of all of its access points to the ESPs and their associated technical and procedural controls. In addition, URE did not have dial-up security procedures (even though it did not have any dial-up access points) and did not have appropriate policies addressing protective measures for access control and monitoring systems (R1). (2) It had not properly documented the controls at its access points and did not properly maintain a list of approved ports and services for each device. URE also did not have procedures for securing dial-up access, as required (R2). (3) Its log monitoring process did not define the alert mechanism as required or specify when the logs were monitored. And, while URE deployed servers to log and monitor its system, it did not consistently review and document the logs as required (R3). (4) It had not established a sufficiently detailed process for documenting cyber vulnerability assessments of the electronic access points to the ESP (the process did not address the services required for normal and emergency operations, the discovery of access points, or the review of community strings) (R4).

Finding: WECC found that the CIP-005-2 R1 and R4 violations constituted a moderate risk to BPS reliability. In regard to R1, the lack of proper identification and documentation of CIP-compliant ESPs and the defined access points to those ESPs could potentially expose URE's CCAs to cyber security risks that would have a negative impact on the reliable operation of the BPS. But URE did have all of its CCAs within an ESP, as well as some non-critical systems that were incorrectly designated as CCAs. For R4, by not performing an annual cyber vulnerability assessment, URE would be unaware of vulnerabilities, which could potentially lead to undetected unauthorized access at its access points. But URE had developed a form for documenting vulnerability assessments. WECC found that the CIP-005-2 R2 and R3 violations constituted only a minimal risk to BPS reliability. For R2, URE did have controls for electronic access (including firewalls and rule sets) at all access points to the ESP. Furthermore, URE has no dial-up access to the ESP. In terms of R3, URE was using servers to log and monitor its system throughout the violation period. URE agreed and stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's compliance history and the fact that URE had a compliance program in place when the violations occurred (which was viewed as a mitigating factor). URE was also cooperative during the enforcement process and did not conceal the violations. WECC found that the violations did not constitute a serious or substantial risk to BPS reliability and that there were no additional aggravating or mitigating factors.

Penalty: $200,000 (aggregate for 17 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP13-17 (December 31, 2012)

Reliability Standard: CIP-005-2

Requirement: R4.2 (3 violations)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: The UREs, which are three entities that operate from the same control room and share the same energy management system, self-reported that while they had conducted a cyber vulnerability assessment of the electronic access points to the ESP, they did not verify that only those ports and services needed for operations were enabled at the access points to the ESP.

Finding: RFC found that the violations constituted a moderate risk, while NERC found that the violations constituted only a minimal risk to BPS reliability. The additional enabled ports and services increased the risk that unauthorized network traffic would infiltrate the ESP. But the additional ports and services that the UREs had enabled were only open for communications with other trusted corporate networks (which were further protected with additional measures such as firewalls). These protective measures represented a defense-in-depth strategy that guarded the UREs' transmission management system. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were self-reported and that these were the UREs' first violations of the relevant Reliability Standards. The UREs were cooperative during the enforcement process and did not conceal the violations. The UREs' compliance program was also evaluated as a mitigating factor.

Total Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued January 30, 2013 (no further review)
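The NP13-17 finding above (and the R2 finding in NP12-46, which faulted the absence of a maintained list of approved ports and services per device) both come down to one check: compare what is actually listening on each ESP access point against the documented baseline and flag anything extra. The script below is an added example written for this page, not material from the NERC filings or any registered entity. The approved baseline, the device names and the `ss -tulpn` style snapshots are constructed for illustration; on a real device you would capture the snapshot from the firewall's management interface or an equivalent socket listing.

```python
"""Verify that each ESP access point has only its approved ports and services enabled.

Added example, not taken from the NERC filings. The approved baseline and the
`ss -tulpn` snapshots below are constructed for illustration; device names,
ports and process names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed approved baseline: device -> {(proto, port): documented service}.
# CIP-005-2 R2 expects this list to exist and be maintained per access point.
APPROVED = {
    "esp-fw-01": {("tcp", 22): "ssh-mgmt", ("tcp", 443): "https-mgmt", ("udp", 161): "snmp"},
    "esp-fw-02": {("tcp", 22): "ssh-mgmt", ("udp", 161): "snmp"},
    # esp-fw-03 deliberately has no documented baseline.
}

# Constructed `ss -tulpn` style output captured from each device.
SNAPSHOTS = {
    "esp-fw-01": """
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=910,fd=6))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=701,fd=8))
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=455,fd=4))
""",
    "esp-fw-02": """
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=640,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=702,fd=8))
""",
    "esp-fw-03": """
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=511,fd=3))
""",
}

# Matches one socket line; the process column is optional (absent without root).
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def parse_ss(text):
    """Return {(proto, port): process} for every listening/unconnected socket."""
    enabled = {}
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            enabled[(m.group("proto"), int(m.group("port")))] = m.group("proc") or "?"
    return enabled

@dataclass
class Finding:
    device: str
    has_baseline: bool
    unapproved: dict = field(default_factory=dict)  # enabled but not on the approved list
    missing: dict = field(default_factory=dict)     # approved but not currently enabled

    @property
    def compliant(self):
        # Only *extra* enabled ports/services breach the requirement; an approved
        # service that is not running is baseline drift to investigate, not a violation.
        return self.has_baseline and not self.unapproved

def verify_access_point(device, snapshot_text, approved):
    observed = parse_ss(snapshot_text)
    baseline = approved.get(device)
    if baseline is None:
        # No documented list: everything enabled is unapproved by definition.
        return Finding(device, False, unapproved=dict(observed))
    return Finding(
        device, True,
        unapproved={k: v for k, v in observed.items() if k not in baseline},
        missing={k: v for k, v in baseline.items() if k not in observed},
    )

def verify_all(snapshots, approved):
    return {dev: verify_access_point(dev, txt, approved) for dev, txt in snapshots.items()}

if __name__ == "__main__":
    for dev, f in verify_all(SNAPSHOTS, APPROVED).items():
        status = "OK" if f.compliant else "FAIL"
        print(f"{dev}: {status}" + ("" if f.has_baseline else " (no approved list documented)"))
        for (proto, port), proc in sorted(f.unapproved.items()):
            print(f"  unapproved {proto}/{port} ({proc})")
        for (proto, port), svc in sorted(f.missing.items()):
            print(f"  approved but not enabled {proto}/{port} ({svc})")
```

Running it flags the telnet listener on esp-fw-01 and reports esp-fw-03 as non-compliant because no approved list exists for it at all, which is the R2 documentation gap rather than an extra service. Keeping the snapshot and the comparison output with the assessment record is what supplies the evidence the audits in these cases found missing.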

Unidentified Registered Entity (URE), Docket No. NP13-23-000 (January 31, 2013)

Reliability Standard: CIP-005-2; CIP-005-3

Requirement: R4.3; R4.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Following a Compliance Audit, RFC determined that URE violated R4 because it failed to include evidence showing that it had conducted an assessment to identify all access points to the Electronic Security Perimeter (ESP), and failed to provide evidence that it had reviewed controls for default accounts, passwords, and network management community strings in its cyber vulnerability assessment.

Finding: RFC determined that the R4 violation posed a moderate risk to the reliability of the BPS, which was mitigated because, during the violation period, the company had employed an intrusion prevention system that included logging, alerting and constant monitoring of all access points to the ESP and had thus protected the access points. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R4. RFC considered URE's internal compliance program (ICP) a mitigating factor in making its penalty determination. The violation began when the company failed to include a review of all access points to the ESP, or of controls for default accounts, passwords and network management community strings, in its cyber vulnerability assessment. The violation ended when the company completed an assessment that included the requirements of the Standard. URE neither admitted nor denied the R4 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-005-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that, as a result of the reconfiguration of two firewalls and a security-related operating system upgrade, certain access points to an ESP were not transferring access logs to the centralized monitoring, logging and alerting system, which is required in order to detect and alert on unauthorized access attempts. Also, as a result of a firewall management server's failure to transfer logs for 11 access points, URE did not have the mandated electronic or manual processes in place to continuously monitor the ESP.

Finding: SERC found that the CIP-005-2 R3 violation constituted a moderate risk to BPS reliability since the lack of sufficient monitoring and alerting regarding ESP access points increases the risk of a Cyber Security Incident being undetected. But, no Cyber Security Incidents occurred during the violation and only a limited number of access points were affected for a limited amount of time. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)
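The NP14-18 violation above is a monitoring blind spot of a specific kind: the firewalls kept working, but their logs silently stopped arriving at the central collector, so the monitoring required by R3 was not actually happening for those access points. A detection that most collectors do not provide out of the box is a liveness check on the log sources themselves. The script below is an added example written for this page, not code from the NERC filings or the entity involved. The device inventory, the 15-minute silence threshold, the fixed "now" and the syslog-style lines are all constructed; the message text is illustrative and the timestamps are assumed to be UTC ISO-8601.

```python
"""Detect ESP access points that have stopped forwarding logs to the central collector.

Added example, not taken from the NERC filings. The expected-device list, the
silence threshold and the syslog-style lines below are constructed; message
text is illustrative and the timestamps are assumed to be UTC ISO-8601.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory of ESP access points that must report continuously.
EXPECTED_ACCESS_POINTS = {"esp-fw-01", "esp-fw-02", "esp-fw-03", "esp-fw-04"}
MAX_SILENCE = timedelta(minutes=15)   # assumed alerting threshold
NOW = datetime(2014, 3, 1, 11, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed lines as received by the collector: "<timestamp> <source> <message>".
COLLECTED_LOGS = """
2014-03-01T10:00:05Z esp-fw-01 permit tcp 10.1.1.5:51234 -> 10.2.0.10:22
2014-03-01T10:00:10Z esp-fw-02 deny tcp 172.16.4.9:40321 -> 10.2.0.11:3389
2014-03-01T10:01:00Z esp-fw-03 permit udp 10.3.1.2:161 -> 10.2.0.12:161
2014-03-01T10:05:00Z esp-fw-02 permit tcp 10.1.1.7:52000 -> 10.2.0.11:443
2014-03-01T10:10:00Z esp-fw-01 deny tcp 198.51.100.7:4444 -> 10.2.0.10:23
2014-03-01T10:12:00Z esp-fw-03 permit tcp 10.3.1.2:51111 -> 10.2.0.12:22
2014-03-01T10:20:00Z esp-fw-01 permit tcp 10.1.1.5:51240 -> 10.2.0.10:22
2014-03-01T10:30:00Z esp-fw-01 permit tcp 10.1.1.5:51241 -> 10.2.0.10:22
2014-03-01T10:40:00Z esp-fw-01 deny udp 198.51.100.9:5353 -> 10.2.0.10:161
2014-03-01T10:45:00Z esp-fw-02 permit tcp 10.1.1.7:52010 -> 10.2.0.11:443
2014-03-01T10:50:00Z esp-fw-01 permit tcp 10.1.1.5:51250 -> 10.2.0.10:22
2014-03-01T10:55:00Z esp-fw-02 deny tcp 172.16.4.9:40400 -> 10.2.0.11:3389
2014-03-01T10:58:00Z esp-fw-01 permit tcp 10.1.1.5:51260 -> 10.2.0.10:22
"""

def parse_line(line):
    ts, source, _message = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), source

def events_by_source(text):
    """Group event timestamps per reporting device, sorted ascending."""
    by_src = {}
    for line in text.splitlines():
        if line.strip():
            ts, source = parse_line(line)
            by_src.setdefault(source, []).append(ts)
    for times in by_src.values():
        times.sort()
    return by_src

def silent_sources(by_src, expected, now, max_silence):
    """Devices currently silent: {device: minutes since last event, or None if never seen}."""
    silent = {}
    for device in sorted(expected):
        times = by_src.get(device)
        if not times:
            silent[device] = None           # inventory says it exists, collector never heard from it
        elif now - times[-1] > max_silence:
            silent[device] = int((now - times[-1]).total_seconds() // 60)
    return silent

def find_gaps(by_src, max_silence):
    """Past outages: (device, gap_start, gap_end, minutes) for any pause longer than the threshold."""
    gaps = []
    for device, times in sorted(by_src.items()):
        for a, b in zip(times, times[1:]):
            if b - a > max_silence:
                gaps.append((device, a.isoformat(), b.isoformat(), int((b - a).total_seconds() // 60)))
    return gaps

if __name__ == "__main__":
    by_src = events_by_source(COLLECTED_LOGS)
    for device, age in silent_sources(by_src, EXPECTED_ACCESS_POINTS, NOW, MAX_SILENCE).items():
        print(f"ALERT {device}: " + ("no events ever received" if age is None else f"last event {age} min ago"))
    for device, start, end, minutes in find_gaps(by_src, MAX_SILENCE):
        print(f"GAP {device}: {minutes} min without events ({start} .. {end})")
```

Two points matter in practice. The check is driven by the inventory of access points, not by whatever sources happen to be in the collector, so a device that has never sent a line (esp-fw-04 here) is still caught; that is exactly the case a collector-side dashboard misses. And the gap scan over history catches outages that have already recovered, such as the 40-minute silence from esp-fw-02, which is the evidence you would want when reconstructing how long monitoring was actually absent after a firewall or management-server change.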

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-005-2

Requirement: R1.5 (two violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: The UREs self-reported that Electronic Access Control or Monitoring (EACM) devices were not protected by a completely enclosed PSP. At one facility, EACM devices were not maintained behind a PSP; at another facility, where the UREs believed wire mesh covered all openings larger than 96 square inches, there were 12 uncovered openings greater than 96 square inches (three under a raised floor and nine above a false ceiling).

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability. There was an increased risk that someone could damage or destroy the UREs' EACM devices, since some were not protected by a PSP and others were exposed through openings in the perimeter walls. However, only authorized corporate Information Technology personnel had access to the corporate computer rooms where the devices were located, and the rooms were guarded 24/7 by security personnel. In addition, the UREs had an intrusion detection system that monitored and triggered alarms for any attempts to access the EACMs. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit because it was reported after they received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time employees); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating actions for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015, 150 FERC ¶ 61,051.
