NERC Case Notes: Reliability Standard CIP-005-2a
Reliability Standard: CIP-005-2a
Violation Risk Factor: Medium
Violation Severity Level: Severe
Issue: URE self-reported a violation of R3 when a subset of the devices in a newly-installed log monitoring system were not configured to send logs to the monitoring system or to capture the logs from all devices. While the log monitoring system was intended to store and monitor access logs for Electronic Access and monitoring access point and network switches within the Electronic Security Perimeter, improper configuration resulted in a cyber asset sending information to a server as well as two inactive devices, rather than sending log information to the security monitoring tool. The company therefore did not ensure that this access point detected and alerted unauthorized access attempts at least every 90 days, nor did the company review logs where alerting personnel was not feasible.
Finding: RFC determined that the R3 violation posed a minimal risk to the reliability of the BPS because the server to which the logs were being sent maintained logs for 90 calendar days, even though it didn't provide alerting. Furthermore the configuration of the Critical Cyber Assets was such that eight of the 10 Cyber Assets were not directly accessible from an outside network, including the network that communicates with the energy management system. Additionally, the Critical Cyber Asset protections within the ESPs were compromised during the violation period, and the access point protections were operational. Finally, the Critical Cyber Assets are physically located in an area requiring an electronic badge for entry. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R3.
RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported the violation. The violation began when the company installed the new device and ended when the company configured all missed devices to send security and event logs to the log monitoring system. URE admits the R3 violation.
FERC Order: Issued March 1, 2013 (no further review)