NERC Case Notes: Reliability Standard CIP-006-3a

Alert

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-006-3a

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: TRE

Issue: URE submitted a self-report explaining that a visiting employee responsible for protection system testing, who had no unescorted access rights, left the PSP together with two URE employees who did have unescorted physical access rights to the PSP; neither employee required the visitor to log out.

Finding: TRE deemed the violation to pose minimal risk to BPS reliability: although the visitor did not log out of the PSP, the visitor was escorted at all times. In addition, all relevant personnel had completed security training and had cleared background checks.

Penalty: $0 (for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-006-3a

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not log, as required, on its manual visitor log sheet the entry and exit time of a visitor to the PSP.

Finding: SERC found that the CIP-006-3a R1 violation constituted only a minimal risk to BPS reliability as the log entry contained information on the visitor’s name, escort, and date of entry and exit to the PSP. The visitor was always with an authorized escort and did not have access to the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-006-3a

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: In advance of a compliance audit, URE self-reported that one of its custodian contractors had used the badge of another individual to gain access to a PSP, so that one of URE’s recorded logs failed to uniquely identify an individual who entered the PSP.

Finding: SERC found that the CIP-006-3a R6 violation constituted only a minimal risk to BPS reliability as the custodian contractor in question possessed authorized unescorted physical access, had a current personnel risk assessment on file and had received cyber security training. In addition, video camera recording was set up at the PSP access doors. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)
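The three visitor-log and badge-log cases above (NP12-47, and the R1 and R6 findings in NP14-18) all come down to a PSP access record that did not say who entered, with whom, and when they left. The following is an added example of the review checks a compliance or security engineer would run over such records; it is not code from the page or from any Registered Entity, and the visitor rows, badge IDs, door names and timestamps are all constructed for the example. The anti-passback check assumes the PACM system records both entry and exit swipes.

```python
"""Review checks over physical security perimeter (PSP) access records.

Both data sets below are constructed for this example; they are not records
from any Registered Entity. Date/time values are naive local times.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class VisitorEntry:
    """One row of a manual visitor log sheet."""
    visitor: str
    escort: Optional[str]
    entry: Optional[datetime]
    exit: Optional[datetime]


@dataclass
class BadgeEvent:
    """One swipe recorded by the physical access control system (PACM)."""
    ts: datetime
    badge_id: str
    door: str
    direction: str  # "in" or "out"


def check_visitor_log(rows, reviewed_at, max_open=timedelta(hours=12)):
    """Return (visitor, finding) pairs for rows that would not satisfy a
    visitor-log requirement: escort, entry time and exit time must all be
    recorded, and a visit still open longer than `max_open` at review time
    is a visitor who was never logged out."""
    findings = []
    for r in rows:
        if not r.escort:
            findings.append((r.visitor, "no escort recorded"))
        if r.entry is None:
            findings.append((r.visitor, "entry time missing"))
        if r.exit is None:
            if r.entry is not None and reviewed_at - r.entry > max_open:
                findings.append((r.visitor, "never logged out"))
            else:
                findings.append((r.visitor, "exit time missing"))
        elif r.entry is not None and r.exit < r.entry:
            findings.append((r.visitor, "exit recorded before entry"))
    return findings


def check_antipassback(events):
    """Flag a badge that enters a PSP twice with no exit swipe in between.

    Assumes every PSP door has both an entry and an exit reader; a site with
    entry readers only cannot run this check and has to rely on the escort
    rule and camera review instead. A hit means a badge used by two people,
    a tailgated exit, or a reader fault; all three need a human look."""
    inside = {}  # badge_id -> door of the unmatched entry swipe
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.direction == "in":
            if e.badge_id in inside:
                findings.append((e.badge_id, e.ts,
                                 f"entered {e.door} while still inside via {inside[e.badge_id]}"))
            inside[e.badge_id] = e.door
        elif e.direction == "out":
            inside.pop(e.badge_id, None)
    return findings


# --- constructed sample input (hypothetical names, badges and doors) ------
T = datetime(2013, 6, 3)
VISITOR_LOG = [
    VisitorEntry("A. Tester", "B. Operator", T + timedelta(hours=9), None),  # left with escorts, never signed out
    VisitorEntry("C. Vendor", "D. Tech", None, None),                        # times not recorded
    VisitorEntry("E. Auditor", "F. Lead", T + timedelta(hours=10), T + timedelta(hours=11, minutes=30)),
]
BADGE_EVENTS = [
    BadgeEvent(T + timedelta(hours=8), "B-1001", "PSP-1-door-A", "in"),
    BadgeEvent(T + timedelta(hours=8, minutes=5), "B-1002", "PSP-1-door-A", "in"),
    BadgeEvent(T + timedelta(hours=8, minutes=30), "B-1001", "PSP-1-door-A", "out"),
    BadgeEvent(T + timedelta(hours=9), "B-1001", "PSP-1-door-A", "in"),
    BadgeEvent(T + timedelta(hours=9, minutes=10), "B-1002", "PSP-1-door-B", "in"),  # B-1002 never swiped out
]

if __name__ == "__main__":
    for f in check_visitor_log(VISITOR_LOG, reviewed_at=T + timedelta(days=1)):
        print("visitor log:", f)
    for f in check_antipassback(BADGE_EVENTS):
        print("badge:", f)
```

Run against the sample, the visitor-log check reports the visitor who was never logged out and the row with no times, and the anti-passback check reports the second badge entering a second door without ever having exited, which is the shape a shared badge leaves in the log. Neither check proves wrongdoing; they produce the list a reviewer compares against camera footage and escort records.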

Unidentified Registered Entity (URE), FERC Docket No. NP14-29 (January 30, 2014)

Reliability Standard: CIP-006-3a

Requirement: 5

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that on six occasions (mostly related to failures of its physical access control and monitoring (PACM) server), it had not properly followed its technical and procedural controls for continuously monitoring physical access at PSP access points.

Finding: WECC found that the CIP-006-3a violation constituted a moderate risk to BPS reliability, as it increased the risk of unauthorized and malicious PSP access going unnoticed and unchecked. But the PACM server failures were unplanned and lasted only from ten minutes to four hours, which decreased the risk that someone would be able to gain malicious access to URE’s Cyber Assets. And for the one instance where a specific cabinet and CCA were not rearmed, only qualified individuals had access to the room where the cabinet was housed and the credentials to access the CCA. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that URE had prior violations of the Reliability Standards, which were evaluated as aggravating factors. But URE did have an internal compliance program in place, which was viewed as a mitigating factor. URE also provided WECC with a narrative on its compliance-related improvements. URE was cooperative during the enforcement process and did not conceal the violations. The violations posed only a minimal or moderate risk to BPS reliability.

Total Penalty: $109,000 (aggregate for 5 violations)

FERC Order: Issued February 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-006-3a

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that, as a result of an oversight related to a fire drill, the doors to its server room and operations centers were left unlocked for over 9 hours and during that time URE did not properly manage physical access to its PSPs. During the violation, two contract individuals without authorized physical access rights entered the PSP, and no one received or responded immediately to the alarm.

Finding: SERC determined that the violation constituted a moderate risk to BPS reliability. The violation resulted in unauthorized access to URE’s PSP and could potentially have led to unauthorized access to URE’s CCAs. However, multiple video cameras monitored the server room and control area, including during the violation, and URE’s electronic logging was enabled and working. In addition, the contractors at issue had completed background checks and had been approved for general access to the facility. Furthermore, none of URE’s Cyber Assets in the PSP were compromised during the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-006-3a

Requirement: R2/R2.1/R2.2 (3 violations, one for each URE)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1, URE2 and URE3 (collectively, the UREs) self-reported to MRO, SPP RE and WECC, respectively, that they had failed to review and analyze the Windows security event logs of the Cyber Assets that authorize and/or log access to their PSPs. Those logs had not been reviewed by the UREs, and during a quarterly review they were discovered to be missing. After reviewing their current and quarterly logs, the UREs found that the Windows event log overwrite feature had caused missing data and gaps in their security event logs. In addition, the UREs determined that test procedures for analyzing adverse effects on security controls had not been implemented, shared account passwords had not been changed annually, and a CVA had not been conducted in one year for their physical access control system.

Finding: MRO determined that the violation posed a serious or substantial risk to BPS reliability because the UREs’ insufficient processes and controls affected all of their PSPs, increasing the risk of unauthorized access to, and possible corruption of, a PSP and/or CCAs. A high-risk issue related to the system administrator account went undetected until the UREs conducted a CVA. In addition, the UREs did not have a list depicting the current state of the ports and services required for the Cyber Assets used to control access to and monitor their PSPs. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder posed only a minimal risk to BPS reliability. The UREs had a compliance program in place, and MRO did not consider their compliance history an aggravating factor. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The UREs were cooperative throughout the enforcement process and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending
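The NP15-9 finding turns on a log retention setting: the Security event log on the PSP access-control hosts wrapped, the oldest records were overwritten, and nobody noticed until a quarterly review found the gaps. The following is an added example, not code from the page or from any Registered Entity, of the gap review a practitioner would run over an exported Security log; the record IDs, timestamps and the "previous review ended at record 1000" figure are constructed. On a real host the three fields it consumes come from the EventRecordID, TimeCreated and EventID elements of `wevtutil qe Security /f:xml` output or of PowerShell `Get-WinEvent -LogName Security`; event IDs 1102 (audit log cleared) and 1104 (security log is now full) are the Windows Eventlog provider's own IDs. The timestamp silence check is the same logic a review of PACM server availability needs for the NP14-29 case above.

```python
"""Gap review over an exported Windows Security event log.

Added example; the records below are constructed, not from any Registered
Entity. Event IDs 1102 (audit log cleared) and 1104 (security log is full)
are raised by the Microsoft-Windows-Eventlog provider itself; 4624/4634/4672
are ordinary logon, logoff and special-privilege audit events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_CLEARED = 1102
LOG_FULL = 1104


@dataclass
class EventRecord:
    record_id: int          # EventRecordID: strictly sequential within one log
    time_created: datetime  # TimeCreated
    event_id: int           # EventID


def find_log_gaps(records, last_reviewed_id, max_silence=timedelta(hours=1)):
    """Return a list of (kind, detail...) findings.

    - "overwritten": the first record in this export is not last_reviewed_id+1,
      so records written since the previous review were lost to overwrite.
    - "record_gap": a hole inside the export; a healthy log never has one, so
      it points at a bad export or tampering.
    - "silence": no record for longer than max_silence on a host that logs
      continuously (a PACM server outage shows up the same way).
    - "log_cleared" / "log_full": the Eventlog provider announced the loss itself.
    """
    recs = sorted(records, key=lambda r: r.record_id)
    findings = []
    if not recs:
        return [("no_records", last_reviewed_id)]
    if recs[0].record_id != last_reviewed_id + 1:
        findings.append(("overwritten", last_reviewed_id + 1, recs[0].record_id - 1))
    for prev, cur in zip(recs, recs[1:]):
        if cur.record_id != prev.record_id + 1:
            findings.append(("record_gap", prev.record_id, cur.record_id))
        if cur.time_created - prev.time_created > max_silence:
            findings.append(("silence", prev.time_created, cur.time_created))
    for r in recs:
        if r.event_id == LOG_CLEARED:
            findings.append(("log_cleared", r.record_id, r.time_created))
        elif r.event_id == LOG_FULL:
            findings.append(("log_full", r.record_id, r.time_created))
    return findings


# constructed sample export; the previous quarterly review ended at record 1000
D = datetime(2014, 1, 6)
SAMPLE_EXPORT = [
    EventRecord(1507, D + timedelta(hours=8), 4624),
    EventRecord(1508, D + timedelta(hours=8, minutes=5), 4634),
    EventRecord(1509, D + timedelta(hours=8, minutes=10), LOG_FULL),
    EventRecord(1510, D + timedelta(hours=12, minutes=30), 4624),  # 4h20 of silence
    EventRecord(1511, D + timedelta(hours=12, minutes=31), 4672),
    EventRecord(1513, D + timedelta(hours=12, minutes=40), 4634),  # 1512 missing
]
LAST_REVIEWED_ID = 1000

if __name__ == "__main__":
    for f in find_log_gaps(SAMPLE_EXPORT, LAST_REVIEWED_ID):
        print(f)
```

The "overwritten" finding is the one that matters for a quarterly review: records 1001 through 1506 were written after the last review and are gone, so the review cannot be completed from the host alone. The usual fixes are to size the log so it cannot wrap between reviews, switch retention from overwrite to archive-when-full, and forward the Security log to a collector so the review does not depend on the host's own ring buffer; the check above still belongs in the review, because it is what proves the collector did not miss anything either.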
