NERC Case Notes: Reliability Standard CIP-002-5.1

Unidentified Registered Entity 1 (Texas RE_URE1), FERC Docket No. NP19-18-000 (September 26, 2019)

NERC Violation ID: TRE2016016184

Reliability Standard: CIP-002-5.1

Requirement: R1

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Texas Reliability Entity, Inc. (Texas RE)

Issue: An unidentified entity submitted a Self-Certification that it was in noncompliance with CIP-002-5.1 R.1. Specifically, the entity noted that it did not have or implement a certain process, and as a result, the entity did not identify each asset that contained a Bulk Electric System (BES) Cyber System. The root cause of this violation was that the entity did not have any process for complying with the reliability standard before or after the reliability standard was implemented.

Finding: Texas RE found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to properly identify and classify a BES Cyber System, Texas RE exposed the BES Cyber System to inadequate cyber security protections. The duration of the violation began on July 1, 2016 when the reliability standard became enforceable and is currently ongoing. Texas RE considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity created a draft process for reliability standard compliance, approved a documented internal compliance program, established a compliance committee, and conducted training. Additionally, the entity stated in its mitigation plan that by November 7, 2019, it will have finalized and have the Critical Infrastructure Procedures Senior Manager approve of the draft identifications.

Penalty: No penalty

FERC Order: September 26, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2016016686

Reliability Standard: CIP-002-5.1

Requirement: R1, P1.2

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Western Electricity Coordinating Council (WECC)

Issue: On December 16, 2016, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. In November 2014, the entity started its BES Asset analysis utilizing CIP Version 5 criteria. The most comprehensive data sources for the entity’s asset characteristics were identified and used to categorize the BES Assets. Although the first entity-approved cyber system list was published May 12, 2015 to align the entity’s CIP Version 5 transition project, during the entity’s November 2016 BES Cyber System Review, a new preferential data source was identified and used to re-categorize the Low Impact Bulk Electric System (BES) Cyber Systems (LCBS) at a substation to Medium Impact BES Cyber Systems (MIBCS). After evaluating the change, it was determined that the BES Asset information used to initially categorize the LIBCS was unclear and incomplete, which resulted in the incorrect impact rating of the BES Cyber Systems at that substation. The entity had categorized the BES Cyber System at the substation as LIBCS due to an error identifying lines’ connections. Thus the LIBCS should have been identified as MIBCS. The data for all other previously identified BES Cyber Systems was then compared, found to be consistent and did not yield any additional change to impact ratings. Furthermore, the newly categorized MIBCS did not have External Routable Connectivity (ERC). The root causes of the violation were inadequate procedures, documents and records to ensure proper evaluation of BES Assets. Specifically, the entity utilized an evaluation process that relied on outdated information and a manual review, which resulted in the entity overlooking critical information needed for identifying and categorizing the impact rating of a BES Cyber System.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the MIBCS had no ERC and the number of CIP requirements applicable to MIBCS without ERC is limited and no harm is known to have occurred, there were no additional controls to detect or prevent this violation from occurring or compensate for the potential harm. The violation began on July 1, 2016 when the reliability standard became mandatory and enforceable and ended on May 11, 2017 when the entity completed its mitigation plan. WECC considered the entity’s internal compliance program to be a neutral factor and the entity’s compliancy history to be an aggravating factor in the disposition determination. To mitigate the violation, the entity updated its Cyber System list to include the reclassification of the BES Cyber System in scope, updated its BES Cyber Systems identification process, confirmed compliance or identified deficiencies with other applicable CIP standards, and mitigated all CIP compliance deficiencies resulting from the identification of the MIBCS without ERC.

Penalty: No penalty

FERC Order: March 28, 2019 (no further review)

Registered Entity (Name Redacted), FERC Docket No. NP20-15-000

Region: ReliabilityFirst

Issue: The entity self-reported violations of the CIP standards set out above as following: 

a) CIP-002-5.1 - a violation of CIP-002-5.1 (R1) occurred on account of incorrect categorization; 

b) CIP-004-6 - a violation of CIP-004-6 (R2) occurred on account of the Entity's employee having physical access to an applicable Cyber asset before completing training; a violation of CIP-004-6 (R4) occurred when the Entity's employees didn't follow its process for vendors to obtain remote access to the Entity's [details redacted]; 2 violations of CIP-004-6 (R4) occurred when the Entity's employees had access to the BES Cyber System Information (BCSI) or a shared drive holding BCSI without corresponding authorization records; a violation of CIP-004-6 (R5) occurred on multiple instances when the Entity didn't initiate removal of remote access capabilities of a security contractor's employee within 24 hours of the person's resignation and when the Entity didn't change a password for a shared account within 30 days after an employee who also knew it resigned; 

c) CIP-005-5 - a violation of CIP-005-5 (R2) occurred because the Entity had a group on a jump server that didn't require multi-factor authentication to gain access to an ESP [details redacted]; 

d) CIP-006-6 - a violation of CIP-006-6 (R1) occurred in 3 instances when involved doors were able to be opened regardless of an individual's previously assigned access privileges; a violation of CIP-006-6 (R1) occurred when during testing, alarms weren't triggered when a door was forced open and even though the failures were documented on an inspection form, the contract security personnel didn't create a maintenance ticket and maintain alternate security measures until repairs/retesting were complete; a violation of CIP-006-6 (R1) occurred because [details redacted]; a violation of CIP-006-6 (R1) occurred when the Entity's employee who had unescorted physical access privileges into a particular PSP entered it through a locked door; 

e) CIP-007-3a - a violation of CIP-007-3a (R3) occurred because the Entity didn't evaluate a security patch for applicability within the timeframe required by R3; a violation of CIP-007-3a occurred when the Entity mistakenly believed that patches for certain programs were being tracked by a vendor when, in fact, they were not being tracked, evaluated or installed; 

f) CIP-007-6 - a violation of CIP-007-6 (R2) occurred in 2 instances when (a) the Entity didn't take one of the following actions within 35 calendar days of completing a patch evaluation: (1) apply the patch; (2) create a dated mitigation plan; or (3) revise an existing mitigation plan, and (b) the Entity failed to install 2 patches on 5 systems within the time required; a violation of CIP-007-6 (R2) occurred when the Entity didn't apply software updates for BES Cyber Assets (BCAs); a violation of CIP-007-6 (R2) occurred when the Entity's [details redacted] group patches deployed to their [details redacted] in the test environment weren't deployed in the production environment; a violation of CIP-007-6 (R2) occurred when (a) the Entity installed [details redacted] patches 1 day later and installed [details redacted] patches 28 days later, and (b) the patch evaluation for 1 patch cycle was completed 1 day late; a violation of  CIP-007-6 (R4) occurred in 3 instances i.e. (a) when the Entity discovered that BCAs managing the environment were improperly configured, (b) when [details redacted] identified servers that were configured for local logging, but the logs were not being reviewed in accordance with CIP-007-6 P4.4, and (c) when BCAs were not being monitored for security incidents; a violation of CIP-007-6 (R4) occurred twice when (a) the Entity was unaware that a system it relied upon to review logs and send security alerts had not been receiving logs from an [details redacted] and (b) a [details redacted] stopped communicating with the [details redacted] tool; a violation of CIP-007-6 (R4) occurred when an asset was not sending logs to [details redacted] which resulted in a failure to review logs and an inability to generate alerts for security events; a violation of CIP-007-6 (R4) occurred 4 times when the Entity experienced log collection and alerting issues affecting approximately (43 percent) of its assets and when the Entity experienced log collection issues affecting [details redacted] assets; a violation of CIP-007-6 (R5) occurred when the Entity had 4 shared accounts on [details redacted] assets that did not meet the password complexity requirements in CIP-007-6 P5.5; 

g) CIP-009-6 - a violation of CIP-009-6 (R1) occurred the Entity implemented [details redacted] firewalls [details redacted]. The Entity had an overarching recovery plan that required the creation of certain recovery procedures; however, it did not have recovery procedures for the [details redacted] firewalls; 

h) CIP-010-2 – a violation of CIP-010-2 (R1) occurred in two instances when (a) the Entity discovered that 2 PCAs were deployed to an Electric Security Perimeter (ESP) even though the Entity didn't have a documented baseline configuration as required, and (b) the Entity replaced a server via its urgent change order approved the day after the change due to a lack of a designated manager; a violation of CIP-010-2 (R1) occurred when the Entity did not have a documented baseline configuration for 2 PCAs; a violation of CIP-010-2 (R1) occurred when the Entity's personnel were not documenting the results of required cyber security controls testing and verifications when performing non-routine configuration changes at the [details redacted]; a violation of CIP-010-2 (R1) occurred when the Entity inappropriately installed backup software on 2 PACS servers without proper authorization and testing; a violation of CIP-010-2 (R1) occurred when the Entity did not have documented baselines for the existing [details redacted] servers; a violation of CIP-010-2 (R3) occurred when the Entity didn't perform active vulnerability assessments of [details redacted] assets prior to deploying said assets into a [details redacted] production environment; a violation of CIP-010-2 (R3) was caused when the Entity added assets to the production environment of [details redacted] prior to the performance of active vulnerability assessments; a violation of CIP-010-2 (R3) occurred when the Entity did not complete a paper assessment or an active vulnerability assessment of production assets within the 15 calendar month constraints of CIP-010-2 P3.1; a violation of CIP-010-2 (R4) occurred when the Entity's personnel used an unauthorized laptop to connect to a switch; a violation of CIP-010-2 R4 occurred when the Entity did not follow proper procedures for connecting to a Transient Cyber Asset (TCA) with a protected ESP; and

i) CIP-011-2 – a violation of CIP-011-2 (R1) occurred when the Entity did not identify or adequately protect BCSI in [details redacted] locations.

Finding: The violations were found to be mostly a result of a combination of contributing causes including: issues implementing new assets, tools, and processes; inadequate staff training; insufficient workforce management; unclear or overlapping responsibilities; inadequate planning; administrative oversight; gaps in existing processes, procedures and work instructions; lack of sufficient or effective controls, processes and procedures; and defective equipment. Additionally, ReliabilityFirst found that most violations posed a minimal risk to reliability of the bulk power system (BPS) except the following violations:

The following were considered in the assessment of penalty: (a) the Entity's repeat noncompliance of CIP-006-6 (R1); (b) the Entity's admission/acceptance of responsibility; (c) its self-identification/self-reporting of the violations prior to a compliance audit; (d) its cooperation throughout the compliance enforcement process; (e) no attempt by the Entity to conceal a violation; and (f) the risk posed to the BPS by the violations. 

Penalty: $450,000

FERC Order: Issued May 29, 2020 (no further review)

NP19-4-000: Unidentified Registered Entity

Reliability Standard/Requirement: CIP-002-5.1 (R1); CIP-004-6 (R5); CIP-005-5 (R1, R2); CIP-006-6 (R1, R2); CIP-007-6 (R1, R2, R3, R5); CIP-007-3a (R5); CIP-010-2(R1); CIP-011-2 (R1)

Violation ID: SERC2016015954, SERC2017018136, SERC2017018279, SERC2017018774, SERC2016016548, SERC2017017286, SERC2017018440, SERC2017018441, SERC2016016492, SERC2017018467, SERC2017017236, SERC2017018246, SERC2018019200, SERC2017018548, SERC2016016339, SERC2017016832, SERC2016016321, SERC2018019106, SERC2017017564, SERC2016016379

Method of Discovery: Self-Report

Violation Risk Factor: High (CIP-002-5.1); Medium (all others)

Violation Severity Level: Lower (CIP-002-5.1, CIP-010-2); High (CIP-004-6, CIP-007-6); Severe (all others)

Region: SERC

Issue: The URE self-reported all violations, and entered into a settlement to resolve these violations of the CIP Reliability Standards. SERC determined that: (1) the URE did not properly classify certain medium impact BES Cyber Systems (BCSs) by the July 1, 2016 deadline, in violation of CIP-002-5.1; (2) the URE did not, in two separate instances, initiate removal of an individual's ability for unescorted physical access and Interactive Remote Access (IRA) upon a termination action or complete removals within 24 hours of the termination, in violation of CIP-004-6; (3) the URE did not revoke an individual's authorized electronic access to individual accounts by the end of the next calendar date following the date that the URE determined the access was no longer required, in violation of CIP-004-6; (4) the URE did not ensure an applicable Cyber Asset was connected to a network via a routable protocol, which resided within a defined Electronic Security Perimeter (ESP), in violation of CIP-005-5; (5) the URE allowed IRA to BCSs without using an Intermediate System, and upon investigation found that three employees had been able to bypass the IRA Intermediate System from outside an ESP, in violation of CIP-005-5; (6) the URE did not use at least one physical access control to limit unescorted physical access into each applicable Physical Security Perimeter (PSP) to only individuals who have authorized unescorted physical access, and did not update a CIP Physical Access Control System (PACS) employee badge to remove permissions when an employee reported that they had lost their badge, both in violation of CIP-006-6 R1; (7) the URE did not continuously escort a visitor while inside PSPs, and did not document all required information in their logbooks for visitors who accessed the URE's PSPs in four different instances, in violation of CIP-006-6 R2; (8) the URE enabled two logical network accessible ports when the URE no longer needed them, in violation of CIP-007-6 R1; (9) the URE did not deploy an applicable patch onto two Electronic Access Control or Monitoring Systems (EACMS) servers containing medium impact BES Cyber Systems within 35 calendar days of completion of the patch evaluation, which missed patch addressed security vulnerabilities, security updates, and unsupported hardware not being scanned for, in violation of CIP-007-6 R2; (10) the URE did not deploy a method to deter, detect, or prevent malicious code in one instance wherein a process to enforce whitelisting stopped working properly on some EACMS servers, in violation of CIP-007-6 R3; (11) the URE did not change passwords for some Critical Cyber Asset (CCA) Servers prior to commissioning them into service or change passwords for such accounts annually for nearly five years after commissioning, in violation of CIP-007-3a; (12) in two instances, the URE did not authenticate interactive user access to PACS Cyber Assets where technically feasible, adding unauthorized domains to several PACS workstations and allowing unauthorized users to have remote access to the workstations, in violation of CIP-007-6 R5; (13) the URE did not change known default passwords, per Cyber Asset capability, for several EACMS servers, and did not identify and inventory all known enabled default generic account types for two of those servers, in violation of CIP-007-6 R5; (14) the URE did not change known default passwords for two accounts on a Remote Terminal Unit when it commissioned the device, in violation of CIP-007-6 R5; (15) in one instance, the URE did not implement a password length of at least eight characters for an interactive user access account, which applied to the Cyber Assets and their associated EACMS and PACS, in violation of CIP-007-6 R5; (16) in fifteen instances, the URE did not properly implement documented processes for baseline configuration change management when transitioning from CIP v3 to v5, including developing baseline configurations, authorizing and documenting changes that deviate from the baseline configuration and updating the baseline configuration as necessary and verifying and documenting any changes from that baseline configuration, in violation of CIP-010-2 R1; (17) in fourteen instances, the URE did not implement a  documented process for changes deviating from the existing baseline configuration, determining required security controls in CIP-005 and CIP-007 before a change that could impact such, verifying that security controls were not adversely affected after a change and documenting the results of the verification, in violation of CIP-010-2 R1; the URE did not protect and securely handle BES Cyber System Information (BCSI) in accordance with their information protection system, but rather stored a file containing BCSI on a corporate network shared drive, which was not identified in their information protection program as a BCSI repository, in violation of CIP-011-2.; (18) in six instances the URE failed to handle BSCI in a controlled access repository in  conformance with the documented information protection program, in violation of CIP-011-2; and (19) in several instances, the URE employees stored and transmitted shared account passwords to BCSs in a manner that did not conform to the URE's documented information protection program, which information was classified as BSCI, in violation of CIP-011-2.

Finding: SERC determined that (1) the violations of CIP-002-5.1, CIP-004-6, CIP-006-6, CIP-007-6 R2 and R5, CIP-010-2, CIP-011-2 posed a moderate and not serious or substantial risk to the reliability of the bulk power system (BPS); (2) the violations of CIP-005-5 R1, CIP-007-6 R1, R3 and R5¹ , CIP-011-2² posed a minimal and not serious or substantial risk to the reliability of the BPS; (3) the violation of CIP-005-5 R2, CIP-007-3a, CIP-010-2³ posed a serious risk to the reliability of the BPS. Further, SERC considered the instant violations as repeat noncompliance with the CIP-006-6 R2 and CIP-0073a R5, which served as an aggravating factor. However, the URE self-reported the violations, were cooperative throughout the compliance enforcement process, and admitted to and accepted responsibility for the violations, and there was no evidence of any attempt to conceal a violation nor of intent to do so.

Penalty: $775,000

FERC Order: Issued June 27, 2019 (no further review)

_{¹ NTD:  the CIP -007-6 R5 violations involving the Remote Terminal unit and password length were “minimal,” whereas the R5 violation involving EACMS was “moderate”. 
² NTD:  the CIP-011-2 violation involving storing BCSI on a corporate shared drive was “minimal”, whereas the other violations were “moderate”.
³ NTD:  the CIP-010-2 violation involving developing baseline configurations was “serious”, whereas the R1 violation involving implementing the configuration changes was “moderate”.}

NP20-12-000: Unidentified Registered Entity

Region: RFC

Issues:

These violations arose out of the entity's efforts to improve and advance its approach to CIP compliance after identifying several issues related to its transition to CIP Version 5. After identifying prior issues, which were resolved in a prior Settlement Agreement, the entity sought to mature several of its processes and procedures by, among other things, automating multiple tasks through the implementation of new tools. However, in several cases, the entity was not adequately prepared to deploy these new tools and processes effectively. Consequently, the violations contained in this Settlement Agreement involve implementation challenges the entity faced in this regard, such as failing to properly configure assets or tools prior to deployment, failing to ensure that responsible staff was appropriately trained and prepared to manage assets and tools prior to deployment, and failing to ensure that sufficient processes were in place to support the implementation and operation of new tools and assets.

CIP-002-5.1

The entity identified and classified all of its Bulk Electric System (BES) Cyber Systems prior to its new CIP environment go-live date. During an internal control and reconciliation activity before the go-live date, one virtual server at the primary control center was classified in the asset management system, the entity's system of record, as a high impact device. (The virtual server is used as an device for syslog files and should be classified as a high impact device with a BES type of Electronic Access Control or Monitoring Systems.) However, this device was mistakenly reclassified as a low impact device on March 2, 2016. Consequently, the virtual server did not appear on the entity's CIP-002 Asset Identification list.

CIP-004-3a

As part of the entity's regular quarterly access reviews in the first and second quarters of 2016, the entity discovered 10 instances where it failed to revoke access in a timely manner, with an average duration of 21 days. Additionally, the entity discovered that it failed to update the corresponding Critical Cyber Asset (CCA) access lists within 7 calendar days from when the managers requested access to be removed for these 10 individuals. The entity remediated each of these issues as they were identified. After the entity discovered these failures, it took steps to ensure that authorization records for Bulk Electric System (BES) Cyber Systems were in place as well as to ensure that all authorized access was appropriate. This effort revealed the following additional issues: First, two existing applications had not been included in both the first and second quarter 2016 Access Reviews or 2015 quarterly Access Reviews; Second, two new applications were not included in the second quarter 2016 Access Review; Third, electronic access for a non-shared user account for one application was not removed for a single user within 30 calendar days following termination, although the user was later rehired for a new position; and finally, twelve users did not have authorization records to support all of their access. 

CIP-007-6

Several violations of CIP-007-6 were reported in this period, covering the following instances: (a) instances where applications that were active on Bulk Electric System Cyber Systems or their associated Electronic Access Control or Monitoring Systems, Physical Access Control Systems, or Protected Cyber Assets, were not reviewed for available security patches within the required 35 days; (b) an instance where the URE failed to include in its system security management documentation, and in practice, a process for updating intrusion detection system (IDS) signatures, the immediate notification through malicious code alerts, and the response activities that should be executed when malware is detected; (c) an instance where the URE had not updated the antivirus (AV) definitions on Windows servers and workstations at its alternate operations center for several weeks; (d) a period where network intrusion detection system (IDS) signature reviews and updates were not being performed according to company policy, (e) an improper configuration within a security system located at the AOC which failed to generate alerts for security events and to review the security event logs at the requisite time intervals for certain CIP devices at the AOC, so logs were collected by the secondary instance of but were not forwarded to the POC for review by the appropriate team, (f) failure to include all asset types capable of logging in its implementation, (g) failure to generate immediate notification of alerts for detected malicious code and unsuccessful login attempts, wherein alerting for malicious code by was not being sent to the SIEM but was being presented in a report every 24 hours to for review, (h) failure to consistently configure the log retention periods for asset types which were not reporting through, (i) failure to review the logs from High Impact Bulk Electric System Cyber Systems at intervals no greater than 15 calendar days for the devices that had been misconfigured and for the devices that needed to have logged events reviewed manually, (j) failure to complete required cyber security controls testing or comply with the security event monitoring requirements on certain components such that they were technically capable of logging security events, but had not been configured to send Syslog messages for security event review and to detect the failure of logging events, (k) failure to properly enforce password complexity for two applications, (l) failure to change the default passwords for two service accounts prior to implementation in production, (m) failure to change one service account's password within fifteen calendar months, (n) failure to file Technical Feasibility Exceptions (TFEs) for two components at the Alternate Operations Center (AOC) which are classified as High Impact Bulk Electric System Cyber Assets and are located inside the Electronic Security Perimeter (ESP), which is inside a Physical Security Perimeter (PSP), and do not have the capability to limit the number of unsuccessful attempts and generate alerts, requiring the submittal of a TFE, (o) certain shared account passwords were not identified or inventoried in the password management system while two employees who knew the passwords did not have authorization records for the use of the shared accounts although they both had current CIP background checks, current CIP training, and authorization for physical access and either technical nor procedural controls were in place to enforce password complexity or length requirements, although the passwords did actually meet those requirements (p) changes to passwords were not being technically or procedurally enforced although it was technically feasible and the functionality to limit the number of unsuccessful authentication attempts, or generate corresponding alerts, had not been configured – though the system was logging, it did not have implemented to limit authentication attempts or allow central authentication because the configuration to send authentication alerts to the Syslog was not established, and (q) the existence of unique enabled accounts spread across Cyber Assets that were not previously identified or inventoried and were associated with software applications installed on High Impact Cyber Assets in the entity's CIP environment, some of which were shared accounts capable of interactive user access to software applications, but were not inventoried and tracked in the entity's password management system, which would have identified the account name and authorized users and the existence of another interactive user account on which URE did not technically or procedurally enforce password changes at least once every 15 calendar months.

CIP-007-3a

While reviewing available logs, the entity discovered that the logging and alerting functions on experienced several intermittent outages during April and June 2016. First, on April 2-4, 2016, a certain logging function failed due to higher than expected demand for electronic storage that exceeded the available storage capacity. The entity was not immediately notified of this failure because it had not installed an alerting tool, or a system-health monitoring tool. The component experienced other intermittent outages from April 9-16, 2016, and June 1-6, 2016, due to the fact that was generating significant numbers of event logs that affected performance. The entity had an established manual process to capture event logs and review them. However, the logs could not be retained locally, so the entity was unable to capture and retain applicable event logs during these intermittent outages. Additionally, although the entity was able to recover local logs for the devices, the entity failed to review those logs within 15 calendar days due to a corrupted database and the fact that cyber security personnel were heavily engaged in the recovery of those logs.

CIP-010-2

Prior to implementation tools related to change management and baselines, the entity established configuration baselines in the system through system scans and vendor documentation. The entity then had a third-party contract validate the correct configuration baselines prior to go-live. However, upon implementation of concerns arose over the validity of these records in because of the volume of event records being produced. Essentially, subject matter experts were expected to reconcile all of the change records produced with the baselines. This situation created concern over the validity of the records. Accordingly, the entity conducted reviews of the system and identified several insufficiencies. Specifically, the entity identified the following issues: (a) instances of incorrect or missed ports and services and software in the system; (b) instances of incomplete documentation of deviations from the existing baseline configurations; and (c) instances of missed baseline updates within 30 days of implementing the change, all in violation of CIP-010-2 R1. Further, through a proactive spot check and mock audit, the entity discovered that it failed to load software agents on certain devices and that it lacked documentation to demonstrate whether the devices were capable of hosting the agent. The entity also discovered that it did not have a detailed process in place to consistently monitor the devices without a software agent such that some could not host the software agent, but either could have their baselines monitored by through an automatic process without an Agent or required a manual process to monitor the baseline configurations, in violation of CIP-010-2 R2. Finally, while responding to a 35-day baseline configuration review notice for a different CIP asset, the entity discovered that it failed to monitor the baseline configurations every 35 calendar days for several other components considered Bulk Electric System Cyber Systems, and those components were implemented without the required cyber security controls being completed, as well as failing to collect all required configuration information items on certain components for one 35-day interval.

Finding:

CIP-002-5.1

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system based on the following factors. First, this is a documentation issue. Despite being mistakenly classified as a low impact asset, the virtual server in question had been consistently afforded the protections of a high impact BES Cyber System, and the virtual server in question was decommissioned less than a year after it was improperly classified because it was no longer necessary to be in the Electronic Security Perimeter. This fact reduced the time period that the misclassification could have caused any adverse effect on the BES.

CIP-004-3a

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system based on the following factors. The risk posed by failing to have accurate and up-to-date access records is that individuals can retain access when they are no longer authorized to have it (which happened here), which increases the likelihood that one of those people could use that access for improper purposes. Moreover, active, but unused accounts, present additional, unnecessary attack vectors for a cyber-attack. This risk was mitigated in this case by the following factors. First, all of the individuals involved, while no longer requiring access, were still qualified to have that access because they had current background checks and CIP training. Second, only two of the individuals involved maintained Interactive Remote Access after they no longer required it. Third, although the applications were missed in the quarterly reviews, all of the personnel with access were determined to have appropriate and continuous authorized access to these applications. Fourth, the single user whose electronic access was not removed from a single non-shared account for one application within 30 calendar days following a voluntary termination was rehired for a new position. Fifth, of the 12 users who did not have authorization records to support all of their access, only two were determined to not be authorized based on need for the specific access, which was removed. In both cases, the users were still qualified to have the access because they had current background checks and CIP training.

CIP-007-6

The CIP-007-6 violations posed either minimal or moderate risk to the reliability  of the BPS, based on a combination of the following factors: the entity's defense-in-depth prevention and detection strategy, multiple layers of protection on affected components, the relatively short duration of the violation, relatively small number of devices affected, the design of the network infrastructure in a way that reduces the risk of unauthorized or malicious traffic, the deployment of software that would alert to any new software or malware installed or any configuration changes to workstations, the small number of security event logs created by the AOC, use of Physical and Electronic Security Perimeters, and complexity of the passwords not replaced on the proper timelines.

CIP-007-3a

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system based on the following factors: First, during these intermittent logging outages, alerts were still being sent to the cyber security console and were being reviewed to determine if any were unresolved alerts that would need to be escalated. Second, even though logs were not being captured during these intermittent outages, the themselves were still actively functioning to allow only authorized into the CIP environment. Third, other functions, including configuration monitoring, continued to function during this time and would have identified any changes to the configurations. RFC also notes that the entity's subsequent review of the logs did not identify any unusual events.

CIP-010-2

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system based on the balance between the length of time that the issue was present and the broad scope of the issue versus the fact that the entity protects its system using a variety of defense-in-depth tools and multiple layers of physical and electronic protections. Regarding the R1 violation, the URE employed a change management process that included a step to review and authorize change requests and to provide general oversight of the change management program. Regarding the first R2 violation, the tuning issues impeded, but did not prevent, the entity's ability to perform the reconciliations within 35 days. In fact, the entity did complete all of the reconciliations for enrolled assets and identified no anomalous or unapproved changes during the time that this issue persisted.

Penalty: $225,000

FERC Order: Issued March 31, 2020 (no further review)

NP20-6-000: Unidentified Registered Entity 4 (URE-4)

Method of Discovery: Self-Report

Violation ID: WECC2017017676

Standard: CIP-002-5.1

Requirement: R1 (1.1, 1.2)

VRF: High

VSL: Lower

Region: WECC

Issue: During the planning and engineering activities associated with upgrading tone telemetry equipment at a certain control center, URE-4 discovered that a certain Remote Terminal Unit was not considered or identified as a High Impact BES Cyber System as required. After this was discovered, an internal investigation revealed several other RTUs that were improperly identified and assessed as having the incorrect impact rating. These devices had this been inadequately protected for a significant period of time.

Finding: WECC determined this violation posed a moderate risk and did not powe a serious or substantial risk to the reliability of the bulk power system (BPS). The violation could have resulted in the compromise of the RTUs, but as the RTUs were serially connected and had no routable network connectivity, baseline configuration information was maintained on the RTUs, most RTUs did not have control capabilities or were configured only to transmit, not receive information, the impact was mitigated somewhat. Further, all protective measures of CIP-007-6 had been properly applied. 

Duration: 1 July 2016 – 15 March 2019.

Penalty: $65,000

FERC Order: Issued December 30, 2019 (no further review)

NP19-4-000: Unidentified Registered Entity

Region: SERC

NERC Violation ID: Redacted

Issues: These violations were discovered through CIP Compliance Audits and through Self-Reports the URE submitted from 2015 through 2018.

CIP-005-1 and CIP-005-3a

The URE failed to identify and protect various non-critical Cyber Assets (non-CCA) within a defined Electronic Security Perimeter (ESP) – in some cases, the non-CCA was connected to the ESP but was not identified and afforded the required protection, and in others, a security specialist disconnected a network cable from the back of a CCA and plugged it into his laptop. The URE also failed to afford required protection measures to EACM devices not included in the 2014 EACM account verification review. Further, when the URE deployed new access control lists (ACLs) to certain electronic access points on EACM device routers, the routers were misconfigured, causing the electronic access points to block the centralized logging and monitoring server logs associated with the device from being sent to the security incident and event management (SIEM) device.

CIP-005-5

The URE did not deploy deny-access-by-default rules on certain ESP firewalls, did not restrict inbound electronic access to certain ESPs, did not deny inbound or outbound access for unnecessary internet protocol (IP) addresses associated with ESP access points.

CIP-006-3c

The URE did not maintain a proper six-wall Physical Security Perimeter (PSP) after the completion of a facility upgrade, when a contractor left vent openings unsecured for a two week period. Further, the URE failed to properly provision physical access authorization requests (in four instances where employees and contractors were either erroneously granted improper access to secured locations, via mistaken approval or a technical error in the security system) or to document all required information in their logbooks for visitors accessing PSPs. There were at least eight instances where the URE failed to continuously escort visitors within multiple PSPs. Further, The URE did not review individual PACS user accounts to verify that the access permissions were consistent with what employees needed to access and perform their respective functions, or update their CCA access list within seven calendar days of a change in personnel access rights. The URE failed to implement operational or procedural controls to manage physical access to a PSP, when an unauthorized technician used an emergency override key with which they had been provided to access the PSP. The URE failed to immediately review and investigate certain unauthorized physical access attempts at one PSP where seven unauthorized access attempts were made in under one minute, and where one badge reader alarm was mistakenly placed on "bypass mode" for five days and did not alert to unauthorized access attempts. The URE also failed to continuously monitor physical access at several access points to a PSP, (i) when certain doors marked "exit only" were not being monitored for unauthorized entrances, (ii) when there was a delay  between when the PACS issued an alarm and when the alarm appeared on the SOC consoles, and (iii) when the SOC lost power and PACS failed to forward the alarms from the secondary site back to the SOC for action. 

CIP-006-6

The URE failed to implement physical access controls to allow only personnel with authorized unescorted access to access certain PSPs, and failed to monitor for unauthorized access through one physical access point into a PSP (when the URE disabled alarming and monitoring at that access point for five days). The URE also failed to continuously escort at least one visitor while the visitor was inside a PSP, and did not maintain complete access and visitor logs for a several PSPs.

CIP-007-3a

The URE failed to adhere to cyber security testing procedures and implement a cyber security testing plan that minimized adverse effects on the production system and its operation, or to test whether changes to CAs or CCAs in an ESP would have negative impacts on existing cyber security controls before implementation, in five separate instances. The URE also failed to assess certain security patches for some systems within 30 days of their availability, and failed to install a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all CAs within an ESP. In two events of longer duration, (i) the URE failed to document an application account deployed on certain EACMSs that housed high impact BES Cyber Systems and had improperly managed system shared account usage, (ii) factory default passwords were not changed for remotely accessible BCAs and (iii) a service technician shared his username and password with two unauthorized members of the service technician team for over two years of noncompliance. Certain other "read-only" passwords also remained unchanged after the expiration of a mandatory annual password changed deadline. Additionally, the URE misconfigured a certain tool upon implementation, preventing email alerts from being sent to the response personnel for Cyber Security Incidents. The URE failed to implement their internal disposal and redeployment program, which requires the affected device to remain with in the designated PSP until a proper chain of custody process is followed to transport the device in a secured container to the appropriate sanitizing facility. Finally, the URE failed to document a Cyber Vulnerability Assessment action plan to remediate or mitigate vulnerabilities after the CVA was completed, and further failed to document modification sot systems and controls of a CA within an ESP within the 30-calendar-day time frame.

CIP-007-6

The URE failed to enable only the necessary logical network accessible ports in three instances where the URE failed to identify certain devised as EACMS devices. Further, the URE failed to monitor for vendor security patches and vulnerability notifications on certain BCAs, failed to conduct timely evaluations of several security patches, and failed to implement their security patch management program in four instances, where devises were not identified as EACMSs or where the URE failed to apply the security patches or implement compensating measures to mitigate detected vulnerabilities. Further, the URE failed to implement methods to deter, detect, or prevent malicious code, including a lack of any process to update signatures or patterns on programs and devices using these signatures or patterns. The URE also failed to implement security event monitoring for multiple CAs, where those CAs either did not generate alerts for security events or the URE did not review logged events. The URE did not review summations of logged events every 15 calendar days to identify undetected Cyber Security Incidents. Additionally, the URE failed to implement system access controls to certain CAs within ESPs in four instances, and did not request a Technical Feasibility Exception for such systems; the URE also did not identify and inventory enabled default accounts associated with certain communications processors and did not have a correctly functioning Password Management Tool (PMT).

CIP-009-6

The URE failed to include EACMSs in the implementation and subsequent testing of the documented Recovery Plan in two separate instances and also failed to include EACMSs in the reviews and updates to the Recovery Plan in three separate instances, due to misidentification of which systems were EACMSs.

CIP-010-2

The URE failed to maintain an accurate baseline configuration, including devices in the baseline that were no longer a part of the BES Cyber System. The inventory list was not updated to take decommissioned items into account. The baseline configurations developed were also inaccurate, as the URE installed different firmware versions on some PACSs than was documented in the baseline.  The URE failed to include enabled logical network accessible ports in their baseline configuration in several instances, failed to include two security patches in the baseline configuration, and failed to authorize and document changes that deviated from the existing baseline configuration following patch upgrades and software installation. The URE also failed to document cyber security controls that were impacted by a system upgrade or verify that the controls were not impacted after changes were implemented following a baseline deviation. In five instances, the URE failed to fully implement their configuration change management program, through misidentifying PCAs and EACMSs, failing to document EACM devices, or failing to identify possibly impacted cyber security controls before implementation.  

The URE further failed to monitor changes to the baseline configurations at least once every 35 calendar days in two separate instances, affecting several facilities with high impact BCAs EACMSs, PCAs and PACSs. They also failed to monitor baseline configurations in three instances involving two Intrusion Detection/Prevention System (IDS/IPS) devices and certain misidentifies EACMSs. The URE further failed to perform an active vulnerability assessment of certain items before deploying such into the production environment, where (i) the subject matter expert did not complete the assessment as part of change management prior to commissioning the new PCA into an ESP; (ii) the URE placed EACMSs firewall appliances before performing the assessment, and (iii) in four instances of deploying a BCS and multiple BCAs before those systems had proper malicious software prevention tools or had misidentified systems operating as EACMSs. The URE further failed to implement one or more documented plans for Transient Cyber Assets (TCAs) in multiple instances where IT support personnel were granted unauthorized access, software was installed and uninstalled without prior authorization, patches were missing and patch tracking documentation was unavailable; the URE also failed to use an approved TCA when connecting to a BCA to change passwords.

CIP-011-2

The URE failed to protect/securely handle BES Cyber System Information (BCSI) in accordance with their information protection program when: (i) an employee transferred BCSI to a vendor using an unaccepted protocol, (ii) a project manager emailed BCSI without labeling it as BCSI and without using a secure method of transmittal, (iii) a system administrator's access to certain repositories had not been logged, (iv) the URE did not identify a software program that managed protection system testing as a BCS information repository, and (v) the URE did not identify certain systems as EACMSs or Intermediate Systems and thus did not implement proper protections or take action to prevent unauthorized retrieval of BCSI from the CA data storage media.

CIP-014-2

Certain assets were not included in the URE's CIP-014-2 risk assessment due to misidentification of some applicable substations. 

Finding: Though the risk posed to the reliability of the bulk power system (BPS) by the individual violations ranged from minimal to serious (52 minimal, 62 moderate, and 13 serious), the 127 violations collectively posed a serious risk to the security and reliability of the BPS. The Companies' violations posed a higher risk because many involved long durations, multiple instances of non-compliance, and repeated failures to implement physical and cyber security protections. The Companies had an internal compliance program at the time of the violations, but it was determined that, given the difficulties described above, the quality of the compliance program was deficient in facilitating compliance with the CIP Standards and Requirements. Though there was no evidence of any attempt to conceal a violation nor evidence of any intent to do so, the URE's management passively accepted the violations by creating and allowing a culture to exist that permitted these systemic problems to continue for over five years. 

Penalty: $10,000,000

FERC Order: Issued January 25, 2019 (no further review)

NP20-20-000: Unidentified Registered Entity

NERC Violation ID: TRE2018019425

Issue: CIP-002-5.1

On March 21, 2018, the Entity submitted a Self-Report stating that it was in violation of CIP-002-5.1a R1. Specifically, the Entity failed to implement a process that considered its assets. These systems were considered by the Entity as Low Impact. In 2017, the Entity engaged another third-party to conduct an independent study that included the communication networks. The third-party identified items of concern that challenged the low impact rating. The Entity then Self-Reported the noncompliance. This noncompliance began on July 1, 2016, the date CIP-002-5.1a became mandatory and enforceable, and ended on December 26, 2018, when the Entity completed initial and periodic CIP security requirements necessary for compliance.

Finding: CIP-002-5.1

This noncompliance posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. The failure to adequately protect the security of applicable BCS and associated Cyber Assets according to their Medium Impact classification poses a risk to the reliability of the bulk power system. However, the risk identified above is mitigated by the fact that the Entity periodically engaged a third party to perform an independent assessment of its system and to identify any unknown changes that had occurred that could have impacted its efforts and low impact ratings. In fact, this noncompliance was discovered during one such assessment conducted by a second, third-party vendor.

Additionally, the to these particular Cyber Assets. Given the security in place, an individual had to be physically present in order to compromise the systems. To prevent such physical access, the Entity limited physical access to those facilities to authorized personnel. In addition, the Entity had physical access revocation procedures in place throughout the issue duration.

Texas RE also considered the fact that even if remote access was possible, the Entity had additional, layered controls in place to reduce risk of a cyber-intrusion. into the system. Finally, the Entity's systems was already appropriately categorized as High Impact and observed the applicable NERC Reliability Standards there.

Penalty: $0

FERC Order: Issued July 30, 2020

NERC Violation ID: TRE2017018017

Issue: CIP-007-6

On July 26, 2017, the Entity submitted a Self-Report stating that it was in violation of CIP-007-6 R2.2 and R2.3. In particular, the Entity failed to evaluate for applicability within 35 calendar days multiple security patches. The Entity also reported that on multiple occasions it failed to apply applicable security patches, create dated mitigation plans, or revise existing mitigation plans within 35 calendar days of the evaluations of applicable security patches. Upon reviewing the Self-Report, Texas RE determined that one of the reported instances of noncompliance was applicable to CIP-007-6 R2.1.

The root cause of this noncompliance is a combination of inadequate patching procedures, a change in personnel performing patch management duties, resource constraints during the transition to CIP- 007-6, and insufficient planning for handling the transition to CIP-007-6.

This noncompliance was noncontiguous and started on July 1, 2016, which is the day CIP-007-6 R2.1 became enforceable and ended on July 5, 2017, when all patch sources had been identified, all applicable security patches had been evaluated, and all patches had been installed or had dated mitigation plans created or modified.

Finding: CIP-007-6

This noncompliance posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Individually, most of the issues represent a minimal risk to the Bulk Power System. Issue #1 and Issue #2 represent a moderate risk to the Bulk Power System due to their duration, scope, or the Cyber Assets affected. In aggregate, these minimal and moderate risk issues indicate programmatic failures that must be addressed in order to ensure the reliability of the Bulk Power System. The risk to the Bulk Power System is increased as five of the instances of noncompliance are related to High Impact BCAs (and in some instances, their associated PCAs), and two instances of non-compliance are related to a PACS Cyber Asset associated with High Impact BES Cyber Systems.

No harm is known to have occurred.

Penalty: $36,750

FERC Order: Issued July 30, 2020

NERC Violation ID: TRE2017018012

Issue: CIP-010-2
On July 25, 2017, the Entity submitted a Self-Report stating that, as a , it was in violation of CIP-010-2 R1. In particular, the entity failed to include CIP-010-2 R1 Rl.1.2 in its baseline documentation for. High Impact BES Cyber Assets (BCA), and failed to include CIP-010-2 Rl.1.5 in its baseline documentation for. BCAs and. Protected Cyber Assets (PCA).

The root cause of this noncompliance was the use of older or insufficient change management processes. This noncompliance started on July 1, 2016, which is the day CIP-010-2 R1 became enforceable, and ended on February 14, 2017, when all required parts of CIP-010-2 R1 were included in the Entity's baseline documentation. 

Finding: CIP-010-2

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system. The risks in not including commercially available or open-source application software and installed security patches in the Entity's baseline documentation is that a malicious individual can make unauthorized changes to the software that could subsequently go undetected. If the unauthorized changes are malicious in nature, then this can result in the devices being rendered unavailable, degraded or misused.

No harm is known to have occurred.

Penalty: $36,750

FERC Order: Issued July 30, 2020

NERC Violation ID: TRE2017018012

Issue: CIP-007-6

On July 10, 2017, the Entity submitted a Self-Report stating that it was in violation of CIP-007-6 R1. In particular, the entity failed to enable only the logical network accessible ports that had been determined to be needed by the Entity. Specifically, the Entity reported that one unneeded listening port was identified on a Physical Access Control Systems (PACS) Cyber Asset.

The root cause of this noncompliance was a failure to remove unnecessary software and a failure to make full use of available tools. This noncompliance was due to an unneeded port being in an enabled and listening state. The port was opened by an application that the Entity does not use. If the software had not been present and running on the affected Cyber Asset, then this noncompliance would not have occurred. Additionally, the Entity uses a tool to monitor their baseline configurations. This tool has reporting features that could have alerted the Entity to this noncompliance sooner, however these reporting features were not being used. 

This noncompliance started on July 1, 2016, which is the day CIP-007-6 R1 became enforceable, and ended on May 26, 2017, when all unneeded logically accessible network ports were disabled.

Finding: CIP-007-6

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Enabled logically accessible network ports represent a potential entry point into a Cyber Asset. A failure to disable enabled logically accessible network ports that are not needed unnecessarily increases the attack surface of the affected Cyber Asset. An attack on a PACS can compromise the implemented physical security protections an entity has deployed, either by allowing unauthorized individuals to enter a Physical Security Perimeter (PSP) or by preventing authorized individuals from entering a PSP when needed.

No harm is known to have occurred.

Penalty: $36,750

FERC Order: Issued July 30, 2020

NERC Violation ID: TRE2017017935

Issue: CIP-007-6

On July 10, 2017, the Entity submitted a Self-Report stating that it was in violation of CIP-007-6 R4. According to the Entity, it discovered that although its logging tool was receiving logs from one of its Physical Access Control System (PACS) Cyber Assets pursuant to CIP-007-6, R4, Parts 4.1.1 and 4.1.2, it was unable to normalize, alert on, and retain logs of detected malicious code on its PACS Cyber Asset in accordance with CIP-007-6 R4, Parts 4.1.3, 4.2.1, and 4.3. Additionally, the Entity stated that it was unable to detect event logging failure of detected malicious code pursuant to CIP-007-6 R4, Part 4.2.2. 

The root cause of this noncompliance was insufficient procedures. The Entity implemented new tools as part of the transition from CIP-007-3a to CIP-007-6. With the transition the Entity's procedures were not in a sufficient state to ensure the Entity would be compliant with newly applicable requirements. 

This noncompliance started on July 1, 2016, which is the day CIP-007-6 R4 became enforceable, and ended on May 15, 2017, when the Entity began using malicious code detection and removal software that was compatible with their logging infrastructure. 

Finding: CIP-007-6

This noncompliance posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. A failure to log events of detected malicious code and a failure to generate alerts on detected malicious code can result in cyber security staff being unaware that malicious code is present on one or more systems. Similarly, a failure to generate alerts on the failure of event logging can result in cyber security staff being unaware that logging is not functioning properly and subsequently can result in a failure to log events. A failure to retain event logs for the last 90 consecutive calendar days can impede the forensic analysis of a Cyber Security Incident. 

No harm is known to have occurred.

Penalty: $36,750

FERC Order: Issued July 30, 2020

NERC Violation ID: WECC2018020557

Issue: CIP-011-2

On October 19, 2018, the entity submitted a Self-Log stating that it was in noncompliance with CIP-011-2 R1.
Specifically, one contractor did not adhere to the entity's procedure for protecting and securely handling BES Cyber System Information (BSCI). The contractor was engaged to document the implementation of the entity's systems and was granted electronic access. On five occasions, beginning April 23, 2018, the contractor forwarded documents containing entity information to their personal email account in contravention of the entity's documented information protection program. This issue ended on July 31, 2018, when the contractor removed private information from their personal email account and hardware, for a duration of 100 days. 

The root cause of the issue was attributed to a contractor not following company policy. Specifically, the contractor had received the required cyber security and information protection training in accordance with company policy, but justified their actions based on their preference to use personal tools and technology to complete work.

Finding: CIP-011-2

This violation posed a minimal risk and did not pose a serious and substantial risk to the reliability of the Bulk Power System (BPS). In this instance, the entity failed to adequately implement its documented information protection program for protecting and securely handling private information, including storage, transit, and use as required. 

Failure to adequately protect such information could have resulted in a malicious actor with access to the information selling the data for profit or a benign actor mishandling the information and causing an inadvertent public disclosure of the data. However, the entity reported that it had confirmed via attestation that the contractor did not forward the information to any other third-party individuals.

Additionally, the entity had completed a personnel risk assessment for the contractor and had executed a nondisclosure agreement with the third-party vendor with whom the contractor was employed; the contractor, in turn, had executed a nondisclosure agreement with the third-party vendor. Additionally, the contractor did not mishandle any account login information, instructions regarding how to access the devices, nor information required for authentication. Further, the data associated with this issue included noncritical information; this combination made the critical information indistinguishable to anyone not intricately familiar with the entity's environment. Finally, the entity has a minimal impact footprint and WECC confirmed that all systems were unaltered and remained operational throughout the period associated with this issue, thereby reducing the risk of any potential impact.

Penalty: $0

FERC Order: Issued July 30, 2020

NP19-18-000: International Boundary and Water Commission, US Section

Please search for this docket no. here ››