NERC Case Notes: Reliability Standard CIP-003-2

Unidentified Registered Entity, FERC Docket No. NP11-199-000 (May 26, 2011)

Reliability Standard: CIP-003-2

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: The Unidentified Registered Entity (URE) self-reported that it had improperly assigned two senior managers (instead of only one manager as required) to have responsibility for the implementation of the Cyber Security Reliability Standards.

Finding: SERC found that the violation posed only a minimal risk to bulk power system reliability since the URE, a Load-Serving Entity that does not own or operate any elements of the bulk power system, did not possess any critical assets. In addition, the URE had appointed two senior managers for the task (one of whom was the CEO and one of whom had been assigned responsibility for NERC compliance since March 2009) in order to provide coverage during absences. The duration of the violation was from April 1, 2010 through December 20, 2010.

Penalty: $0

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-225-000 (June 29, 2011)

Reliability Standard: CIP-003-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: As a result of a spot check, RFC determined the Unidentified Registered Entity (URE) violated CIP-003-2 R1 because it failed to remove “acceptance of the risk” exceptions for certain non-compliance in its Cyber Security Policy.

Finding: RFC assessed a $10,000 penalty for this and other violations. This violation did not pose a serious or substantial risk to the reliability of the Bulk Power System because the violation was a documentation error that did not substantially affect the application of URE’s Cyber Security Policy. The NERC BOTCC determined this was the URE’s first occurrence of this type of violation; the URE was cooperative; the URE had a compliance program, which RFC considered a mitigating factor; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $10,000 (aggregate for multiple violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-003-2

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: WECC found that URE’s Cyber Security Plan did not address all of the requirements contained in the CIP Reliability Standards.

Finding: WECC found that the violations constituted only a minimal risk to BPS reliability. WECC noted that it was not clear whether URE’s management was sufficiently committed to the security of the Critical Cyber Assets (CCAs) as mandated by the CIP Reliability Standards. However, URE, which has less than 100 miles of transmission lines, did conduct an assessment of its Critical Assets (CAs). WECC evaluated URE’s compliance program as a mitigating factor.

Penalty: $27,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)

Reliability Standard: CIP-003-2

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: During an on-site audit, it was found that URE was not in compliance with CIP-003-2 because its first Critical Cyber Asset access control program document did not contain the annual verifications required by R5.1.2, R5.2, and R5.3. URE was also in violation of CIP-003-2 R5 for not documenting the annual reviews and verifications as required by CIP-003-2 R5.1.2, R5.2 and R5.3.

Finding: WECC determined that this violation posed a minimal, and not a serious or substantial, risk to the reliability of the bulk power system (BPS). URE had originally documented the annual reviews and verifications required by CIP-003-1 R5.1.2, R5.2 and R5.3 in its access control procedure document, and URE did conduct the annual reviews and verifications as required, but it had not documented the reviews and verifications for 2010.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-003-2

Requirement: R1.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that its cyber security policy was not readily available to all personnel with access to, or responsibility for, CCAs at URE’s generating station, as required. The policy was only available on the company intranet, and was not made available to contractors who did not have access to the intranet.

Finding: WECC found that the CIP-003-2 violation constituted only a minimal risk to BPS reliability. URE had provided the cyber security policy to on-site employees during cyber security training sessions. In addition, only 60 URE personnel did not have access to the policy, and those individuals had limited physical access to the CCAs at URE’s generating station. URE’s management also discussed cyber security policy updates and emphasized compliance with the cyber security policy at weekly staff meetings. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. However, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-003-2

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE1 self-reported that it did not identify, control and document two completed software configuration changes on its dial-up service devices, as required by its parent company’s change control process.

Finding: RFC determined that the violation constituted a minimal risk to BPS reliability, as URE1 did not have any systemic issues with its configuration management. The violation was an isolated incident that resulted from human error. URE1 conducted configuration testing which ensured the devices would properly communicate with the relays after software configuration changes. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). These violations constituted the URE Companies’ fifth violation of CIP-004 and second violation of CIP-007, which was considered an aggravating factor (although not a substantial one). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-003-2

Requirement: R5/R5.1.1/R5.1.2/R5.2/R5.3 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1 self-certified to MRO and URE2 and URE3 self-reported to SPP RE and WECC that CIP protected information was stored in electronic file locations and several other repositories that did not have the access controls required by its CIP information protection program. Furthermore, almost 10% of UREs' users did not have the correct access privileges for protected information.

Finding: MRO determined that the violation constituted a serious or substantial risk to BPS reliability, as it increased the risk that unauthorized individuals could gain access to the UREs' CIP information, which could lead to malicious disruption of several BPS facilities the URE Companies controlled. Almost 10% of all user accounts, and several unauthorized repositories of the URE Companies, were in violation of the Standards for two years. Unprotected repositories included network drives, document sharing sites, and unauthorized document management systems with multiple users that were not part of the UREs' CIP program. CIP documents stored in the unprotected repositories at issue included the UREs' CIP policies and procedures; programming information for physical access control systems; security plans and drawings; TFEs; and information regarding changes to shared passwords. Overall, the URE Companies' information protection program was inadequate. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported, and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement process, and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: WECC2017018489

Reliability Standard: CIP-003-2

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: On October 18, 2017, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. The entity reported that on September 22, 2010, an employee from an unidentified group uploaded Critical Cyber Asset (CCA) information to the file share. On July 11, 2017, another unidentified group discovered the CCA information and notified the group. The information on the file share was examined and determined to be CCA information that should have been protected by the entity’s program. On July 12, 2017, the group removed the CCA information from the file share. The root cause of the violation was an individual who did not follow the procedures the entity had in place. Specifically, the individual who had placed the CCA information on the file share did not follow the expectations outlined in the entity’s Information Protection Program.

Finding: WECC found that the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to implement its program to identify, classify, and protect information associated with CCAs, and had weak controls to prevent and/or detect the noncompliance, the entity had compensating controls in place that lessened the risk, and no harm is known to have occurred. The violation began on September 22, 2010 and ended on July 12, 2017. WECC considered the entity’s internal compliance program to be a mitigating factor and found that its compliance history was an aggravating factor in determining the penalty disposition. WECC noted that the violation duration was significant and that the violation should have been found much sooner had the entity had better internal controls in place, especially considering that the entity had implemented later versions of the Reliability Standard and Requirement. To mitigate the violation, the entity evaluated commercial software updates and applicable security patches to the EACMS Cyber Assets in scope, updated its Security Patch Management Program, and provided training to stakeholders on the updates to the Security Patch Management Program.

Penalty: $87,000

FERC Order: June 27, 2019 (no further review)