
NERC Case Notes: Reliability Standard CIP-004-6

White & Case NERC Database

Unidentified Registered Entity 2 (SERC_URE2), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2017018072

Reliability Standard: CIP-004-6

Requirement: R4, P4.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: SERC_URE2 failed to implement a process to authorize access into a Physical Security Perimeter (PSP) after a PSP reconfiguration removed existing controls. SERC_URE2 submitted a Self-Report outlining the initial instance, in which the parent company modified three distinct and physically separated areas, two of which were PSPs, by removing interior fencing and creating one large PSP with no interior barriers. The removal of fencing also led to the removal of the demilitarized zone door previously in the third interior cage, which allowed individuals who had specific access permissions to only one of the three original separate areas to potentially have unauthorized physical access to BES Cyber Assets. In total, SERC_URE2 permitted eight individuals unauthorized access to multiple Electronic Access Control and/or Monitoring System Cyber Assets within the firewall cage and 18 individuals unauthorized access to Physical Access Control System Cyber Assets within the access control cage. In the second instance, SERC_URE2 submitted an expansion of scope in which it reported another noncompliance instance that stemmed from SERC_URE2 granting electronic access to a new database administrator, which allowed the contractor unauthorized access to CIP data. SERC_URE2 identified the root cause of the violation to be a manual process that lacked detailed instructions and was co-mingled with non-CIP access requests.

Finding: SERC found the violation constituted a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By its failure to sufficiently control access provisions, SERC_URE2 could have permitted unauthorized individuals to access and possibly modify settings and cause operational impacts. Ultimately, all individuals involved in the violation had received cybersecurity training and had a valid Personnel Risk Assessment on file. The duration of the first instance started when SERC_URE2 made PSP modifications that permitted unauthorized access and ended when SERC_URE2 completed a reauthorization process for all individuals who needed access to the now-modified PSP. The duration of the second instance began when SERC_URE2 granted a contractor access to unauthorized information and ended when it removed the unneeded access permissions. SERC considered SERC_URE2’s internal compliance program as a mitigating factor and determined that the compliance history of SERC_URE2 and its affiliate did not merit an aggravated penalty. To mitigate the violation, SERC_URE2, among other steps, created a new PSP in the access control system and obtained the appropriate authorizations, completed the PSP inspection, created a configuration item for PSP changes and a server administrator job aid that directs individuals to use the configuration item, and trained individuals.

Penalty: $220,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2017017204

Reliability Standard: CIP-004-6

Requirement: R4; P4.1, 4.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: During a Compliance Audit, WECC determined that an unidentified entity was in violation of the Reliability Standard when the entity was not able to demonstrate that it implemented its access management program per its documented process. The entity documented that it utilized an Access Request Form and a CIP-004 Management Program spreadsheet when authorizing electronic or unescorted physical access to its Medium Impact Bulk Electric System Cyber System (MIBCS) and their associated Cyber Assets or when authorizing access to designated storage locations. From July 1, 2016 through November 21, 2016, the entity granted electronic and/or unescorted physical access to its MIBCS and associated Cyber Assets to five employees without having completed the Access Request Form per the Access Management and Revocation Program and Procedure. In its Access Management and Revocation Program and Procedure, the entity states that quarterly reviews are conducted by comparing Access Request Forms to its CIP Unescorted Physical Security Perimeter List. However, the entity did not utilize the Access Request Forms; therefore, the entity did not have dated documentation of the verification between the list of employees who have been authorized for access and the list of personnel who have access, at least once each calendar quarter. The root cause of the violation was ill-defined, ill-understood, or ill-enforced management policy guidance or expectations. Specifically, the entity was new to CIP Standards and Requirements, and its subject matter experts and compliance staff lacked understanding of required evidence and retention periods.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Because the entity failed to document dated authorization records and include a business need for access granting and failed to verify once every calendar quarter that employees with CIP access had authorization records, such failure could result in unauthorized employees having electronic access, unescorted physical access and/or access to designated storage locations containing BES Cyber System information. However, the entity is a very small municipal power company that employs few staff and has an extremely low turnover. Based on this, WECC determined that the potential likelihood of the harm occurring was low. The violation began on July 1, 2016 for Part 4.1, when the Reliability Standard became mandatory and enforceable, and on October 1, 2016 for Part 4.2, when the Reliability Standard became mandatory and enforceable, and ended on December 8, 2017 when the entity updated its documented authorization records for access granted and verified CIP access against authorization records. WECC noted that the entity did not have detective controls in place that could have helped identify the issues sooner and lessen the violation duration, and noted that had there not been a Compliance Audit, the violation duration would have been longer due to the lack of controls. Based on this, WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity’s internal compliance program to be a neutral factor and found that there were no relevant instances of noncompliance after it reviewed the entity’s compliance history. To mitigate the violation, the entity updated its Access Management and Revocation Program and Procedure to reflect current practices, held monthly meetings to discuss CIP compliance, updated its spreadsheet to document employees that have access and to document the performance of quarterly reviews, annual reviews, and revocations, and provided training.

Penalty: $0

FERC Order: March 28, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2017017206

Reliability Standard: CIP-004-6

Requirement: R4; P4.1, 4.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: During a Compliance Audit, WECC determined that an unidentified entity was in violation of the Reliability Standard when the entity was not able to demonstrate that it implemented its access management program per its documented process. The entity documented that it utilized an Access Request Form and a CIP-004 Management Program spreadsheet when authorizing electronic or unescorted physical access to its Medium Impact Bulk Electric System (BES) Cyber System (MIBCS) and their associated Cyber Assets or when authorizing access to designated storage locations, but it was not able to provide evidence on the spreadsheet of one employee’s unescorted physical access being revoked, nor did it provide any completed Access Request Programs as stated in its process document. As evidence demonstrating the removal of an employee’s ability for unescorted physical access upon a termination action, the entity reviewed an email dated August 23, 2016, which stated that the employee no longer worked for the City and should no longer have access to the primary and backup Control Centers. However, the email contained no confirmation that the employee’s unescorted physical access had been removed within 24 hours of termination, nor was the entity able to provide system logs to confirm that access revocation had occurred within 24 hours of the termination action. However, WECC determined there was a decrease in scope from the original audit finding. The root cause of the violation was ill-defined, ill-understood, or ill-enforced management policy guidance or expectations.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity exposed itself to unauthorized physical access to BES Cyber Systems and thereby potentially affected the reliability of the BPS, the entity is a very small municipal power company that employs few staff and has an extremely low turnover. Based on this, WECC determined that the potential likelihood of the harm occurring was low. The violation began on August 24, 2016 when the documented process was not followed and ended on December 8, 2017 when the Mitigation Plan was completed. WECC noted that the entity did not have detective controls in place that could have helped identify the issues sooner and lessen the violation duration, and noted that had there not been a Compliance Audit, the violation duration would have been longer due to the lack of controls. Based on this, WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity’s internal compliance program to be a neutral factor and found that there were no relevant instances of noncompliance after it reviewed the entity’s compliance history. To mitigate the violation, the entity updated its Access Management and Revocation Program and Procedure to reflect current practices, held monthly meetings to discuss CIP compliance, updated its spreadsheet to document employees that have access and to document the performance of quarterly reviews, annual reviews, and revocations, and provided training.

Penalty: $0

FERC Order: March 28, 2019 (no further review)