NERC Case Notes: Reliability Standard CIP-004-6

Unidentified Registered Entity 2 (SERC_URE2), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2017018072

Reliability Standard: CIP-004-6

Requirement: R4, P4.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: SERC_URE2 failed to implement a process to authorize access into a Physical Security Perimeter (PSP) after a PSP reconfiguration removed existing controls. SERC_URE2 submitted a Self-Report describing the initial instance, in which the parent company modified three distinct and physically separated areas, two of which were PSPs, by removing the interior fencing and creating one large PSP with no interior barriers. Removing the fencing also removed the demilitarized zone door that had previously protected the third interior cage, so individuals with access permissions to only one of the three original areas could potentially gain unauthorized physical access to BES Cyber Assets in the others. In total, SERC_URE2 permitted eight individuals unauthorized access to multiple Electronic Access Control and/or Monitoring System Cyber Assets within the firewall cage and 18 individuals unauthorized access to Physical Access Control System Cyber Assets within the access control cage. In the second instance, SERC_URE2 submitted an expansion of scope reporting a further noncompliance: it granted electronic access to a new database administrator, a contractor, which gave the contractor unauthorized access to CIP data. SERC_URE2 identified the root cause of the violation as a manual process that lacked detailed instructions and was commingled with non-CIP access requests.

Finding: SERC found the violation constituted a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By failing to sufficiently control access provisioning, SERC_URE2 could have permitted unauthorized individuals to access and possibly modify settings and cause operational impacts. However, all individuals involved in the violation had received cybersecurity training and had a valid Personnel Risk Assessment on file. The first instance began when SERC_URE2 made the PSP modifications that permitted unauthorized access and ended when SERC_URE2 completed a reauthorization process for all individuals who needed access to the modified PSP. The second instance began when SERC_URE2 granted the contractor access to information it was not authorized to see and ended when SERC_URE2 removed the unneeded access permissions. SERC considered SERC_URE2's internal compliance program a mitigating factor and determined that the compliance history of SERC_URE2 and its affiliate did not merit an aggravated penalty. To mitigate the violation, SERC_URE2, among other steps, created a new PSP in the access control system and obtained the appropriate authorizations, completed the PSP inspection, created a configuration item for PSP changes and a server administrator job aid that directs individuals to use the configuration item, and trained individuals.

Penalty: $220,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP18-15-000

Reliability Standard: CIP-004-6

Requirement: R5; Part 5.1

Violation ID: WECC2017016850

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: WECC_URE1 self-reported two instances in which it did not adequately implement its process for removing unescorted physical access within 24 hours of a termination action for a service contractor's employee. In the first instance, the contract vendor did not notify WECC_URE1 within 4 hours of the termination as its contract required; WECC_URE1 processed the revocation within 24 hours of being notified, but approximately 36 hours after the termination action was taken. In the second instance, the contract vendor sent the termination email to an incorrect email address, and WECC_URE1's offices were closed for the Thanksgiving holiday.

Finding: WECC determined that in both instances WECC_URE1 failed to revoke unescorted physical access to its Medium Impact BES Cyber Systems (MIBCS) within 24 hours of the termination action. The root cause of the first instance was a vendor contractor not performing according to the contract's language; the root cause of the second instance was an inadequate vendor contract. Specifically, the vendor contract contained an outdated version of a clause that did not specify a method of communicating termination actions to WECC_URE1.

This violation posed a moderate risk to the reliability of the bulk power system. Following a termination action, a disgruntled employee or contractor who retains unescorted physical access to substations could make unauthorized changes to transmission facilities and equipment by removing them from service, potentially disabling the system operator's ability to control the system and disrupting WECC_URE1's ability to fulfill its responsibilities. WECC_URE1's preventive controls were weak: the master contracts in its vendor agreements had not been updated to specify the communication process for a termination, and no controls were identified to detect a vendor contractor's failure to meet the notification requirements for a termination. However, the risk was reduced in both cases because the duration of unauthorized access was short and no badge was used to gain access during the violation period.

To mitigate its violation, WECC_URE1 (a) updated the applicable revocation clause in its service contracts; (b) established a consistent response to vendor contractors that fail to meet the revocation notification requirements; (c) reviewed, with the applicable WECC_URE1 personnel, proposed changes to its purchasing instructions; and (d) updated its policies before the next publication.

WECC_URE1 did not receive mitigating credit for self-reporting because the Self-Report was submitted 210 days after WECC_URE1 discovered the violation. Credit was also not given for WECC_URE1's internal compliance program (ICP), since WECC_URE1 did not implement its ICP effectively enough to prevent or detect this violation in a timely manner. Finally, WECC considered WECC_URE1's CIP-004 compliance history to be an aggravating factor in determining the disposition track.

Duration of Violation: The violation commenced on the date unescorted physical access should have been revoked in the first instance and ended on the date access was revoked in the last instance.

Penalty: No penalty

FERC Order: Issued June 29, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2017017204

Reliability Standard: CIP-004-6

Requirement: R4; P4.1, 4.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: During a Compliance Audit, WECC determined that the entity was in violation of the Reliability Standard because it could not demonstrate that it implemented its access management program per its documented process. The entity documented that it used an Access Request Form and a CIP-004 Management Program spreadsheet when authorizing electronic or unescorted physical access to its Medium Impact Bulk Electric System Cyber Systems (MIBCS) and their associated Cyber Assets, or when authorizing access to designated storage locations. From July 1, 2016 through November 21, 2016, the entity granted electronic and/or unescorted physical access to its MIBCS and associated Cyber Assets to five employees without completing the Access Request Form required by its Access Management and Revocation Program and Procedure. That procedure states that quarterly reviews are conducted by comparing Access Request Forms to the CIP Unescorted Physical Security Perimeter List. Because the entity did not use the Access Request Forms, it had no dated documentation of the verification, at least once each calendar quarter, between the list of employees authorized for access and the list of personnel who actually had access. The root cause of the violation was ill-defined, ill-understood, or ill-enforced management policy guidance or expectations. Specifically, the entity was new to the CIP Standards and Requirements, and its subject matter experts and compliance staff lacked understanding of the required evidence and retention periods.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Because the entity failed to keep dated authorization records that include a business need for each access grant, and failed to verify at least once every calendar quarter that employees with CIP access had authorization records, unauthorized employees could have obtained electronic access, unescorted physical access, and/or access to designated storage locations containing BES Cyber System Information. However, the entity is a very small municipal power company that employs few staff and has extremely low turnover, so WECC determined that the likelihood of the harm occurring was low. The violation began on July 1, 2016 for Part 4.1 and on October 1, 2016 for Part 4.2, the dates on which those Parts became mandatory and enforceable, and ended on December 8, 2017 when the entity updated its documented authorization records for access granted and verified CIP access against those records. WECC noted that the entity had no detective controls in place that could have identified the issues sooner and shortened the violation, and that without the Compliance Audit the violation would have lasted longer. On that basis WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity's internal compliance program a neutral factor and, after reviewing the entity's compliance history, found no relevant prior instances of noncompliance.

To mitigate the violation, the entity updated its Access Management and Revocation Program and Procedure to reflect current practices, held monthly meetings to discuss CIP compliance, updated its spreadsheet to document the employees who have access and to record the performance of quarterly reviews, annual reviews, and revocations, and provided training.

Penalty: $0

FERC Order: March 28, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2017017206

Reliability Standard: CIP-004-6

Requirement: R4; P4.1, 4.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: During a Compliance Audit, WECC determined that the entity was in violation of the Reliability Standard because it could not demonstrate that it implemented its access management program per its documented process. The entity documented that it used an Access Request Form and a CIP-004 Management Program spreadsheet when authorizing electronic or unescorted physical access to its Medium Impact Bulk Electric System (BES) Cyber Systems (MIBCS) and their associated Cyber Assets, or when authorizing access to designated storage locations, but it could not provide evidence on the spreadsheet that one employee's unescorted physical access had been revoked, nor did it provide any completed Access Request Forms as called for in its process document. As evidence of removing an employee's ability for unescorted physical access upon a termination action, the entity provided an email dated August 23, 2016 stating that the employee no longer worked for the City and should no longer have access to the primary and backup Control Centers. However, the email contained no confirmation that the employee's unescorted physical access had been removed within 24 hours of the termination, and the entity could not provide system logs confirming that the revocation had occurred within 24 hours of the termination action. WECC determined that there was a decrease in scope from the original audit finding. The root cause of the violation was ill-defined, ill-understood, or ill-enforced management policy guidance or expectations.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity exposed itself to unauthorized physical access to BES Cyber Systems and thereby could have affected the reliability of the BPS, the entity is a very small municipal power company that employs few staff and has extremely low turnover, so WECC determined that the likelihood of the harm occurring was low. The violation began on August 24, 2016 when the documented process was not followed and ended on December 8, 2017 when the Mitigation Plan was completed. WECC noted that the entity had no detective controls in place that could have identified the issues sooner and shortened the violation, and that without the Compliance Audit the violation would have lasted longer. On that basis WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity's internal compliance program a neutral factor and, after reviewing the entity's compliance history, found no relevant prior instances of noncompliance. To mitigate the violation, the entity updated its Access Management and Revocation Program and Procedure to reflect current practices, held monthly meetings to discuss CIP compliance, updated its spreadsheet to document the employees who have access and to record the performance of quarterly reviews, annual reviews, and revocations, and provided training.

Penalty: $0

FERC Order: March 28, 2019 (no further review)

Registered Entity (Name Redacted), FERC Docket No. NP20-15-000

Unidentified Registered Entity 2 (SERC_URE2) and Unidentified Registered Entity 3 (SERC_URE3), FERC Docket No. NP18-25-000

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP18-25-000 [1]

Region: Western Electricity Coordinating Council (WECC)

Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
SERC2016016030 | CIP-004-6 | R3; P3.5 | Medium/ Severe | Self-Report | When the first PRA expired | When the last PRA was renewed

Issue: WECC_URE1 reported that, per its documented procedures, it reviewed a list of personnel due for an updated Personnel Risk Assessment (PRA) and discovered 7 personnel with expired PRAs. These personnel had authorized electronic and/or authorized unescorted physical access to High Impact Bulk Electric System (BES) Cyber Systems (HIBCS) and Medium Impact BES Cyber Systems (MIBCS). The 7 personnel continued to hold that access while WECC_URE1 worked on renewing the PRAs.

Finding: WECC determined that WECC_URE1 failed to ensure that personnel with authorized electronic and/or authorized unescorted physical access to its HIBCS and MIBCS had a PRA completed according to CIP-004-6 Parts 3.1 through 3.4 within the last 7 years. The root cause of this violation was a less than adequate process: WECC_URE1 did not have a clear process in place to manage and assess data regarding expiring PRAs. Such a failure could cause WECC_URE1 to miss changes in an individual's criminal history, an element of potential risk to safety and security.

That said, all personnel in scope were known to WECC_URE1; were authorized to have either electronic and/or unescorted physical access to the HIBCS and MIBCS; and had an understanding of their roles and responsibilities for protecting these systems. Based on this, WECC determined that the potential harm had a minimal likelihood of occurring. Given the above, WECC determined that this violation posed a minimal risk to the reliability of the bulk power system. WECC reviewed WECC_URE1's internal compliance program and considered it to be a mitigating factor in the penalty determination.

Penalty: No penalty

FERC Order: Issued September 28, 2018 (no further review)

[1] This entry shares a docket number with the preceding NP18-25-000 entry, but the summary is kept separate because it concerns a different violation by a different entity in a different region.
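The three WECC cases above (the 24-hour revocation failures, the missing quarterly verification of authorization records against actual access, and the expired PRAs) all turn on the absence of a detective control, which WECC cited as an aggravating factor. As an added example that is not part of the original page and not the program of any entity cited here, the following Python script reconciles a constructed authorization register, an access-control-system export, PRA dates and termination actions against the CIP-004-6 Part 3, Part 4.1/4.2 and Part 5.1 clocks. Every person, system identifier, date and the hypothetical data layout are constructed for illustration.

```python
"""Added example: a detective control for the CIP-004-6 Part 3, 4.1/4.2 and 5.1
clocks, reconciling authorization records against an access-control-system export.
Not the code of any entity cited on this page; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

PRA_VALIDITY_YEARS = 7                   # Part 3: PRA completed within the last seven years
REVOCATION_WINDOW = timedelta(hours=24)  # Part 5.1: revoke within 24 hours of the termination action


@dataclass(frozen=True)
class Finding:
    part: str     # CIP-004-6 Part the gap maps to
    person: str
    detail: str


def pra_expiry(last_pra: date) -> date:
    """Date the PRA stops counting; a Feb 29 PRA rolls back to Feb 28."""
    try:
        return last_pra.replace(year=last_pra.year + PRA_VALIDITY_YEARS)
    except ValueError:
        return last_pra.replace(year=last_pra.year + PRA_VALIDITY_YEARS, day=28)


def reconcile(authorizations, active_access, pras, terminations, as_of: datetime) -> list[Finding]:
    """Compare what the access-control system says against the dated
    authorization register and flag anything an auditor would sample."""
    findings: list[Finding] = []
    authorized = {(a["person"], a["system"]) for a in authorizations}

    for person, system in sorted(active_access):
        # Parts 4.1/4.2: every active access must trace to a dated, need-based record.
        if (person, system) not in authorized:
            findings.append(Finding("4.1/4.2", person,
                                    f"active access to {system} with no authorization record"))
        # Part 5.1: a terminated individual must lose access within 24 hours.
        terminated_at = terminations.get(person)
        if terminated_at is not None and as_of - terminated_at > REVOCATION_WINDOW:
            findings.append(Finding("5.1", person,
                                    f"access to {system} still active {as_of - terminated_at} after termination"))

    for person in sorted({p for p, _ in active_access}):
        # Part 3: anyone holding access needs a PRA dated within the last seven years.
        last_pra = pras.get(person)
        if last_pra is None:
            findings.append(Finding("3", person, "holds access with no PRA on file"))
        elif pra_expiry(last_pra) < as_of.date():
            findings.append(Finding("3", person,
                                    f"PRA dated {last_pra} expired {pra_expiry(last_pra)}"))
    return findings


# ---- constructed sample data (hypothetical people and systems) ----
AS_OF = datetime(2019, 6, 1, 12, 0)
AUTHORIZATIONS = [
    {"person": "alice", "system": "EMS-HMI-01", "granted": date(2016, 7, 1), "need": "EMS operator"},
    {"person": "carol", "system": "PACS-SRV-01", "granted": date(2017, 2, 3), "need": "badge administrator"},
    {"person": "dave", "system": "EMS-HMI-01", "granted": date(2018, 9, 10), "need": "relief operator"},
    {"person": "erin", "system": "FW-EAP-01", "granted": date(2017, 5, 5), "need": "firewall administrator"},
]
ACTIVE_ACCESS = {   # as exported from the access-control system
    ("alice", "EMS-HMI-01"),
    ("bob", "PACS-SRV-01"),    # never authorized: the SERC-style gap
    ("carol", "PACS-SRV-01"),  # terminated two days ago, badge still live
    ("dave", "EMS-HMI-01"),    # terminated ten hours ago: still inside the window
    ("erin", "FW-EAP-01"),
}
PRAS = {
    "alice": date(2012, 3, 1),   # more than seven years old
    "bob": date(2018, 1, 15),
    "carol": date(2017, 1, 20),
    "dave": date(2018, 8, 1),
    "erin": date(2016, 2, 29),   # leap-day PRA, still valid
}
TERMINATIONS = {
    "carol": datetime(2019, 5, 30, 8, 0),
    "dave": datetime(2019, 6, 1, 2, 0),
}


def run_sample() -> list[Finding]:
    return reconcile(AUTHORIZATIONS, ACTIVE_ACCESS, PRAS, TERMINATIONS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"Part {f.part:<7} {f.person:<6} {f.detail}")
```

Run it on a real export at least once each calendar quarter and on every termination notice, and keep the dated output: that record is exactly the Part 4.2 evidence the audited entity above could not produce. The script deliberately applies the 24-hour Part 5.1 clock only; Part 5.3 (BCSI storage locations) runs to the end of the next calendar day and would need its own check.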

Registered Entity (Name Redacted), FERC Docket No. NP19-9-000

Region: Florida Reliability Coordinating Council (FRCC)

Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
FRCC2017017834 | CIP-004-6 | R4 | Medium/ Severe | Self-Report | 3/17/2017 | 7/31/2017
FRCC2017017370 | CIP-004-6 | R4 | Medium/ Severe | Self-Report | 10/1/2016 | 11/20/2017
FRCC2017017454 | CIP-004-6 | R5 | Medium/ Lower | Self-Report | 7/1/2016 | 5/8/2017
FRCC2017017869 | CIP-007-6 | R1 | Medium/ Severe | Self-Report | 7/1/2016 | 3/30/2018
FRCC2017017375 | CIP-007-6 | R2 | Medium/ Moderate | Self-Report | 7/1/2016 | 7/13/2018
FRCC2017017833 | CIP-007-6 | R4 | Medium/ Severe | Self-Report | 7/1/2016 | 4/18/2018
FRCC2017017857 | CIP-007-6 | R5 | Medium/ Severe | Self-Report | 7/1/2016 | 1/15/2018
FRCC2017017376 | CIP-010-2 | R1 | Medium/ High | Self-Report | 7/1/2016 | 11/15/2017
FRCC2017017835 | CIP-010-2 | R3 | Medium/ Severe | Self-Report | 12/1/2016 | 6/27/2017
FRCC2017017696 | CIP-011-2 | R1 | Medium/ Severe | Self-Report | 7/1/2016 | 1/10/2018

Issues: The Entity self-reported violations of the CIP standards set out above, as described below. The violations were discovered in preparation for a CIP compliance audit.

a) CIP-004-6 (R4): FRCC determined that a violation of CIP-004-6 (R4) occurred in two instances. In the first instance, the Entity failed to authorize electronic access based on need for 3 individuals, as required by Part 4.1. In the second instance, the Entity failed to verify, at least once each calendar quarter, that individuals with active electronic access or unescorted physical access had authorization records, as required by Part 4.2.

b) CIP-004-6 (R5): FRCC determined that the Entity did not revoke an individual's access to the designated storage locations for BES Cyber System Information (BCSI), whether physical or electronic, by the end of the next calendar day following the effective date of the termination action as required by CIP-004-6 R5 (Part 5.3).

c) CIP-007-6 (R1): FRCC determined that the Entity failed to properly determine logical network accessible port ranges or services needed to handle dynamic ports on 7 Electronic Access Control or Monitoring (EACM) Cyber Assets.

d) CIP-007-6 (R2): FRCC determined that the Entity failed to: (1) follow its patch management process for tracking cyber security patches for applicable Cyber Assets as required by R2, Part 2.1; (2) evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1 at least once every 35 days as required by R2, Part 2.2; and (3) take one of the following actions within 35 calendar days of the evaluation completion: apply the applicable patches, create a dated mitigation plan, or revise an existing mitigation plan as required by R2, Part 2.3.

e) CIP-007-6 (R4): FRCC determined that the Entity failed to log the minimum required events at the BES Cyber System level (per system capability) or at the Cyber Asset level. Specifically, the Entity failed to log successful login attempts, detected failed access attempts and detected failed login attempts on 17 BES Cyber Asset workstations and 5 Physical Access Control Systems.

f) CIP-007-6 (R5): FRCC determined that the Entity failed to limit unsuccessful authentication attempts, alert for unsuccessful authentication attempts, or file a Technical Feasibility Exception. Specifically, the Entity failed to implement controls to limit the number of unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts on 7 EACM devices as required by R5, Part 5.7.

g) CIP-010-2 (R1): FRCC determined that the Entity failed to develop baseline configurations for 5 Intrusion Prevention System Cyber Assets and failed to document changes from the existing baselines on 7 Security Information and Event Management devices.

h) CIP-010-2 (R3): FRCC determined that the Entity added 2 switches to manage network isolation of the production environment as Protected Cyber Assets without performing a vulnerability assessment as required by R3 Part 3.3.

i) CIP-011-2 (R1): FRCC determined that the Entity failed to implement one or more documented information protection program(s) that would identify all storage locations that included BCSI as required by CIP-011-2 R1.1.

Findings:

a) CIP-004-6 (R4): FRCC found that the root cause of the first violation was the failure to follow the procedure, lack of internal controls, and insufficient management oversight during the authorization process. The violation posed a moderate risk to the reliability of the Bulk Power System (BPS).

As to the second violation, FRCC found that the causes for this violation were an incorrect interpretation of the procedure by the Subject Matter Expert (SME), lack of internal controls, and insufficient management oversight during the control verification process. FRCC determined that this violation posed a moderate risk to the BPS's reliability.

b) CIP-004-6 (R5): FRCC found that the contributing causes for this violation were the failure to follow the Entity's process for personnel termination, a lack of internal controls, and insufficient management oversight during the revocation process. This posed a minimal risk to the BPS's reliability.

c) CIP-007-6 (R1): FRCC determined that the root causes for this violation were the incorrect interpretation of the procedure by the SME, inadequate internal controls, no documented testing requirements, and insufficient management oversight during the ports and services authentication process. It was determined that this posed a minimal risk to the BPS's reliability.

d) CIP-007-6 (R2): FRCC determined that the causes for this violation were a failure to follow the Entity's process, poorly documented internal controls and lack of internal controls during the verification and periodic review. It was also determined that this violation posed a serious risk to the BPS's reliability.

e) CIP-007-6 (R4): It was determined that the causes for this violation were the SME's failure to follow the process, inadequate internal controls, no testing requirement, no periodic review, and insufficient management oversight. FRCC found that the violation posed a moderate risk to the BPS's reliability.

f) CIP-007-6 (R5): FRCC found that the violation was caused due to the SME's incorrect interpretation of the procedure, lack of internal controls, no documentation of testing requirements, and insufficient management oversight during the access controls process. It was determined that the violation posed a moderate risk to the BPS's reliability.

g) CIP-010-2 (R1): FRCC found that the violation occurred due to an incomplete process and a lack of internal controls to ensure authorization of changes and updates to baselines occurred. This posed a moderate risk to the BPS's reliability.

h) CIP-010-2 (R3): FRCC found that the causes for this violation were an incomplete documented procedure, lack of internal controls, and insufficient management oversight during the configuration change management process. It was concluded that the violation posed a moderate risk to the BPS's reliability.

i) CIP-011-2 (R1): FRCC found that the causes for this violation were the SME's incorrect interpretation of the standard, no documented procedure, lack of internal controls, and insufficient management oversight during the BCSI identification process. It was concluded that this violation posed a moderate risk to the BPS's reliability.

While assessing the penalty, FRCC took the following factors into account: (a) the instant violations were considered as repeat noncompliance with the subject NERC reliability standards and FRCC considered the Entity's compliance history with CIP-007-1 (R2), CIP-007-3a (R2), and CIP-007-6 (R2) as an aggravating factor; (b) FRCC awarded a small mitigating credit for the fact that the Entity had an internal compliance program at the time of the violation that operated successfully until the complex challenges of the transition to CIP Version 5; (c) FRCC awarded a mitigating credit because the Entity self-reported 3 violations before the date that FRCC sent its audit notification (note however, that credit was not awarded for the 7 other self-reports because the Entity submitted those after FRCC sent its audit notification letter); (d) FRCC awarded a small mitigating credit because the Entity was cooperative (especially on the senior management level) throughout the compliance enforcement process; and (e) there was no evidence of any attempt to conceal a violation nor evidence of intent to do so.

Penalty: $301,000

FERC Order: No further review (April 30, 2019)

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

Region: Name Redacted

Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
Redacted | CIP-004-6 | R3; Part 3.4 | Medium/ Severe | Compliance Audit (CA) | Redacted | Redacted
Redacted | CIP-004-6 | R4; Part 4.1 | Medium/ Moderate | CA | Redacted | Redacted
Redacted | CIP-005-5 | R1; Part 1.3 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-006-6 | R1; Part 1.3 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-006-3c | R1; R1.6.1 | Medium/ Severe | Redacted | Redacted | Redacted
Redacted | CIP-007-3a | R2 | Medium/ High | CA | Redacted | Redacted
Redacted | CIP-007-3a | R3 | Lower/ High | CA | Redacted | Redacted
Redacted | CIP-007-6 | R3 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-007-6 | R4; Part 4.1 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-007-3a | R5; Part 5.2, 5.3, 5.7 | Lower/ High | CA | Redacted | Redacted
Redacted | CIP-010-2 | R2 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-011-2 | R1 | Medium/ Severe | CA | Redacted | Redacted
Redacted | CIP-005-3a | R2; 2.1, 2.2 | Medium/ Severe | CA | Redacted | Redacted

Issue: Most of the violations described below were discovered during a compliance audit:

(a) CIP-004-6 (R3): A violation of R3 occurred because the Entity did not properly retain the required documentation of personnel risk assessments (PRAs). The Entity did not have an attesting affidavit for one contractor identified in the audit team's sample testing. In addition, the Entity did not verify the performance of the attestations (Part 3.4) associated with PRAs performed by contractors.

(b) CIP-004-6 (R4): A violation of R4 occurred because the Entity didn't have sufficient controls over the distribution of physical keys, which led to the improper provisioning of physical keys to employees without authorization.

(c) CIP-005-5 (R1): A violation of R1 occurred because the Entity permitted Internet Control Message Protocol inbound and outbound communications through an Electronic Access Point (EAP) to its medium and high impact BES Cyber Systems without maintaining proper documentation to support the reason for which it granted the communication access.

(d) CIP-006-6 (R1): A violation of R1 occurred because the Entity did not implement 2 or more different physical access controls to restrict unescorted physical access into the foyer of the [details redacted] which was classified by the Entity as a part of a Physical Security Perimeter (PSP).

(e) CIP-006-3c (R1): While reviewing the evidence provided, the audit team discovered several instances where the Entity failed to record the exit time for visitors from the PSP.

(f) CIP-007-3a (R2): A violation of R2 occurred because the Entity did not properly document its need to have logical network accessible ports enabled for certain of its BES Cyber Assets (BCAs). Additionally, the Entity did not properly document that certain of its BCAs did not have a provision for disabling or restricting logical ports nor did it file a Technical Feasibility Exception (TFE) to document the mitigating measures for these BCAs.

(g) CIP-007-3a (R3): A violation of R3 occurred when the Entity's documented processes of cyber security patch management for its BES Cyber Assets did not include procedures for evaluating the applicability of new security patches prior to installation that were consistent with the standard requirements. Specifically, the Entity's process neither appropriately assessed the applicability of new security patches for Cyber Assets nor provided for the retention of tracking records that support the performance of tests of patches.

(h) CIP-007-6 (R3): A violation of R3 occurred because the Entity implemented a network system option through an intrusion detection and prevention system (IDPS) for the Cyber Assets that could not support Cyber Asset-based malware prevention software. In this instance, the 8 Cyber Assets identified by the audit team were outside of the Electronic Security Perimeter (ESP), and thus were not available for protection by the network solution that the Entity had implemented.

(i) CIP-007-6 (R4): A violation of R4 occurred because the Entity implemented a network system option through an intrusion detection and prevention system for the Cyber Assets that could not support Cyber Asset-based malware prevention software. In this instance, the 8 Cyber Assets identified by the audit team were outside of the ESP, and were not available for monitoring and event logging by the network solution that the Entity had implemented.

(j) CIP-007-3a (R5): A violation of R5 occurred because the Entity did not properly identify individuals who had authorized access to shared accounts. In addition, the Entity did not file a TFE for its inability to support alerting for unsuccessful login attempts on a BCA, nor demonstrate its implementation of compensating and/or mitigating measures on the BCA.

(k) CIP-010-2 (R2): A violation of R2 occurred because the Entity didn't have documented processes for investigating detected unauthorized changes to baseline configurations of its BCAs, as required.

(l) CIP-011-2 (R1): A violation of R1 occurred because the Entity didn't properly identify a storage area network Cyber Asset used to store security configurations of its BCAs as a BES Cyber System Information (BCSI) storage location.

(m) CIP-005-3a (R2): A violation of R2 occurred because the Entity's documentation was insufficient to demonstrate that it uses an access control model such that explicit access permissions are specified. Additionally, the Entity's documentation was insufficient to demonstrate (1) that it enabled only ports and services required for operations and for monitoring Cyber Assets within the ESP; and (2) that the Entity documented, individually or by specified grouping, the configuration of those ports and services.

Findings:

(a) CIP-004-6 (R3): The root cause of this violation was inadequate procedures. No Entity staff were actively involved in verifying the assessment criteria or results, and the completion of the PRA was only verified through a signed affidavit by the contractor conducting the assessment. Additionally, the Entity failed to implement the flawed procedure, which required the Entity to obtain and retain signed affidavits for completion of contractor PRAs. The violation was found to pose a minimal risk to the reliability of the Bulk Power System (BPS).

(b) CIP-004-6 (R4): The root cause of the violation was insufficient procedures that lacked specific details on how to manage physical access keys. It was determined that the violation posed a minimal risk to the BPS's reliability.

(c) CIP-005-5 (R1): The root cause of this violation was insufficient procedures that lacked the granularity necessary to ensure that each access rule had its need and reason clearly documented. The lack of clear guidance allowed multiple failures of this type, in which subject matter experts either did not address the potential access permissions on Electronic Access Points (EAPs) or managed EAP configurations according to their own professional judgment and experience. It was determined that the violation posed a moderate risk to the BPS's reliability.

(d) CIP-006-6 (R1): The root cause of this violation was a lack of clarity in the Entity's physical security plan and inadequate procedures for how the Entity should implement access control and management, particularly in unique or complicated facilities. The violation was found to pose a minimal risk to the BPS's reliability.

(e) CIP-006-3c (R1): The root cause of the noncompliance was inadequate processes and internal controls for reviewing logs, and deficient training of escorts. This violation posed a minimal risk to the BPS's reliability.

(f) CIP-007-3a (R2): The root cause of this noncompliance was inadequate processes, including a lack of controls to ensure that the Entity enabled only those logical network accessible ports and services deemed necessary, gathered appropriate vendor documentation to support cases where ports could not be technically disabled, or filed an appropriate TFE. The violation was found to pose a serious or substantial risk to the BPS's reliability.

(g) CIP-007-3a (R3): The root cause of the noncompliance was a lack of adequate processes and controls around the evaluation of security patches. The violation was found to pose a serious or substantial risk to the BPS's reliability.

(h) CIP-007-6 (R3): The root cause of this violation was inadequate processes and a lack of controls around the deployment of malware prevention protections. Where the Entity, at the suggestion of device vendors, did not use Cyber Asset-level malware prevention, it also did not research or use a BES Cyber System-level approach to malware prevention. It was determined that the violation posed a serious or substantial risk to the BPS's reliability.

(i) CIP-007-6 (R4): The root cause of this violation was inadequate processes and a lack of controls around properly identifying each Cyber Asset's ability to perform event logging and generate alerts. It was determined that the violation posed a serious or substantial risk to the BPS's reliability.

(j) CIP-007-3a (R5): The root cause of this violation was inadequate processes and a lack of controls for system access controls, including identifying and documenting shared accounts and limiting the number of unsuccessful authentication attempts or generating alerts after a threshold of unsuccessful authentication attempts. It was determined that the violation posed a serious or substantial risk to the BPS's reliability.

(k) CIP-010-2 (R2): The root cause of this violation was a lack of documented steps for recording and investigating detected unauthorized changes. It was determined that this violation posed a minimal risk to the BPS's reliability.

(l) CIP-011-2 (R1): The root cause of this violation was the lack of a documented methodology that included a detailed assessment to account for all locations that may contain BCSI. It was determined that this violation posed a moderate risk to the BPS's reliability.

(m) CIP-005-3a (R2): The root cause for this violation was inadequate processes and a lack of controls around access control such that explicit access permissions are specified. The violation was found to pose a serious or substantial risk to the BPS's reliability.

In its penalty assessment, the following factors were considered: (a) the instant violations were considered repeat noncompliance with the subject NERC Reliability Standards, and the Entity's compliance history with CIP-004 R4, CIP-005 R2, and CIP-007 R2, R3, R4, R5 and R6 was considered an aggravating factor; (b) the fact that the Entity had an internal compliance program at the time of the violations was considered a neutral factor; (c) the Entity was cooperative throughout the compliance enforcement process; and (d) there was no evidence of any attempt to conceal a violation, nor evidence of intent to do so.

Penalty: $1,000,000

FERC Order: No further review (August 30, 2019)

NP19-4-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP19-11-000: Unidentified Registered Entity

Region: REDACTED

NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
XXX2017018032 | CIP-004-6 | R3, 3.4 | Medium/Severe | Compliance Audit | 7/1/2016 | 2/28/2018
XXX2017018036 | CIP-004-6 | R4, 4.1 | Medium/Severe | Compliance Audit | 7/6/2016 | 7/6/2016
XXX2017018037 | CIP-005-5 | R1, 1.3 | Medium/Severe | Compliance Audit | 7/1/2016 | 9/18/2018
XXX2017018039 | CIP-006-3c | R1, 1.6.1 | Medium/Severe | Compliance Audit | 3/1/2015 | 12/15/2017
XXX2017018038 | CIP-006-6 | R1, 1.3 | Medium/Severe | Compliance Audit | 12/7/2016 | 10/31/2017
XXX2017018040 | CIP-007-3a | R2 | Medium/Severe | Compliance Audit | 12/19/2013 | 8/17/2018
XXX2017018043 | CIP-007-3a | R3 | Lower/Severe | Compliance Audit | |
XXX2017018044 | CIP-007-6 | R3 | Medium/Severe | Compliance Audit | |
XXX2017018046 | CIP-007-3a | R5 | Medium/Severe | Compliance Audit | |
XXX2017018045 | CIP-007-6 | R4 | Lower/Severe | Compliance Audit | |
XXX2017018047 | CIP-010-2 | R2 | Medium/Severe | Compliance Audit | |
XXX2017018048 | CIP-011-2 | R1 | Medium/Severe | Compliance Audit | |

Issues:

It was determined that, in violation of CIP-004-6, (a) the URE had not implemented a personnel risk assessment (PRA) program that included a process or criteria for verifying that PRAs performed by contractors were actually conducted, and (b) the URE did not have sufficient controls over the distribution of physical keys, which led to the improper provisioning of a physical key to an employee without authorization.

It was further determined that, in violation of CIP-005-5, the URE permitted Internet Control Message Protocol (ICMP) communication inbound and outbound through an Electronic Access Point (EAP) to its High and Medium Impact BES Cyber Systems (BCSs) without maintaining documentation supporting the reason it granted that access.

It was further determined that (a) in violation of CIP-006-3c, the URE did not maintain complete visitor access control logs for one facility containing High Impact BCSs, and (b) in violation of CIP-006-6, the URE had not implemented two or more different physical access controls to restrict unescorted physical access into a certain Physical Security Perimeter (PSP).

It was further determined that (a) in violation of CIP-007-3a R2, the URE did not properly document the need for enabled BES Cyber Asset (BCA) logical network accessible ports, and did not provide evidence that a certain device had no provision for restricting or disabling ports; (b) in violation of CIP-007-3a R3, the URE did not assess security patches prior to deployment into the production environment; and (c) in violation of CIP-007-3a R5, the URE did not identify all individuals with access to shared accounts and, where it had Cyber Assets that could not limit unsuccessful authentication attempts or generate alerts after a threshold of unsuccessful authentication attempts, failed to document compensating measures in a filed Technical Feasibility Exception (TFE).
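The R5 finding above, like the first record's items (j), comes down to two controls a Cyber Asset must have, or a TFE must excuse: limiting unsuccessful authentication attempts, or alerting once they cross a threshold. The following is an added example, not code from the filing or from the URE, of the alerting half run over constructed authentication log lines. The log format, host names, account names, addresses, and the threshold of five failures in fifteen minutes are all assumptions.

```python
"""Threshold alerting on unsuccessful authentication attempts (CIP-007 R5).

Added example; not code from the filing or the entity. The log format, host
names, account names and addresses below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumption: one event per line as
# "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>").
SAMPLE_LOG = """\
2018-03-01T10:00:01 ems-hmi01 sshd: Failed password for operator from 10.1.1.20
2018-03-01T10:00:15 ems-hmi01 sshd: Failed password for operator from 10.1.1.20
2018-03-01T10:00:40 ems-hmi01 sshd: Failed password for operator from 10.1.1.20
2018-03-01T10:01:02 ems-hmi01 sshd: Accepted password for operator from 10.1.1.20
2018-03-01T10:05:00 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:05:03 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:05:07 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:05:09 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:05:12 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:05:14 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
2018-03-01T10:40:00 rtu-gw02 sshd: Failed password for admin from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(lines):
    """Yield parsed authentication events; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"],
                "user": m["user"],
                "ip": m["ip"],
                "failed": m["result"] == "Failed",
            }


def detect_failed_logins(lines, threshold=5, window=timedelta(minutes=15)):
    """Raise one alert per (host, account) the first time `threshold` failures
    land inside a sliding `window`. A successful login clears that account's
    failure history, and failures older than the window are discarded, so a
    slow trickle of failures does not accumulate into an alert."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in parse_events(lines):
        key = (ev["host"], ev["user"])
        if not ev["failed"]:
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "source": ev["ip"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "alert_at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed input the operator's three failures on ems-hmi01 never reach the threshold and are cleared by the successful login, while the admin account on rtu-gw02 trips the alert on its fifth failure; the isolated failure 35 minutes later falls outside the window and is not counted. Keying on (host, account) catches a brute-force attempt against one account; keying on source address as well would additionally catch a spray of single attempts across many accounts. For an asset that cannot emit logs of this kind at all, which is the situation the R5 finding describes, the standard's path is a TFE with documented compensating measures, not silence.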

It was further determined that (a) in violation of CIP-007-6 R3, the URE did not implement a documented process to deter, detect, or prevent malicious code on Cyber Assets associated with High Impact BCSs; (b) in violation of CIP-007-6 R4, the URE did not implement a process to log events for the identification and after-the-fact investigation of Cyber Security Incidents on Cyber Assets associated with High Impact BCSs; (c) in violation of CIP-010-2, the URE did not have documented processes for investigating detected unauthorized changes to its baseline configurations; and (d) in violation of CIP-011-2, the URE did not identify a storage area network (SAN) used to store the configurations of its BCAs as a BES Cyber System Information (BCSI) repository.
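The CIP-010-2 item above, and item (k) in the first record, concern what happens after a baseline deviation is detected: each deviation has to be matched against an approved change and, if none exists, recorded and investigated. The following is an added example, not code from the filing or the URE, of that review step. The baseline fields, device names, observed state and change-ticket register are constructed assumptions.

```python
"""Baseline configuration review with an unauthorized-change queue (CIP-010 R2).

Added example; not code from the filing or the entity. Baseline fields, device
names, the observed state and the change-ticket register are constructed
assumptions. The rule implemented is the one the requirement calls for:
compare current state with the documented baseline and treat every deviation
without an approved change record as unauthorized.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    os: str
    software: frozenset   # installed software, e.g. "ems-core 5.2"
    ports: frozenset      # listening (proto, port) pairs
    patches: frozenset    # applied security patches


# Documented baselines (constructed).
BASELINE = {
    "ems-app01": Baseline("RHEL 7.4",
                          frozenset({"ems-core 5.2", "openssh 7.4"}),
                          frozenset({("tcp", 22), ("tcp", 443)}),
                          frozenset({"RHSA-2017:3071"})),
    "rtu-gw02": Baseline("Linux 4.9 vendor image",
                         frozenset({"gw-fw 2.1"}),
                         frozenset({("tcp", 22), ("tcp", 20000)}),
                         frozenset()),
}

# State collected from the devices on the monitoring date (constructed).
# rtu-gw02 is absent: collection failed, which is itself a finding.
OBSERVED = {
    "ems-app01": Baseline("RHEL 7.4",
                          frozenset({"ems-core 5.3", "openssh 7.4", "nmap 7.60"}),
                          frozenset({("tcp", 22), ("tcp", 443), ("tcp", 8080)}),
                          frozenset({"RHSA-2017:3071", "RHSA-2018:0008"})),
}

# Approved change records: (device, field, value) -> ticket (constructed).
# CHG-1042 covers the ems-core upgrade and the patch bundled with it.
APPROVED = {
    ("ems-app01", "software", "ems-core 5.2"): "CHG-1042",
    ("ems-app01", "software", "ems-core 5.3"): "CHG-1042",
    ("ems-app01", "patches", "RHSA-2018:0008"): "CHG-1042",
}


def diff_baseline(base, cur):
    """Yield (field, kind, value) for each difference from the baseline."""
    if base.os != cur.os:
        yield ("os", "changed", cur.os)
    for fld in ("software", "ports", "patches"):
        for v in sorted(getattr(cur, fld) - getattr(base, fld), key=str):
            yield (fld, "added", v)
        for v in sorted(getattr(base, fld) - getattr(cur, fld), key=str):
            yield (fld, "removed", v)


def review_baselines(baselines, observed, approved):
    """Return one finding per deviation. A deviation with an approved change
    record is 'authorized'; anything else is 'unauthorized'. A device with no
    collected state is reported as a monitoring gap rather than silently
    treated as unchanged."""
    findings = []
    for device, base in baselines.items():
        cur = observed.get(device)
        if cur is None:
            findings.append({"device": device, "field": None, "change": "no state collected",
                             "value": None, "status": "gap", "ticket": None})
            continue
        for fld, kind, value in diff_baseline(base, cur):
            ticket = approved.get((device, fld, value))
            findings.append({
                "device": device, "field": fld, "change": kind, "value": value,
                "status": "authorized" if ticket else "unauthorized",
                "ticket": ticket,
            })
    return findings


def investigation_queue(findings):
    """Unauthorized deviations that must be investigated and documented."""
    return [f for f in findings if f["status"] == "unauthorized"]


if __name__ == "__main__":
    for finding in review_baselines(BASELINE, OBSERVED, APPROVED):
        print(finding)
```

On the constructed data the ems-core upgrade and its patch are matched to CHG-1042 and closed as authorized, while the new nmap package and the listener on tcp/8080 have no change record and land in the investigation queue; rtu-gw02 is reported as a gap because no state was collected. CIP-010-2 R2 requires this comparison at least once every 35 calendar days, and the output of each run, including the disposition of every unauthorized item, is the evidence the audit team looked for and did not find.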

Finding: The violations of CIP-004-6, CIP-006-6, CIP-006-3c and CIP-010-2 were found to pose minimal risk, not serious or substantial risk. The violations of CIP-011-2 and CIP-005-5 were found to pose moderate risk. The violations of CIP-007-3a and CIP-007-6 were found to pose serious risk to the reliability of the Bulk Power System (BPS). The URE undertook an extensive Mitigation Plan, outlined in the Notice of Penalty filed with NERC, including a preliminary root cause analysis and the implementation of updated procedures responsive to the weaknesses in the URE's policies.

Penalty: $1,000,000

FERC Order: Issued May 30, 2019 (no further review)

NP19-4-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP18-9-000: Unidentified Registered Entity 1 (RFC_URE1)

Region: MRO

NERC Violation ID | Standard | Requirement | VRF/VSL | Discovery Method | Start Date | End Date
RFC2016016443 | CIP-004-6 | R4 | Medium/High | Self-Report | N/A | N/A
RFC2016016442 | CIP-006-3c | R1 | Medium/Severe | Self-Report | 10/13/2016 | 1/26/2018
RFC2016016444 | CIP-004-6 | R5 | Medium/Lower | Self-Report | 10/2/2017 | 11/29/2017

 

Issue: CIP-004-6 R4

RFC_URE1 submitted a Self-Report to ReliabilityFirst stating that it was in violation of CIP-004-6 R4. This violation includes six separate instances.

This noncompliance involves the management practices of asset and configuration management, verification, and workforce management. Asset and configuration management is involved because the entity consistently failed to timely remove and grant authorized unescorted physical and electronic access. The entity did not have an effective internal control in place to ensure that access was properly removed and granted, and that lack of an effective internal control is a root cause of this noncompliance. The entity was also heavily reliant on manual processes that were subject to human error. Verification is also involved because the entity did not consistently or effectively verify that its access revocations and grants were proper. Workforce management is involved because the entity did not properly train its employees to timely remove and grant authorized unescorted physical and electronic access.

CIP-006-3c

RFC_URE1 submitted a Self-Report to ReliabilityFirst stating that it was in violation of CIP-006-3c R1. During its quarterly review and evaluation of its visitor logs, the entity discovered that several visitor log entries were incomplete, missing either an exit time, a date, or an escort name. The logs themselves were retained and contained all other required information. The entity conducted a forensic analysis to try to recover the missing information but was unable to obtain and verify it.

This noncompliance involves the management practices of verification, validation, and workforce management. Verification is involved because the entity failed to verify that the log entries were being correctly filled out. The entity did not have an effective internal control in place to ensure that the logs were always being correctly filled out. That lack of an effective internal control is a root cause of this noncompliance. Weaknesses in workforce management are also involved because the employees responsible for filling out the logs were not properly trained on how to always correctly fill out the logs.

CIP-004-6 R5

RFC_URE1 submitted a Self-Report to ReliabilityFirst stating that it was in violation of CIP-004-6 R5. An entity employee transferred from a market function position with authorized unescorted physical access and electronic access to a subset of High Impact Bulk Electric System (BES) Cyber Systems to a transmission function position with authorized unescorted physical access and electronic access to a different set of High Impact BES Cyber Systems. The electronic access from the prior position, which the employee no longer required, was not removed until approximately three months later. The entity discovered this violation during a quarterly review and mitigated it with the implementation of its system tool.

This noncompliance involves the management practices of verification, validation, and workforce management. Verification is involved because the entity failed to verify that employee's prior electronic access was removed once the employee transferred positions. The entity did not have an effective internal control in place to ensure that the employee's prior electronic access was timely removed when he transferred roles. That lack of an effective internal control is a root cause of this noncompliance. Weaknesses in workforce management are broadly involved because multiple violations arose from an inability to properly manage access for employees in temporary or transitional roles.
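Both the R4 and the R5 self-reports above trace back to the same missing control: nothing reconciled the access actually granted against what each person's current role justified. The following is an added example of that reconciliation, not the entity's system tool and not code from the filing. The roles, entitlements, HR transfer record and access export are constructed. CIP-004-6 R5 ties the revocation deadline for a transfer to the date the entity determines the access is no longer needed; the example simplifies that to a fixed number of days after the transfer date (`grace_days`, an assumption).

```python
"""Reconciling granted access against current role entitlements (CIP-004 R4/R5).

Added example; not the entity's tool and not code from the filing. Roles,
entitlements, the HR transfer record and the access export are constructed.
The revocation deadline is modelled as `grace_days` after the transfer date,
which is a simplification of the standard's wording (an assumption).
"""
from datetime import date, timedelta

# Entitlements each role is authorized to hold (constructed).
ROLE_ENTITLEMENTS = {
    "market-ops": {"mkt-ems-app", "mkt-psp-control-center"},
    "transmission-ops": {"tx-ems-app", "tx-psp-control-center"},
}

# HR record: user -> (current role, date that role became effective) (constructed).
HR = {
    "u1001": ("transmission-ops", date(2017, 10, 2)),   # transferred from market-ops
    "u1002": ("market-ops", date(2016, 1, 4)),
}

# Export from the access control systems: (user, entitlement) pairs (constructed).
ACCESS = {
    ("u1001", "mkt-ems-app"),             # left over from the prior role
    ("u1001", "tx-ems-app"),              # tx-psp-control-center was never granted
    ("u1002", "mkt-ems-app"),
    ("u1002", "mkt-psp-control-center"),
    ("u1003", "tx-ems-app"),              # no HR record at all
}

REVIEW_DATE = date(2017, 11, 29)   # date of the quarterly review (constructed)


def reconcile_access(hr, access, role_entitlements, as_of, grace_days=1):
    """Return every granted entitlement that the holder's current role does not
    justify, with how many days it is past the revocation deadline. Access held
    by someone with no HR record is reported too: an unknown identity is never
    authorized by default."""
    findings = []
    for user, ent in sorted(access):
        if user not in hr:
            findings.append({"user": user, "entitlement": ent,
                             "reason": "no HR record for holder", "days_overdue": None})
            continue
        role, effective = hr[user]
        if ent in role_entitlements.get(role, set()):
            continue
        deadline = effective + timedelta(days=grace_days)
        findings.append({
            "user": user, "entitlement": ent,
            "reason": f"not required by current role '{role}'",
            "deadline": deadline.isoformat(),
            "days_overdue": max(0, (as_of - deadline).days),
        })
    return findings


def missing_access(hr, access, role_entitlements):
    """Entitlements a role requires that the holder does not have. The same
    review that catches stale access also catches grants that were never made."""
    held = {}
    for user, ent in access:
        held.setdefault(user, set()).add(ent)
    return sorted((user, ent)
                  for user, (role, _) in hr.items()
                  for ent in role_entitlements.get(role, set()) - held.get(user, set()))


if __name__ == "__main__":
    for finding in reconcile_access(HR, ACCESS, ROLE_ENTITLEMENTS, as_of=REVIEW_DATE):
        print("stale:", finding)
    for user, ent in missing_access(HR, ACCESS, ROLE_ENTITLEMENTS):
        print("never granted:", user, ent)
```

Run against the constructed data on the review date, the stale market-function access of the transferred employee surfaces as 57 days overdue, the account with no HR record is flagged, and the transmission PSP entitlement that was never granted shows up on the missing side. Running the same reconciliation daily, with an HR feed as the source of truth, is the internal control the self-reports say was absent; a quarterly review, which is how the entity found the R5 instance, bounds the exposure at three months.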

Finding: CIP-004-6 R4

This violation posed a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) based on the following factors. The risk posed by this violation is that access by unauthorized personnel could result in harm to the integrity of BES Cyber Systems or the reliability of the BPS through intentional compromise or misuse. Further elevating the risk, several of the instances could have been exploited to cause harm to BES Cyber Assets (BCAs) and thus could have had an impact on the BPS. The two instances that posed the most significant risk were allowing individuals access to jump hosts, which are a defense against unauthorized Interactive Remote Access into an Electronic Security Perimeter, and allowing individuals administrative access to Windows BCAs. The risk is moderated because each of the six instances was discovered and reported quickly and had a relatively short duration. The risk is further moderated because all individuals in each of the six instances had previously completed NERC CIP training and had up-to-date PRAs. Lastly, there was no actual impact to the BPS. No harm is known to have occurred.

CIP-006-3c

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) based on the following factors. The risk posed by this violation is the opportunity for a bad actor to physically access Cyber Assets that are not protected by the implementation of a physical security plan and effective logging. The risk is minimized because the violation is mostly a documentation issue. Although some of the logs were missing certain pieces of information, the entity still had the logs, and those logs recorded all visitors entering and exiting the Physical Security Perimeter (PSP), the controlled area. Even incomplete, the logs still reduce the risk that a bad actor could physically access and damage Cyber Assets. Lastly, there is no evidence of any unauthorized access or harm to any Cyber Assets during the violation. No harm is known to have occurred.

CIP-004-6 R5

This violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) based on the following factors. The risk posed by this violation is allowing an individual to access BES Cyber Systems when that individual is no longer authorized to have such access. The risk is minimized because the individual in question had completed an up to date NERC CIP training and a current Personnel Risk Assessment (PRA). No harm is known to have occurred.

Penalty: $0

FERC Order: Issued March 29, 2018

NP18-9-000: Unidentified Registered Entity 1 (RFC_URE1)

Please search for this docket no. here ››
