NERC Case Notes: Reliability Standard CIP-004-6
NERC Violation ID: SERC2017018072
Reliability Standard: CIP-004-6
Requirement: R4, P4.1
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: SERC Reliability Corporation (SERC)
Issue: SERC_URE2 failed to implement a process to authorize access into a Physical Security Perimeter (PSP) after a PSP reconfiguration removed existing controls. SERC_URE2 submitted a Self-Report outlining the initial instance, in which the parent company modified three distinct and physically separated areas, two of which were PSPs, by removing the interior fencing and creating one large PSP with no interior barriers. The removal of the fencing also removed the demilitarized zone door previously in the third interior cage, so individuals whose access permissions covered only one of the three original areas could potentially gain unauthorized physical access to BES Cyber Assets. In total, SERC_URE2 permitted eight individuals unauthorized access to multiple Electronic Access Control and/or Monitoring System Cyber Assets within the firewall cage and 18 individuals unauthorized access to Physical Access Control System Cyber Assets within the access control cage. In the second instance, SERC_URE2 submitted an expansion of scope reporting a further noncompliance instance, which stemmed from SERC_URE2 granting electronic access to a new database administrator; this gave the contractor unauthorized access to CIP data. SERC_URE2 identified the root cause of the violation as a manual process that lacked detailed instructions and was commingled with non-CIP access requests.
Finding: SERC found the violation constituted a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By failing to sufficiently control access provisioning, SERC_URE2 could have permitted unauthorized individuals to access and possibly modify settings and cause operational impacts. Ultimately, all individuals involved in the violation had received cybersecurity training and had a valid Personnel Risk Assessment on file. The duration of the first instance started when SERC_URE2 made the PSP modifications that permitted unauthorized access and ended when SERC_URE2 completed a reauthorization process for all individuals who needed access to the modified PSP. The duration of the second instance began when SERC_URE2 granted the contractor access to information he was not authorized to view and ended when it removed the unneeded access permissions. SERC considered SERC_URE2’s internal compliance program as a mitigating factor and determined that the compliance history of SERC_URE2 and its affiliate did not merit an aggravated penalty. To mitigate the violation, SERC_URE2, among other steps, created a new PSP in the access control system and obtained the appropriate authorizations, completed the PSP inspection, created a configuration item for PSP changes and a server administrator job aid that directs individuals to use the configuration item, and trained individuals.
FERC Order: Issued August 30, 2018 (no further review)