
NERC Case Notes: Reliability Standard CIP-005-5

White & Case NERC Database

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)

NERC Violation ID: NPCC2018019849

Reliability Standard: CIP-005-5

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: Following a compliance audit, NPCC determined that an unidentified entity failed to identify the reason for granting inbound and outbound access permissions on Electronic Access Points (EAPs) for one Medium Impact Bulk Electric System (BES) Cyber System. Specifically, several firewall rules within two (2) Medium Impact Electronic Access Control and/or Monitoring Systems (EACMS) that provide EAPs to Medium Impact BES Cyber Systems either had unknown reasons or were firewall rules that were no longer necessary. The root causes of this violation were a lack of regular review and an undue reliance on a single person, who was responsible for the review of firewall rules.

Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Although unnecessary EAP rules and unknown active firewall rules can provide paths into the Electronic Security Perimeter (ESP), the firewall did have rules restricting access to and from the ESP. The violation began on July 1, 2016, when the entity failed to identify the reason for granting inbound and outbound access permissions, and ended on June 6, 2018, when the entity identified the reason for granting the access permissions and updated its firewall rules. NPCC considered the internal compliance program and determined that it was a neutral factor. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity reviewed and updated its firewall rules and initiated a process to review vulnerability action plans quarterly, which includes additional staffing.

Penalty: $84,000

FERC Order: October 31, 2019

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)

NERC Violation ID: NPCC2018019848

Reliability Standard: CIP-005-5

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: During a compliance audit, NPCC determined that an unidentified entity failed to utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access did not directly access the entity’s Medium Impact Bulk Electric System (BES) Cyber Assets. The root cause of this violation was misinterpretation of both the standard and the recommended solutions provided by NERC.

Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system. Although a failure to utilize an Intermediate System can lead to attacks on and unauthorized access to the entity’s Medium Impact BES Cyber Systems, no harm occurred as a result of this violation. The violation began on November 18, 2016, when the entity failed to utilize the Intermediate System, and ended on June 7, 2018, when the entity disabled the interactive remote access. NPCC deemed the entity’s internal compliance program to be a neutral factor in the penalty determination and, after reviewing the entity’s compliance history, found that there were no relevant instances of noncompliance. To mitigate the violation, the entity disabled Virtual Private Network connections and designed and implemented a new Interactive Remote Access solution as an alternate system.

Penalty: $84,000

FERC Order: October 31, 2019

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017017885

Reliability Standard: CIP-005-5

Requirement: R2, P2.3

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: Western Electricity Coordinating Council (WECC)

Issue: In a June 30, 2017 Self-Report, an unidentified entity reported that while performing an internal controls assessment in February 2017, it discovered that Information Technology (IT) cybersecurity personnel were using a legacy intermediate device (ID) for Interactive Remote Access (IRA), which did not require multi-factor authentication to remotely access Protected Cyber Assets (PCAs) within various ESPs for High Impact BES Cyber Systems (HIBCS) and Medium Impact BES Cyber Systems (MIBCS). IT cybersecurity personnel had been instructed to utilize the new IRA system rather than the legacy ID. However, because the entity had not removed the firewall rules that allowed remote access to the various ESPs through the legacy ID, IT cybersecurity personnel continued to use the legacy ID Internet Protocol (IP) address to connect to the various ESPs. The root causes of the violation were inadequate internal controls and follow-up. Specifically, the entity did not have controls in place to ensure that personnel were using the appropriate and authorized IRA system and that firewall rules prevented access through the legacy device.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. While the entity failed to require multi-factor authentication for all IRA sessions accessing HIBCS and MIBCS, it had strong internal controls that lowered the likelihood of a malicious actor gaining access. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on April 4, 2017, when the entity removed the firewall access rules for the source IP that allowed connection to the various ESPs. WECC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, WECC determined the entity’s compliance history to be an aggravating factor in the penalty determination. The entity also did not receive mitigating credit for cooperation or self-reporting, since it did not quickly address the violations, determine the facts, or timely report the mitigation, as evidenced by the 362 days it took the entity to submit a Self-Report. To mitigate the violation, the entity, among other things, removed user access to the ESPs from the unauthorized ID, developed new rules to improve firewall management and tracking, validated connectivity, and implemented training.

Penalty: $80,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2018019006

Reliability Standard: CIP-005-5

Requirement: R1, P1.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: An unidentified entity submitted a Self-Report on January 19, 2018 noting that on April 3, 2017, while working on Transient Cyber Asset Access Control Lists (ACLs), the entity discovered that reasons for granting access were missing from the Electronic Access Points (EAPs) to the Electronic Security Perimeters (ESPs) of different Medium Impact BES Cyber Systems (MIBCS) at switching stations. On the same day it discovered the violation, the entity remedied it by adding the appropriate reasons for granting access to the ACLs on the ESP and saving the EAP configurations. The root cause of the violation was a lack of written communication: the task of reviewing all ACLs to ensure that the reason for granting access was properly documented was not part of the entity’s CIP Version 5 transition project plan.

Finding: WECC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. WECC noted that although the entity failed to include the reason for granting inbound and outbound access, the violation was a documentation issue rather than technical in nature. Furthermore, the entity had implemented strong controls, including “hub and spoke” technology, which increased its security posture and provided defense in depth. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on April 3, 2017, when the entity properly documented the reason for granting access within each ACL rule on the EAPs in scope. WECC considered the internal compliance program to be a mitigating factor in the penalty determination, and although the entity did not receive mitigating credit for self-reporting the violation, it did receive mitigating credit for admitting to the violation. Additionally, WECC determined that the entity’s compliance history should not serve as a basis for aggravating the penalty because it involved distinct conduct. The entity did not receive mitigating credit for cooperation or self-reporting, since it did not quickly address the violations, determine the facts, or timely report the mitigation, as evidenced by the 362 days it took the entity to submit a Self-Report. WECC also applied mitigating credit for above-and-beyond improvements, including a System-Wide Transmission Protection Standardization and Upgrade Project, which was undertaken not as the result of a mitigation plan but as a result of the entity’s systematic corrective action planning program. To mitigate the violation, the entity, among other things, added reasons to each of the EAPs and saved the two EAP configurations, created a Security Information and Event Management (SIEM) policy test, updated the Reliability Standard’s procedure documents to include peer review of ACLs, and sent an email to applicable personnel to notify them of the new peer review process.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017016941

Reliability Standard: CIP-005-5

Requirement: R1, P1.5

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: On July 7, 2016, an unidentified entity, through an automated alert from the management console, discovered a configuration issue with Cyber Asset pairs that were classified as Electronic Access Points (EAPs) and configured in a high-availability failover mode. Specifically, a critical configuration setting had been missed in the Intrusion Detection System (IDS) module for each of the EAP pairs. Although all IDS modules had been configured as of July 1, 2016 except for this single setting, because of the missing setting the EAPs had no method for detecting known or suspected malicious communications for both inbound and outbound communications. After the entity submitted a Self-Report on February 6, 2017, WECC determined that the entity failed to have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. The root cause of the violation was inadequate controls for verifying configuration settings.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. Although the entity did not have adequate methods for detecting malicious communications, it had strong controls in place, including a Security Information and Event Management (SIEM) system and multiple monitoring systems and methods. The violation began on July 1, 2016, when the Reliability Standard and Requirement became mandatory and enforceable, and ended on July 14, 2016, when malicious communication detection was reestablished. WECC considered the internal compliance program to be a mitigating factor in the penalty determination, noting that it demonstrates a strong culture of compliance with a focus on improving the reliability and security of the BPS. Additionally, WECC determined that the entity’s compliance history should not serve as a basis for aggravating the penalty because it involved distinct conduct. While the entity received mitigating credit for admitting to the violation and for improvements it made to its system, it did not receive mitigating credit for self-reporting. To mitigate the violation, the entity, among other things, added the missing IDS module configuration to the EAP pairs, created a SIEM policy test, provided training, and upgraded the software level on the affected EAP active/standby pairs.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)