Publications & Events
Alert

NERC Case Notes: Reliability Standard CIP-006-6

White & Case NERC Database
Click here to return to the main page at whitecase.com/nerc

Unidentified Registered Entity 1 (SERC_URE1), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2016016373

Reliability Standard: CIP-006-6

Requirement: R2, R2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: SERC_URE1 filed a Self-Report, and five expansions of scope to the Self-Report, reporting that it had not provided continuous escorted access of a visitor within a Physical Security Perimeter (PSP) on six occasions. SERC_URE1 employees had left contractor(s) alone for durations ranging from seconds to approximately 12 minutes. SERC_URE1 determined the root cause to be inadequate training for employees, which led to human performance errors in which the employees did not comport with internal procedures requiring continuous escorted access of all visitors and contractors within the PSP.

Finding: SERC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. By allowing visitors and contractors unsupervised access inside a PSP, SERC_URE1 could have been vulnerable to physical damage inflicted to the control house, producing instability in its operations. However, SERC_URE1 employees logged in the visitors and contractors and the timeframe of each violation was short. The duration of the violation started upon the first instance in which SERC_URE1 left a visitor unescorted within a PSP and lasted until the last instance of an unescorted visitor. SERC considered SERC_URE1’s compliance program as a neutral factor and did not deem its compliance history as an aggravating factor because prior noncompliances involved different subrequirements and different root causes. To mitigate the violation, SERC_URE1 performed training for each of the employees involved, instituted and communicated an escalating method of sanctions for SERC_URE1 employees, contract employees, and vendors for repeat violations, and developed and implemented an enhanced visitor control program.

Penalty: $95,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (SERC_URE1), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2016016497

Reliability Standard: CIP-006-6

Requirement: R1, P1.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: After a janitorial contractor was allowed unauthorized unescorted physical access into a Physical Security Perimeter (PSP), SERC_URE1 submitted a Self-Report citing the malfunction of at least one physical access control into the PSP. The door to the PSP, containing one High Impact BES Cyber System, had a broken security latch, was not secured properly upon the last access, and opened after the contractor swiped his/her badge. However, following entry, an immediate forced entry alarm was triggered and SERC_URE1 security staff responded promptly to ensure no malicious activity had occurred and initiated a repair order for the broken security latch on the door. As SERC_URE1 performed its assessment and evaluation of this violation, it reported additional issues as expansions of scope. These issues related to unauthorized unescorted access to PSP areas due to various door failures, ranging from broken security latches to an unauthorized unescorted employee gaining PSP access as another employee with authorized unescorted access permissions exited the facility. SERC_URE1 identified the root causes of these violations to be inadequate training and equipment failure.

Finding: SERC found the violation constituted a minimal risk and did not pose a serious or substantial risk to the reliability of the Bulk Power System. The failure to control and restrict access to unauthorized unescorted visitors could have permitted individuals without proper training, risk assessment, and authorization to damage or alter BES Cyber Assets. However, all instances of the violation were brief, ranging from 13 seconds to 12 minutes, and in each scenario, SERC_URE1 security staff responded immediately upon the activation of forced entry door alarms. The duration of the violation started upon the first instance when SERC_URE1 employees or contractors accessed the PSPs without authorized unescorted physical access and lasted through the final instance. SERC considered SERC_URE1’s compliance program as a neutral factor and determined there were no prior relevant instances of noncompliance that warranted further scrutiny. To mitigate the violation, SERC_URE1, among other steps, assessed and repaired the damaged doors, installed video feeds and alternative measures to ensure continuous monitoring, trained the individuals involved, developed a list of maintenance and testing activities, and reinforced the security requirements at a briefing conducted for all individuals in affected business units.

Penalty: $95,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP18-26-000 (September 27, 2018)

NERC Violation ID: NPCC2017017596

Reliability Standard: CIP-006-6

Requirement: R1: P1.6, P1.7

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: Following a compliance concern submitted by NPCC_URE1 staff, an internal investigation was conducted regarding the reported incident in accordance with NPCC_URE’s NERC Reliability Standards compliance program. During the internal investigation, NPCC_URE1 found three instances of potential unauthorized access to one Physical Access Control System (PACS). In each of the three instances, the room door was either propped open or the latch was disabled, therefore potentially enabling unauthorized access to the PACS. The three intervals of noncompliance ranged from 1 hour and 54 minutes to 7 hours and 38 minutes. NPCC found that the violations were largely attributable to a lack of understanding on behalf of NPCC_URE1 technicians whose actions did not comport with established physical security policies and procedures.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). NPCC_URE1 found no evidence of physical tampering or evidence of attempts to gain unauthorized electronic access throughout the duration of the three incidents. While there was a risk of physical damage to the PACS network switch, communication with card reader entry control panels and various PACS servers would have continued to be operational using the last known configuration and an alternate PACS monitoring workstation. The duration of the violation was from the date that NPCC_URE1 failed to follow its NERC CIP Physical Security Plan through the date that NPCC_URE1 resumed following its Physical Security Plan. NPCC considered the internal compliance program and self-report by NPCC_URE1 to be mitigating factors in the penalty determination. Following the violation, NPCC_URE1 management held an oral briefing with technicians to emphasize the importance of maintaining physical security, conducted refresher training with security staff, and implemented various system improvements and refinements including new signage and electronic prompts with instructions for system users.

Penalty: $0

FERC Order: Issued September 27, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2016015862

Reliability Standard: CIP-006-6

Requirement: R1, P1.1, 1.1, 1.3, 1.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: During a transitional audit of an unidentified entity’s Critical Infrastructure Procedure (CIP) Version 3 to CIP Version 5, WECC auditors provided the entity with an Areas of Concern report in accordance with NERC guidance for CIP Version 5 transition audits. After receiving the audit report, the entity submitted a Self-Report that indicated a wide range of issues identified with the implementation of the reliability standards. These issues included not ensuring that all protective measures required by the reliability standard were met for a room that served both as conference room and Physical Security Perimeter (PSP), and utilizing mechanical locks and keys that were not managed with physical security plan-defined operational or procedural controls. Furthermore, although entry through a number of PSP access doors would be treated as an intrusion and generate a security response, the emergency release handles on those doors did not require any type of authentication to gain access. Other violations included failing to ensure a two-factor authentication to a PSP access point and failing to implement continuous monitoring of windows, glass, and hatches for intrusion detection when PSP motion sensors were disabled. The root cause of these violations was the lack of open and coordinated communication. Specifically, the entity’s different departments were not communicating or collaborating effectively during its implementation of CIP Version 5.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. WECC noted that the entity failed to define operation or procedural controls to restrict physical access, utilize physical access controls, and monitor for unauthorized access. However, the entity had implemented good internal controls in that all of its Physical Access Control Systems (PACS) were within a designated PSP and monitored, and there was a limited number of people, all of whom had Personnel Risk Assessment, with access to the PSPs. Furthermore, the cabinets that housed the PACS control panels included tamper alarms, which would alert security officers if a cabinet was inappropriately accessed. The access tunnels were monitored around the clock, in addition to the triggering of an alarm if a handle was used. Finally, authentication, logging, and monitoring of physical access was captured for all individuals that entered through the tunnel, which was the only way into the PSPs. There is no noted violation start date, but the violation ended on July 19, 2017, when the entity remediated all the issues. WECC considered the entity’s internal compliance program to be a neutral factor in the penalty determination and found that there were no relevant instances of noncompliance in the entity’s compliance history. To mitigate the violations, the entity, among other things, developed a key control program for alternate access to PACS servers, changed the filed site locations, reviewed each of the site’s tunnels and hatches for conformance to its physical security standards, collected and inventoried all assigned key to the primary Control Center; developed and implemented a procedure for primary Control Center key control, updated the Physical Security Plan, enhanced the training program and procedures between AMS and Dispatch, and implemented a script for contractors to read as part of their enhanced procedures between AMS and Dispatch.

Penalty: No penalty

FERC Order: July 31, 2019 (no further review)