NERC Case Notes: Reliability Standard CIP-010-2

White & Case NERC Database

Unidentified Registered Entity 2 (SERC_URE2), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2017018380

Reliability Standard: CIP-010-2

Requirement: R1, P1.4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC Reliability Corporation (SERC)

Issue: SERC_URE2 failed to realize that mandatory cyber controls could be impacted by a change that deviated from the baseline configuration. Following the change, SERC_URE2 also failed to verify that required cyber security controls were not adversely affected. SERC_URE2 submitted a Self-Report stating the violation was the result of the failure of an information security specialist to determine what CIP security controls could have been impacted before initiating a change that deviated from the baseline configuration for Electronic Access Control and/or Monitoring System servers that provided network authentication services to all CIP networks of SERC_URE2’s parent company. Through interviews and observations, SERC_URE2 conducted an investigation into the matter and determined that the personnel responsible for patching the domain servers relied on prior experience to assume that patching changes would not impact existing cyber security controls, and subsequently, the personnel failed to both document the changes and to verify that no security controls had been affected. SERC_URE2 identified the root causes of the violation to be a lack of comprehensive work procedures and checklists, exacerbated by a lack of management oversight and appropriate internal controls. Further, SERC_URE2 used different cyber security control testing procedures for patching all other assets.

Finding: SERC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By its failure to document the security controls that could be impacted, SERC_URE2 could have permitted changes to be made, resulting in unforeseen impacts to its security controls. This violation involved a two-person team responsible for patching the specific domain servers. The domain servers did not provide access to any critical applications and only provided network authentication. The duration of the violation started when the Standard became mandatory and enforceable on SERC_URE2 and ended when SERC_URE2 completed training and updated its procedures. SERC considered SERC_URE2’s internal compliance program as a mitigating factor, and the compliance history of SERC_URE2 and its affiliate to be an aggravating factor. To mitigate the violation, SERC_URE2, among other steps, executed cyber security controls validation, improved domain controller procedures, and implemented and trained employees on a central services compliance checklist.

Penalty: $220,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP20-3-000 (October 31, 2019)

NERC Violation ID: NPCC2018019845

Reliability Standard: CIP-010-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: A compliance audit revealed that an unidentified entity failed to document the planned completion date or the status of its 2018 Cyber Vulnerability Assessment (CVA). The root causes of this violation were the lack of regular review by the entity and an undue reliance on a single person who, at the time of the audit, was responsible for overseeing the vulnerability assessments.

Finding: NPCC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. By allowing vulnerabilities to go unmitigated, an attacker could take advantage of technical flaws and configuration errors and ultimately gain control of one Medium Impact Bulk Electric System Cyber System. The duration of the violation started on July 1, 2016 when the entity failed to document the planned completion date and/or the status of the CVA findings and ended on June 6, 2018 when the entity documented the completion date and/or the status of the CVA findings. NPCC reviewed the entity’s internal compliance program and considered it to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity updated its mitigation plans before the audit was complete and initiated a process to review vulnerability assessment action plans quarterly with additional staffing.

Penalty: $84,000

FERC Order: October 31, 2019

Unidentified Registered Entity 1 (MRO_URE1), FERC Docket No. NP19-17-00 (August 29, 2019)

NERC Violation ID: MRO2017018150

Reliability Standard: CIP-010-2

Requirement: R1.1.2

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: Midwest Reliability Organization (MRO)

Issue: A compliance audit and a subsequent condition analysis identified multiple Cyber Assets whose baselines did not include all installed commercially available software. On two devices, an unidentified entity did not include the software on the documented baseline, and although it would typically document its baselines in either its baseline tool or its patch management system, the entity did not sufficiently or specifically identify the software for numerous devices. The references in the patch management system were not specific enough to identify the unique or incremental software version that was installed on each Cyber Asset. As a result of the insufficient detail, the entity did not detect the noncompliance during its vulnerability assessment. The root cause of the noncompliance was the entity’s deficient process for developing baselines and detecting errors or omissions.

Finding: MRO found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. For almost all of the affected Cyber Assets, the noncompliance was limited to a lack of sufficient detail regarding the software, rather than an omission of the software. Furthermore, the entity’s software change process and change form reduced the risk of an inadvertent or unapproved change. Additionally, the software was well managed by the entity’s Subject Matter Experts, which reduced the risk of an unexpected change to the software. As a result, no harm is known to have occurred. The duration of the violation began on July 1, 2016 when the Reliability Standard became mandatory and enforceable and ended on May 11, 2018 when the entity updated the existing baselines to include all intentionally installed software. MRO considered the scope of the noncompliance and the discovery method to be an aggravating factor in the disposition. MRO determined that the noncompliance did not warrant a financial penalty given the minimal impact of the noncompliance upon the BPS. Additionally, MRO considered the entity’s compliance history and determined there were no relevant issues of noncompliance. To mitigate the violation, the entity conducted an extent of condition analysis, corrected baselines, improved the process to identify any commercially available software, and validated the new process of identifying any commercially available or intentionally installed software.

Penalty: $0

FERC Order: August 29, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017016926

Reliability Standard: CIP-010-2

Requirement: R1; P1.1.1, P1.1.2, P1.1.4, P1.1.5

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: An unidentified entity submitted a Self-Report that it was in violation of the Reliability Standard. On August 4, 2016, during its first performance of a bookend review of baseline configurations, subject matter experts became concerned that some baseline elements might be missing from some Cyber Asset baseline configuration details. At the time, the entity believed that complete baseline configurations might be missing for only a few Cyber Assets, since port scanning could not be accomplished due to connectivity problems between its configuration monitoring tool and the Cyber Assets. However, to examine the scope of the issue and to perform the necessary due diligence, on August 25, 2016, the entity reviewed each Cyber Asset in its Cyber Asset inventory to ensure that all required and applicable baseline elements were captured for each applicable Cyber Asset. The root cause of the violation was inadequate procedures. While the entity had a procedure to meet the objectives of the Requirements, the procedure did not contain complete and accurate information to meet these objectives. Additionally, the entity had no procedure in place to address configuration and communication issues with its Security Information and Event Management system.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity did not implement controls to prevent this violation from occurring, it did employ detective controls that identified the violation and employed multiple monitoring systems and methods to log, detect, and alert on the overall health of the affected Cyber Assets. The violation began on July 1, 2016 when the Standard and Requirement became mandatory and enforceable and ended on May 1, 2017 when baseline configurations were developed and captured for the Cyber Assets in scope. WECC considered the entity’s internal compliance program to be a mitigating factor and the entity’s compliance history to be an aggravating factor in the penalty determination. While the entity received mitigating credit for admitting to the violation, it did not receive mitigating credit for self-reporting. WECC applied mitigating credit for improvements that the entity was making on its system. These improvements include a System-Wide Transmission Protection Standardization and Upgrade Project, which was not undertaken as a result of a mitigation plan, but rather was the result of the entity’s systematic post-event root cause analysis and corrective action planning program. To mitigate the violation, the entity, among other things, collected the number and names of devices missing baseline elements and completed baseline configurations on the Cyber Assets in scope, documented a process to capture cyber security controls on all new Cyber Assets and/or new device types at Transmission facilities, upgraded applicable configuration monitoring tool device profilers to compatible firmware versions, provided training, and updated baseline reports to include only the required information.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2017016929

Reliability Standard: CIP-010-2

Requirement: R2; P2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: An unidentified entity submitted a February 3, 2017 Self-Report that it was in violation of the Reliability Standard. On November 1, 2016, the entity’s subject matter experts (SMEs) discovered a misconfiguration in the configuration monitoring tool used to monitor the entity’s Cyber Asset baseline configurations, which caused an Electronic Access Control and Monitoring System associated with the High Impact Bulk Electric System Cyber Systems not to have its baseline configuration monitored from August 6, 2016 to November 1, 2016. During the entity’s investigation, it discovered additional Cyber Assets whose baseline configurations were not monitored at least once every thirty-five days from August 6, 2016 to January 26, 2017. The root cause of the violation was inadequate procedures.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to monitor for changes to the baseline configuration, as well as document and investigate detected unauthorized changes, the entity implemented strong controls that included an asset management system. The violation began on August 6, 2016 when changes to baseline configurations were not being monitored and ended on May 11, 2017, when monitoring of changes to baseline configurations commenced on the Cyber Assets in scope. WECC considered the entity’s internal compliance program to be a mitigating factor, and the entity’s compliance history to be an aggravating factor in the penalty determination. While the entity received mitigating credit for admitting to the violation, it did not receive mitigating credit for self-reporting. WECC applied mitigating credit for improvements that the entity was making on its system. These improvements included a System-Wide Transmission Protection Standardization and Upgrade Project, which was not undertaken as a result of a mitigation plan, but rather was the result of the entity’s systematic post-event root cause analysis and corrective action planning program. To mitigate the violation, the entity, among other things, worked with its Security Information and Event Management vendor to develop and implement a solution that tracks the number of days since an asset was last monitored, implemented new configuration monitoring tool rules, policy tests, and reports, upgraded applicable configuration monitoring tool device profilers to compatible firmware versions, and provided training.

Penalty: $74,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2017017208

Reliability Standard: CIP-010-2

Requirement: R1; P1.1, 1.2, 1.3, and 1.4

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: During a Compliance Audit, WECC determined that an unidentified entity was in violation of the Reliability Standard. The entity failed to include unidentified items in its baseline configurations for unidentified devices classified as Protected Cyber Assets, one Physical Access Control Systems (PACS) server, one supervisory control and data acquisition (SCADA) system, a Bulk Electric System (BES) Cyber Asset, and Electronic Access Control or Monitoring Systems (EACMS), all associated with its Medium Impact Bulk Electric Cyber System (MIBCS). WECC auditors also identified a PACS server that had a security patch update installed after the mandatory and enforceable date of July 1, 2016 that was not included on the device’s baseline configuration. The entity was also not able to provide evidence that any of the required change management activities had been performed during an installation on January 30, 2017. The installation of this software would have caused a deviation from the device’s baseline configuration. The root cause of the violation was the entity not following its documented process.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Because the entity failed to maintain baseline configurations that included logical network accessible ports and security patches applied to assets, and failed to perform required change management activities for BES Cyber Assets, EACMS, and PACS, such failure could result in a lack of protective measures for those ports due to not knowing which ports were accessible, which could lead to cyber security vulnerabilities in those network devices. However, even though the entity did not implement internal controls, because it was a small municipal power company, WECC determined that the likelihood of the potential harm occurring was low. The violation began on July 1, 2016 when the Reliability Standard became mandatory and enforceable and ended on May 31, 2017 when baseline configurations were updated. WECC noted that the entity did not have detective controls in place that could have helped identify the issues sooner and lessen the violation duration, and noted that had there not been a Compliance Audit, the violation duration would have been longer due to the lack of controls. Based on this, WECC applied an aggravating factor and escalated the disposition treatment to an expedited settlement. WECC considered the entity’s internal compliance program to be a neutral factor and found that there were no relevant instances of noncompliance after it reviewed the entity’s compliance history. To mitigate the violation, the entity, among other things, updated its baseline configurations for the devices in scope, updated its Change of Control and Configuration Management Procedure, held a meeting to discuss the changes to the procedure, included baseline changes as a standing item for discussion and reinforcement at monthly CIP compliance meetings, and will review all baselines at least annually to ensure that they are accurate and up to date.

Penalty: $0

FERC Order: March 28, 2019 (no further review)
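As an added illustration (not from any NERC filing or from the White & Case database), the Python sketch below models the CIP-010-2 R1 Part 1.1 baseline elements for one Cyber Asset and flags the failure modes the cases above describe: software recorded without a specific version (MRO), a patch or port deviation with no change record (WECC PACS and SERC cases), and a monitoring gap longer than the 35-day interval of R2 Part 2.1 (WECC). The asset name, software names, patch identifiers and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date

MONITOR_WINDOW_DAYS = 35  # CIP-010-2 R2 Part 2.1: monitor at least once every 35 days


@dataclass
class Baseline:
    """One Cyber Asset's documented baseline, shaped after R1 Part 1.1 elements."""
    asset: str
    software: dict                 # 1.1.2: name -> exact installed version ("" = not specified)
    ports: set                     # 1.1.4: logical network accessible ports
    patches: set                   # 1.1.5: security patches applied
    last_monitored: date           # date of the last successful baseline monitoring run
    authorized_changes: set = field(default_factory=set)  # items covered by change records


def check_asset(b, observed_software, observed_ports, observed_patches, today):
    """Compare observed state with the documented baseline and return findings."""
    findings = []
    # MRO case: software listed without a version that identifies the exact build
    for name, version in b.software.items():
        if not version:
            findings.append(f"{b.asset}: software '{name}' has no specific version in baseline")
    # WECC PACS case: patch or port present on the device but absent from the baseline,
    # with no change record to account for the deviation
    for item in sorted((observed_patches - b.patches) | (observed_ports - b.ports), key=str):
        if item not in b.authorized_changes:
            findings.append(f"{b.asset}: unrecorded deviation '{item}' (no change record)")
    # MRO / SERC cases: installed software missing from, or drifted from, the baseline
    for name, version in observed_software.items():
        documented = b.software.get(name)
        if documented is None and name not in b.authorized_changes:
            findings.append(f"{b.asset}: installed software '{name}' missing from baseline")
        elif documented and documented != version and name not in b.authorized_changes:
            findings.append(f"{b.asset}: '{name}' is {version}, baseline records {documented}")
    # WECC R2 case: monitoring lapse beyond the 35-day interval
    gap = (today - b.last_monitored).days
    if gap > MONITOR_WINDOW_DAYS:
        findings.append(f"{b.asset}: not monitored for {gap} days (> {MONITOR_WINDOW_DAYS})")
    return findings


# Constructed sample: a PACS server baseline and what a later scan observed (hypothetical values)
SAMPLE = Baseline(
    asset="pacs-srv-01",
    software={"BadgeMgr": "4.2.1", "AgentTool": ""},   # second entry lacks a version
    ports={22, 443},
    patches={"KB-A"},
    last_monitored=date(2016, 8, 6),
)


def run_example(today=date(2016, 11, 1)):
    """Scan shows an extra port, an extra patch, and a now-versioned AgentTool."""
    observed_sw = {"BadgeMgr": "4.2.1", "AgentTool": "1.0"}
    return check_asset(SAMPLE, observed_sw, {22, 443, 3389}, {"KB-A", "KB-B"}, today)
```

Adding an item to `authorized_changes` represents a completed change record; it suppresses the deviation finding but not the missing-version or monitoring-gap findings, which are defects of the baseline record itself.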