NERC Case Notes: Reliability Standard CIP-011-2

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: WECC2017017229

Reliability Standard: CIP-011-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: On January 30, 2017, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. Specifically, the entity utilized an application as a patching tool for the Microsoft devices in its High Impact Bulk Electric System (BES) Cyber Systems (HIBCS) and associated Electronic Access Control and Monitoring System devices (EACMS). The first server contained all pertinent information about Microsoft devices that required patches and updates. The second server was fully controlled by personnel and also contained pertinent information about Microsoft devices that required patches and updates. The third server did not contain any IP addresses or host names that would be considered BES Cyber System Information (BCSI). In the spring of 2016, the entity began experiencing technical issues with the application, at which time they reinstalled the application and completed a reconfiguration. The reconfiguration was completed on August 12, 2016. However, on August 26, 2016, the entity’s group took immediate steps to correct the issue by deleting the server’s database, and on August 31, 2016, they deleted all of the backups of the server’s database that had been created since the reinstall, from August 12, 2016 to August 26, 2016. The root cause of the violation was a less than adequate review of work. Specifically, due to a configuration error in the application, BCSI was replicated outside the secured Critical Infrastructure Procedures environment, and the entity had no peer review process in place to ensure the application was set up correctly.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to protect and securely handle its BCSI while in storage and had weak controls to prevent the noncompliance, the entity had compensating controls that lessened the risk, including the limited exposure of the BCSI to only internal employees who had elevated privileges. No harm is known to have occurred. The violation began on August 12, 2016 and ended on August 31, 2016. WECC considered the entity’s internal compliance program to be a mitigating factor and found that there were no relevant instances of noncompliance. To mitigate the violation, the entity deleted database files and associated backups, implemented an automated system in order to avoid manual configuration errors and the need for manual reviews of work, and implemented a third-party patching solution that prevents BCSI from being replicated outside of the ESP or that avoids future issues with manual patching.

Penalty: $87,000

FERC Order: June 27, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: WECC2018020044

Reliability Standard: CIP-011-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: On January 30, 2017, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. Specifically, the entity reported that it utilized a baselining tool to scan devices within its Physical Access Control Systems (PACS) environment to gather information related to baseline configurations, device ports, services, accounts and other information used to meet CIP compliance. The scan engine, which was part of the baselining tool, was used to run scans against PACS assets and report the results back to the baselining tool management console. The baselining tool management console controls the scan engine by telling it where, when, and what to scan for. On September 28, 2016, during a review of its systems, the entity discovered that both the baselining tool database and management console were not designated as BES Cyber System Information (BCSI) repositories; therefore, they did not have the protective Critical Infrastructure Procedure controls that would normally be applied to BCSI. The root cause of the violation was the entity’s oversight of a critical device, which led to the misidentification of the information contained within the device that should have been classified as restricted, and therefore protected as BCSI.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to appropriately identify BCSI associated with its PACS, which in turn resulted in the entity failing to provide the appropriate authorized electronic and physical access controls, the entity had some compensating controls in place that lessened the risk. These controls include the limited exposure of the BCSI to internal employees, which was restricted to those who had elevated privilege. No harm is known to have occurred. The violation began on July 1, 2016 and ended on January 25, 2017. WECC considered the entity’s internal compliance program to be a mitigating factor and found that there were no relevant instances of noncompliance after it reviewed the entity’s compliance history. To mitigate the violation, the entity, among other things, identified the PACS data as BCSI, added the baselining tool database and management console servers and designated them as BCSI repositories, updated processes, and added access controls.

Penalty: $87,000

FERC Order: June 27, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: WECC2018020045

Reliability Standard: CIP-011-2

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Western Electricity Coordinating Council (WECC)

Issue: On May 1, 2017, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. The entity reported that on January 12, 2017, an unidentified group was notified of an event related to an employee potentially sending unidentified Bulk Electric System (BES) Cyber System Information (BCSI) to an external company earlier that day. Because errors began occurring with a server, the employee contacted the Customer Support group for a resolution. The Customer Support group requested that the employee send the entity’s configuration database to them so that they could troubleshoot the issues. The employee did not think there was an issue with sending the entity’s configuration database to the Customer Support group because the entity had a signed Mutual Nondisclosure & Confidentiality Agreement, the information was typical configuration database information for a vendor to have, and the employee believed that the configuration database file would not be human readable. The employee therefore sent the configuration database over email. Although the employee was aware of the requirement to encrypt BCSI sent externally, the employee, at the time, did not know that the information within the database file was BCSI. The root cause of the violation was an omission of steps based on an assumption.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the entity failed to securely handle its BCSI during transit and had implemented weak controls to prevent noncompliance, the entity had compensating controls in place that lessened the risk, including the limited exposure of the BCSI to only internal employees who had elevated privileges. No harm is known to have occurred. The violation began and ended on January 12, 2017. WECC considered the entity’s internal compliance program to be a mitigating factor and found that there were no relevant instances of noncompliance during a review of the entity’s compliance history. To mitigate the violation, the entity destroyed all copies of the BCSI that was emailed and provided additional training.

Penalty: $87,000

FERC Order: June 27, 2019 (no further review)

Registered Entity (Name Redacted), FERC Docket No. NP20-15-000

Registered Entity (Name Redacted), FERC Docket No. NP19-9-000

Registered Entity (Name Redacted), FERC Docket No. NP19-10-000

NP19-4-000: Unidentified Registered Entity

NP19-11-000: Unidentified Registered Entity

NP20-20-000: Unidentified Registered Entity
