FERC on Wednesday approved a settlement between WECC and an unnamed entity in the Western Interconnection for violations of NERC’s Critical Infrastructure Protection (CIP) reliability standards (NP20-21). The settlement does not involve a monetary penalty. NERC notified the commission of the agreement Aug. 30 in a Notice of Penalty (NOP), which FERC indicated in a notice that it would not review.

The NOP was submitted prior to NERC and FERC’s decision last month to end public disclosures of CIP violations and therefore follows the previous practice of redacting from public filings data considered to be critical energy/electric infrastructure information (CEII). (See FERC, NERC to End CIP Violation Disclosures.) Going forward, the organizations will treat CIP noncompliance information filed to the commission as CEII in its entirety (AD19-18); it is unclear whether NERC will continue to provide public information about CIP violations in any form.

Security Gaps in Remote Access Measures

WECC’s settlement with the unnamed utility involves two infringements of CIP-005-5 (Cybersecurity — Electronic security perimeter(s)) and one infringement of CIP-007-6 (Cybersecurity — Systems security management).

Both of the CIP-005-5 violations relate to requirement R2, mandating that entities “allowing interactive remote access to [high- and medium-impact bulk electric system] cyber systems” must implement two-factor authentication (2FA) and that intermediaries that ensure remote access programs do not come in direct contact with the BES cyber systems themselves. The entity made WECC aware of the violations via self-report in February and March 2017.

In the February incident, after multiple users reported lost or damaged security devices, the utility allowed those users to bypass its 2FA system before a planned replacement system had been activated. As a result, cyber assets covered by CIP-005-5 were accessible by passwords alone for some employees. In a few cases, even some users who had not reported issues were still not asked to verify their identities via 2FA. WECC determined the root case of the violation to be failure to assess the risks or consequences of bypassing 2FA and described the risk level as “serious and substantial.”

Details on the March case are less clear because of redactions, but WECC indicated that the entity was not using an intermediate system to block access to applicable cyber assets, although in this case, 2FA was not breached. Staff were also aware of the potential vulnerability and implemented several alleviation measures, including active monitoring of failed login attempts and regular patching of computers used to access the affected systems. As a result, WECC assessed the risk level as moderate, identifying the root cause as failure to clearly understand the compliance requirements or validate them for completeness.

Mitigation measures in the first case include developing a new process for creating, issuing, tracking and revoking hardware tokens, and training staff in their use; the entity also removed any previously granted password-only access. For the second instance, the entity changed its electronic access policies to ensure all interactive remote access goes through the same intermediary and revised its system architecture to ensure consistent policies are followed in future hardware deployment. WECC certified completion of the plans in September and October 2019, respectively.

Patch System Review Finds Holes

The entity’s violation of CIP-007-6 arose from requirement R2 of the standard; specifically, the utility reported in October 2017 that it had discovered “significant gaps in evidence to confirm compliance” with provisions related to high- and medium-impact cyber assets. The identified gaps include:

• an inaccurate and incomplete control center patch source list;
• patch evaluations not completed every 35 days;
• patch installation or mitigation plans not completed within 35 days of patch evaluations; and
• procedures ensuring that mitigation plans were completed on schedule not established and administered.

According to the entity’s records, the issues dated back at least to July 1, 2016, when the standard became enforceable. WECC attributed the violation to the entity “underestimating the resources and effort required to establish and operate a compliant security patch program” under the new standard, and determined that the issues posed a serious and substantial risk to BES reliability.

To address the violation, the entity consolidated patch source lists and updated them to include all software and firmware that might be covered by the relevant standard, and implemented standardized manual patch processes for all applicable cyber assets, among other measures. WECC verified completion of the mitigation plan in January 2020.

To justify its argument that no monetary penalty was needed, WECC cited the fact that the entity was cooperative through the process, reported all violations in a timely manner and made no effort to conceal the violations. The regional entity also observed that there was no indication the infringements were intentional.

While WECC acknowledged previous compliance issues with both CIP-005-5 and CIP-007-6, it argued that they did not serve as a basis for aggravating the penalty. The earlier CIP-005-5 violation was of minimal risk and occurred in 2011, and therefore was “not indicative of broader compliance issues,” while the current CIP-007-6 infringement was related to a lack of resources rather than flawed implementation of the patch management program, as in the earlier violation.