NERC/CIP Fine Case Study
(Originally posted on February 24, 2019)
Happy Sunday from the great frozen North!
Maybe reading about CIP standards and fines will warm things up, eh?
Last time I promised to cover electronic access protections; however, I thought this would be a timely topic to cover since the new low impact standards are enforceable in less than 11 months.
NERC Levies $10M Against Unidentified Registered Entity for Cyber Security Failures
On February 2nd, 2019, the power industry magazines and websites were blowing up with their own headlines about the record NERC fine.
I know that the Unidentified Registered Entity (URE) has been unofficially identified, but we are not here to poke fun at anyone, so I will refer to them only as the URE.
This fine is important to the rest of us for several reasons, including but not limited to the following:
1. It shows that NERC is not messing around. They will fine for infractions, including those that were self-reported.
2. It proves the importance of budgeting money and resources to your NERC/CIP teams. How many companies can afford a $10M fine?
3. It is an example of how to implement your program. The URE is a large utility that has a long-running program. While they did some things wrong, their remedies to mitigate the violations are worth reading.
4. The CIP-002-5.1 requirements were enforceable on July 1, 2016, which means they are currently enforceable for low impact assets!
The entire NERC Enforcement Action can be found here. It is very long, very detailed, and, for cyber security reasons, heavily redacted.
I recommend reading and studying the Enforcement Action, especially for standards that your company is struggling with.
Please note the NERC findings as the primary cause of most, if not all, of the violations:
The primary cause of the violations was managerial oversight. The contributing causes included a deficient process, inadequate training, and lack of internal controls.
Today I will look at the 4 violations for CIP-002-5.1a. These were all self-reported by the URE and were found by NERC to have minimal impact to the Bulk Power System.
1. The URE discovered two BES Cyber Assets (BCAs) were missing from their BCA list. This was discovered when the URE compared the BCA list to their overall asset database. They were utilizing a database query to pull assets that were “In Service”; this query missed the two devices that were entered as “In-Service”.
2. The URE discovered BCAs missing from their compliance inventory list. This was caused by using a different classification process for these assets. Even though they were missing from the inventory list, the security controls mandated by NERC for BCAs were still applied.
3. The URE discovered BCAs missing from their Cyber Asset Inventory. The entire description of this violation is redacted. The missing devices were not remotely accessible and physical access controls were in place to protect the devices.
4. The URE discovered a Blackstart Resource had been incorrectly shown on the BES Asset Inventory. The specific details of the violation have been redacted. It did note that this BES Asset did not contain any BCAs.
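Violations 1 and 2 above are both inventory reconciliation failures: an exact-match status query silently dropped assets whose status had been typed a slightly different way, and a second classification process produced a compliance list that disagreed with the master inventory. The script below is an added example, not code from the original post or from the URE; it builds a small, constructed asset table in an in-memory SQLite database (the asset IDs and status spellings are made up) and shows the exact-match query beside a normalized comparison, returning the assets the naive query misses and the distinct status spellings that caused the gap. It also reconciles the normalized in-service set against a constructed compliance BCA list so the same check covers violation 2.

```python
import re
import sqlite3

# Constructed sample asset database (hypothetical values, not the URE's data).
# Note the inconsistent spellings of the in-service status.
SAMPLE_ASSETS = [
    ("RTU-01", "In Service"),
    ("RTU-02", "In Service"),
    ("HMI-01", "In-Service"),   # hyphenated variant, missed by an exact match
    ("HMI-02", "In-Service"),   # hyphenated variant, missed by an exact match
    ("RTU-99", "Retired"),
    ("SW-01", "in service "),   # case and trailing-whitespace variant
]

# Constructed compliance BCA list maintained by a separate process (hypothetical).
SAMPLE_BCA_LIST = ["RTU-01", "RTU-02", "HMI-01"]


def build_db():
    """Create an in-memory asset database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (asset_id TEXT PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?)", SAMPLE_ASSETS)
    return conn


def naive_in_service(conn):
    """Exact-match query of the kind described in violation 1: only rows whose
    status is literally 'In Service' are returned."""
    rows = conn.execute(
        "SELECT asset_id FROM assets WHERE status = 'In Service'"
    ).fetchall()
    return sorted(r[0] for r in rows)


def normalize_status(raw):
    """Canonical status: lowercase, trimmed, any run of non-alphanumerics
    (hyphens, underscores, repeated spaces) collapsed to a single space."""
    return re.sub(r"[^a-z0-9]+", " ", raw.lower()).strip()


def normalized_in_service(conn):
    """Pull every row and compare on the normalized status instead of the raw string."""
    rows = conn.execute("SELECT asset_id, status FROM assets").fetchall()
    return sorted(a for a, s in rows if normalize_status(s) == "in service")


def status_vocabulary(conn):
    """Distinct raw status strings; reviewing this list catches vocabulary drift
    before it becomes a missed asset."""
    return sorted(s for (s,) in conn.execute("SELECT DISTINCT status FROM assets"))


def reconcile(conn, bca_list):
    """Return a report with three findings a compliance reviewer would want:
    assets the exact-match query misses, in-service assets absent from the
    compliance BCA list, and BCA-list entries that are not in service."""
    exact = set(naive_in_service(conn))
    normalized = set(normalized_in_service(conn))
    bca = set(bca_list)
    return {
        "missed_by_exact_match": sorted(normalized - exact),
        "in_service_not_on_bca_list": sorted(normalized - bca),
        "on_bca_list_not_in_service": sorted(bca - normalized),
        "status_vocabulary": status_vocabulary(conn),
    }


if __name__ == "__main__":
    conn = build_db()
    for key, value in reconcile(conn, SAMPLE_BCA_LIST).items():
        print(f"{key}: {value}")
```

Whether the real database would have been fixed with a normalized query, a constrained status column, or a periodic vocabulary review is not stated in the Enforcement Action; the point of the example is that any in-service filter used to build a compliance list should be cross-checked against the full inventory, and that a non-empty `missed_by_exact_match` or `in_service_not_on_bca_list` result is the internal control the NERC findings say was lacking.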
There are many lessons to be learned here. Read the violation descriptions for the requirements that would apply to your company, understand why there was a violation, and study how the URE implemented the remedy.
To quote Otto Von Bismarck:
“Only a fool learns from his own mistakes. The wise man learns from the mistakes of others.”