NERC Case Notes: Reliability Standard CIP-002-2


Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-002-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: URE self-reported and NPCC found that URE’s list of CCAs critical to the operation of CAs did not list the continuous emissions monitoring system, as required. That system, which is needed for compliance with government air emission policies, is connected to the CA and therefore should be identified as a CCA.

Finding: The violation constituted a minimal risk to BPS reliability because URE does maintain a list of the CCAs associated with, and necessary for the operation of, its CAs, which is reviewed yearly and updated as needed. The relevant system has physical control measures in place, and access to it is controlled, providing additional security. Further, there were no reported incidents related to this violation. In determining the appropriate penalty, NPCC took certain aspects of URE’s compliance program into consideration as mitigating factors.

Penalty: $10,000 (aggregate for 4 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP14-37 (March 31, 2014)

Reliability Standard: CIP-002-2

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: High

Region: WECC

Issue: While conducting an on-site compliance audit of URE that included facility site tours, WECC’s Audit Team found that URE did not have up-to-date CCA lists. WECC confirmed the audit findings that the CCA list in use by URE had nine CCAs that had been removed from service but which were still included on the current list of CCAs. URE was found in violation of the requirement to update CCA lists when changes to the assets occur.

Finding: WECC determined the violation posed a moderate risk to BPS reliability, but did not pose a serious or substantial risk. Because URE failed to update its list of current CCAs, the devices may have been vulnerable to cyber attacks or misuse. The assets at issue are located across several substations, which WECC determined demonstrated a weak asset management program at URE. BPS risk was mitigated, however, by the fact that the nine CCAs at issue had many protective measures in place: the devices are all inside a PSP, and access to the PSP is limited to individuals with current PRAs on file and cyber security training. URE staff would have been alerted to any unauthorized access attempt by installed alarms, and physical and electronic access was logged and monitored. In approving the settlement agreement, WECC considered that although the violation of CIP-006-1 R1 is URE’s third violation of that Reliability Standard, the current violation is distinct because it relates to a separate sub-requirement; WECC therefore determined it was not recurring conduct and that aggravation was not warranted for the instant violation. Also, the CIP-007-1 R1 violation is URE’s fourth violation of that Reliability Standard; however, the prior violations were concurrent with the instant violations, and therefore WECC did not consider them an aggravating factor in the penalty determination. However, the CIP-007-1 R2 violation was URE’s second violation of that Reliability Standard, which WECC determined was an aggravating factor in the penalty determination. URE has a compliance program in place, which was given mitigating credit, and URE was cooperative during the compliance enforcement process. There was no evidence of any attempt or intent to conceal a violation, and the violations did not pose a serious or substantial risk to BPS reliability. No other mitigating or aggravating factors or extenuating circumstances affecting the assessed penalty were noted.

Total Penalty: $465,000 (aggregate for 8 violations)

FERC Order: Issued April 30, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-002-2

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: SERC

Issue: URE self-reported that it did not timely update its list of Critical Assets after it commissioned a new substation identified as a Critical Asset.

Finding: SERC determined the violation constituted only a minimal risk to BPS reliability since URE commissioned and secured the substation according to the NERC Implementation Schedule for Critical Assets. URE also followed its documented risk-based assessment methodology, and the substation at issue did not contain any CCAs (which reduced the risk of cyber compromise). In addition, it was determined that the violation resulted from a misunderstanding of the relevant Reliability Standard. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program in place throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-002-2

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE failed to include on its list of Critical Cyber Assets certain relays that URE's own CCA methodology had deemed essential to the operation of eleven Critical Assets.

Finding: WECC determined that the violation constituted a moderate risk to BPS reliability, as URE's failure to identify all CCAs increased the risk that someone could intentionally or unintentionally trip transmission lines through the dial-up capability of the relaying devices. However, through a review of URE's logs, WECC was able to confirm that dial-up access would have been denied by the authentication servers and dial-up gateway devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and had self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability; two violations posed only a minimal threat and the remaining two posed a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-10-000 (November 25, 2014)

Reliability Standard: CIP-002-2

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE failed to include on its list of Critical Cyber Assets certain relays that URE's CCA methodology had identified as essential to the operation of eleven Critical Assets.

Finding: WECC determined that the violation constituted a moderate risk to BPS reliability, as URE's failure to identify and protect all CCAs increased the risk that someone could intentionally or unintentionally trip transmission lines through the dial-up capability of the relaying devices. However, through a review of URE's logs, WECC was able to confirm that dial-up access would have been denied by the authentication servers and dial-up gateway devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations and had self-reported the CIP-005-3a R1 violation. None of the violations posed a serious or substantial threat to BPS reliability; two violations posed only a minimal threat and the remaining two posed a moderate threat. However, WECC did consider URE's compliance history an aggravating factor. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $150,000 (aggregate for 4 violations)

FERC Order: Pending