NERC Case Notes: Reliability Standard CIP-004-1

White & Case NERC Database

This page contains the Notice of Penalty (NOP) and Administrative Citation of Penalty (ACP) summaries; the Find, Fix and Track (FFT) summaries are collected on a separate page.

NERC Registered Entity, FERC Docket No. NP10-136-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R2.3, R3

Violation Risk Factor: Lower with respect to R2.3, Medium with respect to R3

Violation Severity Level: Not provided

Region: WECC

Issue: Certain personnel of the NERC Registered Entity received authorized cyber or authorized unescorted physical access to Critical Cyber Assets (CCAs) without receiving cyber security training within the annual timeframe required. In addition, the NERC Registered Entity self-reported that it had not completed a personnel risk assessment (PRA) for an employee within 30 days of the employee receiving authorized unescorted physical access to CCAs, although a PRA was performed within two months of such access.

Finding: The NERC Registered Entity mitigated the violation by providing the required training and improving its training documentation and tracking program, and by requiring written and signed confirmation of PRA completion.

Penalty: $7,000

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-131-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: SERC

Issue: It was determined that the Registered Entity had not properly maintained the lists of personnel who had authorized cyber and/or unescorted physical access rights to Critical Cyber Assets and did not remove within seven days the access for personnel who no longer needed such access. While updating its software in the spring and summer of 2008 in order to comply with physical security requirements, the Registered Entity ended up with one person who had physical access to its physical security perimeter, even though this person did not have a current personnel risk assessment. After a corporate-wide review of its access control systems, the Registered Entity also discovered another individual who had physical access to Critical Cyber Assets, but did not possess the required training or personnel risk assessment, and that certain members of its security staff unintentionally had unescorted access to its back-up control center.

Finding: This violation was resolved by a settlement agreement and a mitigation plan has been completed. Upon discovery of the violations, the Registered Entity: (1) immediately terminated access for the unauthorized individuals and performed the relevant personnel risk assessment; (2) immediately replaced the key core at the access point where the violations took place; (3) verified all of the access lists; (4) evaluated the design of the Critical Cyber Asset physical access report; (5) updated the relevant procedures to show control measures; (6) revised the access control software and database structure; and (7) hired someone who has enterprise-wide responsibility to manage the access control system. Additional details concerning the violation were removed due to the confidential nature of the violation.

Penalty: $5,000

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-130-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: SERC

Issue: It was determined that the Registered Entity had not properly maintained the lists of personnel who had authorized unescorted physical access to Critical Cyber Assets and did not remove within seven days the physical access rights for personnel who no longer needed such access. During a routine review of its access list, the Registered Entity found an instance where an individual had authorized unescorted physical access to the backup control center, even after that access was supposed to have been revoked. An administrative error caused the individual in question to lose access to the stairwell adjacent to the backup control center, instead of access to the backup control center itself as intended. The relevant individual did not attempt to access the backup control center after the date his access was supposed to have been revoked.

Finding: This violation was resolved by a settlement agreement and a mitigation plan has been completed. In response to the violation, the Registered Entity: (1) immediately terminated access to the backup control center for the relevant individual; (2) implemented a computer program to process, on a daily basis, the physical access requests; (3) verified, on a weekly basis, the list of personnel who had authorized unescorted physical access with the list from the computer program; and (4) performed an internal review to ensure that the access requests matched the accesses that were granted. Additional details concerning the violation were removed due to the confidential nature of the violation.

Penalty: $0

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-138-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: RFC

Issue: The NERC Registered Entity self-reported that it failed to revoke physical access rights to Critical Cyber Assets within seven days with respect to nine personnel who no longer needed access. Managers of the nine terminated personnel failed to notify the appropriate office to revoke such access rights, and an automated system for synchronizing HR employment records with access rights failed to properly synchronize for two periods of time during which the failures occurred. Instead of being revoked within seven days as required, the access rights were revoked within one to three months of employment termination.

Finding: The NERC Registered Entity mitigated the violation by providing additional training to its personnel regarding procedures for revoking access rights, improving procedures and software used for tracking and revoking access rights, and automatically synchronizing its badge access lists with HR records twice daily. No further publicly available information was provided.

Penalty: $5,000

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-140-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R3.2, R4

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: RFC

Issue: The NERC Registered Entity self-reported that in three instances it failed to maintain its access list and revoke physical access rights to Critical Cyber Assets within seven days for personnel who no longer needed such access. First, due to administrative errors, an employee's access rights were not revoked within seven days of the date on which he no longer needed access to two Cyber Assets; later his access rights were revoked but in the meantime his manager had reauthorized access, which was not captured in the NERC Registered Entity's access management system. Second, an employee was granted access to Cyber Assets not included on his access authorization forms. Third, an employee was provided unauthorized access to a protected system. The NERC Registered Entity also did not complete personnel risk assessments for five contractors within seven years of initial personnel risk assessments being completed for those individuals, in violation of R3.2.

Finding: The NERC Registered Entity mitigated the violation by increasing the human resources personnel handling access matters, correcting and removing unauthorized access, implementing software to control changes to Cyber Assets, implementing a daily account authorization reconciliation and peer review process for access authorizations, and providing additional training regarding these requirements. The NERC Registered Entity also completed the required personnel risk assessments, documented a procedure for administering the seven-year background checks, and designated secondary and tertiary personnel responsible for handling personnel risk assessments. No further publicly available information was provided.
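The two preceding entries (NP10-138-000 and NP10-140-000) turn on the same control: an access list that is reconciled against HR records and authorization forms, with revocation, personnel risk assessment (PRA) and training checked against the CIP-004-1 timing windows the case notes cite (seven days to revoke, 30 days for a PRA after access is granted, seven-year PRA refresh, 90 days for training). The following is an added example of such a reconciliation check; it is not code from any Registered Entity, from NERC or from White & Case. The `AccessRecord` schema, the finding strings and the sample records are constructed for illustration, and the dates are loosely modelled on the cases on this page rather than taken from any filing.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Timing windows as described in the case notes above (constructed example, not official NERC tooling).
REVOKE_WITHIN_DAYS = 7      # R4.2: revoke access within seven days of it no longer being needed
PRA_WITHIN_DAYS = 30        # R3: PRA completed within 30 days of access being granted
PRA_REFRESH_YEARS = 7       # R3.2: PRA updated at least every seven years
TRAINING_WITHIN_DAYS = 90   # R2.1: training within 90 days of authorization


@dataclass
class AccessRecord:
    """One person with authorized cyber or unescorted physical access (hypothetical schema)."""
    pid: str
    access_granted: date
    needed_until: Optional[date]    # HR/manager date access was no longer required; None = still required
    revoked: Optional[date]         # date badge/account was actually disabled; None = still active
    pra_date: Optional[date]        # most recent completed personnel risk assessment
    training_date: Optional[date]   # most recent cyber security training
    on_access_list: bool            # present on the maintained CCA access list


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check_record(r: AccessRecord, today: date) -> List[str]:
    """Return the CIP-004-1 timing and list-maintenance findings for one record."""
    findings: List[str] = []
    active = r.revoked is None or r.revoked > today

    # R4.2: access must be revoked within seven days of no longer being needed.
    if r.needed_until is not None:
        deadline = r.needed_until + timedelta(days=REVOKE_WITHIN_DAYS)
        effective = r.revoked if r.revoked is not None else today
        if effective > deadline:
            findings.append(f"R4.2: revocation late by {(effective - deadline).days} day(s)")

    # R3 / R3.2: PRA within 30 days of the access grant, refreshed at least every seven years.
    if r.pra_date is None:
        findings.append("R3: no PRA on record")
    else:
        if r.pra_date > r.access_granted + timedelta(days=PRA_WITHIN_DAYS):
            findings.append("R3: PRA completed more than 30 days after access was granted")
        if add_years(r.pra_date, PRA_REFRESH_YEARS) < today:
            findings.append("R3.2: PRA older than seven years")

    # R2.1: training within 90 days of authorization.
    if r.training_date is None or r.training_date > r.access_granted + timedelta(days=TRAINING_WITHIN_DAYS):
        findings.append("R2.1: training not completed within 90 days of access")

    # R4 / R4.1: the access list must match who actually holds access.
    if active and not r.on_access_list:
        findings.append("R4: active access not on the access list")
    if not active and r.on_access_list:
        findings.append("R4: revoked person still on the access list")
    return findings


def reconcile(records: List[AccessRecord], today: date) -> Dict[str, List[str]]:
    """Return only the people with findings, keyed by id, in input order."""
    out: Dict[str, List[str]] = {}
    for r in records:
        found = check_record(r, today)
        if found:
            out[r.pid] = found
    return out


# Constructed sample records: one late PRA, one late revocation with a stale PRA and list entry,
# one compliant employee, and one contractor with no PRA, no training and no list entry.
SAMPLE = [
    AccessRecord("emp-A", date(2008, 7, 1), None, None, date(2008, 9, 1), date(2008, 7, 15), True),
    AccessRecord("emp-B", date(2008, 7, 1), date(2008, 7, 29), date(2008, 10, 23), date(2000, 1, 1), date(2008, 7, 1), True),
    AccessRecord("emp-C", date(2008, 7, 1), None, None, date(2008, 6, 15), date(2008, 8, 1), True),
    AccessRecord("ctr-D", date(2008, 7, 1), None, None, None, None, False),
]
AS_OF = date(2009, 3, 1)

if __name__ == "__main__":
    for pid, findings in reconcile(SAMPLE, AS_OF).items():
        print(pid)
        for line in findings:
            print("  -", line)
```

Run daily against an export of the badge system, the account directory and the HR termination feed, the check surfaces exactly the failure modes in these entries: a termination that no manager reported (the R4.2 lateness grows every day the record stays unrevoked), a PRA done outside the 30-day window, a PRA past its seven-year refresh, and a person holding access who never made it onto the list. Someone who is on the list but has been revoked is reported separately, since that is the stale-entry problem the quarterly R4.1 review is meant to catch.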

Penalty: $5,600

FERC Order: Issued February 28, 2011 (no further review)

NERC Registered Entity, FERC Docket No. NP10-134-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R3.2

Violation Risk Factor: Medium

Violation Severity Level: Not discussed

Region: SPP

Issue: The NERC Registered Entity conducted background checks of its employees at the time of employment; however, it failed to update each personnel risk assessment at least every seven years after the initial personnel risk assessments were conducted for personnel with authorized cyber or authorized unescorted physical access rights to Critical Cyber Assets.

Finding: The NERC Registered Entity mitigated the violation by completing the updated personnel risk assessments for the applicable federal and government contract employees. The NERC Registered Entity created a policy which prohibits personnel from working until completing a personnel risk assessment. The NERC Registered Entity created a list of positions that required the updated personnel risk assessment. In addition, it created a reminder system to ensure employees requiring updated personnel risk assessments are identified and a subsequent personnel risk assessment is timely performed. No further publicly available information was provided.

Penalty: $0

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-137-000 (July 6, 2010)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Not discussed

Region: WECC

Issue: The NERC Registered Entity failed to conduct seven-year criminal checks and identity verifications for all of its employees with authorized cyber or authorized unescorted physical access to Critical Cyber Assets. In addition, it failed to prepare employee release forms for the seven-year background checks. As such, the NERC Registered Entity could not perform the personnel risk assessment according to the timing requirements in CIP-004-1 R3. No one without the requisite background check entered the area unescorted.

Finding: The NERC Registered Entity mitigated the violation by conducting background and identity verification checks on all employees with authorized cyber or authorized unescorted physical access to Critical Cyber Assets and preparing employee release forms to execute the seven-year background checks. No further publicly available information was provided.

Penalty: $39,000 (aggregate for multiple violations)

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-159-000 (July 30, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported that while it had a rigorous authorization process for access to Critical Cyber Assets (CCA), it did not generate a list of personnel with access to CCA as required by the Reliability Standard. Moreover, it had not performed the required quarterly review of such lists.

Finding: Duration of the violation was from July 1, 2008 through February 27, 2009. This was the Registered Entity's first violation of the Reliability Standard.

Penalty: $109,000 (aggregate for multiple violations)

FERC Order: Issued August 27, 2010 (no further review)

NPCC-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: NPCC

Issue: During a preliminary review process in 2010, NPCC found that 3 employees of an Unidentified Registered Entity (URE-NPCC1) who possessed unescorted physical access to URE-NPCC1's Critical Cyber Assets (CCAs) did not have their personnel risk assessments (PRAs) updated within the seven-year requirement.

Finding: NPCC found that the violation constituted a minimal risk to bulk power system reliability as the 3 relevant employees had continuously worked for URE-NPCC1 for many years and had all worked in their current positions without incident and with no disciplinary actions reported. When URE-NPCC1 became aware of the violation, the relevant employees' access to the CCAs was suspended until the PRAs were finished (which showed no clearance issues or any other adverse results).

Penalty: $5,000 (aggregate for multiple violations)

FERC Order: Issued March 3, 2011 (no further review)

Southwestern Power Administration, FERC Docket No. NP11-238-000 (July 28, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3.2, R4

Violation Risk Factor: Medium (R2.1), Lower (R3.3, R4)

Violation Severity Level: N/A

Region: SPP

Issue: Southwestern Power Administration (SPA) self-reported that during an internal review it discovered that two employees on its authorized unescorted access list did not receive physical security training within 90 days of obtaining authorization in violation of R2.1; two employees were authorized unescorted physical access to the Critical Cyber Assets (CCA) area without a criminal background check being performed within the past seven years in violation of R3.2; and two contractors were improperly included in the list of personnel with authorized, unescorted physical access to the CCA area in violation of R4.

Finding: SPP assessed a $19,500 penalty for these and other Reliability Standards violations. The violations all posed a minimal risk to the bulk power system (BPS) but not a serious or substantial risk. The violation of R2.1 involved two long-term employees in good standing and both received the physical security training 37 and 49 days, respectively, after the 90-day due date. The violation of R3.2 also involved two long-term employees in good standing. Both passed a background investigation and were qualified to hold a DOE “L” security clearance. SPA immediately revoked the employees’ access when the violations were discovered. One employee never accessed the CCA area, and the other only accessed it twice, and each time was properly escorted. The violation of R4 consisted of a documentation error and neither contractor had access privileges to any CCAs, nor did they have physical or electronic access to the CCAs during the violation period. The error was corrected the day it was discovered. The NERC BOTCC considered the following factors: the violations constituted SPA’s second violation of one of the Reliability Standards; SPA self-reported some but not all of the violations; SPA was cooperative; SPA had a compliance program in place, but SPP did not consider it a mitigating factor; there was no evidence of an attempt or intent to conceal the violations; SPP determined the violations posed a minimal risk but did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $19,500 (aggregated for 4 violations)

FERC Order: Order on Review of Notice of Penalty, Issued July 19, 2012, 140 FERC ¶ 61,048

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: SPP

Issue: It was determined that an Unidentified Registered Entity (URE-SPP1) had two instances where it did not perform a personnel risk assessment (PRA), as required, within thirty days of granting unescorted physical access to a Critical Cyber Asset (CCA). The incidents occurred when URE-SPP1 provided two employees unescorted physical access to the dispatch arena (a CCA) on August 19, 2009 and August 25, 2009 respectively, but did not perform the PRA for the employees until October 7, 2009.

Finding: SPP found that the violation constituted a minimal risk to bulk power system reliability. Both of the relevant employees had worked for URE-SPP1 for at least fifteen years, and had received the necessary cyber security training when they were granted access to the dispatch arena (which was also the only CCA they were granted physical access to). In addition, URE-SPP1's dispatch arena is always staffed and, during the violation, other personnel were conducting some supervision and observation.

Penalty: $600

FERC Order: Issued March 3, 2011 (no further review)

SPP-2, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1, R4.2

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: SPP

Issue: An Unidentified Registered Entity (URE-SPP2) self-reported a violation of CIP-004-1 R4.1 and R4.2 because, although it conducted quarterly reviews of physical access lists of personnel with authorized unescorted physical access to Critical Cyber Assets, the reviews did not incorporate an evaluation to determine whether continued access was necessary for each individual on the list. In addition, URE-SPP2 was in violation of R4.2 because physical access was not revoked within seven days for one retired employee and two employees who failed to complete the required training within the time frame mandated by URE-SPP2's CIP Cyber Security Policy.

Finding: SPP determined that the violation posed a minimal risk to the reliability of the bulk power system because URE-SPP2 was periodically reviewing its physical access lists and an internal review confirmed that no current employees with access should have had their access revoked. Moreover, the retired employee had no access to any of URE-SPP2's facilities once he retired, and the two personnel that failed to complete the training within the specified time frame had previously completed the required training.

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-1-000 (October 7, 2010)

Reliability Standard: CIP-004-1

Requirement: R2.1, R2.3, R3, R4.2

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-reported violations because it (1) discovered in the course of a quarterly personnel review that certain employees with access to Critical Cyber Assets did not have cyber security training or documented personnel risk assessments, (2) failed to maintain documentation that it conducts annual training, and failed to record the date of at least one employee's last training, and (3) failed to timely revoke access rights for personnel who changed job duties and no longer required access to Critical Cyber Assets.

Finding: The violations did not pose a serious or substantial risk to the reliability of the bulk power system because the relevant employees either never actually accessed the Critical Cyber Assets or had worked for the company for a long time and had good employment histories.

Penalty: $106,000 (aggregate for multiple violations)

FERC Order: Issued November 5, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-22-000 (November 5, 2010)

Reliability Standard: CIP-004-1

Requirement: R4.2

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: SERC

Issue: During a spot check and a subsequent self-report by the Unidentified Registered Entity (URE), it was determined that the URE had not revoked, within the required seven calendar days, the physical access rights to its Critical Cyber Assets for three employees who no longer required such access.

Finding: SERC and the URE entered into a settlement agreement to resolve all outstanding issues, whereby the URE agreed to pay a penalty of $5,000 and to undertake other mitigation measures to resolve the violations. SERC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since one of the relevant employees had passed away (making it unlikely that a third party would use his badge to access the Critical Cyber Assets) and the other two employees had their access card badges confiscated. Furthermore, the URE was following the standards for personal background checks and training, as well as other precautions meant to prevent employees from misusing their access. The duration of the violation was from July 29, 2008 (when access to the Critical Cyber Assets should have been revoked) through October 23, 2008 (when access was finally revoked). In deciding on the penalty amount, SERC considered the fact that this was the URE's first violation of this Reliability Standard; the URE self-reported additional instances of the violation after the spot check; the URE was cooperative during the enforcement process and did not attempt to conceal the violation; the URE had a compliance program in place; and there were no additional mitigating or aggravating factors.

Penalty: $5,000

FERC Order: Issued December 3, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-3-000 (October 7, 2010)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SERC

Issue: During a spot check, SERC determined that an Unidentified Registered Entity (URE) had failed to provide appropriate cyber security training to fifteen employees within ninety days of granting them access to Critical Cyber Assets, and had failed to timely conduct personnel risk assessments on forty-seven contract employees.

Finding: The violations did not pose a serious or substantial risk to the reliability of the bulk power system because (1) all of the seven untrained personnel were familiar with the cyber assets, and (2) only seven of the forty-seven contractors without personnel risk assessments had access to Critical Cyber Assets, and each of these seven contractors could only access the cyber assets within a physical security perimeter which was both monitored and protected by other devices such as a badge reader. Moreover, the URE's electronic security perimeter was secured with firewalls, was continuously monitored, and only remote access was allowed through the ESP. In addition, the contractors were well known to the URE and had provided services for years.

Penalty: $6,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-4-000 (October 7, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: FRCC

Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to maintain lists of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets. Further, security staff without required training and personnel risk assessments had unescorted access through possession of a master key to the primary and back-up Energy Control Centers from July 1, 2008 to October 30, 2008.

Finding: The violation lasted from July 1, 2008 (the date the standard became enforceable), until January 23, 2009 (the date the mitigation plan was completed). The violation did not pose a serious or substantial risk to the reliability of the bulk power system because the personnel with access had background checks and were experienced in the physical protection of the equipment to which they had access. None of the relevant personnel had the credentials necessary to log into the Energy Control Center systems.

Penalty: $250,000 (aggregate for multiple violations)

FERC Order: Issued November 5, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SERC

Issue: An Unidentified Registered Entity (URE) self-reported violations for failing to establish, maintain and document a cyber security training program, implement and document a personnel risk assessment program, and maintain lists of personnel with access rights to Critical Cyber Assets. In addition, SERC discovered during a spot check that although the URE had trained new personnel, it had not trained its existing staff.

Finding: The violations did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak and its Control Center cyber assets had only one external communications link, which was with the Reliability Coordinator. Moreover, the employees that were not timely trained were experienced with the URE's Critical Cyber Assets.

Penalty: $16,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-59-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R3 (R3.2, R3.3)

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: Unidentified Registered Entity (URE) failed to conduct or update personnel risk assessments on nine occasions for seven employees and two contract workers having authorized cyber access or authorized unescorted physical access to Critical Cyber Assets.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a penalty in the amount of $7,000 for this violation. In reaching this determination, the NERC BOTCC considered the following facts: the violation constituted URE's first violation of this Reliability Standard; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE did not have a formal compliance program at the time of the violation; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $7,000

FERC Order: Issued February 17, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-64-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (for R2, R3), Lower (R4)

Violation Severity Level: Not provided

Region: WECC

Issue: In January 2009, a Registered Entity self-reported that it had not: (a) provided the required cyber security training to four of its employees (who represented 5% of the Registered Entity's employees) within 90 days of granting those employees physical access to Critical Cyber Assets, (b) conducted personnel risk assessments within 30 days of granting eight of its employees access to its Critical Cyber Assets, and (c) appropriately updated its list of personnel who were authorized to access the Registered Entity's Critical Cyber Assets as required.

Finding: The Registered Entity agreed to pay a penalty of $38,500 and to undertake other mitigation measures to resolve multiple violations. WECC found that the violation of CIP-004-1 R2 did not constitute a serious or substantial risk to bulk power system reliability since the four employees who had not completed the required training within the required time frame were not physically located in the same facility as the relevant Critical Cyber Assets and they received the required cyber security training within 14 days after they were supposed to. The duration of the CIP-004-1 R2 violation was from July 1, 2008 through October 8, 2008. With regard to the violation of CIP-004-1 R3, WECC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since only a small number of the Registered Entity's relevant employees had not received the required personnel risk assessment within the required time frame. The duration of the CIP-004-1 R3 violation was from July 1, 2008 through December 14, 2009. For the violation of CIP-004-1 R4, WECC found that the violation did not pose a serious or substantial risk to bulk power system reliability since the Registered Entity had updated its list of personnel who have access to Critical Cyber Assets during the third quarter of 2008 and the first quarter of 2009 (even though it did not perform an update in the fourth quarter of 2008). The duration of the CIP-004-1 R4 violation was from October 1, 2008 through December 16, 2009. In determining the penalty amount, WECC considered the fact that these were the Registered Entity's first assessed violations of the relevant Reliability Standards; the violations were self-reported; and the Registered Entity was cooperative during the enforcement process and did not attempt to conceal the violations.

Penalty: $38,500 (aggregate for multiple violations)

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-70-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that three of its personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets did not have personnel risk assessments completed within 30 days of gaining access in accordance with CIP-004-1 R3. Such risk assessments were completed within 35 days of gaining access. URE also self-reported the following violations of R4: three of its employees retired or were terminated but URE did not remove them from its Master Access List in a timely fashion; seven of its employees had access to Critical Cyber Assets but were not listed on the Master Access List; and seventy-one of its employees were listed on the Master Access List without also listing which Critical Cyber Assets each employee had access to.

Finding: It was determined by WECC that the R3 violation did not pose a serious or substantial risk to the reliability of the bulk power system because of the small number of employees involved and the fact that the URE was only five days late. WECC determined that the R4 violation posed a moderate risk to the reliability of the bulk power system because even though the URE had a Master Access List of its personnel with access to Critical Cyber Assets, it was not maintaining the list within the timeframes required. The duration of both violations was July 1, 2008, when the Reliability Standard became enforceable, through September 22, 2008.

Penalty: $55,000 (aggregate with other violations)

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-76-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SERC

Issue: During a spot-check audit, SERC found two incidents in which Unidentified Registered Entity (URE) failed to properly maintain its list of employees, contractors and service vendors who have authorized cyber or authorized unescorted physical access to Critical Cyber Assets and also failed to include in the list each individual's specific access rights.

Finding: It was determined by SERC that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because URE trained and performed background checks on all employees with cyber and unescorted physical access and kept records of the access granted to employees, contractors and service providers (these records were not made part of the master list, leading to the violation). The existence of a robust internal compliance program was given credit in the zero penalty determination. The duration of the violation was April 1, 2009 through November 14, 2009.

Penalty: $0

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-79-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: High

Region: FRCC

Issue: Unidentified Registered Entity (URE) self-reported a violation of CIP-004-1 R1, R2, R3 and R4 for failing to include a contractor on its master list of personnel with access rights to Critical Cyber Assets.

Finding: Upon review, FRCC determined there was no violation of R1 and dismissed the violations of R2 and R3. The violation of R4 did not pose a serious or substantial threat to reliability of the bulk power system because the contractor had conducted pre-employment background checks, had activities in place to protect customer system information, and had training related to cyber security.

Penalty: $100,000 (aggregate for multiple violations)

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entities 1 and 2, FERC Docket No. NP11-81-000 (December 22, 2010)

Reliability Standard: CIP-004-1

Requirement: R3, R4

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: MRO (URE-1), SPP (URE-2)

Issue: Two Unidentified Registered Entities (UREs), both wholly owned subsidiaries of the same Parent Company, self-reported violations of CIP-004-1 R3 and R4 for failing to complete personnel risk assessments for certain personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets (R3) and for failing to maintain a complete and accurate list of personnel with such access (R4).

Finding: MRO determined the violation of R3 did not pose a serious or substantial threat to reliability of the bulk power system because less than 1% of personnel were missing personnel risk assessments, access was immediately suspended until personnel risk assessments were completed, and the relevant personnel were long-term employees in good standing. In addition, MRO and SPP determined the violation of R4 did not pose a serious or substantial threat to the reliability of the bulk power system because most of the employees that were mistakenly not on the Critical Cyber Assets access lists had received cyber security training and background checks to ensure they would not abuse access rights to the Critical Cyber Assets.

Penalty: $50,000 (aggregate for multiple violations)

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entity, MRO-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2), Lower (R3), Lower (R4)

Violation Severity Level: Lower (R2), High (R3), Severe (R4)

Region: MRO

Issue: Unidentified Registered Entity, MRO-1 (URE-MRO1) self-certified it was not compliant with CIP-004-1 R2 because evidence of cyber security training (CST) was not available for all employees as required by the Reliability Standard. Further, URE-MRO1 self-certified it was not compliant with CIP-004-1 R3 because some individuals who were authorized to have cyber and/or unescorted physical access to Critical Cyber Assets (CCAs) did not have evidence in their personnel files of a completed personnel risk assessment (PRA). In addition, URE-MRO1 self-certified it was not compliant with CIP-004-1 R4 because it did not have sufficient documentation evidencing that it had updated its NERC CIP Personnel List (Access List) within the required 7 day or 24 hour time frames for certain individuals who no longer required cyber or unescorted physical access to CCAs.

Finding: MRO determined that the violations posed a minimal risk to the reliability of the bulk power system for the following reasons. The nine individuals involved represent less than 3% of the individuals on URE-MRO1's CCA Access List. URE-MRO1 instituted new CST and PRA policies which require evidence that personnel complete the required training programs prior to being granted authorized cyber and/or authorized unescorted physical access to CCAs. With regard to the three individuals whose access was not revoked within 7 days of no longer requiring access to CCAs, it was noted that the individuals' primary work facility included a terminal for URE-MRO1's Energy Management System; on January 22, 2009, the terminal was removed from the facility, and the individuals could no longer physically or electronically access the CCA. Additionally, MRO did not find any additional instances of access being revoked without the Access List being updated within the required 7 day or 24 hour time frames, and URE-MRO1 provided evidence of conducting quarterly reviews of the Access List.

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, MRO-2, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R4

Violation Risk Factor: Medium (R2), Lower (R4)

Violation Severity Level: Lower (R2), Lower (R4)

Region: MRO

Issue: MRO determined that Unidentified Registered Entity, MRO-2 (URE-MRO2) was unable to provide evidence to confirm that annual cyber security training had been provided to contractor personnel, specifically SCADA vendor personnel, as required by CIP-004-1 R2.3, and it failed to provide any training records for its SCADA vendor personnel. It was further found by MRO that URE-MRO2 did not have sufficient evidence to show it properly maintained a list of SCADA vendor personnel with Critical Cyber Assets access as required by CIP-004-1 R4.1.

Finding: MRO determined that the violations posed minimal risk to the reliability of the bulk power system because even though there was no evidence that the SCADA vendor personnel received cyber security training or were on the authorized access list, the vendor personnel had received cyber security training from their employer and URE-MRO2 closely monitored the SCADA vendor personnel while on-site and during remote interactive troubleshooting sessions.

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-106-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: RFC

Issue: Unidentified Registered Entity (URE) self-reported that it had not performed a fourth quarter 2009 review of the list of individuals having key cards granting authorized unescorted physical access to Critical Cyber Assets. URE also had not conducted third and fourth quarter 2009 reviews of a key manifest.

Finding: RFC and URE entered into a Settlement Agreement in which URE neither admitted nor denied the violations, but agreed to the assessed penalty. RFC determined the violation did not pose a serious or substantial risk to the reliability of the bulk power system. The NERC Board of Trustees Compliance Committee considered the following in determining the penalty: the violation of CIP-004-1 R4 was a repeat occurrence, which was an aggravating factor since URE completed a mitigation plan associated with the previous violation that should have prevented a reoccurrence; URE was cooperative during the compliance enforcement process; URE's compliance program; there was no evidence of any attempt or intent to conceal a violation; and there were no additional mitigating or aggravating factors that would affect the penalty amount.

Penalty: $15,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-116-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: FRCC

Issue: In September 2008, a Registered Entity self-reported that it provided three employees (who were granted unescorted physical access to the Critical Cyber Assets) with physical cardkey access to its Physical Security Perimeter, even though it had not conducted background checks on those employees within the seven-year time frame as required.

Finding: FRCC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $75,000 and to undertake other mitigation measures to resolve multiple violations. FRCC found that the CIP-004-1 violation did not constitute a serious or substantial risk to bulk power system reliability since the Registered Entity had actually previously conducted personnel risk assessments on the relevant employees (even though the assessments were no longer up to date). In addition, the relevant employees were all long-term employees who had access to the Physical Security Perimeter before the Reliability Standards came into effect. The duration of the CIP-004-1 violation was from July 1, 2008 through August 25, 2008. In approving the settlement agreement, NERC considered the fact that these were the Registered Entity's first violations of the relevant Reliability Standards; the Registered Entity self-reported some of the violations; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; there was a compliance program in place; and there were no additional mitigating or aggravating factors.

Penalty: $75,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-124-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R4, R4.1, R4.2, R2.1, R2.3, R3, R3.1, R3.3, R4.1

Violation Risk Factor: Medium (R4.1, R4.2, R2.1, R2.3, R3, R3.1, R3.3), Lower (R4.1)

Violation Severity Level: High (R4, R4.1, R4.2), Lower (R2.1, R2.3), Moderate (R3, R3.1, R3.3), Lower (R4.1)

Region: RFC

Issue: RFC found that the Unidentified Registered Entity (URE) failed to: (a) ensure that all employees with access to System Operations had completed training and personnel risk assessments (PRAs) (R4); (b) revoke access within seven calendar days for personnel who did not require access to System Operations (R4.2); (c) have a comprehensive list of all personnel with access to Critical Cyber Assets (R4.1); (d) conduct quarterly reviews of a complete access list in the third quarter of 2008 and the first quarter of 2009 (R4.2); or (e) perform a quarterly review in the fourth quarter of 2008 (R4.2). RFC also found that the URE failed to ensure that all personnel with access to Critical Cyber Assets were trained within 90 days of being granted that access, and the URE did not maintain documentation of annual training for 47 out of 83 personnel (R2.1, R2.3). Further, RFC found that the URE failed to conduct PRAs for 21 of its 83 employees, contractors and service providers who had authorized cyber or authorized unescorted physical access within 30 days of the employees, contractors and service providers being granted such access (R3.1, R3.3). In addition, RFC found that the URE failed to ensure that it had a completed PRA on file within 30 days of unintentionally granting a contract worker unescorted physical access to Critical Cyber Assets (R3). The URE also failed to update its master list of personnel with authorized cyber or unescorted physical access rights to a Critical Cyber Asset within seven days of granting access to the contract employee (R4.1).

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $100,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted the URE's first violation of the subject NERC Reliability Standards; the URE self-reported 11 of the 16 violations; the URE cooperated during the compliance enforcement process; the URE's compliance program; the URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $100,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-125-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: RFC

Issue: RFC found that the Unidentified Registered Entity (URE) did not ensure that all personnel having access to Critical Cyber Assets were trained within 90 calendar days of such authorization and/or were subject to personnel risk assessments conducted pursuant to its personnel risk assessment program within 30 days of such personnel being granted such access.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $65,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted the URE's first violations of the subject NERC Reliability Standard; the URE self-reported the violations; the URE cooperated during the compliance enforcement process; the URE's compliance program; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $65,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-125-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: SPP found that the Unidentified Registered Entity (URE) did not ensure that all personnel having access to Critical Cyber Assets were trained within 90 calendar days of such authorization and/or were subject to personnel risk assessments conducted pursuant to its personnel risk assessment program within 30 days of such personnel being granted such access.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $12,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted the URE's first violations of the subject NERC Reliability Standard; the URE self-reported the violations; the URE cooperated during the compliance enforcement process; the URE's compliance program; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $12,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-127-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: High for first violation; Lower for second violation

Region: FRCC

Issue: With respect to the first violation of CIP-004-1, Unidentified Registered Entity (URE) self-reported that its personnel access list for contract and service personnel with unescorted physical access to Critical Cyber Assets was not complete because it did not include a list of personnel from its provider of secure hosting facilities for URE's Critical Cyber Assets. URE self-reported prior to R4 becoming enforceable. Duration of violation was from July 1, 2008, when the Standard became enforceable, through July 28, 2008, when the violation was mitigated. With respect to the second violation, URE self-reported that its procedures were not sufficient to ensure that its access lists of personnel who have Critical Cyber Asset access are updated within the required seven calendar days, and on four occasions the access lists were not updated within the time required. Duration of violation was from August 18, 2008 through February 13, 2009, when the violation was mitigated.

Finding: FRCC Enforcement determined that the violations did not create a serious or substantial risk to the bulk power system because (1) with respect to the first violation, the secure hosting facilities of the provider at issue are located at a major telecommunication company's facility, protected by armed security, electronic access control and video monitoring; and (2) with respect to the second violation, URE revoked or suspended access prior to updating the access list(s), so no personnel retained access that they should not have had. Further, the NERC Board of Trustees Compliance Committee concluded the penalty appropriate because, with one exception, this was URE's first violation of the Standards, URE self-reported several of the violations, numerous violations of a single standard were considered to be four instances of a single violation as opposed to separate violations, and URE was cooperative during the investigation.

Penalty: $55,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-128-000 (February 23, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Lower (R2, R4), Medium (R3)

Violation Severity Level: Not provided

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported a violation of CIP-004-1 R2, R3 and R4. WECC determined URE had not established a training program for personnel with authorized access to Critical Cyber Assets and consequently did not maintain a corresponding training record in violation of R2. URE also did not have a personnel risk assessment program and did not conduct appropriate background checks per R3. In addition, URE did not have procedures and records concerning physical access to its Critical Cyber Assets per R4.

Finding: The violations of R2 and R3 posed a moderate threat to the reliability of the bulk power system (BPS) because, even though URE is a small entity and did have a cyber security policy and a list of critical facilities in place, it did not have a training program for personnel with authorized access to the Critical Cyber Assets and did not have a compliant personnel risk assessment program that included background checks for personnel that had access to Critical Cyber Assets. The violation of R4 did not pose a serious or substantial risk to the BPS because URE had security procedures such as card readers and security guards in place to control access to Critical Cyber Assets. In determining the penalty amount, the NERC Board of Trustees Compliance Committee considered the following factors: this was URE's first occurrence of this type of violation; URE was cooperative; and the number and nature of the violations.

Penalty: $450,000 (aggregated for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-133-000 (February 28, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: The entity self-reported that pursuant to its quarterly review of the list of personnel with unescorted physical access to the System Operations Control Room, its systems operations personnel identified 6 employees as no longer requiring access. They notified security via a paper request to revoke access, of which security confirmed receipt. However, security did not revoke access within 7 days as required by R4. Duration of violation was May 14, 2010 through June 4, 2010.

Finding: NPCC determined this violation posed a minimal risk to the reliability of the bulk power system because there were no attempts to access either the physical security perimeter or the electronic security perimeter due to the lapse, and the issue was discovered in less than three weeks during regular review of access.

Penalty: $2,500

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-133-000 (February 28, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: TRE

Issue: The entity self-reported that one employee with authorized unescorted physical access retired, but the authorized unescorted physical access rights for this employee were not revoked within the 7 calendar day requirement. In addition, the list of personnel with access to Critical Cyber Assets was updated outside the 7 calendar day requirement. Duration of violation was March 7, 2010 through March 9, 2010.

Finding: TRE determined that the violation posed a minimal risk to the reliability of the bulk power system because the employee never accessed the privileges after his voluntary retirement date and only had physical (not cyber) access.

Penalty: $9,000

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-137-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2, R4); Lower (R3)

Violation Severity Level: N/A

Region: WECC

Issue: Prior to the effective date of the Standard, Unidentified Registered Entity (URE) self-reported that it would not be compliant with R2 through R4 at the time the Standard became effective because it did not have (1) a cyber security training program that met the requirements of R2; (2) personnel risk assessments for personnel with authorized cyber or unescorted physical access to Critical Cyber Assets as required by R3; or (3) lists of personnel with authorized cyber or unescorted physical access as required by R4. URE had hired an independent contractor to review its compliance and assist with mitigation. Duration of violation was July 1, 2008, when the Standard became enforceable for Table 1 entities, through December 16, 2008, when the violations were mitigated.

Finding: WECC Enforcement determined that the violations did not pose a serious or substantial risk to the bulk power system, even though the settlement agreement assessed the violation as a high risk. Further, the NERC BOTCC concluded the penalty appropriate because this was URE's first violation of most of the Standards involved, URE self-reported 28 of 30 violations, and URE was cooperative during the investigation.

Penalty: $106,000 (aggregate for 30 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-140-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2), Lower (R3, R4)

Violation Severity Level: N/A

Region: WECC

Issue: The Unidentified Registered Entity (URE) failed to train at least two of its employees within 90 days of their being given authorized access to Critical Cyber Assets, as required by R2.1; failed to update personnel risk assessments every seven years for at least 64 employees, as required by R3.2; and failed to update its Critical Cyber Assets access list within seven calendar days of any change of personnel with such access to Critical Cyber Assets or any change in the access rights of such personnel, as required by R4.1.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a Settlement Agreement, including a penalty in the amount of $27,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE's first violations of the subject NERC Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE's compliance program; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $27,000 (aggregate for 7 violations)

FERC Order: Issued April 29, 2011 (no further review)
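The entry above, like most on this page, turns on the same handful of calendar-day windows: initial training within 90 days of authorization (R2.1) and annual refresher training (R2.3); a personnel risk assessment within 30 days of access and refreshed every seven years (R3); the access list updated within seven calendar days of any change and reviewed quarterly (R4.1); and revocation within seven calendar days when access is no longer required, or 24 hours on termination for cause (R4.2). What the enforcement records show repeatedly is that entities discovered these misses months later, during a spot check or a quarterly review, rather than as they happened. The script below is an added example of a checker that flags each window as it is exceeded; it is not code from any Notice of Penalty, from NERC, or from White & Case. The record layout, the field names, the treatment of "annual" as 365 days and "seven years" as 7 × 365 days, and the sample personnel data are all assumptions constructed for illustration.

```python
"""Deadline checker for the CIP-004-1 personnel and access-list timeframes that
recur in the Notices of Penalty summarized on this page. All sample data below is
constructed for illustration and does not describe any registered entity."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Windows as the case summaries state them, in calendar days. Assumption: "annual"
# is checked as 365 days and "seven years" as 7 * 365 days.
TRAINING_INITIAL_DAYS = 90      # R2.1: train within 90 days of authorization
TRAINING_REFRESH_DAYS = 365     # R2.3: annual refresher training
PRA_INITIAL_DAYS = 30           # R3:   PRA within 30 days of access
PRA_REFRESH_DAYS = 7 * 365      # R3.2: PRA refreshed at least every seven years
LIST_UPDATE_DAYS = 7            # R4.1: access list updated within 7 days of a change
REVOKE_DAYS = 7                 # R4.2: revoke within 7 days when no longer required
REVOKE_FOR_CAUSE_DAYS = 1       # R4.2: revoke within 24 hours on termination for cause


@dataclass
class AccessRecord:
    """One person's authorized cyber / unescorted physical access history (assumed layout)."""
    person: str
    access_granted: date
    listed_on: Optional[date] = None       # date the person appeared on the access list
    trained_on: Optional[date] = None      # most recent cyber security training
    pra_completed: Optional[date] = None   # most recent personnel risk assessment
    access_ended: Optional[date] = None    # date access was no longer required
    revoked_on: Optional[date] = None      # date access was actually removed (None = still active)
    for_cause: bool = False                # termination for cause shortens the R4.2 window


def _days(later: Optional[date], earlier: date, as_of: date) -> int:
    """Days from `earlier` to `later`; if `later` has not happened yet, count up to `as_of`."""
    return ((later or as_of) - earlier).days


def check_record(r: AccessRecord, as_of: date) -> List[Tuple[str, str]]:
    """Return (requirement, detail) findings for one record as of the audit date."""
    findings: List[Tuple[str, str]] = []
    # R2.1 / R2.3: initial training deadline, then the annual refresher.
    if _days(r.trained_on, r.access_granted, as_of) > TRAINING_INITIAL_DAYS:
        findings.append(("R2.1", f"{r.person}: no training within {TRAINING_INITIAL_DAYS} days of access"))
    elif r.trained_on is not None and (as_of - r.trained_on).days > TRAINING_REFRESH_DAYS:
        findings.append(("R2.3", f"{r.person}: annual training overdue"))
    # R3 / R3.2: PRA within 30 days of access, then refreshed every seven years.
    if _days(r.pra_completed, r.access_granted, as_of) > PRA_INITIAL_DAYS:
        findings.append(("R3", f"{r.person}: no PRA within {PRA_INITIAL_DAYS} days of access"))
    elif r.pra_completed is not None and (as_of - r.pra_completed).days > PRA_REFRESH_DAYS:
        findings.append(("R3.2", f"{r.person}: PRA older than seven years"))
    # R4.1: the access list must reflect the grant within seven calendar days.
    if _days(r.listed_on, r.access_granted, as_of) > LIST_UPDATE_DAYS:
        findings.append(("R4.1", f"{r.person}: access list not updated within {LIST_UPDATE_DAYS} days"))
    # R4.2: revocation window depends on whether the departure was for cause.
    if r.access_ended is not None:
        limit = REVOKE_FOR_CAUSE_DAYS if r.for_cause else REVOKE_DAYS
        elapsed = _days(r.revoked_on, r.access_ended, as_of)
        if elapsed > limit:
            status = "revoked late" if r.revoked_on else "STILL ACTIVE"
            findings.append(("R4.2", f"{r.person}: {elapsed} days to revoke (limit {limit}); {status}"))
    return findings


def audit(records: List[AccessRecord], as_of: date) -> Dict[str, List[str]]:
    """Map each person to the requirement codes they currently fail."""
    return {r.person: [code for code, _ in check_record(r, as_of)] for r in records}


def missed_quarterly_reviews(review_dates: List[date], year: int) -> List[int]:
    """Quarters of `year` with no documented access-list review (R4.1)."""
    reviewed = {(d.month - 1) // 3 + 1 for d in review_dates if d.year == year}
    return [q for q in (1, 2, 3, 4) if q not in reviewed]


# Constructed sample data (assumption; no relation to any entity on this page).
AS_OF = date(2009, 6, 30)
SAMPLE_RECORDS = [
    AccessRecord("alice", date(2009, 3, 2), date(2009, 3, 4), date(2009, 2, 27), date(2009, 2, 20)),
    AccessRecord("bob", date(2009, 1, 5), date(2009, 1, 20), date(2009, 4, 20), date(2009, 2, 10)),
    AccessRecord("carol", date(2008, 7, 1), date(2008, 7, 1), date(2008, 7, 15), date(2008, 6, 15),
                 access_ended=date(2009, 5, 14), revoked_on=date(2009, 6, 4)),
    AccessRecord("dave", date(2008, 7, 1), date(2008, 7, 1), date(2008, 7, 2), date(2001, 5, 1),
                 access_ended=date(2009, 6, 25), for_cause=True),
]
SAMPLE_REVIEW_DATES = [date(2008, 10, 3), date(2009, 1, 15), date(2009, 4, 20), date(2009, 7, 10)]


def audit_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_RECORDS, AS_OF)


def sample_missed_reviews() -> List[int]:
    return missed_quarterly_reviews(SAMPLE_REVIEW_DATES, 2009)


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        for code, detail in check_record(r, AS_OF):
            print(f"[{code}] {detail}")
    print("Quarters of 2009 with no access-list review:", sample_missed_reviews())
```

Run daily against the HR feed and the access-control export rather than quarterly: the retirement and termination cases above were all caught by a later review, by which point the seven-day or 24-hour window had long passed. Note that the "STILL ACTIVE" branch is the one to page on, since an unrevoked account is an exposure, not just a documentation gap.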

Unidentified Registered Entity, FERC Docket No. NP11-143-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1, R2.3

Violation Risk Factor: Lower (R2.3), Medium (R2.1)

Violation Severity Level: N/A

Region: SERC

Issue: During a spot check, SERC found that at least one of the Unidentified Registered Entity's (URE) employees who had authorized cyber access had not fulfilled his annual cyber security training requirement according to the timeframe specified in the URE's cyber security training procedures (R2.3). In addition, in August 2009, the URE self-reported that one of its employees who had authorization for unescorted physical access to a Critical Cyber Asset within the physical security perimeter had not been given cyber security training within 90 days of being granted access, as required (R2.1).

Finding: SERC and the URE entered into a settlement agreement to resolve the violations, whereby the URE agreed to pay a penalty of $5,000 and to undertake other mitigation measures. SERC found that the violations constituted only a minimal risk to bulk power system reliability since all existing employees received their initial cyber security training in May 2007 and then again in June 2009. And, while there was a two-year period without annual training, there were no known incidents resulting from the lack of cyber security training. In addition, apart from the one relevant employee who did not receive the initial cyber security training, all other new employees received the mandated cyber security training within 90 days of obtaining access to the Critical Cyber Assets. That one relevant employee (who only had physical access rights) was never alone within the physical security boundary and had already received a personnel risk assessment. The duration of the violations was from July 1, 2008 through June 18, 2009 for R2.3 and from September 30, 2009 through May 26, 2009 for R2.1. In determining the penalty amount, NERC considered the fact that these were the URE's first violations of the relevant Reliability Standards; one of the violations was self-reported; there was a compliance program in place (even though this was only evaluated as a neutral factor); the URE was cooperative during the enforcement process and did not attempt to conceal the violations; and there were no additional mitigating or aggravating factors.

Penalty: $5,000 (aggregate for 2 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-146-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 (two violations), R3 (three violations), R4 (three violations)

Violation Risk Factor: Lower (R4), Medium (R2, R3)

Violation Severity Level: N/A

Region: RFC

Issue: In April 2009, Unidentified Registered Entity 1 (URE1) and Unidentified Registered Entity 2 (URE2) self-reported that they had not properly trained three contractors who had authorized unescorted physical access to Critical Cyber Assets (R2.1). In October 2009, URE1, URE2 and Unidentified Registered Entity 3 (URE3, collectively UREs) self-reported that they had not properly performed personnel risk assessments of certain contract workers and employees who were granted authorized unescorted physical access to Critical Cyber Assets within 30 days as required (R3). In addition, during a spot check, RFC found that the UREs were not properly maintaining the lists of personnel who possessed authorized cyber access or unescorted physical access to the Critical Cyber Assets.

Finding: RFC entered into a settlement agreement with the UREs to resolve multiple violations, whereby the UREs agreed to pay a penalty of $52,500 and to undertake other mitigation measures. With regard to the CIP-004-1 R2 (sub-requirement 2.1) violations, RFC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the violations only involved three of URE1 and URE2's contractors (out of 199 contractors who had authorized cyber or unescorted physical access to Critical Cyber Assets). The relevant contractors also had their access privileges revoked until they completed the needed training. Regarding the CIP-004-1 R3 violations, RFC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the access records demonstrated that all of the locations accessed by the relevant contractors had a series of security measures in place to monitor individuals' movements. For the CIP-004-1 R4 violations, RFC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the relevant personnel had already received cyber security training and a personnel risk assessment. The duration of the CIP-004-1 violations was January 29, 2009 through June 5, 2009 for R2.1 (URE1 and URE2), August 7, 2009 through September 8, 2009 for R3 (UREs), and August 29, 2008 through July 1, 2009 for R4 (UREs).
In determining the penalty amount, NERC considered the fact that these were the UREs' first violations of the relevant Reliability Standards; some violations were self-reported, while others were revealed during an RFC spot check; the UREs were cooperative during the enforcement process and did not attempt to conceal the violations; the UREs had a compliance program in place (which was evaluated as a mitigating factor); the mitigation plan for CIP-004-1 R3 violation was completed late; and there were no additional mitigating or aggravating factors.

Penalty: $52,500 (aggregate for 14 violations and for 8 entities)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-157-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/R2.3, R3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SERC

Issue: Following a spot-check, SERC determined that the Unidentified Registered Entity (URE) violated R2 because it did not maintain annual cyber security training documentation for approximately 7% of employees and vendors that had access to Critical Cyber Assets, and that URE violated R3 because it could not produce evidence that it had conducted personnel risk assessments within 7 years for 6.6% of employees and vendors.

Finding: SERC determined the violations posed a minimal risk and did not pose a serious or substantial risk to the reliability of the Bulk Power System because the URE had documentation proving the 7% of employees/vendors that missed annual training in 2008 had attended the required training in 2007, and all but one of the employees/vendors that did not have personnel risk assessments within the last 7 years had PRAs in 2002. Moreover, the one employee at issue was a long-term employee in good standing and had a background check when hired. The NERC BOTCC considered the following factors: this was URE's first violation of this Standard; URE was cooperative; URE had a compliance procedure in place, which SERC considered a mitigating factor; there was no evidence of any attempt or intent to conceal the violations; and there were no other mitigating or aggravating factors.

Penalty: $7,000 (aggregated for 2 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-161-000 (March 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/R2.3, R3

Violation Risk Factor: Lower (R2); Medium (R3)

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-reported a violation of R2/R2.3 and R3 after purchasing a facility. WECC determined that the URE violated R2.3 because it did not maintain and document an annual cyber security training program for one individual who had physical access to a physical security perimeter surrounding Critical Cyber Assets at the facility. WECC determined URE violated R3 because it did not follow its personnel risk assessment program for several people with access to Critical Cyber Assets at the facility.

Finding: WECC Enforcement determined the violation did not pose a serious or substantial risk to the Bulk Power System because the individual who did not receive annual cyber security training had been trained on cyber security, and the person's authorized access was revoked within 72 hours of the missed annual training deadline. Moreover, URE conducted personnel risk assessments on all covered personnel according to an informal revised policy that had not been incorporated into the formal, documented program. The NERC BOTCC considered the following factors: URE self-reported the violations; URE was cooperative; URE had a compliance procedure in place, which WECC considered a mitigating factor; there was no evidence of any attempt or intent to conceal the violations; and there were no other mitigating or aggravating factors.

Penalty: $35,000 (aggregated for 8 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-162-000 (March 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: TRE

Issue: URE self-reported that a retired employee had indirect cyber access to certain Critical Cyber Assets for several months after his last day of employment before access was revoked. The duration of the violation was February 6, 2010 through April 5, 2010, when access was revoked.

Finding: TRE Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because the inappropriate access was indirect and would have required Control Room Operator approval to use, and TRE was able to determine by review of control room logs that the retired employee had not accessed any systems after his retirement.

Penalty: $8,000

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/2.2.2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: Unidentified Registered Entity (URE) did not include instructional information pertaining to the use of physical and electronic access controls to Critical Cyber Assets in its annual cyber security training program.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE's first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $50,000 (aggregate for 14 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-167-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) did not maintain lists of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets (CCAs), including their specific electronic and physical access rights to CCAs.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $89,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts: the violation constituted URE's first violation of the subject Reliability Standard; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE had a compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; URE implemented compliance procedures that led to the discovery of the violations; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $89,000 (aggregate for 13 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-174-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: The Unidentified Registered Entity ("URE") violated R2/2.3 and R4/4.2 because it did not provide evidence that a contractor with cyber access to Critical Cyber Assets completed annual cyber security training one year, nor did it provide evidence that it had revoked access to cyber security assets for three individuals within seven calendar days after the date they no longer required such access.

Finding: The violations posed a moderate risk to the reliability of the bulk power system because, with respect to R2.3, the contractor at issue passed a Personnel Risk Assessment, completed the initial cyber security training a year earlier, and only had restricted access rights. With respect to R4.2, none of the three individuals at issue had full access to the Cyber Security Assets beyond the time period it was needed, and access was fully revoked no later than 12 calendar days after it was no longer required. Moreover, two of the three individuals retired and therefore did not have either physical or remote electronic access to the assets. The NERC BOTCC determined this was the URE's first occurrence of a violation of the subject Reliability Standard; the URE was cooperative; the URE had a compliance program, which RFC considered a mitigating factor; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $15,000 (aggregated for 3 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-175-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3

Violation Risk Factor: Medium (R2), Lower (R3)

Violation Severity Level: N/A

Region: WECC

Issue: In March 2009, the Unidentified Registered Entity (URE) self-reported that it did not have proper documentation showing that it had conducted training for all of its employees, contractors and service vendors as required within 90 days of granting authorized access to Critical Cyber Assets (R2). The URE also self-reported that it did not possess proper documentation showing that it had performed the required seven-year background check for around 5% of its employees, contractors and service vendors who had authorized access to the control centers which held the Critical Cyber Assets (R3). In addition, the URE had not conducted all of the required annual training (R2/R3).

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $32,000 and to undertake other mitigation measures. WECC found that the violations of CIP-004-1 constituted a moderate risk to bulk power system reliability since untrained personnel could have posed a risk to the URE's Critical Cyber Assets. But, the URE had performed training and background checks for over 95% of its relevant personnel. The duration of the CIP-004-1 violations was from July 1, 2008 through April 30, 2009. In approving the settlement agreement and the penalty determination, NERC considered the fact that the violations were the URE's first violations of the relevant Reliability Standards; some of the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $32,000 (aggregate for 6 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-176-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: In June 2009, the Unidentified Registered Entity (URE) self-reported that it had not trained one contractor within 90 days of his receiving access to the URE's Critical Cyber Assets (CCAs), as required (R2). In October 2009, the URE filed an additional self-report, stating that it had not performed a personnel risk assessment within 30 days for four individuals receiving authorized cyber or unescorted physical access to the URE's CCAs (R3). In addition, in September 2009, the URE self-reported that it had not withdrawn access to its CCAs within the required seven days for five personnel who no longer needed access (and therefore had not properly updated its list of personnel with CCA access within seven days of the changes).

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $80,000 and to undertake other mitigation measures. Regarding CIP-004-1 R2, WECC found that the violation only constituted a minimal risk to bulk power system reliability since the URE did actually have a cyber security training program in place and the violation only involved one contractor (who already had an established relationship with the URE). Regarding CIP-004-1 R3, WECC also found that violation only constituted a minimal risk to bulk power system reliability since the URE did have a personnel risk assessment program in place (even though in this instance, the background checks on the four relevant employees did not provide a sufficient risk determination). For CIP-004-1 R4, WECC found that the violation only posed a minimal risk since the URE did have procedures to properly revoke access to its CCAs, even though it failed to follow those procedures in this instance. None of the relevant individuals was terminated for cause and each had received proper training and was in good standing with the URE. The duration of the CIP-004-1 violations was from April 13, 2009 through May 18, 2009 (R2), July 1, 2008 through March 1, 2010 (R3), and July 1, 2008 through June 12, 2009 (R4). In approving the settlement agreement and the penalty determination, NERC considered the fact that the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); the violations of IRO-005-2 R13 and TOP-004-2 R1 resulted from a single noncompliance occurrence; and there were no additional aggravating or mitigating factors.

Penalty: $80,000 (aggregate for 7 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-180-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: The Unidentified Registered Entity (URE) self-reported that one employee with authorized access to the Critical Cyber Assets (CCAs) had not received the required annual training (R2). In addition, the URE self-reported that it had not properly enacted its personnel risk assessment program (R3). For example, there were documentation errors in some of the background investigation reports; one (out of 375) of the employees who possessed authorized access to the CCAs had not received a background check before commencing employment; and three other employees had not received the needed background check within the required seven year period.

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $71,500 and to undertake other mitigation measures. WECC found that the violation of CIP-004-1 R2 only constituted a minimal risk to bulk power system reliability since the URE had conducted the required training for all but one of its employees. There was also a strong security culture at the URE, and the relevant employee had received the required training the previous year. WECC also found that the violation of CIP-004-1 R3 only constituted a minimal risk to bulk power system reliability since the URE did actually have a personnel risk assessment program in place and the violation was of small scope (as the relevant employees were all able to clear the background check). The duration of the CIP-004-1 violations was from July 20, 2009 through October 9, 2009 (R2) and from July 1, 2008 through August 12, 2009 (R3). In approving the settlement agreement and the penalty determination, NERC considered the fact that the violations were the URE's first violations of the relevant Reliability Standards; most of the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); the penalty for the violation of IRO-STD-006-0 WR1 was based on a specified Sanction Table; the violations of IRO-005-2 R13 and TOP-008-1 R2 resulted from a single noncompliance occurrence; and there were no additional aggravating or mitigating factors.

Penalty: $71,500 (aggregate for 9 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/2.1

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: FRCC

Issue: Unidentified Registered Entity ("URE") could not provide evidence that 132 personnel completed appropriate training within 90 days of obtaining authorized unescorted physical or cyber access to Critical Cyber Assets.

Finding: The violation posed minimal risk but not serious or substantial risk to the reliability of the bulk power system, because all employees at issue were long-term employees in good standing, and URE stated it had conducted the training.

Penalty: $23,000 (aggregated for 11 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/2.3

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: FRCC

Issue: Unidentified Registered Entity ("URE") could not provide evidence that it timely conducted annual training for 25 employees with authorized access to Critical Cyber Assets. Training occurred 1-7 days late.

Finding: The violation posed minimal risk but did not pose a serious or substantial risk to the reliability of the bulk power system, because all employees at issue were long-term employees in good standing and the longest delay was only 7 days.

Penalty: $23,000 (aggregated for 11 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: NPCC

Issue: Unidentified Registered Entity (URE) self-reported that it could not provide evidence of timely cyber security training for a contractor that had unescorted physical access rights to certain Critical Cyber Assets within the Physical Security Perimeter (PSP).

Finding: The violation posed minimal risk, but did not pose a serious or substantial risk to the reliability of the bulk power system, because it only involved one contractor who was in good standing with his employer, and the contractor did not make any attempt at unescorted PSP access within the relevant time-frame.

Penalty: $7,500 (aggregated for 4 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: Lower (R2); High (R3); Moderate (R4)

Region: NPCC

Issue: Unidentified Registered Entity (URE) self-reported that it did not revoke unescorted physical access to the Physical Security Perimeter (PSP) and authorized cyber access to the Electronic Security Perimeter (ESP) within the required timeframes on six occasions, in violation of R4/4.1 and R4.2; and could not provide evidence that it conducted a personnel risk assessment nor timely conducted cyber security training for a contractor that had unescorted physical access rights to certain Critical Cyber Assets within the PSP in violation of R2/2.1 and R3.

Finding: The violations posed minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because no attempts were made by any of the individuals at issue to obtain relevant access to the PSP or ESP, as applicable, and all employees and contractors at issue were in good standing.

Penalty: $2,500 (aggregated for 3 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: FRCC

Issue: Unidentified Registered Entity ("URE") could not provide evidence that it conducted personnel risk assessments on 8 employees within 30 days of acquiring authorized access to Critical Cyber Assets.

Finding: The violation posed minimal risk but did not pose a serious or substantial risk to the reliability of the bulk power system, because all employees at issue were long-term employees, and all the relevant contractors were from a trusted vendor.

Penalty: $23,000 (aggregated for 11 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R3, R4.1, R4.2

Violation Risk Factor: Medium

Violation Severity Level: High, Moderate, Moderate

Region: NPCC

Issue: A contractor had unescorted physical access rights at various substations to Critical Cyber Assets (CCAs) within the Physical Security Perimeter (PSP) but a Personnel Risk Assessment (PRA) had not been performed. The individual began working for Unidentified Registered Entity (URE) as a contractor prior to July 1, 2009. On July 21, 2010, his unescorted access to CCAs within the PSP was revoked, and records showed he never attempted access. In addition, an employee had unescorted physical access rights at various substations to CCAs in the PSP without a PRA ever having been performed. Further, for certain employees and contractors, the access list updates to the PSP and the Electronic Security Perimeter (ESP) did not occur within seven calendar days. For other employees and contractors, the access list updates (PSP and ESP) and revocation of access (PSP and ESP) did not occur within seven calendar days.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $7,500 for this and other violations. In reaching this determination, among other facts, the NERC BOTCC considered that the violations posed a minimal risk and did not pose a serious or substantial risk to the reliability of the bulk power system.

Penalty: $7,500 (aggregate for 4 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-181-000 (April 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R4/4.1

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: FRCC

Issue: Unidentified Registered Entity ("URE") could not provide evidence that it reviewed and updated its list of users with authorized access to Critical Cyber Assets.

Finding: The violation posed minimal risk but not serious or substantial risk to the reliability of the bulk power system, because URE maintained a list of authorized users; it just failed to document quarterly reviews of the list.

Penalty: $23,000 (aggregated for 11 violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-182-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium, Medium, Lower

Violation Severity Level: N/A

Region: WECC

Issue: The Unidentified Registered Entity (URE) failed to produce evidence that personnel were trained within 90 days of being given authorized access to Critical Cyber Assets (CCAs). URE’s training materials prior to May 14, 2009 did not include any of the sub-requirements of CIP-004-1 R2.2. URE further failed to have evidence showing that personnel risk assessments had been performed on certain personnel within 30 days of being granted access to CCAs as required by CIP-004-1 R3. In addition, URE failed to produce evidence that it had updated its access lists and removed access in the time periods allotted by CIP-004-1 R4.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $59,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE’s first violations of the subject Reliability Standards; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $59,000 (aggregate for 6 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2, R3), Lower (R4)

Violation Severity Level: N/A

Region: RFC

Issue: Unidentified Registered Entity (URE) violated CIP-004-1 R2 because it did not train 32 individuals with authorized cyber or authorized unescorted physical access to Critical Cyber Assets within 90 days of their access authorizations, and it failed to complete personnel risk assessments for 32 individuals with access to Critical Cyber Assets within 30 days of granting such access in violation of CIP-004-1 R3. With regard to CIP-004-1 R4, URE did not include 20 individuals with “passcard” access to Critical Cyber Assets on its list of personnel with authorized cyber or authorized unescorted physical access because it mistakenly considered these individuals as having escorted physical access to Critical Cyber Assets.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of the other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those actions that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-188-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R3.2 and R4

Violation Risk Factor: Lower for R3.2 and Medium for R4

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP determined that URE did not update two individuals' personnel risk assessments within seven years as required by R3.2 (though the updates were completed within six and seven months of the deadline, respectively). URE also self-reported that it failed to revoke the Critical Cyber Asset access of forty-four personnel within seven calendar days of the termination of their employment in violation of R4. The duration of the R3.2 violation was July 1, 2008, when URE was required to be compliant with the standard, through January 1, 2010, when the violation was mitigated. The duration of the R4 violation was July 1, 2008, when URE was required to be compliant with the standard, through November 3, 2009, when the violation was mitigated.

Finding: SPP determined that the violation posed a minimal risk to the bulk power system because with respect to R3.2 the personnel risk assessments were completed and the personnel involved were long-time employees, and with respect to R4 the terminated employees were not terminated for cause, and they had no physical access to Cyber Assets nor remote access privileges (except for two individuals) or cyber administrative privileges (except for three individuals). The NERC BOTCC also considered that the URE self-reported certain of the violations, and this was the URE's first occurrence of violations of the standards.

Penalty: $16,860 (aggregate for 7 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-189-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.1 and R3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: FRCC

Issue: During a spot check, FRCC determined that the URE did not provide adequate evidence demonstrating that one of its employees with authorized cyber access to Critical Assets received training within ninety calendar days of when access was authorized in violation of R2.1 (training was provided 105 days later). URE also self-reported that two contract employees were approved for NERC access to the Physical Security Perimeter, but background checks had only been performed on one of the contractors (the contractors were a father and son with the same first and last names) in violation of R3. Duration of the R2.1 violation was September 7, 2009 when the ninety day period for conducting training began through December 14, 2009, when the violation was mitigated. Duration of the R3 violation was June 7, 2009 when the background check was required to occur through July 23, 2009 when the violation was mitigated.

Finding: FRCC determined that the violation posed a minimal risk to the bulk power system because with respect to the violation of R2.1, training was completed for the employee before granting access under URE's program for compliance with the Urgent Action 1200 standards; with respect to the violation of R3, access was immediately disabled until the background check was completed upon discovery of the error. The NERC BOTCC also considered that the URE self-reported the violation.

Penalty: $17,000 (aggregate for 5 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-192-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Following a Self-Report by URE, WECC determined that URE did not timely revoke an individual's authorized unescorted physical access to Critical Cyber Assets pursuant to R4. Access should have been revoked no later than Sept. 18, 2009, but it was not revoked until May 5, 2010. The individual was working at the URE as a security guard of a security contractor. The contractor transferred the individual without notifying URE because the individual could be recalled to the URE's facility. URE revoked authorization as soon as it learned the security guard had been transferred.

Finding: WECC determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the violation only involved one individual who had completed both a personnel risk assessment and CIP training, and that person could be recalled to URE's facilities. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of the Reliability Standards at issue; URE self-reported the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $12,200 (aggregated for 3 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-193-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: WECC

Issue: A week before a CIP Spot-Check, URE self-reported a violation of R3. WECC determined that URE did not conduct personnel risk assessments on two employees who had authorized cyber or authorized unescorted physical access to Critical Cyber Assets, which constituted 2% of the required personnel.

Finding: WECC determined that the violation posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the violation only concerned less than 2% of persons with access to Critical Cyber Assets, one of whom was a company vice president with limited physical access to a facility several hundred miles from the individual's office, and the other an individual who had read-only electronic access to CCAs. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of all but one of the Reliability Standards at issue in this NOP; URE self-reported three of the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined that all but one of the violations posed a minimal risk, one violation posed a moderate risk, and none posed a serious or substantial risk to the BPS; and there were no other aggravating or mitigating factors.

Penalty: $60,000 (aggregated for 5 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-198-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R4 (R4.2)

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP discovered that the Unidentified Registered Entity did not revoke access to its Critical Cyber Assets for 44 of its personnel within seven days of their employment termination as required.

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $17,860 and to undertake other mitigation measures. SPP found that the CIP-004-1 violation only posed a minimal risk to bulk power system reliability since none of the 44 personnel were terminated for cause. Furthermore, none of the relevant personnel possessed physical access privileges to the Cyber Assets; only two of the personnel possessed remote access privileges; and only three of the personnel possessed cyber administrative privileges. The duration of the CIP-004-1 violation was from July 1, 2008 through November 3, 2009. In approving the settlement agreement, NERC found that these violations were the URE's first violations of the relevant Reliability Standards; the PRC-005-1 violation was self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place when the violations occurred (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $17,860 (aggregate for 7 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-199-000 (May 26, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.3

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: MRO

Issue: During a spot check, MRO discovered that the Unidentified Registered Entity (URE) did not possess all of the required cyber security training records for one of its employees (who was missing documentation related to the 2008 annual cyber security training).

Finding: MRO found that the violation posed only a minimal risk to bulk power system reliability since the relevant employee underwent cyber security training in 2005 before receiving access and had also satisfied the annual training requirement in 2009 and 2010. The other 267 employees and contractors of the URE had satisfied all of their cyber security training requirements. The duration of the violation was from October 1, 2008 through July 17, 2008.

Penalty: $0

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-205-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: The Registered Entity self-certified that it had not conducted quarterly reviews of its list of personnel that had access to its Critical Cyber Assets as required.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $22,000 and to undertake other mitigation measures. WECC found that the CIP-004-1 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity was actually performing periodic reviews of the relevant list (even though not at the required frequency). Furthermore, the Registered Entity missed the review period for 4th Quarter 2008 by only eight days. The duration of the CIP-004-1 violation was from January 1, 2009 through January 7, 2009. In approving the settlement agreement, NERC found that the violation of MOD-010-0 was self-reported; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $22,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entities 1 and 2, FERC Docket No. NP11-206-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.2 (8 violations), R4.1 (2 violations), R3 (1 violation), R2.1 (1 violation)

Violation Risk Factor: Medium (for all of the R4.2, R3 and R2.1 violations), Lower (for the R4.1 violations)

Violation Severity Level: N/A (for all of the violations)

Region: NPCC

Issue: Registered Entity 1 self-reported that it had not revoked physical access rights to its Critical Cyber Assets (CCAs), within seven days as required, for four substation employees who were transferred to new positions (R4.2, 4 violations) and for two Control Center employees who were also transferred to new jobs (R4.2, 2 violations). In addition, Registered Entity 1 had not revoked physical access rights to its CCAs, within 24 hours as required, for a Control Center employee who was fired for cause (R4.2, 1 violation). Registered Entity 1 also self-reported that, for five of its employees with read-only access to the Energy Management System (EMS), a CCA, it had not conducted the required CIP training within 90 days of the employees’ authorization (R2.1), and that it did not perform the mandated personnel risk assessment for one of its employees within 30 days of granting him read-only access to the EMS (R3). Registered Entity 1 also had incomplete lists of its personnel who possessed authorized unescorted physical access rights to the CCAs and their accompanying physical access rights (R4.1, 1 violation). Furthermore, Registered Entity 2 self-reported that it also had not revoked physical access rights to its CCAs, within seven days as required, for an employee who had moved to a new job and therefore no longer needed physical access rights to the CCAs (R4.2, 1 violation), and that it maintained an incomplete access list of personnel who had authorized unescorted access to the CCAs and their accompanying physical access rights (R4.1, 1 violation).

Finding: NPCC and the Registered Entities’ parent company entered into a settlement agreement to resolve multiple violations, whereby the Registered Entities’ parent company agreed to pay a penalty of $80,000 and to undertake other mitigation measures. The duration of the CIP-004-1 R4.2 violations was from July 1, 2009 through July 20, 2009 (1 violation), through July 21, 2009 (3 violations) and through September 8, 2009 (1 violation); from October 11, 2009 through October 21, 2009 (1 violation); from October 8, 2009 through October 13, 2009 (1 violation); and from July 27, 2009 through August 20, 2010 (1 violation). The duration of the CIP-004-1 R2.1 violation was from July 1, 2009 through February 18, 2010, and the R3 violation was from July 1, 2009 through September 30, 2009. The duration of the CIP-004-1 R4.1 violations was from October 1, 2009 through May 15, 2009 and May 30, 2010. NPCC found that the violations of CIP-004-1 R2.1 and R3 only constituted a minimal risk to bulk power system reliability since the relevant employees did not have operational control over any of the bulk power system equipment and were only able to view EMS information remotely. The violation of CIP-004-1 R4.1 constituted a minimal risk to bulk power system reliability since there were no instances of physical access to the CCAs that were not properly authorized and also documented by the access approvers. The violations of CIP-004-1 R4.2 only constituted a minimal risk to bulk power system reliability since access records verified that none of the relevant employees accessed the CCAs after their access rights were supposed to be revoked and, in a number of the violations, the relevant employee’s key card had been taken away.
In approving the settlement agreement, NERC found that these violations were the Registered Entities’ parent company’s first violations of the relevant Reliability Standards; the violations were self-reported; the Registered Entities’ parent company was cooperative during the enforcement proceeding and did not conceal the violations; and there were no additional aggravating or mitigating factors.

Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued July 29, 2011 (no further review)
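The deadlines these entries turn on (R3: a personnel risk assessment within 30 days of the access grant; R2.1: training within 90 days of authorization; R4.2: revocation within seven days of a transfer or termination, or 24 hours for a termination for cause; R4: a quarterly review of the access list) can be checked mechanically against HR and access-control exports rather than found during a spot check. The Python script below is an added example written for this page; it is not code from White & Case LLP or from any registered entity discussed in these notes. Its record layout, the person labels, the dates and the choice to model the 24-hour window at calendar-day granularity are constructed assumptions.

```python
"""CIP-004-1 personnel/access timeliness audit over constructed records.

Added illustration for the case notes; not code from White & Case LLP or
from any registered entity. Record layout, labels and dates are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Deadlines as cited in the CIP-004-1 case notes.
PRA_WINDOW = timedelta(days=30)       # R3: PRA within 30 days of the access grant
TRAINING_WINDOW = timedelta(days=90)  # R2.1: training within 90 days of authorization
REVOKE_WINDOW = timedelta(days=7)     # R4.2: revoke within 7 days of transfer/termination
REVOKE_FOR_CAUSE = timedelta(days=1)  # R4.2: 24 hours for termination for cause
                                      # (assumption: modelled at calendar-day granularity)

@dataclass
class AccessRecord:
    person: str
    granted: date                            # authorized cyber/unescorted physical access began
    pra_completed: Optional[date]            # None = no PRA on file
    trained: Optional[date]                  # None = no training record on file
    no_longer_needed: Optional[date] = None  # transfer/termination date; None = still needed
    for_cause: bool = False
    revoked: Optional[date] = None           # None = access still active

@dataclass(frozen=True)
class Finding:
    person: str
    requirement: str
    detail: str

def _late(person: str, req: str, start: date, done: Optional[date],
          window: timedelta, as_of: date, action: str) -> Optional[Finding]:
    """Finding if `done` (or `as_of`, while the item is still open) is past start + window."""
    deadline = start + window
    effective = done if done is not None else as_of
    if effective <= deadline:
        return None
    status = f"{action} on {done}" if done is not None else f"{action} still missing as of {as_of}"
    return Finding(person, req, f"{status}; deadline {deadline}, {(effective - deadline).days} day(s) late")

def audit(records: List[AccessRecord], as_of: date) -> List[Finding]:
    """Flag every record that misses an R3, R2.1 or R4.2 deadline."""
    findings: List[Finding] = []
    for r in records:
        checks = [
            _late(r.person, "R3", r.granted, r.pra_completed, PRA_WINDOW, as_of, "PRA completed"),
            _late(r.person, "R2.1", r.granted, r.trained, TRAINING_WINDOW, as_of, "training completed"),
        ]
        if r.no_longer_needed is not None:
            window = REVOKE_FOR_CAUSE if r.for_cause else REVOKE_WINDOW
            checks.append(_late(r.person, "R4.2", r.no_longer_needed, r.revoked, window, as_of, "access revoked"))
        findings.extend(f for f in checks if f is not None)
    return findings

def _quarter(d: date) -> Tuple[int, int]:
    return d.year, (d.month - 1) // 3 + 1

def missing_quarterly_reviews(review_dates: List[date], start: date, end: date) -> List[str]:
    """R4: every calendar quarter from start to end needs an access-list review date."""
    reviewed = {_quarter(d) for d in review_dates}
    missing: List[str] = []
    year, q = _quarter(start)
    while (year, q) <= _quarter(end):
        if (year, q) not in reviewed:
            missing.append(f"{year}-Q{q}")
        year, q = (year + 1, 1) if q == 4 else (year, q + 1)
    return missing

# Constructed sample data (not taken from any NOP) exercising each deadline.
SAMPLE_AS_OF = date(2010, 8, 20)
SAMPLE_RECORDS = [
    AccessRecord("ops-1", date(2009, 7, 1), date(2009, 7, 10), date(2009, 8, 1)),   # compliant
    AccessRecord("ops-2", date(2009, 7, 1), date(2009, 9, 30), date(2009, 8, 1)),   # PRA 61 days late (R3)
    AccessRecord("ops-3", date(2009, 7, 1), date(2009, 7, 5), None),                # never trained (R2.1)
    AccessRecord("sub-1", date(2008, 1, 1), date(2008, 1, 2), date(2008, 1, 3),
                 no_longer_needed=date(2009, 7, 1), revoked=date(2009, 7, 21)),     # revoked 13 days late (R4.2)
    AccessRecord("cc-1", date(2008, 1, 1), date(2008, 1, 2), date(2008, 1, 3),
                 no_longer_needed=date(2009, 7, 27), for_cause=True),               # never revoked (R4.2)
    AccessRecord("cc-2", date(2008, 1, 1), date(2008, 1, 2), date(2008, 1, 3),
                 no_longer_needed=date(2009, 10, 8), revoked=date(2009, 10, 13)),   # revoked in 5 days, compliant
]
# A review dated 8 January 2009 falls in 2009-Q1, so 2008-Q4 has no review.
SAMPLE_REVIEWS = [date(2009, 1, 8), date(2009, 4, 2), date(2009, 7, 6), date(2009, 10, 1)]

def run_sample() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    findings = [(f.person, f.requirement, f.detail) for f in audit(SAMPLE_RECORDS, SAMPLE_AS_OF)]
    missing = missing_quarterly_reviews(SAMPLE_REVIEWS, date(2008, 10, 1), date(2009, 12, 31))
    return findings, missing

if __name__ == "__main__":
    found, gaps = run_sample()
    for person, req, detail in found:
        print(f"{req:<5} {person:<6} {detail}")
    print("quarters without an access-list review:", gaps)
```

The quarterly check is deliberately calendar-based: a review dated 8 January lands in the following quarter and leaves the previous one unreviewed, which is the same shape as the eight-day slip past the 4th Quarter 2008 deadline described in the NP11-205-000 entry below. Records whose deadline has not yet passed as of the audit date produce no finding, so the script can be run on a live access list without flagging in-progress onboarding.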

Unidentified Registered Entity, FERC Docket No. NP11-211-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Registered Entity had not conducted, in the fourth quarter of 2008, a review of its list of personnel who had access rights to its Critical Cyber Assets.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $14,000 and to undertake other mitigation measures. WECC found that the CIP-004-1 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity was actually conducting periodic reviews of its personnel list, just not as frequently as required. The duration of the CIP-004-1 violation was from January 1, 2009 through November 17, 2009. In approving the settlement agreement, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $14,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-212-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3

Violation Risk Factor: Lower (R2), Medium (R3)

Violation Severity Level: Severe (for R2, R3)

Region: WECC

Issue: The Registered Entity self-reported that it had not been maintaining proper documentation regarding annual training for its personnel, as it lacked evidence of the date the training was completed as well as the attendance records for four of its employees (R2). The Registered Entity also self-reported that it had not performed the required Personnel Risk Assessments for certain of its employees and contractors (9%) within 30 days of their receiving authorized cyber or unescorted physical access rights to its Critical Cyber Assets (R3).

Finding: The Registered Entity agreed to pay a penalty of $381,600 and to undertake other mitigation measures to resolve multiple violations. WECC found that the CIP-004-1 R3 violation constituted a moderate risk to bulk power system reliability since the Registered Entity did not properly investigate the identity and criminal history of its personnel, and therefore it was possible that people with an inappropriate background could have accessed the Critical Cyber Assets essential to the operation of the bulk power system. However, the Registered Entity did have additional security measures in place to mitigate potential security threats. WECC found that the CIP-004-1 R2 violation constituted only a minimal risk to bulk power system reliability since the relevant employees had been on the job for some time and had received initial training. The duration of the CIP-004-1 violations was from December 30, 2009 through November 1, 2010 (R2) and from July 1, 2009 through March 19, 2010 (R3). In approving the penalty amount, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; three of the violations were self-reported and three of the violations were the result of self-certifications; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $381,600 (aggregate for 6 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-213-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (for R2, R3, R4)

Violation Severity Level: Not provided

Region: WECC

Issue: During a spot check, WECC determined that the Registered Entity had not conducted all of the mandated training, within 90 days, for all of its personnel (including contractors and service vendors) who had authorized cyber or unescorted physical access rights to its Critical Cyber Assets, and had failed to establish a Cyber Security Training Program for this purpose (R2). In addition, WECC found that the Registered Entity had not performed, within 30 days as required, Personnel Risk Assessments for certain of its personnel who received authorized cyber or unescorted physical access to the Critical Cyber Assets (R3). WECC also determined that the Registered Entity was not properly maintaining a list of its personnel who possessed electronic access rights to its Critical Cyber Assets as required (R4).

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $143,500 and to undertake other mitigation measures. WECC found that the CIP-004-1 R2 violation constituted a severe risk to bulk power system reliability since the Registered Entity’s failure to provide adequate training to its personnel could have led to an insecure environment for its Critical Cyber Assets if the relevant personnel were unable to implement the required procedures correctly. The Registered Entity did implement secondary detection measures. WECC found that the violation of CIP-004-1 R3 constituted a moderate risk to bulk power system reliability since the lack of Personnel Risk Assessments could make the Critical Cyber Assets vulnerable to attack; however, the relevant employees had long histories on the job. WECC found that the violation of CIP-004-1 R4 constituted only a minimal risk to bulk power system reliability as the Registered Entity had properly maintained physical access rights and had a small staff, all of whom knew who possessed electronic access rights to the Critical Cyber Assets. The duration of the CIP-004-1 violations was from July 1, 2008 through March 1, 2010 (R2), March 9, 2010 (R3) and April 28, 2010 (R4). In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations, and that there were no additional aggravating or mitigating factors.

Penalty: $143,500 (aggregate for 10 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-218-000 (June 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R3 (two violations), R4

Violation Risk Factor: Lower (for all violations)

Violation Severity Level: N/A

Region: WECC

Issue: The Registered Entity self-reported that it did not possess the background investigation report for one of its employees who had access rights to its Critical Cyber Assets (R3 – one violation). WECC also found the Registered Entity did not perform full Personnel Risk Assessments for all of its contract and service personnel with cyber or unescorted physical access rights to its Critical Cyber Assets (R3 – one violation). In addition, the Registered Entity self-reported that it had not updated, as required, its access list to its Critical Cyber Assets within seven days of providing improper access rights to certain of its contract personnel (R4).

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $130,000 and to undertake other mitigation measures. WECC found that the CIP-004-1 violations constituted a moderate risk to bulk power system reliability. In regard to the first violation of R3, only one long-term employee (representing less than 1% of employees who had access rights to the Critical Cyber Assets) was missing his Personnel Risk Assessment, and the Registered Entity performed the background check as soon as it discovered that it was missing. In regard to the second violation of R3, only one contractor from one service vendor (representing less than 1% of the Registered Entity’s contractors) had an incomplete Personnel Risk Assessment. In regard to the violation of R4, improper access cards were only given to 19 contractors (who had not received the proper training or Personnel Risk Assessments), a small percentage of the Registered Entity’s contractors. In addition, the Registered Entity was constantly monitoring the physical security perimeters around the Critical Cyber Assets and had security stations at the Critical Cyber Assets. The duration of the CIP-004-1 R3 violations was from July 1, 2008 through February 27, 2009 and October 30, 2009. The duration of the CIP-004-1 R4 violation was from November 13, 2008 through March 31, 2009.
In approving the settlement agreement, NERC found that there were three instances of noncompliance with Regional Reliability Standard PRC-STD-005-1 WR1 (which was evaluated as an aggravating factor); some of the violations were self-reported; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); the penalties for the violations of Reliability Standards EOP-001-0 R6 and EOP-005-1 R2 were aggregated since both penalties were based on a single act of noncompliance; the penalties for the violations of Reliability Standards PRC-STD-005-1 WR1 and VAR-STD-002b-1 WR1 were based on the respective Sanction Tables; and there were no additional aggravating or mitigating factors.

Penalty: $130,000 (aggregate for 27 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: RFC

Issue: Unidentified Registered Entity (URE) did not revoke, within seven days as required, the physical access to Critical Cyber Assets (CCAs) of three employees who had been transferred to positions that did not require physical access to CCAs.

Finding: RFC and URE entered into a settlement agreement to resolve multiple violations, whereby URE agreed to pay a penalty of $85,000 and to undertake other mitigation measures. RFC determined that the violation did not pose a serious or substantial threat to the bulk power system, as all three employees had completed a personnel risk assessment and had received CIP training. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $85,000 (aggregate for 12 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: SPP determined that the Registered Entity had not provided the proper training on its policies and procedures, access controls, and vendor roles and responsibilities regarding its Critical Cyber Assets to its SCADA/EMS vendor.

Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the vendor support personnel were receiving general training on the CIP Reliability Standards and recognized their impact on the Registered Entity’s system. The duration of the violation was from July 1, 2008 through May 13, 2010.

Penalty: $4,000

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: SPP determined that the Registered Entity had not properly documented the electronic and physical access rights available to its SCADA/EMS vendor support personnel.

Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the vendor support personnel only had temporary user accounts to the SCADA/EMS. The Registered Entity also kept a list of who had authorized cyber or unescorted physical access to its Critical Cyber Assets, which did not include the SCADA/EMS vendor support personnel. The duration of the violation was from July 1, 2008 through May 13, 2010.

Penalty: $700

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-004-1, CIP-004-2, CIP-004-3

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A (for CIP-004-1 R4); Lower (for CIP-004-2 R2); Moderate (for CIP-004-2 R4); and High (for CIP-004-2 and CIP-004-3 R3)

Region: ReliabilityFirst

Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) reported several Reliability Standards violations. With regard to CIP-004-1 R2.1, URE 1 and URE 2 self-reported that two of their security command center operators allowed a new security officer to enter, unescorted, a physical security perimeter (PSP) housing critical cyber assets (CCAs) on 18 occasions before he had finished cyber security training. With regard to CIP-004-1 R4.2, URE 1 and URE 2 self-reported that they had not revoked the physical access rights of an individual who no longer required access within the time required. With respect to CIP-004-2 R2, URE 1 and URE 2 self-reported that they did not train an individual with unescorted access to CCAs prior to his gaining access. With respect to CIP-004-2 R3, URE 1 and URE 2 self-reported that they failed to conduct a personnel risk assessment (PRA) for an individual before he received unescorted access to CCAs. With respect to CIP-004-2 R4, URE 1 and URE 2 self-reported that they failed to timely revoke the physical access rights of an individual who no longer required such access. With regard to CIP-004-3 R3, URE 3 self-reported that by mistake it granted an individual unescorted physical access to a PSP prior to that person having completed a PRA. The duration of the violations was: June 16, 2010 through June 22, 2010 (for CIP-004-1 R2.1); January 1, 2010 through June 28, 2010 (for CIP-004-1 R4.2); July 20, 2010 through July 21, 2010 (for CIP-004-2 R2); June 16, 2010 through November 22, 2010 (for CIP-004-2 R4); and November 18, 2010 through November 22, 2010 (for CIP-004-3 R3).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because: for the CIP-004-1 R2.1 violation, the security officer had a valid PRA at the time of the violation; for the CIP-004-1 R4.2 violation, the individual did not try to access the location containing CCAs after changing jobs, and he remained employed by the UREs; for the CIP-004-2 R2 and R3 violations, there was no security event during the time of the violations, the personnel involved had previously been granted access to certain noncritical areas since September 2007, and the UREs had a process in place to verify correct access authorization promptly before access occurred; for the CIP-004-2 R4 violation, the individual concerned had a valid PRA and cyber security training, had worked with the UREs for nearly 33 years, and did not try to access the PSP after he no longer required access; and for the CIP-004-3 R3 violation, the individual had current cyber security training and URE 3 approved his PRA four days after granting access. However, ReliabilityFirst found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violations; and there was no evidence that the UREs attempted to conceal a violation.

Penalty: $180,000 (aggregate for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-247-000 (July 28, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: RFC found that the Unidentified Registered Entity had not properly configured an access badge reader (in a freight elevator that stops at a floor hosting Critical Cyber Assets (CCAs)), which allowed 20 unauthorized personnel to have unescorted physical access to the CCAs. These individuals were not included on the Unidentified Registered Entity’s list of people with unescorted physical access rights to the CCAs. The Unidentified Registered Entity also did not include on this list seven other people who possessed unescorted physical access to the CCAs (one of whom did not have his access reviewed in the first and second quarters of 2010).

Finding: RFC and the Unidentified Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $15,000 and to undertake other mitigation measures. RFC found that the CIP-004-1 violation did not constitute a serious or substantial risk to bulk power system reliability since all of the relevant individuals who could have gained access to the CCA floor had received personnel risk assessments and four of them had completed NERC CIP training. In addition, none of the relevant individuals accessed the floor with the CCAs. The duration of the CIP-004-1 violation was from January 1, 2010 through August 23, 2010. In approving the settlement agreement, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $15,000 (aggregate for 9 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 (2.1, 2.3), R3

Violation Risk Factor: Medium (for R2, R3)

Violation Severity Level: Lower (R2), Moderate (R3)

Region: FRCC

Issue: FRCC_URE1 self-reported that it did not possess adequate documentation showing that it had timely conducted the required training, within 90 days, for 16 employees (out of 288) and 2 contractors (out of 8) (R2). FRCC_URE1 also did not have adequate documentation showing that it conducted the required Personnel Risk Assessments for 16 of its employees and 4 of its contractors (R3).

Finding: FRCC found that these violations constituted only a minimal risk to bulk power system reliability since the relevant employees were all long-term employees who only possessed physical access rights. In terms of the contractors, the relevant contractors were either security guards or trusted vendors who had been vetted, and the security guards had already received state level Personnel Risk Assessments.

Penalty: $14,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-261-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2; R3; R4.2

Violation Risk Factor: Medium

Violation Severity Level: Lower (R2); Severe (R3); Moderate (4.2)

Region: RFC

Issue: Following a Self-Report, RFC determined that, after improperly granting control system access to an unauthorized contractor, URE failed to train the contractor employee within 90 days of granting access, in violation of R2, and failed to conduct a Personnel Risk Assessment within 30 days of granting access, in violation of R3. In addition, URE failed to revoke physical access within seven days of receiving notice that a subcontractor employee no longer required physical access to URE’s facility, in violation of R4.2.

Finding: RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because the violations stemming from the unauthorized access involved only one individual and covered only a 24-hour period. URE was also familiar with the individual, who had previously assisted with designing the security system. The employee whose access URE failed to revoke was properly screened and trained prior to receiving access and did not attempt to access the facility after the work was complete. In approving the settlement agreement, NERC found that this was not URE’s first violation of the subject Reliability Standards; URE self-reported seven of the eight violations; RFC considered it an aggravating factor that it discovered one of the violations in a Compliance Spot Check; URE was cooperative; URE had a compliance program, which RFC considered to be a mitigating factor; RFC determined that URE’s parent company operated the CIP compliance program and therefore should investigate and review all Self-Reports and violations of the URE; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $70,000 (aggregate for 8 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-262-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP determined that the Unidentified Registered Entity (URE) violated R2.2.2 by providing inadequate annual cyber security training to personnel with authorized cyber or unescorted physical access to Critical Cyber Assets (CCAs). Specifically, the training did not address URE's policies and procedures regarding physical access to CCAs.

Finding: SPP determined that the violation posed a minimal risk, but not a serious or substantial risk, to the reliability of the bulk power system because URE's annual training provided comprehensive coverage of all other required elements and did include one slide regarding protection of employee access badges, which emphasized the importance of guarding access to particular locations and facilities. In addition, URE's procedures regarding physical access to CCAs were available to all employees. In approving the settlement agreement, NERC found that this was URE's first violation of the subject Reliability Standards; URE was cooperative; URE had a compliance program, which SPP considered to be a mitigating factor; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $12,000 (aggregate of multiple violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-263-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.2.4, R3, R4

Violation Risk Factor: Lower (R2.2.4, R4), Medium (R3)

Violation Severity Level: Moderate (R2.2.4, R3), High (R4)

Region: TRE

Issue: During a spot check, TRE found that the Unidentified Registered Entity (URE) did not conduct training, as required, on plans and procedures for recovering or reestablishing Critical Cyber Assets (CCAs) and access to these CCAs after a Cyber Security Incident (R2.2.4). In addition, the URE self-reported that it had not updated the personnel risk assessment for one of its contract workers within seven years, as required (R3). The URE also self-reported that it had not updated the access list to its CCAs, as required, after one of its relevant employees switched jobs (R4).

Finding: TRE and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $11,000 and to undertake other mitigation measures. TRE found that the CIP-004-1 violations did not constitute a serious or substantial risk to the bulk power system. For R2.2.4, TRE found that there were action plans and procedures in place for the recovery and reestablishment of CCAs. Although the action plans and procedures were not available to all personnel with access to CCAs, employees in the department responsible for recovering or reestablishing the CCAs had received training and review on the action plans and procedures. For R3, the URE performed the required personnel risk assessment on the relevant contractor, who passed the background investigation requirements. For R4, the relevant employee who switched jobs was still required to have access to the CCAs and was current on his personnel risk assessment and required training. In approving the settlement agreement, NERC found that these were the URE's first violations of the relevant Reliability Standards; some violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $11,000 (aggregate for 5 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2, R3), Lower (R4)

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP found that the Unidentified Registered Entity (URE) did not conduct training on its cyber security policies for its Energy Management System (EMS)/Supervisory Control and Data Acquisition (SCADA) vendor as required (R2). SPP also discovered that the URE had not performed personnel risk assessments within 30 days of granting authorized cyber or authorized unescorted physical access to Critical Cyber Assets (CCAs), or prior to personnel receiving such access as called for by its own documented personnel risk assessment program. Furthermore, the URE had not properly documented whether each of its EMS/SCADA vendors was conducting the required personnel risk assessments (R3). The URE had also not been maintaining a complete list of personnel who possessed authorized cyber or authorized unescorted physical access to the CCAs (including the specific access rights that each person had), and it did not possess documentation showing that the EMS/SCADA vendor access list was being reviewed quarterly as mandated (R4).

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-004-1 violations did not constitute a serious or substantial risk to bulk power system reliability. The URE revised its Risk Based Assessment Methodology to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of the new finding, the violations of CIP-004-1 became moot. The duration of the violations was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that these were the URE's first violations of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.

Penalty: $8,000 (aggregate for 9 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R1, R2.1, R3

Violation Risk Factor: Lower (R1), Medium (R2.1, R3)

Violation Severity Level: Lower (R1, R2.1), Moderate (R3)

Region: FRCC

Issue: FRCC_URE1 self-reported that it had not removed 19 of its employees, who had switched jobs and no longer needed access to the Critical Cyber Assets (CCAs) in their new positions, from its CCA access list within 7 days as required (R1). FRCC_URE1 also self-reported that it had not conducted the required training for 24 of its employees within 90 days of their gaining access to the CCAs (R2.1). FRCC also discovered that FRCC_URE1 was unable to verify that it had conducted the required personnel risk assessment for six of its employees (R3).

Finding: FRCC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the relevant employees were all long-term employees of FRCC_URE1. In terms of R1, the relevant employees, as part of their prior jobs, had satisfied all of the prerequisites for access to the CCAs. In terms of R2.1 and R3, the relevant employees already had knowledge of FRCC_URE1's cyber security controls. The duration of the violations was from October 30, 2008 through April 15, 2010 (R1), July 1, 2008 through April 15, 2010 (R2.1), and July 1, 2008 through January 19, 2010 (R3).

Penalty: $38,000 (aggregate for 11 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2.2, R4.1

Violation Risk Factor: Medium (R2.2), Lower (R4.1)

Violation Severity Level: Moderate (R2.2, R4.1)

Region: SPP/RFC

Issue: During a joint spot check, SPP and RFC determined that SPP_URE1/RFC_URE1's Cyber Security Training Program did not incorporate instructions on the proper use of the Critical Cyber Assets (CCAs); it contained only general references to such use, and those general references did not give authorized personnel sufficient guidance on using the CCAs (R2.2). SPP and RFC also found that SPP_URE1/RFC_URE1's quarterly review of its lists of personnel with authorized cyber or unescorted physical access to the CCAs did not include a review of each person's specific access rights to the CCAs (R4.1).

Finding: SPP and RFC found that the violations constituted only a minimal risk to bulk power system reliability. In terms of R2.2, SPP_URE1/RFC_URE1's Cyber Security Training Program did incorporate instructions on the other required elements, such as physical and electronic access controls, proper handling of CCA information, and procedures for recovering the CCAs after a Cyber Security Incident. In terms of R4.1, SPP_URE1/RFC_URE1 was already evaluating access rights each time an individual on the list had a status change, and when it added a review of specific access rights to its quarterly review, no personnel access rights needed to be changed. The duration of the violations was from July 1, 2008 through December 29, 2009 (R2.2) and from July 21, 2008 through September 9, 2009 (R4.1).

Penalty: $10,000 (aggregate for 7 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-269-000 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2 and R4

Violation Risk Factor: Lower

Violation Severity Level: Severe (for R2) and N/A (for R4)

Region: WECC

Issue: In a self-report submitted after WECC notified URE of an upcoming spot check, URE reported a violation of R2 because it had failed to conduct annual training in 2009 for 17% of its employees with authorized cyber or unescorted physical access to CCAs. During the spot check, WECC found a violation of R4 because URE's access list did not include certain personnel's specific electronic and physical access rights to CCAs, and because URE had failed to conduct quarterly reviews of its list of personnel with such access.

Finding: WECC determined that the violation posed a moderate risk to the BPS because URE's violation might have led to cyber security oversights or incidents; however, the employees did receive initial training in 2008 when they were granted access, and participated in quarterly cyber security reviews. Duration of the violation of R2 was January 1, 2009 through April 10, 2010; duration of the violation of R4 was from the date the Standard became enforceable through April 22, 2010. WECC and the NERC BOTCC took into consideration that URE had a compliance program as a particular mitigating factor; they also gave only partial credit for the self-report of the violation of R2 because it was made after WECC announced its upcoming spot check.

Penalty: $225,000 (aggregate for 11 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R3, R4/4.2

Violation Risk Factor: Medium

Violation Severity Level: High (R3), Moderate (R4/4.2)

Region: RFC

Issue: RFC_URE5 self-reported that it had granted three employees who had no PRAs authorized unescorted physical access to a Physical Security Perimeter (PSP). RFC_URE5 also self-reported that, after it had designated one of its employees as inactive, it did not remove his Critical Cyber Asset (CCA) electronic access or update its electronic access list within the required timeframe. Another employee resigned from RFC_URE5 but was not removed from the CCA Physical Access List within the required timeframe. In addition, a further employee was granted temporary access to the PSP for three days but was not timely removed from the CCA access list once his temporary access had expired.

Finding: RFC found that the violation constituted a moderate risk to bulk power system reliability. For the violation of R3, once the PRAs were completed, there were no issues found. Two employees did not enter the PSP during the violation period, and the third had no key access to the perimeter gate surrounding the PSP and did not attempt access to the PSP. For the violation of R4/4.2, the first employee did not possess physical access to the PSP during the violation, and he could not electronically access the CCAs from outside the PSP. In addition, the second employee (who had received CIP training and a personnel risk assessment) did not have access to the PSP since RFC_URE5 retrieved all of his access devices the day he resigned. For the third employee (who also had received CIP training and a personnel risk assessment), he did not possess key card access to the perimeter gate surrounding the PSP. RFC_URE5’s parent company had a compliance program in place and there was no evidence that the entire holding company system was involved (which RFC evaluated as mitigating factors). RFC did, however, view the repetitive nature of the violations as an aggravating factor.

Penalty: $30,000 (aggregate for 3 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP12-1 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4.1 (3 violations)

Violation Risk Factor: Lower (for R4.1 violations)

Violation Severity Level: Not provided

Region: RFC

Issue: Three UREs, all subsidiaries of the same Parent Company, self-reported that they did not properly document, for two consecutive quarters, the quarterly reviews of their lists of personnel who possess authorized cyber access to the CCAs.

Finding: RFC found that the CIP-004-1 violations constituted only a minimal risk to BPS reliability since the UREs only granted authorized cyber or unescorted physical access rights to the CCAs to personnel who had received a PRA and cyber security training and who needed cyber or unescorted physical access to the CCAs. In addition, the UREs reviewed and updated their access lists within the required timeframe whenever there was a relevant personnel change. The violations were all self-reported. In determining the aggregate penalty amount, the NERC BOTCC considered, among other factors, that the Parent Company manages a uniform compliance program across all of its subsidiaries, communicated through multiple channels (such as compliance calls, software tools, and training programs). However, the mitigating credit for the compliance program was partially offset by the insufficient checks on the (since terminated) Supervisor who was responsible for CIP compliance, as the UREs did not notice that the Supervisor was not fulfilling his obligations for the duration of the violations. The NERC BOTCC favorably evaluated the fact that the UREs took corrective action against the Supervisor once the problems were discovered and also initiated a system-wide compliance review.

Penalty: $275,000 (aggregate for 31 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2/2.1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: FRCC

Issue: URE self-reported that it granted a contractor electronic access to its CCAs before he completed required training.

Finding: FRCC found that the violation constituted a moderate risk to BPS reliability. However, the contractor, who was employed by a trusted vendor, had received a PRA and had completed all but one of the required training courses. URE had a compliance program in place, but it was evaluated only as a neutral factor.

Penalty: $55,000 (aggregate for 11 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: URE self-reported that, on six occasions, it had not timely updated its Access Control List to reflect changes in access rights and, on six separate occasions, it had not revoked the access rights of terminated employees within seven days of the personnel changes.

Finding: RFC found that the violation constituted a moderate risk to BPS reliability. However, the relevant employees had all received PRAs and training on the CIP Reliability Standards prior to the violation. Certain parts of URE’s compliance program were evaluated as a partial mitigating factor.

Penalty: $17,000 (aggregate for 2 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: WECC found that URE’s cyber security training program, as it existed prior to the effective date of the Standard, did not fully satisfy all of the requirements of the Reliability Standard, and therefore that URE did not have an adequate cyber security training program.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability since there was a program in place that served to promote reliable and safe operations and to reduce risk to the BPS. In addition, URE owns less than 100 miles of transmission lines, minimizing any impact the violation would have on the BPS. WECC evaluated URE’s compliance program as a mitigating factor.

Penalty: $27,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review).

Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R2, R3 and R4

Violation Risk Factor: Lower (R2) and Medium (R3 and R4)

Violation Severity Level: Not provided

Region: WECC

Issue: URE self-reported that (1) in violation of R2, between five and ten percent of all URE personnel with access to CCAs, including third-party contractors and vendors, were not trained within 90 calendar days of receiving access, and URE did not maintain documentation showing that it conducted training for these individuals at least annually; (2) in violation of R3, three of URE’s personnel did not receive updated PRAs within the seven-year renewal period, and URE employees with access to access control and monitoring devices (ACMs) did not receive a PRA within 30 days of gaining such access; and (3) in violation of R4, URE failed to revoke access to CCAs within 24 hours of terminating certain personnel for cause, and within seven calendar days following a change in personnel or a change in access rights.

Finding: WECC determined that the R2 and R3 violations did not pose a serious or substantial risk to the reliability of the BPS because with regard to R2, the violation was limited to a small percentage of URE’s personnel who were experienced in handling CCAs; and with regard to R3, the violation was limited to personnel who had experience in handling CCAs. WECC determined that the violation of R4 posed a minimal and not serious or substantial risk to the reliability of the BPS because there were physical and electronic controls in place that provided a barrier to unauthorized access to CCAs. Duration of the violations was from the date the Standard became enforceable through October 29, 2010. WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations, URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.

Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)

FERC Order: Issued December 30, 2011 (no further review)
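The preceding case record lists, in one place, the timers that recur throughout these CIP-004-1 notes: training within 90 calendar days of access (R2.1), training at least annually (R2.3), a PRA within 30 days of access and a fresh PRA every seven years (R3/R3.2), revocation within 24 hours for a termination for cause or seven calendar days for any other personnel or access change (R4.2), and a quarterly review of the access list (R4.1). The following Python script is an added example written for this page, not a NERC, Regional Entity or White & Case tool, that checks constructed personnel records against those timers the way a compliance engineer might automate the quarterly review. The records, names and the reading of "annual" as 365 days since the last completed training are assumptions.

```python
"""Audit constructed CCA access records against the CIP-004-1 timers cited
in the case notes. Example code; not an official compliance tool."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional

TRAINING_GRACE_DAYS = 90          # R2.1: trained within 90 calendar days of access
ANNUAL_TRAINING_DAYS = 365        # R2.3: assumption, "annual" read as 365 days
PRA_GRACE_DAYS = 30               # R3: PRA within 30 days of access
PRA_VALIDITY_DAYS = 7 * 365       # R3.2: seven-year refresh (leap days ignored)
REVOKE_FOR_CAUSE = timedelta(hours=24)   # R4.2: termination for cause
REVOKE_CHANGE = timedelta(days=7)        # R4.2: any other personnel/access change


@dataclass
class AccessRecord:
    person: str
    granted: date                                # date cyber/physical access was authorized
    trainings: List[date] = field(default_factory=list)   # completed CIP training dates
    pras: List[date] = field(default_factory=list)        # completed PRA dates
    left: Optional[datetime] = None              # termination or transfer out of role
    for_cause: bool = False                      # termination for cause triggers 24h clock
    revoked: Optional[datetime] = None           # when access was actually removed


def audit(rec: AccessRecord, as_of: date) -> List[str]:
    """Return the CIP-004-1 findings for one record as of a review date."""
    findings: List[str] = []
    first_training = min(rec.trainings) if rec.trainings else None
    if first_training is None or (first_training - rec.granted).days > TRAINING_GRACE_DAYS:
        findings.append("R2.1 training not completed within 90 days of access")
    # Annual training and PRA refresh only matter while the person still holds access.
    if rec.trainings and rec.left is None:
        if (as_of - max(rec.trainings)).days > ANNUAL_TRAINING_DAYS:
            findings.append("R2.3 annual training lapsed")
    first_pra = min(rec.pras) if rec.pras else None
    if first_pra is None or (first_pra - rec.granted).days > PRA_GRACE_DAYS:
        findings.append("R3 PRA not completed within 30 days of access")
    if rec.pras and rec.left is None:
        if (as_of - max(rec.pras)).days > PRA_VALIDITY_DAYS:
            findings.append("R3.2 PRA older than seven years")
    if rec.left is not None:
        deadline = rec.left + (REVOKE_FOR_CAUSE if rec.for_cause else REVOKE_CHANGE)
        if rec.revoked is None:
            findings.append("R4.2 access never revoked after departure")
        elif rec.revoked > deadline:
            hours = int((rec.revoked - deadline).total_seconds() // 3600)
            findings.append(f"R4.2 revocation late by {hours} hours")
    return findings


def missed_quarters(reviews: List[date], start: date, end: date) -> List[str]:
    """Calendar quarters between start and end with no documented access-list
    review (R4.1), labelled 'YYYYQn'."""
    def quarter(d: date):
        return (d.year, (d.month - 1) // 3 + 1)
    have = {quarter(d) for d in reviews}
    out: List[str] = []
    year, q = quarter(start)
    while (year, q) <= quarter(end):
        if (year, q) not in have:
            out.append(f"{year}Q{q}")
        q += 1
        if q == 5:
            year, q = year + 1, 1
    return out


# Constructed sample records (assumed, not taken from any NOP).
AS_OF = date(2010, 6, 30)
SAMPLE = [
    AccessRecord("alice", date(2009, 1, 15), [date(2009, 1, 10), date(2010, 1, 5)], [date(2008, 12, 20)]),
    AccessRecord("bob", date(2008, 7, 1), [date(2008, 11, 15)], [date(2008, 9, 1)],
                 left=datetime(2010, 3, 1, 9), for_cause=True, revoked=datetime(2010, 3, 3, 9)),
    AccessRecord("carol", date(2008, 7, 1), [date(2008, 7, 1)], [date(2008, 6, 15)],
                 left=datetime(2010, 5, 1), revoked=datetime(2010, 5, 15)),
    AccessRecord("dave", date(2001, 3, 1), [date(2001, 2, 20), date(2010, 2, 1)], [date(2001, 2, 15)]),
]
SAMPLE_REVIEWS = [date(2008, 9, 30), date(2009, 3, 31)]  # constructed review log


def audit_all(records=SAMPLE, as_of=AS_OF) -> dict:
    return {r.person: audit(r, as_of) for r in records}


if __name__ == "__main__":
    for person, found in audit_all().items():
        print(person, found or "compliant")
    print("R4.1 quarters without a review:",
          missed_quarters(SAMPLE_REVIEWS, date(2008, 7, 1), date(2009, 6, 30)))
```

The R4.2 branch keys the deadline off whether the departure was for cause, which is the distinction several of the entries above turn on; the annual and seven-year checks are skipped once a person has left, because revocation, not refresh, is the obligation at that point. Grace periods are counted in whole days from the authorization date, so a record trained or assessed before access was granted passes with a negative interval.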

Unidentified Registered Entity, FERC Docket No. NP12-9 (December 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: RFC

Issue: During a spot check, RFC found that URE had not been properly reviewing the access lists for its CCAs on a quarterly basis as required. For three quarters, URE was focusing its review on its lists of individuals who have access to applications and not on the lists of individuals who have access to particular devices.

Finding: RFC found that the CIP-004-1 violation constituted a moderate risk to BPS reliability. URE had maintained primary access controls for the provisioning and termination of access rights for all of its CCAs and had performed all of the quarterly access reviews for its applications. Furthermore, even though URE did not fully perform the quarterly reviews at the device level, that review functions as a secondary control, since application-level access is URE’s predominant access type. In determining the aggregate penalty amount, the NERC BOTCC considered the fact that certain of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had a compliance program in place (which was evaluated as a mitigating factor); URE adopted additional efforts to improve reliability (such as updates to its software for effective CCA access management) that went beyond the requirements of the mitigation plan; the violations did not pose a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $60,000 (aggregate for 6 violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R1, R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: NPCC_URE1 self-reported that it had not reviewed quarterly, as required, its list of personnel with authorized cyber or authorized unescorted physical access to CCAs who held keys allowing access to PSP substations when the card reader was inoperable. NPCC_URE1 also did not revoke access within the required period (seven days) for employees who no longer needed those keys. It was determined that 30 to 50 keys were unaccounted for from the date compliance became mandatory until new locks and keys were installed (R4). In addition, no physical security plan was in place setting forth procedures to document the distribution and return of the keys enabling PSP substation access, or what to do should a key be lost (R1).

Finding: NPCC found the violations constituted a minimal risk to BPS reliability. During the relevant time period, NPCC_URE1 had security measures in place to monitor PSP substation access. Employees undergo background checks for gate access and general access requires a swipe card. NPCC_URE1 issued the keys in the event the card reader system was inoperable, which did not happen during the time period. Further, alarms would alert security personnel to any attempt to bypass the card reader with a key. NPCC considered NPCC_URE1’s internal compliance program a mitigating factor in determining the appropriate penalty.

Penalty: $15,000 (aggregate for two violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R1, R4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: NPCC

Issue: NPCC_URE2 self-reported that it had not reviewed quarterly, as required, its list of personnel with authorized cyber or authorized unescorted physical access to CCAs who held keys allowing access to PSP substations when the card reader was inoperable. NPCC_URE2 also did not revoke access within the required period (seven days) for employees who no longer needed those keys. It was determined that 30 to 50 keys were unaccounted for from the date compliance became mandatory until new locks and keys were installed (R4). In addition, no physical security plan was in place setting forth procedures to document the distribution and return of the keys enabling PSP substation access, or what to do should a key be lost (R1).

Finding: NPCC found the violations constituted a minimal risk to BPS reliability. During the relevant time period, NPCC_URE2 had security measures in place to monitor PSP substation access. Employees undergo background checks for gate access and general access requires a swipe card. NPCC_URE2 issued the keys in the event the card reader system was inoperable, which did not happen during the time period. Further, alarms would alert security personnel to any attempt to bypass the card reader with a key. NPCC considered NPCC_URE2’s internal compliance program a mitigating factor in determining the appropriate penalty.

Penalty: $5,000 (aggregate for two violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: URE self-reported that it did not revoke an employee’s unescorted physical access rights to the CCAs within seven calendar days, as required, of his transfer to a new position that did not require CCA access. URE’s facility operations manager took 14 days to revoke the employee’s access rights.

Finding: WECC found that the CIP-004-1 violation constituted only a minimal risk to the BPS since the relevant employee had been authorized to have access to the CCAs and had just changed positions within URE. Furthermore, the access revocation was only seven days late. In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $135,000 (aggregate for 20 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R2/2.1.3/2.3

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: Following a Self-Report, RFC determined that URE did not train 39 individuals (employees and contractors) with cyber or unescorted physical access to CCAs within 90 calendar days of receiving authorization in violation of R2. Of the 39 individuals, 33 did not timely receive training; the remainder did not receive any CIP training. RFC also found that URE did not provide annual CIP training sessions for 183 individuals (employees and contractors) as required by R2.3. This violation was due to URE’s failure to integrate its list of individuals with access to CCAs with its roster of individuals requiring CIP training.

Finding: RFC found that this violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because of the nature of the violation, offset by the mitigating factors. Specifically, all of the individuals at issue in the violation of R2 had successfully completed PRAs and had received either CIP training or corporate cyber awareness training in advance of URE granting them access to CCAs; URE’s corporate cyber awareness training, while not a substitute for formal CIP training, includes basic information on cyber risks; of the 183 individuals who did not receive annual training pursuant to R2.3, 54 of the individuals with cyber access had read-only access and could not effect a change in the EMS, and the remaining 15 individuals with cyber access had all completed initial CIP training; the remaining 122 individuals with physical access who had not received annual training all had previously completed either CIP training or URE’s corporate cyber awareness training; and the violation of R2.1 involved less than 5% of the total employees and contractors with access to CCAs.

 

In assessing the penalty, RFC favorably considered aspects of URE’s compliance program and remedial measures URE took to improve its CIP training and CCA access monitoring systems.

Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R2/2.3

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE submitted a self-report of possible non-compliance with the Standard when it found that four employees had not timely received the required annual training. All four employees received the required training within fourteen months of their previous training, and once the lapse was discovered their CCA access rights were suspended until the training was complete. The violation occurred because URE did not maintain an annual cyber security training program and let the training of four of its employees with access to CCAs lapse.

Finding: The violation constituted a minimal risk to BPS reliability because it involved only four employees missing their training dates by two months. Furthermore, the employees involved had received training and had been authorized previously to access the CCAs. URE’s self-report was not given credit in terms of assessing the penalty because it was submitted during a self-certification process.

Penalty: $55,000 (aggregate for 12 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R2.1/R2.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of CIP-004-1 for failing to ensure that, in all non-emergency situations, all personnel with CCA access, including contractors and vendors, received training prior to being granted such access. As part of the problem, URE failed to document that training was conducted annually or maintain a record of attendance at such events. As part of its follow-up review, WECC determined that one individual did not receive annual training. Based on the record, WECC determined that URE violated CIP-004-1 R2.1 for failure to ensure that all individuals with CCA access were trained before being given such access, and violated CIP-004-1 R2.3 for not documenting that training occurred at least once a year.

Finding: This violation posed only a minimal risk to the reliability of the BPS because, while URE failed to ensure and document proper training, the individuals at issue had current Personnel Risk Assessments and their electronic access was read-only. In addition, although the individuals had access to six PSPs and one ESP, all containing CCAs, each PSP and ESP had logging and monitoring systems in place.

Penalty: $45,000 (aggregate for 7 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R3/3.2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: Following a Self-Report, RFC determined that URE did not perform initial PRAs or updated PRAs for a total of 109 individuals with cyber or unescorted physical access to CCAs in violation of R3 and R3.2. Of the 109 individuals, 107 individuals (employees and contractors) did not have an initial PRA within 30 days from the date URE granted them access to CCAs, and URE did not perform an updated PRA for two employees within seven years of their previous PRAs as required by R3.2. URE identified the cause of this violation as insufficient monitoring of the process for updating PRAs and incomplete PRA document maintenance.

Finding: RFC found that this violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because of the nature of the violation, offset by the mitigating factors. Specifically, individuals with cyber access and missing PRAs had read-only access and could not effect a change to the EMS; the location to which 57 of the individuals had unescorted physical access is staffed and monitored 24 hours a day, seven days a week and has procedural controls for monitoring physical access at all access points that uniquely identifies the individuals involved and records when the individuals accessed the location.

 

In assessing the penalty, RFC favorably considered aspects of URE’s compliance program and remedial measures URE took to improve its PRA procedures.

Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R4; R3

Violation Risk Factor: Lower (R4); Medium (R3)

Violation Severity Level: Lower (R4); High (R3)

Region: RFC

Issue: Following a Self-Report, RFC determined that URE violated R4 because it could not produce documentation of unescorted physical access to its system for a group of 64 individuals and therefore failed to maintain its CCA access list for those 64 individuals. In addition, following a Request for Information issued by RFC, URE self-reported that it could not produce evidence that it conducted a PRA for an employee within 30 days of that employee having physical access to CCAs, in violation of R3.

Finding: RFC found that the violations posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because the system has limited control over power levels. Therefore, unqualified or unauthorized individuals did not have the ability to use the system to monitor or control any of the parent company’s power plants, and 54 of the individuals at issue in the violation of R4 had no logical access to the system. All 64 individuals with unescorted physical access had completed CIP training, and PRAs had been conducted on 63 of the 64. The remaining individual would have met the CIP qualification requirements and never actually accessed the PSP.

 

RFC favorably considered certain aspects of URE’s compliance program and also gave Self-Reporting credit for the violation of R4.

Penalty: $7,500

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: During an on-site audit, it was found that the quarterly review of URE’s list of personnel with authorized cyber or unescorted physical access to CCAs did not include a review of the electronic access rights to CCAs granted to those personnel, in violation of CIP-004-1 R4.

Finding: The violation constituted a minimal risk to BPS reliability because, even though URE was not reviewing electronic access rights on a quarterly basis, which could have left its CCAs unprotected against malicious acts, URE had other measures in place that provided sufficient electronic security for its CCAs. Rights to the CCAs are tied to job requirements, URE undertook quarterly reviews of the job functions requiring electronic access rights to CCAs, and the list of personnel with unescorted physical access was reviewed quarterly. WECC determined that, although the quarterly review of job functions was not sufficient to make URE compliant with CIP-004-1, it was an indirect review of access rights.
WECC found it appropriate to assess one penalty for URE’s violations of CIP-004-1 R4 and CIP-007-1 R5.1.3. Not performing the required reviews of electronic access rights is a single instance of noncompliance that also caused the violation of CIP-007-1 R5.1.3. Therefore, the penalty assessed for CIP-004-1 R4 is a single penalty representative of the aggregate of the related violations.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: During an on-site audit, it was discovered that for 20 minutes, on one day, URE was not operating in the Automatic Time Error Correction (ATEC), and it did not alert all other Balancing Authorities (BAs) of its operating mode. The ATEC was out of service for 20 minutes during the time URE switched to its Tie Line Bias (TLB) AGC mode. URE took that action because the ATEC was sending values that were wrong to one of its neighboring BAs.

Finding: The violation constituted a minimal risk to BPS reliability because of the short time period involved when URE was operating in an AGC mode other than ATEC. Also, in order to prevent future violations of this kind, URE developed a system to alert WECC immediately when the AGC system is functioning in any mode except ATEC mode.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 31, 2011)

Reliability Standard: CIP-004-1

Requirement: R4/4.1/4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Following a Self-Report, RFC determined that URE violated R4 by not maintaining its CCA access list, not reviewing its CCA access list on a quarterly basis, and not removing 67 individuals who no longer required access to the CCAs from its CCA access lists within the required timeframes. Specifically, during a quarterly review conducted for the period 18 months after the effective compliance enforcement date, URE could not locate evidence that it had granted access to 105 individuals with unescorted physical access to CCAs. Therefore, URE did not maintain a list of authorized personnel in violation of R4. URE also failed to perform reviews of its physical access lists for CCAs during the required first 12 months of mandatory compliance in violation of R4.1. Finally, URE did not revoke cyber or physical access to CCAs for 67 individuals within the required timeframe in violation of R4.1 and R4.2.

Finding: RFC found that this violation posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because of the nature of the violation, offset by the mitigating factors. Specifically, URE performed CIP training and PRAs for the 105 individuals with CCA access, URE just could not produce evidence of authorized access; and URE confirmed that 64 of the 67 individuals that did not have their access timely revoked did not access the CCAs beyond the prescribed time period and the remaining three individuals continued to be employees of URE and had read-only access and therefore could not modify any CCAs.
In assessing the penalty, RFC favorably considered aspects of URE’s compliance program and remedial measures URE took to improve its CCA access authorization and monitoring systems.

Penalty: $25,000 (aggregate for 6 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entities, Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4/4.1/4.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: After internal audits, three subsidiaries of URE self-reported to ReliabilityFirst violations of CIP-004-1 R4 because the subsidiaries discovered that they had failed to conduct a quarterly review of their access lists designating which personnel have authorized cyber or unescorted physical access to CCAs. As a consequence, all three subsidiaries violated CIP-004-1 R4.2 and R4.1, respectively, in failing to timely revoke authorized cyber or unescorted physical access for 23 individuals and in not updating their access lists within seven calendar days of personnel changes. Specifically, RFC_UREa failed to revoke the access of five individuals to its transmission assets, RFC_UREb failed to revoke the access of seven individuals to its transmission assets, and RFC_UREc failed to revoke the access of eleven individuals to its generation assets.

Finding: RFC determined all instances posed only a moderate risk to the reliability of the bulk power system (BPS) for four reasons. First, at all times, all CCAs at issue required card key access, and were under either human or electronic surveillance. Second, all individuals at issue had received the requisite personnel risk assessments and NERC CIP training. Third, with the exception of one employee for RFC_UREb, all employees were transferred internally and remain in good standing. The one employee from RFC_UREb that was terminated had his employee badge promptly confiscated and his network login information disabled. Fourth, none of the individuals at issue attempted to access the CCAs.

Penalty: $15,000 for each URE (aggregate for 3 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-16 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R2, R3, R4

Violation Risk Factor: Medium (R2, R3, R4)

Violation Severity Level: Lower (R2, R3), Moderate (R4)

Region: WECC

Issue: URE self-reported (in anticipation of a spot check) that it did not possess sufficient documentation verifying that all individuals with authorized unescorted access rights to the CCAs (both currently and in the past) had received the required training. WECC determined that URE had granted three individuals authorization to access the CCAs who had not received the training (R2). URE also self-reported that it did not have sufficient documentation showing that all individuals who have been granted unescorted access rights to the CCAs (both currently and in the past) had received a PRA as mandated (R3). In addition, URE self-reported that it had not been properly maintaining lists of personnel who possessed authorized cyber or unescorted physical access rights to the CCAs. URE also did not terminate the cyber access for 11 personnel within seven days of them no longer requiring access to the CCAs (as they were reassigned to other roles at URE) (R4).

Finding: WECC found that the CIP-004-1 violations only constituted a minimal risk to the BPS. In regards to R2, URE did have a training program in place and approximately 96% of its personnel who had been granted access to the CCAs had received the required training. For R3, URE did have a PRA program in place that met the requirements of the Reliability Standard and approximately 95% of its personnel with access rights to the CCAs had received a PRA. In regards to R4, there are greater risks of unauthorized access when an employee is terminated than when an employee is reassigned (as was the case with the relevant URE personnel) and therefore URE’s violation was of limited scope. URE had also taken away the access badges of the relevant personnel, which further reduced the chance of the relevant personnel gaining access to the CCAs. In addition, URE has enacted a strong compliance program and its employees receive cyber security training. In approving the settlement agreement, WECC evaluated URE’s violation history; the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had a compliance program in place; and the violations did not constitute a serious or substantial risk to BPS reliability.

Penalty: $80,000 (aggregate for 6 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R2; R3; R4

Violation Risk Factor: Lower (R2, R4); Medium (R3)

Violation Severity Level: High (R2); N/A (R3); Moderate (R4)

Region: SPP

Issue: SPP determined URE violated R2, R3, and R4 during a spot check. URE violated R2 due to deficient evidence of cyber security training. Specifically, URE’s cyber security training historically consisted of emailing cyber security policy documents to relevant personnel and collecting read-receipts, which SPP concluded was insufficient to prove the policies were read. URE also failed to produce any evidence that it provided certain employees any applicable required training. URE violated R3 because it failed to provide evidence that PRAs for six employees had been completed within thirty days of being granted unescorted physical access and/or cyber access to CCAs. URE violated R4 because it failed to adequately maintain lists of personnel with authorized cyber or authorized unescorted physical access to CCAs.

Finding: SPP determined that the violations posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The violation of R2 was mitigated because URE implemented an on-line training program nine months prior to the Spot-Check. Moreover, the specific personnel at issue did not pose a significant risk for other reasons such as they were long-time trusted employees, they had PRAs, or they were law enforcement officers. The violation of R3 was mitigated because the six individuals without evidence of timely PRAs represented less than 5% of the individuals on URE’s approved access list and were either long-time trusted employees or a certified law enforcement officer. The violation of R4 was mitigated because redundant security measures were in place to secure CCAs and no evidence was located of improper attempts to gain access to the CCAs.

Penalty: $40,000 (aggregate for 14 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R1.8

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it had not listed two employees, a vendor and a consultant having access to CCAs on its authorized access list.

Finding: WECC found the violation constituted a minimal risk to BPS reliability because even though not all individuals with CCA access were on its list of authorized personnel, the individuals had up-to-date training and PRAs. Also, the consultant assisted in creating many of the information technology systems in the CCA. The individuals were trained to handle CCAs and their PRAs did not reveal any adverse information.

Penalty: $2,000

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R2/2.1/2.3; R3/3.1/3.3; R4/4.1/4.2

Violation Risk Factor: Medium, Lower (R2/2.1/2.3); Lower (R3/3.1/3.3); Lower, Medium (R4/4.1/4.2)

Violation Severity Level: Severe (all)

Region: ReliabilityFirst

Issue: In preparation for a compliance audit, URE self-reported its finding that it had not correctly implemented its CIP-004 compliance program causing violations of CIP-004-1 R2.1, R2.3; R3.1, R3.3; R4.1, and R4.2. Regarding the R2 violations, URE found that access to CCAs had been granted many times for employees and contractors prior to having either cyber security training or PRAs. URE had lists of personnel with authorized cyber access, but they were not maintained as required. Upon review, URE found that more than 56% of URE’s long-term employees and contractors had CCA access before URE implemented its CIP compliance program and the CIP Standards. ReliabilityFirst found that URE was in violation of the requirements of CIP-004-1 R2 because it failed to implement its annual cyber security training program for all personnel having authorized cyber or authorized unescorted physical access to CCAs. Regarding R3, URE violated CIP-004-1 R3 by not conducting PRAs for all individuals having authorized cyber or authorized unescorted physical access to CCAs. Regarding R4, URE violated CIP-004-1 R4 by not maintaining list(s) of personnel with authorized cyber or authorized unescorted physical access to CCAs.

Finding: ReliabilityFirst found the violations constituted a moderate risk to BPS reliability which was mitigated because the relevant individuals were long-term employees or contractors who had received background checks and/or other verifications when they started their employment. No individuals with access to CCAs had any concerns once the PRAs were completed. The relevant employees’ average time on the job is more than 21 years, all had received formal or on-the-job informal training in the treatment of CCAs, and all are now in compliance with the Standard. ReliabilityFirst considered URE’s compliance program as a mitigating factor in determining the appropriate penalty.

Penalty: $65,000 (aggregate for 6 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-004-1

Requirement: R2.1, R3, R4

Violation Risk Factor: Medium (all)

Violation Severity Level: Severe (R2.1); High (R3); Moderate (R4)

Region: SPP RE

Issue: While conducting a spot check, SPP RE found violations of CIP-004-1 R2.1, R3 and R4. Regarding R2.1, URE was not in compliance with the Standard because not all personnel with authorized access to CCAs located in URE’s primary control center and/or backup control center were trained within the 90-day requirement. Regarding R3, SPP RE found that URE’s employment procedure did not require background checks (PRAs) for certain managers and directors having CCA access, and it was not until nearly a year after the requirement took effect that URE informed its personnel department that PRAs were required. With respect to R4, URE’s list of employees with authorized unescorted physical access to CCAs was not being updated and maintained to remove employees who no longer needed access. CIP-004-1 requires revocation of CCA access to occur within seven days of an individual no longer needing access, but one retired employee of URE was still on the access list four months after leaving URE.

Finding: SPP RE found the R2.1 and R4 violations constituted a minimal risk to BPS reliability, and the R3 violation was found to pose a moderate risk to BPS reliability. In terms of R2.1, operators in the control center did finish the training; many employees were removed from the authorized access list because their job duties did not require CCA access, which left only a small number of untrained employees, and those employees were eventually trained. Regarding R3, the majority of the managers and directors without PRAs on file were incumbent employees, and many were long-term employees of URE as well. PRAs were completed within eight months, the majority having been completed within six months of the revised policy. None of the employees had issues of concern once the PRAs were completed. With respect to R4, the retired employee had turned in his badge upon departure and his access information was removed from the control system; however, URE failed to remove him from the authorized access list in the required time frame. Also, URE is a small entity, so its size lessened any possible BPS impact. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.

Penalty: $20,800 (aggregate for 7 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R2/2.2.1/2.2.4/2.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE’s cyber security training (CST) did not address the appropriate use of CCAs, as prescribed in R2.2.1, plus it did not have recovery procedure training for CCAs, as required by R2.2.4. URE also could not show that its janitorial staff having authorized, unescorted access to CCAs had received appropriate training. Although URE reported that the three janitorial staff members had received the required training, it could not produce evidence to back its statement.

Finding: The violation constituted a minimal risk to BPS reliability because the training performed based upon R2.2 was only missing the requirements of R2.2.1, until the CST was updated in 2009. URE staff were also familiar with the correct use of long-standing CCAs. All employees granted CCA access received the recovery procedure training during the previous year. In terms of the janitorial staff’s alleged lack of training, only three janitors had been granted unescorted access and each had a PRA on file. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.

Penalty: $12,000 (aggregate for 10 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4/4.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE was not properly documenting cyber access granted to its SCADA/EMS vendor support team through a privileged shared user account (R4). Also, URE could not show that it had revoked physical access to CCAs within seven days of an employee’s transfer to a position not requiring such access (R4.2).

Finding: The violation constituted a minimal risk to BPS reliability because, regarding R4, no SCADA/EMS vendor staff had logged into the shared account since before the Standard’s date of enforcement, and the line used to connect to URE’s system was not continuously available, which added physical security to the line. URE would be informed if a vendor accessed the line because URE would need to plug in the line for the vendor to access the system. Regarding R4.2, the relevant employee’s access was revoked the day after the employee transferred to the new position; however, URE could not show that that particular employee’s access rights had been terminated because the badge system used by URE only showed that a change took place, but did not show which employee the change affected. In addition, access logs showed that the relevant employee never attempted to access the area from which his access had been revoked. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.

Penalty: $12,000 (aggregate for 10 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: MRO

Issue: During a spot check, MRO concluded that URE failed to demonstrate that it maintained a list of sufficient detail documenting individuals’ specific electronic and physical access rights. MRO found that only a limited number of URE personnel were aware of which privileges were actually granted through membership in various Active Directory groups. Moreover, the privileges assigned to these groups were not clearly documented, and URE failed to demonstrate that its quarterly reviews were sufficient to verify the relevance of individuals’ physical and cyber access privileges.

Finding: MRO determined the violation posed a minimal risk to the reliability of the bulk power system (BPS) because URE had documented procedures and was conducting reviews to ensure that its CIP personnel list was revised and updated as required, which mitigated risk resulting from inadequate management of access privileges. In addition, individuals on the list were properly qualified even though the list failed to identify specific electronic access rights. As a result, URE modified existing procedures used to assign and review electronic access rights, including reviews of active directory accounts, active directory group privileges and verification of information.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Upon finding that WECC was beginning the semi-annual CIP Self-Certification process, URE submitted to WECC that it was “Substantially Compliant” with CIP-004-1 R4 and submitted a self-report stating that it had failed to keep a list stating exact rights for electronic and physical access for employees having authorized cyber or authorized physical access to CCAs. WECC discovered URE kept no list detailing 26 individuals’ specific authorized cyber or authorized unescorted physical access rights.

Finding: The violation was deemed to pose minimal risk to BPS reliability as the 26 individuals, comprising 21.14% of URE’s workforce, had current PRAs on file and had received CIP training. Any access to URE’s CCAs could be confirmed by Windows Active Directory. URE also reported that the CCAs in question had up-to-date security software installed. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program, but no self-report credit was given since URE reported the violations during the Self-Certification submission process. URE agreed/stipulated to WECC’s findings.

Penalty: $67,500 (aggregate for 9 violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-certified, and later self-reported, noncompliance with R2 because a total of 11 employees did not receive cyber security training within 90 days of being granted access to CCAs. URE did not have a central training database, which led to an administrative oversight that caused the violation.

Finding: WECC determined that the violation posed a minimal risk, and did not pose a serious or substantial risk, to the reliability of the BPS because the violation only involved less than 1% of its personnel, all of whom had current PRAs.

Penalty: $134,350 (aggregate for 10 violations among 4 UREs)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-reported that it was in violation of R3 because, in the course of an internal review, it discovered that an employee did not have a personnel risk assessment (PRA) conducted within 30 days of obtaining unescorted physical access rights to a control center. URE revoked the employee’s access upon discovery and only reinstated it after the PRA was complete. WECC determined the duration of the violation was approximately two months, from the date access was granted to the date it was revoked.

Finding: WECC determined that the violation posed a minimal risk, and did not pose a serious or substantial risk, to the reliability of the BPS because the violation only involved one employee, and that employee never accessed the CCAs located within the PSP that the employee was authorized to access.

Penalty: $134,350 (aggregate for 10 violations among 4 UREs)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-certified that it failed to revoke the access of 11 individuals to CCAs within seven days from the date they no longer required access in violation of R4.

Finding: WECC determined that the violation posed a moderate risk, and did not pose a serious or substantial risk, to the reliability of the BPS. The risk that the security of CCAs could be compromised was mitigated because each of the 11 employees had current PRAs, and there was no evidence that the employees engaged in suspicious or malicious behavior.

Penalty: $134,350 (aggregate for 10 violations among 4 UREs)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)

Reliability Standard: CIP-004-1

Requirement: R2.1/2.3, R3, R4

Violation Risk Factor: Medium (R2, R3, R4)

Violation Severity Level: Lower (R2, R3), High (R4)

Region: WECC

Issue: During a compliance audit, WECC determined that URE had two employees with unescorted physical access rights to URE’s CCAs who had not undergone the required cyber security training and an additional employee with unescorted physical access who did not timely complete his 2009 annual training (R2). URE also did not conduct PRAs on those three employees, as required (R3). In addition, as a result of a software problem, the electronic personnel forms failed to initiate the revocation of access rights, as it was supposed to. Therefore, in six instances, URE employees were terminated for cause, but their access rights were not revoked and, as a result, URE did not properly update its access list of personnel with logical or physical access to CCAs (R4).

Finding: WECC found that the CIP-004-1 violations only constituted a minimal risk to BPS reliability since approximately 95% of URE’s personnel who have access rights to the CCAs received the required training and PRAs. In addition, the three relevant employees did not have cyber access rights to the CCAs and did not even have unescorted physical access rights to all of URE’s CCAs. URE had also revoked the three employees’ unescorted physical access rights and none of the relevant employees had improper access rights to the CCAs for greater than two weeks. For the employees terminated for cause, URE had collected each employee’s access mechanisms (such as card keys) and escorted him off of URE’s premises. URE also has an automated access tracking system and on-site security. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $72,000 (aggregate for 12 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-45-000 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: High

Region: FRCC

Issue: Prior to a scheduled Spot Check, URE self-reported a violation of R4 because it found in the course of an internal investigation that 33 individuals who did not have authorized cyber or authorized unescorted physical access to CCAs were on URE's list of authorized personnel with access to the CCAs. The violation involved 10% to 15% of the total number of URE's employees with access to the CCAs.

Finding: FRCC determined that the violation posed a moderate risk to the reliability of the BPS because the inaccurate list of authorized personnel could have compromised the security of the ESPs and PSPs. The risk was mitigated because URE had strong authentication controls and promptly revoked the unauthorized access upon discovery. In addition, 51.5% of the personnel did not access the PSPs during the violation's duration. The majority of the remaining personnel had completed PRAs and training, and those that had not were trusted individuals that had access prior to the effective date of the standard. Other factors FRCC considered were that three of the violations were credited with being self-reported, one violation is a repeat violation, URE cooperated, there was no indication or evidence that URE attempted to conceal the violations, URE's compliance program was a neutral factor, and there were no other mitigating or aggravating factors.

Penalty: $150,000 (aggregate for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-46 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it had not properly established and maintained an annual cyber security training program, including with annual reviews and updates, for personnel who have authorized cyber or unescorted physical access to its CCAs. While URE did host cyber security training, URE was unable to demonstrate that the training occurred within the required time frame of personnel receiving access or that the training occurred annually, as required.

Finding: WECC found that the CIP-004-1 violation constituted only a minimal risk to BPS reliability since the majority of URE's personnel with access received grandfathered access and were experienced with CCAs. In addition, URE's personnel (except one) were only 20 days outside of the mandated time frame in completing their cyber security training. URE agreed and stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's compliance history and that URE had a compliance program in place when the violations occurred (which was viewed as a mitigating factor). URE was also cooperative during the enforcement process and did not conceal the violations. WECC found that the violations did not constitute a serious or substantial risk to BPS reliability and there were no additional aggravating or mitigating factors.

Penalty: $200,000 (aggregate for 17 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 2/2.1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: WECC

Issue: After receiving a notice of an on-site compliance audit, URE submitted a self-report explaining a violation of CIP-004-1 R2. WECC Enforcement confirmed the self-report and WECC Audit Team findings and determined that URE had a violation of CIP-004-1 R2.1 for failing to train four of its contractors prior to granting them access to Critical Cyber Assets (CCAs).

Finding: The violation was deemed to pose minimal risk to BPS reliability because the relevant individuals are employees of a contractor that has been providing URE with monitoring and optimization of the generation control software on URE's supervisory control and data acquisition (SCADA) system for many years. The subject individuals perform similar services for other NERC-registered entities and receive ongoing cyber security training from those entities. Personnel risk assessments were conducted on the individuals per CIP-004 R3 and were verified by URE personnel prior to adding the subject individuals to the approved CCA access list. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.

Penalty: $65,000 (for 11 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 3/3.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: TRE

Issue: URE submitted a self-report explaining that it found one employee having access to CCAs had not received a seven-year criminal check as part of his PRA, even though the PRA was reported as complete. URE stated that it uses an automated process through an outside vendor to process background check reports. URE found that the vendor only returned a partial background check for the relevant employee.

Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because only one employee with access to CCAs was affected by the issue in the PRA program. The individual involved had an updated, compliant background check performed immediately upon discovery. No issues were uncovered after such check or a subsequent PRA. Additionally, the individual in question began employment with URE about 30 years ago and was in good standing.

Penalty: $0 (for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-004-1

Requirement: 4/4.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE was found to be in violation of CIP-004-1 R4 because URE had no documentation that it had undertaken quarterly reviews of employees having access to the Critical Cyber Assets (CCAs). WECC found that URE had performed some level of review, but URE could not show the dates, times and signatures indicating how the lists were reviewed.

Finding: The violation was deemed to pose minimal risk to BPS reliability because URE had performed some level of review but could not show dates, times, and signatures indicating how the lists were reviewed. While the violation was ongoing, the list was reviewed more often than quarterly because requests to allow or deny access occurred more frequently during the time period. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.

Penalty: $65,000 (for 11 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: Following a self-report, WECC determined URE violated R1 because URE failed to include contractors and vendors in its program for on-going reinforcement in security awareness.

Finding: WECC determined that the violation posed a minimal risk to the reliability of the BPS because the contractors and vendors at issue had received annual cyber security training, had current PRAs, had been a part of the prior security program, only comprised 17% of personnel with physical access to CCAs, and were aware of the security awareness program mechanisms. Moreover, URE has in place 24-hour monitoring systems that would detect unauthorized access attempts or alarms. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.

Penalty: $200,000 (aggregate for 12 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 1 (three violations, one for each URE)

Violation Risk Factor: Lower (1)

Violation Severity Level: Severe (1)

Region: RFC

Issue: Based on a self-report, RFC determined that URE1, URE2 and URE3 did not have formal procedures for verifying that vendors and contractors who had remote access to the CCAs received the required security awareness reinforcements on a quarterly basis.

Finding: RFC found that the CIP-004-1 R1 violations constituted only a minimal risk to BPS reliability, especially as the UREs provided a security awareness program for their employees and offered security awareness reinforcements to their on-site contractors and vendors. In addition, the UREs ensured that all personnel who had cyber access to the CCAs had the required annual cyber security training, and personnel received the quarterly reinforcement on sound security practices during onsite visits to the Parent Company office or when accessing the UREs' network. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 3.2 (three violations, one for each URE)

Violation Risk Factor: Lower (3.2)

Violation Severity Level: High (3.2)

Region: RFC

Issue: RFC determined that URE1, URE2 and URE3's PRA programs did not contain, as required, a requirement for the UREs to update a personnel's PRA for cause.

Finding: RFC found that the CIP-004-1 R3.2 violations constituted only a minimal risk to BPS reliability since the UREs' PRA programs were otherwise in compliance with the Reliability Standard and the UREs were, in practice, updating their PRAs for cause. In addition, there were no occurrences during the violations when the UREs would have been required to update a PRA for cause. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 4 (three violations, one for each URE)

Violation Risk Factor: Lower (4)

Violation Severity Level: Severe (4)

Region: RFC

Issue: URE1 self-reported that while it had documented that it granted one of its personnel cyber access rights, it had not actually authorized the grant of those rights. Therefore, URE1 was not properly maintaining its list of personnel with authorized access rights to the CCAs. URE1 had also not updated its access list within seven days of providing one of its employees with authorized cyber access to the Parent Company's access control system. In addition, URE1 was not conducting quarterly reviews of its lists of personnel who had authorized cyber or unescorted physical access to the CCAs, as required. Furthermore, URE2 and URE3 had provided an individual with access rights, but they did not document this change on their access lists. URE2 and URE3 also did not revoke the access rights of one of their employees within seven days of his no longer needing the access, as required. In addition, URE2 and URE3 did not properly document and describe the specific access rights of their employees who had access to the CCAs.

Finding: RFC found that the CIP-004-1 R4 violations constituted a moderate risk to BPS reliability since personnel could potentially have access to CCAs they were not supposed to have access to, which could harm the integrity of the CCAs. But, the violations only involved a limited number of individuals (only four employees at URE2 and URE3 and two employees at URE1) and the violations were of relatively short duration. All of the employees had received cyber security training and five of the relevant employees had PRAs on file. None of the employees made any unauthorized cyber or physical access attempts. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 2.1, 2.2.1, 2.3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: SPP RE

Issue: While conducting a CIP Spot Check, SPP RE determined that URE1 had violations of CIP-004-1 R2.1, CIP-004-1 R2.2.1 and CIP-004-1 R2.3. Regarding R2.1, URE1 did not train one employee with unescorted physical access to CCAs inside the 90-day training window for initial CCA access in accordance with V.1 of CIP-004, nor inside the 30-day training window as set forth in V.2 of CIP-004. Regarding R2.2.1, URE1's training program for vendors and contractors was found to be incomplete as it did not include instruction on the proper use of URE1's CCAs. Regarding R2.3, it was discovered during a random sampling of employees with authorized electronic and/or authorized, unescorted physical access to CCAs that two of URE1's contractor employees had not completed the required annual cyber security training. Also, URE1 had no evidence to show that an additional employee received annual recurring training; URE1 could show that the subject employee had received the training, but there was a 19-month gap between training sessions.

Finding: SPP RE found that the violations posed a minimal risk to BPS reliability, but not a serious or substantial risk. The one employee with no training on CCA use represented less than 1% of URE1 staff. The employee with the 19-month gap in training had received training in the years surrounding the gap. Regarding the contractor employees missing annual cyber security training, the two individuals had received training covering where the CCAs were located and had completed PRAs on file. URE1 neither admitted to nor denied the violation. In determining the appropriate penalty, SPP RE found URE's written ICP to be a neutral factor.

Total Penalty: $15,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 2, 4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-reported that 31 people did not complete training within 90 days of receiving electronic access to CCAs, in violation of R2. In reviewing the self-report, WECC discovered that URE’s training program for personnel with only unescorted physical access to CCAs trained individuals in a way that did not meet all the requirements of R2. URE also failed to properly document its training program per R2. URE self-reported that for an 11-day period, it had not included all applicable employees in its access list per R4. In addition, URE discovered that access rights held by an interconnected party’s employee were not revoked when the employee retired as required by R4. Separately, the URE self-reported another incident of an employee with access being left off the access list inadvertently. WECC further determined that URE failed to keep access lists for contractors and service vendors as required by R4. Separately, WECC found that URE failed to terminate access for personnel who were only granted temporary access in violation of R4.2.

Finding: WECC determined that the violation posed a minimal and not a serious or substantial risk to the reliability of the BPS because URE ensured that all personnel with access to a CCA completed a PRA, and URE did provide training even if it did not strictly comply with the requirements. Moreover, while access lists were not properly and timely updated, URE did ultimately remove personnel from the access lists after their need for access ended. The duration of the R2 violation was from the date the Standard became mandatory and enforceable against URE through the date URE completed its mitigation plan. The duration of the R4 violations was from the date the Standard became mandatory and enforceable against URE until the date URE corrected its personnel access lists. The duration of the R4.2 violation was from the date the personnel access was to terminate through the date URE revoked their access.

Total Penalty: $207,000 (aggregate for 12 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 2.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: During a spot check, SERC determined that, as a result of severe weather that led to evacuations or immediate storm restoration work, 7% of URE's personnel with access to the CCAs had not finished their required cyber security training within 90 days of being granted access to the CCAs.

Finding: SERC found that the CIP-004-1 R2.1 violation only constituted a minimal risk to BPS reliability since only 7% of URE's personnel with access to the CCAs completed their required cyber security training outside of the required 90-day timeframe. In addition, all of the relevant individuals had PRAs on file and eventually completed their training (or had their access revoked). URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that, while it collected the physical access cards, it did not remove, within the required seven days, six of its personnel who left the company (two were interns, one part-time employee who resigned and three retired) from its CCA physical access list. URE also did not timely revoke the CCA electronic access of an employee who transferred to a position within URE that did not require access to the CCAs.

Finding: SERC found that the CIP-004-1 R4 violations only constituted a minimal risk to BPS reliability since the relevant personnel, all of whom were in good standing with URE, had received the mandated CIP training and had PRAs on file. In addition, the personnel had their physical access cards collected when they left and, for two of the people, URE revoked the electronic access within a couple of days of the missed deadline. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entities 1, 2 (UREs), Docket No. NP13-30-000 (March 27, 2013)

Reliability Standard: CIP-004-1

Requirement: 2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: While conducting a compliance audit, RFC found that URE 1 and URE 2 had allowed employees of a third-party company, who had not received training meeting NERC's requirements, authorized cyber and authorized unescorted physical access to CCAs. The outside company's training program did not include instruction on the appropriate use of CCAs or on CCA recovery action plans and procedures in the event of a Cyber Security incident. UREs 1 and 2 were found to have violated CIP-004-1 R2's requirement that all NERC-registered entities have a cyber security training program for personnel with authorized cyber or authorized unescorted physical access to CCAs.

Finding: The violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. All personnel with cyber or unescorted physical access to the CCAs are required to have completed approved training prior to such access. The relevant employees had received cyber security training with their employer, but that training did not meet all of NERC’s cyber security training requirements. And, most of the individuals involved had received training and had PRAs on file. In determining the appropriate penalty and approving the settlement agreement, RFC considered UREs’ internal compliance program (ICP) as a mitigating factor, and in addition, the UREs committed to improve their existing ICP, which RFC afforded significant mitigating credit. None of the violations posed serious or substantial risk to BPS reliability. However, UREs’ violation history was considered an aggravating factor.

Total Penalty: $120,000 (aggregate for 24 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that it did not provide the required quarterly security awareness update for contractors from one company since the spreadsheet used to track vendor awareness was inadvertently deleted when the employee responsible for the spreadsheet retired from the company.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. All of URE’s relevant devices are contained in PSPs and ESPs and all of URE’s personnel with access to the devices had received the required training on the CIP Standards. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that it did not provide the required quarterly security awareness update for certain of its contractors.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. All of URE’s relevant devices are contained in PSPs and ESPs and all of URE’s personnel with access to the devices had received the required training on the CIP Standards. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that one employee had received authorized unescorted physical access to a PSP prior to completing a PRA.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability because the individual had received CIP training and the relevant PSP was continuously manned and monitored by URE’s security operations center. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: TRE

Issue: During a compliance audit, TRE determined that URE did not possess adequate documentation showing that it conducted quarterly reviews of personnel with electronic access rights to its CCAs.

Finding: TRE found that the CIP-004-1 R4 violation constituted a moderate risk to BPS reliability. But, URE was actually reviewing its personnel with electronic access rights (even though not on a quarterly basis as required). URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: During a compliance audit, URE was unable to show that it (1) kept a list of employees having authorized cyber or authorized unescorted physical access to CCAs and (2) reviewed quarterly the list of electronic access rights to CCAs.

Finding: The violation was deemed to pose moderate risk because URE was reviewing its CCA access list, but not quarterly as required. URE and Texas RE entered into a Settlement Agreement to resolve the issues. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 2, 4

Violation Risk Factor: Medium (2), Lower (4)

Violation Severity Level: Severe (2, 4)

Region: WECC

Issue: URE self-certified that 120 personnel were granted access to the CCAs without timely completing the required training (as a result of the terms of an existing collective bargaining agreement). URE's training program for its generating station did not address the proper use of CCAs or action plans for the recovery or re-establishment of CCAs after a cyber security incident. Two of URE's personnel also did not receive in 2010 the required annual training (2). In addition, URE self-certified that it had not properly maintained lists detailing the specific electronic and physical access rights granted to personnel at URE's generating station. URE also did not review its access lists on a quarterly basis or timely update the access lists for its generating station to incorporate changes in personnel or access rights (4).

Finding: WECC found that the CIP-004-1 R2 violation constituted a moderate risk to BPS reliability. But, URE regularly hosted on-site staff meetings in which information on URE's training program was provided. The relevant personnel had also been granted unescorted physical access rights to the CCAs at URE's generating station and had PRAs on file. This violation did not involve URE's control center. WECC found that the CIP-004-2 R4 violation constituted only a minimal risk to BPS reliability. URE had created and properly maintained its access lists for CCAs associated with its control center. In addition, the access lists at its generating station identified those personnel who had physical access rights to the CCAs. URE also has physical security measures in place to protect access to the control center and generating station. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entities 1, 2, 3, 4 (RFC_URE1, RFC_URE2, RFC_URE3, MRO_URE1) (collectively, RFC-MRO_UREs), Docket No. NP13-41-000 (June 27, 2013)

Reliability Standard: CIP-004-1

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region(s): ReliabilityFirst, MRO

Issue: RFC-MRO_UREs submitted self-reports (MRO_URE1 self-certified) disclosing that the personnel risk assessment (PRA) for one individual was conducted seven days outside of the seven-year renewal required by the Standard. The issue was uncovered when the security manager checked PRA statuses. Subsequently, RFC-MRO_UREs found they had no formal and documented PRA program.

Finding: The violation was deemed to pose a moderate risk but not a serious or substantial risk because a violation of CIP-004 R3 has the potential to jeopardize the security of the BPS by allowing unauthorized individuals to access CCAs, which in turn could result in damage to the integrity of the CCAs. However, these risks were mitigated by the fact that the individual at hand had completed cybersecurity training and was a trusted employee. In determining the appropriate penalty, RFC found the RFC-MRO_UREs’ internal compliance program to be a mitigating factor; however, the repeat noncompliance was considered an aggravating factor. The CIP programs at RFC-MRO_UREs had been reviewed and revised after previous CIP violations to ensure compliance; however, the current violations of CIP-003-3 R6, CIP-007-3 R1 and R2 and CIP-004-3 R3 were found to be evidence of a failure of the CIP compliance program, which was an aggravating factor in penalty determination. Several of the violations were self-reported, which RFC found to be a mitigating factor.

Total Penalty: $20,000 (aggregate for 9 violations)

FERC Order: Issued August 26, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-45 (July 31, 2013)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it was non-compliant with CIP-004-1 R4 because it discovered that individuals having access to shared accounts were not included on the list of individuals with electronic access to CCAs, including remote terminal units, database servers, energy management systems, domain controllers, file servers and virtual desktops used to control SCADA. WECC's review determined that URE did not have up-to-date access lists, did not undertake the required quarterly reviews for all employees and did not have an accurate list of individuals with CCA access.

Finding: The violation was deemed to pose a moderate, but not serious or substantial, risk to BPS reliability, which was mitigated by several facts including that the individuals with access to individual accounts all had current PRAs on file and had been trained in cybersecurity. The subject CCAs are protected both physically and electronically. Passwords are required to electronically access CCAs. In addition, URE records and monitors all access to the CCAs, which are also designed to signal any cybersecurity event. URE and WECC reached a settlement whereby URE agreed/stipulated to the facts of the violations and agreed to pay a penalty of $198,000. In determining the appropriate penalty, WECC considered URE’s internal compliance program as a mitigating factor. The violations were self-reported. URE cooperated during the enforcement investigation, and WECC found no evidence that URE tried to or intended to conceal a violation. URE’s violation history was not found to be an aggravating factor in the penalty determination.

Total Penalty: $198,000 (aggregate for ten violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not perform quarterly reviews of its lists of personnel who had specific electronic and physical access to the CCAs. URE also did not timely revoke the access rights, within seven days, of four of its terminated personnel.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since the lack of quarterly reviews and the failure to timely revoke access rights may have prevented URE from timely noticing unauthorized access to the Cyber Assets. However, the relevant personnel (who were not terminated for cause) all had PRAs on file and were up to date on their cyber security training when they left URE. In addition, the personnel’s badges were collected and their Active Directory access was removed. Furthermore, URE’s facilities were under continuous monitoring, including through the use of a host-based intrusion detection system. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that the CIP-002-3 R1 violation was self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-004-1

Requirement: 4/4.1, 4.2

Violation Risk Factor: Lower (4/4.1), Medium (4.2)

Violation Severity Level: Moderate (4/4.1)

Region: SERC

Issue: URE self-reported that it did not timely revoke the CCA access of a service vendor employee upon his departure from the vendor (as URE was not informed of his departure until a month later). URE also did not timely update the list of personnel with authorized cyber access to CCAs for 88 of its employees and, on two occasions, did not properly maintain and update its CCA access lists within seven days of any change. In addition, URE erroneously granted a custodial contractor access to one of its PSPs without the required approved authorization.

Finding: SERC found that the CIP-004-1 R4 violation constituted only a minimal risk to BPS reliability as all of the personnel at issue had received the required cyber security training, had a personnel risk assessment on file, and were in good standing or had not been terminated for cause. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. However, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above and beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it granted an employee unescorted physical access to a PSP prior to completing a PRA, as required. The employee at issue did not require physical access as part of his job duties.

Finding: SERC determined the violation constituted only a minimal risk to BPS reliability. The employee at issue (who was in good standing with URE) was not granted electronic access rights to the CCAs and had completed the required annual CIP training prior to gaining physical access rights. He also did not physically enter the PSP during the course of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-004-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: High

Region: SERC

Issue: URE self-reported that it did not timely remove a local user account (with administrative privileges) from two network devices after the relevant individual no longer needed electronic access to URE’s CCAs. In addition, SERC determined that URE did not adequately maintain and update its CCA access lists regarding authorized electronic access rights and unescorted physical access rights. URE also failed to timely revoke the physical access rights to a PSP of an individual who retired.

Finding: SERC determined the violation constituted only a minimal risk to the BPS reliability. The URE personnel involved had completed the required CIP training and had PRAs on file. The personnel also were in good standing and the access privileges were not revoked for cause. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-45-000 (July 31, 2014)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported its failure to perform a personnel risk assessment (PRA) for six employees who had either physical access or unescorted physical access to a PSP.

Finding: WECC determined the violation constituted a moderate risk to the BPS reliability since it increased the possibility of unauthorized access to URE’s CCAs. However, URE’s CCAs were protected by electronic access, logging and monitoring controls and its PSP is continuously monitored. Additionally, five of the employees at issue had completed the required NERC CIP training, and the sixth employee did not access the PSP during the duration of the violation. Furthermore, subsequent PRAs indicated no adverse issues and all six employees are still employed and in good standing. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history to be an aggravating factor. However, none of the violations posed a serious or substantial risk to BPS reliability. In addition, URE had an internal compliance program in place, which was viewed as a mitigating factor. One of the violations was also self-reported. URE cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $180,000 (aggregate for 7 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-004-1

Requirement: R2/R2.1/R2.3 (2 violations – one for URE4 and one for URE6)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE4 and URE6 failed to conduct CIP training for four individuals prior to granting them physical access to their CCAs. URE4 also did not conduct the required 2010 annual CIP training for one individual.

Finding: RFC determined the violations constituted only a minimal risk to BPS reliability. The four individuals at issue had undergone non-NERC cyber awareness training, which covered subject matter similar to the required CIP training. In addition, URE4 and URE6 also had PRAs on file for the relevant individuals, and there was nothing in the PRAs that would have prevented those individuals from gaining physical access to the CCAs. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). The URE Companies were nonetheless awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-004-1

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE2 self-reported that it did not timely update, as required, the Personnel Risk Assessment (PRA) for one contractor and four employees and that it did not revoke the contractor’s access after the expiration of the PRA. In addition, during a compliance audit, RFC found that URE2’s PRA program did not specify that URE must update PRAs “for cause.”

Finding: RFC determined the violation constituted only a minimal risk to BPS reliability. With regard to the relevant URE2 contractor (a trusted vendor with no PRA-disqualifying factors), the updated PRA was only 31 days late and the issue was immediately escalated. URE2 mandated PRAs for all contractors and employees who needed access to CCAs and had had no “for cause” situations since the Reliability Standards became mandatory. As soon as an expired PRA was identified, the URE Companies removed access and updated each PRA. The URE Companies (URE1, URE2 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed to randomly select and perform a spot check on one of the URE Companies in the future.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-004-1

Requirement: R4 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not maintain accurate lists of personnel with either cyber or unescorted physical access to their CCAs, as the access lists did not include all of the necessary information technology (IT) administrators. In addition, during a compliance audit, RFC found that URE2 did not have adequate documentation showing that it performed quarterly reviews of its list of personnel with access to CCAs or that it timely updated such list as required. Furthermore, URE1’s and URE3’s CCA access lists did not specify the specific access rights granted to personnel, and URE3 did not timely remove an individual from its CCA access list.

Finding: RFC determined the violations constituted only a minimal risk to BPS reliability. The URE Companies did have CCA access lists (with some of the required information in place), had enacted authorization criteria for everyone accessing the CCAs and recorded basic access information. The URE Companies also had PRAs on file for all of the IT administrators. Although it did not timely update the access list, URE3 did revoke the access badge of the individual who no longer required physical access to the CCAs. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed to randomly select and perform a spot check on one of the URE Companies in the future.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-004-1

Requirement: R4 (4.1)

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP RE

Issue: During a compliance audit, SPP RE determined that URE did not review, on a quarterly basis, the specific authorized cyber access rights for personnel who had access rights to its CCAs.

Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability, as URE did maintain an access list containing specific access rights, which URE reviewed and updated each time the status of a person on the list changed. Access to its CCAs was only granted to personnel who had completed cyber security training and had a PRA. Moreover, URE’s quarterly review of its access list included verifying each individual’s status, their annual cyber security training and the status of their PRA, all of which were accurate. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-004-1

Requirement: R4/R4.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: Texas RE

Issue: URE self-certified and later self-reported that it incorrectly reviewed a list of personnel who had access to an application that is present on most CCAs instead of reviewing a list of personnel who had access to the CCAs themselves.

Finding: Texas RE determined that the violation constituted only a minimal risk to BPS reliability since URE's Cyber Assets were protected by a strong system that utilized many layers of protection including: firewalls, group user authentication, shared account and infrastructure reviews, employee training, cyber incident detection, and ESP/PSP access authentication. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: URE had an internal compliance program in place; URE self-reported several of the violations and none posed a serious or substantial risk to BPS reliability; URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement process.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-004-1

Requirement: R4/R4.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: MRO, SPP RE and WECC

Issue: During a compliance audit, MRO determined that URE1 did not update its list of personnel who had authorized cyber or unescorted physical access to its CCAs within seven calendar days of a change. URE1 did not update its list for over 20 days for one employee, for six months for a second employee and for almost a year for a contractor whose responsibilities changed.

Finding: MRO determined that the violation posed only a minimal risk to BPS reliability. The three individuals remained employed at URE1 and kept their access privileges. All of the employees at issue had current cybersecurity training and PRAs throughout the duration of the violation. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations of five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place, and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement process and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-004-1

Requirement: R2/R2.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it did not conduct cybersecurity training for one year as required and that its training materials failed to address: (1) the proper use of CCAs; (2) physical and electronic access controls to CCAs; (3) the proper handling of CCA information; and (4) action plans and procedures to recover, re-establish or access CCAs after a cybersecurity incident. However, this material was included in separate URE awareness training.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE had conducted cybersecurity training the year before and the year after. Furthermore, URE provided cybersecurity training for all personnel who had authorized unescorted physical or logical access to CCAs and educated them on CIP language and procedures. In addition, training materials for standards CIP-002 through CIP-009 were included in URE's training material, which also included URE's policies and procedures related to the standards. URE's cybersecurity awareness training did include the materials that were required by the standard but omitted from its cybersecurity training program. Security practices were further reinforced through quarterly awareness activities that URE conducted. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-004-1

Requirement: R4/R4.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported and WECC later determined, through a compliance audit of URE's self-report, that on one occasion URE updated its list of employees with authorized access to CCA 21 days prior to granting access and 7 days prior to authorizing access instead of seven days prior to granting access. On another occasion, URE updated the list one month after access was granted.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as the individuals at issue had completed Personnel Risk Assessments and had received CIP training. In addition, the employees had "need to know" local access to CCAs and no unauthorized personnel were given access to CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial, risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.