NERC Case Notes: Reliability Standard CIP-004-2 | White & Case LLP International Law Firm, Global Law Practice
NERC Case Notes: Reliability Standard CIP-004-2

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries; the FFT (Find, Fix and Track) summaries are collected on a separate page.

Unidentified Registered Entity, FERC Docket No. NP11-162-000 (March 31, 2011)

Reliability Standard: CIP-004-2

Requirement: R4.2

Violation Risk Factor: N/A

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that an employee with unescorted physical access and authorized cyber access retired without relinquishing his badge. The access rights were later electronically revoked, but not within the 7 days required by the Standard. Duration of violation was July 7, 2010 through August 5, 2010, when access was revoked.

Finding: NPCC Enforcement determined that the violation posed a minimal risk to the bulk power system because a check of access records indicated that the retired individual did not attempt to physically access any systems after retirement.

Penalty: $2,500 (aggregate for 3 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-162-000 (March 31, 2011)

Reliability Standard: CIP-004-2

Requirement: R4.2

Violation Risk Factor: N/A

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that a contractor with unescorted physical access left her employer and, while her employer took possession of her access badge, access was not electronically revoked within the required 7-day period. Duration of violation was July 2, 2010 through August 3, 2010, when access was revoked.

Finding: NPCC Enforcement determined that the violation posed a minimal risk to the bulk power system because the contractor’s employer immediately took possession of the badge, so there were no attempts to access systems with the badge at issue.

Penalty: $2,500 (aggregate for 3 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-162-000 (March 31, 2011)

Reliability Standard: CIP-004-2

Requirement: R4.2

Violation Risk Factor: N/A

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that a contractor with unescorted physical access left his employer and, while his employer took possession of his access badge, access was not electronically revoked within the required 7-day period. Duration of violation was June 8, 2010 through June 14, 2010, when access was revoked.

Finding: NPCC Enforcement determined that the violation posed a minimal risk to the bulk power system because the contractor’s employer immediately took possession of the badge, so there were no attempts to access systems with the badge at issue.

Penalty: $2,500 (aggregate for 3 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-189-000 (May 26, 2011)

Reliability Standard: CIP-004-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: FRCC

Issue: URE self-reported that two individuals were given authorized unescorted physical access or authorized cyber access to Cyber Assets without valid personnel risk assessments (PRAs). Duration of the violation was April 29, 2010, when the employees were granted access without a PRA, through June 8, 2010, when the violation was mitigated.

Finding: FRCC determined that the violation posed a minimal risk to the bulk power system because the employees did not exercise unescorted physical access to Cyber Assets during the time they had such rights. The NERC BOTCC also considered that the URE self-reported the violation.

Penalty: $17,000 (aggregate for 5 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-206-000 (June 29, 2011)

Reliability Standard: CIP-004-2

Requirement: R4/4.2 (2 violations)

Violation Risk Factor: Medium (for both violations)

Violation Severity Level: Moderate (for both violations)

Region: NPCC

Issue: Registered Entity 3 self-reported that it had not revoked access rights within seven days, as required, in two cases: the retirement of a contractor employee, and another contractor who no longer required unescorted physical access rights to its Critical Cyber Assets (CCAs).

Finding: NPCC and the Registered Entities’ parent company entered into a settlement agreement to resolve multiple violations, whereby the Registered Entities’ parent company agreed to pay a penalty of $80,000 and to undertake other mitigation measures. The duration of the CIP-004-2 violations was from June 8, 2010 through June 14, 2010 and from July 7, 2010 through August 5, 2010. NPCC found that the CIP-004-2 violations only constituted a minimal risk to bulk power system reliability since the relevant employee and contractor did not access any area containing CCAs after their access rights were supposed to have been revoked. In approving the settlement agreement, NERC found that these violations were the Registered Entities’ parent company’s first violations of the relevant Reliability Standards; the violations were self-reported; the Registered Entities’ parent company was cooperative during the enforcement proceeding and did not conceal the violations; and there were no additional aggravating or mitigating factors.

Penalty: $80,000 (aggregate for 21 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-004-1, CIP-004-2, CIP-004-3

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A (for CIP-004-1 R4); Lower (for CIP-004-2 R2); Moderate (for CIP-004-2 R4); and High (for CIP-004-2 and CIP-004-3 R3)

Region: ReliabilityFirst

Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) reported several Reliability Standards violations. With regard to CIP-004-1 R2.1, URE 1 and URE 2 self-reported that two of their security command center operators allowed a new security officer to enter, unescorted, a physical security perimeter (PSP) housing critical cyber assets (CCAs) on 18 occasions before he had finished cyber security training. With regard to CIP-004-1 R4.2, URE 1 and URE 2 self-reported that they had not revoked the physical access rights of an individual who no longer required access within the time required. With respect to CIP-004-2 R2, URE 1 and URE 2 self-reported that they did not train an individual with unescorted access to CCAs prior to his gaining access. With respect to CIP-004-2 R3, URE 1 and URE 2 self-reported that they failed to conduct a personnel risk assessment (PRA) for an individual before he received unescorted access to CCAs. With respect to CIP-004-2 R4, URE 1 and URE 2 self-reported that they failed to timely revoke the physical access rights of an individual who no longer required such access. With regard to CIP-004-3 R3, URE 3 self-reported that by mistake it granted an individual unescorted physical access to a PSP prior to that person having completed a PRA. Duration of the violations was: June 16, 2010 to June 22, 2010 (for CIP-004-1 R2.1); January 1, 2010 to June 28, 2010 (for CIP-004-1 R4.2); July 20, 2010 to July 21, 2010 (for CIP-004-2 R2); June 16, 2010 to November 22, 2010 (for CIP-004-2 R4); and November 18, 2010 to November 22, 2010 (for CIP-004-3 R3).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because: for violation CIP-004-1 R2.1, the security officer had a valid PRA at the time of the violation; for violation CIP-004-1 R4.2, the individual did not try to access the location containing CCAs after changing jobs, and he remained employed by the UREs; for violations CIP-004-2 R2 and R3, there was no security event during the time of the violations, the personnel involved had previously been granted access to certain noncritical areas since September 2007, and the UREs had a process in place to verify correct access authorization promptly before access occurred; for violation CIP-004-2 R4, the individual concerned had a valid PRA and cyber security training, had worked with the UREs for nearly 33 years, and did not try to access the PSP after he no longer required access; and for violation CIP-004-3 R3, the individual had current cyber security training and URE 3 approved his PRA four days after granting access. However, ReliabilityFirst noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violations; and there was no evidence that the UREs attempted to conceal a violation.

Penalty: $180,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-243-000 (July 28, 2011)

Reliability Standard: CIP-004-2

Requirement: R2.1, R3, R4

Violation Risk Factor: Medium (R2.1, R3), Lower (R4)

Violation Severity Level: Moderate (R2.1, R4), High (R3)

Region: RFC

Issue: The Unidentified Registered Entity self-reported that it had not provided adequate training to five individuals who were granted access to a Physical Security Perimeter (PSP), as well as to four individuals with authorized access to the Critical Cyber Assets (CCAs) (R2.1). The Unidentified Registered Entity also did not perform the required Personnel Risk Assessment (PRA) within 30 days of one of its employees receiving authorized cyber or unescorted physical access to the CCAs (R3). In addition, the Unidentified Registered Entity improperly left five individuals who had electronic access to its CCAs off its list of personnel with authorized cyber or unescorted physical access to the CCAs (R4).

Finding: RFC and the Unidentified Registered Entity entered into a settlement agreement to resolve the violations, whereby the Unidentified Registered Entity agreed to pay a penalty of $20,000 and to undertake other mitigation measures. RFC found that the R2.1 and R3 violations did not constitute a serious or substantial risk to bulk power system reliability. In terms of R2.1, all nine of the relevant individuals had received their PRA and none of them accessed the CCAs within the PSP during the violation (even though three did access the PSP). In terms of R3, the one employee who was missing his PRA did not access the PSP during the violation and is a long-term employee who had received all of the necessary training. For the R4 violation, RFC found that the violation constituted a moderate risk to bulk power system reliability. However, the Unidentified Registered Entity had performed PRAs on the relevant individuals (and some had completed the required training), and none of them accessed the CCAs during the violation. The duration of the violations was from April 1, 2010 through May 14, 2010 (R2.1), from February 1, 2010 through May 14, 2010 (R3), and from January 1, 2010 through May 14, 2010 (R4). In approving the settlement agreement, NERC found that these were the Unidentified Registered Entity’s first violations of this Reliability Standard; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the compliance culture of the Unidentified Registered Entity’s parent company was evaluated as a mitigating factor; the violations were not evaluated as repeated conduct since they arose out of the same set of facts and circumstances; and there were no additional aggravating or mitigating factors.

Penalty: $20,000 (aggregate for 8 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-250-000 (July 28, 2011)

Reliability Standard: CIP-004-2

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: WECC

Issue: The Unidentified Registered Entity reported that one employee (out of 332) had not received the required Cyber Security Training before being granted access to one Physical Security Perimeter that contained Critical Cyber Assets. Also, two other employees had not completed an annual retraining course.

Finding: The Unidentified Registered Entity agreed to pay a penalty of $12,600 and to undertake other mitigation measures. WECC found that the CIP-004-2 violation constituted only a minimal risk to bulk power system reliability since the one employee had some cyber security training and had a completed personnel risk assessment. The Unidentified Registered Entity was able to show that the employee did not gain or attempt to gain access to Critical Cyber Assets. The other two employees had completed the cyber security training during the previous year. In approving the penalty amount, NERC found that these were the Unidentified Registered Entity’s first violations of the relevant Reliability Standards; the violations were self-reported; the Unidentified Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Unidentified Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $12,600 (aggregate for 9 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-004-2

Requirement: R4/4.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: RFC_URE2 self-reported that it had not updated its list of personnel with access to its Critical Cyber Assets (CCAs) within seven days, as required, after terminating for cause an employee who had access rights.

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. However, RFC_URE2 had properly revoked the relevant employee’s access control cards, passwords, and appropriate accounts within 24 hours of the employee’s termination. In addition, the relevant employee, even before his termination, did not have electronic access or control privileges to the SCADA system or other CCAs. RFC also found no evidence that there were any broader corporate issues involved.

Penalty: $1,000

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-004-2

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: RFC

Issue: URE self-reported that it had granted unescorted physical access rights to an employee (who needed access to perform job tasks related to coordinating distribution system restoration activities) before he had completed all of the required cyber security training.

Finding: RFC found that the violation constituted a moderate risk to BPS reliability. The relevant employee had already received a PRA and completed part of the cyber security training. In addition, the relevant employee did not take any action regarding the energy control system outside of his job responsibilities. Certain parts of URE’s compliance program were evaluated as a partial mitigating factor.

Penalty: $17,000 (aggregate for 2 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-004-2

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: NPCC

Issue: URE self-reported that, while conducting an internal review of PRA documentation, it found that one employee had been granted authorized unescorted physical access to CCAs located at a power station for approximately six months before having a completed PRA on file. A PRA had been requested for the employee three months prior to the required access date, but the manager in charge of granting such access did not confirm that the PRA had been conducted prior to granting the access.

Finding: NPCC found that the violation constituted a minimal risk to BPS reliability because it involved only one employee, who did not access the CCA PSP during the time there was no PRA on file. In addition, the particular work location requires government-approved credentials, which the employee had completed two years prior to the violation. NPCC considered URE’s internal compliance program and violation history as mitigating factors in determining the appropriate penalty.

Penalty: $3,800

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-25 (April 30, 2012)

Reliability Standard: CIP-004-2

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that on two occasions it had not timely revoked an individual’s access to the CCAs. In one instance, a contract security officer, with authorized unescorted physical access, was terminated (not for cause), but his access rights were not revoked until a month and a half later. In the second instance, a contract security officer was terminated for cause (unrelated to the CIP Standards) and, while his access badge was confiscated immediately, his access rights were not terminated until two days later.

Finding: RFC found that the CIP-004-2 R4.2 violation constituted a moderate risk to BPS reliability. However, the security officer terminated for cause did not have his access badge during the violation. Neither security officer would have been able to physically access URE’s CIP areas, and they did not physically access any areas containing URE’s CCAs after they were terminated. In approving the settlement agreement, the NERC BOTCC considered certain of URE’s violations to be proof of broad deficiencies in URE’s compliance program (even though other aspects of the compliance program were evaluated as mitigating factors); some of the violations were self-reported (even though only partial credit was granted for certain self-reports that occurred right before the compliance audit); URE was cooperative during the enforcement process and promptly submitted effective mitigation plans; and these violations were URE’s first violations of the relevant Reliability Standard.

Penalty: $115,000 (aggregate for 17 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-004-2

Requirement: 2.1 (three violations, one for each URE)

Violation Risk Factor: Medium (2.1)

Violation Severity Level: Severe (2.1)

Region: RFC

Issue: Based on a self-report, RFC determined that URE1, URE2 and URE3 had improperly granted an employee authorized unescorted physical access to CCAs prior to that employee receiving the required physical security training.

Finding: RFC found that the CIP-004-2 R2.1 violations constituted only a minimal risk to BPS reliability since the violations only involved one employee (a trusted manager who had a PRA on file and had received some cyber security training) and were of relatively short duration. In addition, the relevant employee did not try to physically access the CCAs. The UREs also had security awareness programs in place, as well as training reinforcements for on-site contractors and vendors. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). However, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-004-2

Requirement: 2, 3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE1 filed a self-report explaining that it could not provide documentation to show that all personnel had received cyber security training. URE1 found during a self-assessment that it could not show for 32.2% of affected employees that training had been completed in a timely manner (R2). URE1 also reported that it could not show for 35.8% of all personnel that it conducted PRAs as required by CIP-004-1 R3.

Finding: Texas RE determined that the R2 violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because it was found to be primarily documentation related rather than performance related. Upon discovery of the non-compliance, URE1 provided all affected employees training and documentation as required within four months. All of the relevant employees had clear PRAs on file, and URE1 had adequate layers of protection for system security, which also lessened any risk to BPS reliability. URE1 neither admitted nor denied the violation. Texas RE considered URE1’s ICP a neutral factor in determining the appropriate penalty.

Total Penalty: $51,000 (aggregate for 5 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-004-2

Requirement: 3; 3.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: MRO

Issue: URE1 self-certified a violation of R3 after discovering that it had not properly verified the identification of 9% of its contractors and 1% of its employees who had authorized access to Critical Cyber Assets (CCAs).

Finding: MRO determined that the R3 violation posed a moderate risk to the reliability of the BPS because a total of 10% of the individuals subject to the Standard did not have their identity properly verified as part of their personnel risk assessments, either by the entity or by an independent third party. Furthermore, in one instance, an individual was given unescorted access to the physical security perimeter without verification of his/her identity for 14 months. The entity confirmed, however, that after all identity and background checks were properly completed, there were no issues with the personnel. MRO considered URE1’s violation history to be an aggravating factor and URE1’s ICP to be a mitigating factor in making its penalty determination. The violation began when the first individual was granted access to the PSP without proper identity verification and ended when the identity verifications were completed. URE1 admitted to the violation.

Total Penalty: $20,000 (aggregate for 3 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-2; CIP-004-3

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R2 when it granted two employees unescorted access to Critical Cyber Assets (CCAs) without those employees having completed cyber security training.

Finding: Whereas RFC and URE agreed and stipulated that the R2 violation posed a moderate risk to the reliability of the BPS, NERC determined that the violation posed only a minimal risk. The risk was mitigated by the personnel risk assessments undertaken by both employees prior to access being granted, which revealed no criminal history or other issues that would otherwise have precluded access to the CCAs. Furthermore, the employees were not provided with key cards that would have allowed for unescorted access to the company's Physical Security Perimeter (PSP), nor have the employees at issue ever entered the PSP without an escort. Finally, the employees did not access the CCAs during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R2.
RFC considered RFC_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the company first allowed the employees access to the CCAs and ended when the employees completed their cyber security training. URE neither admits nor denies the R2 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-2; CIP-004-3

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R3 when it granted one employee, the company's FERC compliance manager, unescorted physical access to Critical Cyber Assets prior to completing a personnel risk assessment for the employee.

Finding: RFC determined that the R3 violation posed a minimal risk to the reliability of the BPS. The risk was mitigated because the employee at issue had completed the CIP training before access was granted, and when the personnel risk assessment was completed, it revealed no criminal history or other issues that would have precluded access to the CCAs. Furthermore, the employee was not provided with a key card that would have allowed for unescorted access to the company's Physical Security Perimeter (PSP), nor did the employee ever enter the PSP without an escort during the violation. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R3.
RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company first allowed the employee unescorted physical access to CCAs and ended when the company completed the personnel risk assessment for the employee. URE neither admits nor denies the R2 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-004-2

Requirement: 3

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: TRE

Issue: During a compliance audit, TRE determined that URE's background investigation policy did not contain the required language (in the updated Reliability Standard) that a PRA must be completed prior to an individual being granted authorized cyber or unescorted physical access to the CCAs.

Finding: TRE found that the CIP-004-2 R3 violation constituted only a minimal risk to BPS reliability. URE had updated its background investigation policy during the course of the violation to specify that all relevant employees and vendors must complete a background investigation before starting their employment. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-004-2

Requirement: 3

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: Texas RE

Issue: URE’s CCA access policy did not have the requirement that PRAs must be completed prior to CCA access being granted.

Finding: The violation was deemed to pose minimal risk because URE did not grant access until after a PRA was completed; it had simply failed to document the policy. URE and Texas RE entered into a Settlement Agreement to resolve the issues. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE, and URE cooperated during the enforcement process. Texas RE determined that URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-004-2

Requirement: R3/R3.1/R3.2 (2 violations – one for URE1 and one for URE3)

Violation Risk Factor: Medium

Violation Severity Level: High

Region: MRO, SPP RE and WECC

Issue: During a compliance audit, MRO determined that URE1 failed to confirm that all employees with authorized cyber access and unescorted physical access to CCAs had undergone identification verification as part of their PRAs. One of URE1's employees had a PRA that did not include identification verification for 5 months. URE3 also reported the same violation to WECC. The URE companies revoked the access of four employees whose PRAs had not been updated for seven years: two were reinstated, one no longer needed access, and another was informed of the screening process. In addition, the UREs identified seven employees whose identities had not been verified. Three of the seven had high-level access to the CCAs; two had freezes on their Social Security numbers; and one was a foreign national whose passport was not verified.

Finding: MRO determined that the violation posed a serious or substantial risk to BPS reliability, as the URE companies worked in various capacities at several BPS facilities. Moreover, three individuals without identification verification had high-level access rights to CCAs and one employee was a foreign national whose passport had not been checked. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the enforcement process and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending