NERC Case Notes: Reliability Standard CIP-008-3 | White & Case LLP International Law Firm, Global Law Practice

White & Case NERC Database

This page contains the NOP (Notice of Penalty) and ACP (Administrative Citation of Penalty) summaries for this Reliability Standard; the FFT (Find, Fix and Track) summaries are collected on a separate page.

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-008-2; CIP-008-3

Requirement: R1.1; R1.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R1 because the company failed to include in its Cyber Response Plan (Plan) procedures to characterize and classify events as reportable Cyber Security Incidents. Furthermore, although the Plan described the roles and responsibilities of its Cyber Security Incident response team, the company failed to show how the communication plan it presented during the Compliance Audit was triggered, executed, or otherwise related to the Plan.

Finding: RFC determined that the R1 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because the company does have a Plan that details and categorizes the severity of potential incidents. In addition, before discovering this violation the company had undertaken a tabletop test of its response process, and the test resulted in successful characterization of an event and notification of the proper individuals. RFC and URE entered into a settlement agreement resolving multiple violations, under which URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1.
RFC considered URE's ICP (internal compliance program) a mitigating factor in making its penalty determination. The violation began when the company was required to comply with the standards at issue and ended when URE revised its Cyber Response Plan. URE neither admits nor denies the R1 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-008-3

Requirement: 1 (2 violations – RFC and SERC)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE’s enterprise-level cyber security incident response plan did not cover, as required, the procedures for characterizing and classifying when a cyber security incident is reportable.

Finding: SERC and RFC found that URE’s CIP-008-3 R1 violations constituted a moderate risk to BPS reliability, since they increased the chance of delay in URE’s ability to respond to, resolve, and recover from a cyber security incident. However, URE had provided its relevant personnel with training on the cyber security incident response plan, including annual drills on the plan. In addition, no cyber security incidents occurred during the course of the violations. The devices were also protected by an ESP and PSP, as well as by site physical security. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. On the other hand, URE self-reported some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred, although URE received only partial mitigating credit because most of its violations resulted from a lack of execution and coordination of those programs. URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not.

Total Penalty: $350,000 ($175,000 for each URE; aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-008-3

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SERC

Issue: URE self-reported that, when one of its managers transferred to a new role, it did not remove the manager’s name from the Cyber Security Incident response plan (CSIRP) and replace it with new contact information, nor did it ensure that the CSIRP contained the correct contact information for the manager role. URE also did not update the CSIRP within 30 days to reflect changes made to its sabotage and cyber incident detection, analysis, and reporting process.

Finding: SERC found that the CIP-008-3 R1 violation constituted only a minimal risk to BPS reliability. The CSIRP still contained the correct phone number for the relevant manager. Furthermore, the URE personnel responsible for updating the cyber incident detection, analysis, and reporting process are the same personnel who would execute that process in the event of an emergency. In addition, no cyber security incidents occurred during the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history an aggravating factor. However, certain of the violations were self-reported, and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined went above and beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)