Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)
Reliability Standard: CIP-009-2
Violation Risk Factor: Lower
Violation Severity Level: Severe
Issue: URE self-reported that its backup and restoration processes and procedures were insufficient as they did not include detailed information needed to effectively restore network switches, firewalls, terminal servers and controls panels. While the procedures referred to a vendor's recovery documentation, they did not indicate where the documentation was located.
Finding: WECC determined that the violation posed only a minimal risk to the BPS reliability as URE had redundancy on the devices and located them within an ESP with restricted access that was monitored and logged continuously. URE also contracted with third party vendors who would notify URE and restore CCA within eight hours of an event. Backup and restoration procedures on URE's Windows devices provided for regularly recorded backup tapes that could be utilized in the event of a failure. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history as an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal, but not a moderate, serious or substantial risk to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.
Penalty: $120,000 (aggregate for 13 violations)
FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.