NERC Case Notes: Reliability Standard CIP-004-3

Alert

49 min read

 

Unidentified Registered Entities, FERC Docket No. NP11-237-000 (July 28, 2011)

Reliability Standard: CIP-004-1, CIP-004-2, CIP-004-3

Requirement: R2, R3, R4

Violation Risk Factor: Medium

Violation Severity Level: N/A (for CIP-004-1 R4); Lower (for CIP-004-2 R2); Moderate (for CIP-004-2 R4); and High (for CIP-004-2 and CIP-004-3 R3)

Region: ReliabilityFirst

Issue: Unidentified Registered Entities 1, 2 and 3 (URE 1, URE 2 and URE 3) reported several Reliability Standards violations. With regard to CIP-004-1 R2.1, URE 1 and URE 2 self-reported that two of their security command center operators allowed a new security officer to enter unescorted a physical security perimeter (PSP) housing critical cyber assets (CCAs) on 18 occasions before he had finished cyber security training. With regard to CIP-004-1 R4.2, URE 1 and URE 2 self-reported that they had not revoked the physical access rights of an individual who no longer required access within the time required. With respect to CIP-004-2 R2, URE 1 and URE 2 self-reported that they did not train an individual with unescorted access to CCAs prior to his gaining access. With respect to CIP-004-2 R3, URE 1 and URE 2 self-reported that they failed to conduct a personnel risk assessment (PRA) for an individual before he received unescorted access to CCAs. With respect to CIP-004-2 R4, URE 1 and URE 2 self-reported that they failed to timely revoke physical access rights of an individual who no longer required such access. With regard to CIP-004-3 R3, URE 3 self-reported that by mistake it granted an individual unescorted physical access to a PSP prior to that person having completed a PRA. Duration of the violations was: June 16, 2010-June 22, 2010 (for CIP-004-1 R2.1); January 1, 2010-June 28, 2010 (for CIP-004-1 R4.2); July 20, 2010-July 21, 2010 (for CIP-004-2 R2); June 16, 2010-November 22, 2010 (for CIP-004-2 R4); and November 18, 2010-November 22, 2010 (for CIP-004-3 R3).

Finding: ReliabilityFirst determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system because for violation CIP-004-1 R2.1, the security officer had a valid PRA at the time of the violation; for violation CIP-004-1 R4.2, the individual did not try to access the location containing CCAs after changing jobs, and he remained employed by the UREs; for violation CIP-004-2 R2 and R3, there was no security event during the time of the violations, the personnel involved had previously been granted access to certain noncritical areas since September 2007, and the UREs had a process in place to verify correct access authorization promptly before access occurred; for violation CIP-004-2 R4, the individual concerned had valid PRA and cyber security training, had worked with the UREs for nearly 33 years, and did not try to access the PSP after he no longer required access; and for violation CIP-004-3 R3, the individual had current cyber security training and URE 3 approved his PRA four days after granting access. However, ReliabilityFirst noted that it found an aggravating factor in that some of the violations constituted repetitive conduct attributable to the same compliance program. The NERC BOTCC also considered that the UREs self-reported the violations; the UREs were cooperative during the investigation; the UREs had a compliance program at the time of the violations; and there was no evidence that the UREs attempted to conceal a violation.

Penalty: $180,000 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-004-3

Requirement: R4.2

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: NPCC

Issue: NPCC_URE1 self-reported that three contractors with access credentials to the Physical Security Perimeters for the Critical Cyber Assets left the property without returning their access credentials upon their retirement.

Finding: NPCC found that the violation constituted a minimal risk to bulk power system reliability since the contractors were former employees and there were no unauthorized access attempts. The contractors had also received cyber security training and had Personnel Risk Assessments on file. The duration of the violation was from December 31, 2010 through March 3, 2011.

Penalty: $3,500

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that during an internal spot check it discovered that an individual had been given PSP access before completing CIP cyber security training. The individual had access for several days before the mistake was discovered and access was revoked. After further review, URE found the individual had not accessed the PSP and was not aware he had access to the PSP. The individual also had a current personnel risk assessment (PRA) on file. As a result, URE was in violation of the Reliability Standard by its failure to only provide access to CCAs to by trained individuals.

Finding: WECC deemed the issue posed minimal risk to BPS reliability because the relevant individual was not aware he could have accessed the PSP, and in addition, he had no account access and, as such, logging into any of the CCAs in the PSP would have been blocked. The CCAs contained in the PSP cannot be manipulated through hardware communication by design. The PSP has 24/7 monitoring by video and security guards. In determining the appropriate penalty, WECC considered URE’s internal compliance program and compliance history. URE did not contest WECC’s findings.

Penalty: $7,000

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-004-3

Requirement: R4.1/4.2

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: WECC

Issue: URE filed a self-report with WECC reporting that it had not updated its CCA access list to reflect a status change for 11 individuals: a retired employee, two transferred employees and 8 contractors who no longer needed access. The relevant individuals had physical, not electronic, access to CCAs. The access rights had been revoked; however, URE failed to update its CCA access list. WECC determined that URE was in violation of the Standard for not updating its CCA authorized access list (R4.1) and for not revoking access within 24 hours to individuals no longer requiring such access (R4.2).

Finding: WECC deemed the violation to pose minimal risk to BPS reliability for the following reasons: (1) URE not updating its CCA access list is documentation related and all access had been revoked to the individuals; however, the CCA access list did not reflect that. (2) None of the contractors accessed the CCAs. (3) The CCAs are contained in an ESP within a PSP that is continuously monitored and any login attempts – authorized or unauthorized – are recorded. (4) The violation involved less than 5% of URE’s employees or contractors lessening any risk to BPS operations. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program. URE did not contest WECC’s findings.

Penalty: $14,900 (aggregate for violations of CIP-004-3 R4 and PER-002-0 R4; URE received no penalty for a violation of PER-002-0 R1, which WECC reported was a separate enforcement action)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R4.1/4.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: URE self-reported that for one of its employees who had been transferred to another department, it revoked his physical access rights to the CCAs, but his logical access rights were not revoked within seven days as required. URE also did not update its access lists within seven days of changes of personnel with access rights to the CCAs.

Finding: WECC found that the CIP-004-3 violation only constituted a minimal risk to BPS reliability since the relevant employee did not have physical access rights to the CCAs (only logical). In addition, the employee was current on his CIP training, had received a PRA, and remained an employee of URE. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $72,000 (aggregate for 12 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R2/2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified noncompliance with R2 because 0.45% of employees with authorized unescorted physical access to CCAs within 21 PSPs did not receive annual training required by R2.

Finding: WECC found the violation posed a minimal risk to the reliability of the BPS because the employee at issue had a valid PRA and training. Moreover, the PSPs had redundant security features including 24-hour monitoring. WECC considered URE’s internal compliance program a mitigating factor.

Penalty: $5,000

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R3/3.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: Following a Self-Report, WECC determined that URE failed to update PRAs for two employees with unescorted physical access to several PSPs within the seven-year time period required by R3.

Finding: WECC found the violation posed a minimal risk to the reliability of the BPS because the two employees at issue had initial PRAs, were current on relevant training, and URE promptly revoked access rights upon discovery. WECC considered URE’s internal compliance program a mitigating factor and also considered URE’s and its affiliates’ compliance history.

Penalty: $12,600 (aggregate for 2 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: Following a Self-Report, WECC determined that URE failed to revoke electronic access to CCAs within seven days after an individual retired.

Finding: WECC found the violation posed a minimal risk to the reliability of the BPS because the employee at issue had a current PRA and cyber security training. URE also uses a two-factor authentication system that allows URE to monitor the use of CCAs. WECC considered URE’s internal compliance program a mitigating factor and also considered URE’s and its affiliates’ compliance history.

Penalty: $12,600 (aggregate for 2 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-43-000 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Violation Risk Factor: Low

Violation Severity Level: N/A

Region: WECC

Issue: URE self-reported a violation of R4 for failing, on two separate occasions, to revoke physical access within seven calendar days for a total of three employees who no longer required access to Critical Cyber Assets (CCAs). Regarding the first instance, after a project was completed, URE failed to process an access revocation ticket, allowing an employee to have continued access to the CCAs for eight months after his access status was supposed to be changed. Similarly, in the second instance, URE once again failed to process the status change revoking CCA access for two employees, allowing them continued physical access for two months. In determining the appropriate penalty, WECC and the NERC BOTCC took the following under consideration as mitigating factors: URE was cooperative during the enforcement process; the CIP violation was self-reported; URE's internal compliance program; the violation was not a result of URE failing to abide by compliance directives; URE did not attempt to conceal a violation nor was there evidence of any intent to do so; and the subject violations did not pose serious or substantial risk to BPS reliability. One violation was a repeat violation and so URE's prior compliance history was considered an aggravating factor.

Finding: WECC determined this issue posed only a minimal risk to the BPS for two reasons. First, the employees at issue had only physical access to the CCAs and each had current personnel risk assessments and training. Second, URE's plant uses a dual authentication procedure requiring operators to verify and allow access into the PSP. Third, while the access rights were not timely updated, the affected personnel did not try to access the CCAs after their access expired.

Penalty: $70,000 (aggregate for two penalties)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entities (UREs), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 3.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: Two UREs self-reported that some security personnel having authorized unescorted physical access to CCAs had not been subject to criminal checks encompassing a seven-year period. The individuals had received PRAs, but only for the time period in which they resided in the United States, which was not more than seven years. In another instance, the individual had not been 18 for seven years and so no full security check had been provided. The UREs contracted with another company for security services, and that company had certified that the security personnel had undergone seven-year background checks; however, further investigation led to the discovery that that was not accurate. For twenty-two months, URE was not aware that certain security personnel had not been subject to seven-year criminal background checks.

Finding: RFC deemed the violation posed a moderate risk to BPS reliability. UREs had attempted to employ security personnel who had been subject to a seven-year criminal check. The issue lied with the entity with which UREs had contracted services and did not represent a failure by UREs to have in force a compliant PRA program. RFC noted that UREs became aware of the issue through a URE corporate security employee questioning the criminal check process. Once UREs became aware of the problem, they revoked access until the seven-year criminal checks were performed at which time access was reinstated. In determining the appropriate penalty, RFC considered UREs' compliance programs as well as the fact that UREs self-reported the issue and the issue came to light by an employee of URE questioning whether URE was compliant with CIP-004-3 based on the circumstances. UREs were cooperative during the enforcement process.

Penalty: $0

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-reported to WECC that it had not revoked access to CCAs within seven days for four employees no longer requiring such access. Also, URE did not have up-to-date lists to show what rights to CCAs had been given to URE's employees.

Finding: The violation was deemed by WECC to pose minimal risk to BPS reliability because URE had lists to show which individuals had access to CCAs; however, the lists did not distinguish between physical and cyber access. The relevant individuals had all received cyber security training and had PRAs on file. In determining the appropriate penalty, WECC considered as a mitigating factor that the violation had been self-reported.

Penalty: $27,800 (aggregate for two violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: FRCC

Issue: URE submitted a self-report explaining that it had not revoked access to CCAs within seven days for four employees no longer needing such access. Each employee had an up-to-date personnel risk assessment on file with URE.

Finding: FRCC determined the violation posed a minimal risk to BPS reliability because all of the employees related to this violation were trusted, long-term and trained. None of the individuals had been fired, but had retired or transferred to other positions within URE. In determining the appropriate penalty, FRCC gave credit to URE's internal compliance program as well as credit for cooperating through the audit process.

Penalty: $75,000 (aggregate for 10 violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-004-3

Requirement: 4/4.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: TRE

Issue: URE submitted a self-report explaining that it had not taken away a contractor's electronic access to Critical Cyber Assets (CCAs) within seven calendar days after the contractor left his position.

Finding: The violation was deemed by TRE to pose minimal risk to BPS reliability because URE revoked the contractor's access 19 days after he resigned and less than two weeks from the seven-day deadline established by CIP-004-3 R4.2. Also, the contractor had no physical access to CCAs and could not electronically access any CCAs because URE was provided his network identification token, laptop and company identification upon his resignation.

Penalty: $0 (for 12 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 2.1, 3, 4.1, 4.2

Violation Risk Factor: Medium (2.1, 3), Lower (4.1, 4.2)

Violation Severity Level: Severe (2.1, 3), Lower (4.1, 4.2)

Region: SPP

Issue: URE self-certified that one of its security officers inadvertently provided CCA access privileges to a contractor through a key card. URE discovered the error through its bi-weekly audit and revoked the contractor’s access promptly. The contractor did not use his CCA privileges to access URE’s PSPs or CCAs (2.1). As the contractor was inadvertently granted CCA access rights, he did not have a PRA on file (3). In addition, URE self-reported that, as a result of an oversight and an incorrect employee ID number, it had not timely revoked, within seven days, the physical and electronic access rights of two employees who were transferred to different working groups (and no longer required CCA access) (4.2). As a result, URE also did not timely update its list of personnel having CCA access (4.1).

Finding: SPP found that the R2.1/3 violations constituted a moderate risk to BPS reliability as the contractor should not have been granted access to URE’s CCAs. But, the contractor never attempted to access the PSP, which contained the CCAs and was continuously monitored, and his access rights were revoked within three days. SPP found that the R4.1/4.2 violations constituted only a minimal risk to BPS reliability since the personnel at issue remained employed at URE. The employees did not attempt to access the PSP after their transfers, and they did not have remote access to the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP

Issue: URE self-reported that it had not removed the access rights, within the mandated seven days, of one of its EMS engineers who was transferred to a different working group that did not require CCA access. URE did not revoke the engineer’s access rights until two and a half months after he was transferred.

Finding: SPP found that the violation constituted only a minimal risk to BPS reliability since the relevant engineer was still an employee of URE and had completed the required cyber security training and had a PRA on file. In addition, after his transfer date, the employee did not attempt to access the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP

Issue: URE self-certified that a security officer mistakenly provided CCA access privileges to two contractors for several days.

Finding: SPP found that the CIP-004-3 R2.1 violation constituted a moderate risk to BPS reliability. But, the contractors only had the improper access for three and four days, respectively, and they never tried to gain access to the PSP which housed the CCAs. In addition, the relevant facility was continuously monitored by security personnel. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP

Issue: URE self-reported that for two of its contractors who mistakenly were granted CCA access privileges, it had not performed the required PRAs.

Finding: SPP found that the CIP-004-3 R3 violation constituted a moderate risk to BPS reliability. But, the contractors only had the improper access for three and four days, respectively, and they never tried to gain access to the PSP which housed the CCAs. In addition, while the lack of PRAs increased the risk that URE's CCAs would be exposed to high risk personnel, the relevant facility was continuously monitored by security personnel. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4.1/4.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP

Issue: URE self-reported that, for almost two years, it had not conducted the mandated quarterly reviews of its list of personnel with access rights to the CCAs (4.1). URE also self-reported that it had not revoked, within the required seven days, the access rights of one of its employees (a system engineer in the Energy Management System group) when he was transferred to a different working group that did not require CCA access (4.2).

Finding: SPP found that the CIP-004-3 R4.14.2 violations only constituted a minimal risk to BPS reliability. Even though there were some terminated employees who should have been removed from URE's access lists, URE had revoked those employees' physical, domain and remote access rights at the end of their employment. In regards to the transferred system engineer, he continued to work for URE and did not attempt to gain access to the CCAs after his access rights should have been rescinded. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-004-3

Requirement: 4.1/4.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP

Issue: URE self-reported that it did not timely revoke, within seven days, the physical and electronic access rights of one of its employees that was transferred to a different access group where he no longer required access to the CCAs (4.2). As a result, URE also did not update its list of personnel with CCA access within seven days of a change, as required (4.1). In addition, URE did not timely revoke the physical and electronic access rights of an employee after a revocation request was submitted, because of an incorrect employee ID that was included with the request (4.2).

Finding: SPP found that the CIP-004-3 R4.1/4.2 violations only constituted a minimal risk to BPS reliability. The relevant employees continued to work for URE and, thus, remained subject to the corporate policies on Cyber Asset protection. In addition, the employees did not access any of the PSPs after their authorization should have been revoked and they had no remote access to the CCAs. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-2; CIP-004-3

Requirement: R2.1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R2 when it granted two employees unescorted access to Critical Cyber Assets (CCAs) without those employees having completed cyber security training.

Finding: Whereas RFC and URE agreed and stipulated that the R2 violation posed a moderate risk to the reliability of the BPS, NERC determined that the violation posed only a minimal risk. The risk was mitigated by the personnel risk assessments undertaken by both employees prior to access being granted, which revealed no criminal history or other issues that would otherwise have precluded access to the CCAs. Furthermore, the employees were not provided with key cards that would have allowed for unescorted access to the company's Physical Security Perimeter (PSP), nor have the employees at issue ever entered the PSP without an escort. Finally, the employees did not access the CCAs during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R2.

RFC considered RFC_URE1's ICP a mitigating factor in making its penalty determination. The violation began when the company first allowed the employees with access to the CCAs and ended when the employees completed their cyber security training. URE neither admits nor denies the R2 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-2; CIP-004-3

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R3 when it granted one employee, the company's FERC compliance manager, unescorted physical access to Critical Cyber Assets prior to completing a personnel risk assessment for the employee.

Finding: RFC determined that the R3 violation posed a minimal risk to the reliability of the BPS. The risk was mitigated because the employee at issue had completed the CIP training before access was granted, and when the personnel risk assessment was completed, it revealed no criminal history or other issues that would have precluded access to the CCAs. Furthermore, the employee was not provided with a key card that would have allowed for unescorted access to the company's Physical Security Perimeter (PSP), nor did the employee ever enter the PSP without an escort during the violation. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R3.

RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company first allowed the employee unescorted physical access to CCAs and ended when the company completed the personnel risk assessment for the employee. URE neither admits nor denies the R2 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: URE self-reported a violation of R4 after discovering that it had improperly added an employee (Employee 1) to a list of personnel with authorized unescorted physical access rights to a Physical Security Perimeter (PSP), and when it failed to revoke the same rights of another employee (Employee 2) within seven calendar days of his resignation.

Finding: RFC determined that the R4 violation posed a minimal risk to the reliability of the BPS because Employee 1 had already fulfilled the underlying requirements for unauthorized physical access to the PSP prior to the violation. Furthermore, as Employee 2 had handed in his access badge on the date of his resignation and did not have electronic access to Cyber Assets, he was unable to physically access the PSP without an escort during the violation period. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R4.

RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported six of the violations covered by the settlement agreement. The violation began when the company should have removed Employees and 1 and 2 from its access list and ended when the company revoked the employees' unescorted physical access rights. URE neither admits nor denies the R6 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: RFC

Issue: URE self-reported a violation of R4 after discovering that an employee (Employee 1) had been inadvertently added to a list of personnel with unescorted physical access rights to the Physical Security Perimeters (PSPs) without having completed the required CIP training, due to the similarity of the employee's name to that of an employee who should have properly been added to the list. The company discovered that a second employee (Employee 2) had also been added to a similar list without having completed CIP training.

Finding: RFC determined that the R4 violation posed a minimal risk to the reliability of the BPS because the employees at issue had current personnel risk assessments prior to the violation and during the violation period, neither employee attempted to access the PSPs to which they had been improperly given access. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to undertake other mitigation measures to come into compliance with R4.

RFC considered URE's ICP a mitigating factor in making its penalty determination, and applied a mitigating credit because the company had self-reported six of the violations covered by the settlement agreement. The violation began when the company improperly added the employees to the access list, and ended when the company removed the employees from the access list. URE neither admits nor denies the R6 violation.

Penalty: $0 (for an aggregate of 12 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entities 1, 2 and 3, Docket No. NP13-24 (February 28, 2012)

Reliability Standard: CIP-004-3

Requirement: 3.2

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE2 self-reported that it had not timely updated the PRA for one of its employees.

Finding: WECC found that URE2's CIP-004-3 R3.2 violation constituted a minimal risk to BPS reliability since the relevant employee only had physical access rights to one CCA within a PSP used in URE2's management system. The CCA was protected by electronic access, logging and monitoring controls and was staffed by at least three operators. The UREs stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' compliance history and that the UREs had followed all applicable compliance directives. UREs' compliance program was also evaluated as a mitigating factor, as well as the fact that the UREs undertook voluntary corrective actions to remediate some of the violations. Some of the violations were also self-reported, and the UREs were cooperative during the enforcement process and did not conceal any of the violations. None of the violations constituted a serious or substantial risk to BPS reliability.

Penalty: $151,500 (aggregate for 9 violations)

FERC Order: Issued March 29, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-004-3

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining that it had incorrectly verified a seven-year criminal check for twelve employees. As a result, certain of these employees had been improperly granted access to CCAs in each of the regions. This error arose after URE received only partial background check data for the employees from its third-party vendor and after URE’s automated system erroneously deemed these reports complete.

Finding: The violation was deemed to pose a moderate risk to BPS reliability which was mitigated because most of the employees at issue were long-time personnel, some of which had recently undertaken paper-based background checks before URE implemented its automated background check system. In addition, the background checks had been partially completed at the time, and after completion, revealed no issues. Finally, all employees at issue completed CIP training prior to being granted access to the CCAs. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-28-000 (March 27, 2013)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: RFC, TRE, SPP RE

Issue: URE submitted to the three Regional Entities a self-report explaining that within seven days of an IT contractor’s resignation, URE had not removed the IT contractor’s electronic access to CCAs.

Finding: The violation was deemed to pose a minimal risk to BPS reliability which was mitigated by URE revoking the contractor’s access nineteen days following his resignation (less than two weeks from the seven-day deadline imposed by R4.2). In addition, the contractor had no physical access to the CCAs and could not electronically access the CCAs without the network ID token, laptop and company identification, all of which had been revoked upon his resignation. In determining the appropriate penalty and approving the settlement agreement, the Regional Entities considered certain aspects of URE’s internal compliance program as a mitigating factor. In addition, some of the violations were self-reported by URE. URE cooperated during the enforcement process and did not attempt to conceal any of the violations. The violations did not pose a serious or substantial threat to BPS reliability. Finally, URE’s violation history was considered an aggravating factor.

Total Penalty: $90,000 (aggregate for 36 violations)

FERC Order: Issued April 26, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-004-3

Requirement: 4/4.1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: NPCC

Issue: URE self-reported that it did not timely revoke an employee’s CCA access within seven days of his last day of employment, as required. The employee had retired and his CCA access was revoked within nine days.

Finding: NPCC found that the violation constituted only a minimal risk to BPS reliability since the relevant employee returned his access and ID card on his last day of work and therefore was unable to access URE’s PSP that contained the CCAs. In addition, URE was only two days late in revoking the employee’s CCA access. URE’s compliance program was evaluated as a mitigating factor. URE did not contest the violation.

Total Penalty: $50,000 (aggregate for 5 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-39-000 (May 30, 2013)

Reliability Standard: CIP-004-3

Requirement: 3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE1 filed a self-report disclosing that it had allowed one employee without a PRA on file unescorted physical access to CCAs (the control center) for one day.

Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk because the individual involved had been a contractor for URE1 for seven years and had participated in cyber security training. In addition, it was a one-day event involving one individual. In determining the appropriate penalty, WECC gave mitigating credit for URE1’s ICP. URE1 had previous violations of this same standard; however, the circumstances were not the same or similar to this violation so WECC determined that should not be a basis for aggravating the penalty.

Total Penalty: $62,500 (aggregate for seven violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-004-3

Requirement: 4 (4 violations)

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: RFC and SERC

Issue: URE2 self-reported that it had mistakenly granted CCA access to an employee that had not been approved for authorized cyber or unescorted physical access to the CCA. URE2 also did not timely revoke the unescorted physical access rights of an employee who resigned and a cleaning contract employee who relocated to a different URE facility and thus no longer needed the access rights. URE1 also self-reported that it did not timely revoke the access rights of an employee who changed job responsibilities and therefore no longer required cyber access rights. URE1 did not timely revoke the unescorted physical access rights of a student and intern after their assignments ended. In addition, URE1 and URE2 (collectively, URE) did not conduct the required quarterly review of the specific access rights of individuals and did not properly update the access lists across all of its business units within seven calendar days of a change.

Finding: SERC and RFC found that the CIP-004-3 R4 violations only constituted a minimal risk to BPS reliability since all the relevant individual had valid PRAs on file and had received cyber security training. In addition, none of the individuals attempted to access the CCAs after their access rights should have been revoked. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-004-3

Requirement: 2, 4

Violation Risk Factor: Lower (2, 4)

Violation Severity Level: Severe (2), Lower (4)

Region: SERC

Issue: URE self-reported that it had granted two contractors remote electronic access to a shared account (which accessed an application that resided on four CCAs) prior to providing the contractors with the required cyber security training (2). URE also self-reported that it did not timely revoke the physical access rights at one PSP for three contractors who no longer had a business need for such access (4).

Finding: SERC found that the CIP-004-3 R2 and R4 violations only constituted a minimal risk to BPS reliability. In regards to the R2 violation, the relevant contractors only had read-only access and both had personnel risk assessments on file. For the R4 violation, the relevant contractors (who only had their access rights revoked because they were no longer working on a project at the PSP) had completed the required cyber security training and had personnel risk assessments on file. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-reported that it did not timely terminate CCA access rights within seven days for three employees who had been retired and thus no longer needed access to URE’s CCAs.

Finding: WECC determined that the violation constituted only a minimal risk to BPS reliability. The retired employees at issue had completed PRAs and training and left URE in good-standing. Furthermore, URE timely revoked the individuals’ CCA physical access rights within seven days of their respective retirement dates and electronic access to URE’s CCAs is continuously monitored. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the compliance process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.

Penalty: $185,000 (aggregate for 11 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-reported that it did not timely terminate CCA access rights within seven days for three employees who had been retired and thus no longer needed access to URE’s CCAs.

Finding: WECC determined that the violation constituted only a minimal risk to BPS reliability. The retired employees at issue had completed PRAs and training and left URE in good-standing. Furthermore, URE timely revoked the individuals’ CCA physical access rights within seven days of their respective retirement dates and electronic access to URE’s CCAs is continuously monitored. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the compliance process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.

Total Penalty: $185,000 (aggregate for 11 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-42-000 (May 29, 2014)

Reliability Standard: CIP-004-3 Requirements: R4

Violation Risk Factor: Lower Violation Security Level: Lower

Region: SERC

Issue: URE self-reported that it had improperly granted two individuals access to a PSP who did not complete the required online request form or obtain approval from designated officials as required by URE’s internal access policy. As a result, URE also did not adequately maintain its list of personnel with authorized cyber or unescorted physical access rights to the CCAs.

Finding: SERC determined the violation constituted only a minimal risk to the BPS reliability since the two individuals at issue were the chief executive offer and a vice president, both of whom had completed PRAs and were qualified to receive CCA and PSP access. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC determined that two of the violations posed a serious or substantial risk to BPS reliability, which was considered an aggravating factor. However, URE self-reported the majority of the violations and had an internal compliance program throughout the duration of the violations. Furthermore, SERC also considered that URE agreed to implement “above and beyond” compliance measures, including certain physical security measures and a training and awareness program that exceed the NERC requirements. URE also cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $250,000 (aggregate for 27 violations)

FERC Order: Issued June 27, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-004-3

Requirement: R4/R4.2 (2 violations – one for URE4 and one for URE3)

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: RFC

Issue: URE4 self-certified that it failed to revoke physical access rights to one of its PSPs in a timely manner for six non-URE Parent Company workers. Subsequently, URE3 self-reported that it had failed to revoke physical access rights in a timely manner for one of its administrative assistance who no longer required such access.

Finding: RFC determined the violations constituted only a minimal risk to the BPS reliability as none of the seven employees at issue was terminated for cause or had accessed the URE Parent Company’s CCAs. In addition, the employees at issue had all received CIP training and had PRAs on file. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded significant mitigating credit for substantial and voluntary improvements to their compliance programs, as demonstrated in subsequent CIP compliance audits. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-004-3

Requirement: R4.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP RE

Issue: URE self-reported that it did not revoke an employee’s access to its CCAs within seven days as required after the employee no longer required access.

Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability since the employee had completed CCA related training and remained employed by URE throughout the violation. In addition, the employee’s access to the PSP would have been recorded by his badge, which was required to access the PSP. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-004-3

Requirement: R4/R4.1/R4.2 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: High

Region: MRO, SPP RE and WECC

Issue: The URE Companies self-reported to MRO, SPP RE and WECC that they did not review their list of personnel with access to their CCA on a quarterly basis nor did they update the lists to reflect personnel changes or revoke access for personnel who no longer needed access within seven calendar days as required. UREs had five employees (less than 1%) without authorized unescorted access to CCA who were not removed from the list between 11-50 days. However, none accessed any facility with CCA following their change in status. URE3 did not remove access privileges to substations for four individuals hired from a third party for ten days and up to seven months after a change in their status. But none were terminated for cause. In addition, URE1 and URE3 had substations containing CCAs with unreliable connectivity between the physical access control system and the card readers which resulted in six individuals (two for URE1 and four for URE3) having continued access to the substations for twelve days and up to six months because their names were taken of the physical and not the master access list. The UREs also noted that they did not change an employee's access privileges when notified by email that the employee had transferred.

Finding: MRO determined that the violation posed only a minimal risk to the BPS reliability as the violation did not last long and the individuals at issue had valid PRAs and had completed cybersecurity training. In addition, the violations were limited to employees who transferred and the required information was included in the notifications for personnel with other status changes. Furthermore, the compromised transmission between the card readers and the access control systems occurred only on substations with low bandwidth. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-004-3

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: URE self-reported that upon an annual review of its cybersecurity training program, it determined two new employees and six new contractors were trained under URE's current cybersecurity training program which failed to include the proper use of, electronic access controls to, and recovery plans for CCAs. In addition, URE's process for converting training materials into the proper format for training was deficient.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to the BPS reliability as the employees and contractors at issue had valid PRAs and were later trained on all aspects of the required standards. In addition URE's quarterly cybersecurity training tips for preventing and defending against cybersecurity incidents covered the areas that were deficient in its cybersecurity training program. Through the implementation of its internal control program, URE was able to catch the deficiencies and limit the duration of the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SERC

Issue: URE1 self-reported that due to staff's failure to follow revocation procedures, it did not update its list of personnel with access to CCA or revoke physical access to CCA for two employees (one who retired, the other who resigned) for eight days instead of seven as required by its access revocation procedures.

Finding: SERC determined that the violation posed only a minimal risk to the BPS reliability as the employees were in good standing before and after their employment terminated and could only have gained access by asking their former supervisor for a key to the facility and using their employee badge to gain access to the PSP. Furthermore, the employees did not use their access badge after their employment terminated. UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not received mitigating credit since it was reported after it received a compliance audit notice. While three of the violations posed a serious or substantial risk to the BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating factors for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity 1, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-004-3

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: ReliabilityFirst

Issue: URE1 self-reported that access to four Physical Access Control Systems (PACS) was not authorized and recorded through URE1’s access database for certain employees and contractors, as a result of human error. ReliabilityFirst found that URE1 failed to maintain list(s) of employees with cyber or physical access to the CCAs.

Finding: Reliability first found that the violation posed only a minimal, but not a serious or substantial risk, to BPS reliability. The severity of the violation was decreased because the individuals had completed CIP training and were subject to personnel risk assessments (PRAs). Additionally, even though access was not granted through the right access database, it was granted through an approval process with the right asset owner. Finally, URE1 had an otherwise strong access control program and a post-violation compliance audit found no other CIP-004 violations. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, the NERC considered the UREs’ prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, the NERC found that among the UREs subject to the settlement agreement, individual URES had: (1) implemented pre-violation internal compliance programs, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary since the violations posed minimal risks, the UREs demonstrated improvements in compliance, and the UREs that had prior violations were fully sanctioned for those violations in an FERC-approved settlement. URE1’s mitigation plan obligated URE1 to (1) remove access for the individuals, (2) define access through the proper database and (3) train relevant employees on the new access database configuration.

Penalty: $0 (aggregate for 22 violations)

FERC Order: The NERC did not further review the settlement and the settlement entered into effect on May 29th, 2015.

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP15-28-000 (April 30, 2015)

Reliability Standard: CIP-004-3a

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: WECC_URE1 self-reported that it failed to update access lists for Cyber Critical Assets within seven days of personnel changes and that it hadn’t cancelled access for two employees within seven days of their retirement.

Finding: WECC found that this issue posed a moderate, but not a serious or substantial, risk to BPS reliability. The unauthorized individuals could have maliciously disrupted operations. However, all the individuals with unauthorized access had completed training and personnel risk assessments, and some departing employees had returned their access cards to WECC_URE1. WECC viewed WECC_URE1’s internal compliance program as a mitigating factor in the determination of the penalty. To further mitigate this violation, WECC_URE1 updated its CCA access list and began using a program to automatically trigger review of the access list and requirements for access revocation.

Penalty: $30,000 (aggregate for 2 violations)

FERC Order: FERC approved the settlement on May 29, 2015.

Top