Reliability Standard: CIP-004-3a
Requirement: R3 (2 violations – one for URE1 and one for URE3)
Violation Risk Factor: Medium
Violation Severity Level: High
Issue: URE1 did not timely update the PRAs for six employees, and URE3 did not timely update the PRAs for five employees
Finding: RFC determined the violations only constituted a minimal risk to the BPS reliability. As soon as an expired PRA was identified, the URE Companies immediately withdrew access privileges and updated the relevant PRAs. The URE Companies also verified that none of the individuals with expired PPAs engaged in any inappropriate activities. The URE Companies (URE1, URE2 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)