Unidentified Registered Entity 1 (URE1), Docket No. NP13-41-000 (June 27, 2013)
Reliability Standard: CIP-006-2a
Requirement: 2, 2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe Region(s): WECC
Issue: WECC_URE1 self-reported a violation of CIP-006-a R2.2 upon discovering that a workstation considered a Cyber Asset and used in the access control and monitoring of one PSP, did not have all protections mandated by CIP-006 R2.2. In particular, WECC_URE1 neglected to confirm access authorizations for certain employees were consistent with their work requirements. Furthermore, WECC_URE1 neglected to confirm that user accounts were assigned and approved by the appropriate personnel. And, as required by CIP-007 R5.1.2, WECC_URE1 neglected to ensure that a record audit trail of user activity was available.
Finding: This violation was deemed to pose a minimal, but not a serious or substantial, risk to BPS reliability. In order to perform their jobs, the relevant individuals needed some level of access. The individuals had participated in NERC CIP training and had up-to-date PRAs on file. Additionally, each PSP has many controls in place for system access. Finally, the subject PSP is alarmed to alert WECC_URE1 in the event of unauthorized or invalid access. In determining the appropriate penalty, WECC_URE1’s internal compliance program was viewed as a mitigating factor.
Total Penalty: $60,000 (aggregate for 6 violations)
FERC Order: Issued August 26, 2013 (no further review)
Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)
Reliability Standard: CIP-006-2a
Requirement: R6
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: SPP RE
Issue: URE self-reported that to allow access to its PSP in the event of an emergency, it improperly stored an emergency access badge in a less secure environment where access was not logged in a manner that would uniquely identify individuals and access times to its PSP.
Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability as the facility where the badge was kept required corporate badge access and entry would be logged in URE’s physical log files creating an audit trail. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.
Penalty: $45,000 (aggregate for 20 violations)
FERC Order: Issued November 28, 2014 (no further review)
