NERC Case Notes: Reliability Standard CIP-008-1

NERC Registered Entity, FERC Docket No. NP10-159-000 (July 30, 2010)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported that its Cyber Security Incident Response Plan did not include all of the processes required for satisfying the sub-requirements of R1.

Finding: Duration of the violation was from July 1, 2008 through September 19, 2008. This was the Registered Entity's first violation of the Reliability Standard.

Penalty: $109,000 (aggregate for multiple violations)

FERC Order: Issued August 27, 2010 (no further review)

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-008-1

Requirement: R1 (R1.2, R1.6)

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP

Issue: During a Spot Check, SPP found that an Unidentified Registered Entity's (URE-SPP1) Cyber Security Incident Response Plan was in violation of CIP-008-1 R1.2 and R1.6. Specifically, the plan did not include procedures for handling cyber security incidents, and the incident response testing procedures failed to include triggering events to invoke other aspects of the Incident Response Plan, resulting in inadequate testing of the plan.

Finding: SPP determined that the violation posed a minimal risk to the reliability of the bulk power system because URE-SPP1 had an Incident Response Plan in place, and the incident response team is very experienced in appropriately identifying and handling incidents. Moreover, the actual impact was minimal because there had not been any reported cyber security incidents.

Penalty: $500

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SERC

Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to develop and maintain a Cyber Incident response plan.

Finding: The violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak. Moreover, its Cyber Control Center cyber assets only had one external link, which was with its Reliability Coordinator.

Penalty: $16,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-63-000 (December 22, 2010)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Not discussed

Region: WECC

Issue: Unidentified Registered Entity (URE) did not have: (1) a process for updating its Cyber Security Incident response plan within 90 calendar days of any changes; (2) a process for ensuring that its Cyber Security Incident response plan is reviewed at least annually; and (3) a process for ensuring its Cyber Security Incident response plan is tested at least annually.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a penalty in the amount of $80,000 for this and other Reliability Standards violations. In reaching this determination, the NERC BOTCC considered the following facts: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; and the violation did not create a serious or substantial risk to the bulk power system.

Penalty: $80,000 (aggregate for multiple violations)

FERC Order: Issued January 21, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-124-000 (February 23, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: RFC found that the Unidentified Registered Entity's (URE) cyber security incident response plan failed to address the URE's process for updating the cyber security incident response plan (Plan) within 90 calendar days of any changes, ensuring that the Plan is reviewed at least annually, and ensuring that the Plan is tested at least annually.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $100,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted the URE's first violation of the subject NERC Reliability Standard; the URE self-reported 11 of the 16 violations; the URE cooperated during the compliance enforcement process; the URE’s compliance program; the URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $100,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-128-000 (February 23, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported a violation of CIP-008-1 R1. WECC Enforcement found that URE’s cyber security incident reporting and response plan did not include all of the information required by R1. Moreover, because the plan was incomplete, URE could not properly update and annually review the plan as required.

Finding: The violation did not pose a serious or substantial threat to the reliability of the bulk power system because URE had applicable incident management procedures in place; they just did not fully comply with all the requirements of CIP-008-1. In determining the penalty amount, the NERC Board of Trustees Compliance Committee considered the following factors: this was URE’s first occurrence of this type of violation; URE was cooperative; and the number and nature of the violations.

Penalty: $450,000 (aggregated for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-136-000 (March 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: The Unidentified Registered Entity (URE) did not include a process for ensuring annual testing in its Cyber Security incident response plan.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a penalty in the amount of $14,500 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s second violation of the subject NERC Reliability Standard; URE self-reported one of the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $14,500 (aggregate for 3 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-137-000 (March 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Prior to the effective date of the Standard for Table 1 entities with respect to system control center assets, URE self-reported that it would be in violation of the Standard on its effective date because it did not have sufficient procedures to correctly classify and characterize, respond to and report cyber security incidents. URE had hired an independent contractor to review its compliance and assist with mitigation. Duration of violation was July 1, 2008, when the Standard became enforceable for Table 1 entities, through November 25, 2008, when the violations were mitigated.

Finding: WECC Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because the URE's documentation gap was short-term and was due to an administrative error. Further, the NERC BOTCC concluded the penalty appropriate because this was URE’s first violation of most of the Standards involved, URE self-reported 28 of 30 violations, and URE was cooperative during the investigation.

Penalty: $106,000 (aggregate for 30 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-146-000 (March 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1 (three violations)

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: During a spot check, RFC found that Unidentified Registered Entity 1 (URE1), Unidentified Registered Entity 2 (URE2) and Unidentified Registered Entity 3 (URE3, collectively UREs) had not properly developed and maintained their Cyber Security Incident Response Plans to incorporate procedures to characterize and classify events that are reportable Cyber Security Incidents or a process to update the response plans within 90 days of relevant changes.

Finding: RFC entered into a settlement agreement with the UREs to resolve multiple violations, whereby the UREs agreed to pay a penalty of $52,500 and to undertake other mitigation measures. RFC found that the CIP-008-1 R1 violations did not constitute a serious or substantial risk to bulk power system reliability since the UREs did actually have Cyber Security Incident Response Plans in place that specified the actions the UREs would take in response to a relevant incident (even though the plans did not contain all of the required elements). The duration of the CIP-008-1 R1 violations was from July 1, 2008 through October 28, 2009. In determining the penalty amount, NERC considered the fact that these were the UREs’ first violations of the relevant Reliability Standards; some violations were self-reported, while others were revealed during a RFC spot check; the UREs were cooperative during the enforcement process and did not attempt to conceal the violations; the UREs had a compliance program in place (which was evaluated as a mitigating factor); the mitigation plan for CIP-004-1 R3 violation was completed late; and there were no additional mitigating or aggravating factors.

Penalty: $52,500 (aggregate for 14 violations and for 3 entities)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-161-000 (March 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1/1.3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (“URE”) self-reported a violation of R1/1.3 after purchasing a facility. WECC determined that the URE violated R1.3 because it failed to appropriately initiate its Cyber Security Incident response plan during a reportable event.

Finding: WECC Enforcement determined the violation did not pose a serious or substantial risk to the Bulk Power System because the URE had an adequate Cyber Security Incident Response Plan and did respond to the reportable event, even though the response was not pursuant to its Plan. The NERC BOTCC considered the following factors: URE self-reported the violations; URE was cooperative; URE had a compliance procedure in place, which WECC considered a mitigating factor; there was not evidence of any attempt or intent to conceal the violations; and there were no other mitigating or aggravating factors.

Penalty: $35,000 (aggregated for 8 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)

Reliability Standard: CIP-008-1

Requirement: R1/1.6

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: Unidentified Registered Entity (URE) did not perform an annual test of its Cyber Security Incident response plan as required.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $50,000 (aggregate for multiple violations)

FERC Order: May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-167-000 (April 29, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) failed to maintain a Cyber Security Incident response plan which included procedures to characterize and classify events as reportable Cyber Security Incidents, response actions, reporting incidents, response plan annual review and a process for testing the plan.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $89,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts: the violation constituted URE’s first violation of the subject Reliability Standard; URE self-reported the violation; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; URE implemented compliance procedures that led to the discovery of the violations and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $89,000 (aggregate for multiple violations)

FERC Order: May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-182-000 (May 26, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) failed to maintain a Cyber Security Incident (CSI) response plan that completely addressed the creation of a process for updating the CSI plan within 90 calendar days of changes or ensuring the CSI plan is reviewed and tested at least annually.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty of $59,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE’s first violations of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $59,000 (aggregate for 6 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: Two versions of Unidentified Registered Entity’s (URE) Cyber Security Policy contained minimal reporting procedures for cyber security incidents, and neither version contained procedures to characterize and classify events as reportable Cyber Security Incidents in accordance with CIP-008-1 R1/1.1. Both versions failed to address: (i) response actions, including roles and responsibilities of incident response teams, incident handling procedures and internal communication plans in accordance with R1.2; (ii) a process for updating the Cyber Security Incident response plan within 90 calendar days of any changes in accordance with R1.4; (iii) a process for ensuring that the Cyber Security Incident response plan is reviewed (R1.5) or tested (R1.6) at least annually in accordance with the Reliability Standard.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those actions that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP

Issue: SPP found that the Registered Entity’s Incident Response Plan had not been properly tested prior to July 1, 2008, as the documentation did not incorporate a triggering incident for the response plan, a characterization of which incidents were reportable, details on the incident response team, detailed incident response steps to follow, procedures for the collection of forensic evidence, and protocols for communications with other departments, companies and agencies.

Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity had actually conducted cyber security exercises before July 1, 2008 and tested its Incident Response Plan on August 29, 2008. In addition, no relevant situations involving the Incident Response Plan occurred during the course of the violation. The duration of the violation was from July 1, 2008 through August 29, 2008.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test of its Cyber Security Incident Response Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also updated its Cyber Security Incident Response Plan in December 2010 as a result of an incident response drill. The duration of the violation was from December 31, 2009 through November 8, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test of its Cyber Security Incident Response Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also updated its Cyber Security Incident Response Plan in December 2010 as a result of an incident response drill. The duration of the violation was from December 31, 2009 through November 8, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test of its Cyber Security Incident Response Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also updated its Cyber Security Incident Response Plan in December 2010 as a result of an incident response drill. The duration of the violation was from December 31, 2009 through November 8, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP found that the Unidentified Registered Entity (URE) had not properly defined the roles and responsibilities of its incident response team members. In addition, the URE did not possess sufficient documentation showing that it properly reviewed its incident response plan in 2008 or that it was annually testing its incident response plan.

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-008-1 violation did not constitute a serious or substantial risk to bulk power system reliability. The URE revised its Risk Based Assessment Methodology to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of the new finding, the violation of CIP-008-1 became moot. The duration of the violation was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.

Penalty: $8,000 (aggregate for 9 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-008-1

Requirement: R1 (R1.1/R1.4)

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP/RFC

Issue: During a joint spot check, SPP and RFC determined that SPP_URE1/RFC_URE1's Cyber Security Incident Response Plan did not have documented procedures regarding the classification of events as reportable Cyber Security Incidents (as the plan only required SPP_URE1/RFC_URE1's incident manager to consult with senior management to decide if an incident was reportable). In addition, the Incident Response Plan contained a discrepancy on how often the Incident Response Plan would be updated to reflect changes to procedures.

Finding: SPP and RFC found that the violation constituted only a minimal risk to bulk power system reliability. SPP_URE1/RFC_URE1 would evaluate potential reportable events and, if an event was found to be reportable, SPP_URE1/RFC_URE1 had documented reporting procedures in place that it would follow. In addition, the discrepancy in the Incident Response Plan was the result of a typographical error. The duration of the violation was from July 1, 2008 through April 28, 2010.

Penalty: $10,000 (aggregate for 7 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: During a spot check, RFC found that RFC_URE4 was unable to verify that it had been annually testing its cyber security incident response plan as required.

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. Despite the lack of corroborating documentation, RFC_URE4 attested that it was actually testing its cyber security incident response plan. Furthermore, RFC_URE4 had a compliance program in place (which RFC evaluated as a mitigating factor).

Penalty: $16,500 (aggregate for 3 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)

Reliability Standard: CIP-008-1

Requirement: R1/1.8

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: During an on-site audit, it was found that URE was not in compliance with CIP-008-1 R1.8 because its Cyber Security Incident response plan did not include personnel roles and responsibilities or a communication plan. Further, URE was in violation of CIP-008-2 R1 for not updating its Cyber Security Incident response plan within 30 days.

Finding: WECC determined that this violation posed a minimal risk to BPS reliability because URE’s Cyber Security Incident response plan did have personnel identified to be contacted if a Cyber Security Incident did occur.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-008-1

Requirement: R1/1.5/1.6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP RE

Issue: While conducting a spot check, SPP RE found that URE was not in compliance with the requirements of CIP-008-1 R1.5 and R1.6. With respect to R1.5, even though an informal procedure was in place for reviewing URE’s Cyber Security Incident response plan 15 months prior to SPP RE’s spot check, no formal process was included in URE’s Cyber Security Incident response plan until 3 months after that review, which was 1 year after the compliance enforcement date. With respect to R1.6, URE did not test its Cyber Security Incident response plan until approximately 9 months after the enforceable date.

Finding: SPP RE found the violation constituted a minimal risk to BPS reliability because URE had an informal review process for its response plan and URE had reviewed the plan. URE’s response plan now in effect includes the annual review process. Plus, the individuals responsible for responding to incidents all had been trained on CIP Standards and have significant experience in CCA support so any cyber security events would have been responded to in an appropriate manner. In addition, no cyber security events have been reported since the plan was put in place. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.

Penalty: $8,800 (aggregate for 4 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE did not include a defined process in its Cyber Security Incident Response Plan (CSIRP) to ensure that incidents were properly reported to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), as required by R1.3. URE’s CSIRP in place prior to the Standards effective date, but used after the mandatory compliance date, did not have the following: adequate procedures to recognize reportable incidents per R1.1; incident handling procedures per R1.2; a documented process for reporting to the ES-ISAC per R1.3; or requirements to update within 90 days of any changes to the response plan per R1.4. In addition, URE had not tested its CSIRP as required by CIP-008-1 R1.6 by the Reliability Standards compliance date. URE self-reported the violation of R1.6.

Finding: The violations constituted a minimal risk to BPS reliability because URE’s CSIRP did provide that CCA incidents at specified security levels (described in the CSIRP) were reportable to the ES-ISAC, but the CSIRP had no contact information or details stating how to actually report incidents. URE ultimately developed a compliant plan; however, the prior plan in use lacked sufficient procedures to recognize and respond to reportable incidents. The plan did provide examples of cyber security incidents and instructions to notify an operations supervisor who would be responsible for actions in response to the incident. URE’s operations supervisor is an electrical engineer with 20 years’ experience, including 12 in a supervisory position. This individual was also responsible for the implementation of URE’s existing SCADA/EMS system. Further, URE provided guidelines to be used in the event of a cyber attack, although specific procedures were not stated. Regarding the violation of R1.6, URE had tried to put in place a response plan test, but no formal incident response plan was followed. URE made a second attempt to test its procedure, and documentation shows that a review of the process was undertaken and various scenarios were tested, but they were not documented to show that the plan had been tested using an incident involving CCAs. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor. The self-report of R1.6 was given no credit since it was discovered during the Spot Check and was a small part of the overall violation.

Penalty: $12,000 (aggregate for 10 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-008-1

Requirement: 1 (three violations, one for each URE)

Violation Risk Factor: Lower (1)

Violation Severity Level: High (1)

Region: RFC

Issue: During the compliance audit, RFC determined that URE1's Cyber Security Incident response plan did not properly classify events as reportable Cyber Security Incidents, did not sufficiently specify the responsibilities of the incident response team, incident handling procedures and communication plans and did not have procedures in place for reporting incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). In addition, RFC found that URE2 and URE3 had not been testing, as required, their Cyber Security Incident response plan on a yearly basis.

Finding: RFC found that the CIP-008-1 R1 violations constituted a moderate risk to BPS reliability since the violations may have caused a delay in the UREs’ ability to respond to, resolve and recover from a Cyber Security Incident. But no Cyber Security Incidents occurred during the course of the violations, and the UREs had protective measures in place to safeguard their CCAs from Cyber Security Incidents. In addition, URE2 and URE3 did perform annual reviews of their Cyber Security Incident response plans. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-008-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP RE

Issue: While conducting a CIP Spot Check, SPP RE determined that URE1 had not annually tested its cyber security incident response plan. URE1 was unable to show that its test scenarios correctly identified reportable incidents, or that it was conducting communication and response simulations on a yearly basis. URE1 did not conduct its first incident scenario test until 17 months after the Standard became mandatory and enforceable.

Finding: SPP RE found that the violation posed a minimal risk to BPS reliability, and not a serious or substantial risk, because URE1 was able to provide documentation showing that training on the plan had taken place and that the plan had been tested. URE1 neither admitted nor denied the violation. In determining the appropriate penalty, SPP RE considered URE1's written internal compliance program to be a neutral factor.

Total Penalty: $15,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-008-1

Requirement: 1/1.4/1.5/1.6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that its incident response plan did not meet all the requirements of the Standard, in that the plan was updated annually rather than every quarter.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability, since the plan was tested annually and its users were a small group of individuals who were familiar with the incident response procedures. URE's compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-008-1

Requirement: 1/1.4/1.5/1.6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that its incident response plan did not meet all the requirements of the Standard, in that the plan was updated annually rather than every quarter.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability, since the plan was tested annually and its users were a small group of individuals who were familiar with the incident response procedures. URE's compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-008-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: TRE

Issue: During a compliance audit, TRE determined that the cyber security incident response plans of URE and its parent company were insufficient under CIP-008. The plans had not been subject to the required periodic reviews and management-level approvals, and there was no evidence that URE's incident response plan had been tested annually. In addition, the plans were not updated in a timely manner in response to process changes or to lessons learned from the annual test or from an actual incident.

Finding: TRE found that the CIP-008-1 R1 violation constituted a moderate risk to BPS reliability, since URE's failure to maintain a complete cyber security incident response plan could have allowed the plan to become dated and risked URE's personnel responding to and managing a cyber security incident ineffectively. However, the plan satisfied the substantive requirements of the Reliability Standard. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered that these were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was evaluated only as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-008-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: During a compliance audit, Texas RE found that the cybersecurity incident response plan used by URE and its parent company was deficient, and that no evidence could be produced that the plan had been reviewed and approved periodically or within the time frames set forth in CIP-008.

Finding: The violation was deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Texas RE found that URE did have a cybersecurity incident response plan in place that complied with the substantive parts of the Standard, but that URE was not reviewing and maintaining the plan as required. The failure to update the plan could have left URE staff without up-to-date response information. In determining the appropriate penalty, Texas RE considered URE's internal compliance program a neutral factor. The violations were URE's first, and URE cooperated during the enforcement process. Texas RE determined that URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-008-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that its Cyber Security Incident response plan did not adequately document the specific roles and responsibilities of its response team, including which participants would respond to particular types of Cyber Security Incidents and what actions they would take. URE also did not annually test its Cyber Security Incident response plan as required.

Finding: WECC found that the violation constituted only a minimal risk to BPS reliability. URE did have a Cyber Security Incident response plan in place. URE's CCAs were also continuously protected through electronic monitoring and logging, antivirus and malware prevention tools, weekly backups, and restrictive networks, and URE properly documented the ports and services enabled on the devices. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE's prior violations of the Reliability Standards were not considered an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-008-1

Requirement: R1 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: During a compliance audit, RFC determined that URE2 did not adequately ensure that its Cyber Security incident response plan was reviewed on at least an annual basis. URE1 and URE3 self-reported the same violation.

Finding: RFC determined that the violations posed a minimal risk to BPS reliability, as the URE Companies had established a stand-alone process for an annual review of their Cyber Security incident response plans. The violations involved documentation deficiencies, and no Cyber Security incidents occurred during the course of the violations. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several "above and beyond" mitigating activities, which were considered mitigating factors. However, the URE Companies' compliance history and their slow progress on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations, and they did have a compliance program in place. RFC also committed to randomly select one of the URE Companies for a future spot check.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-008-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit ReliabilityFirst determined that URE did not include procedures for identifying and classifying events as reportable Cyber Security Incidents as part of its Cyber Security Incident handling procedures.

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to BPS reliability, as URE's lack of procedures for identifying and classifying Cyber Security Incidents increased the likelihood of a delay in responding to a cyber-attack. The duration of the violation further increased the risk. However, URE had procedures that complied with all other requirements of CIP-008-1, and no cyber security incident occurred during the violation. In addition, URE's systems were protected by its defense-in-depth strategies, including the ability to monitor, identify and respond to disruptive network events through its network operations center; a rigorous change management program; implementation of current patches; antivirus and malware prevention software; account and access management processes; and user and system logging and monitoring. Furthermore, URE located its Cyber Assets in a facility whose access was controlled and protected both physically and electronically, using guards, account management and access control. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial risk to BPS reliability, collectively they represented a significant risk: eighteen of the violations posed only a minimal or moderate risk and one posed a serious or substantial risk. URE had a history of prior violations; however, because this was its first comprehensive CIP audit, the Regions did not treat that history as an aggravating factor.
URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above-and-beyond compliance measures, including an improvement program focused on its compliance with the CIP Standards and its cybersecurity efforts. However, the Regions weighed the duration of several of URE's violations against it. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)