NERC Case Notes: Reliability Standard CIP-009-1


NERC Registered Entity, FERC Docket No. NP10-159-000 (July 30, 2010)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported that while it had a recovery plan for its new Energy Management System (EMS), the recovery plan did not specify the required actions in response to events or conditions of varying duration and severity in the required detail.

Finding: Duration of the violation was from August 26, 2008 through April 10, 2009. This was the Registered Entity's first violation of the Reliability Standard.

Penalty: $109,000 (aggregate for multiple violations)

FERC Order: Issued August 27, 2010 (no further review)

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: An Unidentified Registered Entity (URE-SPP1) self-reported that even though it had tested the backup devices on its servers, it had not tested (nor did it have documentation of such tests) the other backup media devices (e.g., media switches) on its other Critical Cyber Assets.

Finding: SPP found that the violation only caused a minimal risk to bulk power system reliability as URE-SPP1 was actually testing its Emergency Management System server backup devices (even though it was not testing the backup media devices for some of its Critical Cyber Assets).

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-009-1

Requirement: R1 (R1.2, R1.6)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a Spot Check, SPP RE determined that SPP_URE1 was non-compliant with CIP-009-1 R2 because it failed to test its recovery plans by the required date of compliance (July 1, 2008).

Finding: SPP RE has determined that SPP_URE1’s violation of CIP-009-1 R2 posed a minimal risk to the reliability of the bulk power system (BPS). SPP_URE1 did have a recovery plan in place, even though it was not tested until seven months beyond the required date of compliance. Further, the entity support staff is very experienced in the support of the Critical Cyber Assets and can be reasonably expected to perform the appropriate recovery steps for a wide variety of incidents.

Penalty: $700

FERC Order: Issued March 3, 2011 (no further review)

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a Spot Check, SPP found that an Unidentified Registered Entity (URE-SPP1) was non-compliant with CIP-009-1 R2 because it failed to test its recovery plans until seven months after the required date of compliance.

Finding: SPP determined that the violation posed a minimal risk to the reliability of the bulk power system because URE-SPP1 had an Incident Response Plan in place, and the incident response team is very experienced in appropriately identifying and handling incidents.

Penalty: $700

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-2-000 (October 7, 2010)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to include in its recovery plan an application that provides scheduling data to the URE’s Energy Management System, a Critical Cyber Asset.

Finding: The violation posed a moderate risk to the reliability of the bulk power system because although the URE had a disaster recovery plan for the application and could ultimately recover the assets, the plan did not provide for an automated exchange of data and it was determined that such failure could lead to an inadequate recovery.

Penalty: $9,000 (aggregate for multiple violations)

FERC Order: Issued November 5, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1); Lower (R2)

Violation Severity Level: N/A

Region: SERC

Issue: An Unidentified Registered Entity (URE) self-reported violations for failing to create and annually review and exercise a Critical Cyber Asset recovery plan.

Finding: The violations did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak. Moreover, its Cyber Control Center cyber assets only had one external link, which was with its Reliability Coordinator.

Penalty: $16,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-128-000 (February 23, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1), Lower (R2)

Violation Severity Level: Not provided

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported a violation of CIP-009-1 R1 and R2 after determining that it did not have recovery plans for its Critical Cyber Assets per R1 and therefore could not review and test the plans annually per R2.

Finding: WECC Enforcement determined the violation posed a moderate risk to the bulk power system because URE did not have formal recovery plans for its Critical Cyber Assets. In determining the penalty amount, the NERC Board of Trustees Compliance Committee considered the following factors: this was URE’s first occurrence of this type of violation; URE was cooperative; and the number and nature of the violations.

Penalty: $450,000 (aggregated for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-137-000 (March 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1); Lower (R2)

Violation Severity Level: N/A

Region: WECC

Issue: Prior to the effective date of the Standard for Table 1 entities, URE self-reported that it would be in violation of the Standard on its effective date because it did not have sufficient recovery plans that specified required actions in response to events or conditions of varying duration and severity, and also failed to define the roles of responders for recovery of Critical Cyber Assets, in violation of R1. Because of the violation of R1, URE could not exercise its plans as required by R2. URE had hired an independent contractor to review its compliance and assist with mitigation. Duration of violation was July 1, 2008, when the Standard became enforceable for Table 1 entities, through November 24, 2008, when the violations were mitigated.

Finding: WECC Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because the issue was documentary in nature. Further, the NERC BOTCC concluded the penalty appropriate because this was URE’s first violation of most of the Standards involved, URE self-reported 28 of 30 violations, and URE was cooperative during the investigation.

Penalty: $106,000 (aggregate for 30 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-167-000 (April 29, 2011)

Reliability Standard: CIP-009-1

Requirement: R2, R5

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) did not exercise its recovery plan(s) for CCAs as required by CIP-009-1 R2 and had not tested information essential to recovery that is stored on backup media as of July 1, 2009, when URE was required to be compliant with CIP-009-1 R5.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $89,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts: the violations constituted URE’s first violations of the subject Reliability Standard; URE self-reported the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; URE implemented compliance procedures that led to the discovery of the violations and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $89,000 (aggregate for multiple violations)

FERC Order: May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-182-000 (May 26, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium, Lower

Violation Severity Level: N/A

Region: WECC

Issue: Unidentified Registered Entity (URE) failed to maintain a recovery plan specifically addressing Critical Cyber Assets or the roles and responsibilities of responders as required by CIP-009-1 R1. URE also failed to test its recovery plan at least annually as required by R2.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $59,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE’s first violations of the subject Reliability Standards; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $59,000 (aggregate for 6 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R3, R4

Violation Risk Factor: Medium (R1), Lower (R3, R4)

Violation Severity Level: N/A

Region: RFC

Issue: Unidentified Registered Entity (URE) violated CIP-009-1 R1 by failing to specify the actions that would be required to respond to events or conditions of varying duration and severity that would activate its Critical Cyber Asset recovery plan. The Cyber Security plan indicated generally that URE would switch to its fully redundant backup control center in the event that a cyber security incident resulted in the loss of Critical Cyber Assets at the primary control center but the policy failed to specify the required actions URE must take in order to recover the lost Critical Cyber Assets. URE further failed to update its recovery plan to reflect changes or lessons learned from exercises or actual incidents by failing to note that the exercises performed on URE’s previous recovery plan demonstrated no necessary changes or lessons learned as required by R3. Lastly, URE failed to include processes and procedures for the backup and storage of information required to successfully restore Critical Cyber Assets in the recovery plan provisions of its Cyber Security policy as required by R4.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-213-000 (June 29, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1), Lower (R2)

Violation Severity Level: Not provided

Region: WECC

Issue: During a spot check, WECC determined that the Registered Entity had not sufficiently detailed the actions it would take in response to events or conditions that would trigger its recovery plan (R1). In addition, the Registered Entity was not updating its recovery plan annually, as required (R2).

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $143,500 and to undertake other mitigation measures. WECC found that the CIP-009-1 R1 violation constituted a moderate risk to bulk power system reliability since the lack of detail may have left its personnel unable to adequately respond to situations that demand the recovery of Critical Cyber Assets. However, the Registered Entity did have a recovery plan and had trained its staff to be able to respond and restore equipment. WECC found that the CIP-009-1 R2 violation constituted only a minimal risk to bulk power system reliability since the recovery plan was actually tested within a year of the Reliability Standard going into effect. The duration of the CIP-009-1 violations was from July 1, 2008 through June 26, 2009 (R1) and June 23, 2009 (R2). In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations, and that there were no additional aggravating or mitigating factors.

Penalty: $143,500 (aggregate for 10 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted an exercise of its Recovery Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required exercise within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: SPP found that the Registered Entity’s Critical Cyber Assets (CCA) Recovery Plan had not been properly tested prior to July 1, 2008. In addition, the Registered Entity did not possess adequate documentation showing that it evaluated its disaster recovery/continuity of business plans at that time.

Finding: SPP found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity had actually conducted cyber security exercises before July 1, 2008 and properly tested its CCA Recovery Plan on September 12, 2008. The duration of the violation was from July 1, 2008 through September 12, 2008.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test concerning backup media containing information needed for recovery.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R1, R1.1

Violation Risk Factor: Medium (for R1, R1.1)

Violation Severity Level: High (for R1, R1.1)

Region: SPP

Issue: SPP found that the Registered Entity’s Recovery Plan did not include all of its Critical Cyber Assets as required (R1). In addition, the Recovery Plan did not provide different scenarios for various types of events and conditions that had varying durations and severity. For example, the Recovery Plan always called for the restoration of the servers, even though that action would be inappropriate for quick-fix events such as a hardware component failure without data loss (R1.1).

Finding: SPP found that the violations constituted only a minimal risk to bulk power system reliability since the Registered Entity did actually have a Recovery Plan and its support staff would be able to support the Critical Cyber Assets and follow the necessary steps during a recovery. The duration of the violation was from July 1, 2008 through June 1, 2010.

Penalty: $3,000

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted an exercise of its Recovery Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required exercise within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test concerning backup media containing information needed for recovery.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted an exercise of its Recovery Plan.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required exercise within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely conducted a required test concerning backup media containing information needed for recovery.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required test within a year of the required date. The Registered Entity had also enacted its Recovery Plan before it was required to do so. The duration of the violation was from December 31, 2009 through December 17, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-229-000 (July 28, 2011)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: Following the Unidentified Registered Entity’s (URE) self-report and self-certification, WECC determined that URE did not have a recovery plan for one of its Critical Cyber Assets, a generating station, for a period of nine days.

Finding: WECC assessed a $75,000 penalty for this and other Reliability Standards violations. WECC determined that the violation posed a moderate risk, but did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because the violation was only for a period of nine days, URE had recovery plans for Cyber Security Assets at other locations, and URE personnel would have been able to recover the Cyber Security Asset. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violation was not a repeat violation; URE was cooperative; URE self-reported one of the violations; there was no evidence of an attempt or intent to conceal the violation; WECC determined the violation did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $75,000 (aggregated for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)

Reliability Standard: CIP-009-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP found that the Unidentified Registered Entity (URE) did not possess sufficient documentation showing that it conducted an annual exercise of its recovery plan.

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-009-1 violation did not constitute a serious or substantial risk to bulk power system reliability. The URE revised its Risk Based Assessment Methodology to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of the new finding, the violation of CIP-009-1 became moot. The duration of the violation was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.

Penalty: $8,000 (aggregate for 9 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-009-1

Requirement: R1.1, R2

Violation Risk Factor: Medium (R1.1), Lower (R2)

Violation Severity Level: High (R1.1, R2)

Region: SPP/RFC

Issue: During a joint spot check, SPP and RFC determined that SPP_URE1/RFC_URE1's Recovery Plan for its Critical Cyber Assets (CCAs) did not include a recovery phase for impacted facilities or assets following a mid- or long-term event (R1.1). SPP and RFC also found that SPP_URE1/RFC_URE1 did not possess sufficient documentation showing that it conducted an annual exercise of its Recovery Plan for its CCAs (R2).

Finding: SPP and RFC found that the violations did not constitute a serious or substantial risk to bulk power system reliability. In terms of R1.1, SPP_URE1/RFC_URE1 did maintain a "hot" disaster recovery site that would become the primary operation site in the event a disaster makes the current site inoperable, as well as redundant systems regarding its Transmission Operator function and critical transmission SCADA network assets. In terms of R2, SPP_URE1/RFC_URE1 did have disaster recovery plans and performed actual recoveries after failure events. The duration of the violations was from July 1, 2008 through June 21, 2010 (R1.1) and from July 1, 2008 through July 1, 2010 (R2).

Penalty: $10,000 (aggregate for 7 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that RFC_URE1’s recovery plan did not detail events of varying duration and severity that would activate the recovery plan, describe the roles and responsibilities of responders, or address all of RFC_URE1’s Critical Cyber Assets (CCAs).

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. RFC_URE1 did address responding to events of varying duration and severity and the roles and responsibilities of its responders in its cyber security incident response plan. In regards to the information missing from the recovery plan on the CCAs, RFC_URE1 verified that the information would be readily available to authorized personnel working to recover the CCAs. In addition, there was a compliance program in place (which was evaluated as a mitigating factor).

Penalty: $30,000 (aggregate for 6 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)

Reliability Standard: CIP-009-1

Requirement: R1.2; R5

Violation Risk Factor: Medium (R1.2), Lower (R5)

Violation Severity Level: High (R1.2); Severe (R5)

Region: SPP

Issue: During a spot check, SPP determined that URE violated R1.2 because its CCA recovery plan did not define the roles and responsibilities of incident responders. SPP also determined that URE violated R5 because the media used to back up essential CCA restoration information on a daily basis was not tested to verify that all essential information was available.

Finding: SPP determined that the violations posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The violation of R1.2 was mitigated because URE had a recovery procedure in place, experienced staff, and communications procedures that had a callout progression list with contact names and numbers and that defined roles and responsibilities pertaining to specific events. The violation of R5 was mitigated because URE used software to automatically run backups of its CCAs and print reports that were regularly reviewed to ensure operation.

Penalty: $40,000 (aggregate for 14 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: While conducting a spot check, SPP RE found that URE’s CCA recovery plan did not discuss how to recover CCAs in the event of an actual incident.

Finding: SPP RE found the violation constituted a minimal risk to BPS reliability because URE had a recovery plan, plus a business continuity plan, which discuss long-term recovery plans. Also, URE has a backup control center which would allow URE to continue to operate until the primary control center could be restored. Also, URE’s staff has experience in CCA support and could have responded to many types of incidents. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.

Penalty: $8,800 (aggregate for 4 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1); Lower (R2)

Violation Severity Level: Severe (both)

Region: SPP RE

Issue: While conducting a spot check, SPP RE found that earlier versions of URE’s recovery plans did not address the recovery of all CCAs like remote terminal units, server hardware, and other networking assets. The plans also did not discuss recovery situations involving varying duration and severity as required by the Standard. Previous recovery plans only covered the restoration of backed-up data and information from tape. Regarding R2, URE’s exercise of its recovery plans in the two prior years both involved actual occurrences of hardware failure; however, neither recovery scenario was covered in the existing recovery plans. The two prior versions of the recovery plans were found to be non-compliant. In order to be in compliance with the Standard, URE was required to test the recovery plan that was in place, which it did not. Rather, URE followed undocumented recovery procedures for assets not covered in the recovery plan.

Finding: SPP RE found the violations constituted a minimal risk to BPS reliability because, regarding R1, URE has a backup control center available and a standby unit for all CCA hardware, leaving URE the option to use the standby unit if needed. With respect to R2, even though URE’s in-place recovery plan did not address actual hardware failures, the exercises of its recovery plans in the two previous versions did outline how to recover from the loss of a hard drive and the loss of a motherboard. URE is a small entity, and so its size lessened any possible BPS impact. SPP RE took URE’s internal compliance program into consideration when determining the appropriate penalty.

Penalty: $20,800 (aggregate for 7 penalties)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-009-1

Requirement: R1, R2

Violation Risk Factor: Medium (R1); Lower (R2)

Violation Severity Level: High (R1); Severe (R2)

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE did not set forth the roles and responsibilities of responders in its recovery plan. In addition, the recovery plan was not tested in a way that would be compliant with the Standard. Specifically, the test that was performed did not include the process to bring failed systems back to normal operation. URE self-reported that it had not undertaken a test prior to the date URE was required to be compliant with CIP-009-1 R2.

Finding: The violations constituted a minimal risk to BPS reliability because URE did have an acceptable plan for the recovery of CCAs and a small enough staff that failing to list the roles and responsibilities of responders would not affect URE’s ability to put its recovery plan into action if needed. URE employs an experienced operations supervisor who would coordinate recovery actions for cyber incidents. Regarding the violation of R2, URE does have a recovery plan in place, it just had not been completely tested to include restoring a failed system to normal operation. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor; however, URE did receive credit for self-reporting the R2 violation.

Penalty: $12,000 (aggregate for 10 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: MRO

Issue: While conducting a CIP Spot Check, MRO found that URE could not provide proof of recovery plans for all CCAs. URE had evidence that a general recovery plan for all assets was in place, and that plan included steps for general system disaster recovery, but it did not include plans and procedures for recovering each CCA.

Finding: The violation was determined to pose a minimal risk to BPS reliability. MRO found that even though URE’s recovery plan did not contain individual procedures for CCA disaster recovery, it did generally address system recovery and backup control center use. URE also has an agreement in place with an established EMS vendor for recovery support. Also, URE was testing its plan yearly through table top exercises. In determining the appropriate penalty, MRO considered URE’s internal compliance program in effect during the violation period to be a mitigating factor.

Penalty: $6,000

FERC Order: Issued May 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-26-000 (April 30, 2012)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: URE self-reported that it had failed to include 46% of its CCAs in its recovery plan. Also, URE's recovery plan did not state what events or conditions would call for activation of the recovery plan, nor did it set forth responders' roles and responsibilities.

Finding: RFC found the violation constituted a moderate risk to BPS reliability, which was mitigated because URE had addressed responding to events of varying duration and severity in its Cyber Security Incident response plan, and its cyber security policy set forth roles and responsibilities. URE stated that although this information was not specifically stated in its recovery plan, it was readily available to personnel responding to a CCA recovery event. In determining the appropriate penalty, RFC considered certain aspects of URE's compliance program as a mitigating factor. Also, credit was given for the self-report.

Penalty: $12,000 (aggregate for 4 violations)

FERC Order: Issued May 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: WECC

Issue: URE self-reported that it had not strictly complied with the requirements of CIP-009-1 R1 because it had failed to include each CCA in its Recovery Plan, in particular, four switches located in an ESP. URE's Recovery Plan itself requires that all CCAs be included in the Plan. URE did have procedures for restoring the switches, but the four switches were not included and considered in the Recovery Plan as the Plan required.

Finding: The violation was deemed to pose minimal risk to BPS reliability because even though URE did not have a Recovery Plan that included all of its CCAs, risk was mitigated because the four switches are redundant pairs and one pair’s failure would have no significant impact. In determining the appropriate penalty, WECC considered URE’s internal compliance program. URE agreed/stipulated to WECC’s findings.

Penalty: $67,500 (aggregate for 9 violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-46 (September 28, 2012)

Reliability Standard: CIP-009-1

Requirement: 1, 3

Violation Risk Factor: Medium (1), Lower (3)

Violation Severity Level: Severe (1, 3)

Region: WECC

Issue: URE self-certified that its CCA recovery plan did not contain sufficient information to ensure a timely and effective recovery of CCAs after an event, as the plan did not clearly detail the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan or define the roles and responsibilities of responders (R1). URE also self-certified that it had not updated its recovery plan to incorporate changes or lessons learned from exercises or recovery from an actual incident, and had not properly communicated its lessons learned to the personnel responsible for the activation and implementation of its recovery plan within 90 days of the change (R3).

Finding: WECC found that the CIP-009-1 violations constituted only a minimal risk to BPS reliability. With regard to R1, URE did actually have a recovery plan in place (even though it was incomplete). For R3, even though it was not properly implementing the lessons learned, URE did have a process, through its recovery plan, for capturing the lessons learned. URE agreed and stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's compliance history and the fact that URE had a compliance program in place when the violations occurred (which was viewed as a mitigating factor). URE was also cooperative during the enforcement process and did not conceal the violations. WECC found that the violations did not constitute a serious or substantial risk to BPS reliability and that there were no additional aggravating or mitigating factors.

Penalty: $200,000 (aggregate for 17 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 1 (three violations, one for each URE)

Violation Risk Factor: Medium (1)

Violation Severity Level: Severe (URE1), High (URE2, URE3)

Region: RFC

Issue: URE1 self-reported that the recovery plan for its previous EMS system only specified that URE1 must switch to the EBS (instead of discussing the recovery of individual CCAs in the EMS as required). URE1's substation recovery plan also did not sufficiently detail the responsive actions to events or conditions of varying duration and severity that would activate the recovery plan or describe the roles and responsibilities of responders. In addition, URE2's and URE3's recovery plans also did not cover the recovery of individual CCAs in the EMS or sufficiently describe the responsive actions to events or conditions of varying duration and severity that would activate the recovery plan.

Finding: RFC found that the CIP-009-1 R1 violations constituted a moderate risk to BPS reliability since the violations may have caused a delay in the UREs' ability to recover a failed CCA. But, using the backup EMS and the disaster backup EMS and having access to the vendor's instructions for recovering individual Cyber Assets, the UREs had the information that would be needed to restore their CCAs. URE2 and URE3 have already used the vendor's instructions to restore failed assets. The UREs also had protective measures in place to safeguard their CCAs against system events. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 2, 3

Violation Risk Factor: Lower (2, 3)

Violation Severity Level: Severe (2, 3)

Region: RFC

Issue: URE1 self-reported that, since it did not create a proper recovery plan, it also did not exercise its recovery plan on a yearly basis as required (2). URE1 also did not update its recovery plan for its legacy EMS to incorporate changes or lessons learned from exercises or recovery from an actual incident, or formally communicate such changes or lessons to the appropriate personnel (3).

Finding: RFC found that the CIP-009-1 R2 and R3 violations constituted a moderate risk to BPS reliability since the violations increased the risk that there would be a delay in URE1's ability to respond to an actual incident or recover a failed CCA. But, for R2, URE1 was actually performing restoration exercises for its entire EMS, including the EMS Backup System. In terms of R3, URE1 was, in practice, notifying the necessary personnel on an informal basis about changes in the recovery plan. URE1 also made revisions to its draft recovery plan to incorporate changes and lessons learned. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 4 (three violations, one for each URE)

Violation Risk Factor: Lower (4)

Violation Severity Level: Severe (4)

Region: RFC

Issue: During the compliance audit, RFC determined that URE1's recovery plan did not incorporate procedures for the backup and storage of the information needed to successfully restore its CCAs. In addition, while URE1 had a standalone backup and restoration process for the EMS (which did not include the required information), it did not have a formal recovery plan. Furthermore, RFC found that URE2 and URE3 also did not have sufficient procedures in their recovery plans for the backup and storage of the information needed to successfully restore their two backup servers.

Finding: RFC found that the CIP-009-1 R4 violations constituted a moderate risk to BPS reliability since the violations increased the risk that there would be a delay in the UREs' ability to restore their CCAs. But, URE1 did have a standalone backup and restoration procedure for its EMS and kept paper copies of the CCA configuration files and other backup information that would be used to restore the CCAs. For URE2 and URE3, the two backup servers, which are behind firewalls and powered off when not in use, are not connected to the Internet and are only used approximately 4-5 times a year for restoration operations. The servers are also redundant, as only one is needed to recover a system device. URE2 and URE3 also had documentation from the servers' vendor that described the restoration process, and URE2's and URE3's support staff received training on how to recover the devices. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 5 (three violations, one for each URE)

Violation Risk Factor: Lower (5)

Violation Severity Level: Severe (5)

Region: RFC

Issue: URE1 self-reported that it did not test its backup media on a yearly basis in order to verify that the information needed for the recovery of the CCAs was available. RFC found that URE2 and URE3 also had not tested their backup media in 2010.

Finding: RFC found that the CIP-009-1 R5 violations constituted a moderate risk to BPS reliability since the violations increased the risk that there would be a delay in the UREs' ability to restore their CCAs. But, URE2 and URE3 had protective measures (such as firewalls, anti-virus software and access controls to the ESPs) in place to safeguard their Cyber Assets. In addition, URE1 had tapes from the EMS and the disaster backup EMS which contained the information needed to successfully restore the CCAs. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and they were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But, the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 1.1

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Texas RE

Issue: URE1 filed a self-report explaining that its disaster recovery plan for CCAs did not set forth all required actions for event response.

Finding: Texas RE determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk. The disaster recovery plan was not as specific as required by the Standard, but it did have roles and responsibilities outlined for events or conditions of varying duration and severity as required. URE1 neither admitted nor denied the violation. Texas RE considered URE1's internal compliance program (ICP) as a mitigating factor.

Total Penalty: $51,000 (aggregate for 5 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP RE

Issue: While conducting a CIP Spot Check, SPP RE determined that URE1 could not show that it tested its CCA Recovery Plan (Plan) pursuant to the requirements of the Standard. The exercises provided in the Plan did not set forth the procedure to recover and restore failed CCAs to normal operation.

Finding: SPP RE found that the violation posed a minimal risk to BPS reliability, but not a serious or substantial risk, because URE1 was able to show that the existing Plan had been in place during the entire period of non-compliance and was the subject of annual training, including the undocumented recovery and restoration procedures. URE1 neither admitted nor denied the violation. In determining the appropriate penalty, SPP RE found URE1's written ICP to be a neutral factor.

Total Penalty: $15,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-009-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it had not created recovery plans for four CCA device types that were not included in its Cyber Assets database.

Finding: SERC found that the CIP-009-1 R1 violation (which lasted for almost two years) constituted a serious and substantial risk to BPS reliability. By not having recovery plans for those device types, URE could have experienced delays in recovering its CCAs, which would have increased the period of time needed to recover from an incident. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability, as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-009-1

Requirement: 1, 2, 4, 5

Violation Risk Factor: Lower (2, 4, 5), Medium (1)

Violation Severity Level: Moderate (1), Severe (2, 4, 5)

Region: TRE

Issue: During a compliance audit, TRE determined that URE's parent company did not review its disaster recovery plan annually, as required, and that the disaster recovery plan still included units that had already been decommissioned (1). The disaster recovery plan also did not adequately describe the responsible person or group, media, and locations in the backup and restoration process and did not include sufficiently detailed backup and restoration procedures for each critical system or the necessary documentation regarding its equipment configuration settings or spare components (4). In addition, URE did not conduct an annual exercise of the disaster recovery plan (2) or annual testing of its backup media (5).

Finding: TRE found that the CIP-009-1 R1, 2, 4 and 5 violations constituted a moderate risk to BPS reliability. The lack of senior management review and approval of the disaster recovery plan could have compromised BPS reliability. In addition, the lack of policy updates could have caused the disaster recovery plan to become dated and, as a result, URE's personnel may have been ineffective in the response to and management of a disaster. But, the disaster recovery plan had been in effect since the Reliability Standard became enforceable, and URE was prepared to utilize the disaster recovery plan to deal with potential reportable events. Also, URE was storing the essential data, and there were no incidents of lost or corrupted data. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-009-1

Requirement: 1, 2, 4, 5

Violation Risk Factor: Medium (R1); Lower (R2, R4, R5)

Violation Severity Level: Moderate (R1); Severe (R2, R4, R5)

Region: Texas RE

Issue: During a compliance audit, Texas RE found that the disaster recovery plan provided by URE's parent company was not being reviewed on an annual basis (R1). URE could not show that it was conducting an annual exercise of its disaster recovery plan (R2). The disaster recovery plan did not contain all procedures as required by R4. Finally, URE could not show that it tested its backup media on a yearly basis (R5). URE noted that the plan was only in effect eight months until URE's facility was determined not to be a Critical Asset.

Finding: The violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-009-1

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: WECC determined that URE had not conducted the required annual testing of information for power operations stored on its hard drives and on its DVDs for two years.

Finding: WECC found that the CIP-009-1 R5 violation only constituted a minimal risk to BPS reliability as URE was testing information, on an annual basis, for power operations stored on tapes. In addition, the violation did not encompass all systems and devices essential to the operation of URE’s control center. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-009-1

Requirement: 1, 2, 4, 5

Violation Risk Factor: Medium (1), Lower (2, 4, 5)

Violation Severity Level: Severe (1, 2, 4, 5)

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not create or annually review its CCA recovery plan. URE only had a shell of a high-level recovery plan that was not specific to the CCAs. The plan did not describe the actions to be taken in response to events or conditions of varying duration and severity that would activate the recovery plan or define the roles and responsibilities of the responders in sufficient detail (1). URE also did not conduct an annual exercise of the recovery plan or use it in response to an actual incident (2). URE also did not incorporate into its recovery plan the procedures for the backup and recovery of the information needed to restore the CCAs. URE did not have formal backup procedures, including alternative measures, for its CCAs (4). In addition, URE did not annually test the availability of information essential to recovery that is stored on backup media (5).

Finding: WECC found that the CIP-009-1 violations constituted a moderate risk to BPS reliability. By not having a complete recovery plan in place or appropriate procedures (including backup media testing) for the backup and storage of information for the restoration of CCAs, there is an increased risk that CCAs deemed essential to the BPS would become irrecoverable and non-operational in the event of a cyber security incident. An annual exercise of the recovery plan is needed to determine the proficiency and effectiveness of the plan. But, URE had installed antivirus and malware prevention tools, and the CCAs were contained within restrictive boundaries and protected by a PSP. The CCAs are continuously monitored (with a maintenance and recovery team always available), and any device outage would have been detected. In addition, URE had operating procedures in place that contained information on the personnel to contact in the event of a device outage. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that certain of the violations were self-reported and that URE had a compliance program in place when the violations occurred. URE's prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-18 (December 30, 2013)

Reliability Standard: CIP-009-1

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: SERC found that URE did not conduct the required testing for 64 CCAs on the availability of information necessary for recovery that is stored on backup media.

Finding: SERC found that the CIP-009-1 R5 violation constituted only a minimal risk to BPS reliability as URE backed up the devices on a daily basis. In addition, URE monitored the backup system. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a partial mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. None of the violations constituted a serious or substantial risk to BPS reliability. In addition, URE engaged in physical security measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $110,000 (aggregate for 15 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-009-1

Requirement: 1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that its recovery plan inadvertently omitted four servers. URE also did not include domain controllers in its recovery plan as URE deemed them to be non-essential for recovery of core systems.

Finding: SERC found that the CIP-009-1 R1 violation constituted only a minimal risk to BPS reliability since URE’s core system was able to be restored without the domain controllers and four servers at issue. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-46-000 (July 31, 2014)

Reliability Standard: CIP-009-1

Requirement: R1 (3 violations – one for URE4, URE5 and URE6)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC determined that URE4, URE5 and URE6 failed to have sufficiently comprehensive Recovery Plans for some of their devices as the Recovery Plans did not detail required actions in response to events or conditions of varying duration and severity or the roles and responsibilities of responders.

Finding: RFC determined that the violations constituted only a minimal risk to BPS reliability. The Recovery Plans covered procedures for the loss of communication processors and identified certain responders. In addition, the insufficiencies in the Recovery Plans did not indicate any systemic issues with the Recovery Plans. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC found that all but two of the violations constituted only a minimal risk to BPS reliability and did not represent any systemic failure (the other two violations posed a moderate risk). However, these violations constituted the URE Companies’ fifth violation of CIP-004 and the second violation of CIP-007, which was considered to be an aggravating factor (although not a substantial aggravating factor). However, the URE Companies were awarded mitigating credit for substantial and voluntary improvements to their compliance programs. The majority of the violations were also self-reported. The URE Companies cooperated throughout the enforcement process and did not conceal the violations.

Total Penalty: $50,000 (aggregate for 35 violations)

FERC Order: Issued August 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-009-1

Requirement: R1 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC determined that URE2 did not create and review on an annual basis, as required, sufficient recovery plans for all its CCAs. URE1 and URE3 self-reported the same violation. URE2’s recovery plan for a certain system was also incomplete as it did not detail required actions in response to specified events or conditions that would activate the recovery plan.

Finding: RFC determined the violation posed a moderate risk to BPS reliability since it increased the risk of a delay in recovering a CCA due to a failure or compromising event. However, the URE Companies had established processes for backup operations at an alternate site to protect their CCAs in the event of a system event or failure. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed to randomly selecting one of the URE Companies for a future spot check.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-009-1

Requirement: R1 (1.1 and 1.2)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: URE self-reported that it did not have a recovery plan for several physical system components. During a compliance audit, SPP RE also found that one of URE’s electronic access control and monitoring (EACM) devices failed when new hardware was installed, and that the recovery plan for the device lacked steps for responding to events of varying duration or severity and did not define the roles and responsibilities of first responders to such events.

Finding: SPP RE determined that the violation constituted only a minimal risk to BPS reliability since URE designed its system components to default to a secure mode. In addition, URE was able to restore the EACM device and performed a manual review of the log throughout the duration of the failure. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one-day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit, ReliabilityFirst discovered that URE's disaster recovery plan for CCAs was insufficient for recovery purposes since it relied on replicated backup (a "hot site").

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to BPS reliability as it reduced URE's ability to properly restore its CCAs: any data required to back up a CCA would be replicated to URE's only backup files, so corrupted CCA data would be replicated as well. However, URE was able to restore failed assets and data and was able to successfully back up the information required to restore its CCA. While URE's recovery process would not have been able to properly restore its CCA, it was able to maintain daily business operations. Events that potentially could have disrupted the BPS would have been detected through URE's network operations center, which monitors and implements corrective measures for enterprise-wide system performance and events. URE's CCA were also protected through its use of firewalls; change management practices; current patches; antivirus and malware software; account and access management practices; and user and system event monitoring and logging. All CCA were also located in a secure facility with physical and multi-layered electronic access controls. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability and only one posed a serious or substantial risk. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above and beyond compliance measures, including the implementation of an improvement program focused on improving its compliance with CIP standards and its cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions viewed this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit, ReliabilityFirst discovered that URE did not annually test its backup media.

Finding: ReliabilityFirst determined that the violation constituted only a minimal risk to BPS reliability as URE implemented several protective measures that reduced the risk of failure or threats to its Cyber Assets. Specifically, URE utilized secure access points to guard Cyber Assets, firewalls to limit network traffic, change management processes to test changes to existing security controls, electronic and physical access controls to prevent unauthorized access, antivirus software to prevent malicious intrusion, and activity logs for monitoring events on access points and Cyber Assets. In addition, URE backed up and stored the information needed to restore its CCA and was able to confirm through several restoration processes that its network operations backup media contained all the required information. URE employed additional measures to ensure a successful restoration of information and recovery of its CCA in the event of a disruption. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to BPS reliability and only one posed a serious or substantial risk. URE did have a history of prior violations; however, this was its first comprehensive CIP audit, so the Regions did not consider its prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs, and agreed to above and beyond compliance measures, including the implementation of an improvement program focused on improving its compliance with CIP standards and its cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions viewed this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that two recovery plans for CCA for different groups failed to include enough detail for recovering failed CCA. One recovery plan did not provide instructions for managing hardware changes and upgrades required after recovering CCA, nor did it provide the roles and responsibilities of responders or specific response actions for various degrees of failure incidents. While URE1 had a document that outlined procedures for testing, documenting and updating hardware changes, it was not tied to the recovery plan itself. URE1's second recovery plan, written for recovering high-level facilities and systems, did not include procedures for recovering from the complete loss of specific CCA, roles and responsibilities of responders, or response actions corresponding to various levels of asset failure. While URE1 had a supplemental recovery process document that included procedures for locating replacement CCA and returning Cyber Assets to service using previously approved settings, it did not include the system or application details needed to return Cyber Assets to normal operation.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability. URE1 had trained personnel, who were aware of its procedures and who were able to recover the CCA throughout the duration of the violation based on their skill level and experience. In addition, redundant backup systems, created weekly through URE1's failover procedures, would have been available should one or more CCA fail. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. While URE1 self-reported a violation, the UREs did not receive mitigating credit since it was reported after URE1 received a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority of them (18) posed only a minimal or moderate risk. URE agreed to additional mitigating actions including: adding additional staff (including converting contractors to full-time); conducting human performance training at a cost of $50,000; installing firewall analyzer software at a cost of $485,000; and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity (UREs), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-009-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that its recovery plans did not include the required actions for responding to specific events and conditions of varying severity and duration for CCA, and did not include plans for networking CCA or non-critical Cyber Assets.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability as URE had agreements with a third party responsible for recovering CCA in the event of a failure. Furthermore, URE's operations would not have been affected by a single CCA failing, as many of its non-Windows devices had redundancy in place. URE's IT personnel also had the experience and knowledge to recover CCA had there been a security event that disrupted or caused CCA to fail. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all violations posed only a minimal risk, and not a moderate, serious or substantial risk, to the reliability of the BPS. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC 61,051.

Unidentified Registered Entity, FERC Docket No. NP15-24-000 (April 30, 2015)

Reliability Standard: CIP-009-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During its compliance audit, ReliabilityFirst found that URE could not demonstrate annual testing of the backup media containing essential CCA recovery information.

Finding: ReliabilityFirst determined that the violation posed a serious or substantial risk because URE did not test the backup media annually and thus had no assurance that the backup media could be used to recover CCAs if necessary. The severity of the violation was increased because URE had no compensating measures in place and the violation lasted for a prolonged period of time. URE neither admitted nor denied the violations. In approving the settlement, NERC considered URE's compliance history and the serious risk of all but one of the violations as aggravating factors. As mitigating factors, NERC considered URE's (1) pre-violation compliance program, (2) self-reporting of four violations, (3) cooperation throughout the enforcement process, (4) lack of attempts or intentions to conceal the violations, (5) commitment to a comprehensive mitigation plan, (6) improvements in CIP compliance and permission for future ReliabilityFirst spot checks, and (7) allowance of on-site risk management and compliance implementation reviews. URE's mitigation plan obliged URE, among other things, to conduct and clearly record the annual testing of the backup media that contained CCA recovery information.

Penalty: $150,000 (aggregate for 18 violations)

FERC Order: Issued May 29, 2015 (no further review)
