NERC Case Notes: Reliability Standard CIP-009-3
Reliability Standard: CIP-009-3
Requirement: 5 (2 violations – RFC and SERC)
Violation Risk Factor: Lower
Violation Severity Level: Severe
Region: RFC and SERC
Issue: RFC and SERC determined that URE’s testing of its backup media did not include procedures to determine that the information stored on such backup media was available, as required.
Finding: SERC and RFC found that URE’s CIP-009-3 R5 violations constituted a moderate risk to BPS reliability since they increased the chance of delaying or preventing URE’s ability to restore the CCAs. However, URE previously used a tape backup system and a program that automatically backed up the system and stored the backup for easy recovery. In addition, URE installed redundant devices with real-time failover capability that could be used to replace a device that needs restoration. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. However, URE did self-report some of the violations, was cooperative during the enforcement process, and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.
Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)
FERC Order: Issued August 30, 2013 (no further review)