NERC Case Notes: Reliability Standard CIP-004-3a
Reliability Standard: CIP-004-3a
Requirement: R3 (2 violations – one for URE1 and one for URE3)
Violation Risk Factor: Medium
Violation Severity Level: High
Issue: URE1 did not timely update the PRAs for six employees, and URE3 did not timely update the PRAs for five employees
Finding: RFC determined the violations only constituted a minimal risk to BPS reliability. As soon as an expired PRA was identified, the URE Companies immediately withdrew access privileges and updated the relevant PRAs. The URE Companies also verified that none of the individuals with expired PRAs engaged in any inappropriate activities. The URE Companies (URE1, URE2 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed to randomly select one of the URE Companies for a future spot check.
Total Penalty: $625,000 (aggregate for 77 violations)
FERC Order: Issued September 26, 2014 (no further review)
NERC Violation ID: SERC2015015285
Reliability Standard: CIP-004-3a
Requirement: R4, R4.1
Violation Risk Factor: Lower
Violation Severity Level: Lower
Region: SERC Reliability Corporation (SERC)
Issue: In fifteen separate instances, SERC_URE1 did not update its list of personnel with access to Critical Cyber Assets (CCAs) or revoke access no longer required within seven days of personnel changes. SERC_URE1 submitted a Self-Report indicating noncompliance with CIP-004-3a R4.1 and, four months later, submitted a second Self-Report involving a violation of CIP-004-3a R4, which SERC consolidated into the original Self-Report as an expansion of scope. While SERC was performing its assessment to evaluate the nature and facts of the violation, SERC_URE1 submitted four additional scope expansions. During its quarterly access reviews in the timeframe of the self-reported violations, SERC_URE1 did not remove electronic access or update the access list for employees who either were no longer with the company or had transitioned to a new role internally. SERC_URE1 identified the root causes of the consolidated violations as insufficient documentation, insufficient training regarding procedures, software malfunctions, and human error.
Finding: SERC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS). By its repeated failure to revoke access to CCAs, SERC_URE1 may have inadvertently allowed individuals the opportunity to compromise or modify CCAs and affect SERC_URE1’s energy management system or the BPS. However, SERC_URE1 monitors physical and electronic access for unauthorized attempts and had provided adequate training for all involved employees. Ultimately, SERC_URE1 found that none of the employees involved attempted to use their access privileges after the access should have been revoked. The duration of the violation ran from eight days after the first individual should no longer have had access through the point at which SERC_URE1 revoked access for the final two individuals in the third scope expansion. SERC considered SERC_URE1’s compliance history to be an aggravating factor in determining the penalty, while its internal compliance program was deemed a neutral factor. To mitigate the violation, SERC_URE1 performed a number of steps including, but not limited to, establishing an access management team that centralizes physical and electronic access for employees, developing a report to monitor a known system issue that prevents communication regarding access items, and reviewing and revising relevant procedures and processes. SERC_URE1 also deployed a new identity management system in the third quarter of 2018 that will perform reconciliation against the system and identify and report on any entries that do not correlate to an individual.
FERC Order: Issued August 30, 2018 (no further review)
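A minimal form of the two controls the SERC case turns on, the seven-day revocation window of CIP-004-3a R4.1 and the roster reconciliation the new identity management system was deployed to perform, written here as an added example; it is not NERC's, SERC's or the registered entity's code, and the roster, access list, asset name and dates are constructed.

```python
from datetime import date, timedelta

# Seven-day update/revocation window stated in the case note for CIP-004-3a R4.1.
REVOCATION_WINDOW = timedelta(days=7)

# Constructed HR roster: employee id -> name and the most recent personnel change
# (kind, effective date), or None when the person is active and unchanged.
PERSONNEL = {
    "e100": {"name": "A. Operator", "change": None},
    "e101": {"name": "B. Analyst", "change": ("terminated", date(2018, 3, 1))},
    "e102": {"name": "C. Engineer", "change": ("transferred", date(2018, 3, 10))},
    "e103": {"name": "D. Technician", "change": ("terminated", date(2018, 3, 15))},
}

# Constructed CCA access list: (employee id, asset, granted, revoked or None if still active).
ACCESS_LIST = [
    ("e100", "EMS-PRIMARY", date(2017, 1, 5), None),
    ("e101", "EMS-PRIMARY", date(2017, 6, 1), date(2018, 3, 12)),  # revoked 11 days after termination
    ("e102", "EMS-PRIMARY", date(2017, 8, 1), date(2018, 3, 14)),  # revoked 4 days after transfer: on time
    ("e103", "EMS-PRIMARY", date(2017, 9, 1), None),               # never revoked after termination
    ("e999", "EMS-PRIMARY", date(2016, 2, 1), None),               # no matching individual on the roster
]


def review_access(personnel, access_list, as_of):
    """Return (employee id, asset, issue) findings for an access review run on `as_of`.

    Flags three conditions the case describes: an access entry that maps to no
    individual, access still active more than seven days after a personnel change,
    and access revoked but later than seven days after the change.
    """
    findings = []
    for emp, asset, _granted, revoked in access_list:
        record = personnel.get(emp)
        if record is None:
            findings.append((emp, asset, "entry does not correlate to an individual"))
            continue
        if record["change"] is None:
            continue  # active, unchanged employee: nothing to revoke
        kind, changed = record["change"]
        deadline = changed + REVOCATION_WINDOW
        if revoked is None and as_of > deadline:
            days = (as_of - changed).days
            findings.append((emp, asset, f"{kind} on {changed}, access still active {days} days later"))
        elif revoked is not None and revoked > deadline:
            days = (revoked - changed).days
            findings.append((emp, asset, f"{kind} on {changed}, revoked {days} days later (limit 7)"))
    return findings


if __name__ == "__main__":
    for finding in review_access(PERSONNEL, ACCESS_LIST, date(2018, 3, 31)):
        print(finding)
```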