Publications & Events
Alert

NERC Case Notes: Reliability Standard CIP-004-3a

White & Case NERC Database
Click here to return to the main page at whitecase.com/nerc

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-004-3a

Requirement: R3 (2 violations – one for URE1 and one for URE3)

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: URE1 did not timely update the PRAs for six employees, and URE3 did not timely update the PRAs for five employees

Finding: RFC determined the violations only constituted a minimal risk to the BPS reliability. As soon as an expired PRA was identified, the URE Companies immediately withdrew access privileges and updated the relevant PRAs. The URE Companies also verified that none of the individuals with expired PPAs engaged in any inappropriate activities. The URE Companies (URE1, URE2 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity 1 (SERC_URE1), FERC Docket No. NP18-25-000 (August 30, 2018)

NERC Violation ID: SERC2015015285

Reliability Standard: CIP-004-3a

Requirement: R4, R4.1

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: SERC Reliability Corporation (SERC)

Issue: In fifteen separate instances, SERC_URE1 did not update its list of personnel with access to Critical Cyber Assets (CCAs) or revoke access no longer required within seven days of personnel changes.SERC_URE1 submitted a Self-Report indicating noncompliance with CIP-004-3a R4.1, and four months later, submitted a second Self-Report involving a violation of CIP-004-3a R4, which SERC consolidated into the original Self-Report as an expansion of scope.While SERC was performing its assessment to evaluate the nature and facts of the violation, SERC_URE1 submitted four additional scope expansions.During its quarterly access reviews in the timeframe of the self-reported violations, SERC_URE1 did not remove electric access or update the access list of employees that either were no longer with the company or had transitioned to a new role internally.SERC_URE1 identified the root causes of the consolidated violations stemmed from insufficient documentation, insufficient training regarding procedures, software malfunctions, and human error.

Finding: SERC found the violation constituted a moderate risk and did not pose a serious or substantial risk to the reliability of the bulk power system (BPS).By its repeated failure to revoke access to CCAs, SERC_URE1 may have inadvertently allowed individuals the opportunity to compromise or modify CCAs and affect the SERC_URE1’s energy management system or the BPS.However, SERC_URE1 monitors physical and electronic access for unauthorized attempts and had provided adequate training for all involved employees.Ultimately, SERC_URE1 found that none of the employees involved attempted to use their access privileges after the access should have been revoked.The duration of the violation was from eight days after the first individual should have no longer had access through the point in which SERC_URE1 revoked access for the final two individuals in the third scope expansion.SERC considered SERC_URE1’s compliance history to be an aggravating factor in determining the penalty while its internal compliance program was deemed a neutral factor.To mitigate the violation, SERC_URE1 performed a number of steps including, but not limited to, establishment of an access management team that centralizes physical and electronic access for employees, development of a report to monitor a known system issue that prevents communication regarding access items, and review and revision of relevant procedures and processes.SERC_URE1 also deployed a new identity management system in the third quarter of 2018 that will perform reconciliation against the system and identify and report on any entries that do not correlate to an individual.

Penalty: $95,000

FERC Order: Issued August 30, 2018 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: WECC2018020039

Reliability Standard: CIP-004-3a

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Western Electricity Coordinating Council (WECC)

Issue: As part of a mitigation related to two previous violations and a realized gap in adherence to its procedures for ensuring that a Personnel Risk Assessment (PRA) was conducted for individuals authorized for electronic access to Critical Cyber Assets (CCAs), an unidentified entity conducted an October 2017 internal audit. While implementing one of the internal controls put in place after a January 2018 meeting to discuss the violations and realized gap, the entity identified an employee who, on August 6, 2015, was authorized and granted electronic access to software on a CCA, without first having completed a PRA. Because the entity did not perform a PRA on the employee, he/she was not in the PRA tracking database, which the entity used to help reconcile employees with Critical Infrastructure Procedures electronic and physical access. The entity submitted a Self-Report on July 17, 2018. The root cause of this violation was the entity’s personnel not following documented procedures.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. The entity had no internal controls implemented to detect or prevent this violation. Had the employee had malicious intent, he/she could have caused significant harm. However, the employee was authorized to have electronic access and was sufficiently trained to use the software to perform his/her job. Furthermore, the internal control, which was implemented after the discussion of the previous violations and realized gap, identified the individual that did not have the PRA and would have identified other individuals who had a missing PRA. The violation began on August 6, 2015 when the individual received electronic access without a PRA and ended on May 3, 2018 when a PRA was performed. WECC considered the internal compliance program to be a mitigating factor in the penalty determination. Additionally, WECC considered the entity’s compliance history and determined that it was an aggravating factor in the disposition determination. To mitigate the violation, the entity completed a PRA for the employee, re-circulated its PRA verification procedure to applicable personnel, and conducted a meeting with applicable personnel to discuss and train for the compliance procedures and processes.

Penalty: No penalty

FERC Order: July 31, 2019 (no further review)