Publications & Events
Alert

NERC Case Notes: Reliability Standard CIP-008-3

White & Case NERC Database
Click here to return to the main page at whitecase.com/nerc

 

Unidentified Registered Entity (URE), Docket No. NP13-23-000, January 31, 2013

Reliability Standard: CIP-008-2; CIP-008-3

Requirement: R1.1; R1.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: Further to a Compliance Audit, RFC determined that URE violated R1 because the company failed to include procedures to characterize and classify events as reportable Cyber Security Incidents in its Cyber Response Plan (Plan). Furthermore, despite describing the roles and responsibilities of its Cyber Security Incident response team in Plan, the company failed show how the communication plan that had been presented during the Compliance Audit was triggered, executed, or related to its Plan.

Finding: RFC determined that the R1 violation posed a moderate risk to the reliability of the BPS. The risk was mitigated because the company does indeed have a Plan which details and categorizes the severity of potential incidents. In addition, the company undertook a tabletop test of its response process before discovering this violation, and the test yielded successful characterization of an event and notification of proper individuals. RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R1.
RFC considered URE's ICP a mitigating factor in making its penalty determination. The violation began when the company was required to comply with the standards at issue, and ended when URE revised its Cyber Response Plan. URE neither admits nor denies the R1 violation.

Penalty: $40,000 (aggregate for 8 violations)

FERC Order: Issued March 1, 2013 (no further review)

Unidentified Registered Entities, FERC Docket No. NP13-47 (July 31, 2013)

Reliability Standard: CIP-008-3

Requirement: 1 (2 violations – RFC and SERC)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC and SERC

Issue: RFC and SERC determined that URE’s enterprise-level cyber security incident response plan did not cover, as required, the procedures for characterizing and classifying when a cyber security incident is reportable.

Finding: SERC and RFC found that URE’s CIP-008-3 R1 violations constituted a moderate risk to BPS reliability since it increased the chance of delay in URE’s ability to respond, resolve and recover from a cyber security incident. But, URE had provided its relevant personnel with training on the cyber security incident response plan, including annual drills on the plan. In addition, no cyber security incidents occurred during the course of the violations. The devices were also protected by an ESP and PSP, as well as site physical security. URE admitted the violations. In approving the settlement agreement, NERC BOTCC evaluated as aggravating factors URE’s compliance history and the fact that URE did not promptly prepare mitigation plans to remediate many of the violations. But, URE did self-report some of the violations and was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (even though URE only received partial mitigating credit as most of URE’s violations resulted from a lack of execution and coordination of programs). URE committed to perform certain actions that went above and beyond the compliance requirements. The CIP-002-3 R3 violations presented a serious and substantial risk to BPS reliability, whereas the other violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $350,000, $175,000 for each URE (aggregate for 62 violations)

FERC Order: Issued August 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-008-3

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SERC

Issue: URE self-reported that, when one of its managers transferred to a new role, it did not remove the manager’s name from the Cyber Security Incident response plan (CSIRP) and replace it with new contact information or ensure that the CSIRP had the correct contact information specific to the manager role. URE also did not timely update the CSIRP within 30 days to reflect changes made to its sabotage and cyber incident detection, analysis, and reporting process.

Finding: SERC found that the CIP-008-3 R1 violation constituted only a minimal risk to BPS reliability. The CSIRP still contained the correct phone number for the relevant manager. Furthermore, URE’s personnel responsible for updating the cyber incident detection, analysis, and reporting process are the same personnel who would be involved in executing the process in the event of an emergency. In addition, no cyber security incidents occurred during the violation. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity 1 (MRO_URE1), FERC Docket No. NP19-5-000 (February 28, 2019)

NERC Violation ID: SPP2017018137

Reliability Standard: CIP-008-3

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: Midwest Reliability Organization (MRO)

Issue: On August 10, 2017, an unidentified entity submitted a Self-Report stating that it was not in compliance with the Reliability Standard when it failed to perform an adequate test of its Cyber Security Incident response plan between December 17, 2014 and September 26, 2017. Furthermore, the entity reported that although it performed a test on March 28, 2017, the test did not meet standards in that the test was more general than expected and did not include specific steps for implementing a response to a Cyber Security Incident. The entity detected the noncompliance after a new CIP Senior Manager was designated and conducted a full review of the entity’s compliance activities. The root cause of the violation was inadequate internal controls to provide oversight.

Finding: MRO found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. Because the risk due to the noncompliance was essentially for conducting an incomplete test, albeit eleven days late, as opposed to not conducting any type of testing, the risk of noncompliance was reduced. Furthermore, the employees were trained, which included response and recovery to Cyber Security Incidents. No harm is known to have occurred. The violation began on March 17, 2016, fifteen months after the entity had transitioned to CIP Version 5 after a successful completion of the last test and ended on September 26, 2017 when the test was successfully completed. MRO considered the entity’s internal compliance program and positive cooperation as mitigating factors when determining the penalty. MRO reviewed the entity’s internal compliance program and considered it to be a neutral factor in the penalty determination. Furthermore, MRO considered the entity’s compliance history in determining the disposition track and found a relevant instances of noncompliance. Thus, the entity’s compliance history was an aggravating factor in the disposition track. To mitigate the violation, the entity, performed the required test, reviewed and revised Cyber Security Incident response plan, and scheduled the next required execution of the Cyber Security Incident response plan to occur within 11 months of the last test.

Penalty: $0

FERC Order: February 28, 2019 (no further review)