Publications & Events
Client Alert
Alert

NERC Case Notes: Reliability Standard CIP-014-2

White & Case NERC Database
Click here to return to the main page at whitecase.com/nerc

NP18-14-000: Unidentified Registered Entity

Please search for this docket no. here ››

NP20-18-000: Unidentified Registered Entity

Region: WECC

NERC Violation ID Standard Requirement VRF/VSL Discovery Method Start Date End Date
WECC2017017388 CIP-014-2 R5 High/Lower Compliance Audit 6/27/2016 1/21/2020

 

Issue: CIP-014-2

During a Compliance Audit WECC determined that the entity was in violation of CIP-014-2 R5 Part 5.1. The entity did not develop physical security plans that included resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities that the entity had identified during its evaluation conducted pursuant to CIP-014-2 R4. Specifically, the entity's physical security plans lacked specific mitigating measures for many of the threats identified in its R4 threat & vulnerability evaluation. At critical facility, an identified top threat was not listed in the physical security plan with a corresponding measure of protection against said threat. Additionally, some recommended mitigating measures could not clearly be linked to which critical BES assets within a critical facility would be protected, or the identified threat that would be countered. WECC Enforcement concurred with the audit findings as described above. The root cause of this violation was a less than adequate understanding of how to document mitigating activities to specifically address identified vulnerabilities and threats pursuant to CIP-014-2 R5 Part 5.1.

Finding: CIP-014-2

This violation posed a moderate risk and did not pose a serious and substantial risk to the Bulk Power System. In this instance, the entity failed to appropriately develop physical security plans that included resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted pursuant to CIP-014-2 R4. Failure to effectively counter identified critical facility and Critical Asset threats increased the risk of an unauthorized individual degrading or destroying a facility and/or Cyber Assets vital to the reliability of the BES. As CIP-014 critical facilities, these facilities are deemed necessary to the continuity of the entity's grid operations. However, the likelihood of the risk occurring was reduced by the controls the entity had implemented.

Penalty: $0

FERC Order: Issued May 28, 2020

NP19-4-000: REDACTED

Region: WECC

NERC Violation ID Standard Requirement VRF/VSL Discovery Method Start Date End Date
WECC2016016712 CIP-014-2 R1 High/Severe Self-Report N/A N/A

 

Issue: CIP-014-2

The Regional Entities (RE) determined that the companies failed to include all applicable systems in the CIP-014-2 risk assessment. The companies also removed a system from the substation list because of a mistaken determination regarding accessibility. The violation started when the system was not included in their CIP-014-2 risk assessment, and ended when the companies completed the risk assessment reflecting the missed substation for approximately 10 months of noncompliance.

The primary cause of the violation was a misapplication of the standard when reviewing the systems and therefore not applying the relevant criteria. The REs determined that the violation posed a moderate risk to the reliability of the BPS.

Finding: CIP-014-2

The REs considered the violations as repeat noncompliance and the companies compliance history was an aggravating factor. The companies had a deficient internal compliance program. The collective risk of the 127 violations posed a serious risk to the reliability of the BPS. The lack of management involved of the companies was also considered an aggravating factor by creating and allowing a culture of systemic noncompliance to exist.

Penalty: $10,000,000

FERC Order: Issued January 25, 2018