
NERC FFT Reports: Reliability Standard CIP-002-5.1

White & Case NERC Database

Unidentified Registered Entity 1 (Texas RE_URE1), FERC Docket No. NP19-18-000 (September 26, 2019)

NERC Violation ID: TRE2016016184

Reliability Standard: CIP-002-5.1

Requirement: R1

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Texas Reliability Entity, Inc. (Texas RE)

Issue: An unidentified entity submitted a Self-Certification that it was in noncompliance with CIP-002-5.1 R.1. Specifically, the entity noted that it did not have or implement a certain process, and as a result, the entity did not identify each asset that contained a Bulk Electric System (BES) Cyber System. The root cause of this violation was that the entity did not have any process for complying with the reliability standard before or after the reliability standard was implemented.

Finding: Texas RE found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to properly identify and classify a BES Cyber System, Texas RE exposed the BES Cyber System to inadequate cyber security protections. The duration of the violation began on July 1, 2016, when the reliability standard became enforceable, and is currently ongoing. Texas RE considered the entity’s compliance history and determined there were no relevant instances of noncompliance. To mitigate the violation, the entity created a draft process for reliability standard compliance, approved a documented internal compliance program, established a compliance committee, and conducted training. Additionally, the entity stated in its mitigation plan that by November 7, 2019, it will have finalized the draft identifications and had the Critical Infrastructure Procedures Senior Manager approve them.

Penalty: No penalty

FERC Order: September 26, 2019 (no further review)

Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. NP19-6-000 (March 28, 2019)

NERC Violation ID: WECC2016016686

Reliability Standard: CIP-002-5.1

Requirement: R1, P1.2

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Western Electricity Coordinating Council (WECC)

Issue: On December 16, 2016, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. In November 2014, the entity started its BES Asset analysis utilizing CIP Version 5 criteria. The most comprehensive data sources for the entity’s asset characteristics were identified and used to categorize the BES Assets. Although the first entity-approved cyber system list was published May 12, 2015 to align with the entity’s CIP Version 5 transition project, during the entity’s November 2016 BES Cyber System Review, a new preferential data source was identified and used to re-categorize the Low Impact Bulk Electric System (BES) Cyber Systems (LIBCS) at a substation to Medium Impact BES Cyber Systems (MIBCS). After evaluating the change, it was determined that the BES Asset information used to initially categorize the LIBCS was unclear and incomplete, which resulted in the incorrect impact rating of the BES Cyber Systems at that substation. The entity had categorized the BES Cyber System at the substation as LIBCS due to an error identifying lines’ connections. Thus, the LIBCS should have been identified as MIBCS. The data for all other previously identified BES Cyber Systems was then compared, found to be consistent, and did not yield any additional change to impact ratings. Furthermore, the newly categorized MIBCS did not have External Routable Connectivity (ERC). The root causes of the violation were inadequate procedures, documents and records to ensure proper evaluation of BES Assets. Specifically, the entity utilized an evaluation process that relied on outdated information and a manual review, which resulted in the entity overlooking critical information needed for identifying and categorizing the impact rating of a BES Cyber System.

Finding: WECC found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Although the MIBCS had no ERC, the number of CIP requirements applicable to MIBCS without ERC is limited, and no harm is known to have occurred, there were no additional controls to detect or prevent this violation from occurring or compensate for the potential harm. The violation began on July 1, 2016, when the reliability standard became mandatory and enforceable, and ended on May 11, 2017, when the entity completed its mitigation plan. WECC considered the entity’s internal compliance program to be a neutral factor and the entity’s compliance history to be an aggravating factor in the disposition determination. To mitigate the violation, the entity updated its Cyber System list to include the reclassification of the BES Cyber System in scope, updated its BES Cyber Systems identification process, confirmed compliance or identified deficiencies with other applicable CIP standards, and mitigated all CIP compliance deficiencies resulting from the identification of the MIBCS without ERC.

Penalty: No penalty

FERC Order: March 28, 2019 (no further review)