NERC Case Notes: Reliability Standard CIP-002-1

NERC Registered Entity, FERC Docket No. NP10-159-000 (July 30, 2010)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported that it had not updated its list of Critical Cyber Assets to include new equipment associated with its new Energy Management System.

Finding: Duration of the violation was from August 26, 2008 through December 9, 2008. This was the Registered Entity's first violation of the Reliability Standard.

Penalty: $109,000 (aggregate for multiple violations)

FERC Order: Issued August 27, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-3-000 (October 7, 2010)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: N/A

Region: SERC

Issue: During a spot check, SERC determined an Unidentified Registered Entity (URE) failed to include in its list of Critical Cyber Assets a time/frequency device located in its Control Center.

Finding: The violation did not pose a serious or substantial risk to the reliability of the bulk power system because the device was inside a secure perimeter. The URE treats all devices within the perimeter as Critical Cyber Assets, so the device was treated properly even though it was not on the official list of Critical Cyber Assets.

Penalty: $6,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)

Reliability Standard: CIP-002-1

Requirement: R1, R2, R3

Violation Risk Factor: Medium (R1), High (R2, R3)

Violation Severity Level: N/A

Region: SERC

Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to have a risk-based methodology to identify Critical Assets. Accordingly, the URE also did not have a list of Critical Assets, nor did it have a list of associated Critical Cyber Assets.

Finding: The duration of the violations extended from July 1, 2008 (the date the Standard became enforceable) to September 12, 2008 (the date the URE mitigated the violation). The violations did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak and once it conducted an evaluation pursuant to a risk-based methodology, it determined it did not have any critical assets.

Penalty: $16,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-56-000 (November 30, 2010)

Reliability Standard: CIP-002-1

Requirement: R2, R4

Violation Risk Factor: High (R2); Lower (R4)

Violation Severity Level: High (R2, R4)

Region: SERC

Issue: The Unidentified Registered Entity ("URE") self-reported in response to a SERC inquiry that it completed a risk-based assessment of its Critical Assets that was approved by senior management on June 30, 2008, but it failed to review, update or approve the assessment in 2009 in violation of R2 and R4.

Finding: It was determined by SERC that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE had completed the required assessment for 2008 and the system configuration had not changed during 2009. The duration of violation was January 1, 2010 through May 31, 2010. In determining the penalty, consideration was given to the fact that this was the URE's first occurrence of violation of the Reliability Standards.

Penalty: $0

FERC Order: Issued December 30, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-136-000 (March 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: The Unidentified Registered Entity (URE) did not properly update its list of Critical Assets.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a penalty in the amount of $14,500 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE’s first violation of the subject NERC Reliability Standard; URE self-reported one of the violations; URE cooperated during the compliance enforcement process; URE’s compliance program; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $14,500 (aggregate for 3 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP11-146-000 (March 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R3 (three violations)

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: RFC

Issue: During a spot check, RFC found that Unidentified Registered Entity 1 (URE1), Unidentified Registered Entity 2 (URE2) and Unidentified Registered Entity 3 (URE3, collectively UREs) had improperly removed 13 operator consoles from their lists of Critical Cyber Assets. The UREs incorrectly believed that the operator consoles were not considered essential to the operation of Critical Cyber Assets.

Finding: RFC entered into a settlement agreement with the UREs to resolve multiple violations, whereby the UREs agreed to pay a penalty of $52,500 and to undertake other mitigation measures. RFC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the UREs were still providing the operator consoles with the same protection given to Critical Cyber Assets. The duration of the violations was from June 30, 2009 through December 17, 2009. In determining the penalty amount, NERC considered the fact that these were the UREs’ first violations of the relevant Reliability Standards; some violations were self-reported, while others were revealed during an RFC spot check; the UREs were cooperative during the enforcement process and did not attempt to conceal the violations; the UREs had a compliance program in place (which was evaluated as a mitigating factor); the mitigation plan for the CIP-004-1 R3 violation was completed late; and there were no additional mitigating or aggravating factors.

Penalty: $52,500 (aggregate for 14 violations across 3 entities)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-178-000 (April 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: WECC

Issue: The Unidentified Registered Entity (URE) had not properly evaluated its systems and facilities that are critical to system restoration (such as blackstart generators and substations in the electrical path of transmission lines used for initial system restoration) as part of its risk-based assessment methodology, as required.

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $35,000 and to undertake other mitigation measures. WECC found that the violation of CIP-002-1 constituted a minimal risk to bulk power system reliability since the URE did possess a methodology that applied to the other critical assets and the relevant plant only has a small blackstart facility. The plant constituted one-third of the URE’s generating capacity (even though it was not specified as a critical asset). The duration of the CIP-002-1 violation was from July 1, 2008 through August 27, 2009. In approving the settlement agreement and the penalty determination, NERC considered the fact that the CIP-002-1 violation was the URE’s first violation of that Reliability Standard; the COM-002-2 violation was self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $35,000 (aggregate for multiple violations)

FERC Order: May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: RFC

Issue: Unidentified Registered Entity (URE) could not provide documentation describing its risk-based assessment methodology for the period of July 1, 2008 through July 14, 2008.

Finding: The NERC Board of Trustees Compliance Committee (BOTCC) approved a settlement agreement which included a penalty of $70,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, non-related violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-205-000 (June 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Registered Entity had not been incorporating a risk-based assessment methodology for its blackstart generators and special protection systems as required.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $22,000 and to undertake other mitigation measures. WECC found that the CIP-002-1 violation constituted a moderate risk to bulk power system reliability since the Registered Entity’s failure to have evaluation criteria for blackstart generation units and special protection systems in its risk-based assessment methodology could have resulted in those assets being overlooked. However, the Registered Entity did at least possess declaratory statements as to the degree of criticality of the blackstart generators and special protection systems (even though those statements were insufficient to meet the requirements of the Reliability Standard). The duration of the CIP-002-1 violation was from July 1, 2008 through January 6, 2010. In approving the settlement agreement, NERC found that the violation of MOD-010-0 was self-reported; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $22,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-211-000 (June 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Registered Entity had not sufficiently evaluated its blackstart generators or special protection systems in developing its risk-based assessment methodology.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $14,000 and to undertake other mitigation measures. WECC found that the CIP-002-1 violation constituted a moderate potential risk to bulk power system reliability since the lack of evaluation criteria for blackstart generation units and special protection systems in the risk-based assessment methodology might lead to those assets not receiving the protection required for Critical Cyber Assets. The duration of the CIP-002-1 violation was from July 1, 2008 through January 15, 2010. In approving the settlement agreement, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $14,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-218-000 (June 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R2, R3

Violation Risk Factor: High (for R2, R3)

Violation Severity Level: N/A

Region: WECC

Issue: WECC found that the Registered Entity did not fully use its risk-based assessment methodology to develop its list of Critical Assets, as the Registered Entity did not include a specific substation as a Critical Asset even though it was incorporated into the Registered Entity’s restoration plan and the Registered Entity’s risk-based assessment methodology mandates that the Registered Entity list as Critical Assets all assets that are part of the system restoration plan (R2). In addition, the Registered Entity did not include its 21 Distribution Dispatcher consoles and its 3 Windows domain controllers as Critical Cyber Assets as required (R3).

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $130,000 and to undertake other mitigation measures. WECC found that the CIP-002-1 violations constituted a moderate risk to bulk power system reliability. With regard to CIP-002-1 R2, there are alternate lines that the Registered Entity can use for restoration that do not involve the substation that was not listed as a Critical Asset. And while the loss of that substation might affect a localized load area within the Registered Entity’s system, it would not have a broader impact on the reliability of the bulk power system. With regard to CIP-002-1 R3, the Registered Entity was protecting the relevant workstations with measures similar to those used to protect its Critical Cyber Assets (such as Electronic and Physical Security Perimeters that are constantly monitored). The duration of the CIP-002-1 violations was from June 18, 2009 through May 11, 2010 (R2) and from July 6, 2009 through May 24, 2010 (R3). In approving the settlement agreement, NERC found that there were three instances of noncompliance with Regional Reliability Standard PRC-STD-005-1 WR1 (which was evaluated as an aggravating factor); some of the violations were self-reported; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); the penalties for the violations of Reliability Standards EOP-001-0 R6 and EOP-005-1 R2 were aggregated since both penalties were based on a single act of noncompliance; the penalties for the violations of Reliability Standards PRC-STD-005-1 WR1 and VAR-STD-002b-1 WR1 were based on the respective Sanction Tables; and there were no additional aggravating or mitigating factors.

Penalty: $130,000 (aggregate for 27 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-225-000 (June 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: N/A

Region: RFC

Issue: As a result of a spot check, RFC determined the Unidentified Registered Entity (URE) violated CIP-002-1 R2 because it could not produce evidence that it documented the assessment of three generators to determine whether they were Critical Assets.

Finding: RFC assessed a $10,000 penalty for this and other violations. This violation did not pose a serious or substantial risk to the reliability of the Bulk Power System because the violation was a documentation error that did not affect the outcome of the URE’s Critical Asset Analysis. The NERC BOTCC determined this was the URE’s first occurrence of this type of violation; the URE was cooperative; the URE had a compliance program, which RFC considered a mitigating factor; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $10,000 (aggregate for 3 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-229-000 (July 28, 2011)

Reliability Standard: CIP-002-1

Requirement: R1, R3

Violation Risk Factor: Medium (R1); High (R3)

Violation Severity Level: N/A

Region: WECC

Issue: During a spot-check, WECC determined that the Unidentified Registered Entity’s (URE) Risk-Based Assessment Methodology (RBAM) did not document procedures and evaluation criteria and their application to systems and facilities critical to system restoration or its consideration of Special Protection Systems in violation of R1. WECC also determined URE failed to appropriately designate its energy management system operator consoles as Critical Cyber Assets in violation of R3.

Finding: WECC assessed a $75,000 penalty for these and other Reliability Standards violations. WECC determined that the violation of R1 posed a moderate risk, but did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because, despite its failure to specifically consider the facilities that could affect reliable operations, URE had an RBAM that it applied on an annual basis to create its list of Critical Assets. The violation of R3 posed a minimal risk, but did not pose a serious or substantial risk to the reliability of the BPS because the asset was redundant and the loss of any single device would not have had operational impacts. Moreover, the violation was limited and the Critical Cyber Assets were protected. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violations did not constitute repeat violations; URE self-reported one of the violations; URE was cooperative; there was no evidence of an attempt or intent to conceal the violations; WECC determined the violations did not pose a serious or substantial risk to the BPS; and there were no other aggravating or mitigating factors.

Penalty: $75,000 (aggregated for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: In December 2010, SERC_URE1, as a Load-Serving Entity, self-reported that it had not properly documented its risk-based assessment methodology (RBAM) for identifying its Critical Assets.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE1 does not possess any Critical Assets (nor does it own or operate any facilities that would satisfy the Critical Assets’ criteria). Although SERC_URE1 evaluated its assets in coming to the conclusion that it does not have any Critical Assets, it did not document its RBAM, and its application, as required. SERC_URE1 (a small distribution utility that only has a peak load of 6 MW) is only on the NERC Compliance Registry since it owns and operates an underfrequency load shedding system.

Penalty: $0 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: In November 2010, SERC_URE2, as a Load-Serving Entity, self-reported that it had not properly documented its risk-based assessment methodology (RBAM) for identifying its Critical Assets.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE2 does not possess any Critical Assets (nor does it own or operate any facilities that would satisfy the Critical Assets’ criteria). Although SERC_URE2 evaluated its assets in coming to the conclusion that it does not have any Critical Assets, it did not document its RBAM, and its application, as required. SERC_URE2 (a small distribution utility that has a load of only 12 MW) is only on the NERC Compliance Registry since it owns and operates an automatic underfrequency load shedding system.

Penalty: $0 (aggregate for 6 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: In December 2010, SERC_URE3, as a Load-Serving Entity, self-reported that it had not properly documented its risk-based assessment methodology (RBAM) for identifying its Critical Assets.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE3 does not possess any Critical Assets (nor does it own or operate any facilities that would satisfy the Critical Assets’ criteria). Although SERC_URE3 evaluated its assets in coming to the conclusion that it does not have any Critical Assets, it did not document its RBAM, and its application, as required. SERC_URE3 (a small distribution utility that has a peak load of only 5 MW) is only on the NERC Compliance Registry since it owns and operates an underfrequency load shedding system.

Penalty: $0 (aggregate for 6 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-261-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R3.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: Following a Spot Check, RFC determined that the Unidentified Registered Entity (URE) violated R3.1 because it failed to identify as Critical Cyber Assets 12 remote workstations that connect to the Energy Management System (EMS) and allow for remote monitoring and control of URE’s transmission system.

Finding: SPP determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the URE had additional control systems in place to protect these workstations. For example, URE blocks outside access to its EMS application, requires three or more levels of authentication to access the EMS from the workstations, keeps the workstations within its Physical Security Perimeter, and restricts copying, pasting, printing, and mapping. In approving the settlement agreement, NERC found that this was not URE’s first violation of the subject Reliability Standards; URE self-reported seven of the eight violations; RFC considered it an aggravating factor that it discovered one of the violations in a Compliance Spot Check; URE was cooperative; URE had a compliance program, which RFC considered to be a mitigating factor; RFC determined URE’s parent company operated the CIP compliance program and therefore should investigate and review all Self-Reports and violations of the URE; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $70,000 (aggregate for 8 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-262-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R1, R3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: During a spot-check, SPP determined the Unidentified Registered Entity (URE) violated R1.1 for failing to include procedures or evaluation criteria pertaining to the evaluation of system restoration assets for purposes of identifying Critical Assets in its Risk-Based Assessment Methodology. SPP also found URE violated R3.2 for failing to include an essential operator console at its backup control system as a Critical Cyber Asset.

Finding: SPP determined that the violations posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because URE's Risk Based Assessment Methodology stated that restoration resources were considered for inclusion in the Critical Asset list, and proper evaluation criteria existed for all other required asset classes. In addition, the backup console at issue was located in an area that was protected by physical electronic access and continuously monitored. In approving the settlement agreement, NERC found this was URE's first violation of the subject Reliability Standards; URE was cooperative; URE had a compliance program, which SPP considered to be a mitigating factor; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $12,000 (aggregate for 4 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-263-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: High

Region: TRE

Issue: During a spot check, TRE found that the Unidentified Registered Entity (URE) did not possess a complete list of its Critical Cyber Assets, as the URE's list only contained software applications and not the hardware and data associated with the cyber operations of the Critical Assets.

Finding: TRE and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $11,000 and to undertake other mitigation measures. TRE found that the CIP-002-1 violation did not constitute a serious or substantial risk to the bulk power system since the URE had already applied the relevant Cyber Security Reliability Standards to the required hardware associated with the cyber operations. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; some violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $11,000 (aggregate for 5 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R1, R3

Violation Risk Factor: Lower (R1), High (R3)

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP found that the Unidentified Registered Entity's (URE) Risk Based Assessment Methodology (RBAM) did not incorporate the evaluation criteria used to identify Critical Assets nor did it evaluate each of the mandated asset categories as required (R1). In addition, SPP discovered that the URE had not removed a laptop computer from its Critical Cyber Assets (CCA) List after the laptop had been repurposed (and therefore no longer considered a CCA) (R3).

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-002-1 violations did not constitute a serious or substantial risk to bulk power system reliability. In terms of R1, the URE revised its RBAM to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of this new finding, the violation of R3 became moot. The duration of the violations was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that these were the URE's first violations of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.

Penalty: $8,000 (aggregate for 9 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: SERC_URE1, as a Load Serving Entity, self-reported that its risk-based assessment methodology (RBAM) did not specifically address all of the asset types as required.

Finding: SERC found that the violation constituted only a minimal risk to bulk power system reliability since SERC_URE1, a small distribution utility, did not own or operate any Critical Assets nor any elements of the bulk power system. The duration of the violation was from December 31, 2009 through June 1, 2011.

Penalty: $0

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Lower

Region: FRCC

Issue: FRCC determined that FRCC_URE1 had not properly identified 12 of its Cyber Assets as Critical Cyber Assets.

Finding: FRCC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the relevant Cyber Assets were protected by the general company security control practices that applied to logical and physical access. In addition, the portable Cyber Assets were stored in protective custody in the control center. The duration of the violation was from July 1, 2008 through June 1, 2011.

Penalty: $38,000 (aggregate for 11 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R1, R2, R3, R4

Violation Risk Factor: Medium (R1), High (R2, R3), Lower (R4)

Violation Severity Level: Severe (R1, R2, R3, R4)

Region: WECC

Issue: Based on WECC_URE1’s self-certification response that it had not started complying with Reliability Standard CIP-002-1, WECC found that WECC_URE1 had not documented a risk-based assessment methodology (RBAM) for identifying its Critical Assets (R1). WECC_URE1 also did not develop a list of Critical Assets identified by the RBAM (R2) or a list of its associated Critical Cyber Assets that are essential to the operation of the Critical Assets (R3). In addition, WECC_URE1 did not appoint a senior manager to approve, on an annual basis, the list of Critical Assets or Critical Cyber Assets (R4).

Finding: WECC found that the CIP-002-1 violations constituted a moderate risk to bulk power system reliability. WECC_URE1 operates a facility with a nameplate capacity of less than 30 MW and has only one interconnection with the bulk power system. In addition, WECC_URE1 sells all of its output to one entity (and does not have a significant impact on the purchaser’s electricity supply). After WECC_URE1 incorporated its RBAM, it was determined that WECC_URE1 did not have any Critical Assets or Critical Cyber Assets (and therefore there was no actual risk to the bulk power system). WECC_URE1 developed a compliance program to manage its future compliance efforts (which was evaluated as a mitigating factor). However, WECC_URE1 was not cooperative during the compliance audit process and did not timely complete the required self-certifications (which were evaluated as aggravating factors).

Penalty: $90,000 (aggregate for 14 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, Docket No. NP11-270-000 (September 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: RFC

Issue: During a spot check, RFC found that RFC_URE4 had not identified six of its Cyber Assets as Critical Cyber Assets (CCAs): four workstations that use a routable protocol to communicate outside the Electronic Security Perimeter (ESP) and two workstations that use a routable protocol within a control center.

Finding: RFC found that the violation posed a moderate risk to bulk power system reliability. All of the users at the relevant workstations had received personnel risk assessments and had authorizations to access the CCAs. In addition, the four workstations outside the ESP had three levels of password protection, and the two workstations within the control center remained within the ESP and the Physical Security Perimeter (thereby receiving the same protection as the CCAs). Furthermore, RFC_URE4 had a compliance program in place (which RFC evaluated as a mitigating factor).

Penalty: $16,500 (aggregate for 3 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Lower

Region: FRCC

Issue: URE self-reported that it had six CCA devices (two monitoring racks and four control racks) that were not identified in its CCA list as required.

Finding: FRCC found that the violation constituted a moderate risk to BPS reliability. The relevant devices were misclassified for 26 days and were contained within a locked six-wall boundary inside a fenced site with armed guards and card access. The devices also could not be accessed remotely. URE had a compliance program in place, but it was only evaluated as a neutral factor.

Penalty: $55,000 (aggregate for 11 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-002-1

Requirement: R2, R4

Violation Risk Factor: High (R2), Lower (R4)

Violation Severity Level: Severe (R2), High (R4)

Region: WECC

Issue: URE self-reported that it verbally completed its Critical Asset Assessment, but did not have written documentation as required, and that it had erroneously labeled certain assets as “Critical” (R2). URE also self-reported that it did not have its Critical Asset Assessment list approved by a senior manager (R4).

Finding: WECC found that the violations constituted only a minimal risk to BPS reliability since URE, which has less than 100 miles of transmission lines, only misidentified three Critical Assets. In addition, URE had actually performed a Critical Asset Assessment verbally. WECC evaluated URE’s compliance program as a mitigating factor.

Penalty: $27,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)

Reliability Standard: CIP-002-1

Requirement: R1, R2 and R3

Violation Risk Factor: Lower (R1), High (R2 and R3)

Violation Severity Level: Not provided

Region: WECC

Issue: During an audit, WECC determined that URE (1) violated R1 because it failed to state how it considered all generation resources that support the reliable operation of the BPS in its RBAM; (2) violated R2 because it did not identify a substation as a CA in accordance with the blackstart capability/connectivity evaluation criteria in its RBAM; and (3) violated R3 because it failed to identify certain CAs as CCAs.

Finding: WECC determined that the R1 violation did not pose a serious or substantial risk to the BPS because URE is a net importer of energy, and URE does not have specific generating resources that support the reliable operation of the BPS other than certain blackstart units. WECC determined that the R2 violation did not pose a serious or substantial risk to the BPS because URE protected the substation in the same manner as its other CA substations that were properly identified, and proper classification of the substation did not uncover any additional CCAs. WECC determined that the R3 violation did not pose a serious or substantial risk to the BPS because URE did provide certain protections to the devices even though they were not identified as CCAs. Duration of the violations was from the date the Standard became enforceable through October 6, 2010 (R1 and R2) and September 3, 2010 (R3). WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations (though not the CIP-002-1 violations), URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.

Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)

FERC Order: Issued December 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2012)

Reliability Standard: CIP-002-1

Requirement: R1, R3

Violation Risk Factor: Medium (R1), High (R3)

Violation Severity Level: N/A (R1, R3)

Region: WECC

Issue: During a spot check, WECC found that the evaluation criteria in URE’s risk-based assessment methodology (RBAM) incorporated subjective criteria (such as personnel loss, customer confidence and environmental impact) that are unrelated to the criticality of the assets with regard to the BPS and that could lead to the misidentification of CAs. URE’s RBAM also improperly considered the likelihood of threats rather than measuring the impact of the loss of a CA (R1). WECC also determined that URE did not properly develop and review a list of the CCAs (including a list of the individual components associated with the identified CCAs) essential to the operation of its identified CAs (R3).

Finding: WECC found that the CIP-002-1 violations constituted only a minimal risk to the BPS. With regard to the R1 violation, deleting the subjective evaluation criteria from the RBAM did not result in any changes to the CAs identified. For the R3 violation, URE did have diagrams showing all assets included in its identified CCA system (even though it did not have a component-by-component list labeled as CCAs). In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $135,000 (aggregate for 20 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)

Reliability Standard: CIP-002-1

Requirement: R1.1; R3.1

Violation Risk Factor: Lower

Violation Severity Level: High (R1.1); N/A (R3.1)

Region: SPP

Issue: During a spot check, SPP determined URE had a violation of R1.1 because its documented risk-based assessment methodology for evaluating criteria used to identify Critical Assets was too vague to be effective. SPP also determined URE violated R3.1 because it had not identified and developed a complete list of CCAs. Specifically, the list did not include operator consoles and Inter-Control Center Communications Protocol (“ICCP”) systems because URE did not deem them “critical.”

Finding: SPP determined that the violations posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the BPS. The risk caused by the violation of R1.1 was found to be a documentation error because URE had a process for evaluating criteria and no new CCAs were identified once the violation was remedied. The violation of R3.1 posed minimal risk because URE had a list of CCAs that included most of its CCAs, and the ICCP and operator consoles were afforded the same protective measures as the documented CCAs. The ICCP and consoles were also protected by extra layers of security by virtue of their location within a secure area.

Penalty: $40,000 (aggregate for 14 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-20 (March 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R1, R2, R3, R4

Violation Risk Factor: Medium (R1), High (R2, R3), Lower (R4)

Violation Severity Level: Severe (R1, R2, R3, R4)

Region: WECC

Issue: URE self-certified that while it had determined that it did not possess any Critical Assets, it had not properly documented, as required, its risk-based assessment methodology for identifying Critical Assets (R1). Therefore, URE was also unable to provide the required list of Critical Assets (R2) or the list of CCAs needed for the Critical Assets (R3) when requested by WECC. Furthermore, URE did not maintain a signed and dated record of a senior manager approving its lists of Critical Assets and CCAs (R4).

Finding: WECC found that the CIP-002-1 violations constituted only a minimal risk to BPS reliability since URE had already determined that it did not possess any Critical Assets. URE also has a peak demand of less than 150 MW, and it is not responsible for generation reservations. In addition, URE does not operate systems or facilities that are needed for system restoration. In approving the settlement agreement, NERC BOTCC considered the fact that these were URE’s first violations of the relevant Reliability Standards; URE was cooperative during the enforcement process and did not conceal the violations; and the violations did not constitute a serious or substantial risk to BPS reliability.

Penalty: $60,000 (aggregate for 13 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: High

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE had not identified two substations correctly as CAs. The substations provide critical regional blackstart services and URE’s risk-based assessment methodology (RBAM) indicated that the substations should be considered CAs. URE had the combustion turbine that is connected to one of the substations and the transmission line between the two substations properly classified, but not the substations.

Finding: The violations constituted a minimal risk to BPS reliability because once the substations were included on the critical asset list, URE ultimately determined that the two substations contained no associated CCAs. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.

Penalty: $12,000 (aggregate for 10 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported a violation of R3, stating that its Critical Cyber Asset (CCA) inventory was incomplete because it did not include primary PC-integrated devices. URE also indicated that it had failed to identify one Cyber Asset (essential to the operation of another Critical Asset) as a CCA.

Finding: WECC determined that this violation posed a minimal risk to the reliability of the bulk power system (BPS) because the device in scope was located inside an ESP and Physical Security Perimeter (PSP), and thus was subject to the protections required by CIP-005 and CIP-006. In addition, only authorized personnel are granted access to these devices. URE completed a review and assessment of the Critical Asset inventory and the configuration of its devices (per CIP-002 R3). The missing device was added to the inventory one week after the Self-Report, and the inventory was updated again six weeks later. Unique device identifiers were created for tracking data collection and oversight in compliance activities.

Penalty: $21,000 (aggregate for 3 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-38 (July 31, 2012)

Reliability Standard: CIP-002-1

Requirement: R1/1.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: WECC found that URE’s Risk Based Assessment Methodology (RBAM), Versions 0 and 1, did not properly establish and document all of the criteria URE used to identify assets as Critical Assets. URE was using additional criteria to identify Critical Assets (such as EOP-005 system process documentation, Transmission Planning studies based on facility loss or incapacity, and regional documents such as the WECC Path Rating Catalog and Northwest Power Pool documentation) that were not included in URE’s RBAM process documents. Version 2 of URE’s RBAM identified all of the evaluation criteria.

Finding: WECC found that the CIP-002-1 violation only constituted a minimal risk to BPS reliability since URE did have an undocumented process in place pursuant to which it performed risk analyses, threat analyses, or business impact analyses as a factor to be used in the identification of Critical Assets (which reduced the risk of an asset being identified incorrectly). WECC also found that URE’s verification process for identifying Critical Assets functioned as a compensating measure. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were URE’s second or third violation of the relevant Reliability Standards; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE had an internal compliance program (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $72,000 (aggregate for 12 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-44-000 (August 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: FRCC

Issue: URE submitted a self-report explaining that it had not identified three virtual servers and three workstations as Critical Cyber Assets.

Finding: FRCC determined the violation posed a moderate risk to BPS reliability because the unidentified assets were all inside URE's ESP and PSP. In determining the appropriate penalty, FRCC gave credit to URE's internal compliance program as well as credit for cooperating through the audit process.

Penalty: $75,000 (aggregate for 10 violations)

FERC Order: Issued September 28, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: URE was found to be in violation of CIP-002-1 R3 because three switches were not identified as Critical Cyber Assets (CCAs) even though they directly support URE's primary control center. WECC found that the three switches were CCAs because they were used to configure, provide access to, and monitor the primary control center, which is an identified URE Critical Asset.

Finding: The violation was deemed to pose minimal risk to BPS reliability because URE provided some level of protection to these three switches as they are co-located and co-managed with URE's other primary control center CCAs. The relevant PSP is within a URE-operated controlled access area, where URE had security measures in place as prescribed by the Standard. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.

Penalty: $65,000 (for 11 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-002-1

Requirement: 2

Violation Risk Factor: High

Violation Severity Level: High

Region: SPP

Issue: While performing a CIP Spot Check of URE, SPP found that URE had not applied its risk based assessment methodology (RBAM) correctly so that it identified all of URE's CAs. In particular, URE's RBAM failed to identify a substation essential for the restoration of URE's system as a CA.

Finding: SPP deemed the violation to pose a minimal risk to BPS reliability because URE's transmission system resides within a larger loop with many ties to the Eastern Interconnection. The number of surrounding ties lessens any chance that power could not be restored to URE's system if the substation were unavailable. SPP's review of the substation found that it would not be critical to BPS reliability beyond restoring URE's system; as such, its risk to BPS reliability would arise only in the event of a blackout during which URE's system restoration was delayed because the substation was unavailable. In determining the appropriate penalty, SPP considered URE's compliance program as a mitigating factor. URE did not contest SPP's findings.

Penalty: $5,500

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: Following a self-report, WECC determined URE violated R3 because it failed to identify 13 CCAs that are essential to the operation of its CAs in its list of CCAs. Specifically, the 13 CCAs are essential to the operation of the substation, EMS and emergency operations center ESPs.

Finding: WECC determined that the violation posed a moderate risk to the reliability of the BPS because URE's failure to include the CCAs could cause them to be vulnerable to a cyber attack and they could be misused or inoperable during CA recovery efforts. The risk was mitigated because the CCAs at issue are located within ESPs and are subject to redundant protective measures such as intrusion detection systems. In approving the Settlement Agreement between WECC and URE, NERC BOTCC considered the following: URE's violation history, 11 of the 12 violations were self-reported, URE was cooperative, URE had a compliance program in place at the time of the violation, which was considered a mitigating factor, and there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.

Penalty: $200,000 (aggregate for 12 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 1, 2, 3, 4

Violation Risk Factor: Medium (1), High (2, 3), Lower (4)

Violation Severity Level: Severe (1, 2, 3, 4)

Region: RFC

Issue: During a compliance audit, RFC found that URE1's methodology for identifying Critical Assets did not specify how it was risk-based, as required, or properly document the risk basis used for 2 (out of the 8) criteria in the methodology. Thus, URE1's risk-based assessment methodology (RBAM) was not in compliance with the Reliability Standard (R1). RFC also determined that URE1 did not properly follow its RBAM, since it did not list and review all of its substations as possible Critical Assets (URE1's list of possible substation CCAs included a substation that was not included in URE1's list of possible Critical Assets) (R2). URE1 also did not properly develop its previous list of CCAs, as the list included five substations that were not part of URE1's Critical Assets list. In addition, URE1's procedure directed its personnel to eliminate a category of Cyber Assets before identifying the associated CCAs (instead of reviewing all Cyber Assets in order to identify all associated CCAs, as required). Also, while implementing its mitigation plan, URE1 failed to include two CCAs on its CCA list (R3). URE1 also did not have a signed and dated record of a senior manager's approval of there being no CCAs for the four substations identified as Cyber Assets. In addition, URE1 provided RFC with inconsistent evidence of its approval of its Critical Asset list and its CCA list; RFC therefore determined that URE1 was unable to demonstrate annual approval of either list. URE1 also did not have its RBAM timely approved by a senior manager and did not have a signature sheet documenting the senior manager's approval (R4).

Finding: RFC found that the CIP-002-1 R1, R2 and R3 violations constituted only a minimal risk to BPS reliability. For R1, URE1 did have protections in place for the identification and documentation of the CAs needed to support the operation of the BPS. URE1 had already identified a set of CAs, and it did not have to change any of its criteria or CA designations upon revising its RBAM to comply with the Reliability Standard. With regard to R2, URE1 had conducted a review and analysis of CAs, and the relevant substation did not actually contain any CAs. For R3, URE1 had actually developed a complete set of CCAs (and the inclusion of the MW criteria in the URE1 methodology did not affect its list of identified CCAs). Furthermore, while URE1 did not include the two CCAs on its list, it was still providing all the relevant devices with the required CCA protections. RFC found that the CIP-002-1 R4 violation constituted a moderate risk, since URE1's management was not very involved in CIP compliance and did not review and approve the required procedures. But URE1 had actually performed an annual assessment of its Critical Assets and CCAs, and once the processes were updated, URE1 did not identify any additional Critical Assets or CCAs. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a compliance audit, SPP found that URE did not identify one of its substations (which is in the electrical path of transmission lines used for initial system restoration for blackstart power) as a Critical Asset.

Finding: SPP found that the violation constituted only a minimal risk to BPS reliability since the substation did not contain any CCAs. URE also had built in redundancies as part of the blackstart portion of URE’s system restoration path, so URE would have been able to use another power station for blackstart initiation if there was a loss of the substation at issue. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: SPP RE

Issue: While conducting a CIP Spot Check, SPP RE determined that URE1 had not identified switches needed for the reliable operation of its control center as CCAs and, thus, the switches were not included on URE1’s CCA list. The unidentified switches use a routable protocol within the control center and therefore qualify as CCAs.

Finding: SPP RE found that the violation posed a minimal risk to BPS reliability, but not a serious or substantial risk; however, NERC determined the violation to be a moderate risk to BPS reliability based on similar violations in other regions. SPP RE determined that even though the switches were not identified as CCAs, they were within both the ESP and PSP of URE1’s primary control center and protected against possible cyber attack. The violation began on November 4, 2010, and ended on November 8, 2010, when URE1 completed its Mitigation Plan. URE1 neither admitted nor denied the violation. In determining the appropriate penalty, SPP RE found URE1’s written ICP to be a neutral factor.

Total Penalty: $15,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: High

Region: WECC

Issue: In preparation for a CIP audit of URE2 and an affiliate’s facilities, URE2 found that six CCAs were not on its CCA list. URE2 updated the list in preparation for the audit, but it was found that URE2 had violated CIP-002-1 R3 by failing to develop a complete list of the CCAs essential to the operation of its Critical Assets.

Finding: WECC determined that the violation posed a minimal risk to BPS reliability, but not a serious or substantial risk. All of URE2’s CCAs were adequately protected although not identified on the CCA list. All devices had the following security protections: an original port scan; enabling of only necessary ports and services; a vulnerability assessment; user authentication using strong passwords; an appropriate use banner; antivirus protection; location within an Electronic Security Perimeter and within a Physical Security Perimeter with no external electronic connectivity beyond the access points; and appropriate access requirements (including business need for access, annual CIP training and up-to-date Personnel Risk Assessments) met for all individuals with access to these devices. In determining the appropriate penalty, WECC considered URE2’s ICP as a mitigating factor.

Total Penalty: $15,000

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 2 (URE2), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: While conducting a CIP Compliance Audit, RFC determined that URE2 did not include in its list of CCAs all Cyber Assets that use a routable protocol to communicate outside the ESP. Some of URE2’s operator consoles are operated remotely and communicate outside of an ESP using a routable protocol, but URE2 did not classify those Cyber Assets as CCAs.

Finding: RFC determined that the violation posed a moderate risk to the reliability of the BPS, but not a serious or substantial risk, because remote access into the ESP was protected by two levels of authentication requirements meaning URE2 had systems in place to guard against unauthorized access. RFC considered some aspects of URE2’s ICP to be mitigating factors in making its penalty determination. The violation began on December 17, 2010 and ended on May 31, 2011 when the Mitigation Plan was completed. URE2 neither admitted nor denied the violation.

Total Penalty: $65,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 1, 3

Violation Risk Factor: Medium (R1); High (R3)

Violation Severity Level: Severe (both)

Region: WECC

Issue: Based on a compliance audit, WECC determined that URE’s risk-based assessment methodology (RBAM) did not consider all assets as required by R1.2, and the RBAM did not provide enough detail regarding procedures and criteria used to identify Critical Assets as required by R1.1. WECC also determined that URE failed to identify ten Critical Cyber Assets (CCAs) associated with an identified Critical Asset in violation of R3.

Finding: WECC determined that the violations posed a minimal, and not a serious or substantial, risk to the reliability of the BPS because the violations were documentation failures, and URE’s corporate security policy provides sufficient protections to compensate for those failures. Also, the CCAs that were not identified were both physically and electronically secured during the violation period. URE self-reported some of the violations. The violations ran from the date the Standard became mandatory and enforceable for URE through the date URE completed its mitigation plan.

Total Penalty: $207,000 (aggregate for 12 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a compliance audit, SPP found that URE failed to identify a substation in the electrical path of transmission lines used for initial blackstart system restoration as a Critical Asset, as required.

Finding: SPP found that the CIP-002-1 R2 violation constituted only a minimal risk to BPS reliability. The substation did not contain any CCAs. In addition, URE's blackstart restoration plan had built-in redundancies, including both primary and alternate system restoration paths. Therefore, even if URE were to lose the substation, URE would be able to rely on an alternate power station to complete the blackstart initiation. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). The NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 2

Violation Risk Factor: High

Violation Severity Level: High

Region: SERC

Issue: During a spot check, SERC determined that URE did not associate all of its Critical Cyber Assets (CCAs) with Critical Assets (CAs) as URE included its control centers in its annual CA list but not in its annual CCA list.

Finding: SERC found that the CIP-002-1 R2 violation constituted a moderate risk to BPS reliability as there could potentially be inadequate protection of the CCAs as a result of a failure to properly identify CAs and CCAs. But, the control systems were part of the CCA list and were, thus, receiving the proper protections. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: SERC found that URE had multiple violations of this Reliability Standard. First, URE self-reported that it had eight control center workstations which should have been designated as Critical Cyber Assets (CCAs) but that were omitted from URE's CCA List. URE originally developed its list from a manual compilation of its physical asset inventory, and only identified the missing CCAs when a reconciliation was made against a list of Cyber Assets that were identified by an automated reporting tool. URE also had four switch devices that were improperly excluded from the CCA list. In addition, URE included an entire system as a single asset on its CCA list, even though it was required to be listed by system subcomponents (terminal servers for URE's supervisory control and data acquisition system (SCADA) Management Platform) as other CIP Standards applied to those subcomponents. URE also self-reported that a communication processor was improperly excluded from the CCA list as it was not part of URE's database (which was the source of URE's CCA list). Furthermore, URE had 16 server and emergency management system server CCAs that had been misclassified as non-critical Cyber Assets. Thus, URE did not have a complete CCA list for three years.

Finding: SERC found that the CIP-002-1 R3 violations constituted a serious and substantial risk to BPS reliability. In regards to CIP-002-1 R3, by not having a complete list of CCAs, all of URE's CCAs may not have received the required protective measures, resulting in those devices being vulnerable to being compromised or rendered inoperable. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 3/3.2/3.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it had not identified all components of its storage area network solution as CCAs (such as fiber switches, a phone switch, a modem-connected processor).

Finding: WECC found that the violation constituted a minimal risk to BPS reliability because each component had security protections in place such as being located in a PSP, among other protections.

Total Penalty: $4,250

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 3, 4

Violation Risk Factor: High (3), Lower (4)

Violation Severity Level: High (3), Severe (4)

Region: TRE

Issue: During a compliance audit, TRE determined that URE did not review or update annually, as required, its list of CCAs essential to the operation of its Critical Assets (3). URE also did not have a designated senior manager sign and date its risk-based assessment methodology (RBAM) and its lists of Critical Assets and CCAs, as required (4).

Finding: TRE found that the CIP-002-1 R3 and R4 violations constituted a moderate risk to BPS reliability. But, the risk was mitigated by the fact that URE had actually implemented the documents at issue and was only missing documentation regarding the annual review, signatures and dates. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-002-1

Requirement: 3, 4

Violation Risk Factor: High (R3); Lower (R4)

Violation Severity Level: High (R3); Severe (R4)

Region: Texas RE

Issue: While conducting a CIP compliance audit of URE, Texas RE found that URE could not show that its list of CCAs had been updated or reviewed annually as required (R3). URE provided a list of CCAs, but the senior manager responsible for CIP compliance had not signed the document until after the compliance audit had started (R4). Further, URE’s risk-based assessment methodology and cyber assets lists presented to Texas RE also had not been signed or dated by the responsible senior manager prior to the audit (R4). The duration of the violation was from the date the Reliability Standards became enforceable until URE completed its Mitigation Plans to correct the CIP violations.

Finding: The violations were deemed to pose moderate risk to BPS reliability, but not serious or substantial risk. The risk was mitigated because URE did have the documents in place; however, they lacked the required review schedule and signatures and dates of review. URE and Texas RE entered into a Settlement Agreement to resolve the issues. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE, and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it did not properly update its CCA list for its generating station, as the list included 16 CCAs that were removed from service. URE also did not identify dial-up accessible Cyber Assets associated with the generating station’s automatic voltage regulator as CCAs as required.

Finding: WECC found that the CIP-002-1 violation constituted only a minimal risk to BPS reliability. URE had properly maintained its CCA list at its control center and, besides the one dial-up accessible device, the CCA list at the generating station was over-inclusive. In regards to the dial-up accessible device, the device actually had limited dial-up connectivity. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entities 1 and 2 (UREs), Docket No. NP13-39-000 (May 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 1; 1.1

Violation Risk Factor: Lower

Violation Severity Level: High

Region: SERC

Issue: URE 1 and URE 2 submitted a self-report describing a violation of CIP-002-1 R1 because the risk-based assessment methodology (RBAM) used to identify Critical Assets was not specific enough to determine in each instance whether the asset was a Critical Asset. In particular, the UREs classified their control center as a Critical Asset, but after the RBAM was revised, the control center was in fact not a Critical Asset. SERC found the UREs’ RBAM to be deficient in that it failed to include evaluation criteria to determine if an asset considered pursuant to CIP-002-1 R1.2 was in fact a “Critical Asset,” as that term is defined in the NERC Glossary of Terms.

Finding: The violation was deemed to pose a minimal risk to BPS reliability, but not a serious or substantial risk. Because the RBAM in use was overly broad, more assets were classified as Critical Assets even though they were not, and those assets thus had more protections than required. Ultimately, the UREs were found to have no Critical Assets. In determining the appropriate penalty, SERC considered the UREs’ ICPs as a mitigating factor.

Total Penalty: $0

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP14-17-000 (December 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it was in violation of the requirements of CIP-002-3 R3 because URE had not properly identified a device using a routable protocol to communicate outside its ESP as a Critical Cyber Asset essential for operating a Critical Asset. URE reported that the device had been disconnected but at some point was reconnected to the corporate environment without the proper steps and precautions found in the CIP Reliability Standards. WECC auditors ultimately determined the violation was actually to CIP-002-1 R3 for URE’s failure to properly identify all CCAs.

Finding: This violation was deemed by WECC to pose a moderate risk to BPS reliability, but not serious or substantial risk. The failure to identify devices as CCAs leaves such devices exposed and unprotected by the measures set forth in the CIP Reliability Standards. Risk was mitigated by several factors, including that the devices were remotely accessible through the corporate network, and URE owns all communication channels, so no internet or public wires were connected. Also, the devices are housed in substation control centers with restricted access. In determining the appropriate penalty, WECC considered that URE had two previous violations of CIP-002 R3, which was an aggravating factor; but URE has a compliance program in place that was given mitigating credit. URE followed all compliance orders; was cooperative during the enforcement process; and did not attempt to or intend to conceal a violation.

Total Penalty: $144,000 (aggregate for two violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-19-000 (December 30, 2013)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: WECC

Issue: During a compliance audit, WECC determined that URE failed to properly identify numerous Critical Assets as CCAs and therefore did not assess several Critical Asset substations (each of which housed a Remedial Action Scheme (RAS)) for associated CCAs essential to substation operations.

Finding: WECC determined that the violation constituted a moderate risk to BPS reliability. However, while URE did identify CCAs at a few control centers, it was determined that there were no CCAs at the substations as the RAS equipment at the substations consisted of serial connections found not to be essential to the function of the facilities. In approving the settlement agreement, the NERC BOTCC found that the violations did not constitute a serious or substantial risk to BPS reliability. However, this was URE’s second violation of CIP-004-3 R4, which was viewed as an aggravating factor. URE cooperated throughout the enforcement process and did not conceal the violations. URE also committed to engage in additional actions to mitigate the violations and ensure future compliance.

Penalty: $185,000 (aggregate for 11 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-002-1

Requirement: 3

Violation Risk Factor: High

Violation Severity Level: High

Region: SERC

Issue: URE self-reported that in the course of preparing for its annual Cyber Vulnerability Assessment, it found two switches located in an ESP that were essential to the operation of Critical Assets but were not included, as required, on the CCA list.

Finding: SERC found that the CIP-002-1 R3 violation constituted a moderate risk to BPS reliability as the two switches at issue did not receive all of the required CCA protective measures and thus there was an increased risk the switches would become compromised. URE did have a procedure in place for identifying CCAs, even though the procedure was not sufficiently detailed and led to the exclusion of the two switches from the CCA list. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-32 (February 27, 2014)

Reliability Standard: CIP-002-1

Requirement: 2

Violation Risk Factor: High

Violation Severity Level: Moderate

Region: SPP

Issue: During a spot check, SPP determined that, in identifying Critical Assets, URE had not properly applied the evaluation criteria contained in its risk-based assessment methodology (RBAM). As URE did not correctly answer questions regarding its blackstart generator and its primary and backup control centers in the consequence analysis part of its RBAM, URE did not identify these assets as Critical Assets, as required.

Finding: SPP found that the violation constituted a moderate risk to BPS reliability. As they were not identified as Critical Assets, the primary and backup control centers (which are designated as Medium impact under the bright-line criteria) may not have received the required protections and may have been vulnerable to being destroyed, degraded, misused or otherwise rendered unavailable as a result of a cyber-attack. But, URE’s failure to identify a blackstart unit and its associated substation (which are designated as Low impact under the bright-line criteria) as Critical Assets is moot since there are no CCAs associated with the blackstart unit. URE also had implemented other corporate physical and electronic cyber security measures. In addition, URE’s size and location were viewed as a mitigating factor. URE stipulates and agrees to the fact of the violation. In approving the settlement agreement, NERC BOTCC considered the fact that this was URE’s first violation of the relevant Reliability Standards. In response to the violation, URE agreed to have its control centers identified as Critical Assets and to bring any associated CCAs into compliance with the Reliability Standards. URE has a compliance program in place, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violation. In addition, the violation did not constitute a serious or substantial risk to BPS reliability.

Total Penalty: $0

FERC Order: Issued March 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-002-1

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC discovered that URE2 did not have sufficient evidence showing that it conducted a power flow analysis to develop its list of Critical Assets, as required by its risk-based assessment methodology.

Finding: RFC determined that this violation constituted only a minimal risk to the BPS reliability. URE2 did have a procedure requiring other criteria for identifying Critical Assets. URE2 was not required to use a power flow analysis to identify Critical Assets and the power flow analysis was only included in URE2’s risk-based methodology by mistake. In fact, the power flow analysis was only intended to be used by third parties to confirm URE2’s asset classification. URE2 (along with URE1 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC determined that URE2 did not possess sufficient documentation showing that it had evaluated all of its Cyber Assets associated with a Critical Asset in developing its list of CCAs.

Finding: RFC determined that this violation constituted a moderate risk to BPS reliability as the failure to develop a complete CCA list increased the risk that URE2 would not be able to identify and provide the required protections to all of its CCAs. But, RFC considered this violation to relate to a documentation error as URE2 did actually conduct the required annual review. URE2 (along with URE1 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-002-1

Requirement: R4

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: During a compliance audit, RFC found that URE2 did not have sufficient evidence showing senior management or delegate approval of its Critical Assets list, CCA list, and risk-based assessment methodology on an annual basis as required.

Finding: RFC determined that this violation constituted only a minimal risk to BPS reliability as URE2 was actually obtaining the required senior management or delegate approval on an annual basis. URE2 (along with URE1 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-002-1

Requirement: R2

Violation Risk Factor: High

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported that its list of Critical Assets incorrectly included or omitted substations due to errors made when transferring data from lists and maps.

Finding: Texas RE found that the violation constituted only a minimal risk to the BPS reliability as the errors on URE's Critical Asset list were transcription errors and the information on the originating lists was correct. URE correctly applied its risk-based methodology and the omitted substations were provided the same protections required for Critical Assets. In addition, URE provided the same safeguards, procedures, processes and security measures to all its station-based Cyber Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-002-1

Requirement: R3/R3.1/R3.2

Violation Risk Factor: High

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported that for several years its list of Critical Assets incorrectly included or omitted substations and their associated CCAs and did not list switches with routable protocols (connected to two backup inter-control center protocol devices) as CCAs.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability as the CCAs that were not on URE's list of Critical Assets were located within a secured ESP and the required protections of Standards CIP-003-1 through CIP-009-1 were met. The CCAs at issue were kept behind URE's firewall and protected by an intrusion protection system that monitored and sent alerts for unknown communications within URE's ESP that were investigated. In addition, all of URE's primary CCAs, considered the "core network", were located in a secure facility that was continuously monitored. URE provided the same safeguards, procedures, processes, and security measures to all relevant Critical Assets. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-11-000 (November 25, 2014)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: High

Region: ReliabilityFirst, MRO and SERC (collectively, "Regions")

Issue: During a compliance audit, ReliabilityFirst determined that URE did not classify time and frequency devices as Critical Cyber Assets as well as certain laptop computers that URE erroneously allowed remote access to.

Finding: ReliabilityFirst determined that the violation constituted a moderate risk to the BPS reliability as the two assets at issue could have led to significant harm to the BPS due to URE's inadequate process for identifying CCAs. Specifically, URE's process for identifying Critical Cyber Assets failed to review Cyber Assets related to each CCA, but instead identified essential functions first, then applications to support those functions, and lastly Cyber Assets to support those applications. This could have resulted in missing CCAs. However, regarding the time and frequency devices at issue, the risk was mitigated by URE's strong defense-in-depth security strategies including physical and electronic access controls, a change management process, redundant configurations, and account and access management controls which provide strong protections against any unauthorized attempt to reach URE's data systems and Cyber Assets. Additionally, any action using the laptops that would have affected the BPS required one to be physically present and to log in to the system; therefore, that risk was eliminated. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had a compliance program in place at the time of the violations. While none of the violations independently posed a serious or substantial threat to the BPS reliability, collectively they represented a significant risk to BPS reliability. Eighteen of the violations posed only a minimal or moderate risk to the BPS reliability and only one posed a serious or substantial risk to the BPS reliability. URE did have a history of prior violations; however, this was their first comprehensive CIP audit so the Regions did not consider their prior history an aggravating factor. URE self-reported several of the violations, performed several reliability enhancements and outreach programs and agreed to above and beyond compliance measures, including the implementation of an improvement program that is focused on improving its compliance with CIP standards and cybersecurity efforts. However, due to the duration of several of URE's violations, the Regions considered this risk negatively. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations. There were no additional mitigating factors that affected the penalty.

Penalty: $75,000 (aggregate for 19 violations)

FERC Order: Issued December 23, 2014 (no further review)

Unidentified Registered Entities (UREs), FERC Docket No. NP15-15-000 (December 30, 2014)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: SERC

Issue: URE1 self-reported that it failed to correctly identify all CCAs essential to the operation of Critical Assets when it misclassified workstations in its ESP, which if compromised could have adversely affected its emergency management system (EMS) and the bulk power system, as Critical Assets instead of Critical Cyber Assets.

Finding: SERC determined that the violation posed only a minimal risk to BPS reliability, as URE1 gave the misclassified workstations the same protections it gives its Critical Cyber Assets. The workstations at issue could only be accessed physically, because remote access was disabled. In addition, operators, support staff and on-site security officers were present at 90% of the workstations 24/7. The remaining 10% of workstations had real-time security monitoring, with physical and logical access alarms and security cameras. URE1 used two intrusion detection systems: one monitoring for port scans or pings against its EMS, and another on the firewalls at the ESP access points for the workstations. A Physical Security Perimeter (PSP) surrounded the workstations at issue, and the workstations were maintained within a protected ESP. The UREs neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the UREs' history of violations an aggravating factor. However, the UREs did have an internal compliance program in place, which SERC considered a mitigating factor. Although URE1 self-reported the violation, the UREs did not receive mitigating credit for it because the report was made after receiving a compliance audit notice. While three of the violations posed a serious or substantial risk to BPS reliability, the majority (18) posed only a minimal or moderate risk. The UREs agreed to additional mitigating actions, including adding staff (including converting contractors to full-time employees), conducting human performance training at a cost of $50,000, installing firewall analyzer software at a cost of $485,000, and additional mitigating measures for five of the violations. The UREs were cooperative throughout the enforcement process, and there was no evidence that they concealed the violations.

Penalty: $120,000 (aggregate for 21 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity (URE), FERC Docket No. NP15-17-000 (December 30, 2014)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that three devices associated with its Critical Assets, used to convert remote terminal unit (RTU) data between transmission control protocol/internet protocol (TCP/IP) and serial communications, were not identified as using a routable protocol and therefore were not included on URE's list of Critical Cyber Assets.

Finding: WECC determined that the violation posed only a minimal risk to BPS reliability, as the devices remained inside Physical and Electronic Security Perimeters where access was restricted to authorized staff holding the required authorizations for each individual device. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's prior violation history an aggravating factor. However, WECC gave URE mitigating credit for its compliance program and for agreeing to perform voluntary corrective actions. WECC also determined that all of the violations posed only a minimal, and not a moderate, serious or substantial, risk to BPS reliability. URE was cooperative throughout the enforcement process and did not attempt to conceal the violations.

Penalty: $120,000 (aggregate for 13 violations)

FERC Order: Order on Review of Notice of Penalty, issued January 29, 2015. 150 FERC ¶ 61,051.

Unidentified Registered Entity (URE), FERC Docket No. NP15-20-000 (February 26, 2015)

Reliability Standard: CIP-002-1

Requirement: R3

Violation Risk Factor: High

Violation Severity Level: Severe

Region: SERC

Issue: During a compliance audit, SERC determined that URE had not identified network switches within its Energy Management System (EMS), which provide real-time operational decision-making information and situational awareness, as Critical Cyber Assets.

Finding: SERC found that the violation posed only a minimal, and not a serious or substantial, risk to BPS reliability. The switches were protected by URE as if they had been classified as CCAs, and they sat behind firewalls within an Electronic Security Perimeter (ESP). In addition, a six-wall Physical Security Perimeter (PSP) enclosed the ESP where the switches were located, and URE had Technical Feasibility Exceptions on file for devices that were not able to comply with NERC requirements. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered URE's history of violations an aggravating factor. However, URE did have a compliance program in place, which SERC considered a mitigating factor. Eleven of the violations were self-reported by URE, two of them after URE received notice of an upcoming compliance audit. One violation, although self-reported, did pose a serious or substantial risk to BPS reliability. URE was cooperative throughout the enforcement process and did not attempt to conceal any of the violations. There were no other mitigating or aggravating factors associated with URE's violations.

Penalty: $70,000 (aggregate for 12 violations)

FERC Order: Pending

Unidentified Registered Entities 3, 4 and 5, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-002-1

Requirement: R3.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During a compliance audit, ReliabilityFirst found that URE3, URE4 and URE5 failed to identify Cyber Assets, namely remote terminal units (RTUs) that were allowed to connect to the Electronic Access Control and Monitoring (EACM) system and communicate outside an ESP, as Critical Cyber Assets (CCAs).

Finding: ReliabilityFirst found that the violation posed a minimal, and not a serious or substantial, risk to BPS reliability. Despite the violation, the UREs largely protected the CCAs by using advanced secure access tools, rigorous change controls under CIP-004, and the protections of CIP-006. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that individual UREs subject to the settlement agreement had: (1) implemented internal compliance programs before the violations, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had already been fully sanctioned for those violations in a FERC-approved settlement. The UREs' mitigation plan included (1) developing a new Cyber Systems Identification Methodology for Bulk Electric System (BES) assets to identify serially connected Cyber Assets, and (2) ensuring that the RTUs meet the requirements for Medium Impact BES Cyber Systems.

Penalty: $0 (aggregate for 22 violations)

FERC Order: No further review; the settlement took effect on May 29, 2015.

Unidentified Registered Entities 3, 4 and 5, FERC Docket No. NP15-26-000 (April 30, 2015)

Reliability Standard: CIP-002-1

Requirement: R3.1

Violation Risk Factor: High

Violation Severity Level: Severe

Region: ReliabilityFirst

Issue: During a compliance audit, ReliabilityFirst found that URE3, URE4 and URE5 failed to identify Cyber Assets, namely remote terminal units (RTUs) that were allowed to connect to the Electronic Access Control and Monitoring (EACM) system and communicate outside an ESP, as Critical Cyber Assets (CCAs).

Finding: ReliabilityFirst found that the violation posed a minimal, and not a serious or substantial, risk to BPS reliability. Despite the violation, the UREs largely protected the CCAs by using advanced secure access tools, rigorous change controls under CIP-004, and the protections of CIP-006. The UREs neither admitted nor denied the violations. In approving the settlement between ReliabilityFirst and five UREs in total, NERC considered the UREs' prior violations and the minimal to moderate risk posed by the current violations. As mitigating factors, NERC found that individual UREs subject to the settlement agreement had: (1) implemented internal compliance programs before the violations, (2) self-reported violations, (3) cooperated throughout the enforcement process, (4) not attempted or intended to conceal the violations, and (5) made significant progress in post-violation compliance. ReliabilityFirst found that no penalty was necessary because the violations posed minimal risk, the UREs demonstrated improvements in compliance, and the UREs with prior violations had already been fully sanctioned for those violations in a FERC-approved settlement. The UREs' mitigation plan included (1) developing a new Cyber Systems Identification Methodology for Bulk Electric System (BES) assets to identify serially connected Cyber Assets, and (2) ensuring that the RTUs meet the requirements for Medium Impact BES Cyber Systems.

Penalty: $0 (aggregate for 22 violations)

FERC Order: No further review; the settlement took effect on May 29, 2015.