NERC Case Notes: Reliability Standard CIP-002-5.1a

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: NPCC2018020347

Reliability Standard: CIP-002-5.1a

Requirement: R1.1, R1.2, R1.3

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a third-party contractor evaluated its compliance program, an unidentified entity submitted a September 5, 2018 Self-Report when it discovered that, in June 2017, it was not in compliance with the reliability standard. The entity had not realized that there was a new version of the Critical Infrastructure Procedures standards. The root cause of this violation was a lack of awareness of several NERC reliability standard requirement obligations. Specifically, the entity did not incorporate NERC reliability standard amendments into its compliance program.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system (BPS) reliability. By failing to identify the impact level of its assets, the entity exposed Cyber Assets to unauthorized use. However, the facility in scope has been classified as a Low Impact Asset that runs a few times a year. Furthermore, the entity’s process information system monitors the asset and would send information if the connection were interrupted. In addition, the Low Impact Asset was protected from unauthorized physical access. The violation began on March 29, 2017 when the entity failed to implement a process to identify its Bulk Electric System (BES) Cyber Systems and ended on September 4, 2018 when the entity developed a process to identify and rate its BES Cyber Systems. NPCC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. NPCC noted that the compliance exception treatment was not appropriate based on the entity’s lack of due diligence and overall lack of NERC compliance awareness. To mitigate the violation, the entity contracted a third party to create a compliance program and developed and implemented a process for identifying the impact level of assets.

Furthermore, to prevent recurrence, the entity implemented an automated system and tasks to ensure NERC activities are tracked and completed.

Penalty: $10,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: NPCC2018020348

Reliability Standard: CIP-002-5.1a

Requirement: R2.1, R2.2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: On September 5, 2018, after a third-party contractor evaluated its compliance program, an unidentified entity submitted a Self-Report when it discovered that, in June 2017, it was not in compliance with the reliability standard. The entity failed to implement a process to identify its Bulk Electric System (BES) Cyber Systems, and thus did not review or obtain Critical Infrastructure Procedures (CIP) Senior Manager approval of the identified impact levels. The entity had not realized that there was a new version of the CIP standards. The root cause of this violation was a lack of awareness of several NERC reliability standard requirement obligations. Specifically, the entity did not incorporate NERC reliability standard amendments into its compliance program.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify the impact level of its assets, the entity exposed Cyber Assets to unauthorized use. However, the facility in scope had been classified as a Low Impact Asset that runs a few times a year. Furthermore, the entity’s process information system monitors the asset and would send information if the connection were interrupted. In addition, the Low Impact Asset was protected from unauthorized physical access. The violation began on March 29, 2017 when the entity failed to implement a process to identify its Bulk Electric System (BES) Cyber Systems and ended on September 4, 2018 when the entity developed a process for identifying and rating its BES Cyber Systems, designated a CIP Senior Manager, and reviewed and approved its identified impact level. NPCC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. NPCC noted that the compliance exception treatment was not appropriate based on the entity’s lack of due diligence and overall lack of NERC compliance awareness. To mitigate the violation, the entity contracted a third party to create a compliance program, developed and implemented a process for identifying the impact level of assets, designated a CIP Senior Manager, and reviewed and obtained CIP Senior Manager approval of the identified impact level. Furthermore, to prevent recurrence, the entity implemented an automated system and tasks to ensure NERC activities are tracked and completed.

Penalty: $10,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: NPCC2018020060

Reliability Standard: CIP-002-5.1a

Requirement: R2 (2.1, 2.2)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a Compliance Audit, NPCC determined that an unidentified entity was not in compliance with the Reliability Standard and Requirement. Specifically, the entity’s procedures were based on older standards, and the entity did not update its procedures when the new version of the Critical Infrastructure Procedure (CIP) Standards went into effect. In July 2018, the entity conducted an internal audit and discovered that the procedures had not been updated, but did not see this as a major violation. The entity stated that it was fully aware that the asset was low impact, which is why it did not update the documentation. The root causes of the violation were a lack of accountability and management oversight.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify Bulk Electric System Cyber Systems that are applicable to the CIP Standards, the entity may fail to ensure CIP protections are afforded and maintained, which could expose applicable Cyber Assets to unauthorized use. However, the entity reduced the risk of Cyber Assets being compromised by affording physical and electronic protections. Furthermore, no harm is known to have occurred as a result of the noncompliance. The violation began on July 1, 2016, when the entity failed to review the identifications in Requirement R1 and have its CIP Senior Manager or delegate approve the identifications, and ended on July 13, 2018 when the entity implemented a process to identify the Impact Rating of its Assets and had its CIP Senior Manager approve the identifications. NPCC determined that the entity’s internal compliance program was a neutral factor in the penalty determination and that the entity’s compliance history revealed no relevant instances of noncompliance. The Compliance Exception treatment was deemed not appropriate based on the entity’s deliberate underlying conduct. To mitigate the violation, the entity updated and implemented its CIP-002 procedure to Version 5. To prevent recurrence, the entity implemented software to create and track tasks.

Penalty: $0

FERC Order: June 27, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: NPCC2018020063

Reliability Standard: CIP-002-5.1a

Requirement: R1 (1.1, 1.2, 1.3)

Violation Risk Factor: High

Violation Severity Level: Lower

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a Compliance Audit, NPCC determined that an unidentified entity was not in compliance with the Reliability Standard and Requirement. Specifically, the entity’s procedures were based on older standards, and the entity did not update its procedures when the new version of the Critical Infrastructure Procedure (CIP) Standards went into effect. In July 2018, the entity conducted an internal audit and discovered that the procedures had not been updated, but did not see this as a major violation. The entity stated that it was fully aware that the asset was low impact, which is why it did not update the documentation. The root causes of the violation were a lack of accountability and management oversight.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify Bulk Electric System (BES) Cyber Systems that are applicable to the CIP Standards, the entity may fail to ensure CIP protections are afforded and maintained, which could expose applicable Cyber Assets to unauthorized use. However, the entity reduced the risk of Cyber Assets being compromised by affording physical and electronic protections. Furthermore, no harm is known to have occurred as a result of the noncompliance. The violation began on July 1, 2016, when the entity failed to implement a process to assess applicable assets for BES Cyber Systems, and ended on July 13, 2018 when the entity implemented a process to identify the Impact Rating of its Assets. NPCC determined that the entity’s internal compliance program was a neutral factor in the penalty determination and that the entity’s compliance history revealed no relevant instances of noncompliance. The Compliance Exception treatment was deemed not appropriate based on the entity’s deliberate underlying conduct. To mitigate the violation, the entity updated and implemented its CIP-002 procedure to Version 5. To prevent recurrence, the entity implemented software to create and track tasks.

Penalty: $0

FERC Order: June 27, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: NPCC2018020064

Reliability Standard: CIP-002-5.1a

Requirement: R2 (2.1, 2.2)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a Compliance Audit, NPCC determined that an unidentified entity was not in compliance with the Reliability Standard and Requirement. Specifically, the entity’s procedures were based on older standards, and the entity did not update its procedures when the new version of the Critical Infrastructure Procedure (CIP) Standards went into effect. In July 2018, the entity conducted an internal audit and discovered that the procedures had not been updated, but did not see this as a major violation. The entity stated that it was fully aware that the asset was low impact, which is why it did not update the documentation. The root causes of the violation were a lack of accountability and management oversight.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify Bulk Electric System Cyber Systems that are applicable to the CIP Standards, the entity may fail to ensure CIP protections are afforded and maintained, which could expose applicable Cyber Assets to unauthorized use. However, the entity reduced the risk of Cyber Assets being compromised by affording physical and electronic protections. Furthermore, no harm is known to have occurred as a result of the noncompliance. The violation began on July 1, 2016, when the entity failed to review the identifications in Requirement R1 and have its CIP Senior Manager or delegate approve the identifications, and ended on July 13, 2018 when the entity implemented a process to identify the Impact Rating of its Assets and had its CIP Senior Manager approve the identifications. NPCC determined that the entity’s internal compliance program was a neutral factor in the penalty determination and that the entity’s compliance history revealed no relevant instances of noncompliance. The Compliance Exception treatment was deemed not appropriate based on the entity’s deliberate underlying conduct. To mitigate the violation, the entity updated and implemented its CIP-002 procedure to Version 5. To prevent recurrence, the entity implemented software to create and track tasks.

Penalty: $0

FERC Order: June 27, 2019 (no further review)