NERC Case Notes: Reliability Standard CIP-003-1

NERC Registered Entity, FERC Docket No. NP10-139-000 (July 6, 2010)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: The NERC Registered Entity failed to finalize a document or procedure to assign a senior manager to lead its implementation of, and adherence to, the CIP standards.

Finding: The NERC Registered Entity mitigated the violation by finalizing a formal document and procedure identifying a senior manager to lead its CIP standards compliance efforts.

Penalty: $3,000

FERC Order: Issued August 5, 2010 (no further review)

NERC Registered Entity, FERC Docket No. NP10-159-000 (July 30, 2010)

Reliability Standard: CIP-003-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: WECC

Issue: The Registered Entity self-reported that certain aspects of its new Energy Management System (EMS) were not fully compatible with its Cyber Security Policy and that it was not technically feasible for the EMS to conform to the policy. The Registered Entity did not have a documented exception for each instance in which the EMS could not conform to the policy.

Finding: Duration of the violation was from August 26, 2008 through January 29, 2009. This was the Registered Entity's first violation of the Reliability Standard.

Penalty: $109,000 (aggregate for multiple violations)

FERC Order: Issued August 27, 2010 (no further review)

SPP-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-003-1

Requirement: R1 (R1.1, R1.2)

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP

Issue: During a spot check, SPP found that an Unidentified Registered Entity's (URE-SPP1) Cyber Security Policy did not address all of the required elements mandated by Reliability Standards CIP-002 through CIP-009 (R1.1). In addition, URE-SPP1 did not make its Cyber Security Policy readily available to its SCADA and Energy Management System (EMS) vendor support personnel who had remote electronic access to the Critical Cyber Assets (R1.2).

Finding: SPP found that the violations caused only a minimal risk to bulk power system reliability. As to R1.1, URE-SPP1 did have a Cyber Security Policy that showed management's commitment to institute a compliance program for the CIP Reliability Standards. As to R1.2, URE-SPP1's SCADA and EMS vendor support personnel had only limited and controlled electronic access to the Critical Cyber Assets and were trained regarding the CIP-002 and CIP-009 Reliability Standards.

Penalty: $1,800

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP10-160-000 (September 13, 2010)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Not provided

Region: WECC

Issue: In June 2008, an Unidentified Registered Entity (URE) self-reported that its Cyber Security Policy did not meet all of the requirements of the CIP Reliability Standards.

Finding: WECC found that this violation did not pose a serious or substantial risk to the bulk power system because the URE had a Cyber Security Policy in place, even though the policy did not contain all of the required elements. The duration of the violation was from July 1, 2008 through October 16, 2009. Furthermore, the violation was self-reported and this was the URE's first violation of this Reliability Standard. Even though the URE completed its mitigation plan late, WECC decided not to impose a penalty.

Penalty: $0

FERC Order: Issued October 13, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-5-000 (October 7, 2010)

Reliability Standard: CIP-003-1

Requirement: R1, R2, R3

Violation Risk Factor: Medium (R1, R2); Lower (R3)

Violation Severity Level: N/A

Region: SERC

Issue: An Unidentified Registered Entity (URE) self-reported a violation for failing to have a risk-based methodology to identify Critical Assets. Accordingly, the URE also did not have a list of Critical Assets, nor did it have a list of associated Critical Cyber Assets.

Finding: The duration of the violations extended from July 1, 2008 (the date the Standard became enforceable) to September 12, 2008 (the date the URE mitigated the violations). The violations did not pose a serious or substantial risk to the reliability of the bulk power system because the URE is a small Balancing Authority with a low estimated summer peak. Moreover, once it conducted an evaluation pursuant to a risk-based methodology, it determined that it did not have any Critical Assets.

Penalty: $16,000 (aggregate for multiple violations)

FERC Order: Issued January 7, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-47-000 (November 30, 2010)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: An Unidentified Registered Entity ("URE") self-reported that it had failed to include in its cyber security policy the name, title, business phone, business address, and date of designation of its designated senior manager responsible for compliance with the NERC Reliability Standards.

Finding: NERC issued a Deficiency Notice of Penalty, which it explained is appropriate for violations that are administrative, minor or documentation in nature. In this case, the URE had designated a senior manager as the primary contact; it just failed to fully identify the individual.

Penalty: $0

FERC Order: Issued December 30, 2010 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-98-000 (January 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Lower

Region: WECC

Issue: The Unidentified Registered Entity (URE) self-reported a violation of CIP-003-1 R6 after discovering that seven anti-virus software application updates were installed without the authorization of the URE senior manager in contravention of the URE's change control process.

Finding: The violation did not pose a serious or substantial threat to the reliability of the bulk power system because although the software updates were not pre-approved by the senior manager, they were pre-approved by the Critical Cyber Assets owner and the senior manager approved the updates shortly after they were implemented. The URE has since revised its procedures so that antivirus software applications may be updated without the senior manager's approval. The NERC BOTCC determined this was the URE's first occurrence of this type of violation, the URE had a compliance program in place at the time of the violation, the URE was cooperative, and there was no evidence of an attempt or intent to conceal the violation.

Penalty: $5,000 (aggregated for multiple violations)

FERC Order: Issued March 2, 2011 (no further review)

Unidentified Registered Entity, MRO-2, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: During a spot check of Unidentified Registered Entity, MRO-2 (URE-MRO2), MRO determined that URE-MRO2 had not maintained evidence sufficient to confirm that its Cyber Security Policy was made readily available to contracted SCADA vendor personnel.

Finding: MRO determined that the violation posed minimal risk to the reliability of the bulk power system because, although there was no evidence that the SCADA vendor personnel had access to URE-MRO2's Cyber Security Policy, they were closely monitored while on-site and during remote interactive troubleshooting sessions.

Penalty: $0

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, NPCC-1, FERC Docket No. NP11-104-000 (February 1, 2011)

Reliability Standard: CIP-003-1

Requirement: R2.3

Violation Risk Factor: Lower

Violation Severity Level: High

Region: NPCC

Issue: Unidentified Registered Entity, NPCC-1 (URE-NPCC1) was unable to provide evidence that annual cyber security re-training had been completed by 20 of its staff with authorized cyber or unescorted physical access to Critical Cyber Assets.

Finding: NPCC determined that the alleged violation created minimal risk to the reliability of the bulk power system because the personnel who had not completed the required re-training within the timeframe required by NERC Reliability Standard CIP-004-1, "Cyber Security – Personnel and Training", had previously received and completed the required cyber awareness training as recently as November 2008, and re-training for all 20 staff members was completed by January 28, 2010.

Penalty: $5,000 (aggregate for multiple violations)

FERC Order: Issued March 3, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-124-000 (February 23, 2011)

Reliability Standard: CIP-003-1

Requirement: R4

Violation Risk Factor: Medium

Violation Severity Level: Moderate

Region: RFC

Issue: RFC found that the Unidentified Registered Entity (URE) failed to classify information associated with Critical Cyber Assets based on the sensitivity of the Critical Cyber Asset information.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $100,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted the URE's first violation of the subject NERC Reliability Standard; the URE self-reported 11 of the 16 violations; the URE cooperated during the compliance enforcement process; the URE's compliance program; the URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $100,000 (aggregate for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-128-000 (February 23, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R3

Violation Risk Factor: Medium (R1), Lower (R3)

Violation Severity Level: Not provided

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported violations of CIP-003-1 R1 and R3 after determining that its Cyber Security Policy did not adequately address the requirements of the CIP-002 through CIP-009 Reliability Standards, in violation of R1, and that, because its Cyber Security Policy was incomplete, URE could not document any exceptions for the inability to conform to the policy, as required by R3. Moreover, URE did not have a procedure in place for the senior manager to review and approve exceptions to the Cyber Security Policy on an annual basis.

Finding: The violations did not pose a serious or substantial threat to the reliability of the bulk power system because URE had security policies in place; they simply did not fully comport with all the requirements of CIP-003-1. Moreover, URE had evidence that most of the personnel in URE's critical facilities had received training on cyber security. In determining the penalty amount, the NERC Board of Trustees Compliance Committee considered the following factors: this was URE's first occurrence of this type of violation; URE was cooperative; and the number and nature of the violations.

Penalty: $450,000 (aggregated for multiple violations)

FERC Order: Issued March 25, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-140-000 (March 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: The Unidentified Registered Entity (URE) could not provide evidence that its cyber security policy was reviewed and approved annually by the senior manager, as required by CIP-003-1 R1.3, and failed to demonstrate that its senior manager was identified by business phone and business address prior to June 11, 2009, as required by CIP-003-1 R2.1.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a Settlement Agreement, including a penalty in the amount of $27,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violations constituted URE's first violations of the subject NERC Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE's compliance program; URE did not attempt to conceal a violation or intend to do so; the violations did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $27,000 (aggregate for 7 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-145-000 (March 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Unidentified Registered Entity (URE) had not properly documented and enacted a cyber security policy which incorporated all of the required elements (especially the mandate to implement a security awareness program designed to provide reinforcement on security practices to personnel with authorized access to Critical Cyber Assets).

Finding: WECC and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $13,000 and to undertake other mitigation measures. WECC found that the violation did not constitute a serious or substantial risk to bulk power system reliability since the URE was not required to establish a security awareness program until a specific date. The duration of the violation was from July 1, 2008 through June 22, 2009. In determining the penalty amount, NERC considered the fact that these were the URE's first violations of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not attempt to conceal the violations; and there were no additional mitigating or aggravating factors.

Penalty: $13,000 (aggregate for 4 violations)

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-155-000 (March 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it was only "substantially compliant" with R2 by December 31, 2008, when it was required to be "compliant" with the Standard, because it had not assigned a senior manager with overall responsibility to lead and manage implementation and adherence to CIP-002 through CIP-009. URE's attempt to later retract its self-certification was rejected because WECC determined a violation had occurred. Duration of violation was December 31, 2008, when the Standard became enforceable against URE, through November 30, 2009.

Finding: WECC Enforcement determined that the violation did not pose a serious or substantial risk to the bulk power system because URE was not required to be compliant with the remainder of the requirements of CIP-002 through CIP-009 until December 31, 2009. Further, the NERC BOTCC concluded the penalty appropriate because this was URE's first violation of the Standards involved, and URE was cooperative during the investigation.

Penalty: $2,000

FERC Order: Issued April 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-166-000 (April 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1 (R1.1)

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: Unidentified Registered Entity (URE), as a Responsible Entity, failed to document and implement a cyber security policy that addressed all of the requirements in CIP-002 through CIP-009.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty in the amount of $50,000 for this and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: the violation constituted URE's first violation of the subject Reliability Standard; URE self-reported some of the violations; URE cooperated during the compliance enforcement process; URE did not attempt to conceal a violation or intend to do so; the violation did not create a serious or substantial risk to the bulk power system; and there were no other mitigating or aggravating factors or extenuating circumstances.

Penalty: $50,000 (aggregate for multiple violations)

FERC Order: Issued May 27, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-184-000 (May 26, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R4, R5, R6

Violation Risk Factor: Medium (R1, R4), Lower (R5, R6)

Violation Severity Level: N/A

Region: RFC

Issue: Unidentified Registered Entity (URE) violated CIP-003-1 R1 because it failed to address certain requirements of CIP-002-1 through CIP-009-1 in its cyber security policy. In violation of CIP-003-1 R4, URE failed to implement and document a program to identify, classify and protect information associated with Critical Cyber Assets, which resulted in a failure to document the protections afforded the types of information listed in CIP-003-1 R4.1. URE also failed to keep a list of personnel responsible for authorizing access, in accordance with CIP-003-1 R5.1; to review its access privileges to protected information, consistent with CIP-003-1 R5.2; and to assess and document at least annually its processes for controlling access privileges to protected information, consistent with CIP-003-1 R5.3. In addition, URE failed to establish and document a process of change control and configuration management for adding, modifying or removing Critical Cyber Asset hardware or software, and to implement supporting configuration management activities to identify, control and document all entity- or vendor-related changes to hardware and software components of Critical Cyber Assets pursuant to the change control process, as required by CIP-003-1 R6.

Finding: The NERC Board of Trustees Compliance Committee (NERC BOTCC) approved a settlement agreement which included a penalty of $70,000 for these and other violations. In reaching this determination, the NERC BOTCC considered the following facts, among others: additional, unrelated violations of other Reliability Standards were either self-reported or discovered during a compliance audit; URE has an Internal Compliance Program which seeks to ensure compliance with all applicable Reliability Standards; and URE agreed to take actions that exceed those that would be expected to achieve and maintain baseline compliance.

Penalty: $70,000 (aggregate for 26 violations)

FERC Order: Issued September 9, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-188-000 (May 26, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP concluded that the Unidentified Registered Entity's (URE) Cyber Security Policy did not address all the requirements of CIP-002 through CIP-009, relying instead on a blanket statement in its code of ethics. Moreover, URE did not make the policy documents available to all of the personnel to whom the standard required it be made available. In addition, the Cyber Security Policy was approved by the CEO/Chairman of the Board instead of the Executive Vice President of Human Resources, who had been designated as the senior manager pursuant to the standard. The duration of the violation was from July 1, 2008, when the standard became enforceable, through June 30, 2010, when the violation was mitigated.

Finding: SPP determined that the violation posed a minimal risk to the bulk power system because URE expressed clear intent to comply with the Cyber Security Policy and had based its security policies on the same standards upon which the CIP cyber security standards were originally based. In addition, the personnel who did not receive copies of the Cyber Security Policy received excerpts applicable to their job requirements. Finally, the Executive Vice President of Human Resources reported to the CEO/Chairman of the Board, who approved the Cyber Security Policy even though he was not designated as the senior manager under the standard. The NERC BOTCC also considered that the URE self-reported certain of the violations and that this was the URE's first occurrence of violations of the standards.

Penalty: $16,860 (aggregate for 7 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-193-000 (May 26, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a CIP Spot-Check, WECC determined that URE did not document and implement a cyber security policy compliant with R1 prior to its effective date, because the first three versions of the cyber security policy did not address all of the requirements in Standards CIP-002 through CIP-009.

Finding: WECC determined that the violation posed only a minimal risk, and not a serious or substantial risk, to the reliability of the BPS because URE's policy and training were designed to support all of the requirements in Standards CIP-002 through CIP-009. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: this violation was URE's first violation of all but one of the Reliability Standards at issue in this NOP; URE self-reported three of the violations; URE was cooperative; URE had a compliance program, which WECC considered a mitigating factor; there was no evidence of an attempt or intent to conceal the violation; WECC determined that all but one of the violations posed a minimal risk, one violation posed a moderate risk, and none posed a serious or substantial risk to the BPS; and there were no other aggravating or mitigating factors.

Penalty: $60,000 (aggregated for 5 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-198-000 (May 26, 2011)

Reliability Standard: CIP-003-1

Requirement: R1 (R1.1/R1.2/R1.3)

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP discovered that the Unidentified Registered Entity (URE) did not possess a Cyber Security Policy that addressed all of the required elements nor was it approved by an authorized senior manager as mandated. In addition, the URE did not have all of its Cyber Security Policy documents available to all of its personnel who possessed authorized electronic or unescorted physical access to the Critical Cyber Assets.

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $17,860 and to undertake other mitigation measures. SPP found that the CIP-003-1 violation posed only a minimal risk to bulk power system reliability since the URE's Cyber Security Policy was based on the same standards upon which the CIP cyber security standards were originally based and stated the URE's intent to comply with the cyber security policies. In addition, the Cyber Security Policy was actually approved by the CEO/Chairman of the Board, to whom the authorized senior manager reports. Furthermore, the Cyber Security Policy was posted to the company intranet, and hard copies (specific to individual roles and responsibilities) were distributed to those personnel who did not have access to the company intranet. The duration of the CIP-003-1 violation was from July 1, 2008 through June 30, 2010. In approving the settlement agreement, NERC found that these violations were the URE's first violations of the relevant Reliability Standards; the PRC-005-1 violation was self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place when the violations occurred (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $17,860 (aggregate for 7 violations)

FERC Order: Issued June 24, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-204-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: A Registered Entity self-certified that, in four instances, it had not properly documented when its Cyber Assets could not conform to its Cyber Security Policy and did not provide evidence that those instances were exceptions authorized by senior management.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $37,500 and to undertake other mitigation measures. WECC found that the CIP-003-1 violation only constituted a minimal risk to bulk power system reliability since the relevant instances that were the subject of the violation were not directly related to the security controls for the Critical Cyber Assets. The duration of the CIP-003-1 violation was from July 1, 2008 through August 21, 2009. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $37,500 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-205-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Registered Entity had not properly documented and implemented a Cyber Security Policy that satisfied all of the requirements of the Reliability Standard.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $22,000 and to undertake other mitigation measures. WECC found that the CIP-003-1 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity did actually have a Cyber Security Policy in place that generally addressed the relevant cyber security components and was continuously making improvements to the policy. The duration of the CIP-003-1 violation was from July 1, 2008 through October 4, 2009. In approving the settlement agreement, NERC found that the violation of MOD-010-0 was self-reported; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $22,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-211-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: During a spot check, WECC found that the Registered Entity’s Cyber Security Policy did not contain all of the required elements mandated by the Reliability Standard.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $14,000 and to undertake other mitigation measures. WECC found that the CIP-003-1 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity’s Cyber Security Policy did actually address, in a general manner, all of the required components and the Registered Entity was complying with the requirements. The duration of the CIP-003-1 violation was from July 1, 2008 through October 14, 2009. In approving the settlement agreement, NERC found that these were the Registered Entity’s first violations of the relevant Reliability Standards; the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violations; there was a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.

Penalty: $14,000 (aggregate for 4 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-213-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Not provided

Region: WECC

Issue: During a spot check, WECC determined that the Registered Entity’s Cyber Security Policy did not meet all of the requirements of the Reliability Standard.

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $143,500 and to undertake other mitigation measures. WECC found that the CIP-003-1 violation constituted a moderate risk to bulk power system reliability since the Registered Entity’s Control Area Operations Department only provided a high-level framework for cyber systems security. The duration of the CIP-003-1 violation was from July 1, 2008 through June 29, 2009. In approving the settlement agreement, NERC found that the Registered Entity was cooperative during the enforcement proceeding and did not conceal the violation and there were no additional aggravating or mitigating factors.

Penalty: $143,500 (aggregate for 10 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-218-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R4

Violation Risk Factor: Lower (R1, R4)

Violation Severity Level: N/A

Region: WECC

Issue: WECC found that the Registered Entity did not possess a Cyber Security Policy that met all of the requirements of the Reliability Standard (R1). In addition, the Registered Entity had not been categorizing certain of its documents according to its Critical Cyber Asset Information Protection Program as required (R4).

Finding: WECC and the Registered Entity entered into a settlement agreement to resolve multiple violations, whereby the Registered Entity agreed to pay a penalty of $130,000 and to undertake other mitigation measures. WECC found that the CIP-003-1 R1 violation constituted only a minimal risk to bulk power system reliability since the Registered Entity's Cyber Security Policy covered (including through reference to other documents) many of the Reliability Standard's requirements. With regard to CIP-003-1 R4, WECC found that the violation constituted a moderate risk to bulk power system reliability. The duration of the CIP-003-1 violations was from July 1, 2008 through May 10, 2010 (R1) and April 15, 2010 (R4). In approving the settlement agreement, NERC found that there were three instances of noncompliance with Regional Reliability Standard PRC-STD-005-1 WR1 (which was evaluated as an aggravating factor); some of the violations were self-reported; the Registered Entity was cooperative during the enforcement process and did not conceal the violations; the Registered Entity had a compliance program in place (which was evaluated as a mitigating factor); the penalties for the violations of Reliability Standards EOP-001-0 R6 and EOP-005-1 R2 were aggregated since both penalties were based on a single act of noncompliance; the penalties for the violations of Reliability Standards PRC-STD-005-1 WR1 and VAR-STD-002b-1 WR1 were based on the respective Sanction Tables; and there were no additional aggravating or mitigating factors.

Penalty: $130,000 (aggregate for 27 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-223-000 (June 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP determined the Unidentified Registered Entity’s (URE) cyber security policy did not document and implement all of the relevant CIP requirements. Specifically, it did not conform to the password requirements in CIP-007-1 R5.3.2.

Finding: SPP assessed a $30,000 penalty for this and other violations. This violation did not pose a serious or substantial risk to the reliability of the Bulk Power System because URE developed strong passwords. The NERC BOTCC determined this was URE’s first occurrence of this type of violation; URE was cooperative; there was no evidence of any attempt or intent to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $30,000 (aggregate for 3 violations)

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R5.2/R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it did not timely perform an annual evaluation of its authorized access privileges or of its processes and documentation for controlling access, as required.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required evaluation within a year of the required date. The Registered Entity had also enacted the mandated access lists in a timely manner. The duration of the violation was from December 31, 2009 through December 30, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 2, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R5.2/R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it did not timely perform an annual evaluation of its authorized access privileges or of its processes and documentation for controlling access, as required.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity conducted the required evaluation within a year of the required date. The Registered Entity had also enacted the mandated access lists in a timely manner. The duration of the violation was from December 31, 2009 through December 30, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity 3, FERC Docket No. NP11-228-000 (June 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R5.2/R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The Registered Entity self-reported that it had not timely performed an evaluation of the authorized access privileges it had granted nor provided an assessment and documentation regarding controlling the access privileges.

Finding: RFC found that the violation constituted only a minimal risk to bulk power system reliability since the Registered Entity performed the required tasks within a year of the required date. The Registered Entity had developed all of the access privilege lists as required. The duration of the violation was from December 31, 2009 through December 30, 2010.

Penalty: $0

FERC Order: Issued July 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-229-000 (July 28, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R2, R3

Violation Risk Factor: Medium (R1, R2); Lower (R3)

Violation Severity Level: N/A

Region: WECC

Issue: During a spot-check, WECC determined that the Unidentified Registered Entity (URE) failed to document in its cyber security policy 30 Reliability Standards requirements in violation of R1, its senior manager’s title, business phone and business address in violation of R2, and exceptions to its cyber security policy within 30 days of those exceptions being approved by the senior manager in violation of R3.

Finding: WECC assessed a $75,000 penalty for these and other Reliability Standards violations. WECC determined that the violations posed a minimal risk, but did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because URE’s Critical Cyber Assets were protected by physical and electronic security measures and the violations were largely documentation violations. In approving the settlement between URE and WECC, the NERC BOTCC considered the following factors: the violations did not constitute repeat violations; URE self-reported one of the violations; URE was cooperative; there was no evidence of an attempt or intent to conceal the violations; WECC determined the violations did not pose a serious or substantial risk to the BPS; there were no other aggravating or mitigating factors.

Penalty: $75,000 (aggregated for multiple violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R1.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: NPCC

Issue: NPCC_URE2, as a Generator Operator and Owner, self-reported that it had not made its cyber security policy readily available to contractors who had access to or responsibility for Critical Cyber Assets (CCAs) as required.

Finding: NPCC found that this violation constituted only a minimal risk to bulk power system reliability since the relevant contractors had undergone NPCC_URE2’s CIP training (which covered the treatment and handling of the CCAs) and had received Personnel Risk Assessments before being granted access to the CCAs.

Penalty: $5,000

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: In December 2010, SERC_URE1, as a Load-Serving Entity, self-reported that it had not assigned a senior manager to have overall responsibility and authority for managing SERC_URE1’s compliance with the CIP Reliability Standards.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE1 does not possess any Critical Assets (nor does it own or operate any facilities that would satisfy the Critical Assets’ criteria). In addition, SERC_URE1 had appointed a senior manager to be responsible for approving SERC_URE1’s risk-based methodology and its list of Critical Assets. The duration of the violation was from December 31, 2008 through February 7, 2011.

Penalty: $0 (aggregate for 4 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: In December 2010, SERC_URE2, as a Load-Serving Entity, self-reported that it had not assigned a senior manager to have overall responsibility and authority for managing SERC_URE2’s compliance with the CIP Reliability Standards.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE2 had appointed a senior manager to be responsible for approving SERC_URE2’s risk-based methodology and its list of Critical Assets. In addition, SERC_URE2 (a small distribution utility that has a load of only 12 MW) is only on the NERC Compliance Registry since it owns and operates an automatic underfrequency load shedding system.

Penalty: $0 (aggregate for 6 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-253-000 (July 29, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: In December 2010, SERC_URE3, as a Load-Serving Entity, self-reported that it had not assigned a senior manager to have overall responsibility and authority for managing SERC_URE3’s compliance with the CIP Reliability Standards.

Finding: SERC found that this violation constituted only a minimal risk to bulk power system reliability since SERC_URE3 had appointed a senior manager to be responsible for approving SERC_URE3’s risk-based methodology and its list of Critical Assets. In addition, SERC_URE3 does not possess any Critical Assets (nor does it own or operate any facilities that would satisfy the Critical Assets’ criteria).

Penalty: $0 (aggregate for 6 violations)

FERC Order: Issued August 29, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-261-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: Following a Self-Report, RFC determined that the Unidentified Registered Entity (URE) violated R5 because it improperly granted access to the URE’s power plant to a contractor working on the development of cyber security controls on the plant’s control system.

Finding: RFC determined that the violation did not pose a serious or substantial risk to the reliability of the bulk power system because the violation only involved one individual and only covered a 24-hour period. URE was also familiar with the individual, who had previously assisted with designing the security system. In approving the settlement agreement, NERC found that this was not URE’s first violation of the subject Reliability Standards; URE self-reported seven of the eight violations; RFC considered it an aggravating factor that it discovered one of the violations in a Compliance Spot Check; URE was cooperative; URE had a compliance program, which RFC considered to be a mitigating factor; RFC determined that URE’s parent company operated the CIP compliance program and therefore should investigate and review all Self-Reports and violations of the URE; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $70,000 (aggregate for 8 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-262-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: During a spot-check, SPP determined the Unidentified Registered Entity (URE) violated R1.1 for failing to address all of the requirements of CIP-002 through CIP-009 in its cyber security policy. SPP also found URE violated R1.2 for failing to make the cyber security policy readily available to janitorial staff with unescorted physical access or to its Energy Management System (EMS) vendor support staff with electronic access to Critical Cyber Assets.

Finding: SPP determined that the violations posed a minimal risk, but did not pose a serious or substantial risk, to the reliability of the bulk power system because URE had a cyber security policy and training program in place and a compliance policy indicating management's commitment to comply with the Reliability Standards. Moreover, URE conducted personnel risk assessments on the janitorial staff and the EMS vendor support staff, provided them cyber security training, and properly maintained their access rights. In approving the settlement agreement, NERC found this was URE's first violation of the subject Reliability Standards; URE was cooperative; URE had a compliance program, which SPP considered to be a mitigating factor; there was no evidence of an intent or attempt to conceal a violation; and there were no other mitigating or aggravating factors.

Penalty: $12,000 (aggregate for 4 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-264-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: N/A

Region: SPP

Issue: During a spot check, SPP found that the Unidentified Registered Entity's (URE) Cyber Security Policy did not address emergency situations as required and was not readily available to its Energy Management System (EMS)/Supervisory Control and Data Acquisition (SCADA) vendor as mandated. In addition, the Cyber Security Policy did not reflect changes from Version 1 to Version 2 of the CIP Reliability Standards as it continued to allow for acceptance of risk, training within 90 days of personnel receiving access to the Critical Cyber Assets (CCAs), and performance of Personnel Risk Assessments within 30 days of personnel receiving access to the CCAs.

Finding: SPP and the URE entered into a settlement agreement to resolve multiple violations, whereby the URE agreed to pay a penalty of $8,000 and to undertake other mitigation measures. SPP found that the CIP-003-1 violation did not constitute a serious or substantial risk to bulk power system reliability. The URE revised its Risk Based Assessment Methodology to include modified procedures and evaluation criteria for identifying Critical Assets. Under the modified procedures and evaluation criteria, the URE does not own or operate any systems or facilities that have the potential to affect bulk power system reliability or operability. Therefore, the URE does not (and did not previously) possess any Critical Assets. As a result of this new finding, the violation of CIP-003-1 became moot. The duration of the violation was from July 1, 2008 through April 13, 2010. In approving the settlement agreement, NERC found that this was the URE's first violation of the relevant Reliability Standards; the URE was cooperative during the enforcement process and did not conceal the violations; and there were no additional aggravating or mitigating factors or other extenuating circumstances.

Penalty: $8,000 (aggregate for 9 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1.1, R2

Violation Risk Factor: Lower (R1.1), Medium (R2)

Violation Severity Level: Severe (R1.1, R2)

Region: SPP/RFC

Issue: During a joint spot check, SPP and RFC determined that SPP_URE1/RFC_URE1's Cyber Security Policy referenced a company standard that did not comply with the requirements of the CIP Reliability Standards. For example, although the Reliability Standards require a password to consist of a combination of three elements, SPP_URE1/RFC_URE1's Cyber Security Policy only mandated two elements. The Cyber Security Policy was also missing the required linkages with the company standards and procedures (R1.1). SPP_URE1/RFC_URE1 also designated three managers with shared responsibility for managing SPP_URE1/RFC_URE1's compliance with the Cyber Security Reliability Standards, instead of having only one as required (R2).

Finding: SPP and RFC found that the violations constituted only a minimal risk to bulk power system reliability. In terms of R1.1, SPP_URE1/RFC_URE1 had implemented robust policies to guard the security of its cyber security assets, including policies addressing the Cyber Security Reliability Standard (even though it did not reference those policies in its Cyber Security Policy). There were also no unauthorized access attempts. In terms of R2, the three managers provided strict oversight regarding SPP_URE1/RFC_URE1's compliance with the Cyber Security Reliability Standards with the managers being assigned to specific operating areas. The duration of the violations was from July 1, 2008 through December 31, 2009 (R1.1) and from July 1, 2008 through December 21, 2009 (R2).

Penalty: $10,000 (aggregate for 7 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1.2 (2 violations)

Violation Risk Factor: Lower (for both)

Violation Severity Level: Lower (for both)

Region: FRCC

Issue: FRCC determined that FRCC_URE1 had not made its cyber security policy readily available to 12 of its remote contractors that possessed logical access to the Critical Cyber Assets (CCAs) (one violation) and 19 of its contractors that had authorized access to the CCAs (one violation).

Finding: FRCC found that the violations did not constitute a serious or substantial risk to bulk power system reliability since the relevant contractors were knowledgeable of the cyber security controls and were from reputable companies that worked with cyber systems. In addition, the relevant contractors remotely accessed the system. The duration of the violations was from July 1, 2008 through March 24, 2010 and December 31, 2009 through August 27, 2010.

Penalty: $38,000 (aggregate for 11 violations)

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-266-000 (August 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: SERC_URE1, as a Load Serving Entity, self-reported that it had not assigned a senior manager to have overall responsibility for maintaining compliance with the Cyber Security Reliability Standards.

Finding: SERC found that the violation constituted only a minimal risk to bulk power system reliability since SERC_URE1 did not own or operate any Critical Assets. In addition, SERC_URE1 had tasked a senior manager with approving the risk-based methodology and developing the lists of critical assets and critical cyber assets. The duration of the violation was from December 31, 2008 through December 10, 2010.

Penalty: $0

FERC Order: Issued September 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP11-269-000 (September 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: During a spot check, WECC determined that URE failed to provide evidence that its cyber security policy addressed all requirements in CIP-002 through CIP-009, did not include provisions for emergency situations in its cyber security policy, and did not provide evidence that it made its cyber security policy available to all vendor personnel.

Finding: WECC determined that the violation did not pose a serious or substantial risk to the BPS because URE provided training to its personnel as well as the vendor that did not receive the cyber security policy. Duration of violation was June 18, 2007 through April 15, 2010. WECC and the NERC BOTCC took into consideration that URE had a compliance program as a particular mitigating factor.

Penalty: $225,000 (aggregate for 11 violations)

FERC Order: Issued October 28, 2011 (no further review)

Unidentified Registered Entities, FERC Docket No. NP12-1 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R4.1 (3 violations)

Violation Risk Factor: Medium (for R4.1 violations)

Violation Severity Level: Not provided

Region: RFC

Issue: Three UREs, all subsidiaries of the same Parent Company, self-reported that their information protection program did not include sufficiently clear instructions on classifying CA substation engineering documents and, therefore, the UREs’ personnel did not know the appropriate classification for those engineering documents or how to store or archive them.

Finding: RFC found that the CIP-003-1 violations constituted only a minimal risk to BPS reliability since the UREs classified all information related to the CA Substation as CAs. As this designation is the most stringent protection level under the UREs’ information protection program, the UREs’ CA information was fully protected. In determining the aggregate penalty amount, the NERC BOTCC considered, among other factors, that the Parent Company manages a uniform compliance program among all of its subsidiaries, which is communicated through multiple channels (such as compliance calls, software tools, and training programs). However, the mitigating credit for the compliance program was partially offset by the insufficient checks on the terminated Supervisor who was responsible for CIP compliance, as the UREs did not notice that the Supervisor was not fulfilling his obligations for the duration of the violations. The NERC BOTCC favorably evaluated the fact that the UREs took corrective action against the Supervisor once the problems were discovered and also initiated a system-wide compliance review.

Penalty: $275,000 (aggregate for 31 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-2 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it did not possess the required documentation showing that it had assigned a senior manager to be responsible for implementing and managing compliance with certain CIP Reliability Standards.

Finding: WECC found that the violation constituted a minimal risk to BPS reliability since URE had actually designated a senior manager with responsibility for the CIP Reliability Standards (even though it did not have the required supporting documentation). In addition, URE owns less than 100 miles of transmission lines, minimizing any impact the violation would have on the BPS. WECC evaluated URE’s compliance program as a mitigating factor.

Penalty: $27,000 (aggregate for 5 violations)

FERC Order: Issued November 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-3 (November 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R4, R5

Violation Risk Factor: Medium (R4), Lower (R5)

Violation Severity Level: Severe (R4, R5)

Region: WECC

Issue: URE self-reported (right before its self-certifications were due) that it had not properly developed and documented an information protection program designed to identify, classify, protect and control access to its CCA information (R4). URE also self-reported that it had not properly enacted and documented a program for managing access to its protected CCA information and did not have a list of its designated personnel that were responsible for granting logical and/or physical access to the CCA information (R5).

Finding: WECC found that the CIP-003-1 R4 violation constituted a moderate risk to BPS reliability. URE did have a cyber security training program in place that was focused on teaching people with access to URE’s CCAs about the security controls on CCA information. In regards to the CIP-003-1 R5 violation, WECC found that the violation constituted only a minimal risk to bulk power system reliability because of this cyber security training program. In approving the settlement agreement, the NERC BOTCC evaluated the following mitigating factors: URE’s PRC violations were self-reported; URE had a compliance program in place; URE was cooperative during the enforcement process and did not conceal the violations; and the violations did not constitute a serious or substantial risk to BPS reliability. However, the NERC BOTCC considered URE’s violation history as an aggravating factor.

Penalty: $125,000 (aggregate for 5 violations)

FERC Order: Issued December 30, 2011 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-4-000 (November 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1 and R4

Violation Risk Factor: Lower (R1) and Medium (R4)

Violation Severity Level: Not provided

Region: WECC

Issue: During an audit, WECC determined that URE violated R1 because it did not specifically and fully address each of the requirements of CIP-002 through CIP-009 in its cyber security policy. WECC determined that URE also violated R4 because it failed to follow its information protection program for document classification in some instances, and did not implement its program to identify, classify and protect information associated with CCAs.

Finding: WECC determined that the violations posed a minimal, and not a serious or substantial, risk to the reliability of the BPS. With regard to R1, URE demonstrated a high-level commitment to cyber security, and its senior manager did conduct an annual review of its cyber security policy in 2009 and 2010. With regard to R4, URE had a documented information protection program and took steps to protect such information; it merely failed to accurately label certain documents in accordance with its program. Duration of the violations was from the date the Standard became enforceable through June 29, 2009 (R1) and February 2, 2011 (R4). WECC and the NERC BOTCC took into consideration the following mitigating factors: URE self-reported certain of the violations (though not the CIP-003-1 violations), URE had an internal compliance program in place at the time of the violations, and URE’s compliance history.

Penalty: $160,000 (aggregate for 16 violations of 6 CIP standards)

FERC Order: Issued December 30, 2011 (no further review)

Unidentified Registered Entity 1, FERC Docket No. NP12-10 (December 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1/1.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP RE

Issue: SPP RE discovered during a spot check that SPP RE_URE1’s Cyber Security Policy (Policy) did not address the requirements of CIP-002-1 through CIP-009-1 as required by CIP-003-1 R1.1. For instance, the Policy did not address the requirement for authentication of access into the ESP required by CIP-005-1 R2.5 nor did the Policy reference the vulnerability review required by CIP-005-1 R4. SPP RE_URE1 had not updated its Policy to reflect Version 2 of the CIP Standards that were in effect at the time of the spot check. For instance, changes to the Incident Response Reporting Procedure should be reported within 30 days as required by CIP-008-2 R1.4, but the Policy provided for a 90-day period, which was consistent with the earlier version of CIP-008-1 R1.4.

Finding: The violation of CIP-003-1 R1.1 constituted a minimal risk to BPS reliability because it was found to be a documentation issue, and SPP RE_URE1’s Policy did address most of the CIP-002 through CIP-009 requirements. SPP RE considered SPP RE_URE1’s compliance programs a mitigating factor in determining the appropriate penalty.

Penalty: $68,000 (aggregate for 12 violations)

FERC Order: Issued January 27, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-11 (January 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R5

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: URE self-reported that even though it maintains a list of designated personnel responsible for authorizing logical or physical access to protected CCA information, the list did not explicitly allow the individuals to authorize the logical or physical access (but rather, the relevant individuals on the list were supposed to know they had the necessary authority). The list also only listed the individuals’ names and titles and did not provide any phone numbers or a description of the information for which they were responsible for authorizing access.

Finding: WECC found that the CIP-003-1 violation constituted only a minimal risk to the BPS since URE had already enacted procedures to protect its CCA information before the Reliability Standards came into effect. Under its policy, URE only granted access to the protected CCA information to those individuals with a legitimate business need for the information who had received an acceptable personnel risk assessment and CIP training. In determining the penalty amount, the NERC BOTCC evaluated URE’s violation history; some of the violations were self-reported; URE was cooperative during the enforcement process and did not conceal the violations; URE has a compliance program in place (which was evaluated as a mitigating factor); the violations did not constitute a serious or substantial risk to BPS reliability; and there were no additional aggravating or mitigating factors.

Penalty: $135,000 (aggregate for 20 violations)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R1/1.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported a violation of CIP-003-1 R1 because it did not make its cyber security policy available to contractors with access to, or responsibility for, CCAs. These contractors make up 6.7 percent of URE’s employees. Mitigating the consequence of this violation is that the other 93.3 percent of URE’s permanent employees did have ready access to the policy, and none of the contract employees were actually responsible for CCAs.

Finding: This violation posed only a minimal risk to the reliability of the BPS for three reasons. First, the error affected only a small percentage of employees. Second, the policy was readily available to all permanent employees. Third, during the period of the violation, there were no compromises or disruptions, or attempts to compromise or disrupt, the ESP or PSP of a CCA or the operation of a CCA itself.

Penalty: $9,000

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-12 (January 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R6

Violation Risk Factor: Medium (R1); Lower (R6)

Violation Severity Level: Severe (R1); Lower (R6)

Region: WECC

Issue: During an on-site audit, it was found that URE violated CIP-003-1 R1 because its cyber security policy did not have enough specificity regarding the CIP Standards. URE had three versions of its policy; the third version was sufficiently detailed and was created prior to the audit, but the two earlier versions did not address the requirements of the CIP Standards in detail. Regarding R6, URE’s change control and configuration management program did not address the procedures for configuration management, in violation of the Standard.

Finding: The violations constituted minimal risk to BPS reliability. Even though the cyber security policy did not specifically set forth the CIP Standards requirements, which could have led to operators being unaware of how to handle situations involving CCAs, there was a broad policy in place, and before the audit, URE created a sufficiently detailed cyber security policy. Regarding R6, incorrect system configuration could adversely impact other parts of URE’s system. However, in this case, the relevant CCAs were protected inside ESPs and PSPs.

Penalty: $55,000 (aggregate for 12 penalties)

FERC Order: Issued March 1, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-17 (February 29, 2012)

Reliability Standard: CIP-003-1

Requirement: R1/1.1; R3; R4.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: During a spot check, SPP determined URE violated R1 and R3. Specifically, URE violated R1 because its cyber security policy failed to address the requirements in Standards CIP-002 through CIP-009, including provisions for emergencies in violation of R1 and R1.1. URE violated R3 because it failed to include any compensating measures or a statement accepting risk for its documented exceptions and failed to conduct an annual review and re-approve an exception for a password of a non-CCA server located in the ESP. URE submitted a Self-Report which led to SPP’s finding of a violation of R4.2 because URE’s documented procedures regarding CCAs failed to include a procedure to classify information to be protected based on the sensitivity of the CCA.

Finding: SPP determined that the violation of R1/1.1 posed a moderate risk, but did not pose a serious or substantial risk, to the reliability of the BPS because URE had cyber security procedures in place for all but four standards. The violations of R3 and R4.2 posed a minimal risk and not serious or substantial risk to the reliability of the BPS. The violation of R3 was not found to reflect a deficiency in URE’s security controls, and the password at issue was not related to a CCA. The violation of R4 was mitigated because CCA information was protected by several security measures, including restricted access and video surveillance.

Penalty: $40,000 (aggregate for 14 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)

Reliability Standard: CIP-003-1

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: FRCC

Issue: URE self-reported that 17 package changes, 83 display changes, 8 code changes and 1 configuration (.rc) file change made to CCAs were not controlled or documented. URE explained that ineffective implementation of, and failure to follow, URE’s change control and configuration management process led to the failure.

Finding: FRCC found the violation constituted a moderate risk to BPS reliability because the CCA changes were tracked only by brief change logs, with no formal documentation kept. Most changes were found to be routine day-to-day configuration changes and updates. FRCC considered URE’s internal compliance program as a mitigating factor in determining the appropriate penalty.

Penalty: $10,000 (aggregate for 3 violations)

FERC Order: Issued March 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-20 (March 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it had not assigned a senior manager to have overall responsibility and authority for managing URE’s implementation of the CIP Reliability Standards as required. In addition, once URE appointed the relevant senior manager for the CIP Reliability Standards, it did not possess all of the required documentation.

Finding: WECC found that the CIP-003-1 violation constituted only a minimal risk to BPS reliability since URE had determined that it did not possess any Critical Assets. In addition, URE does not operate systems or facilities that are needed for system restoration or for automatic load shedding (under a common control system capable of shedding 300 MW or more). URE also has a peak demand under 150 MW. In approving the settlement agreement, the NERC BOTCC considered the fact that these were URE’s first violations of the relevant Reliability Standards; that URE was cooperative during the enforcement process and did not conceal the violations; and that the violations did not constitute a serious or substantial risk to BPS reliability.

Penalty: $60,000 (aggregate for 13 violations)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: While performing a Spot Check, SPP RE found that URE’s cyber security policy (CSP) did not contain all of the provisions required by CIP-002 through CIP-009 – in particular, CIP-003-1 R1.1, 1.2, 1.3, 5.1, 5.1.2, 5.2; CIP-004-1 R4; CIP-005-1 R1.2, 1.3, 2.3, 2.5, 2.5.1, 2.5.2, 2.5.4, 3, 3.1; CIP-006-1 R1.5, 1.8, 3, 3.1, 4; and CIP-007-1 R2.3, 5.2.2, 6.5.

Regarding the violation of CIP-003-1 R1, URE was unable to readily produce its CSP upon request by SCADA/EMS vendor support staff with authorized electronic access, as required by R1.2. And, URE could not provide documentation showing that an annual review and approval of the CSP had been undertaken during the relevant calendar year, as required by R1.3.

Finding: The violation constituted a minimal risk to BPS reliability because URE does have a CSP in use; however, the master document did not address all CIP requirements, and URE instead relied on individual policies and procedures addressing specific CIP requirements. And, even though URE could not readily supply its CSP to the SCADA/EMS vendors, no vendor had accessed URE’s CCAs since before July 2008. Further, the annual CSP review was missed only once. In determining the appropriate penalty, SPP RE considered URE’s internal compliance program a neutral factor.

Penalty: $12,000 (aggregate for 10 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-22-000 (March 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP RE

Issue: URE submitted a self-report stating that it was unable to start the security monitoring controls that issue automated alerts for Cyber Security Incidents, as called for in its cyber security policy, until 71 days after the enforcement date. Under CIP-003-1 R3, this should have been documented as an exception to URE’s cyber security policy and authorized by the designated senior manager.

Finding: It was determined that the violation posed a minimal risk to BPS reliability because URE mitigated the violation by using a server that met the requirements of its cyber security policy, and because, prior to the automated system, URE was manually reviewing server logs for any possible reportable incidents, of which there were none. SPP RE considered URE’s compliance history in determining the appropriate penalty.

Penalty: $12,000 (aggregate for 8 penalties)

FERC Order: Issued April 30, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R3.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: During a spot check, MRO was unable to verify that exceptions to URE’s cyber security policy were reviewed and approved annually by the senior manager or delegate to ensure the exceptions were still required and valid. Also, MRO was unable to verify whether exceptions documented in 2008 were terminated or converted to Technical Feasibility Exceptions within a year of approval. Evidence did not show that documented exceptions from 2008 were closed according to policy or reviewed in 2009 or 2010.

Finding: MRO deemed the violation a minimal risk to the reliability of the bulk power system (BPS) because the violation was an administrative issue, involving proper documentation of cyber security policy exceptions and their review. Though there was no evidence to demonstrate that documented exceptions had been reviewed, there was no concern regarding the exceptions or the compensating measures in place for any documented exception. URE re-evaluated its documented exceptions and established senior manager review and approval of required exceptions, or attestation that there were no exceptions.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R5.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: During a spot check, MRO was unable to determine whether URE conducted a review of access privileges to protected information over a two-year period. MRO reviewed policy and procedure documents, but none of these documents represented the access privileges list. MRO also reviewed notes from several meetings which indicated that approvals took place; however, it was not clear what exactly was being approved. MRO concluded there was insufficient evidence to demonstrate that URE reviewed access privileges to protected information for the two years.

Finding: MRO determined the violation posed a minimal risk to reliability of the bulk power system (BPS) as the violation was an administrative issue regarding proper documentation of reviews of access privileges to protected information. URE maintains that the reviews were conducted; however, the documentation is incomplete and does not expressly indicate that the annual review of access privileges was conducted. URE reviewed and updated its access control program.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-27 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO

Issue: During a spot check, MRO determined URE was not consistently following its established and documented procedure for change control and configuration management when adding, modifying, replacing or removing CCA hardware or software. MRO found some change request forms were incomplete, their use was inconsistent, and in some instances the information provided lacked the specificity needed to determine compliance.

Finding: MRO determined that the violation posed a minimal risk to BPS reliability. URE maintained that it followed procedure; however, it was unable to produce sufficient documentation to confirm the procedure was adhered to in every instance. MRO considered the failure to exhibit consistent application of its procedure to manage changes to cyber security controls as indicative of a need for training within URE’s staff. MRO worked with URE to implement an effective Mitigation Plan, and URE reviewed and updated the change control and configuration management procedure, trained all applicable staff on the procedure, and implemented a review process to ensure consistent application of procedure.

Penalty: $12,000 (aggregate for 9 violations)

FERC Order: Issued June 29, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-36-000 (June 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R5/5.2; R6

Violation Risk Factor: Lower

Violation Severity Level: High

Region: WECC

Issue: Upon learning that WECC was beginning the semi-annual CIP Self-Certification process, URE submitted to WECC that it was “Substantially Compliant” with CIP-003-1 R5 and R6 and submitted a self-report stating that it had failed to review CCA access privileges on an annual basis. URE reported that it had not confirmed that access privileges were correct and up-to-date based on personnel roles and responsibilities. In particular, 22 employees at URE having physical and/or logical access to protected CCA information had been “grandfathered” in as authorized personnel prior to the effective date of the Standard, but they had not completed the authorization form as required by the Standard. WECC’s review found that URE had violated the requirements of CIP-003-1 R5.2 to annually review access privileges to protected CCA information, and that URE failed to confirm that such access was still required for those 22 employees. Regarding R6, URE self-reported that it was not using its own written form to record changes to software or hardware on its CCAs or CAs, nor did it use a Change Log pursuant to CIP-003-1 R6. WECC’s review found that URE had no system for recording changes made over six patch cycles for fourteen CCAs. The relevant CCAs were used for Windows Active Directory, Network Time Protocol, and vulnerability scanning and are located in URE’s ESP.

Finding: The violations were deemed to pose minimal risk to BPS reliability. Regarding R5.2, the relevant personnel all had PRAs on file and CIP training, and any access could be verified through Windows Active Directory. URE also stated that its CCAs had up-to-date security software installed. Regarding R6, the missing information could be found in URE’s CIP-007 R3 reporting records, and URE stated that any changes to CCAs and other systems were tested prior to roll-out to production and that Tripwire software recorded any such changes. In determining the appropriate penalty, WECC gave mitigating credit for URE’s internal compliance program, but no self-report credit was given since URE reported the violations during the Self-Certification submission process. URE agreed/stipulated to WECC’s findings.

Penalty: $67,500 (aggregate for 9 violations)

FERC Order: Issued July 27, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP12-37 (July 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 4.2; 5.1

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: An Unidentified Registered Entity (URE) self-certified that it was not in compliance with R4.2 because it released protected CIP-related floor plans to eight unauthorized third-party vendors during a contractor bid process without first identifying and protecting the information. URE subsequently self-reported a violation of R5.1 because, during an internal review, it discovered that the construction project manager who released the protected floor plans was not identified on URE’s list of personnel with access to protected information within its documented program to manage access to protected information, and that the program did not identify the information for which the construction manager was responsible.

Finding: WECC determined that the violation of R4.2 posed a moderate risk and the violation of R5.1 posed a minimal risk to the reliability of the BPS. Neither violation posed a serious or substantial risk to the BPS. The risk was mitigated because the recipients of the information were all past, existing or potential vendors that had good working relationships with URE and cooperated in returning or destroying the information. Moreover, the construction project manager who released the information was in fact the person responsible for it.

Penalty: $134,350 (aggregate for 10 violations among 4 UREs)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity, FERC Docket No. NP12-40 (July 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R1/1.2/1.3; R2/2.1/2.2

Violation Risk Factor: Lower

Violation Severity Level: N/A

Region: WECC

Issue: Following a Spot Check, WECC determined URE violated R1 because it could not provide evidence that its cyber security policy covered all of the requirements in Standards CIP-002 through CIP-009 for a period of 19 months, it could not demonstrate that all personnel with access to (or responsibility for) CCAs had access to all the information required by R1.2, and could not verify that the policy was approved by the appropriate senior manager in violation of R1.3. WECC also found that URE could not provide clear and consistent evidence designating its CIP senior managers and proof that the CIP senior managers were designated consistent with the requirements in R2.1 and R2.2.

Finding: WECC found that the violations of R1 constituted a moderate risk to BPS reliability because they could result in inconsistent treatment of CCAs, which could lead to security threats. This risk was mitigated, however, because for about seven of the 19 months at issue URE’s cyber security policy addressed all but one requirement of one Reliability Standard. WECC found the violations of R2 posed a minimal risk to the reliability of the BPS because, although URE could not prove that it had appropriately designated CIP senior managers, it did have managers who were implementing the CIP program. WECC considered URE’s internal compliance program a mitigating factor.

Penalty: $22,000 (aggregate for 3 violations)

FERC Order: Issued August 30, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-46 (September 28, 2012)

Reliability Standard: CIP-003-1

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-certified that it did not test all of its security controls and therefore it did not properly establish change control and configuration management procedures to identify, control and document all entity-related or vendor-related changes to hardware and software components of its CCAs.

Finding: WECC found that the CIP-003-1 violation constituted a moderate risk to BPS reliability since it could expose the CCAs to security vulnerabilities by adding harmful hardware or software. But, the risk was mitigated since URE did have change control and management procedures that provided for the management and testing of entity-initiated and vendor-initiated changes (even though those procedures were incomplete). URE agreed and stipulated to the facts of the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's compliance history and that URE had a compliance program in place when the violations occurred (which was viewed as a mitigating factor). URE was also cooperative during the enforcement process and did not conceal the violations. WECC found that the violations did not constitute a serious or substantial risk to BPS reliability and there were no additional aggravating or mitigating factors.

Penalty: $200,000 (aggregate for 17 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity (URE), Docket No. NP12-47-000 (September 28, 2012)

Reliability Standard: CIP-003-1

Requirement: 4/4.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE was found to be in violation of CIP-003-1 R4 because it did not include the Critical Asset list in its protected Critical Cyber Asset information program.

Finding: The violation was deemed to pose moderate risk to BPS reliability because not protecting a list of Critical Assets could expose the BPS to a cyber-security attack; however, the risk was mitigated because URE's Critical Asset list did not contain any Critical Cyber Asset information. In determining the appropriate penalty, URE was given mitigating credit for its internal compliance program.

Penalty: $65,000 (for 11 violations)

FERC Order: Issued October 26, 2012 (no further review)

Unidentified Registered Entity, Docket No. NP13-1 (October 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Following a self-certification, WECC determined URE violated R6 because URE could not provide evidence that it had a documented change control system that included supporting configuration management activities. The violation encompassed over 100 CCAs.

Finding: WECC determined that the violation posed a moderate risk to the reliability of the BPS because it could result in harmful modifications to hardware or software in CCAs essential to the operation of the BPS. URE's failure to cover these CCAs in a documented change control system could leave them vulnerable to a cyber attack, and they could be misused or inoperable during CA recovery efforts. The risk was mitigated because the CCAs at issue are located within ESPs and are subject to redundant protective measures such as intrusion detection systems, VPN or two-factor authentication, and anti-virus and spam controls. In addition, personnel with access to the CCAs are appropriately authorized following a PRA. In approving the Settlement Agreement between WECC and URE, the NERC BOTCC considered the following: URE's violation history; that 11 of the 12 violations were self-reported; that URE was cooperative; that URE had a compliance program in place at the time of the violation, which was considered a mitigating factor; and that there was no evidence of any attempt or intent to conceal a violation, nor that the violation was intentional.

Penalty: $200,000 (aggregate for 12 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1, 5

Violation Risk Factor: Medium (1), Lower (5)

Violation Severity Level: High (1, 5)

Region: RFC

Issue: During a compliance audit, RFC determined that URE1 had not properly implemented its cyber security policy since it did not fully document its PSP as part of its physical security plan or its CCA recovery plan (as called for in its cyber security policy) (R1). URE1 also self-reported (in anticipation of the compliance audit) that it had not created, maintained and verified on an annual basis its list of personnel who are responsible for authorizing logical or physical access to its protected information, as URE1 did not confirm that access privileges for substation personnel were correct and corresponded to URE1's needs and personnel roles and responsibilities. While URE1 had criteria which specified access rights according to specific roles and responsibilities and maintained a separate list of its personnel with access to CCA information, it did not link its personnel list to its list of roles and responsibilities as required. URE1 also did not assess and document, on an annual basis, its processes to control access privileges to its protected information. In addition, during the compliance audit, RFC found that URE1 had not properly documented that access privileges for Energy Management System (EMS) personnel were correct and corresponded to URE1's needs and personnel responsibilities. URE1 also did not properly document its annual assessment of its procedures to control access privileges to protected information for URE1's substations and its EMS (R5).

Finding: RFC found that the CIP-003-1 R1 and R5 violations constituted a moderate risk to BPS reliability. In regards to R1, there is a risk to the BPS when URE1 only partially implements its cyber security policy, as the appropriate security management controls may not be in place and there may be security gaps or unnecessary access points to the critical infrastructure of the BPS. But URE1's partial implementation only involved inconsistent cross-referencing between the cyber security policy and other documents and did not involve substantive noncompliance or the failure of any cyber security protections. For R5, URE1 created a potential for unauthorized access to CCA information, which could have led to disruptive acts. But URE1 affirmed that it had actually limited access to CCA information to only personnel who needed to know and used technical restrictions (such as access control lists in its Active Directory) to provide protection. URE1 also stated that it was aware of who those personnel were and that it engaged in reviews of its procedures for controlling access privileges to protected information (even though these processes were not formally documented). In addition, URE1 had technical controls in place to maintain and protect its CCAs. In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity 1, Unidentified Registered Entity 2, and Unidentified Registered Entity 3, FERC Docket No. NP13-4 (October 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 6 (three violations, one for each URE)

Violation Risk Factor: Lower (6)

Violation Severity Level: High (6)

Region: RFC

Issue: During a compliance audit, RFC determined that URE1 had not properly established and documented, in the Change Control Process of its Security Services Change Control and Configuration Management Plan, a process for configuration management of CCA hardware or software, or its procedures for supporting configuration management activities to identify, control and document all changes to hardware and software components of CCAs. URE1 also did not implement change control procedures for the removal of its legacy Energy Management System (EMS) or create a change control form for the replacement EMS, as required. In addition, URE2 and URE3 did not properly establish and document their configuration management processes for adding, modifying, replacing or removing CCA hardware or software. URE2 and URE3 also did not enact the supporting configuration management activities needed to identify, control and document all entity- or vendor-related changes to hardware and software components of the CCAs.

Finding: RFC found that the CIP-003-1 R6 violations constituted a serious and substantial risk to BPS reliability since minimum security management controls (such as configuration management) were not in place to protect Critical Assets. By having insufficient implementation and support for configuration management, URE1, URE2 and URE3 risked introducing unwanted security vulnerabilities and unauthorized access points, which can impact the availability of critical systems. But the UREs did have change control processes (and URE1 affirmed that it did document the changes associated with its EMS replacement through other processes). In approving the settlement agreement, the NERC BOTCC found that, in the aggregate, the violations constituted a serious or substantial risk to BPS reliability because of the potential for compromised integrity of the CCAs. The UREs did not have a culture of compliance for the CIP Reliability Standards and were not familiar with their CIP processes and procedures (especially as compliance was divided between six executives, leading to inconsistent application of the compliance process and reduced ownership responsibility). But the UREs were cooperative during the enforcement process, including working with RFC to remedy the violations and enacting measures, in collaboration with RFC, to foster an improved compliance program and to undertake compliance initiatives (which were evaluated as a mitigating factor). In addition, some of the violations were repeat violations and some of the violations were self-reported.

Penalty: $725,000 (aggregate for 73 violations)

FERC Order: Issued November 29, 2012 (no further review)

Unidentified Registered Entity (URE), FERC Docket No. NP13-11 (December 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 5.2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP

Issue: URE self-reported that it did not have the proper documentation showing that it had conducted the required annual reviews of its personnel with access rights to two areas with CCA information (a SharePoint site related to URE’s network services and an Energy Management System information folder on a network drive).

Finding: SPP found that the CIP-003-1 R5.2 violation only constituted a minimal risk to BPS reliability since when personnel with CCA access are terminated from employment at URE, their physical, domain and remote access rights are removed. Therefore, terminated employees would not be able to access URE’s CCAs (even though URE was not reviewing its access list on an annual basis). URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE’s violation history (which was considered as an aggravating factor for some of the violations), URE’s internal compliance program (which was not viewed as a mitigating factor) and the fact that some of the violations were self-reported. URE was cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $107,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (URE1), Docket No. NP13-12-000 (December 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.1, 1.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SPP RE

Issue: While conducting a CIP Spot Check, SPP RE determined that URE1’s cyber security policy (Policy) did not meet all requirements of CIP-002 through CIP-009, as required by CIP-003-1 R1.1. The Policy did not ensure that CAs within URE1’s ESP reside within a six-wall PSP (CIP-006-1 R1.1). In addition, URE1 did not have a compliant password policy (CIP-007-1 R5.3). Finally, URE1’s CIP senior manager did not review or approve the Policy annually (CIP-003-1 R1.3). The senior manager did, however, delegate approval authority to subordinate managers who, in turn, performed the required reviews and approvals.

Finding: SPP RE found that the violations posed a minimal risk to BPS reliability, but not a serious or substantial risk. SPP RE found the CAs were in fact within an enclosed six-wall PSP, but URE1’s Policy failed to document the requirement. Next, SPP RE determined that even though the Policy was not signed by the senior manager, it had been reviewed and approved by delegates. Regarding the password requirements not being completely addressed in the Policy, URE1’s employees were aware of the password management policy. The violations began on December 31, 2010, and ended on January 19, 2011, when URE1 completed its Mitigation Plan. URE1 neither admitted nor denied the violation. In determining the appropriate penalty, SPP RE found URE1’s written ICP to be a neutral factor.

Total Penalty: $15,000 (aggregate for 6 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity (URE), Docket No. NP13-16 (December 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Pursuant to a compliance audit, WECC found that URE did not make its cyber security policy readily available to contractors and contract personnel that support URE’s EMS in violation of R1.

Finding: WECC determined the violation posed a minimal, and not a serious or substantial, risk to the reliability of the BPS because all individuals with unescorted access to CCAs had completed PRAs and training, and all physical access to CCAs was monitored by URE. URE self-reported some of the violations. The violations lasted from the date the Standard became mandatory and enforceable for URE through the date URE made its cyber security policy available to all individuals with access to CCAs.

Total Penalty: $207,000 (aggregate for 12 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-18 (December 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 5.2, 6

Violation Risk Factor: Lower (5.2, 6)

Violation Severity Level: Severe (5.2), Lower (6)

Region: SPP

Issue: URE self-reported that it did not possess the required documentation showing that it had conducted an annual review of its personnel who had access rights to two areas containing CCA information (a SharePoint site related to URE's network services and an Energy Management System (EMS) information folder on a network drive) (5.2). URE also self-reported that its CCA change control and configuration management process did not include adequate provisions covering supervisory approval, supervisory and managerial approval, a change implementation date, a notification date to groups affected by the change and an implementation date (6).

Finding: SPP found that the CIP-003-1 R5.2 and R6 violations only constituted a minimal risk to BPS reliability. For R5.2, URE had revoked the physical, domain and remote access rights of personnel who had access to network services and EMS information upon termination of their employment. Thus, terminated personnel would not be able to access the CCAs. In regards to R6, URE had, in practice, fully implemented its change control and configuration management process, establishing a multi-tier approach that minimized the risk of system changes being made without some level of review and approval. URE also obtained board approval on each occasion when a change was requested. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC evaluated URE's Internal Compliance Program (even though the compliance program was not viewed as a mitigating factor) and its violation history (which was viewed as an aggravating factor for some of the violations). NERC BOTCC also considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations.

Penalty: $153,000 (aggregate for 16 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-19 (December 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.2

Violation Risk Factor: Medium

Violation Severity Level: Lower

Region: SERC

Issue: During a spot check, SERC determined that URE did not make its cyber security policy available to 160 of its personnel with access to or responsibility for URE's CCAs as required, as the policy was only available through a portal that required a URE Logon ID. In addition, URE self-reported that, for another segment of its operations, it also kept that cyber security policy in a portal associated with that segment that required a URE Logon ID, leaving three personnel who had access to URE's CCAs unable to access the cyber security policy.

Finding: SERC found that the CIP-003-1 R1.2 violations only constituted a minimal risk to BPS reliability since less than 12% of URE's personnel with access to the CCAs were not able to access the cyber security policy. In addition, all of URE's personnel with access to the CCAs had received cyber security training, which discussed the relevant policies, uses and handling of the CCAs for each particular role and responsibility. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the fact that some of the violations were self-reported and that URE was cooperative during the enforcement process and did not conceal the violations. URE also had a compliance program in place when the violations occurred (which SERC evaluated as a mitigating factor). SERC determined that over half of the violations constituted a serious or substantial risk to BPS reliability. URE was unprepared, compliance-wise, when the CIP requirements became mandatory and enforceable. As URE had problems identifying CCAs, Cyber Assets and access points, URE was not providing the mandated protections to all of the required devices, thereby greatly increasing the risk of CCAs becoming compromised or rendered inoperable and causing a loss of monitoring or control of the BPS. SERC found that URE's CIP program failure constituted a serious risk to BPS reliability as URE's CIP procedures were not sufficiently detailed and its personnel had a general lack of awareness about the CIP procedures (including a dependence on manual processes).

Penalty: $950,000 (aggregate for 24 violations)

FERC Order: Issued January 30, 2013 (no further review)

Unidentified Registered Entity 1 (SPP RE_URE1), Docket No. NP13-27, February 28, 2013

Reliability Standard: CIP-003-1

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Moderate

Region: SPP RE

Issue: SPP RE_URE1 self-reported a violation of R6 when it discovered that it had not been documenting performance of its change control and configuration management program for hardware and software changes to CCAs.

Finding: SPP RE determined that the R6 violation posed a minimal risk to the reliability of the BPS because although the company was not documenting its change control and configuration management activities, its system administrator was indeed following the company's documented procedure. Furthermore, there were only minimal system hardware changes during the violation period, and software changes during the same period were implemented with assistance from a third-party service provider. Finally, a firewall protected all of the company's CCAs. SPP RE and SPP RE_URE1 entered into a settlement agreement whereby SPP RE_URE1 agreed to pay a penalty and to undertake other mitigation measures to come into compliance with R6. SPP RE considered SPP RE_URE1's ICP a neutral factor in making its penalty determination. The violation began when the Standard became mandatory and enforceable to SPP RE_URE1 and ended on the implementation date of the revised procedure. SPP RE_URE1 neither admits nor denies the R6 violation.

Penalty: $8,000 (aggregate for 3 violations)

FERC Order: Issued March 29, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, as a result of an incomplete policy map, its cyber security policy did not address all of the required elements.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. All of URE’s CCAs are contained in PSPs and ESPs and all of URE’s personnel with access to the CCAs had received the required training on the CIP Standards. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 1/1.1

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that, as a result of an incomplete policy map, its cyber security policy did not address all of the required elements.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. All of URE’s CCAs are contained in PSPs and ESPs and all of URE’s personnel with access to the CCAs had received the required training on the CIP Standards. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it had not identified, as required by its information protection program and the Reliability Standard, its disaster recovery plan as protected information.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. URE’s disaster recovery plan was only contained in electronic format and was protected from unauthorized access by measures such as folder share security. In addition, all of URE’s personnel who had access to the disaster recovery plan had received training on the proper handling of CCA information. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $58,000 (aggregate for 14 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-33 (April 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: WECC

Issue: URE self-reported that it had not identified, as required by its information protection program and the Reliability Standard, its disaster recovery plan as protected information.

Finding: WECC found that the violation only constituted a minimal risk to BPS reliability. URE’s disaster recovery plan was only contained in electronic format and was protected from unauthorized access by measures such as folder share security. In addition, all of URE’s personnel who had access to the disaster recovery plan had received training on the proper handling of CCA information. URE’s compliance program was evaluated as a mitigating factor. URE stipulated to the violation.

Total Penalty: $53,000 (aggregate for 13 violations)

FERC Order: Issued May 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-34 (May 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 1.3, 4.3, 5.2/5.3, 6

Violation Risk Factor: Medium (1.3, 4.3), Lower (5.2/5.3, 6)

Violation Severity Level: Severe (1.3, 4.3, 5.2/5.3, 6)

Region: TRE

Issue: During a compliance audit, TRE determined that URE's cyber security policy had not been approved by a senior manager and had not been subject to annual review since URE removed its generation facility from the Critical Asset list (1.3). URE also did not possess sufficient documentation showing that it had assessed, on an annual basis, its adherence to its CCA information protection program, logged the assessment results, or enacted action plans to remediate deficiencies, as it did not properly approve the change in the Critical Asset status of its generation facility (4.3). In addition, URE did not annually review the access privileges to its protected information (5.2) or its procedures for controlling the access privileges to its protected information (5.3). URE had also physically removed a modem from its premises, but did not remove the modem from its CCA list as required. In addition, URE's policies on network change management, network configuration, and router, switch and firewall configuration did not contain version control language or tables and had not been signed and dated, which interfered with its ability to implement supporting configuration management activities to identify, control, and document all changes to hardware and software components of its CCAs (6).

Finding: TRE found that the CIP-003-1 R1.3, 4.3, 5.2/5.3, 6 violations constituted a moderate risk to BPS reliability. The lack of managerial signatures on numerous policies demonstrates a lack of commitment by management as well as possible systematic issues. But, URE's cyber security policy did include all of the required content and was accessible to all of URE's personnel responsible for CCAs. In addition, by not having documented assessment results regarding URE's adherence to its CCA information protection program, there were vulnerabilities in URE's CCA protection program, as URE had no assessment data to determine if deficiencies existed and the safety of the CCA information was unknown. But, URE had developed a program for the treatment of CCA information (including the classification of protected information). And while URE did have a program for managing access to protected CCA information, the program had not been fully implemented and therefore the access to protected information may have been unknown. Also, URE's implementation of its change control and configuration management program did not follow the program guidelines (although it was relied upon for the majority of URE's assets). URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that the violations were URE's first violations of the relevant Reliability Standards and that none of the violations constituted a serious or substantial risk to BPS reliability. URE had a compliance program in place, but it was only evaluated as a neutral factor. URE was also cooperative during the enforcement process and did not conceal the violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, Docket No. NP13-36, May 30, 2013

Reliability Standard: CIP-003-1

Requirement: 1, 4, 5, 6

Violation Risk Factor: Medium (R1, R4); Lower (R5, R6)

Violation Severity Level: Severe (all)

Region: Texas RE

Issue: While conducting a Reliability Standards audit, Texas RE found the following violations: (R1) – URE could not provide a signed copy of its cyber-security policy. URE’s CIP compliance senior manager did not approve or annually review URE’s cyber-security policy in accordance with R1.3. (R4) – The risk-based assessment methodology removing URE’s facility as a Critical Asset (in 2010) was not approved or signed. (R5) – URE could not show that it was reviewing access privileges to confidential data on an annual basis to ensure all privileges were current and correct. In addition, URE did not annually assess or document the procedures for controlling access privileges to protected information. (R6) – Texas RE found that a modem on URE’s CCA list was no longer at URE’s facility. URE did not maintain its CCA list in accordance with R6.

Finding: The violations were deemed to pose a moderate risk to BPS reliability, but not a serious or substantial risk. Regarding R1, Texas RE found that the lack of signature was evidence of a lack of company commitment to the policy. Texas RE found many documents unsigned by the appropriate personnel, showing a system-wide problem at URE rather than an administrative oversight; however, with respect to the cyber-security policy, it was found to be otherwise compliant with R1. Regarding R4, Texas RE determined that URE’s failure to follow its CCA information program, including the failure to have implementation plans for remediating deficiencies, leaves URE’s CCA protection program vulnerable in that any deficiencies would be unaddressed. Regarding R5, URE did have a program in place, but it was not fully utilized. Not fully knowing access privileges could leave protected information vulnerable. Finally, regarding R6, risk was mitigated because most of URE’s CCAs were properly accounted for. URE and Texas RE entered into a Settlement Agreement to resolve the issues. In determining the appropriate penalty, Texas RE considered URE’s internal compliance program as a neutral factor. The violations were the first by URE, and URE cooperated during the enforcement process. Texas RE determined URE did not attempt (or intend) to conceal any violations.

Total Penalty: $137,000 (aggregate for 24 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-38-000 (May 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 3, 4, 5

Violation Risk Factor: Lower (3, 4, 5)

Violation Severity Level: Severe (3, 4, 5)

Region: WECC

Issue: URE self-certified that it did not properly document all exceptions to its cyber security policy at its generating station or explain why such exceptions were necessary. URE was required to document its exception related to the delayed implementation of URE’s PRA program (related to the terms of a union collective bargaining agreement). URE also did not review, in 2010, its documented exceptions to the cyber security policy at its control center, as required (3). URE also self-certified that the information protection program established at URE’s generating station did not incorporate printed documentation located at the facility, as required. URE also did not properly identify and designate CCA information to be protected and did not annually review its adherence to its information protection program (4). In addition, URE did not properly manage access to protected information physically located at URE’s generating station or review, in 2009, its process for controlling access privileges to protected information. URE also did not properly maintain its list of designated personnel with responsibility for authorizing logical or physical access to the protected information (5).

Finding: WECC found that the CIP-003-1 R3, R4 and R5 violations constituted only a minimal risk to BPS reliability. In regards to R3, URE had documented all exceptions to its cyber security policy at its control center, and performed the required annual review of exceptions in both 2009 and 2011. In regards to R4, URE had an adequate information protection policy at its control center and backup control center, and the violation was limited to CCAs at URE’s generating station. URE also hosted on-site staff meetings at which the information protection procedures were discussed. For R5, URE had a process in place to appropriately manage the protected information for CCAs housed at its control center, and the violation was limited to access management to CCA information at URE’s generation station. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that some of the violations were self-reported and that URE engaged in voluntary corrective action to remediate the violations. URE also had an internal compliance program in place (which was evaluated as a mitigating factor). URE was cooperative during the enforcement process, did not conceal the violations and implemented the applicable WECC compliance directives. But, URE did have prior violations of the Reliability Standards (which was evaluated as an aggravating factor). None of the violations constituted a serious or substantial risk to BPS reliability.

Total Penalty: $291,000 (aggregate for 17 violations)

FERC Order: Issued June 28, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP13-55 (September 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: WECC

Issue: Unidentified Registered Entity (URE) self-reported that it did not timely develop procedures for configuration management to identify, control and document all entity- or vendor-related changes to hardware and software components of CCAs. In addition, URE also implemented configuration changes and did not abide by its procedures for the operating systems, patch levels, physical ports, and software enabled on its CCAs.

Finding: WECC found that the violation constituted a moderate risk to BPS reliability since by not having appropriate configuration management procedures, changes to hardware and software could expose URE’s CCAs to potential security vulnerabilities. But, URE’s CCAs are continuously monitored and logged, have antivirus and malware prevention tools installed, are contained within a restrictive network, and are backed up on a weekly basis. In addition, URE had established a change management process which utilized a ticketing system to approve and track master change requests (even though it was not properly documented in respect to the CCAs). URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered the fact that the CIP-002-3 R1 violation was self-reported and that URE had a compliance program in place when the violations occurred. URE’s prior violations of the Reliability Standards were not considered as an aggravating factor, as they were not similar to the instant violations and did not implicate broader corporate issues. URE was also cooperative during the enforcement process and did not conceal the violations. The violations did not present a serious or substantial risk to BPS reliability.

Total Penalty: $150,000 (aggregate for 16 violations)

FERC Order: Issued October 30, 2013 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 4

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it had not properly documented the results of its annual review regarding adherence to its CCA information protection program and that it did not adequately protect the CCA information within its configuration management database (CMDB) (which is used to document all critical and non-critical Cyber Assets and access points to the ESP).

Finding: SERC found that the CIP-003-1 R4 violation constituted a moderate risk to BPS reliability since the lack of documentation of the assessment results and action plan could have led to un-remediated deficiencies, and inadequate CCA protection increased the risk of a cyber security attack. But, there were no identified deficiencies in the CCA information assessment, and access to the CMDB was restricted to authorized users. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above and beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-20 (December 30, 2013)

Reliability Standard: CIP-003-1

Requirement: 5

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SERC

Issue: URE self-reported that it did not include 60 of its personnel with access to CCA information in its annual review of access privileges to protected information, as required.

Finding: SERC found that the CIP-003-1 R5 violation constituted only a minimal risk to BPS reliability as all of the personnel at issue had appropriately received CCA access based upon their roles and responsibilities at URE. URE neither admitted nor denied the violations. In approving the settlement agreement, NERC BOTCC considered URE’s compliance history as an aggravating factor. But, certain of the violations were self-reported and URE had a compliance program in place when the violations occurred, which was evaluated as a mitigating factor. URE was also cooperative during the enforcement process and did not conceal the violations. Certain of the violations constituted a serious or substantial risk to BPS reliability. URE also engaged in mitigating measures that SERC determined to be above-and-beyond what was required.

Total Penalty: $198,000 (aggregate for 21 violations)

FERC Order: Issued January 29, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-003-1

Requirement: R1/R1.3 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: The URE Companies self-reported that they did not have sufficient documentation showing that they had an assigned senior manager perform an annual review and approve their respective cybersecurity policies.

Finding: RFC determined that the violations constituted only a minimal risk to the BPS reliability as the URE Companies did actually perform the required annual reviews of the cybersecurity policies. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-003-1

Requirement: R4 (3 violations – one for each URE Company)

Violation Risk Factor: Medium

Violation Severity Level: High

Region: RFC

Issue: The URE Companies self-reported that they did not properly classify or protect information repositories that contained CCA information. The URE Companies also did not fully complete and implement the required annual assessments of their CCA information protection programs.

Finding: RFC determined that the violations constituted a moderate risk to BPS reliability as they increased the risk that the protections guarding the CCA information would be decreased or eliminated. But, the relevant CCA information was in secure locations (on the URE Companies’ internal networks) and protected by access control mechanisms. The URE Companies also conducted the required annual reviews of the CCA information protection program (although their documentation was lacking). The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-003-1

Requirement: R5 (3 violations – one for each URE Company)

Violation Risk Factor: Lower

Violation Severity Level: High

Region: RFC

Issue: The URE Companies self-reported that they did not verify, as required, that the external vendor personnel providing IT support functions satisfied the training or Personnel Risk Assessments (PRA) requirements prior to obtaining access to protected CCA information. Additionally, the URE Companies did not properly classify information repositories that contained CCA information and did not provide the repositories and the relevant information with the necessary protective measures. The URE Companies also did not maintain sufficient documentation of grandfathered users’ access needs in regards to protected information. In addition, URE2 did not conduct the required annual verification and review of personnel responsible for authorizing access to the protected information and the access privileges granted.

Finding: RFC determined that the violations constituted a moderate risk to BPS reliability as they increased the risk that the protections for access to protected CCA information would be lessened. But, the URE Companies had implemented protective measures to provide security to their Critical Assets and CCAs. For example, the URE Companies’ protected information was contained in secure locations with access control mechanisms in place. In addition, the external vendor personnel had actually completed the training and PRA requirements, and all of the individuals without confirmed access privileges were trusted users with approved network access credentials. The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP14-48-000 (August 27, 2014)

Reliability Standard: CIP-003-1

Requirement: R6 (2 violations – one for URE2 and one for URE3)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: RFC

Issue: URE2 self-reported that it did not implement, as required, the change control processes for a set of computers and computer consoles classified as CCAs. In addition, URE3 self-reported that it did not have adequate documentation showing that it enacted supporting configuration management activities related to changes to its CCAs.

Finding: RFC found that the violations posed a moderate risk to BPS reliability as they increased the risk of system outages or downtime related to unauthorized and/or undocumented changes. But, URE2 and URE3 did enact certain security management controls to protect their CCAs, including housing the assets within the defense-in-depth perimeters. Furthermore, all of the CCAs received protection via the implementation of at least some of the steps within the change control processes. The URE Companies (which include URE1, URE2 and URE3) neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations collectively constituted a moderate risk to BPS reliability. The URE Companies self-reported a number of the violations and agreed to undertake several “above and beyond” mitigating activities, which were considered mitigating factors. However, the URE Companies’ past compliance history and their slow progress working on the mitigating activities were considered aggravating factors. The URE Companies cooperated throughout the enforcement process and did not conceal the violations. The URE Companies did have a compliance program in place. RFC also committed in the future to randomly select and perform a spot check on one of the URE Companies.

Total Penalty: $625,000 (aggregate for 77 violations)

FERC Order: Issued September 26, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-5-000 (October 30, 2014)

Reliability Standard: CIP-003-1

Requirement: R6

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: SPP RE

Issue: During a compliance audit, SPP RE determined that URE did not include processes for the replacement and removal of CCA hardware in its change control and configuration management process, nor did URE have documented procedures for the disposition of a failed third-party network monitoring device or proof that a replacement device was implemented properly.

Finding: SPP RE determined that the violation constituted only a minimal risk to the BPS reliability since URE proved that during the disposal of the failed device it was wiped clean and the replacement device did not cause any damage to its network operations. In addition, for multiple years the failed device operated successfully without negatively affecting URE’s network operations. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that URE had previously violated six of the standards, which SPP RE considered an aggravating factor. However, URE did have a compliance program in place and it received mitigating credit for self-reporting three of the violations. Moreover, URE agreed to additional corrective actions including: restructuring its CIP compliance program; hiring an additional system administrator; conducting a one day compliance workshop with SPP RE staff; and implementing an asset management system to further secure its EMS. URE was cooperative throughout the enforcement process and did not conceal or attempt to conceal the violations.

Penalty: $45,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-003-1

Requirement: R4/R4.3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-reported that for two years it failed to document its annual adherence to its CCA information protection program. For one URE group, adherence assessments were not documented, and for a separate URE group, adherence assessments were neither documented nor conducted.

Finding: Texas RE determined that the violation constituted a moderate risk to the BPS reliability as inadequacies in security management controls increased the risk that sensitive information related to URE's CCA could be compromised and exposed to malicious access. However, the protected information was reviewed according to the URE's protection program, and URE's data custodians controlled access to protected information. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-6-000 (October 30, 2014)

Reliability Standard: CIP-003-1

Requirement: R5/R5.1/R5.2/R5.3

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Texas RE

Issue: URE self-certified and later self-reported that its list of personnel authorized to access URE's CCA was not updated in a timely manner and that URE did not remove a former employee from its list of data custodians in a timely manner. For one management site, URE failed to review access privileges or assess and document processes for controlling access to protected information on an annual basis as required. URE also improperly attached confidential or restricted information to its change management system documentation, which allowed any contractor or employee with access to that system to view it.

Finding: Texas RE determined that the violation constituted only a minimal risk to the BPS reliability since URE's Cyber Assets were protected by a strong system that utilized many layers of protection including: firewalls, group user authentication, shared account and infrastructure reviews, employee training, cyber incident detection, and ESP/PSP access authentication. In addition, URE verified that correct document level controls were in place and access to protected information on the management site at issue was controlled. URE neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC considered the following factors: the URE had an internal compliance program in place; the URE self-reported several of the violations and none posed a serious or substantial risk to the BPS reliability; the URE executed actions beyond those necessary to ensure compliance with the Standard and continues to make several enhancements as part of its self-assessment program; and the URE did not conceal or attempt to conceal the violations. Further, Texas RE did not consider URE's compliance history to be an aggravating factor, and URE was cooperative throughout the duration of the enforcement.

Penalty: $106,000 (aggregate for 20 violations)

FERC Order: Issued November 28, 2014 (no further review)

Unidentified Registered Entity, FERC Docket No. NP15-9-000 (November 25, 2014)

Reliability Standard: CIP-003-1

Requirement: R6 (2 violations – one for URE1 and one for URE3)

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: MRO, SPP RE and WECC

Issue: URE1 and URE3 self-reported to MRO and WECC respectively that they failed to apply their substation control process for changes to existing CCAs and new CCAs, which led to inconsistencies in identifying and tracking CCAs. The UREs' list of CCAs did not accurately depict the CCAs that were in production, and the UREs failed to consistently apply their change control management process for CCAs that were commissioned or decommissioned after a specific date. While some issues related to changes to existing substation CCAs, most of the incidents involved adding new CCA substations (including primary and secondary line relaying, bus differential relaying, and breaker failure relaying) where the UREs did not apply their configuration management and change control process or update documentation. In addition, the UREs did not follow their change management process for CCAs that were modified or retired, such as substation protective relays.

Finding: MRO determined that the violation posed a moderate risk to the BPS reliability because new CCAs placed at high-voltage substations and IROL flow gates for over two years were not documented, included in the UREs' CIP compliance program or protected as required, creating vulnerabilities that could have been exploited. But the UREs did provide standard security controls through the application of their standard testing, checkout and commissioning processes. The CCA changes at issue did not involve the UREs' electronic access management system, and throughout the violation there were no incidents related to the UREs' energy management system (EMS). The URE Companies neither admitted nor denied the violations. In approving the settlement agreement, the NERC BOTCC found that the violations for five of the Standards posed a serious or substantial risk to the BPS reliability. However, several of the violations were self-reported and the remainder of the violations posed only a minimal threat to BPS reliability. The UREs had a compliance program in place and their compliance history was not considered an aggravating factor by MRO. Furthermore, the UREs committed to spending $205,000 to retain a consultant to identify untapped opportunities in their CIP management controls for the current and future CIP versions, and they received significant mitigating credit for their commitment to their corporate compliance program. The URE Companies were cooperative throughout the duration of the enforcement and none concealed the violations.

Penalty: $150,000 (aggregate for 19 violations)

FERC Order: Pending

Unidentified Registered Entity 1 (RFC_URE1), FERC Docket No. NP15-29-000 (May 28, 2015)

Reliability Standard: CIP-003-1

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: High

Region: ReliabilityFirst

Issue: ReliabilityFirst, during a compliance audit, found that RFC_URE1 had delegated responsibility for leading and managing CIP Reliability Standard compliance to four individuals, but had failed to list the titles and specific responsibilities of each individual.

Finding: ReliabilityFirst found that this violation posed a minimal, but not a serious or substantial, risk to BPS reliability. RFC_URE1's Bulk Electric System facilities were relatively small, and RFC_URE1 had identified individuals with responsibility. To mitigate the violation, RFC_URE1 included the required information in a reissued authority delegation letter.

Penalty: No penalty

FERC Order: FERC approved the settlement on June 26th, 2015.
