Unidentified Registered Entity, FERC Docket No. NP11-226-000 (July 28, 2011)
Reliability Standard: CIP-006-2c
Requirement: R4, R5, R6
Violation Risk Factor: Medium (R4, R5); Lower (R6)
Violation Severity Level: High (R4, R5, R6)
Region: RFC
Issue: After a fire in a generating complex caused a loss of electrical power, Unidentified Registered Entity (URE) did not use its operational and procedural controls to manage physical access at all access points to the Physical Security Perimeters (PSPs) at all times because card readers were not correctly communicating with the corporate security computer and were allowing access to anyone with a URE identification badge (R4); and prior to security officers being stationed at access points, URE did not use its technical and procedural mechanisms for monitoring and logging individuals accessing PSPs (R5, R6).
Finding: RFC and URE entered into a settlement agreement to resolve multiple violations whereby URE agreed to pay a penalty of $85,000, and to undertake other mitigation measures. RFC determined that the violations did not pose a serious or substantial risk to the reliability of the bulk power system (BPS) because one of the units was not operational at the time of the fire and therefore unauthorized access to that unit was less likely to affect BPS reliability and the affected card readers did not protect any CCAs of the second unit so it was operating successfully. In approving the penalty amount, NERC found that the violations involving CIP-006 were repeat violations leading to a finding that URE has repeatedly failed to ensure the physical security of its CCAs, which was evaluated as an aggravating factor when determining the penalty; the violations were self-reported; the URE was cooperative during the enforcement process and did not conceal the violations; the URE had a compliance program in place (which was evaluated as a mitigating factor); and there were no additional aggravating or mitigating factors.
Penalty: $85,000 (aggregate for multiple violations)
FERC Order: Issued August 29, 2011 (no further review)
Unidentified Registered Entity, FERC Docket No. NP12-18 (February 29, 2012)
Reliability Standard: CIP-006-2c
Requirement: R2/2.2
Violation Risk Factor: Medium
Violation Severity Level: Severe
Region: ReliabilityFirst
Issue: URE self-reported that it had not identified three devices – a physical security server, a digital video recorder and a personal computer – that allow access to its PSP as CAs, so the devices did not have all protective measures as specified in CIP-006-2c R2.2. These devices were used to create access badges and authorize PSP access.
Finding: ReliabilityFirst found the violation constituted a moderate risk to BPS reliability which was mitigated because URE had separate security measures in place, such as intrusion detection, anti-virus, security logging, cyber and physical access control, and defense-in-depth network design, to control access, prevent virus and malware problems and to detect any attempted attacks to its system. ReliabilityFirst considered certain parts of URE’s compliance program as mitigating factors in determining the appropriate penalty.
Penalty: $55,000 (aggregate for 8 penalties)
FERC Order: Issued March 30, 2012 (no further review)