NERC Case Notes: Reliability Standard CIP-003-6

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: NPCC2018020350

Reliability Standard: CIP-003-6

Requirement: R1.1, R1.2

Violation Risk Factor: Medium

Violation Severity Level: High

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a third-party contractor evaluated its compliance program, an unidentified entity submitted a September 5, 2018 Self-Report when it discovered that, in June 2017, it was not in compliance with the reliability standard. The entity failed to implement documented cyber security policies that address cyber security awareness and cyber security incident response for its low impact Bulk Electric System (BES) Cyber Systems. The entity had not realized that there was a new version of the Critical Infrastructure Procedure (CIP) standards. The root cause of this violation was a lack of awareness of several NERC reliability standard requirement obligations. Specifically, the entity did not incorporate NERC reliability standard amendments into its compliance program.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify the impact level of its assets and to document cyber security policies, the entity exposed Cyber Assets to unauthorized use. However, the facility in scope had been classified as a Low Impact Asset that runs only a few times a year. Furthermore, the entity’s process information system monitors the asset and would send information if the connection were interrupted. Additionally, the Low Impact Asset was protected from unauthorized physical access. The violation began on April 1, 2017, when the entity failed to implement documented cyber security policies, and ended on September 4, 2018, when the entity’s CIP Senior Manager reviewed and approved its policy. NPCC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. NPCC noted that compliance exception treatment was not appropriate based on the entity’s lack of due diligence and overall lack of NERC compliance awareness. To mitigate the violation, the entity contracted a third party to create a compliance program, implemented training, implemented a response plan, performed a tabletop exercise of the response plan, and created a facility-specific reliability standard procedure. Furthermore, to prevent recurrence, the entity implemented an automated system and tasks to ensure NERC activities are tracked and completed.

Penalty: $10,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: NPCC2018020346

Reliability Standard: CIP-003-6

Requirement: R2

Violation Risk Factor: Lower

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a third-party contractor evaluated its compliance program, an unidentified entity submitted a September 5, 2018 Self-Report when it discovered that, in June 2017, it was not in compliance with the reliability standard. The entity failed to implement documented cyber security policies that address cyber security awareness and cyber security incident response for its low impact Bulk Electric System (BES) Cyber Systems. The entity had not realized that there was a new version of the CIP standards. The root cause of this violation was a lack of awareness of several NERC reliability standard requirement obligations. Specifically, the entity did not incorporate NERC reliability standard amendments into its compliance program.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify the impact level of its assets and to document cyber security policies, the entity exposed Cyber Assets to unauthorized use.

However, the facility in scope had been classified as a Low Impact Asset that runs only a few times a year. Furthermore, the entity’s process information system monitors the asset and would send information if the connection were interrupted. Additionally, the Low Impact Asset was protected from unauthorized physical access. The violation began on April 1, 2017, when the entity failed to implement documented cyber security policies, and ended on September 4, 2018, when the entity approved its policy. NPCC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. NPCC noted that compliance exception treatment was not appropriate based on the entity’s lack of due diligence and overall lack of NERC compliance awareness. To mitigate the violation, the entity contracted a third party to create a compliance program, implemented training, implemented a response plan, performed a tabletop exercise of the response plan, and created a facility-specific reliability standard procedure. Furthermore, to prevent recurrence, the entity implemented an automated system and tasks to ensure NERC activities are tracked and completed.

Penalty: $10,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-15-000 (July 31, 2019)

NERC Violation ID: NPCC201802351

Reliability Standard: CIP-003-6

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a third-party contractor evaluated its compliance program, an unidentified entity submitted a Self-Report on September 5, 2018, when it discovered that, in June 2017, it was not in compliance with the reliability standard. The entity failed to identify a Critical Infrastructure Procedures (CIP) Senior Manager by name and had not realized that there was a new version of the CIP standards. The root cause of this violation was a lack of awareness of several NERC reliability standard requirement obligations. Specifically, the entity did not incorporate NERC reliability standard amendments into its compliance program.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to identify a CIP Senior Manager, the entity did not have an individual responsible for ensuring compliance. As a result, the entity failed to identify the impact level of its assets and failed to create and review one or more documented cyber security policies. Furthermore, by failing to identify the impact level of its assets and to document cyber security policies, the entity exposed Cyber Assets to unauthorized use. However, the entity reduced the risk of its system being compromised in that the Low Impact Asset was protected from unauthorized physical access. The violation began on April 1, 2017, when the entity failed to identify a CIP Senior Manager by name, and ended on September 4, 2018, when the entity designated a CIP Senior Manager. NPCC considered the internal compliance program to be a neutral factor in the penalty determination. Additionally, NPCC considered the entity’s compliance history and determined there were no relevant instances of noncompliance. NPCC noted that compliance exception treatment was not appropriate based on the entity’s lack of due diligence and overall lack of NERC compliance awareness. To mitigate the violation, the entity identified and documented a CIP Senior Manager by name, contracted a third party to create a compliance program, and created a facility-specific reliability standard procedure.

Penalty: $10,000

FERC Order: July 31, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: NPCC2018020061

Reliability Standard: CIP-003-6

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a Compliance Audit, NPCC determined that an unidentified entity was not in compliance with the Reliability Standard and Requirement. Specifically, the entity’s procedures were based on older standards, and the entity did not update its procedures when the new version of the Critical Infrastructure Procedure (CIP) Standards went into effect. The root causes of the violation were lack of accountability and management oversight.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to designate a CIP Senior Manager, the entity may fail to ensure CIP protections are afforded and maintained, which could expose applicable Cyber Assets to unauthorized use. However, the entity reduced the risk of Cyber Assets being compromised by affording physical and electronic protections. Furthermore, no harm is known to have occurred as a result of the noncompliance. The violation began on July 1, 2016, when the entity failed to identify a CIP Senior Manager by name, and ended on December 1, 2016, when the entity designated a CIP Senior Manager. NPCC determined that the entity’s internal compliance program was a neutral factor in the penalty determination and that the entity’s compliance history revealed no relevant instances of noncompliance. To mitigate the violation, the entity designated a CIP Senior Manager. To prevent recurrence, the entity created automated tasks to maintain documentation for CIP Senior Manager designations.

Penalty: $0

FERC Order: June 27, 2019 (no further review)

Unidentified Registered Entity 1 (NPCC_URE1), FERC Docket No. NP19-12-000 (June 27, 2019)

NERC Violation ID: NPCC2018020062

Reliability Standard: CIP-003-6

Requirement: R3

Violation Risk Factor: Medium

Violation Severity Level: Severe

Region: Northeast Power Coordinating Council, Inc. (NPCC)

Issue: After a Compliance Audit, NPCC determined that an unidentified entity was not in compliance with the Reliability Standard and Requirement. Specifically, the entity’s procedures were based on older standards, and the entity did not update its procedures when the new version of the Critical Infrastructure Procedure (CIP) Standards went into effect. The root causes of the violation were lack of accountability and management oversight.

Finding: NPCC found the violation constituted a minimal risk and did not pose a serious or substantial risk to bulk power system reliability. By failing to designate a CIP Senior Manager, the entity may fail to ensure CIP protections are afforded and maintained, which could expose applicable Cyber Assets to unauthorized use. However, the entity reduced the risk of Cyber Assets being compromised by affording physical and electronic protections. Furthermore, no harm is known to have occurred as a result of the noncompliance. The violation began on July 1, 2016, when the entity failed to identify a CIP Senior Manager by name, and ended on December 1, 2016, when the entity designated a CIP Senior Manager. NPCC determined that the entity’s internal compliance program was a neutral factor in the penalty determination and that the entity’s compliance history revealed no relevant instances of noncompliance. To mitigate the violation, the entity designated a CIP Senior Manager. To prevent recurrence, the entity created automated tasks to maintain documentation for CIP Senior Manager designations.

Penalty: $0

FERC Order: June 27, 2019 (no further review)