FERC Approves $450,000 Penalty in ReliabilityFirst
FERC accepted a settlement between ReliabilityFirst and an unnamed entity in the Eastern Interconnection for violations of NERC reliability standards.

FERC last week accepted a settlement between ReliabilityFirst and an unnamed entity in the Eastern Interconnection for violations of NERC reliability standards (NP20-15). In a notice on Friday, the commission said it would not review the settlement, leaving the $450,000 penalty intact.

In a Notice of Penalty submitted April 30, ReliabilityFirst described 34 separate violations of NERC’s critical infrastructure protection (CIP) standards. The standards at issue were:

  • CIP-002-5.1 — BES cyber system categorization (one violation);
  • CIP-004-6 — Cybersecurity personnel and training (five);
  • CIP-005-5 — Electronic security perimeter(s) (one);
  • CIP-006-6 — Physical security of BES cyber systems (four);
  • CIP-007-3a — Systems security management (two);
  • CIP-007-6 — Systems security management (nine);
  • CIP-009-6 — Recovery plans for BES cyber systems (one);
  • CIP-010-2 — Configuration change management and vulnerability assessments (10); and
  • CIP-011-2 — Information protection (one).

Many details of the violations were redacted on the grounds that they “could be useful to a person planning an attack on critical electric infrastructure” by helping such a person identify the entity and its cybersecurity vulnerabilities, which could in turn jeopardize security of the wider bulk power system.

The time frame covered by the violations was also not disclosed, but the regional entity said many of them were “relatively short in duration.” In addition, most of the issues posed a minimal risk to BPS reliability. Only two violations were assessed as serious; of the remaining infringements, 11 were classed as moderate risk, including three violations of CIP-007-6, four of CIP-010-2, and one each of CIP-004-6, CIP-005-5, CIP-006-6 and CIP-007-3a.

[Image: map of the ReliabilityFirst region] ReliabilityFirst’s coverage area includes all or portions of Delaware, New Jersey, Pennsylvania, Maryland, Virginia, Illinois, Wisconsin, Indiana, Ohio, Michigan, Kentucky, West Virginia, Tennessee and D.C. | ReliabilityFirst

The first serious risk violation involved CIP-007-3a, with the entity failing to evaluate and install necessary patches for certain programs. ReliabilityFirst attributed the issue to insufficient workforce management, which led the entity to assume, mistakenly, that the vendor of the programs would track patches on its behalf; patch tracking was not part of the vendor support agreement.

In the second serious violation, ReliabilityFirst determined that the entity had violated CIP-007-6 R4 in three instances. The first case involved improperly configured cyber assets; in the second case, server logs were not being properly reviewed; and in the third instance, cyber assets were not being monitored for security incidents. ReliabilityFirst blamed the lapses on insufficient asset and configuration management, coupled with insufficient process and workforce management.

All of the issues were self-reported by the entity and mitigated at the time of submission. ReliabilityFirst determined that a number of causes contributed to the minor violations, including issues implementing new assets, tools and processes; inadequate training; unclear or overlapping responsibilities of staff; inadequate planning; and gaps in existing processes, procedures and work instructions.

The RE acknowledged that the minor risk infringements could have been handled as compliance exceptions under different circumstances, but it said it wanted to “consider and evaluate the full scope” of the violations. It emphasized that the violations resolved in the settlement “are not indicative of” systemic issues in the entity’s CIP compliance program and predicted that many of the issues would occur less frequently as the compliance program matures.

The monetary penalty was “largely” based on the serious and moderate risk violations. In addition, a repeat noncompliance with CIP-006-6 was cited in aggravating the amount. Mitigating factors included the fact that the entity admitted to and accepted responsibility for the violations, most of which had been self-identified, and was cooperative throughout the enforcement process. The NERC Board of Trustees’ Compliance Committee approved the penalty as “appropriate for the violations and circumstances” and “consistent with NERC’s goal to promote and ensure reliability of the BPS.”

