FERC on Friday accepted settlements between Texas Reliability Entity and Electric Transmission Texas (ETT), as well as with at least one unnamed entity in the Texas Interconnection. It also approved a settlement between WECC and an unnamed entity in the Western Interconnection for violations of NERC reliability standards (NP20-20).
NERC submitted the settlements July 30 in a spreadsheet Notice of Penalty (NOP); FERC indicated in a notice that it would not review the filing, leaving the penalties intact.
ETT Admits Rating Missteps
Texas RE’s settlement with ETT — the only one in the spreadsheet NOP in which the registered entity was identified — involved a violation of FAC-008-3, which covers entities’ facility ratings.
ETT self-reported the violation in December 2018, saying that one of its affiliates had discovered incorrect ratings in five transmission segments during an “extent of condition” review for an unrelated instance of noncompliance. The misratings had been in effect since May 2016, when the first of the affected segments was placed into service, and ended in October 2018, when ETT revised the ratings.
Texas RE attributed the violations to “an insufficient process for compliance with FAC-008-3.” Specifically, for four of the transmission segments, ETT failed to identify the most limiting series element (MLSE), while in the remaining segment, the utility had adopted a new facility rating methodology but neglected to revise the line’s rating.
ETT’s mitigation measures included another extent-of-condition review to document any additional revised facility ratings. The utility also began conducting quarterly reviews on randomly selected facility ratings and revised its FAC-008-3 compliance processes, including a process for identifying the MLSE for transmission assets.
In assessing its penalty, Texas RE decided not to give ETT mitigating credit for self-reporting the violation, as the review that led to the discovery was itself a result of noncompliance. However, the regional entity also acknowledged that ETT addressed the issue quickly and thoroughly, and that its affiliate had already been assessed a penalty for the previous infraction. As a result, Texas RE determined that no monetary penalty would be required.
Multiple CIP Violations in Texas, West
The remaining six settlements in the spreadsheet NOP — five involved Texas RE and one WECC — relate to violations of NERC’s Critical Infrastructure Protection (CIP) standards and thus have had significant amounts of information removed, including the names of violating entities.
Texas RE’s first entry in this series, for which no monetary penalty was assessed, was prompted by a violation of CIP-002-5.1 (bulk electric system cyber system configuration). According to the RE, the entity incorrectly identified at least one of its cyber systems as low-impact because the third party that reviewed the system in 2015 only considered “normal conditions”; a second review in 2017 by another third party found that the system should be considered medium-impact.
While Texas RE acknowledged that the violation posed a risk to the grid, it described the risk level as “moderate,” rather than substantial or severe. The RE also observed that the entity had reclassified the systems in question as medium-impact once it was informed of the oversight and developed its own “comprehensive evaluation methodology” for categorizing its cyber assets.
In addition, the fact that the entity conducted another review with a different third party just two years after the last one spoke to its strong compliance culture, Texas RE said. These factors led the RE to conclude that no further penalty was needed.
Unnamed Entity Hit for Cyber Problems
Texas RE’s next four settlements involved violations of CIP-007-6 (systems security management) and CIP-010-2 (configuration change management and vulnerability assessments), all apparently by the same entity. All violations were self-reported in July 2017.
The CIP-007-6 violations, which accounted for three of the four settlements, stemmed from a number of issues. In one instance, the entity had failed to evaluate or apply multiple security patches. According to the standard, the patches should have been reviewed within 35 days, but in some cases, they went unreviewed for more than a year. Texas RE identified the root cause of the noncompliance as a combination of inadequate patching procedure, changes in personnel responsible for patch management and fumbled planning for the transition to CIP-007-6 in July 2016.
Another violation of the same standard arose from the enabling of an unneeded listening port on one of the entity’s cyber assets, potentially providing an entry point for unauthorized personnel. In the third case, the entity found that it was not properly recording logs of malicious code on its cyber assets in accordance with the standard. The root cause of this violation was determined to be “insufficient procedures … to ensure the entity would be compliant” with CIP-007-6.
For the CIP-010-2 violation, the entity reported to Texas RE that it had failed to include the standard in its baseline documentation for some of its cyber assets because of the use of change-management processes that did not include the standard, either because of age or oversight. The baseline documentation was updated in July 2017.
In assessing the penalty for these violations, Texas RE balanced the number of infringements — and the fact they were only reported when the entity was informed of an upcoming compliance audit — with the entity’s lack of previous violations. Another significant factor was the fact that “the issue was part of a noncompliance spanning multiple regions and registered entities,” meaning that one of the entity’s affiliates had already been assessed a penalty for the same violation. Texas RE considered this an acceptable reason to reduce the total penalty to $36,750.
WECC Makes a Cybersecurity Example
The final settlement in the spreadsheet NOP involved a violation of CIP-011-2 (information protection) by an unnamed entity in the Western Interconnection. The entity reported the issue to WECC via the self-logging program in October 2018.
According to the entity’s report, a contractor on one of its projects forwarded documents containing bulk electric system cyber system information (BCSI) to a personal email account on five separate occasions, in breach of the entity’s procedure for protecting and securely handling BCSI. The violation ended in July 2018 when the contractor removed all BCSI information from their personal email account.
To mitigate the violation, the entity terminated the contractor’s physical and electronic access authorization after recovering all data and ensuring that the contractor had purged the data. It also reminded all other contractors associated with the project about the information security policies.
WECC found that the violation posed a minimal risk: While the information involved could have been damaging if disclosed to a malicious actor, the RE determined that the entity had exercised sufficient diligence in confirming that the emails had not been forwarded to any other individuals, and an investigation found that the contractor had not mishandled any other information. Furthermore, the BCSI in question was surrounded by noncritical data and thus unlikely to be recognized by an outsider as significant.
The low-risk assessment and zero monetary penalty could have justified handling the violation as a compliance exception. However, WECC decided to elevate the issue to an expedited settlement agreement in order to bring greater visibility to the issue of information security.