NERC on Dec. 30, 2015, notified FERC of a settlement and financial penalty of $235,000 for an unidentified company associated with various reliability standards violations that deal with cybersecurity measures.
The settlement is between the Southwest Power Pool Regional Entity (SPP RE) and an unidentified registered entity (URE) over Critical Infrastructure Protection (CIP) reliability standards.
SPP RE is a separate division of the Southwest Power Pool Inc. (SPP), which as a NERC Regional Entity monitors and enforces compliance with reliability standards, with authority to levy financial penalties against registered entities in an area that includes all or parts of Arkansas, Kansas, Louisiana, Mississippi, Missouri, New Mexico, Oklahoma and Texas.
For all CIP reliability standard violations, companies are not identified, Ron Ciesiel, general manager of the SPP RE, told TransmissionHub Jan. 4.
The financial penalty, if upheld, will be used by SPP RE to offset its general budget and lower costs for entities within the SPP RE, Ciesiel said.
The unidentified company “neither admits nor denies the violations,” but agreed to the financial penalty and “other remedies and actions to mitigate the instant violations and facilitate future compliance” under the terms of the settlement, NERC said.
The filing (Docket No. NP16-7) listed 10 CIP standards violations, seven of which were self-reported and three of which were self-certified. All of the violations “posed a moderate and not serious or substantial risk to the reliability of the bulk power system,” NERC said.
Among the violations are that the URE did not maintain a complete list of Critical Cyber Assets, with the risk that the supervisory control and data acquisition/energy management system could be compromised; did not adhere to its change control and configuration management process; did not include a visual inspection of physical devices in performing vulnerability assessments; did not afford all of the protective measures specified in reliability standards for some physical access control system devices; and did not ensure that significant changes to cyber assets within the electronic security perimeter did not adversely affect existing cybersecurity controls.
The URE’s cyber assets were protected by firewalls configured to allow only traffic using specific protocols into the network, and SPP RE determined that no breach of security or data resulted from some of the violations.
For each of the violations listed, the unidentified company completed a mitigation plan and SPP RE verified that the company completed all mitigation activities, NERC told FERC.
The filing noted that in determining the amount of the penalty, “SPP RE considered URE’s compliance history as an aggravating factor in the penalty determination.”
That means that the penalty was higher than it would have been for a company with a clean compliance history, Ciesiel told TransmissionHub.
The filing also said that URE had an internal compliance program, which SPP RE considered as a neutral factor in the penalty determination, that the URE was cooperative throughout the enforcement process, that the violations were moderate in nature, and that the URE did not try to conceal a violation.
While some violations were self-reported, the URE did not receive mitigating credit for others because they were submitted only about four months before a compliance audit, after the URE had already received notice of the upcoming audit, NERC said.
NERC said that its board approved the settlement and believes that the financial penalty “is appropriate for the violations and circumstances at issue.”
The penalty will be effective upon expiration of a 30-day period following the notice of penalty with FERC, or, if FERC decides to review the penalty, upon a final determination by FERC, according to the filing.