On July 6, the North American Electric Reliability Corporation (NERC) filed with the Federal Energy Regulatory Commission (FERC or the Commission) the first batch of Notices of Penalty describing violations of Critical Infrastructure Protection (CIP) Reliability Standards by users, owners, and operators of the bulk-power system.
Most of these notices involved inappropriate access to Critical Cyber Assets, and all of the violations were settled for small amounts. Notably, these Notices of Penalty also utilized an abbreviated, confidential format that removed the name of the registered entity and most of the detail regarding the violations at issue.
In Order No. 706, issued on January 18, 2008, the Commission approved eight mandatory CIP Reliability Standards that were developed by NERC and are intended to provide significant cyber-security protections for cyber equipment determined to be critical for bulk-power system reliability. While the earliest compliance deadline for these Reliability Standards was July 1, 2008, the nine Notices of Penalty filed with the Commission on July 6 were the first confirmed violations reported to the Commission for approval, which is the process required before the penalties and settlements can take effect.
Analysis of the Notices of Penalty
The nine Notices of Penalty involved a total of $76,000 in sanctions. However, $39,000 of this amount stems from a single Notice of Penalty that had 11 total violations, only one of which was a CIP-002 through CIP-009 violation. Furthermore, of the nine Notices of Penalty, two involved a $0 penalty. One of the $0 penalties was for a "clerical error" that resulted in revoking access to the wrong facilities, while the other $0 penalty involved an unnamed federal agency.
Of the ten CIP Reliability Standard Requirements covered by these Notice of Penalty, eight were for violations of CIP-004-1-Personnel and Training, primarily R3 and R4 and their associated subrequirements. These violations involved failures to maintain appropriate lists of personnel with authorized access to Critical Cyber Assets, failures to perform personnel risk assessments or to provide appropriate training for personnel granted access to Critical Cyber Assets, and failures to revoke access to Critical Cyber Assets when it was not longer necessary.
One Notice of Penalty was for a violation of CIP-003-1-Security Management Controls stemming from a failure to identify a senior manager for CIP Reliability Standards compliance as required. The remaining Notice of Penalty addresses a violation of CIP-005-1-Electronic Security Perimeter(s) resulting from failures to use an access control model that denied access to the Electronic Security Perimeter by default and to enable only the ports within the Electronic Security Perimeter.
Unusual Notice of Penalty Format
Unlike a typical Notice of Penalty, which describes in detail the registered entity, the discovery and investigation of the violation, and the settlement and sanction determination, these CIP Reliability Standard Notices of Penalty are very abbreviated, and do not include the settlement agreement that is typically appended to a Notice of Penalty. While these CIP Notices of Penalty do identify the NERC region where the registered entity is located, they do not name the registered entity or explain in detail the nature of the violation or why the Regional Entity and NERC determined that the penalty was appropriate. Instead, the Notices of Penalty explain that this more complete information was submitted, along with the public Notice of Penalty, in a nonpublic exhibit.
However, these CIP Notices of Penalty do provide summaries of the violations and the subsequent mitigation by the registered entity. Indeed, because each Notice of Penalty briefly lists the mitigating actions that the registered entities implemented following the discovery of the Reliability Standard violations at issue, a review of these mitigating actions may provide guidance as to the type of mitigation plans that NERC and the Regional Entities consider acceptable to address these violations.
As mandatory compliance with CIP Reliability Standards has been in place for many entities for more than a year, NERC is likely to file many additional CIP Notices of Penalty in the near future. While these CIP Notices of Penalty are brief, they do provide worthwhile information regarding the enforcement of these Reliability Standards by NERC and the Regional Entities, as well as the compliance issues faced by registered entities and how they have addressed them. As a result, a review of these Notices of Penalty can be valuable for CIP compliance personnel when they are facing similar issues.
If you have any questions or would like more information on any of the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:
Washington, D.C.
Stephen M. Spina
J. Daniel Skees