For the second time in less than a year, the North American Electric Reliability Corporation (NERC) has imposed a six-figure penalty on a participant in the electric market for fundamentally failing to comply with the NERC Critical Infrastructure Protection (CIP) standards. In this compliance Alert, we focus on the importance of complying with the NERC CIP standards.
For almost 10 years, the electric industry has been subject to mandatory NERC standards, including the CIP standards. While the CIP standards have varied over the years, the basic requirements have remained the same — identify critical cyber assets and then implement electronic and physical procedures to protect such assets.
Market participants can be subject to penalties for violating the NERC standards. Historically, while the CIP standards have been the standards most violated (in part because of the complexities arising from individual situations), the penalties imposed by NERC have been small, up to $250,000 depending on the severity of the violations, along with a requirement that the market participant fix the problems from which the violations arose.
But 10 years into the mandatory CIP standards, some companies are fundamentally failing to comply with those requirements. In response, NERC is significantly increasing the applicable penalties.
Two recent cases show this revised (and increased) NERC response. In February 2016, NERC settled with a registered entity that it did not identify (a so-called unidentified registered entity (URE)) for $1.7 million after finding “serious, systemic security and [CIP] compliance issues across URE’s multiple business units.” February 2016 CIP Violation at 4. The URE committed 36 CIP violations, many of which were repeats of prior violations, and 21 of which posed “a serious and substantial risk to the reliability of the Bulk Power System (BPS).” Id.
Reliability was threatened because CIP assets were not secured. The URE did not complete required patching, three Physical Security Perimeter (PSP) doors to a central control room could not be latched securely, and an employee worked eight shifts despite his physical access being revoked for failure to complete annual requalification training.
In October 2016, NERC proposed to settle with another URE for $1.1 million for “connect[ing] substations to the Bulk Electric System (BES) without ensuring those substations were afforded adequate CIP protections to electronically and physically protect the CCAs [Critical Cyber Assets] contained therein, prior to being energized and activated.” October 2016 CIP Violation at 4. Specifically, the URE “failed to protect the substations with firewalls, as well as failed to complete its physical access control system configurations.” Id.
The root cause of the violations was the URE’s failure to have a comprehensive change management, configuration, and communication process during the project, testing, and installation phases of new substations. Further, construction personnel did not have well-defined responsibility and accountability for ensuring those facilities were compliant with NERC CIP standards.
Management must seriously address (or reassess) its compliance with NERC’s cyber standards. A cyber breach compromising the nation’s electric grid would have serious public safety and national security ramifications. NERC itself said that the October 2016 CIP violation could have allowed a malicious individual to enter the substation without a key, badge, or authorization and take unauthorized action. Further, if load were lost as a result of a cyber violation, the applicable penalty would be more than $1-$2 million, corporate reputation would be damaged, and stock prices would likely fall and management changes follow.
To be sure, the NERC standards, and in particular the cyber standards, can often be unclear and open to interpretations depending on individual situations. However, assistance is available from NERC and the regional entities, as well as lawyers and consultants.
More importantly, though, management can go a long way toward ensuring that their companies are in compliance simply by making CIP compliance a high-priority company issue, similar to ensuring compliance with environmental or other governmental requirements. As NERC concluded, the February 2016 CIP violation resulted from “cultural issues” — code for management not taking these issues seriously — and stemmed from “URE management’s lack of awareness, engagement, and accountability for CIP compliance.” February 2016 CIP Violation at 4.