Highest NERC Penalty Ever Unrelated to an Event

Reliability First, a Regional Entity tasked with compliance audits and enforcement, recently revealed more details on the highest penalty ever levied on an electrical registered entity for violations not related to an event. The penalty was for $1.7 million.

The largest penalty to date is the $25 million whopper issued to Florida Power & Light Co. (FPL) for the February 2008 blackout, in which millions of people in South Florida lost power for several hours. That penalty was for actual societal impact. This penalty was for the risk of actual impact: nothing bad ever happened, but the risk was high. The Ukraine attack probably didn't help decrease this fine. The December 2015 cyber attack caused 225k customers to be without power for several hours and is the first publicly acknowledged power outage caused by a cyber attack in the history of the world. That event has increased awareness of the importance of cyber controls, such as CIP, and the appetite for stronger fines and sanctions for non-compliance.

The entity in violation was not specifically named because the violations were CIP related, and disclosing potential cyber vulnerabilities could attract attackers. However, there is much to be learned from this situation.

  • RF conducted a CIP audit in 2011 and found 19 violations. RF conducted another audit in 2014 and found 36 CIP violations (only 43 CIP Requirements existed). The entity submitted Mitigation Plans in between those audits, but they obviously didn't sufficiently address the root causes.
  • RF found the entity thought of compliance as separate from security. The compliance department lacked sufficient authority and power to effect change - a sign of a poor culture of compliance. This led to issues such as 3 Physical Security Perimeter doors being altered so they didn't lock, letting people enter without the "burden" of security.
  • RF found the entity didn't have the proper expertise to identify and fix issues. This could have been prevented by increasing internal resources or engaging outside help.
  • RF found the entity had abnormally high business silo difficulties. This led to issues such as having separate training, personnel risk assessment, and access provisioning/revoking programs (9 different violations in this case). Silos exist to some extent at all companies by nature, but this company lacked the coordination and central oversight needed to minimize them.
  • The entity didn't file Mitigation Plans until 8 months after the 2014 audit, and the plans it filed didn't properly mitigate the issues. The entity was late completing milestones, and RF found that 4 plans the entity reported as complete had not been completed.
  • The RF president met with the entity's president, prompting change in senior leadership awareness, resource levels, and organizational structure.

We have all seen these issues in some form or other - and in some degree or other. They aren't unique to any one company but shared by all. This is a good reminder of the financial and reputational blows that can come from non-compliance. Many companies are working with Proven Compliance Solutions for help in establishing solid, achievable compliance programs, as well as for performing gap analyses, conducting mock audits, and delivering training.

See https://www.rfirst.org/Pages/Newsletter.aspx for the May/June 2016 Reliability First newsletter (pg. 7-8).

See https://www.ferc.gov/media/news-releases/2009/2009-4/10-08-09.asp for $25 million fine details.