Thus the LIBCS should have been identified as MIBCS. The entity had categorized the BES Cyber System at the substation as LIBCS due to an error identifying lines’ connections. After evaluating the change, it was determined that the BES Asset information used to initially categorize the LIBCS was unclear and incomplete, which resulted in the incorrect impact rating of the BES Cyber Systems at that substation. Although the first entity-approved cyber system list was published to align the entity’s CIP Version 5 transition project, during the entity’s November 2016 BES Cyber System Review, a new preferential data source was identified and used to re-categorize the Low Impact Bulk Electric System (BES) Cyber Systems (LCBS) at a substation to Medium Impact BES Cyber Systems (MIBCS). The most comprehensive data sources for the entity’s asset characteristics were identified and used to categorize the BES Assets. In November 2014, the entity started its BES Asset analysis utilizing CIP Version 5 criteria. Issue: On December 16, 2016, an unidentified entity submitted a Self-Report stating that it was in violation of the Reliability Standard. Region: Western Electricity Coordinating Council (WECC) Unidentified Registered Entity 1 (WECC_URE1), FERC Docket No. Additionally, the entity stated in its mitigation plan that by November 7, 2019, it will have finalized and have the Critical Infrastructure Procedures Senior Manager approve of the draft identifications. To mitigate the violation, the entity created a draft process for reliability standard compliance, approved a documented internal compliance program, established a compliance committee, and conducted training.
Texas RE considered the entity’s compliance history and determined there were no relevant instances of noncompliance. The duration of the violation began on Jwhen the reliability standard became enforceable and is currently ongoing.
By failing to properly identify and classify a BES Cyber System, Texas RE exposed the BES Cyber System to inadequate cyber security protections. The root cause of this violation was that the entity did not have any process for complying with the reliability standard before or after the reliability standard was implemented.įinding: Texas RE found the violation constituted a moderate risk and did not pose a serious or substantial risk to bulk power system reliability. Specifically, the entity noted that it did not have or implement a certain process, and as a result, the entity did not identify each asset that contained a Bulk Electric System (BES) Cyber System. Issue: An unidentified entity submitted a Self-Certification that it was in noncompliance with CIP-002-5.1 R.1.
Unidentified Registered Entity 1 (Texas RE_URE1), FERC Docket No.