Enforcement Explained: 2024 Year in Review—Trends and Outreach
By Mike Hattery, Senior Counsel, Legal & Enforcement
In this column, ReliabilityFirst Enforcement Staff share information on a variety of topics with a focus on communicating risk and providing transparency into the enforcement process. This includes: (a) identification of concerning violation trends, common failure types, and suggested solutions; (b) communication of expectations; and (c) commentary on enforcement approaches and specific factors that may affect the outcome in any given case. If you want to learn more about any of the topics discussed herein, please reach out to the author or your case manager.
As we sled into winter and the new year draws near, it is natural to reflect on what we learned in 2024. This edition of Enforcement Explained discusses a few trends in 2024 violation intake and processing and highlights important outreach from ReliabilityFirst (RF) Enforcement staff throughout the year.
Violation Trends
A couple of key disclaimers regarding the data: first, all violation data included is current through mid-November; second, CIP violation information is discussed below. As always, we are trying to communicate actionable insight while still protecting the confidentiality of individual violations and entities.
RF Violation Intake
It is highly probable that RF will see a second straight year of decline in overall intake, though the degree of that decline is not yet clear, as approximately a month and a half of 2024 intake remains to be accounted for. Similar to the last several years, two other trends have persisted:
- Most violations were self-reported or self-logged; and
- A majority were CIP violations.
In 2024, approximately 5% of the violations RF received were of CIP-003 (Cyber Security – Security Management Controls) R2. RF performed a preliminary review of the violations and found the following trends:
- Lack of awareness of the full scope of obligations (e.g., incomplete cyber security plans);
- Insufficient implementation of plans to mitigate risks associated with transient cyber assets and removable media; and
- Insufficient physical security controls (e.g., unsecured doors and failure to adhere to access protocols).
Due to the persistent stream of violations in the CIP-003 R2/low impact space, many with similar fact patterns and root causes, RF is performing outreach on developing and executing successful CIP-003 programs. First, if you are new to the CIP-003 space, or experienced but looking for additional perspective, please read Lew Folkerth’s multi-part series “CIP Low Impact from the Ground Up.” This extensive 16-part series is designed to assist entities in developing all components of a CIP-003 program. Second, if you want to learn more about the common challenges and issues that CIP-003 applicable programs face, the CIP Themes and Lessons Learned Report is a helpful starting point.
RF Violation Processing
Balanced against 2024 intake, ReliabilityFirst will have reduced its overall inventory of open violations significantly. When further assessed, of the violations processed, 87% were disposed of as Compliance Exceptions or Find, Fix, and Track Reports, and a majority were CIP violations.
RF Inventory of Open Violations
As discussed in this column frequently, and communicated by case managers to primary compliance contacts, RF Enforcement has been focused on clearing out older violations and prioritizing caseload. RF expects aged inventory figures to continue declining in 2025.
Enforcement Outreach: In Case You Missed It
A focal point for RF Enforcement has been increasing transparency into the enforcement process and communicating important trends we see in violations. Below are a few of the key pieces of written outreach RF Enforcement has supported in 2024.
- CIP Themes and Lessons Learned Report. The third edition of a periodic report developed by the ERO Enterprise. The report communicates four themes that ERO staff identified by reviewing a plethora of violations that were submitted or disposed of in the last few years. The report then offers suggestions to address and reduce the risk of these issues occurring at an entity.
- Challenges in Managing Vendor Access. A prior Enforcement Explained column discusses some of the challenges and failure types RF has seen when it comes to managing vendor access. Additionally, it contains suggestions and lessons learned for addressing these challenges and failure types.
- Self-Reporting Credit and Disposition Efficiency. Another Enforcement Explained column that highlights the relationship between quality self-reporting and disposition efficiency. Additionally, the column highlights some of the pitfalls RF sees in self-reports and provides guidance on how to avoid those issues in future self-reports.
If you want to discuss the information provided above, any topics you would like to see addressed in Enforcement Explained, or anything enforcement-related, please reach out to your case manager or you can email me at Mike.Hattery@RFirst.org. Finally, have a safe, refreshing, and reliable holiday season.