U.S. Energy Firm Fined $10 Million for Security Failures
A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.
The record fine was announced by NERC last week. The agency has published a heavily redacted document that does not disclose the name of the targeted company, but E&E News and The Wall Street Journal reported that it was North Carolina-based Duke Energy, one of the largest electric power companies in the United States.
NERC’s CIP reliability standards describe the requirements for physical and cyber security for operators of North America’s bulk power system (BPS).
According to NERC’s notice of penalty, the organization has reached a settlement with the offending energy firm. In addition to the $10 million fine, which the company has agreed to pay, the settlement includes mitigating ongoing violations and facilitating future compliance.
A vast majority of the 127 violations found by NERC have been classified as “moderate” or “medium,” but 13 have been described as “serious.” The agency’s assessment says the violations “collectively posed a serious risk to the security and reliability of the BPS.”
“The companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections,” NERC explained.
The list of issues that were individually classified as “serious” includes improperly configured firewalls and intrusion detection systems; failure to implement proper physical access controls; failure to install available software patches for months and even years; failure to implement security event monitoring; shared passwords, default accounts and other account management issues; failure to develop and maintain accurate baseline configurations; security risks introduced by the use of transient cyber assets (i.e. temporarily connected systems used for data transfers, maintenance or vulnerability assessment); and failure to protect bulk electric system (BES) information.
The lack of managerial oversight, lack of internal controls, deficient processes and inadequate training have been cited as the causes for many of these issues. NERC claims that while some of these violations have been addressed, others are currently ongoing.
“I think the cyber security of the North American Bulk Electric System is very good, and that is in large part due to the CIP standards,” Tom Alrich, who provides cyber risk management and NERC CIP consulting services, said in a blog post. “But there is a big problem with CIP […]: The requirements don’t follow a risk-based approach, in which the entity first identifies the most serious cyber security risks they face, as well as the most important systems that needed to be protected. This would allow NERC entities to allocate their scarce cyber security resources toward mitigation of the biggest risks, and to the systems that most need to be protected.”
Last year, NERC announced a $2.7 million fine for another energy firm, but that fine was mainly related to one data security incident that resulted in the exposure of critical systems. While the agency did not name the targeted company, it was widely believed to be California-based Pacific Gas and Electric (PG&E).