NERC alleges utility company security breaches, settles for $10 million

Wednesday, February 20, 2019

U.S. electric reliability organization NERC has filed a Notice of Penalty with federal utility regulators, describing a settlement agreement through which unnamed companies have agreed to pay a $10 million penalty after NERC determined the companies committed 127 violations of cybersecurity and other Critical Infrastructure Protection reliability standards.

On January 25, 2019, NERC filed a Notice of Penalty with the Federal Energy Regulatory Commission. The Commission docketed the proceeding as Docket No. NP19-4. The public version of the filing was heavily redacted, and does not state the identity of the companies involved in the alleged violations.

The Notice of Penalty describes the risk posed to the reliability of the bulk power systems from the violations as ranging from minimal in 52 cases, to serious in 13 cases. It asserts that the 127 violations "collectively posed a serious risk to the security and reliability" of the grid because "many of the violations included long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections." While some details of the alleged violations were redacted from the public filing, they include failure to revoke contractor and employee rights to access electronic systems after access was no longer required, failure to maintain an escort when required for personnel to enter a physical security perimeter, a contractor's failure to secure vent openings on a physical security perimeter after completion of a facility upgrade, failure to immediately review unauthorized access attempts, and failure to monitor and implement vendor security patches.

According to the public filing, the violations were discovered during compliance audits and through self-reports the companies submitted from 2015 through 2018. The filing asserts that the issues displayed contributing causes including a lack of management engagement, support and accountability; disassociation of compliance and security; and organizational silos between management levels and across business units.

In addition to agreeing to pay a penalty of $10 million, the Notice of Penalty describes other conditions of the settlement, including mitigation measures and increased compliance monitoring.

Following the filing of the Notice of Penalty, advocacy organization Public Citizen filed a motion to intervene in the FERC proceeding. Public Citizen also asked the Commission to direct the public release of the company's name, noting, "This is now the second record-breaking Notice of Penalty in a year where NERC has refused to identify the name of a violator." Last year, the Commission accepted a settlement featuring a $2.7 million penalty for violations of cybersecurity standards.

In its motion, Public Citizen asserted that multiple media reports have allegedly identified the company involved in the instant case as Duke Energy, citing reporting by EnergyWire, the Wall Street Journal, RTO Insider, the Charlotte Business Journal, and UtilityDive.
