Utility hit with record fine for cybersecurity violations
David Wagman | February 01, 2019

An unnamed utility was hit with a $10 million fine for more than 125 cybersecurity violations spanning four years.
The North American Electric Reliability Corp. (NERC) announced the fine through a public version of a January 25 notice of penalty, with the utility's name and other information redacted. The fine is believed to be a record, and the notice said the violations "collectively posed a serious risk" to the bulk power system's security and reliability.
Many of the violations took place over long periods of time, involved multiple instances of noncompliance, and represented repeated failures to implement physical and cybersecurity protections.
NERC said the violations were the result of a lack of management engagement, ineffective oversight and training, and organizational silos between management levels and business units.
To address the problems, the utility agreed in part to create a centralized critical infrastructure protection (CIP) oversight department, invest in enterprise-wide tools related to asset and configuration management and create multiple levels of training.
Most of the reported violations took place between 2015 and 2018. NERC said that some vulnerabilities remain to be fixed. It classified 13 of the violations as "serious," 62 as "moderate" and 52 as "minimal."
Many of the alleged violations outlined in the document were self-reported to NERC, but others were found as a result of audits of the utility's security program. Violations ranged from improperly vetting software updates to failing to secure firewall settings, potentially allowing unauthorized access to computer networks.
The Federal Energy Regulatory Commission (FERC) oversees the security standards and fines and has until late February to approve or reject the $10 million settlement reached between NERC and the utility.
The Energy Policy Act of 2005 tasked FERC with overseeing bulk power system reliability. As the nation's electric reliability organization (ERO), NERC was tapped to develop CIP cybersecurity reliability standards. In January 2008, FERC Order No. 706 approved the CIP reliability standards.
In addition, the electric industry is incorporating information technology systems into its operations – commonly referred to as smart grid – as part of nationwide efforts to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of service. To address this, the Energy Independence and Security Act of 2007 (EISA) gave FERC and the National Institute of Standards and Technology (NIST) responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.