Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Energy Firm Fined $10 Million for Security Failures

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

The record fine was announced by NERC last week. The agency has published a heavily redacted document that does not disclose the name of the targeted company, but E&E News and The Wall Street Journal reported that it was North Carolina-based Duke Energy, one of the largest electric power companies in the United States.

NERC’s CIP reliability standards describe the requirements for physical and cyber security for operators of North America’s bulk power system (BPS).

Energy firm fined for security failuresAccording to NERC’s notice of penalty, the organization has reached a settlement with the offending energy firm. In addition to the $10 million fine, which the company has agreed to pay, the settlement includes mitigating ongoing violations and facilitating future compliance.

A vast majority of the 127 violations found by NERC have been classified as “moderate” or “medium,” but 13 have been described as “serious.” The agency’s assessment says the violations “collectively posed a serious risk to the security and reliability of the BPS.”

“The companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections,” NERC explained.

The list of issues that were individually classified as “serious” includes improperly configured firewalls and intrusion detection systems; failure to implement proper physical access controls; failure to install available software patches for months and even years; failure to implement security event monitoring; shared passwords, default accounts and other account management issues; failure to develop and maintain accurate baseline configurations; security risks introduced by the use of transient cyber assets (i.e. temporarily connected systems used for data transfers, maintenance or vulnerability assessment); and failure to protect bulk electric system (BES) information.

The lack of managerial oversight, lack of internal controls, deficient processes and inadequate training have been cited as the causes for many of these issues. NERC claims that while some of these violations have been addressed, others are currently ongoing.

“I think the cyber security of the North American Bulk Electric System is very good, and that is in large part due to the CIP standards,” Tom Alrich, who provides cyber risk management and NERC CIP consulting services, said in a blog post. “But there is a big problem with CIP […]: The requirements don’t follow a risk-based approach, in which the entity first identifies the most serious cyber security risks they face, as well as the most important systems that needed to be protected. This would allow NERC entities to allocate their scarce cyber security resources toward mitigation of the biggest risks, and to the systems that most need to be protected.”

Last year, NERC announced a $2.7 million fine for another energy firm, but that fine was mainly related to one data security incident that resulted in the exposure of critical systems. While the agency did not name the targeted company, it was widely believed to be California-based Pacific Gas and Electric (PG&E).

Related: NERC Names Bill Lawrence as VP, Chief Security Officer

Related: U.S. Energy Department Invests Another $28 Million in Cybersecurity

Related: Cyberattacks Against Energy Sector Are Higher Than Average

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...