Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

U.S. Energy Firm Fined $10 Million for Security Failures

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

The record fine was announced by NERC last week. The agency has published a heavily redacted document that does not disclose the name of the targeted company, but E&E News and The Wall Street Journal reported that it was North Carolina-based Duke Energy, one of the largest electric power companies in the United States.

NERC’s CIP reliability standards describe the requirements for physical and cyber security for operators of North America’s bulk power system (BPS).

Energy firm fined for security failuresAccording to NERC’s notice of penalty, the organization has reached a settlement with the offending energy firm. In addition to the $10 million fine, which the company has agreed to pay, the settlement includes mitigating ongoing violations and facilitating future compliance.

A vast majority of the 127 violations found by NERC have been classified as “moderate” or “medium,” but 13 have been described as “serious.” The agency’s assessment says the violations “collectively posed a serious risk to the security and reliability of the BPS.”

“The companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections,” NERC explained.

The list of issues that were individually classified as “serious” includes improperly configured firewalls and intrusion detection systems; failure to implement proper physical access controls; failure to install available software patches for months and even years; failure to implement security event monitoring; shared passwords, default accounts and other account management issues; failure to develop and maintain accurate baseline configurations; security risks introduced by the use of transient cyber assets (i.e. temporarily connected systems used for data transfers, maintenance or vulnerability assessment); and failure to protect bulk electric system (BES) information.

The lack of managerial oversight, lack of internal controls, deficient processes and inadequate training have been cited as the causes for many of these issues. NERC claims that while some of these violations have been addressed, others are currently ongoing.

“I think the cyber security of the North American Bulk Electric System is very good, and that is in large part due to the CIP standards,” Tom Alrich, who provides cyber risk management and NERC CIP consulting services, said in a blog post. “But there is a big problem with CIP […]: The requirements don’t follow a risk-based approach, in which the entity first identifies the most serious cyber security risks they face, as well as the most important systems that needed to be protected. This would allow NERC entities to allocate their scarce cyber security resources toward mitigation of the biggest risks, and to the systems that most need to be protected.”

Advertisement. Scroll to continue reading.

Last year, NERC announced a $2.7 million fine for another energy firm, but that fine was mainly related to one data security incident that resulted in the exposure of critical systems. While the agency did not name the targeted company, it was widely believed to be California-based Pacific Gas and Electric (PG&E).

Related: NERC Names Bill Lawrence as VP, Chief Security Officer

Related: U.S. Energy Department Invests Another $28 Million in Cybersecurity

Related: Cyberattacks Against Energy Sector Are Higher Than Average

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

Cloud and cybersecurity MSP Ekco has appointed Ben Savage as UK CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.