Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

U.S. Energy Firm Fined $10 Million for Security Failures

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

A US energy company, identified by some media reports as Duke Energy, received a $10 million fine from the North American Electric Reliability Corporation (NERC) for nearly 130 violations of the Critical Infrastructure Protection (CIP) standards.

The record fine was announced by NERC last week. The agency has published a heavily redacted document that does not disclose the name of the targeted company, but E&E News and The Wall Street Journal reported that it was North Carolina-based Duke Energy, one of the largest electric power companies in the United States.

NERC’s CIP reliability standards describe the requirements for physical and cyber security for operators of North America’s bulk power system (BPS).

Energy firm fined for security failuresAccording to NERC’s notice of penalty, the organization has reached a settlement with the offending energy firm. In addition to the $10 million fine, which the company has agreed to pay, the settlement includes mitigating ongoing violations and facilitating future compliance.

A vast majority of the 127 violations found by NERC have been classified as “moderate” or “medium,” but 13 have been described as “serious.” The agency’s assessment says the violations “collectively posed a serious risk to the security and reliability of the BPS.”

“The companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections,” NERC explained.

The list of issues that were individually classified as “serious” includes improperly configured firewalls and intrusion detection systems; failure to implement proper physical access controls; failure to install available software patches for months and even years; failure to implement security event monitoring; shared passwords, default accounts and other account management issues; failure to develop and maintain accurate baseline configurations; security risks introduced by the use of transient cyber assets (i.e. temporarily connected systems used for data transfers, maintenance or vulnerability assessment); and failure to protect bulk electric system (BES) information.

The lack of managerial oversight, lack of internal controls, deficient processes and inadequate training have been cited as the causes for many of these issues. NERC claims that while some of these violations have been addressed, others are currently ongoing.

“I think the cyber security of the North American Bulk Electric System is very good, and that is in large part due to the CIP standards,” Tom Alrich, who provides cyber risk management and NERC CIP consulting services, said in a blog post. “But there is a big problem with CIP […]: The requirements don’t follow a risk-based approach, in which the entity first identifies the most serious cyber security risks they face, as well as the most important systems that needed to be protected. This would allow NERC entities to allocate their scarce cyber security resources toward mitigation of the biggest risks, and to the systems that most need to be protected.”

Advertisement. Scroll to continue reading.

Last year, NERC announced a $2.7 million fine for another energy firm, but that fine was mainly related to one data security incident that resulted in the exposure of critical systems. While the agency did not name the targeted company, it was widely believed to be California-based Pacific Gas and Electric (PG&E).

Related: NERC Names Bill Lawrence as VP, Chief Security Officer

Related: U.S. Energy Department Invests Another $28 Million in Cybersecurity

Related: Cyberattacks Against Energy Sector Are Higher Than Average

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...