Duke agreed to pay record fine for lax security — sources

By Blake Sobczak, Peter Behr | 02/01/2019 07:06 AM EST

Duke Energy Corp.'s 618-megawatt Edwardsport integrated gasification combined cycle (IGCC) plant is pictured. According to industry sources, Duke agreed to pay a $10 million fine to settle 127 violations of security standards.

Duke Energy Corp.'s 618-megawatt Edwardsport integrated gasification combined cycle (IGCC) plant is pictured. According to industry sources, Duke agreed to pay a $10 million fine to settle 127 violations of security standards. Duke Energy

Duke Energy Corp. agreed to pay a record $10 million fine from regulators to settle 127 violations of security standards meant to protect the electric grid from catastrophic outages, according to multiple industry sources.

The North American Electric Reliability Corp., which sets and enforces grid security rules, said utilities that sources identified as being owned by the Charlotte, N.C.-based electric power holding company committed the alleged physical and cybersecurity violations over four years.

Regulators had chosen to keep Duke’s identity a secret for security reasons, given the potential for Duke to uncover additional gaps in its defenses as it completes a required overhaul of its process for fending off hackers and other threats of sabotage. Industry sources credited Duke for having shored up its security program in recent years, so E&E News is disclosing the utility’s identity.


The fine is more than triple the previous record for NERC security violations, a $2.7 million penalty issued to San Francisco-based utility Pacific Gas & Electric Co. last year. In that case, sources confirmed that PG&E left sensitive grid schematics exposed to the public internet for 10 weeks in 2016, a cybersecurity lapse that was only uncovered and fixed when a "white hat" hacker tipped off the utility. Sources say NERC’s escalation to its first-ever eight-figure fine is likely to reverberate at other large utilities exposed to newfound cyber and regulatory risks.

The Federal Energy Regulatory Commission, which has final say over NERC enforcement actions and security standards, could opt to intervene in the settlement by the end of this month. But sources say FERC is expected to sign off on the penalty.

The finding that Duke spent years ignoring rules designed to keep hackers out of equipment serving more than 7 million electricity customers is the latest setback for the utility. Duke faced criticism after Hurricane Florence swept across the Southeast last fall and threatened to cause the collapse of toxic coal ash dumps the utility had not fully secured.

Duke spokesman Dave Scanzoni would not comment yesterday on the latest enforcement action, citing company policy.

NERC declined to name the subject of the fine, citing security concerns. The grid regulator, which sets and enforces binding critical infrastructure protection (CIP) standards for the bulk power grid, said that the collective lapses, dating back to 2015, "posed a serious risk to the security and reliability" of the bulk power system.

NERC cited a "lack of management engagement, support, and accountability" at the organization, according to a 765-page dossier of dozens of incidents and company responses.

Disassociation of compliance and security, communication missteps, and "confusion" stemming from organizational silos also contributed to the security problems at multiple locations, NERC found.

"To address these causes, the Companies committed to additional measures, apart from mitigation activities, to help ensure the effectiveness and sustainability of the CIP compliance and security program," NERC said, citing boosts to senior leadership involvement with security, the creation of a centralized CIP oversight department and annual compliance drills, among other steps.

Duke is one of the biggest utility holding companies in the U.S., with commercial operations spanning six states at all nodes of the grid: generation, transmission and distribution.

The company has included cybersecurity and regulatory risks in annual filings with the Securities and Exchange Commission, noting that Duke utilities "face a heightened risk of cyberattack" and could "be subject to increased regulation, litigation and reputational damage."

None of the security problems reported to NERC or discovered during routine audits resulted in a power outage, grid authorities reported. But in several instances, improper patching, poor handling of "transient" electronic devices like laptops and other mishaps could have exposed critical grid networks to hackers or physical intruders (Energywire, Jan. 31). The problems were rooted in "cultural issues" at the group of companies, NERC said.

Independent utility consultant Earl Shockley, who did not identify the subject of the fine, said in an interview this week that he would be "fearful" of the overall culture at an organization facing a stiff penalty from NERC.

"If you’re not paying attention to regulatory compliance, how close are you paying attention to safety?" he asked.