Federal energy regulators have proposed fining two power utilities $1 million each for breaking more than two dozen grid security rules, according to a pair of penalty notices posted last week.
The announcement adds to a record year for power sector cybersecurity enforcement at the North American Electric Reliability Corp. (NERC), the nonprofit organization charged with setting and enforcing U.S. grid security requirements.
If formally approved, as is widely expected, the fines will bring NERC’s total penalty collections to $12.4 million so far this year, nearly triple the tally for all of 2018.
NERC’s critical infrastructure protection standards lay out detailed rules for restricting access to sensitive substations and control rooms, protecting "high-impact" computer systems and taking other security precautions.
The latest round of penalties came from audits led by the Federal Energy Regulatory Commission, which has the final say over NERC’s standards and signs off on any fines.
Several violations at the two unnamed utilities posed "serious" risks to the reliability of the bulk power grid, according to the notices.
For instance, the first utility neglected to extend malware protection to eight vital computer systems, while the second lacked any way "to deter, detect, or prevent malicious code" from infecting similarly important networks.
Both entities also failed to cap login attempts on vital cyber assets, meaning an attacker could keep trying common username and password combinations until one worked.
Auditors apparently did not find evidence that either utility had been breached by hackers, insider threats or other attackers, although both reports are heavily redacted for security reasons.
The second utility would have had a hard time uprooting any actual cyber intrusion, given that it "did not implement a process to log events for the identification of, and after-the-fact investigations of, cyber security incidents" across swaths of its network.
New NERC leadership
The latest fines arrive as NERC has shaken up its top leadership.
Last week, the grid overseer’s chief financial and administrative officer, Scott Jones, resigned. The organization’s general counsel and one-time acting CEO Charlie Berardesco separately announced plans to step down on Aug. 31.
NERC President and CEO Jim Robb has made cybersecurity a priority for the nonprofit since taking the reins from Berardesco last April, shifting millions of dollars to the Electricity Information Sharing and Analysis Center, NERC’s hub for getting the word out about hacking threats. He also oversaw a record-setting $10 million cybersecurity fine handed down to Duke Energy Corp. earlier this year for violations dating back to 2015 (Energywire, Feb. 1).
"NERC has been roasted in FERC audits, IG audits, and even congressional testimony for being too lax on the industry and not issuing serious penalties," said Patrick Miller, managing partner at Archer Energy Solutions. "The new CEO may be making some changes."
Miller said he was not surprised to see escalating security penalties from NERC. "We’re past the learning stage and most of this should be already implemented and well-oiled," he said.
Auditors pointed to a few "mitigating factors" in the million-dollar fines, including the utilities’ openness throughout the yearslong process of conducting site visits, leading interviews and collecting security documentation.
Federal regulators cited "organizational weaknesses" as the most common culprit behind the violations, adding that the utilities had since addressed the weaknesses and laid plans to prevent repeat compliance breakdowns.
Tyson Slocum, energy program director at the public interest watchdog Public Citizen and a critic of the current FERC/NERC oversight system, has pushed regulators to be more transparent about the identities of large utilities that break security rules. Grid officials and utility industry trade groups have countered that revealing the names of penalty recipients could expose them to hackers.
"It really seems like the utility industry is screwing up with too much frequency," Slocum said. "I don’t think that NERC has a good handle on it, and I don’t think that the utilities are showing that they can be trusted with self-regulation."