An energy company is facing a $10 million fine from the North American Electric Reliability Corporation (NERC) for 127 violations of Critical Infrastructure Protection (CIP) standards.
The record fine was announced by NERC last week. The agency published a document that does not disclose the name of the targeted company; however, security sources at the ARC Advisory Group Conference in Orlando, FL said the energy company was North Carolina-based Duke Energy.
NERC’s CIP reliability standards describe the requirements for physical and cyber security for operators of North America’s bulk power system (BPS).
The organization reached a settlement with the offending energy firm, according to the NERC document. In addition to the $10 million fine, which the company has agreed to pay, the settlement includes mitigating ongoing violations and facilitating future compliance.
A majority of the 127 violations were classified as “moderate” or “medium,” but 13 were described as “serious.” The agency’s assessment said the violations “collectively posed a serious risk to the security and reliability of the BPS.”
The violations were discovered during CIP Compliance Audits and through self-reports the companies submitted from 2015 through 2018.
The document identifies the following contributing causes:
• Lack of management engagement, support, and accountability relating to the CIP compliance program
• Disassociation of compliance and security, which resulted in a deficient program and program documents, a lack of implementation, and ineffective oversight and training
• Organizational silos in the form of a lack of communication between management levels within the companies, which contributed to a lack of awareness of the state of security and compliance
• Organizational silos across business units that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices
The violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of them involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections, NERC said in the document.
The list of issues classified as “serious” includes improperly configured firewalls and intrusion detection systems; failure to implement proper physical access controls; failure to install available software patches for months and even years; failure to implement security event monitoring; shared passwords, default accounts and other account management issues; failure to develop and maintain accurate baseline configurations; security risks introduced by the use of transient cyber assets (i.e. temporarily connected systems used for data transfers, maintenance or vulnerability assessment); and failure to protect bulk electric system (BES) information.
NERC said some of the violations have been addressed, while others are still ongoing.