A US energy company, identified by some media sources as Duke Energy, recently received a $10 million fine from the North American Electric Reliability Corp. (NERC) for repeated violations of critical infrastructure protection (CIP) reliability standards.
The record-breaking fine was announced by NERC last week, but the notice of penalty has been heavily redacted so as not to disclose the name of the company. The Wall Street Journal and E&E News have reported that it was the North Carolina-based Duke Energy, one of the nation’s largest utilities, with 7.6 million customers in six states. The previous record for NERC security violations was $2.7 million, issued to San Francisco-based utility Pacific Gas & Electric Co. last year.
NERC’s 250-page filing cites 127 violations between 2015 and 2018. The majority of these violations have been classified by NERC as “moderate” or “medium”, but 13 have been classified as “serious”. NERC claims many of the violations involved long durations, recurring instances of non-compliance, and repeated failures to properly implement physical and cybersecurity protections.
NERC stated, “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact BES [bulk electric system] cyber systems.”
NNT Change Tracker Gen7 R2 has an intelligent change control system that recognizes changes deviating from your initial baseline and alerts you through the dashboard or by email. Once a change has been reviewed, at the most basic level it can simply be acknowledged, with the reason for the change appended.
There is an advanced option to create an Intelligent Planned Change for changes that only need to be reviewed once, on just one representative device. An Intelligent Planned Change is Change Tracker’s unique way of learning about regular or repeated changes, like Windows Updates, that you want to be automatically approved when detected on other devices or on future occasions. In other words, the baseline is automatically updated and monitored for all devices in real time, cutting out the overwhelming “change noise” so that attention stays on genuinely suspicious activity.
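To make the baseline-deviation and planned-change idea concrete, here is an added example (not NNT code, and not part of the original post) that fingerprints configuration items per device, reports deviations from the baseline as unreviewed, and, once a reviewer approves a change on one representative device, auto-approves the identical change on every other device. The device names, item names and patch identifiers are constructed sample data.

```python
import hashlib

# Constructed sample baselines for two devices built to the same approved image.
# Each configuration item maps to the content the baseline records for it.
BASELINE = {
    "rtu-01": {"patch_level": "patch-2019-04", "listening_ports": "22,443"},
    "rtu-02": {"patch_level": "patch-2019-04", "listening_ports": "22,443"},
}


def fingerprint(content: str) -> str:
    """Hash an item's content so only a digest is stored and compared."""
    return hashlib.sha256(content.encode()).hexdigest()


class ChangeTracker:
    """Compares live configuration against per-device baselines and applies
    planned-change rules learned from a single reviewed change."""

    def __init__(self, baseline):
        self.baseline = {dev: {k: fingerprint(v) for k, v in items.items()}
                         for dev, items in baseline.items()}
        self.planned = set()  # (item, digest) pairs approved for all devices

    def scan(self, device, live):
        """Return {item: status} for every item that deviates from the baseline.
        Status is 'auto-approved' (baseline updated), 'unreviewed' or 'removed'."""
        result = {}
        for item, content in live.items():
            digest = fingerprint(content)
            if self.baseline[device].get(item) == digest:
                continue  # matches baseline: no change to report
            if (item, digest) in self.planned:
                self.baseline[device][item] = digest  # known planned change
                result[item] = "auto-approved"
            else:
                result[item] = "unreviewed"  # unexpected: needs human review
        for item in self.baseline[device].keys() - live.keys():
            result[item] = "removed"  # item present in baseline but gone live
        return result

    def approve_planned(self, device, item, content, reason):
        """A reviewer accepts the change once; it then applies to all devices."""
        digest = fingerprint(content)
        self.baseline[device][item] = digest
        self.planned.add((item, digest))
        return f"{device}:{item} approved ({reason})"
```

A change that is not on the planned list, such as a new listening port, keeps surfacing as unreviewed until someone deals with it, which is the distinction the CIP change-control requirement is after.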
The list of violations classified as serious includes:
- Failure to protect critical cyber asset (CCA) information
- Failure to follow its change control and configuration management process. In three instances, software upgrades were deployed on a single CCA in the production environment without first being tested as required by the change control process
- Failure to maintain annual cybersecurity training for some employees with electronic or physical access to CCAs
- Failure to revoke former employees’ and contractors’ electronic access rights in a timely manner
- Failure to implement physical access controls to limit unescorted access to the physical security perimeter (PSP) and failure to document all required information in visitor logbooks
- Failure to change passwords on an annual schedule and failure to change factory default passwords for remotely accessible BES cyber assets
- Failure to monitor electronic security perimeter (ESP) inbound and outbound communications and to restrict inbound electronic access to ESPs
- Allowing individuals improper electronic access to CIP-protected information
- Improperly configured routers that prevented monitored server logs from being sent to the security incident and event management (SIEM) device
- Firewalls configured to allow external remote access to sensitive systems without first going through an intermediate system, using encryption or requiring multi-factor authentication
- Repeated failures to adhere to cybersecurity testing procedures, including deficient testing on software upgrades and failures to implement security patch programs
NERC cited a “lack of managerial oversight, lack of internal controls, deficient processes and inadequate training” as the causes of many of these issues. Some of these violations have already been addressed, while others are still ongoing.
In addition to the hefty fine, the settlement includes mitigating ongoing violations and facilitating future compliance. The company has also agreed to boost senior leadership involvement with security, create a centralized CIP oversight department, and conduct annual compliance drills.