A US energy company, identified by some media sources as Duke Energy, recently received a $10 million fine from the North American Electric Reliability Corp. for repeated violations of critical infrastructure protection (CIP) reliability standards.

The record-breaking fine was announced by NERC last week, but the notice of penalty has been heavily redacted since then to not disclose the name of the targeted company. The Wall Street Journal and E&E News have reported that it was the North Carolina-based Duke Energy, one of the nation’s largest, with 7.6 million customers in six states. The previous record for NERC security violations was $2.7 million issued to San Francisco-based utility Pacific Gas & Electric Co. last year.

NERC’s 250-page filing cites 127 violations between 2015 and 2018. The majority of these violations have been classified by NERC as “moderate” or “medium”, but 13 have been classified as “serious”. NERC claims many of the violations involved long durations, recurring instances of non-compliance, and repeated failures to properly implement physical and cybersecurity protections.

NERC stated, “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact BES [bulk electric system] cyber systems.”

NNT Change Tracker Gen7 R2 has an intelligent change control system that recognizes changes deviating from your initial baseline and alerts you through the dashboard or by email. Once a change has been reviewed it can, at the most basic level, simply be acknowledged, with the reason for the change recorded alongside it.

There is an advanced option to create an Intelligent Planned Change for changes that only need to be reviewed once, on a single representative device. An Intelligent Planned Change is Change Tracker’s way of learning about regular or repeated changes, such as Windows Updates, that you want to be approved automatically when the same change is later detected on other devices or on future occasions. In other words, the baseline is updated and monitored for all devices automatically and in real time, cutting out the overwhelming “change noise” so that attention goes to genuinely suspicious activity.
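To make the baseline-and-planned-change workflow concrete, here is an added example in Python. It is not NNT’s code and does not reflect how Change Tracker is implemented; it models the idea described above: a per-device baseline of file hashes and configuration settings, detection of every deviation, a planned-change rule learned from one reviewed device that auto-approves the identical change elsewhere, and an audit record for the changes an analyst acknowledges by hand. The device names, paths, settings and file contents are constructed sample data.

```python
"""Baseline change control with planned-change rules (added example, not NNT code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def fingerprint(content: bytes) -> str:
    """The baseline stores a SHA-256 of each file, not the file itself."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Change:
    device: str
    item: str               # file path or "section:setting" key
    before: Optional[str]   # None when the item is new
    after: Optional[str]    # None when the item was removed


@dataclass
class ChangeTracker:
    baselines: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # A planned change is keyed on what changed and how, so the same
    # transition on any device is recognised without re-review.
    planned: Set[Tuple[str, Optional[str], Optional[str]]] = field(default_factory=set)
    audit: List[dict] = field(default_factory=list)   # who approved what, and why

    def baseline(self, device: str, snapshot: Dict[str, str]) -> None:
        self.baselines[device] = dict(snapshot)

    def detect(self, device: str, snapshot: Dict[str, str]) -> List[Change]:
        """Every attribute that differs from the device's baseline."""
        base = self.baselines[device]
        return [
            Change(device, item, base.get(item), snapshot.get(item))
            for item in sorted(set(base) | set(snapshot))
            if base.get(item) != snapshot.get(item)
        ]

    def triage(self, device: str, snapshot: Dict[str, str]):
        """Split deviations into auto-approved (baseline updated) and needs-review."""
        approved, review = [], []
        for c in self.detect(device, snapshot):
            if (c.item, c.before, c.after) in self.planned:
                approved.append(c)
                self._apply(c)
                self.audit.append({"change": c, "reason": "planned change rule"})
            else:
                review.append(c)
        return approved, review

    def approve_planned(self, c: Change, reason: str) -> None:
        """Analyst reviewed this change once; learn it as a rule for all devices."""
        self.planned.add((c.item, c.before, c.after))
        self.acknowledge(c, reason)

    def acknowledge(self, c: Change, reason: str) -> None:
        """One-off acknowledgement: the baseline moves and the reason is recorded."""
        self._apply(c)
        self.audit.append({"change": c, "reason": reason})

    def _apply(self, c: Change) -> None:
        base = self.baselines[c.device]
        if c.after is None:
            base.pop(c.item, None)
        else:
            base[c.item] = c.after


OLD_KERNEL = fingerprint(b"kernel build 1001")   # constructed file content
NEW_KERNEL = fingerprint(b"kernel build 1002")


def run_demo() -> dict:
    tracker = ChangeTracker()
    # Constructed baseline shared by three field devices.
    base = {"/boot/vmlinuz": OLD_KERNEL, "sshd:PermitRootLogin": "no", "ntp:server": "10.0.0.5"}
    for dev in ("rtu-01", "rtu-02", "rtu-03"):
        tracker.baseline(dev, base)

    # A vendor patch replaces the kernel on rtu-01; the analyst reviews it once
    # and records it as a planned change (change-request id is a placeholder).
    patched = {**base, "/boot/vmlinuz": NEW_KERNEL}
    _, review = tracker.triage("rtu-01", patched)
    for c in review:
        tracker.approve_planned(c, "vendor kernel patch, CR-PLACEHOLDER")

    # The same patch on rtu-02 matches the rule and is approved without noise.
    approved2, review2 = tracker.triage("rtu-02", patched)

    # rtu-03 received the patch and an unexpected hardening regression: only
    # the regression is surfaced for review, and the baseline does not absorb it.
    drifted = {**patched, "sshd:PermitRootLogin": "yes"}
    approved3, review3 = tracker.triage("rtu-03", drifted)
    return {
        "rtu-02": (len(approved2), len(review2)),
        "rtu-03": ([c.item for c in approved3], [c.item for c in review3]),
        "rtu-03-kernel-in-baseline": tracker.baselines["rtu-03"]["/boot/vmlinuz"] == NEW_KERNEL,
        "rtu-03-sshd-in-baseline": tracker.baselines["rtu-03"]["sshd:PermitRootLogin"],
        "audit-entries": len(tracker.audit),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the NERC finding turns on is the last two return values: a deviation that nobody has reviewed never silently becomes the new baseline, and every accepted change carries a recorded reason, so an auditor can distinguish authorized changes from unauthorized ones.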

The list of violations classified as serious includes:

  • Failure to protect critical cyber asset (CCA) information
  • Failure to follow its change control and configuration management process. In three instances, software upgrades were deployed on a single CCA in the production environment without first being tested as required by the change control process
  • Failure to maintain annual cybersecurity training for some employees with electronic or physical access to CCAs
  • Failure to revoke former employees’ and contractors’ electronic access rights in a timely manner
  • Failure to implement physical access controls to limit unescorted access to the physical security perimeter (PSP) and failing to document all required information in visitor logbooks
  • Failure to change passwords on an annual schedule and failing to change factory default passwords for remotely accessible BES cyber assets
  • Failure to monitor electronic security perimeter (ESP) inbound and outbound communications and to restrict inbound electronic access to ESPs
  • Allowing individuals improper electronic access to CIP-protected information
  • Improperly configured routers that prevented monitor server logs from being sent to the security incident and event management (SIEM) device
  • Firewalls were configured to allow external remote access to sensitive systems without first going through an intermediate system, using encryption or requiring multi-factor authentication
  • Repeated failures to adhere to cybersecurity testing procedures, including deficient testing on software upgrades and failures to implement security patch programs

NERC cited a “lack of managerial oversight, lack of internal controls, deficient processes and inadequate training” as the causes for many of these issues. Some of these violations have already been addressed; others are still ongoing.

In addition to the hefty fine, the settlement includes mitigating ongoing violations and facilitating future compliance. The company has also agreed to boost senior leadership involvement with security, create a centralized CIP oversight department, and conduct annual compliance drills.

Copyright 2019, New Net Technologies LLC. All rights reserved. 