Recent disclosures revealed the identities of major utilities sanctioned for a total of $12.9 million for cybersecurity violations, including Pacific Gas & Electric Corp. (PG&E), the nation’s largest utility, and two other large utilities, Duke Energy Corp. (Duke) and DTE Energy Co. (DTE). The disclosures are unusual because the policy of the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) is to protect a violator’s identity, both to promote self-reporting and to avoid revealing vulnerabilities. Under this policy, violator names ordinarily remain confidential unless they are leaked or must be disclosed pursuant to a Freedom of Information Act (FOIA) request.
NERC has issued mandatory Critical Infrastructure Protection (CIP) standards that apply to users, owners, and operators of the bulk-power system. These standards cover:
- incident reporting;
- response planning;
- critical cyber asset identification;
- personnel and training; and
- physical and digital security systems and management.