April 12, 2019

Major utilities sanctioned for cybersecurity violations

Recent disclosures revealed the identities of major utilities sanctioned for a total of $12.9 million for cybersecurity violations, including Pacific Gas & Electric Corp. (PG&E), the nation’s largest utility, and two other large utilities, Duke Energy Corp. (Duke) and DTE Energy Co. (DTE). The disclosures are unusual because the policy of the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) is to protect a violator’s identity in order to promote self-reporting and not to reveal vulnerabilities. Under this policy, violator names ordinarily remain confidential, unless they are leaked or must be disclosed pursuant to a Freedom of Information Act (FOIA) request.

NERC has issued mandatory Critical Infrastructure Protection (CIP) standards that apply to users, owners, and operators of the bulk-power system. These standards cover:

incident reporting;
response planning;
critical cyber asset identification;
personnel and training; and
physical and digital security systems and management.

Violation of the standards subjects the violator to potential sanctions. The recent disclosures identified Duke as the entity that faced a $10 million penalty for close to 130 violations of the CIP standards. A FOIA disclosure revealed violations by PG&E. The company faced sanctions for conduct in 2014 and 2016 that resulted in $1.2 million in fines for CIP violations. DTE agreed to pay $1.7 million in 2016 to settle 36 CIP violations. The apparent cybersecurity failings of these major utilities has led to fresh questions about the electric grid’s vulnerability and the policy of not disclosing the identities of violators.

NERC notice of penalty | FOIA request