US Electricity Giant Fined $10 Million for Cybersecurity Lapses

The North American Electric Reliability Corporation has imposed a $10 million fine – its largest ever for cybersecurity violations – on Duke Energy, one of the largest power companies in the United States.

The North American Electric Reliability Corporation (NERC) has recommended a $10 million fine on an unidentified utility for repeated violations of critical infrastructure protection (CIP) reliability standards.

Energywire and The Wall Street Journal reported that the unnamed utility was Duke Energy, one of the largest in the US, with 7.6 million retail electric customers in six states.

In a Notice of Penalty filed Jan. 25, NERC cited 127 violations between 2015 and 2018.

“The 127 violations collectively posed a serious risk to the security and reliability of the [bulk power system]. The companies’ violations of the CIP reliability standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cybersecurity protections,” NERC said. “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact BES [bulk electric system] cyber systems.”

[Source: RTO Insider]