The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret.
Editor’s Note: Updated to include reports that Duke Energy was the target of the NERC fine. February 4, 2019 -PFR
In a 250 page regulatory filing, NERC fined undisclosed companies belonging to a so-called “Regional Entity” $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.’s main cyber security standard for critical infrastructure including the electric grid.
Subsequent, public reports citing unnamed energy industry sources have identified Duke Energy Corp. as the subject of the fines. The Security Ledger has not been able to independently confirm this and Duke Energy has not publicly commented on the reports.
Thirteen of the violations listed were rated as a “serious risk” to the operation of the Bulk Power System and 62 were rated a “moderate risk.” Together, the “collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System),” NERC wrote.
Warnings about cyber threat to grid
The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia’s use of cyber attacks to cause social disruptions, citing that country’s campaign against Ukraine’s electric infrastructure in 2015 and 2016.
The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers.
Absence of security controls
However, details in the report provide some insight into the fines. For example, violations of a CIP statue that requires companies to “manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter” is rated a serious risk. So too are violations of CIP requirements calling for covered entities to “implement and document” access controls for “all electronic access points to the Electronic Security Perimeter(s).” Specific requirements that were violated suggest that the companies failed to implement access controls that “denies access by default,” “enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter,” and ensure the authenticity of parties attempting to remotely access the company’s “electronic security perimeter.”
NERC recognizes just seven Regional Entities in the U.S.: the Florida Reliability Coordinating Council (FRCC), the Midwest Reliability Organization (MRO), the Northeast Power Coordinating Council (NPCC), ReliabilityFirst (ReliabilityFirst), SERC Reliability Corporation (SERC). Texas Reliability Entity (Texas RE) and Western Electricity Coordinating Council (WECC).
NERC said it was following established policy by redacting both the name of the companies who were being cited and fined, but also information about their systems and operations. “As the Commission has previously recognized, information related to CIP violations and cyber security issues, including the identity of the registered entity, may jeopardize BPS security, asserting that “even publicly identifying which entity has a system vulnerable to a ‘cyber attack’ could jeopardize system security, allowing persons seeking to do harm to focus on a particular entity in the Bulk-Power System,” NERC wrote in its report.
The fine is by far the largest meted out for violations of the CIP standards. “This adds another decimal place to the previous largest fine” so far for violations of CIP standards, said Tom Arlich, an independent cyber risk management consultant who works in the electricity sector, in a blog post that was the first to call attention to the fine.
“I imagine this figure, being the smallest possible eight-digit amount, was deliberately chosen for its ability to strike terror into the hearts of utility compliance folks nationwide,” he wrote in the post.
The extensive 250-page public document announcing the penalty is only part of the official 700-page NERC Notice of Penalty, Aldrich noted.
But Joe Weiss, a noted expert on the cyber security of critical infrastructure, said that the extensive redactions and secretiveness of the filing mean that the impact of the enforcement will be slight.
Weiss said that, even within the utility sector, little is know about which firms were the target of the enforcement action. And, because so little is known about which companies violated the CIP and the specific violations that resulted in the fines, the impact of the enforcement is less.
“What’s the message?” Weiss wondered aloud. “If we don’t know what they did wrong, how can you be sending a message?”
NERC CIP is a set of requirements designed to secure the assets required for operating North America’s electricity grid. The standards specify the minimum that must be done to protect bulk power systems operated in the United States, Canada and a part of Baja California in Mexico that fall under the jurisdiction of NERC, a nonprofit international regulatory authority whose responsibility is to safeguard the reliability of these systems.
“There are currently 11 enforceable CIP standards, covering topics like Systems Security Management and Backup and Recovery,” Arlich explained to Security Ledger Thursday. The standards themselves each contain between two and nine requirements, as well as sub-requirements, making them fairly complex in terms of compliance.
A modest fine the steepest yet
While the fine seems steep, they are far short of the maximum penalty for violating any CIP requirement. Fines of up to $1 million per day are permitted under the guidelines, “although no NERC fines have ever approached that level,” Arlich acknowledged.
The problems at the fined companies appear widespread. NERC cites a lack of management engagement and support for the CIP program; deficient documentation, training, and implementation of CIP standards; lack of communication between management levels in the company; and lack of communication between business units on who is responsible for which tasks, Arlich noted.
The NERC Notice of Penalty includes detailed and specific information of the numerous violations committed by the penalized company according to each standard violated. For instance, the company violated CIP-003-3-R6 when they “failed to follow their documented change control and configuration management process, in three instances,” according to the Notice of Penalty.
“In all three instances, software upgrades were deployed on a single CCA in the production environment without first being tested in accordance with the companies’ change control process,” according to the notice.
Commitment to CIP compliance
In addition to the fine, the companies agreed to a laundry list of improvements and mitigation efforts it would undertake to boost its compliance with the CIP. These include increasing senior leadership and oversight of CIP standards as well as forming a centralized CIP oversight department.
The fined companies committed to revising their corporate IT compliance program so that they meet CIP requirements as well as requiring each business unit to revise their procedures and controls so they follow the corporate IT program, among other mitigation steps, Arlich wrote, adding that any utility also could “benefit from at least a few of these same practices.”
Critical infrastructure stakeholders in North America do have particular reason to worry about cybersecurity, which is why compliance with CIP standards should be a priority, industry watchers said. Evidence shows that state-sponsored actors from China, Iran and Russia have been persistently targeting critical infrastructure in the United States, and these attacks will likely worsen in the future.
In late 2017, the FBI and DoJ released a joint report outlining recent sophisticated attacks targeting the U.S. energy grid and critical infrastructure, tying third-party firms and web sites trying to gain access to energy and other critical infrastructure networks to a Russian hacking group.
Increased use of the Internet of Things (IoT) also is putting critical infrastructure at greater risk of attack, according to a report released last year, as well as strained political relations with and sanctions against Iran, which officials believe could prompt retaliation in the form of cyberattacks against U.S. utilities.
Paul Roberts contributed to this report.