- Duke Energy was fined $10 million by the North American Electric Reliability Corporation (NERC) for security violations between 2015 and 2018 regarding critical infrastructure assets, multiple news organizations reported last week.
- Duke has agreed to pay the fine. Its identity is redacted from NERC's public Jan. 25 filing with FERC, but was confirmed by E&E News and The Wall Street Journal on Friday.
- The 127 security violations, including critical cyber assets, were largely self-reported by the utility and caused by lack of managerial oversight, process deficiencies, inadequate training and lack of internal controls. While the safety violations "posed a serious risk to the security and reliability" of the bulk power system, it is not clear if hackers ever gained access to the utility's power system.
Grid modernization poses a "potential cyber vulnerability" due to the new lines of attack opened by grid interconnection, according to a recent Deloitte report that concluded the primary drivers for increasing utility cybersecurity risks are nation states, organized crime and disgruntled employees.
Hackers are beginning to target industrial control systems more frequently, blurring the line between physical and cyber attacks, Deloitte reported.
"[T]he Companies are focusing on key risk areas, including patching, identifying deficiencies, and strategies for continuously improving the Companies' security posture and program sustainability," the public NERC filing stated.
To address the safety rule violations, the settlement with NERC stipulates companies will increase specified training, oversight, restructuring of roles and addition of management and compliance tools.
"Duke Energy makes cyber security a top priority and is strongly committed to comprehensive, multi-layered cyber security measures designed to protect power plants and the electric grid," Dave Scanzoni, Duke spokesperson, told Utility Dive via email.
NERC told Utility Dive it does not discuss enforcement actions. The electric reliability organization (ERO) filed a redacted (public) and private version of the settlement and notice of penalty with FERC, which will have final approval of penalties.
Disclosures could pose physical and cybersecurity risks to the industry, Scanzoni said, and it is against the utility's policy to "comment on any enforcement filings" to FERC by NERC.
"Penalties are commensurate with the risk presented by the violations. Security of the bulk power system is a key priority for the ERO Enterprise," Kimberly Mielcarek, senior director of communications at NERC told Utility Dive via email.