Pacific Gas & Electric, DTE Energy and City Utilities of Springfield, Missouri, have been sanctioned for violating critical infrastructure protection rules designed to protect the country's electric system from cyber and physical attacks, the Wall Street Journal reported, citing newly release documents.
The violations, recorded from 2014 to 2016, coincided with a Russian campaign attempting to infiltrate American utility defenses, the report said citing federal officials.
In February, the North American Electric Reliability Corporation (NERC) fined Duke Energy $10 million, the largest cybersecurity-related penalty for a utility in history. The violations have led to questions about the regulatory system that encourages self-disclosure by utilities.
Boosting the resiliency of the U.S. energy sector is an issue of national security. And while utilities and regulators state their desire to improve cyber defense capabilities, repeated violations by some of the country's biggest players have raised questions about the integrity of those efforts, as well as their enforcement.
The San Francisco-based PG&E was also involved in a separate case in which it broke the same critical infrastructure protection rules, along with Detroit's DTE Energy, the report said, citing newly released documents and people familiar with the cases.
Issuing sanctions for security violations is not uncommon, about 250 penalty cases have been filed against U.S. utilities for failing to protect critical infrastructure in the past decade. However, due to the regulatory system's design, only few violators have been publicly identified by the Federal Energy Regulatory Commission (FERC).
The agency tries to keep names of the companies confidential to encourage self-disclosure within the industry.
"The confidentiality of the violation reporting process promotes self-reporting," PG&E spokesperson Jason King told Utility Dive in an email.
Though well intentioned, the current regulatory system appears to fall short of its goal. David Ortiz, deputy director of FERC's Office of Electric Reliability, told the Wall Street Journal that even though cyberattacks happen in large numbers, utilities almost never report successful breaches.
"In an average day, WAPA's firewalls are pinged nearly 200,000 times by suspicious or potentially damaging events," Mark Gabriel, administrator and CEO of Western Area Power Administration (WAPA), said during a recent cybersecurity conference.
In February, Duke Energy was fined $10 million by NERC for security violations between 2015 and 2018, it was the largest cybersecurity-related penalty in history. Shortly after, Duke Energy filed a request for approval with FERC in which it seeks to recover $137.4 million in capital investments from ratepayers for its cybersecurity program.
Advocacy group Public Citizen filed a protest with FERC over the timing of Duke's rate-recovery request. In addition to seeking clarity, the watchdog group wants FERC to scrutinize such requests more closely, especially given Duke's track record when it comes to the oversight of its cybersecurity initiatives, Tyson Slocum, director of Public Citizen's Energy Program, told Utility Dive last week.
Despite having incurred over $1.2 million in fines for two separate security violations in 2014 and 2016, PG&E said its cybersecurity measures are "robust and consistent with the best practices being employed in the industry."
The California investor-owned utility did not want to respond to Tuesday's report as "any comment on non-public NERC CIP violations may jeopardize national security by exposing potential grid vulnerabilities," according to King.