NERC Issues $10M Fine for Security Lapses
By Rich Heidorn Jr.
NERC has recommended a $10 million fine on an unidentified utility for repeated violations of critical infrastructure protection (CIP) reliability standards over more than three years that exposed a “lack of management engagement, support and accountability.”
In a Notice of Penalty filed Jan. 25, NERC cited 127 violations between 2015 and 2018 (52 posing “minimal” risk, 62 “moderate” and 13 “serious”). While most of the violations were self-reported, others resulted from compliance audits.
Although many of the details were redacted as critical energy/electric infrastructure information (CEIl), the document refers to “companies” and “regional entities” in the plural, suggesting a large, multistate utility was involved.
“The 127 violations collectively posed a serious risk to the security and reliability of the [bulk power system]. The companies’ violations of the CIP reliability standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cybersecurity protections,” NERC said. “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact [bulk electric system] cyber systems.”
The notice cited as contributing causes “disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training.”
It also criticized “organizational silos” illustrated by a lack of communication between management levels and “a lack of awareness of the state of security and compliance.”
There were also silos across business units “that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices,” NERC said.
In a settlement, the companies agreed to pay the fine and to improve their performance by increasing senior leadership involvement and oversight; creating a centralized CIP oversight department; and restructuring roles to focus on standards, enterprise oversight, enterprise CIP tools, compliance metrics and regulatory interactions. They also agreed to conduct industry surveys and benchmark discussions to develop best practices.
The companies also agreed to invest in enterprise-wide tools for asset and configuration management, visitor logging, access management, configuration monitoring and vulnerability assessments; increase training; and institute annual compliance drills.
NERC said the penalty was based on the companies’ “repeat noncompliance” and “deficient” compliance program, mitigated by the lack of evidence of any attempt to conceal the violations. The settlement and fines are subject to approval by FERC.
