Electric Industry Leads U.S. in Cybersecurity Protections
But is it enough?
The North American Electric Reliability Corp. (NERC) issued $9.2 million in fines for violations of its cybersecurity rules between 2008 and October 2012, half of all fines issued over that period.

Violations of NERC’s Critical Infrastructure Protection (CIP) rules were involved in six of the top 10 penalties, including a $725,000 fine in October.

At a time when Congress has been unable to agree on cybersecurity legislation to protect the rest of the U.S. economy, there’s no doubt that NERC and the Federal Energy Regulatory Commission take the cyber threat seriously.

[Bar graph: NERC reliability violations]

The industry has come a long way in the three years since I was sitting in on NERC audits as a member of the FERC enforcement staff. The new CIP rules approved by FERC last week will cover more assets and add more controls. They’ll no doubt be good for the business of IT consultants. Regulated utilities that are allowed to put the costs in rate base will be more than happy to spend the money.

But will it be enough to prevent the potential for what former Defense Secretary Leon Panetta called a “cyber Pearl Harbor”?

While Congress gave FERC authority to issue fines of up to $1 million per day per violation, the fines issued to date have been puny relative to the earnings of the companies involved — less than one-tenth of one percent of the companies’ net income (see table).

[Chart: CIP violators]

Meanwhile, a decision by NERC and FERC to stop disclosing the identities of CIP violators — so as not to expose the violators’ vulnerabilities — has removed any reputational risk that companies might fear. Since September 2011, virtually none of those penalized for CIP violations has been named.

In announcing the new CIP rules last week, FERC commissioners stressed that they want to emphasize compliance over punishment. That’s a reasonable approach, especially when the rules are new.

But if there is no reputational risk and the financial penalties are not material, don’t be surprised if some companies decide that it’s better business to cut corners on cybersecurity.

Rich Heidorn Jr. 
