Overview
A major utility has agreed to pay a record-setting $10 million fine to settle allegations by the North American Electric Reliability Corporation (NERC) for 127 cybersecurity code violations, which "collectively posed a serious risk to the security and reliability" of the bulk power system.[1] The fine is more than triple the previous record for NERC security violations, a $2.7 million penalty issued by the regulator last year. These penalties, combined with recent and expected rulemakings and mounting political pressure, send a clear message to utilities: get their cybersecurity systems in order or risk heavy penalties in addition to the exposure to cyberthreats.
According to NERC's January 25, 2019 Notice of Penalty explaining the facts and submitting the penalty to the Federal Energy Regulatory Commission (FERC), many of the utility's alleged violations involved "long durations, multiple instances of noncompliance, and repeated failures to implement physical and cybersecurity protections."[2] The reliability organization found that the utility's lack of management involvement was an "aggravating factor for penalty purposes."[3] The Notice of Penalty states that "management passively accepted the [c]ompanies' prior violations by creating and allowing a culture to exist that permitted [] systemic problems to continue for over five years."[4] NERC also found that the utility's "organizational silos" created a lack of communication between management levels and across business units, which contributed to the violations.[5]
In addition to paying the $10 million fine and implementing mitigation activities, the utility committed to costly additional measures "to help ensure the effectiveness and sustainability of [its Critical Infrastructure Protection (CIP)] compliance and security program" and "to support and assist staff in implementing a sustainable CIP compliance program."[6] According to the Notice of Penalty, these activities include:
- Increasing senior leadership involvement and oversight;
- Creating a centralized CIP oversight department and restructuring roles within that department;
- Conducting industry surveys and benchmark discussions to help develop best practices relating to sustainable security and compliance practices;
- Continuing to develop an in-house CIP program and talent development program;
- Investing in enterprise-wide tools relating to asset and configuration management, visitor logging, access management, and configuration monitoring and vulnerability assessments;
- Adding resources to help manage and implement compliance and security efforts;
- Instituting annual compliance drills; and
- Creating three levels of training (oversight training, awareness training for all staff, and performance training for staff implementing the security and compliance tasks).[7]
NERC's Notice of Penalty comes on the heels of FERC Order No. 850 that approved new mandatory Reliability Standards to bolster supply chain risk management protections for the bulk electric system.[8] The order requires medium-sized and large power companies to construct a system to flag vendor security incidents, employee terminations and vulnerabilities in contract services, coordinate incident responses with third parties and verify software integrity. Last summer, FERC also directed NERC to revise its Reliability Standards to develop enhanced cybersecurity incident reporting requirements. The goal of these requirements, which will require the reporting of cybersecurity incidents that compromise or attempt to compromise electronic security perimeters or associated electronic access control or monitoring systems, is to "improve awareness of existing and future cybersecurity threats and potential vulnerabilities."[9] FERC gave NERC six months to prepare and file the revised Reliability Standards.
The Trump administration also has taken a number of steps to address cyberthreats, including the creation of the Department of Energy's (DOE's) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) last year. DOE and FERC recently announced that they will co-host a technical conference on Security Investments for Energy Infrastructure to discuss security practices to protect energy infrastructure.[10]
The mounting political pressure on FERC and NERC to ramp up scrutiny of utilities' cybersecurity systems was apparent during last week's Senate Energy & Natural Resources Committee hearing on cybersecurity efforts in the energy industry.[11] In his testimony, FERC Chairman Chatterjee noted that "while I think both industry and government have made significant strides toward addressing this issue, I believe more work still needs to be done." He emphasized that compliance with mandatory standards is not enough—the industry also needs to take advantage of voluntary initiatives. Chairman Chatterjee reiterated previously expressed concerns about the security of natural gas infrastructure and the need for robust oversight, but stopped short of supporting mandatory standards for the natural gas industry. Despite current progress in the public and private sector, Senators seemed frustrated with the pace at which industry and regulators are tackling this issue, the lack of urgency and information sharing, and the existence of operational silos.
The government has made clear that industry needs to take cyberthreats seriously and that it will not hesitate to impose further regulation and use enforcement tools if necessary. But utilities need to go beyond compliance with mandatory standards and ensure proper systems, management involvement, training, communications, and continuous attention to reliability to prevent devastating attacks. Failure to do so not only leaves utilities more vulnerable but also increases the risk of adverse findings and higher penalties in any reliability investigation. Reliability expert Earl Shockley has even suggested that a major cyberattack on the grid "would shatter the ideal cybersecurity framework of private-sector accountability for maintaining security of this critical infrastructure" and "could result in the government expropriating grid security responsibilities and creating different levels of oversight to ensure reliability and resilience of the electric power grid."[12]
We will continue to monitor the government's response to these issues. As one of the first US law firms to begin practicing in the area of cybersecurity, Steptoe is a recognized pioneer in the field and, with one of the premier energy practices in the country, is uniquely qualified to design creative solutions to even the industry's most complex cybersecurity challenges.
[1] NERC's January 25, 2019 Public Notice of Penalty is available here (Notice of Penalty). While the identity of the utility is redacted from NERC's public filing, it was confirmed by both E&E News and The Wall Street Journal shortly after publication. FERC and NERC have since been criticized for shielding the name of the company. See, e.g., Motion to Intervene and Request of Public Citizen, Inc. for the Commission to Direct the Public Release of the Violator Under 18 C.F.R. § 39.7(b)(4), FERC Docket No. NP19-4 (Feb. 19, 2019).
[2] Notice of Penalty at 12.
[3] Id. at 53.
[4] Id.
[5] Id. at 11.
[6] Id.
[7] Id.
[8] Supply Chain Risk Management Reliability Standards, 165 FERC ¶ 61,020 (Oct. 18, 2018) (Order No. 850). A recent Wall Street Journal report detailed the vulnerability of the electric grid to attacks via small contractors.
[9] Cyber Security Incident Reporting Reliability Standards, 164 FERC ¶ 61,033 at P 2 (July 19, 2018) (Order No. 848).
[10] Information on the March 28, 2019 technical conference is available here.
[11] A video of the hearing and testimony of the witnesses is available on the Committee's website.
[12] Earl Shockley, How to Avoid Shattering Private-Sector Accountability for Cybersecurity, Electric Light & Power (Oct. 5, 2017).