Thursday, February 21, 2019

NERC Seeks $10M Fine for Duke Energy Security Lapses

By Rich Heidorn Jr.

NERC has recommended a $10 million fine on an unidentified utility for repeated violations of critical infrastructure protection (CIP) reliability standards over more than three years that exposed a “lack of management engagement, support and accountability.”

Energywire and The Wall Street Journal reported that the unnamed utility was Duke Energy, one of the nation’s largest, with 7.6 million retail electric customers in six states and 49,500 MW of generating capacity. The company told the Journal it does not comment on enforcement filings.

The control room at Duke Energy’s Buck combined cycle plant in Rowan County, N.C. | Duke Energy

In a Notice of Penalty filed Jan. 25, NERC cited 127 violations between 2015 and 2018 (52 posing “minimal” risk, 62 “moderate” and 13 “serious”). While most of the violations were self-reported, others resulted from compliance audits.

Although many of the details were redacted as critical energy/electric infrastructure information (CEIl), the document refers to “companies” and “regional entities” in the plural, suggesting a large, multistate utility was involved.

“The 127 violations collectively posed a serious risk to the security and reliability of the [bulk power system]. The companies’ violations of the CIP reliability standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cybersecurity protections,” NERC said. “As an example, the companies’ failure to accurately document and track changes that deviate from existing baseline configurations increased the risk that the companies would not identify unauthorized changes, which could adversely impact BES [bulk electric system] cyber systems.”

The notice cited as contributing causes “disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training.”

It also criticized “organizational silos” illustrated by a lack of communication between management levels and “a lack of awareness of the state of security and compliance.”

There were also silos across business units “that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices,” NERC said.

In a settlement, the companies agreed to pay the fine and to improve their performance by increasing senior leadership involvement and oversight; creating a centralized CIP oversight department; and restructuring roles to focus on standards, enterprise oversight, enterprise CIP tools, compliance metrics and regulatory interactions. They also agreed to conduct industry surveys and benchmark discussions to develop best practices.

Redacted excerpt from NERC’s Notice of Penalty.| NERC

The companies also agreed to invest in enterprise-wide tools for asset and configuration management, visitor logging, access management, configuration monitoring and vulnerability assessments; increase training; and institute annual compliance drills.

NERC said the penalty was based on the companies’ “repeat noncompliance” and “deficient” compliance program, mitigated by the lack of evidence of any attempt to conceal the violations. The settlement and fines are subject to approval by FERC.

Among the most serious violations cited were:

  • A failure to protect critical cyber asset (CCA) information. One-line diagrams lacked the appropriate NERC ClP classification markings and some employees were improperly granted “read-only” access to CCA information.
  • A failure to follow its change control and configuration management process. In three instances, software upgrades were deployed on a single CCA in the production environment without first being tested as required by the change control process.
  • A failure to maintain annual cybersecurity training for some employees with electronic or physical access to CCAs.
  • A failure to timely revoke former employees’ and contractors’ electronic access rights.
  • Allowing individuals improper electronic access to CIP-protected information.
  • Improperly configured routers that prevented monitor server logs from being sent to the security incident and event management (SIEM) device.
  • A failure to monitor electronic security perimeter (ESP) inbound and outbound communications and to restrict inbound electronic access to ESPs. “The companies used overly broad ESP firewall rulesets, which permitted access across ports and services that were not required for operations or for monitoring CAs within the ESPs,” NERC said. “Additionally, the companies failed to implement strong technical controls to ensure the authenticity of the accessing party for [redacted] individuals who were granted unauthorized access to the ESPs.”
  • Firewalls were configured to allow external remote access to sensitive systems without first going through an intermediate system, using encryption or requiring multi-factor authentication.
  • A failure to implement physical access controls to limit unescorted access to the physical security perimeter (PSP) and failing to document all required information in visitor logbooks.
  • Repeated failures to adhere to cybersecurity testing procedures, including deficient testing on software upgrades and failures to implement security patch programs.
  • Failing to change passwords on annual schedule and failing to change factory default passwords for remotely accessible BES cyber assets.

Duke Energy Center, Charlotte, N.C. | Duke Energy

NERC’s filing came days before intelligence officials told the Senate Intelligence Committee on Jan. 29 that Russian hackers have the capability to disrupt electrical service in the U.S.

“Moscow is now staging cyberattack assets to allow it to disrupt or damage U.S. civilian and military infrastructure during a crisis and poses a significant cyber influence threat,” officials said in the annual Worldwide Threat Assessment.

“Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours — similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.” (See DHS: 2017 Russian Probes Hit Hundreds of Energy Cos.)

The report also warned that China also “has the ability to launch cyberattacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks—in the United States.”

Leave a Comment