Duke Energy fined $10M for cybersecurity lapses since 2015
- Duke Energy was fined $10 million by the North American Electric Reliability Corporation (NERC) for security violations between 2015 and 2018 regarding critical infrastructure assets, multiple news organizations reported last week.
- Duke has agreed to pay the fine. Its identity is redacted from NERC's public Jan. 25 filing with FERC, but was confirmed by E&E News and The Wall Street Journal on Friday.
- The 127 security violations, which involved critical cyber assets, were largely self-reported by the utility and were attributed to a lack of managerial oversight, process deficiencies, inadequate training and a lack of internal controls. While the violations "posed a serious risk to the security and reliability" of the bulk power system, it is not clear whether hackers ever gained access to the utility's power system.
Grid modernization poses a "potential cyber vulnerability" due to the new lines of attack opened by grid interconnection, according to a recent Deloitte report. It concluded the primary drivers for increasing utility cybersecurity risks are nation states, organized crime and disgruntled employees.
Hackers are beginning to target industrial control systems more frequently, blurring the line between physical and cyberattacks, Deloitte reported.
Duke Energy is a large electric holding company with utilities in multiple states. To address the rule violations, the settlement with NERC stipulates that the penalized entity will increase specified training and oversight, restructure roles, and add management and compliance tools.
"Duke Energy makes cybersecurity a top priority and is strongly committed to comprehensive, multilayered cybersecurity measures designed to protect power plants and the electric grid," Dave Scanzoni, Duke spokesperson, told Utility Dive via email.
NERC told Utility Dive it does not discuss enforcement actions. The electric reliability organization (ERO) filed a redacted (public) and private version of the settlement and notice of penalty with FERC, which will have final approval of penalties.
Disclosures could pose physical and cybersecurity risks to the industry, Scanzoni said, and it is against the utility's policy to "comment on any enforcement filings" to FERC by NERC.
"Penalties are commensurate with the risk presented by the violations. Security of the bulk power system is a key priority for the ERO Enterprise," Kimberly Mielcarek, senior director of communications at NERC, told Utility Dive via email.
Follow Iulia Gheorghiu on Twitter