

NERC Hits Utility with $10 million CIP Fine

The North American Electric Reliability Corp. issued a $10 million fine to an unnamed utility for more than 125 cyber security violations spanning four years.

NERC said the violations "collectively posed a serious risk" to the bulk power system's security and reliability.

Many of the violations took place over long periods of time and involved multiple instances of noncompliance, as well as repeated failures to implement physical and cyber security protections.

NERC said the violations were the result of a lack of management engagement, ineffective oversight and training, and organizational silos between management levels and business units.

To address the problems, the utility agreed in part to create a centralized critical infrastructure protection (CIP) oversight department, invest in enterprise-wide tools related to asset and configuration management, and create multiple levels of training.

Most of the reported violations took place between 2015 and 2018. NERC said that some vulnerabilities remain to be fixed. It classified 13 of the violations as "serious," 62 as "moderate" and 52 as "minimal."

CIP standards focus on cyber and physical security safeguards and date back to 2008. They lay out requirements for controlling access to sensitive facilities as well as protections for critical cyber assets like control rooms.

The Federal Energy Regulatory Commission oversees the security standards and fines and has until late February to approve or reject the $10 million settlement reached between NERC and the utility.

The utility, which is believed to be a large holding company, agreed to overhaul its program for complying with NERC's CIP standards, according to the filing.

Most of the alleged violations outlined in the document were self-reported to NERC, but others were found only through audits of the utility's security program.

Violations ranged from improperly vetting software updates to failing to secure firewall settings, potentially allowing unauthorized access to computer networks.

Posted by DW Keefer
