NERC Hits Utility with $10 million CIP Fine
- February 1, 2019
- 820 views
The North American Electric Reliability Corp. issued a $10 million fine to an unnamed utility for more than 125 cyber security violations spanning four years.
NERC said the violations "collectively posed a serious risk" to the bulk power system's security and reliability.
Many of the violations took place over long periods of time, involved multiple instances of noncompliance, as well as repeated failures to implement physical and cyber security protections.
NERC said the violations were the result of a lack of management engagement, ineffective oversight and training, and organizational silos between management levels and business units.
To address the problems, the utility agreed in part to create a centralized critical infrastructure protection (CIP) oversight department, invest in enterprise-wide tools related to asset and configuration management, and create multiple levels of training,
Most of the reported violations took place between 2015 and 2018. NERC said that some vulnerabilities remain to be fixed. It classified 13 of the violations as "serious," 62 as "moderate" and 52 as "minimal."
CIP standards focus on cyber and physical security safeguards and date back to 2008. They lay out requirements for controlling access to sensitive facilities as well as protections for critical cyber assets like control rooms.
The Federal Energy Regulatory Commission oversees the security standards and fines and has until late February to approve or reject the $10 million settlement reached between NERC and the utility.
The utility, which is believed to be a large holding company, agreed to overhaul its program for complying with NERC's CIP standards, according to the filing.
Most of the alleged violations outlined in the document were self-reported to NERC, but others were found only through audits of the utility's security program.
Violations ranged from improperly vetting software updates to failing to secure firewall settings, potentially allowing unauthorized access to computer networks.