
NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them (securityledger.com)

chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called "Regional Entity" $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a "serious risk" to the operation of the Bulk Power System and 62 were rated a "moderate risk." Together, the "collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System)," NERC wrote.

The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to "manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter" is rated a serious risk. So too are violations of CIP requirements calling for covered entities to "implement and document" access controls for "all electronic access points to the Electronic Security Perimeter(s)." Specific requirements that were violated suggest that the companies failed to implement access controls that "denies access by default," "enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter," and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."
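The three controls quoted above (deny by default, only required ports and services enabled, authenticated remote access) are all things a defender can check mechanically against an Electronic Security Perimeter's access rules. The following Python audit is an added illustration, not part of the Security Ledger report, the NERC filing, or any NERC tooling; the rule model, the network ranges, the approved port list and the `authenticated` flag are constructed assumptions standing in for whatever a real firewall export and access-review process would provide.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Set

# Hypothetical, simplified model of one access rule at an ESP access point.
# "authenticated" means the access path enforces user authentication
# (e.g. an intermediate system with MFA) before reaching the ESP.
@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    port: Optional[int]    # None means "any port"
    authenticated: bool = False


def _is_catch_all_deny(rule: Rule) -> bool:
    """True if the rule denies everything from everywhere on every port."""
    return (rule.action == "deny"
            and rule.src == "0.0.0.0/0"
            and rule.dst == "0.0.0.0/0"
            and rule.port is None)


def audit_esp_rules(rules: List[Rule], approved_ports: Set[int], esp_net: str) -> List[str]:
    """Return a list of findings against the three quoted CIP controls.

    An empty list means the rule table satisfies all three checks
    under this (constructed) model.
    """
    findings = []
    esp = ip_network(esp_net)

    # Control 1: access must be denied by default, i.e. the table must end
    # with a catch-all deny so anything not explicitly permitted is dropped.
    if not rules or not _is_catch_all_deny(rules[-1]):
        findings.append("no catch-all deny as the final rule: access is not denied by default")

    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue

        # Control 2: only ports/services required for operations and
        # monitoring may be enabled.
        if rule.port is None:
            findings.append(f"rule {i}: permits all ports from {rule.src}")
        elif rule.port not in approved_ports:
            findings.append(f"rule {i}: port {rule.port} is not on the approved ports/services list")

        # Control 3: parties outside the ESP that reach in must be
        # authenticated; traffic originating inside the perimeter is exempt.
        if not ip_network(rule.src).subnet_of(esp) and not rule.authenticated:
            findings.append(f"rule {i}: remote access from {rule.src} does not require authentication")

    return findings


# Constructed sample data: one weak rule table and one that passes.
ESP_NET = "10.50.1.0/24"            # assumed ESP address range
APPROVED_PORTS = {22, 443, 502}     # assumed approved services (SSH, HTTPS, Modbus/TCP)

WEAK_RULES = [
    Rule("permit", "10.20.0.0/16", ESP_NET, None),       # whole control-centre LAN, any port
    Rule("permit", "203.0.113.0/24", ESP_NET, 23),       # vendor network, telnet, no auth
    # no final deny rule
]

HARDENED_RULES = [
    Rule("permit", ESP_NET, ESP_NET, 502),                          # intra-ESP Modbus polling
    Rule("permit", "10.20.5.10/32", ESP_NET, 22, authenticated=True),  # MFA jump host only
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),                   # deny by default
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit_esp_rules(rules, APPROVED_PORTS, ESP_NET) or 'no findings'}")
```

Run as-is, the weak table produces five findings (missing default deny, an any-port rule, an unapproved port, and two unauthenticated remote sources) while the hardened table produces none. A real audit would read the rules from the firewall's own export format and would take the approved port list from the documented business justification the same CIP requirements call for.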

  • by omnichad ( 1198475 ) on Friday February 01, 2019 @07:44PM (#58057852)

    The country's grid is one giant 0-day. Best not to pics details or even identities until it is mitigated.

    • The bad guys are testing our security constantly along with all the bots and black hats, and they already know what's vulnerable. This is to protect the guilty, not the innocent.

    • by Mousit ( 646085 )

      The country's grid is one giant 0-day. Best not to pics details or even identities until it is mitigated.

      I wouldn't call the grid "one giant 0-day". While there are plenty of utilities with their heads up their asses about cyber security (or "cyber" anything, honestly), there are plenty of others that DO take it seriously. Mine is one of them (no I will not name them either).

      NERC literally spent Two. Years. auditing us. Top to bottom. We just officially got the finish and closure recently, probably around the same time these other utilities were getting their fines. It was like getting ISO certified, ex

      • by dgatwood ( 11270 )

        I wouldn't call the grid "one giant 0-day". While there are plenty of utilities with their heads up their asses about cyber security (or "cyber" anything, honestly), there are plenty of others that DO take it seriously.

        The problem is, the power grid is a grid. All it takes is one utility doing things sufficiently wrong to potentially bring down the entire grid for a quarter of the country with a spectacular surge or sag. This happened in the northeastern U.S. in 1965 [wikipedia.org] and again in 2003 [wikipedia.org]. The first one was

  • it definitely seems prudent to keep the specifics from the world at large. There have already been enough reports over the past few years to realize our electric infrastructure is vulnerable. It's good to see they are at least doing something to motivate these various entities to get their stuff protected.

    It would be a smart move for any country that wants to attack to us to use a coordinated Internet attack against our grid while also hitting us in whatever fashion they intend, be it landing troops or bomb

  • and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."

    What's that?!? I thought that walls don't work. Since they don't, why did the President say this? [youtube.com]

  • by WillAffleckUW ( 858324 ) on Friday February 01, 2019 @08:04PM (#58057908)

    Look, we know what power systems are resilient to attack and survive physical and internet attacks:

    Renewable microgrids.

    Naming old grid providers only provides rogue nation states and their kaiju hacker mercs with targets.

    That said, give them 90 days and start jailing their senior execs. Fines won't work.

  • ... who are disrupting my utilities' grid, causing widespread outages and mayhem. So tell me how I'm supposed to differentiate this from normal operations.

  • Since I'm off-grid, another way of saying I'm the power company for myself. And none of it is accessible from the internet. In fact, the only parts of it available on my LAN are the results of data acquisition - all actual control is not even on the local network. It's not that hard to push a button once in awhile...
  • by Flexagon ( 740643 ) on Friday February 01, 2019 @08:49PM (#58058128)

    WSJ reports [wsj.com], referring to Energywire, that it was Duke Energy.

  • The only way that cyber security will be taken seriously is when failures result in serious damage to the profits of companies. Until then the temptation to do the minimum you can will remain far too great. Interestingly, this is one of the advantages of having privatised utilities; you can burn them with fines without hurting the general public when they break the rules - a fact which the investors in the California utility should be about to find out unless the corrupt politicians of Sacramento shield thei
