NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them

chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called 'Regional Entity' $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a 'serious risk' to the operation of the Bulk Power System and 62 were rated a 'moderate risk.' Together, the 'collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System),' NERC wrote. The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. For example, violations of a CIP statue that requires companies to 'manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter' is rated a serious risk. So too are violations of CIP requirements calling for covered entities to 'implement and document' access controls for 'all electronic access points to the Electronic Security Perimeter(s).' Specific requirements that were violated suggest that the companies failed to implement access controls that 'denies access by default,' 'enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter,' and ensure the authenticity of parties attempting to remotely access the company's 'electronic security perimeter.'

Read more of this story at Slashdot.