Domain: nerc.com
Stories and comments across the archive that link to nerc.com.
Stories · 4
NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them (securityledger.com)
chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called "Regional Entity" $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a "serious risk" to the operation of the Bulk Power System and 62 were rated a "moderate risk." Together, the "collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System)," NERC wrote.
The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to "manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter" is rated a serious risk. So too are violations of CIP requirements calling for covered entities to "implement and document" access controls for "all electronic access points to the Electronic Security Perimeter(s)." Specific requirements that were violated suggest that the companies failed to implement access controls that "denies access by default," "enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter," and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."
US One Step Closer To Electric Grid Cyberguards
coondoggie writes "The US Department of Energy this week officially opened up the bidding for a National Electric Sector Cyber Security Organization that would protect the nation's electrical grid from cyber attacks. According to the DOE, the agency has set an aggressive goal to meet the nation's need for a reliable, efficient, and resilient electric power grid, as well as improved accessibility to a variety of energy sources for generation. In order to achieve this, an independent organization is needed (PDF) to provide executive leadership to facilitate research, development, and deployment priorities; identify and disseminate best cybersecurity practices; organize the collection, analysis, monitoring, and dissemination of infrastructure vulnerabilities and threats; and enhance cybersecurity of the electric grid, including control and IT systems."
NERC Releases Interim Report on Aug 14th Blackout
will writes "The North American Electric Reliability Council has released four documents concerning the August 14th power outage in the North East. The blackout investigation homepage lists all NERC's documents relating to this event. Press coverage is at The Washington Post, CNN, and CBS News. The take home message: FirstEnergy did it. They are, of course, denying it." The report is also available at reports.energy.gov. Reader stinkydog writes "According to Yahoo News part of the blame for the big fizzle of 2003 lies with a failing SCADA system, GE's XA/21 power management system. 'Not only did the software that controls audible and visual alarms stop working at 2:14 p.m. EDT, but about a half hour later, two servers supporting the emergency system failed, too.' According to the product specs, it is a Unix system with X Windows."