Slashdot Mirror


NERC Fines Utilities $10 Million Citing Serious Cyber Risk, But Won't Name Them (securityledger.com)

chicksdaddy shares a report from The Security Ledger: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret. In a heavily redacted 250-page regulatory filing, NERC fined undisclosed companies belonging to a so-called "Regional Entity" $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.'s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a "serious risk" to the operation of the Bulk Power System and 62 were rated a "moderate risk." Together, the "collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System)," NERC wrote.

The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia's use of cyber attacks to cause social disruptions, citing that country's campaign against Ukraine's electric infrastructure in 2015 and 2016. The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers. However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to "manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter" is rated a serious risk. So too are violations of CIP requirements calling for covered entities to "implement and document" access controls for "all electronic access points to the Electronic Security Perimeter(s)." Specific requirements that were violated suggest that the companies failed to implement access controls that "denies access by default," "enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter," and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."
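The three requirements the summary quotes (deny by default, permit only the ports and services needed for operation and monitoring, and authenticate parties that remotely access the Electronic Security Perimeter) are the kind of thing an auditor checks rule by rule at each electronic access point. The script below is an added example, not code from The Security Ledger, NERC or any utility named in the thread: it audits a constructed access-point ruleset against those three requirements. The rule format, the zone names, the `REQUIRED_SERVICES` table and both sample rulesets are assumptions made up for the example.

```python
"""Audit an Electronic Security Perimeter access-point ruleset against the
three CIP requirements quoted in the story. Added example; rule format,
zone names and sample rulesets are constructed, not from any real utility."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # source zone, e.g. "corp", "monitoring", "any"
    dst: str                  # destination zone; "esp" is inside the perimeter
    port: Optional[int]       # None means all ports
    proto: str = "tcp"
    auth: Optional[str] = None  # how the remote party is authenticated, if at all


# Constructed: services the (hypothetical) engineering team documented as
# required for operating and monitoring Cyber Assets inside the ESP.
REQUIRED_SERVICES = {
    (20000, "tcp"): "DNP3 to RTUs",
    (502, "tcp"): "Modbus/TCP to PLCs",
    (161, "udp"): "SNMP polling from the monitoring zone",
    (22, "tcp"): "SSH via the jump host",
}
# Ports that carry interactive remote access and therefore need an
# authenticated party behind them (assumed list for the example).
INTERACTIVE_PORTS = {22, 3389, 5900}


def is_default_deny(rules: List[Rule]) -> bool:
    """True when the final rule denies everything from anywhere to anywhere."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.src == "any"
            and last.dst == "any" and last.port is None)


def audit_eap(rules: List[Rule]) -> List[str]:
    """Return one finding per violated requirement; empty list means clean."""
    findings = []
    # Requirement 1: access is denied by default.
    if not is_default_deny(rules):
        findings.append("no terminal deny-all rule: access is not denied by default")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        # Requirement 2: only documented required ports/services are enabled.
        if r.port is None:
            findings.append(f"rule {i}: permits all ports {r.src}->{r.dst}")
        elif (r.port, r.proto) not in REQUIRED_SERVICES:
            findings.append(f"rule {i}: {r.port}/{r.proto} is not a documented required service")
        # Requirement 3: interactive access into the ESP from outside it must
        # come from a known source and authenticate the remote party.
        if r.dst == "esp" and r.src != "esp" and r.port in INTERACTIVE_PORTS:
            if r.src == "any":
                findings.append(f"rule {i}: interactive access into the ESP from any source")
            if r.auth is None:
                findings.append(f"rule {i}: interactive access into the ESP with no authentication requirement")
    return findings


# Constructed "before" ruleset: RDP from the office LAN with no authentication,
# a forgotten allow-everything vendor rule, and no closing deny.
WEAK_EAP = [
    Rule("permit", "corp", "esp", 3389),
    Rule("permit", "any", "esp", None),
    Rule("permit", "monitoring", "esp", 161, "udp"),
]

# Constructed "after" ruleset: explicit permits for documented services, remote
# access only through an authenticated jump host, and a terminal deny-all.
HARDENED_EAP = [
    Rule("permit", "jump-host", "esp", 22, auth="mfa-intermediate-system"),
    Rule("permit", "control-center", "esp", 20000),
    Rule("permit", "monitoring", "esp", 161, "udp"),
    Rule("deny", "any", "any", None),
]


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_EAP), ("hardened", HARDENED_EAP)):
        print(f"{name}: {audit_eap(ruleset) or ['no findings']}")
```

The weak ruleset produces four findings (missing default deny, an undocumented RDP service, an all-ports permit, and unauthenticated interactive access); the hardened one produces none. The check is deliberately conservative: a permit with `port=None` is flagged as an over-broad service even when it does not hit the remote-access test, because a catch-all permit defeats the deny-by-default posture on its own.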

28 comments

  1. Seems reasonable by omnichad · · Score: 2

    The country's grid is one giant 0-day. Best not to pics details or even identities until it is mitigated.

    1. Re:Seems reasonable by drinkypoo · · Score: 1

      The bad guys are testing our security constantly along with all the bots and black hats, and they already know what's vulnerable. This is to protect the guilty, not the innocent.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Seems reasonable by Mousit · · Score: 1

      The country's grid is one giant 0-day. Best not to pics details or even identities until it is mitigated.

      I wouldn't call the grid "one giant 0-day". While there are plenty of utilities with their heads up their asses about cyber security (or "cyber" anything, honestly), there are plenty of others that DO take it seriously. Mine is one of them (no I will not name them either).

      NERC literally spent Two. Years. auditing us. Top to bottom. We just officially got the finish and closure recently, probably around the same time these other utilities were getting their fines. It was like getting ISO certified, except maybe even more invasive. They audited everything--every operational piece of the company from paperwork handling procedures to physical device specifications--for CIP compliance, so admittedly cyber security and pentesting was only one piece of the overall process, but they were still thorough with that piece too. Even, dare I say it, annoyingly fucking nitpicky in fact. They did find a number of little things, yes, because nothing is ever perfect, especially with the nitpicking. The recommendations report however was quite small, because our overall operational security was found to be excellent, by their rankings. "No significant issues", in bureaucratic speak.

      It may not sound like much, but I'm pretty damn proud of that, especially as this is not some tight little office network. It's an industrial communications system spanning tens of thousands of square miles, with a network link in every substation. That's a lot of access control, just physically, before you even start considering all the layers above that.

      So yeah, some utilities do care. And the idiots that don't, I hope they get their asses fined until it's too goddamn expensive for them not to care. If anything, $10 million for 127 violations is way too modest in my opinion.

    3. Re:Seems reasonable by Anonymous Coward · · Score: 0

      That's awesome and congratulations. But what we really want to hear about is the automatic weapons available to your outfit's security. Please embellish for mod points.

    4. Re:Seems reasonable by dgatwood · · Score: 1

      I wouldn't call the grid "one giant 0-day". While there are plenty of utilities with their heads up their asses about cyber security (or "cyber" anything, honestly), there are plenty of others that DO take it seriously.

      The problem is, the power grid is a grid. All it takes is one utility doing things sufficiently wrong to potentially bring down the entire grid for a quarter of the country with a spectacular surge or sag. This happened in the northeastern U.S. in 1965 and again in 2003. The first one was caused by the failure of a single relay. The second one was caused by a software bug. Both of these failures are the sorts of things that an attacker could potentially trigger remotely if network security is inadequate.

      Mine is one of them (no I will not name them either).

      You really kind of should. If more folks knew who was competent, the companies that aren't would at least know who to ask for help. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. While transparencts transparency is good... by sarren1901 · · Score: 1

    it definitely seems prudent to keep the specifics from the world at large. There have already been enough reports over the past few years to realize our electric infrastructure is vulnerable. It's good to see they are at least doing something to motivate these various entities to get their stuff protected.

    It would be a smart move for any country that wants to attack us to use a coordinated Internet attack against our grid while also hitting us in whatever fashion they intend, be it landing troops or bombing us with aircraft and ICBMs.

    1. Re:While transparencts transparency is good... by Anonymous Coward · · Score: 0

      Wow, I sure butchered the title on that post...

    2. Re:While transparencts transparency is good... by Anonymous Coward · · Score: 0

      it definitely seems prudent to keep the specifics from the world at large. There have already been enough reports over the past few years to realize our electric infrastructure is vulnerable.

      The vulnerability of our national grid is arguably an actual national emergency, albeit one random executive overreach will not solve. One obvious target date might be during an election. If you could figure out the right areas to hit to shift the odds... It doesn't all have to come from one country either. It could come from a number of them, who want an election swung in one way or another. We lost what 3 billion or so in the last shutdown that will never be gotten back. That is 3000 million, so 300 times the cost of this fine. Heck if the vulnerabilities are bad enough terrorists might even see opportunities. It is not as if you have to have the resources of a nation state to hack into poorly secured systems. That we haven't seen much yet is likely more due to the people with the means not seeing the cost benefit analysis swing into a region where they think it is worth it.

      At any rate, I'm not convinced hiding the problem and hoping that it gets fixed is a sound strategy. It is more likely that things won't be taken seriously until we actually take a few serious attacks and even then, you might get a solution, a mission accomplished, and then a repeat a year later with more excuses.

  3. Hey: hold my karma beer and watch THIS! by grep+-v+'.*'+* · · Score: 1

    and ensure the authenticity of parties attempting to remotely access the company's "electronic security perimeter."

    What's that?!? I thought that walls don't work. Since they don't, why did the President say this?

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re: Hey: hold my karma beer and watch THIS! by Anonymous Coward · · Score: 0

      What the fuck are you on about, fool?

  4. show butthoal by Anonymous Coward · · Score: 0

    i sniff youre dog butthoal,

    1. Re: show butthoal by Anonymous Coward · · Score: 0

      Get back to coding, Vijay!

    2. Re:show butthoal by Anonymous Coward · · Score: 0

      Ooh, darhlink, please whisper those words into my ears in your native tongue of Portuguese!

  5. BLT by Anonymous Coward · · Score: 0

    I just bought a disgusting BLT sandwich

  6. Should replace grid with microgrids by WillAffleckUW · · Score: 3, Insightful

    Look, we know what power systems are resilient to attack and survive physical and internet attacks:

    Renewable microgrids.

    Naming old grid providers only provides rogue nation states and their kaiju hacker mercs with targets.

    That said, give them 90 days and start jailing their senior execs. Fines won't work.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re: Should replace grid with microgrids by Anonymous Coward · · Score: 0

      Sorry, wrong. The household microgrid is just as suspect as the power company. Even more so. Its parts and supplies are from the same foreign designers and from the same parts designers as the power companies. If one can be tapped, so can the other. You cannot trust life to those companies. They operate for their profit, not yours. None are hardened to Carrington event level. None are proven to be better than another in events that may make a device non-functional. Even nearby transformers can broadcast a code; flux from a pulse can be broadcast from a transformer, that can be intercepted by all devices nearby, causing a shutdown, eliminating services. After all what causes all the interference in SW bands? And never heard codes over it? Come on, get real.

    2. Re: Should replace grid with microgrids by Anonymous Coward · · Score: 0

      The Energy Policy Act law doesn't allow jailing, it allows fines. Up to $1M/day/violation.
      Source: https://m.acc.com/legalresources/quickcounsel/ferc.cfm?

      I would just keep ratcheting up the fines, daily, until they are hitting $1M/day/violation. You have to make it where compliance is cheaper than fines. So long as the fines cost less than perfect compliance during the same time period, then the bean-counters see it as a win and an acceptable risk. Up the risk to change their perspective.

  7. It's the Russians ... by PPH · · Score: 1

    ... who are disrupting my utilities' grid, causing widespread outages and mayhem. So tell me how I'm supposed to differentiate this from normal operations.

    --
    Have gnu, will travel.
  8. Guess I'm safe by DCFusor · · Score: 1

    Since I'm off-grid, another way of saying I'm the power company for myself. And none of it is accessible from the internet. In fact, the only parts of it available on my LAN are the results of data acquisition - all actual control is not even on the local network. It's not that hard to push a button once in a while...

    --
    Why guess when you can know? Measure!
  9. Maybe unnamed in that article, but they're known by Flexagon · · Score: 2

    WSJ reports, referring to Energywire, that it was Duke Energy.

  10. Right to be forgotten by Anonymous Coward · · Score: 0

    ... citing the risk of cyber attack should their identity be known.

    This might be compensating an inadequacy of 'capitalism will provide'. It is definitely giving criminal management a right to be forgotten.

    1. Re:Right to be forgotten by Impy+the+Impiuos+Imp · · Score: 1

      How's the cyber security of non-capitalist systems? I suppose, with no freedom of speech and no Internet even in some cases, you'll never know.

      People complained about capitalism and pollution, but everywhere else was far worse.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  11. I keep waiting to hear, but by Anonymous Coward · · Score: 0

    I understand why the power grid operations folks need good comms. I know load- and frequency-matching is very important. The Intertubes is a great thing for that.
    I also know that ANYthing connected to the grid is at risk for intrusion. So, I keep wondering why that stuff is connected to the 'net, and why nodangbody suggests we fix that. After all, back before Al Gore made the Intertubes, they used common, ordinary voice telephones to coordinate the electric grid and other critical infrastructure systems. I hope, as I have for years, that someday I'll see the reasons this stuff's still on the 'net.

  12. $10m - so what by Bruce66423 · · Score: 1

    The only way that cyber security will be taken seriously is when failures result in serious damage to the profits of companies. Until then the temptation to do the minimum you can will remain far too great. Interestingly this is one of the advantages of having privatised utilities; you can burn them with fines without hurting the general public when they break the rules - a fact which the investors in the California utility should be about to find out unless the corrupt politicians of Sacramento shield their campaign contributor again. https://www.nytimes.com/2019/0...

    1. Re: $10m - so what by Anonymous Coward · · Score: 0

      Depends on the size of the organization. I believe this was a small to medium sized organization. $10M may be a big smackdown for them.

  13. Re: Maybe unnamed in that article, but they're kno by Anonymous Coward · · Score: 0

    There were no violations for High-Impact related Cyber Assets. This points to it being a small to medium sized outfit. Duke is too big.

    Rumors I have heard within the industry and timing point to Grant County PUD in Washington state in the middle of nowhere. They lost some key staff just before their scheduled WECC audit. I suspect a lack of management support and the staff went somewhere that would play by the regulations. If it was Grant County PUD, $10M is huge as they have a customer base of 40K. If it was Duke, $10M is pocket change.

  14. Re: Maybe unnamed in that article, but they're kno by jdharm · · Score: 1

    Citation needed.

  15. This should make for an interesting DistribuTECH by Anonymous Coward · · Score: 0

    This should make for an interesting DistribuTECH this week.
    I wonder who the SCADA vendor was at the utility?