Nearly a year after the federal government disclosed that Russian hackers have targeted the U.S.’s critical infrastructure since 2016, utilities are still struggling to keep up on security.
The North American Electric Reliability Corp., a nonprofit tasked with enforcing grid protection compliance, proposed a $10 million fine — its largest ever penalty — for an unnamed utility in late January. The fine was part of a settlement over 127 counts of failing to protect critical infrastructure from physical attacks and cyberattacks, and will need to be finalized by the Federal Energy Regulation Commission.
The violations ranged from mild to serious and took place between 2015 and 2018.
The agency did not name the utility. But the Wall Street Journal and the trade publication Energywire have reported it was Duke Energy Co., the parent company Duke Energy Florida, which serves Pinellas County and other parts of Florida.
In a statement Wednesday, North Carolina-based Duke Energy said its company policy is “not to confirm, deny or comment on any enforcement filings regarding any company.”
“Duke Energy makes cyber security a top priority and is strongly committed to comprehensive, multi-layered cyber security measures designed to protect power plants and the electric grid,” the company said in a statement, noting that it works closely with law enforcement agencies and industry organizations.
Earl Shockley, a utilities consultant who previously worked for North American Electric Reliability Corp., said what is most concerning to him is the precedent the fine sets for the rest of the industry.
“The most important thing is that we’ve got a leader in our energy sector who didn’t meet the mark,” he said.
Utilities, Shockley said, face several ongoing challenges when it comes to securing the grid. For one, aging infrastructure often must be updated to be properly secured, which can be expensive and time-intensive. And while hiring qualified people with the know-how to properly secure the grid might not be a significant issue for well-funded large utilities, smaller utilities are at somewhat of a disadvantage trying to compete from the same talent pool.
"The smaller ones are the ones really hurting," Shockley said.
And if utilities don't start to do better, especially large ones, it may open the door for an agency such as the U.S. Department of Homeland Security to step in and manage security.
"They’re putting the whole industry at risk of losing control over who’s managing the cyber systems," Shockley said. "If the Department of Homeland Security takes over, it’s going to be a lot more stringent."
Contact Malena Carollo at firstname.lastname@example.org or (727) 892-2249. Follow @malenacarollo.