Even during quarantine, the North American Electric Reliability Corp. (NERC) has kept up a robust pace of enforcing its grid reliability rules, with particular emphasis on cybersecurity. For example, in late April 2020, NERC reached a settlement agreement with an unnamed entity to resolve a Notice of Penalty covering 34 violations of NERC's reliability standards, including violations of the Critical Infrastructure Protection (CIP) cybersecurity standards.
The cybersecurity violations exposed widespread weaknesses in the company's governance of its cybersecurity controls and risk mitigation practices: inadequate staff training; unclear or overlapping responsibilities; inadequate planning; and gaps in inspecting and configuring existing processes and in implementing new procedures. The $450,000 fine is among the largest NERC has levied recently.
NERC and the Federal Energy Regulatory Commission (FERC), which oversees NERC, cited two of the cybersecurity violations as a "serious" risk to the bulk electric system (BES). First, security patches for certain software were not tracked, evaluated, or installed because the entity mistakenly believed its vendor was tracking them; the finding makes clear that relying on a vendor does not discharge the entity's own obligation to track and evaluate patches. Second, the entity's access controls, network configuration, and monitoring of BES cyber assets were inadequate. Unpatched software and weak network configuration or access controls both have the potential to expose the U.S. grid to cyberattacks.
NERC identified several other administrative, technical, and physical deficiencies as "moderate" risks. For example, (i) cyber assets were not equipped with intrusion detection or prevention tools, so they could not be monitored for security incidents; (ii) employees had access to a shared drive holding BES cyber system information without the required authorization; and (iii) in three instances, employees and contractors were able to pass through certain doors regardless of whether they held access privileges for them.
The unnamed entity agreed to pay the $450,000 fine as part of a settlement with ReliabilityFirst Corp., a private FERC-approved regional entity that monitors compliance with grid reliability rules across 13 states in the mid-Atlantic and Midwest regions, primarily within the territory of the regional transmission organization PJM Interconnection LLC. FERC did not further review the NERC Notice of Penalty, so the settlement was affirmed by operation of law after the 30-day review period. FERC and NERC typically decline to name violators of the CIP standards because publicly identifying an entity could invite attacks that exploit the very vulnerabilities described in the penalty notice.
For assistance with understanding how NERC's enforcement priorities under the grid reliability rules affect your CIP compliance program or vendor relationships, or for assistance with training employees about NERC's enforcement priorities, please contact your Michael Best attorney in our Energy or Privacy & Cybersecurity practice groups.