Utility faces possible fine from U.S. over procedures to prevent physical, cyber attacks

Date: 2019-02-02

By Rebecca Smith

Duke Energy Corp. faces a record $10 million fine from federal authorities for serious and pervasive violations of rules designed to keep the nation's electric system safe from physical and cyber attacks, according to people familiar with the matter.

Some violations lasted for years; others apparently are continuing, according to the people and newly released documents in a federal regulatory filing.

Investigators have referred the proposed penalty and a settlement agreement with Duke to the Federal Energy Regulatory Commission for approval, according to the filing by the North American Electric Reliability Corp., the organization that since 1967 has been responsible for keeping the nation's electric grid safe. The proposed fine is a fraction of the maximum amount allowed by law.

The filing refers to Duke only as an "unidentified registered entity," upholding the practice in recent years of shielding offenders from public exposure.

Duke, based in Charlotte, N.C., is a giant utility that operates gas and electric utilities in seven states and owns nuclear power plants and gas-transmission lines. It committed 127 violations of safety rules, federal investigators said, which "posed a serious risk to the security and reliability" of the eastern interconnection, the web of electric utilities east of the Rocky Mountains that furnishes electricity to most Americans.

The filing didn't say whether hackers gained access to Duke's systems, but for six months a "configuration error" meant that system engineers weren't alerted about some types of attempted hacks, the newly released documents show.

A Duke spokesman said the utility, "per standard policy, does not comment on enforcement filings."

The revelation of the extensive cybersecurity breakdown at a major utility comes as federal authorities are increasingly vocal about efforts by foreign actors, including those in Russia, to hack into U.S. utilities. In hearings this week before the Senate Intelligence Committee, the nation's intelligence chiefs warned that Russians now have the technical means to disrupt electrical service in the U.S.

An investigation by The Wall Street Journal, published last month, showed how Russian hackers used the unprotected computer systems of small vendors hired by utilities in an attempt to break through the controls of the larger companies. But Duke's systems, unlike those of small vendors, were presumed to be highly protected.

The case is especially striking because Duke is one of the nation's biggest and best-resourced utilities with more than $138 billion in assets and 29,000 employees. As such, its security program should have been top notch, industry experts say.

That Duke was the unnamed company was first reported Friday by the trade publication Energywire.

Many of Duke's violations involved "repeated failures to implement physical and cyber security protections," according to NERC, the investigating agency that referred the case to FERC. The reliability organization added that Duke's management "passively accepted" many shortcomings that employees reported and allowed "problems to continue for over five years."

In the enforcement document released to the public, which exceeds 750 pages, important details are blacked out. As a reason for the secrecy, NERC pointed to the Journal's investigation, published on Jan. 11, that explained how the Russians tried to penetrate the defenses of utilities. NERC said that any company shown to have weak defenses would be subject to more attacks.

NERC said it doesn't comment on enforcement cases.

Among the violations identified by NERC, Duke failed to protect sensitive information on its most critical cyber assets and allowed employees without proper clearances to access computerized records for more than four years, the documents say.

Duke also allowed contractors, employees and former employees without proper clearances to gain unescorted access to sensitive locations, like substations and computer server rooms, sometimes for many months.

In one case, according to the documents, a technician shared his username and password with two people who, as a result, had access to some of Duke's electronic systems for nearly three years, only losing access when the technician changed his password.

The utility company improperly configured firewalls for some of its networks and, in at least one instance, failed to "monitor for malicious communications," the documents say.

The company allowed remote computer access to some of its sensitive systems without requiring what is called multi-factor authentication, which makes a user jump through a series of hoops to verify that the person seeking access has proper authority. Nor did it require encryption. NERC noted the violation "is currently ongoing."

The lapses in the filing occurred at a time when foreign adversaries were known to be seeking ways to penetrate the defenses of utilities. U.S. intelligence agencies said this week, in the annual Worldwide Threat Assessment, that Russia now has the ability to launch cyber attacks that include "disrupting an electrical distribution network for at least a few hours."

Successful cyber attacks could cause enormous loss of life, especially if they happened during periods of extreme weather such as occurred this week with record-low temperatures in much of the U.S.

Industry observers said the widespread lapses in the filing shine an unflattering light on the utility sector, which is struggling to satisfy cyber security rules that have been getting more stringent since the first set was imposed in 2013.

"The state of compliance is pretty rotten," said Tom Alrich, a utility consultant who helps utilities audit their security programs. He added that he knows Duke spends a lot of money on its critical infrastructure protections. "I really doubt they are much more insecure than anyone else," he said.

