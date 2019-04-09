By Rebecca Smith

PG&E Corp. and a municipal utility in Missouri broke rules designed to protect the nation's electric system from cyber and physical attacks and were sanctioned by federal regulators, according to newly released documents that provided the identities of the violators.

In addition, PG&E was the utility sanctioned in a separate case for violations of these critical infrastructure protection rules, along with Detroit-based utility DTE Energy Co., according to people familiar with the cases and redacted documents reviewed by The Wall Street Journal.

The identification of the violators follows the recent revelation that Duke Energy Corp. broke the same set of rules.

The cases against DTE, PG&E and City Utilities of Springfield, Mo., were lodged from 2014 to 2016 -- a time when Russia was in the midst of a major campaign to penetrate utility defenses, according to federal officials.

What is unusual isn't that companies were penalized, but that the public now knows some of the identities. Most violators are kept confidential in a system designed to encourage self-disclosure by the utilities but some critics say is too protective of the industry.

Although about 250 penalty cases have been lodged against U.S. utilities in the past decade for violating rules designed to protect essential infrastructure, few identities have been divulged by the Federal Energy Regulatory Commission, the agency that oversees the interstate electric system.

When the identities do come out, the reason is usually because regulators released them in response to public-records requests after they believe vulnerabilities have been remedied. That was the case in FERC releasing documents disclosing City Utilities in its case and PG&E in one of its cases.

The other way that identities are revealed is when they are disclosed by people with knowledge of the matter. Such was the case for DTE and another PG&E case, though redacted information about their violations was already public.

Charlotte, N.C.-based Duke was outed in February as the company that committed 127 violations of safety rules in recent years. Among other things, Duke failed to protect sensitive information on its most critical cyber assets, officials said. FERC is reviewing the case and a $10 million settlement agreement.

Public officials are becoming more vocal about threats to critical infrastructure. In late January, U.S. intelligence agencies said Russian and Chinese agents possess the ability to knock out power temporarily and disrupt gas pipelines "for days to weeks" through cyber means.

A Journal investigation, published in January, showed how Russian hackers targeted the unprotected computer systems of small vendors in an attempt to move up the supply chain and compromise defenses of electric companies.

Increased public attention on grid vulnerabilities has sent a shudder through the electric industry.

Last week, three trade groups asked FERC to look at its rules on disclosure practices and, in the meantime, to halt processing records requests, including those by the Journal.

David Ortiz, deputy director of FERC's Office of Electric Reliability, said cyberattacks are happening in large numbers, but utilities report almost no successful attacks even when assured of confidentiality. Recently, FERC has started requiring utilities report attempts, not just successful hacks.

There is debate on how much of that information should be public.

Regulators rely on utilities to self-report their violations and accept audit findings. They fear that system will break down if companies are exposed to public scrutiny.

Security researcher and blogger Michael Mabee, who has asked FERC to identify utilities associated with more than 200 penalty cases, said the regulatory system needs fixing, and "the only way for that to happen is by shining the light of day on it."

Mr. Mabee also said penalties negotiated through settlement agreements are too low. So far, they have not been made public.

FERC's Mr. Ortiz said identities are protected to honor confidentiality requests from the North American Electric Reliability Corp., called NERC, the federally appointed organization that crafts utility standards and audits compliance. It refers penalty cases to FERC for enforcement.

The cases involving DTE, City Utilities and PG&E demonstrate why officials are worried about security.

DTE agreed to pay $1.7 million in 2016 to settle 36 infractions of rules in prior years, according to people with knowledge of the case. The utility said it takes a duty "to protect the bulk power system very seriously," but declined additional comment.

NERC said auditors found "serious, systemic security and compliance issues" that persisted from one examination to the next, according to public case documents.

The utility failed to apply 75 security patches to its Energy Management System, a set of computer-aided tools that guides engineers and helps control power flows. Auditors found the utility stopped making updates as soon as a prior audit ended.

The utility also failed to keep backup software that it would need to recover from a catastrophic cyber event.

City Utilities of Springfield, Mo., violated security rules by failing to identify its primary and backup control centers as critical facilities requiring special protections. Its identity was disclosed in the 2014 case in response to a FOIA request by the Journal and Mr. Mabee.

The utility didn't respond to requests for comment.

PG&E, California's biggest utility, now is known as the company behind three penalty cases.

FERC said PG&E was fined $98,500 in 2014 for failing to keep proper logs for 30 critical workstations. Without logs, auditors said, the utility couldn't have identified hackers' "attacks, multiple bad password attempts or irregular logons to these workstations." PG&E later found similar issues with 150 other workstations and servers.

Separately, PG&E was fined $1.125 million in 2016 for failing to adequately protect new electrical substations against potential attacks, according to one person familiar with the case.

PG&E said its cybersecurity measures are "robust and consistent with the best practices being employed in the industry." It added that confidentiality "promotes self-reporting" and disclosure "may jeopardize national security by exposing potential grid vulnerabilities."

Last year, PG&E was identified by the Journal as the company that lost control of a confidential database of its cyber assets in 2016 resulting in their internet exposure.

