Record fines come on the heels of warnings from US intelligence agencies of a growing cyber risk to utility providers. Similar warnings have been issued for law firms, higher education, and small businesses, so this information is relevant to a wide spectrum of organizations that may need to review how they are protecting their data and systems.

The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of its Critical Infrastructure Protection (CIP) cybersecurity regulations. Unnamed sources have identified Duke Energy Corp. as the subject of the fines, but NERC has not officially shared details of the investigation or the citations. The parts of the report that have been released point out weaknesses that are not unique to utilities, including:

  • Failure to deny access by default
  • Failure to enable ports and services needed for operations
  • Failure to monitor cyber assets

Other utilities can refer to the NERC CIP Standards, and organizations in other sectors may want to perform a gap assessment against the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify areas that are not covered by their current controls, policies, or procedures.