The Reciprocal Newsletter

The recent news headlines about Duke Energy and the issues they’re facing related to North American Electric Reliability Corporation (NERC) regulatory violations could serve as a cautionary tale for utilities here in Ontario.

Duke Energy is one of the largest utility providers in the U.S. with 7.6 million customers across six states. Recently NERC cited Duke Energy for a total of 127 violations. Duke Energy was handed the biggest fine in NERC’s history, with an agreed amount of $10,000,000.

The violations cited were caused by:ⁱ

• Lack of managerial oversight
• Process deficiencies
• Inadequate training of staff
• Lack of internal controls
• Operational silos and a lack of communication between management levels
• A general lack of awareness of the state of security and compliance

In the rules based regulatory environment in the U.S., compliance is key to avoiding hefty fines and lengthy remediation requirements and is best coupled with strong corporate governance.

Although the regulatory landscape differs in Canada, tending towards principles-based guidance, the net exposure is similar and utilities in Ontario face the same challenges in protecting their networks from cyber threats. The recent introduction of the OEB Cybersecurity Framework has also raised awareness for Ontario utilities for potential regulatory recommendations and compliance requirements related to understanding and management of cyber risks.

There are clear parallels between the Duke Energy violations and the intent of recommendations under the OEB cybersecurity framework.

Originally issued February 2019.

The above nine violations could have been avoided with the implementation of a well-developed corporate cybersecurity policy which considers cyber risks on an enterprise wide basis. Effective management controls and oversight can be difficult and require focused effort on a continuing basis. Some important aspects include quality assurance, staff supervision, development and enforcement of corporate policies, and facilitating improvements in practice.ⁱⁱ

Duke Energy did not just get hit with a huge fine but had to agree to several measures to materially improve management and oversight of cybersecurity and ensure future compliance with the regulations. As part of the settlement, Duke Energy agreed to:

• Pay $10 million in fines
• Improve their performance by increasing senior leadership involvement and oversight
• Create a centralized critical infrastructure protection (CIP) oversight department
• Restructure roles to focus on standards, enterprise oversight, enterprise CIP tools, compliance metrics, and regulatory interactions.
• Conduct industry surveys and benchmark discussions to develop best practices
• Invest in enterprise-wide tools for assets and configuration management, visitor logging, access management, configuration monitoring, and vulnerability assessment
• Increase training
• Institute annual compliance drills

For utilities, the stakes are high. In addition to privacy regulation, related to the protection of client data, clearly the disruption of the electrical system would have dire consequences – particularly due to remediation costs, potential damage to customers, as well as company reputation and public trust. In 2018, the “Department of Homeland Security reported that over the last year, Russia’s military intelligence agency had infiltrated the control rooms of power plants across the United States. In theory, that could enable it to take control of parts of the grid by remote control.” ⁱⁱⁱThe threat is real and easily transcends borders to Canada as well.