Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Duke Redux – A Repeat Cybersecurity Violator Exposed!

Posted on September 10, 2019 by Michael Mabee

Duke Energy was cited twice for the same cybersecurity violations

On September 3, 2019 I received further results of Freedom of Information Act (FOIA) requests I have filed with the Federal Energy Regulatory Commission. One of the documents I received identifies Duke Energy as the violator in FERC Docket No. NP10-138-000. So we now know that on July 6, 2010, Duke was fined $5,000 for violating Critical Infrastructure Protection (CIP) standards. We recently learned that Duke Energy was fined $10 million on January 25, 2019 (Duke was outed by the press as the violator).

A comparison of these two Notices of Penalty shows that Duke Energy was cited and fined on July 6, 2010 for the same regulatory violations that it was subsequently fined for on January 25, 2019.

Duke Energy gets the dubious honor of being the first company exposed as a repeat violator of the same Critical Infrastructure Protection (CIP) standard.

The Critical Infrastructure Protection (CIP) standards are enforced by the North American Electric Reliability Corporation (NERC) and the regulatory actions or “Notices of Penalty” are submitted to the Federal Energy Regulatory Commission (FERC) for approval. (The public is not given the names of the violators, which under the present system are withheld permanently.)

So the public was never supposed to know whether there are repeat violators. The secret CIP regulatory system has shielded the electric utility industry from such scrutiny for over 9 years. There is now a move by FERC and NERC to increase transparency, but I digress. (If you want to read more about this—and what you can do to help—read this report.)

At issue is the requirement that when an employee or contractor is terminated, their access to “Critical Cyber Assets” must be revoked.

In 2010, Duke was cited for this:

“The Registered Entity did not revoke physical access rights to Critical Cyber Assets within seven days for personnel who no longer required access. The Registered Entity discovered seven instances where records could not be located to demonstrate badge deactivations occurred in a timely manner for personnel who no longer required access to Critical Cyber Assets. Subsequently, the Registered Entity submitted a letter in which it identified two additional instances in which revocation was similarly delayed and occurred in the same time frame as the original seven. Therefore, the Registered Entity self-reported a total of nine instances where access badges were not deactivated in a timely manner, following termination of those employees.” [NP10-138-000 NOP, page 2.]

Then in 2019, Duke was cited for this:

“The REs [Regional Entities] determined that the Companies failed to timely revoke a former employee’s electronic access rights, in five instances. In the first instance, the Companies terminated the employee, but the Companies’ manager did not notify the help desk per internal processes so that the help desk could immediately revoke access. In the second instance, the Companies’ contractor’s employment ended, but the account manager did not follow the Companies’ internal process of notifying the appropriate personnel to revoke the contractor’s physical badge access to CCAs within seven calendar days from the date of termination. In the third instance, the Companies required a contractor to go on a 30-day absence, but the contractor’s manager failed to follow the Companies’ internal process of completing the required change access request documentation to revoke the contractor’s physical badge access. In the fourth instance, the Companies failed to revoke access within seven calendar days for an employee who no longer required access to CCAs. In the fifth instance, the Companies failed to remove access for an employee because the badge access system was not designed to process NERC and non-NERC access requests or revocations on the same ticket.” [NP19-4-000 NOP, pages 17-18.]

And this:

“The REs determined that the Companies failed to revoke employees’ access within seven calendar days after access was no longer required, in three instances. In the first instance, the Companies’ manager initiated an access revocation, which was not finalized because the manager inadvertently kept the request in draft form. In the second instance, the Companies did not timely revoke employees’ access rights that were no longer needed. In the third instance, the Companies failed to timely revoke two employees’ authorized unescorted physical access to CCAs.” [NP19-4-000 NOP, page 18.]

And this:

“The REs determined that the Companies did not revoke a contractor’s physical access rights within seven calendar days from the date of termination.” [NP19-4-000 NOP, page 18.]

And this:

“The REs determined that the Companies did not timely revoke eight individuals’ unescorted physical access to a [redacted] Physical Security Perimeter (PSP) within 24 hours from termination.” [NP19-4-000 NOP, page 20.]

Granted, Duke is a big company. There is no indication that the 2010 and the 2019 violations were in the same place. But that doesn’t matter. Duke did not get its cybersecurity act together and got penalized $10 million—including some repeat violations.

This information about repeat violations is of interest to the public, investors, Congress and other regulators. Such information should not be withheld. We need to know if we have repeat Critical Infrastructure Protection (CIP) violators and if we have potential bad actors. (I’m talking about bad actors in charge of protecting our critical infrastructures—not the ones attacking them.)

In the weeds with the Duke violations

For those who want more detail on the requirements and the two penalty cases, the specifics are below. First, here are the relevant CIP standards and their effective dates:

  • CIP-004-1 Cyber Security — Personnel & Training (Effective Date: 6/1/2006)
  • CIP-004-3a Cyber Security — Personnel & Training (Effective Date: 12/12/2012)
  • CIP-004-6 Cyber Security — Personnel & Training (Effective Date: 7/1/2016)

On 7/6/2010 Duke was fined $5,000 (Docket No. NP10-138-000) for:

  • CIP-004-1 Requirement 4.2:
    • R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

[Image: screenshot from NERC’s website on Docket No. NP10-138]

On 1/25/2019 Duke was fined $10,000,000 (Docket No. NP19-4-000) for numerous violations including:

  • CIP-004-3a Requirement R4.2:
    • R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.
  • CIP-004-6 Table R5 Requirement:
    • 5.1 A process to initiate removal of an individual’s ability for unescorted physical access and Interactive Remote Access upon a termination action, and complete the removals within 24 hours of the termination action (Removal of the ability for access may be different than deletion, disabling, revocation, or removal of all access rights).
    • 5.2 For reassignments or transfers, revoke the individual’s authorized electronic access to individual accounts and authorized unescorted physical access that the Responsible Entity determines are not necessary by the end of the next calendar day following the date that the Responsible Entity determines that the individual no longer requires retention of that access.
    • 5.3 For termination actions, revoke the individual’s access to the designated storage locations for BES Cyber System Information, whether physical or electronic (unless already revoked according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination action.
    • 5.4 For termination actions, revoke the individual’s non-shared user accounts (unless already revoked according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action.

[Image: screenshot from NERC’s website on Docket No. NP19-4-000]
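Every one of the requirements above is a deadline measured from a termination or transfer event, which is exactly the kind of rule a utility can check mechanically against its own offboarding log instead of discovering the gaps during an audit. The script below is an added example written for this post; it is not code from NERC, FERC or Duke Energy. The record layout, the field names and the four sample records are constructed, and the reading of “by the end of the next calendar day” as the midnight that closes the following day is an assumption. It applies the older R4.2 rule (24 hours for cause, otherwise seven calendar days) and the CIP-004-6 Parts 5.1 to 5.4, and it treats a revocation that was never recorded as a finding once its window has passed, which is how cases like the request left in draft or the help desk that was never notified would surface.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Record:
    """One constructed offboarding record; None means the revocation was never logged."""
    person: str
    action: str                         # "termination" or "transfer"
    action_time: datetime               # effective date/time of the action
    for_cause: bool = False             # only the older R4.2 rule distinguishes this
    physical_revoked: Optional[datetime] = None   # unescorted physical access
    remote_revoked: Optional[datetime] = None     # electronic / Interactive Remote Access
    bcsi_revoked: Optional[datetime] = None       # BES Cyber System Information storage
    accounts_revoked: Optional[datetime] = None   # non-shared user accounts


def end_of_next_calendar_day(t: datetime) -> datetime:
    """'By the end of the next calendar day', read here as the midnight that closes
    the day after the action date (an assumption, not NERC's definition)."""
    day_start = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return day_start + timedelta(days=2)


def _late(done: Optional[datetime], deadline: datetime, as_of: datetime) -> bool:
    """Overdue if completed after the deadline, or never completed once the deadline
    has passed at audit time: a missing record is a finding, not a pass."""
    return as_of > deadline if done is None else done > deadline


def check_r4_2(rec: Record, as_of: datetime) -> List[str]:
    """CIP-004-1 / CIP-004-3a R4.2: 24 hours when terminated for cause, otherwise
    seven calendar days from when the access is no longer required."""
    deadline = rec.action_time + (timedelta(hours=24) if rec.for_cause else timedelta(days=7))
    return [f"R4.2: {label} access not revoked by {deadline:%Y-%m-%d %H:%M}"
            for label, done in (("physical", rec.physical_revoked),
                                ("electronic", rec.remote_revoked))
            if _late(done, deadline, as_of)]


def check_r5(rec: Record, as_of: datetime) -> List[str]:
    """CIP-004-6 Table R5, Parts 5.1 to 5.4, applied to one record."""
    findings: List[str] = []
    if rec.action == "termination":
        d51 = rec.action_time + timedelta(hours=24)
        for label, done in (("physical", rec.physical_revoked), ("remote", rec.remote_revoked)):
            if _late(done, d51, as_of):
                findings.append(f"5.1: {label} access not removed within 24h (due {d51:%Y-%m-%d %H:%M})")
        # 5.3 is waived when 5.1 already covered it; BCSI storage access is kept as its
        # own field in this model, so it is checked on its own.
        d53 = end_of_next_calendar_day(rec.action_time)
        if _late(rec.bcsi_revoked, d53, as_of):
            findings.append(f"5.3: BCSI storage access still held at {d53:%Y-%m-%d %H:%M}")
        d54 = rec.action_time + timedelta(days=30)
        if _late(rec.accounts_revoked, d54, as_of):
            findings.append(f"5.4: non-shared accounts not revoked within 30 days (due {d54:%Y-%m-%d})")
    elif rec.action == "transfer":
        d52 = end_of_next_calendar_day(rec.action_time)
        for label, done in (("physical", rec.physical_revoked), ("electronic", rec.remote_revoked)):
            if _late(done, d52, as_of):
                findings.append(f"5.2: unneeded {label} access still held at {d52:%Y-%m-%d %H:%M}")
    return findings


def audit(records: List[Record], as_of: datetime) -> Dict[str, List[str]]:
    """Map each person with at least one overdue R5 revocation to their findings."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_r5(rec, as_of)
        if findings:
            result[rec.person] = findings
    return result


AS_OF = datetime(2021, 3, 15, 9, 0)     # constructed audit time

SAMPLE = [  # constructed records, not data from either Notice of Penalty
    # Clean termination: everything removed inside its window.
    Record("alice", "termination", datetime(2021, 3, 1, 10, 0),
           physical_revoked=datetime(2021, 3, 1, 11, 0), remote_revoked=datetime(2021, 3, 1, 11, 5),
           bcsi_revoked=datetime(2021, 3, 2, 9, 0), accounts_revoked=datetime(2021, 3, 10, 9, 0)),
    # Help desk never notified: badge pulled four days late, remote access never.
    Record("bob", "termination", datetime(2021, 3, 1, 10, 0),
           physical_revoked=datetime(2021, 3, 5, 10, 0), remote_revoked=None,
           bcsi_revoked=datetime(2021, 3, 2, 9, 0), accounts_revoked=datetime(2021, 3, 10, 9, 0)),
    # Transfer: revocation request left in draft, physical access still live.
    Record("carol", "transfer", datetime(2021, 3, 10, 16, 0),
           physical_revoked=None, remote_revoked=datetime(2021, 3, 11, 8, 0)),
    # Termination for cause: badge pulled three days later, which the 24-hour rule catches.
    Record("dave", "termination", datetime(2021, 2, 1, 10, 0), for_cause=True,
           physical_revoked=datetime(2021, 2, 4, 10, 0), remote_revoked=datetime(2021, 2, 1, 10, 30),
           bcsi_revoked=datetime(2021, 2, 2, 9, 0), accounts_revoked=datetime(2021, 2, 20, 9, 0)),
]

if __name__ == "__main__":
    for person, findings in audit(SAMPLE, AS_OF).items():
        print(person)
        for line in findings:
            print("   ", line)
```

Run as-is it reports bob (both 5.1 removals), carol (5.2 physical) and dave (5.1 physical); alice is silent. The one design choice worth copying is in `_late`: an absent revocation record counts against you once the window closes, so “no record could be located”, the wording of the 2010 citation, becomes a finding rather than a gap the report never mentions.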

Conclusion

Out of the 255 dockets for which I have filed FOIA requests, FERC has so far released 9 names to me. Of those 9 names, two NOPs were for Pacific Gas and Electric (PG&E) for different violations and two NOPs were for Duke Energy (including some repeat violations).

Getting some industry accountability is long overdue. Stay tuned for more in the coming weeks – subscribe to my blog HERE to make sure you don’t miss anything!

Click HERE for details on my FOIA requests