FERC declines to publicly name Duke Energy as subject of $10M cybersecurity fine

The Federal Energy Regulatory Commission on Aug. 29 declined to further review a $10 million penalty for an unnamed entity concerning 127 alleged violations of critical infrastructure protection standards.

In doing so, the commission denied motions to intervene from the advocacy group Public Citizen and other parties who sought to have Duke Energy Corp. publicly named as the recipient. However, Commissioner Richard Glick said in a separate statement that future violators, especially those responsible for "numerous and significant" violations, should be publicly identified as a deterrent.

The commission denied the motions from parties seeking intervention because FERC regulations only allow interventions in such proceedings when the subject of a notice of penalty petitions for review. In this case, the subject of the fine declined to pursue the matter any further.

FERC's order followed an Aug. 27 joint white paper in which FERC staff and the North American Electric Reliability Corp. proposed to publicly disclose the names of bulk power system asset owners that have violated mandatory NERC CIP reliability standards.

The matter dates back to January when NERC filed with FERC a notice of penalty and related settlement under which an unnamed power company and its affiliates agreed to pay a $10 million fine and take steps to remedy systemic security issues that led to 127 alleged violations of mandatory CIP standards. Various media outlets began reporting soon thereafter that the unidentified utility was Duke Energy.

Alleging the docket (FERC docket NP19-4) failed to publicly identify "the worst utility violator of cybersecurity rules in history," Public Citizen asked FERC in February to reveal the recipient of the penalty. A coalition of trade groups representing the utility industry opposed that request, arguing that "even information such as revealing the name of an entity involved in a remediated notice of penalty can result in unintended consequences."

Public Citizen later disputed that point in comments arguing that NERC's proposed modifications to its cybersecurity and incident reporting reliability standard (FERC docket RD19-3) should be amended to require public disclosure of the names of utilities subject to a notice of penalty for CIP standard violations. The group specifically noted that PG&E Corp. has not reported any increase in malicious cyberattacks since it was publicly identified in 2018 for having a poor cybersecurity compliance record.

Under the Aug. 27 proposal outlined in the white paper, NERC notices of penalty submitted to FERC would include a public cover letter that discloses the name of the violator, the reliability standard the company violated and the penalty amount. But details on the nature of the violation, related mitigation activity and potential cyber vulnerabilities would be included in a separate, nonpublic attachment, along with a request that the information be designated as critical energy/electric infrastructure information exempt from public disclosure under the Freedom of Information Act.

In addition, NERC would submit CIP notices only after the responsible party has mitigated the underlying violation. Although the new submission format would apply in most circumstances, NERC could still ask FERC for permission to block the name of a violator from public disclosure.

In his Aug. 29 statement, Glick encouraged the parties seeking intervention in the proceeding to participate in the white paper docket (FERC docket AD19-18) as the commission works to address "ongoing concerns regarding transparency and security" of NERC's notice of penalty process.

Comments on the white paper are due by Sept. 26.