Call for utility cybersecurity transgressors to be named


A US national public interest group has pressed via a formal petition for confirmation that US utility Duke Energy was the company that agreed to pay a record amount of $10 million in penalties for cybersecurity violations.

Regulators have said the transgressions would have threatened the US grid.

Tyson Slocum, energy programme director for Public Citizen Inc., filed the petition with the Federal Energy Regulatory Commission (FERC).

The action follows notice sent by the North American Energy Reliability Corp. (NERC) to FERC that a $10 million fine was issued to an unnamed company for numerous violations of national cybersecurity requirements over a period of three years, violations that “collectively posed a serious risk to the security and reliability” of the grid.

Slocum feels strongly that the company’s name should be made public by FERC.

“While numerous media reports identify the offender as Duke Energy, the official record in this docket fails to publicly identify the worst utility violator of cybersecurity rules in history,” he writes in the petition.

“Failure to do so will establish Commission precedent that the agency does not take cybersecurity seriously enough to undertake the most basic tenet of enforcement: public disclosure of violators.”

He notes that his group, a non-profit public interest research and advocacy organisation comprising 400,000 members, made a similar move in 2018, when the previous record penalty was issued to an energy provider – in that case the fine amounted to $2.7 million for cybersecurity violations.

The company left unnamed in that case is reported to be Pacific Gas & Electric.

NERC reported that case in 2018, and FERC has failed to act on it. The law, says Slocum, stated that the NERC settlement would come into effect, but FERC has avoided a decision on Public Citizen’s petition as to whether it is good public policy to name a company on the public record.

“It’s kind of a technical issue, but it ends up being very important for public accountability,” Slocum says, explaining in an interview why his organisation has not been successful to date in getting FERC to bring these issues out in the open. “I hope FERC forces NERC to defend its policy and say why it thinks masking the name of the violator is important for grid safety.”

This new petition argues that avoidance of the issue is detrimental to public safety and confidence.

“Taking cybersecurity responsibilities seriously should mean that the commission issues orders on … (reported penalties) that address comments and protests of intervenors,” noted Slocum. The petition also argues that a policy of non-disclosure has the effect of keeping state regulators and other agencies that wield influence in the dark.

“Keeping the identity of the utility non-public from state utility regulators and from customer intervenors participating in state utility commission proceedings could allow the utility to seek retail rate recovery for compliance costs associated with the (penalty),” Slocum writes.

“Absent the knowledge of the violation, state utility commissions and any customer intervenors would be unable to assess whether these costs are properly recovered from ratepayers or should be borne by shareholders.”

Slocum has stressed that his petition amounts to asking FERC to publicly name Duke and other transgressors, and not to disclose the details of what Duke’s failings were or other weak points in either security or the implementation thereof.

“I am not asking them to create a road map for how you crack Duke’s cybersecurity system,” he said.
