On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”). Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.
Critically, the utility had an internal compliance program in place at the time of the violations. However, NERC determined that the program was of insufficient quality to facilitate compliance with the CIP standards. Moreover, NERC treated both the utility’s compliance history and a lack of management involvement in creating a culture of compliance as aggravating factors for penalty purposes.
The Settlement Agreement is heavily redacted in places, including redaction of the utility’s name, so as not to disclose sensitive information about the utility’s cyber defenses or otherwise compromise the bulk power system. However, the Settlement Agreement provides important lessons and guideposts for other public utilities re-assessing their own cybersecurity programs against the CIP standards. Specifically, companies in the power sector would be well served to use the Settlement Agreement to inform gap assessments of their own compliance status, cyber incident preparedness and cyber risk management. In addition to discussing mitigation activities that are universally applicable, the Notice of Penalty accompanying the Settlement Agreement outlines additional compliance activities for a centralized CIP oversight department and program. Id. at 11. A clear theme throughout the settlement is the necessity of creating a top-down, enterprise-wide culture of compliance and cyber risk management.
The NERC CIP standards are meant to protect the electric grid from catastrophic outages. They are a subset of the reliability standards and grid security rules developed by NERC pursuant to authority delegated by FERC. NERC’s Regional Entities have authority to enforce the CIP standards against registered power system entities by way of financial penalties for noncompliance. The $10,000,000 fine against the unnamed public utility is the largest ever levied for alleged NERC security violations. It is likely to prompt sweeping discussions across the public utility sector, which is under increasing pressure to guard against cybersecurity incidents, and it illustrates the regulatory risk of failing to maintain a robust compliance program.
FERC, which has the final say over the Settlement Agreement pursuant to authority set forth in the Energy Policy Act of 2005, 16 U.S.C.A. § 824o(b)(1), has 30 days to make its determination. 18 C.F.R. § 39.7(e). There is no indication that FERC will not approve it. Addressing cybersecurity risks is increasingly becoming a primary focus of the agency. For example, in July 2018, FERC issued a Final Rule on Cyber Security Incident Reporting Reliability Standards, which directs NERC “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the [Bulk Electric System].” Final Rule ¶ 1. Also, FERC announced on February 4, 2019 that it will co-host the Security Investments for Energy Infrastructure Technical Conference with the U.S. Department of Energy on March 28, 2019, to focus on “current cyber and physical security practices used to protect energy infrastructure and will explore how federal and state authorities can provide incentives and cost recovery for security investments in energy infrastructure, particularly the electric and natural gas sectors.” This follows statements made in 2018 by FERC Chairman Neil Chatterjee and Commissioner Richard Glick suggesting that Congress should give FERC statutory authority to implement mandatory cybersecurity standards for gas pipelines.
The recent NERC enforcement action, coupled with FERC’s demonstrated interest in curbing cybersecurity threats, highlights the ongoing need for industry responsiveness and collaboration. Opportunities exist for industry to maintain open communication with regulators to ensure that regulations are properly tailored to address risks. In a public statement accompanying the Final Rule, Chairman Chatterjee referred to himself as “an outspoken proponent of working with both industry and our government partners to do what we can to better defend against potential intrusions.”