NERC fines Duke Energy $10 million for cybersecurity failings

North Carolina-based Duke Energy has been fined a record $10 million by NERC (North American Electric Reliability Corporation) for 127 violations of rules designed to keep the U.S. power system safe from physical and cyber attacks.

According to NERC’s penalty notice, “although the risk posed to the BPS [bulk power system] by the individual violations ranged from minimal to serious (52 minimal, 62 moderate, and 13 serious), the collective risk of the 127 violations posed a serious risk to the reliability of the BPS.”

These violations included but are not limited to lack of management engagement, support and accountability relating to the CIP (critical infrastructure protection) compliance program, disassociation of compliance and security that resulted in deficient program and program documents, lack of implementation, and ineffective oversight and training. In five instances, Duke failed to restrict electronic access rights from employees or contractors that resigned or were terminated. In one instance they failed to revoke a contractor’s physical access rights. Per the fine, Duke will implement the mechanisms to correct the situation.

Duke Energy has not commented on the investigation.

Don’t get fined

Any organization that breaks the rules puts itself at risk of enforcement action. With new privacy laws such as the CCPA (California Consumer Privacy Act) coming into force across the U.S., understanding your data protection responsibilities is more important than ever. The CCPA affects any organization that collects and processes the personal data of California residents – whether or not it is based in the state. Failure to comply could incur millions in legal costs.


California Consumer Privacy Act (CCPA) Webinar Series

To learn how your organization can avoid being penalized, register for our webinar “How will my organization be penalized if it fails to adhere to the CCPA?”, scheduled for Tuesday, March 19, 1:00 p.m. – 2:00 p.m. EST.

The webinar will cover:

  • Penalties for breaches of the CCPA
  • Penalties for losing records in a breach
  • Breach notifications
  • The use of ISO 27001, ISO 27002, ISO 22301, and ISO 27035
  • The benefits of an ISO 27001 framework vs. SOC 2 concepts

Register here.