DTE and PG&E among those whose names have become public; confidentiality is rule

By Rebecca Smith 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (April 10, 2019).

DTE Energy Co., PG&E Corp. and a municipal utility in Missouri broke rules designed to protect the nation's electric system from cyber and physical attacks and were sanctioned by federal regulators, according to newly released documents and people knowledgeable about the cases.

Penalty cases are not uncommon, but what is unusual is that the public is learning the operators' identities. Most violators' names are kept confidential in a system designed to encourage self-disclosure of infractions by the utilities -- an approach that some critics say is too soft on the industry.

The identification of the three violators follows the recent revelation that Duke Energy Corp. broke the same set of rules.

The cases against Detroit utility DTE, San Francisco-based PG&E and City Utilities of Springfield, Mo., were lodged from 2014 to 2016 -- a time when Russia was in the midst of a major campaign to penetrate utility defenses, according to federal officials.

Although about 250 penalty cases have been lodged against U.S. utilities in the past decade for violating rules designed to protect essential infrastructure, few identities have been divulged by the Federal Energy Regulatory Commission, the agency that oversees the nation's bulk-power system.

When the identities do come out, the reason is usually because regulators released them in response to public-records requests after they believe vulnerabilities have been remedied. That applied in FERC's release of documents disclosing City Utilities in its case and PG&E in one of its cases.

The other way that identities are revealed is through unofficial disclosure by people with knowledge of the matter. That happened with DTE and another PG&E case, though redacted information about their violations was already public.

Charlotte, N.C.-based Duke was outed unofficially in February as the company that committed 127 safety violations in recent years. Among other things, Duke failed to protect sensitive information on its most critical cyberassets, officials said. FERC is reviewing the case and a $10 million settlement agreement.

Public officials are becoming more vocal about threats to critical infrastructure. In late January, U.S. intelligence agencies said Russian and Chinese have infiltrated utility networks and possess the ability to knock out power temporarily and disrupt gas pipelines "for days to weeks" through cyber means.

A Journal investigation, published in January, showed how Russian hackers targeted the unprotected computer systems of small vendors in an attempt to move up the supply chain and compromise defenses of electric companies.

Increased public attention on grid vulnerabilities has sent a shudder through the electric industry.

Last week, three trade groups asked FERC to look at its rules on disclosure practices and, in the meantime, to halt processing records requests, including those by the Journal.

David Ortiz, deputy director of FERC's Office of Electric Reliability, said cyberattacks are happening in large numbers, but utilities seldom report successful attacks as required, even when assured of confidentiality. Recently, FERC has started requiring utilities to report even unsuccessful hack attempts.

There is debate on how much of that information should be public.

Regulators rely on utilities to self-report their violations and accept audit findings. They fear that system will break down if companies are exposed to public scrutiny.

Security researcher and blogger Michael Mabee, who has asked FERC to identify utilities associated with more than 200 penalty cases, said the regulatory system needs fixing, and "the only way for that to happen is by shining the light of day on it."

Mr. Mabee also said penalties negotiated through settlement agreements are too low. So far, settlement agreements haven't been made public.

FERC's Mr. Ortiz said identities are protected to honor confidentiality requests from the North American Electric Reliability Corp., called NERC, the federally appointed organization that crafts utility standards and audits compliance. It refers penalty cases to FERC for enforcement.

The cases involving DTE, City Utilities and PG&E demonstrate why officials are worried about the electric-system security.

DTE agreed to pay $1.7 million in 2016 to settle 36 infractions of rules in prior years, according to people with knowledge of the case. The utility said it takes a duty "to protect the bulk power system very seriously," but declined additional comment.

NERC said auditors of an unidentified utility -- now known to be DTE -- found "serious, systemic security and compliance issues" that persisted from one examination to the next, according to public case documents.

For example, the Detroit-based utility failed to apply 75 security patches to its Energy Management System, a set of computer-aided tools that guides engineers and helps control power flows. Auditors found the utility stopped making updates as soon as a prior audit ended.

The utility also failed to keep backup software that it would need to recover from a catastrophic cyber event.

City Utilities of Springfield, Mo., violated security rules by failing to identify its primary and backup control centers as critical facilities requiring special protections. Its identity was disclosed in the 2014 case in response to a request under the Freedom of Information Act by the Journal and Mr. Mabee.

The utility didn't respond to requests for comment.

PG&E, California's biggest utility, now is known as the company behind three penalty cases.

FERC said PG&E was fined $98,500 in 2014 for failing to keep proper logs for 30 critical workstations. Without logs, auditors said, the utility would have been unable to identify hackers' "attacks, multiple bad password attempts or irregular logons to these workstations." PG&E later found similar issues with 150 other workstations and servers.

Separately, PG&E was fined $1.125 million in 2016 for failing to adequately protect new electrical substations against potential attacks, according to one person familiar with the case.

PG&E said its cybersecurity measures are "robust and consistent with the best practices being employed in the industry." It added that confidentiality "promotes self-reporting" and disclosure "may jeopardize national security by exposing potential grid vulnerabilities."

Last year, PG&E was identified by the Journal as the company that lost control of a confidential database of its cyber assets in 2016 resulting in their internet exposure. It was fined $2.7 million.

Write to Rebecca Smith at rebecca.smith@wsj.com

 

(END) Dow Jones Newswires

April 10, 2019 02:47 ET (06:47 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.
DTE Energy (NYSE:DTE)
Historical Stock Chart
From Feb 2024 to Mar 2024 Click Here for more DTE Energy Charts.
DTE Energy (NYSE:DTE)
Historical Stock Chart
From Mar 2023 to Mar 2024 Click Here for more DTE Energy Charts.