FERC Should Require Naming the Utility Facing a Record Penalty for Repeat Cybersecurity Violations

Feb. 19, 2019

Media Outlets Have Identified Duke Energy as the Violator

WASHINGTON, D.C. – The Federal Energy Regulatory Commission should force the North American Electric Reliability Corporation to disclose the name of a utility that is facing a record penalty for repeat cybersecurity violations, Public Citizen is demanding in a filing with the commission today.

On Jan. 25, the North American Electric Reliability Corporation submitted a Notice of Penalty against an unidentified electric utility for 127 cybersecurity violations between 2015 and 2018. The unnamed company agreed to pay a $10 million fine, the highest on record for a utility committing cybersecurity violations. Despite multiple media outlets identifying the utility as Duke Energy, Public Citizen believes that formal disclosure of the violator’s identity is key to holding the company accountable and ensuring that ratepayers do not absorb the costs of its misdeeds.

“Concealing the name of the recipient of the largest fine in history sends a confusing message to the public that large penalties do not come with full accountability,” said Tyson Slocum, director of Public Citizen’s energy program and author of the filing. “Future violators may be able to similarly hide behind the veil of anonymity. Moreover, keeping the public in the dark about the cybersecurity track record of our electric utilities may create a false sense of security and reduce the likelihood of more public awareness and vigilance needed to protect cybersecurity.”

Duke Energy’s electric utility operations are in Florida, Indiana, Kentucky, North Carolina, Ohio and South Carolina.

###