As a child, I remember fallout shelter signs on many buildings and even a few nuclear safety drills at school. I am not sure how hiding under our little desks at school would protect us in the event of nuclear war, especially since we were living in such a target rich area. Today, the biggest threat to America may be cyberwarfare. And electric utilities are today’s prime targets.
Shutting down a utility for a couple hours wouldn’t be catastrophic. But taking out the grid for a prolonged period of time could cause widespread devastation, particularly in urban areas.
Hospitals, water treatment facilities and refrigerators need power. While living without your refrigerator might be inconvenient, having no access anywhere to refrigeration would make fresh food scarce. In the winter time, people could freeze.
America took down the Iranian nuclear program in 2010 with the Stuxnet virus. Although no one knows for sure how the attack was carried out, the United States and Israel are credited with the attack. In many ways, that was the beginning of state sponsored cyberwarfare.
After our attack caused Iran’s nuclear centrifuges to self-destruct, former CIA chief Michael Hayden said, “Șomebody just used a new weapon, and this weapon will not be put back in the box.” He was right.
Now that the “war” has commenced, our enemies are fighting back. Ransomware, our elections… and one of their top targets, our utilities and America’s power grid.
The Russians are credited at the first attempt to shut down a country’s electrical grid. With the start of hostilities in Crimea and eastern Ukraine, the Russians are widely blamed for the cyberattacks on the Ukrainian power grid.
On December 23rd, 2015 at midnight, three power companies were attacked in the Ukraine. About 230,000 customers were left without power for up to 6 hours.
Experts later claim that the same malicious software that infected Ukrainian grid, BlackEnergy, was also planted American electric companies.
The attacks wouldn’t end with the three Ukrainian power companies. The defense ministry, pension system, railway booking system and treasury were also attacked. All suffered crippling injuries to data.
The attacks on the Ukraine’s electric infrastructure took a few hours to fix. Experts tell us that a more sophisticated attack could potentially cause dangerous power surges that would permanently cripple transformers, something that could take weeks or months to fix.
Homeland Security has already acknowledged that our power grid and electric utilities are under assault. How deeply they have already been penetrated remains to be seen.
Although many of the power utilities now have isolated networks to minimize the vulnerability of Russian and other state sponsored attacks (Russia denies the attacks), these utilities are still quite vulnerable. The newest threat is now coming from the vendors on which power companies rely.
Cyber security experts have been warning about the vulnerabilities in our electric power infrastructure for over a decade. None of this should come as a surprise to power companies. In fact, that is precisely why we are now seeking a power company whistleblower. More on that below.
Duke Power Fined $10 Million
Power utilities and transmission companies are regulated by an alphabet soup of state and federal agencies. These include the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), Pipeline and Hazardous Materials Safety Administration, EPA, DOT, Nuclear Regulatory Commission, OSHA, the FTC, state Public Utility Commissions and state attorney generals. In addition, the several North American power grids also have been given some regulatory authority.
Since 1967, the agency primarily responsible for keeping our power grid safe is NERC. In 2019, NERC sent a proposed settlement and $10 million fine to FERC for approval. NERC didn’t name the utility it was fining for security reasons but it later emerged that the company was Duke Energy.
Regulators allegedly found 127 violations, most related to cyber security and prior hacking events. For security reasons, NERC doesn’t identify the exact nature of the violations. We do know, however, that Duke suffered “repeated failures to implement physical and cyber security protections.”
Considering the company has over $130 billion in assets, $10 million is a small fine.
Power of the Purse to Stop Cyberhacking
We already know that sophisticated cyberhackers could do permanent damage to our power infrastructure. Folks in Ukraine only lost their power for several hours. No one froze to death. Some see that hacking attempt as an early trial run for something much bigger**.
The feds are worried. In June of 2019, FERC released new cybersecurity standards for utilities. The new rules bolster existing reporting requirements of the Critical Infrastructure Protection Reliability Standards.
Reporting hacks is not the same as preventing them.
We suspect now that a major utility has been fined (Duke Energy), fines for poor cyber hygiene will become more frequent.
Whether or not regulators choose to act, however, doesn’t prevent you from acting.
After the Duke Energy fine, at least one law firm launched its own investigation.
Why a law firm?
A company’s officers and directors have a fiduciary duty to shareholders. By not correcting poor cybersecurity practices and by not complying with cyber reporting and prevention regulators, they are putting both customers and investors at risk.
We are always seeking information from insiders with information about significant cyber security violations or safety issues. We can’t pay you for the information and you may not qualify for an award. But we can help put an end to the problem. [And we can probably do so anonymously.]
Whistleblower Reward for a Power Company Whistleblower? (Cybersecurity Violations)
Most power companies are public companies. If your company has an SEC reporting requirement (most do), failing to disclose known risks is an SEC violation. A power company whistleblower can earn significant rewards from the Securities and Exchange Commission for their information.
Why Become a Power Company Whistleblower? (Why Stick My Neck Out?)
As already noted above, we can probably keep you anonymous. We don’t make promises in a blog post because every case is different. Call us and we can figure out a way to stop the fraud and perhaps help you collect a reward for your efforts.
The best reason for becoming a power company whistleblower is not always the reward money. Stopping fraud and terrorism is simply the right thing to do!
There is a great line from a Brad Thor novel, I have used it before. “If you don’t meet the barbarians out on the road, they will soon be at your gates. And once at your gates, be they Islamic terrorists or Russian soldiers, they would soon be inside.”
We aren’t expecting barbarians and Russian soldiers coming across our borders. The next war is likely to be a cyber war. And already suspected Russian, North Korean, Chinese and Iranian hackers are testing our defenses. It may not be state actors that launch an attack. Many groups such as ISIS also hate the United States and all it stands for.
As our society becomes more complex and technology driven, we in turn become more dependent on our electric utility infrastructure. That makes us especially vulnerable to an attack on our power grid. If you have inside information about companies that fail to defend our infrastructure, give us a call.
For more information contact us online, by email or phone . All inquiries are protected by the attorney – client privilege and kept confidential. Want to learn more about the SEC whistleblower process, visit our SEC whistleblower and Cybersecurity / Cyberhacking pages.
**Less than one week after writing this post, much of Manhattan was plunged into darkness by a massive power outage.
Yes, power outages happen and usually there is a mundane reason for the failure such as storms or equipment failure. New York’s ConEd is claiming July 12’s outage was caused by a manhole fire on the Upper West Side of Manhattan.
I certainly am not a conspiracy theorist but the date and even the hour of the blackout corresponds to the 42nd anniversary of New York’s 1977 blackout. Coincidence? Maybe.
Once again, if you have information about unreported hacks or vulnerabilities to our infrastructure, contact us.