Local

Power grid attack: Duke Energy previously fined for security violations, report alleges

MOORE COUNTY, N.C. — Amid a power grid attack in North Carolina, Channel 9 has uncovered a report alleging Duke Energy was fined $10 million over security violations in the past decade.

Two substations in Moore County were attacked Saturday night, leaving families, businesses and schools in the dark for days.

A Duke spokesperson gave an update on the company’s restoration efforts in a news conference Wednesday afternoon, saying only 1,200 people were still without power, down from a initial estimate of 45,000 customers. Power is expected to be fully restored by Wednesday night.

The FBI is still working to figure out who carried out the attack, and leaders have offered a reward totaling $75,000 for information.

Channel 9 investigative reporter Madison Carter has been digging through information in this case and uncovered a report alleging that in the past decade, Duke Energy was fined $10 million for more than 100 security violations.

But did security improve prior to the substation attacks over the weekend? It’s hard to say.

The report is a 250-page heavily redacted document about an unnamed utility company from the North American Electric Reliability Corporation, or NERC -- a nonprofit regulatory agency. It details more than 100 violations that were uncovered by inspectors or self-reported between 2015 and 2018.

Two weeks after the report came out in 2019, Energywire, an industry magazine, named Duke Energy as the violator, citing sources.

Madison Carter spoke with Michael Mabee, a power grid watchdog.

“This is the only regulatory regime in the United States that I know of where we protect the name,” Mabee said. “The government protects the names of the violators of cybersecurity and physical security standards.”

Mabee has sued the federal government several times over power grid vulnerabilities and lack of transparency.

READ MORE:

“A physical attack against the electric grid does not take a high level of sophistication,” he said.

Data from the Department of Energy show there have been at least 900 physical attacks on the U.S. power grid since 2010. 107 of those happened this year.

“So this is not a hypothetical threat,” Mabee said. “This is a threat that’s been happening for years and is continuing to happen now.”

The security standards were written by the power companies themselves, and the feds leave it up to companies to decide what that security looks like.

“The standard only literally requires that they have a notebook entitled physical security with some certain papers in it,” Mabee said.

A Duke spokesperson emailed a statement to Carter, saying, “I can tell you that Duke Energy employs a robust physical defense system that meets – and exceeds – industry best practices. We also monitor and meet all industry standards for protecting critical infrastructure and deploy additional security measures when appropriate.”

But as far as our questions about the settlement and whether they’ve implemented security upgrades since being named as the alleged violator, we’ve gotten no response at all.

How is Duke Energy making sure this doesn’t happen again?

While many are desperate for answers about who committed the attack, Channel 9 is digging into whether the energy you pay for is being protected properly, and what Duke Energy is doing to make sure it doesn’t happen again.

A man who used to oversee energy reliability at the highest level in our nation is asking similar questions.

One of the most notorious substation attacks happened while Jon Wellinghoff was the chairman of the Federal Energy Regulatory Committee back in 2013. That’s when two people used rifles to shoot up a substation in San Jose, California.

He said there are “gaps” in security standards that make it so there are no baseline requirements for companies to keep your power safe in many cases. He said that gap won’t be closed unless the public forces companies to act.

“Until consumers step up and ultimately demand that both state and federal governments require that there be certain prescriptive standards to protect these substations. And that hasn’t been done yet,” Wellinghoff said.

And while Duke Energy has refused to answer our questions about what specific actions they took to heed power grid attack warnings, on Wednesday, a spokesperson said the company has prepared for an attack like this.

“This was one of the scenarios that we planned for, and what we’re seeing is the response based on our preps for that and take learnings from this event,” said Duke’s Jeff Brooks.

As the law reads now, many companies are not required to share that planning he mentioned or security measures with anyone -- not Channel 9, or even law enforcement.

(WATCH BELOW: FBI investigating power grid attack in Moore County, sheriff says)

Madison Carter

Madison Carter, wsoctv.com

Madison is an investigative reporter and anchor for Channel 9.