Something Seems A Little Fishy In North Carolina
In February 2018, Duke Energy was hit with a $10 million dollar fine from the North American Electric Reliability Corporation (NERC) for cybersecurity violations, this was the highest on record for a utility. Now it seeks to pass along their $137.4 million in capital investments to ratepayers for cybersecurity upgrades. A consumer watchdog association is screaming foul. Essentially the group doesn't think rate payers should have to pay for Duke’s ineptitude. I agree. I would understand it if Duke was seeking recovery after it implemented the program and can show proof of progress, but it appears, they want to recover the money spent without showing proof that anything has improved. Who could actually show proof of improvement after only two months? The procurement process for assets is longer than two months, I couldn’t buy a firewall in less than two months!
If you look at the reason for the fine, it was based on security violations from 2015-2018 regarding critical infrastructure assets. Yes, upgrading all of your critical infrastructure in mass could cost you about $137M. Or $127+$10M to cover the fine. But to try to pass along that cost to ratepayers before you even get the assets is a bold move! NERC should ask for receipts and have some folks do a site visit. It will be interesting to watch how Duke explains that capital investments for their cyber security program has nothing to do with their cyber security critical infrastructure violations. Critical infrastructure is normally a capital expense. Right?