Duke Energy battles to fend off cyberattacks

The country's largest electricity company is on alert for cyberattacks that aim to hamper the critical flow of power and is listening to U.S. intelligence agencies about potential threats, the Duke Energy Corp. executive heading electronic protection efforts said.

Duke Energy manages dams, nuclear power plants and other types of electricity-generating plants — three of the 16 types of infrastructure critical to American life that the U.S. is focused on protecting from criminal hackers and hostile governments. As the power supplier to more than 7 million customers in six Southeast and Midwest states—including about 810,000 customers in Indiana—the utility's computer systems are under constant attack, Duke Energy Executive Vice President A.R. Mullinax said.

Mullinax said he carries a U.S. government "secret" clearance that allows him to be briefed by the FBI and other security agencies about threats to the power grid that runs everything from corporate data networks to household refrigerators.

While power companies share information among themselves, the company's Charlotte hometown also is one of dozens of cities with a chapter of InfraGard, a business partnership with the FBI to share information and prevent hostile acts.

"FBI is actually a great resource," Mullinax said in an interview last week on the sidelines of a cybersecurity conference that included members of the FBI, Secret Service and Department of Homeland Security offering tips to business leaders. "They don't necessarily share classified information with us, but they can say we're seeing things that would cause you to take this action."

About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter told The Associated Press. It's believed businesses are hacked much more frequently than is reported and the secret is kept successfully.

Utilities regulators in North Carolina and South Carolina haven't required that electric utilities in their states improve preparedness against a cyberattack or set regulations on how much they should invest to keep online systems safe, officials said. But Duke Energy knows the stakes, Mullinax said.

"I don't want to incite panic, but we're very cognizant that the cyberthreats are real," he said. "We're constantly working to advance our network and how we ensure the integrity of our network."

Information about how companies and the government respond to hacks is often protected and sometimes classified, making it hard to know how well power companies are defending against cyberattacks. Violation records kept by regional enforcement agencies are scrubbed of information identifying utilities and other users, owners, and operators of the grid.

There were more than 500 alleged violations of cybersecurity rules between mid-2008 and last month in the 16 Southern and Midwest states managed by Charlotte-based SERC Reliability Corp., which monitors electric-grid reliability standards. Most were judged to be minimal or moderate risks to the power grid, but more than a dozen were deemed serious.

One organization failed to keep up with software patches for most of its connected devices, and auditors found further shortcomings, a report said. The unnamed entity agreed in February to a $70,000 penalty while neither admitting nor denying a dozen cybersecurity violations, according to SERC documents.

Another organization failed to test cybersecurity controls before deploying them, according to a letter in which it agreed last December to pay $120,000 to settle 21 violations, SERC documents showed.