Case 4. The Electric Reliability Council of Texas (ERCOT)
By Elizabeth Bennett | Posted 2006-06-07
Using "shadow companies" with puppet CEOs and inflated or bogus invoices, a number of I.T. managers stand accused of ripping off their employers—in some instances, for tens of millions of dollars or more. The scam? It's called procurement
Case #4: The Electric Reliability Council of Texas (ERCOT)
The Target: The Electric Reliability Council of Texas (ERCOT) is the organization entrusted to keep electric power flowing to approximately 20 million Texas customers—representing 85% of the state's electric load and about 75% of Texas' land area.
The Subjects: Kenneth Shoquist, ERCOT's former chief information officer; Stephen Wallace, former program development director; Chris Uranga, ERCOT's ex-director of I.T. operations and corporate security; Chris Douglas, former senior manager, data warehouse; Carlos Luquis, former physical security manager; and John Benito Cavazos, a non-employee contractor.
For an organization such as the Electric Reliability Council of Texas (ERCOT) that puts a premium on security, the November 2002 hiring of Kenneth Shoquist as chief information officer seemed like a well-considered move. As it turned out, however, the company could have made a better choice, given the outcome of his tenure.
Founded in 1970, ERCOT, based in Taylor, Texas, is an independent, third-party, not-for-profit organization responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid. ERCOT's staff grew from 50 employees in January 2000 to more than 400 employees in September 2004.
As such, in a post-Sept. 11 world, its job is to safeguard the state's electric grid from everything from hurricanes to cyberthreats and terrorists. To this end, the company frequently conducts security reviews and drills with a number of outside organizations, including the U.S. Department of Homeland Security and the Public Utility Commission of Texas.
Shoquist, who reported directly to ERCOT's then-CEO, Tom Noel, seemingly put a premium on security from the outset. Shoquist was a veteran technology executive; he had served as the CIO of Dell Financial Services, Dell's financial arm, and worked at major companies including MasterCard International and Texas Instruments, according to the news release ERCOT issued when it hired him on Nov. 19, 2003. Shoquist soon began beefing up ERCOT's internal security capabilities with new hires, experienced men with whom he had worked before. Two months after signing on with ERCOT, Shoquist hired Stephen Wallace—a longtime friend, according to the Texas Attorney General's office—as program development director to oversee ERCOT's multi-million-dollar annual program budget. He also brought in Chris Uranga as director of corporate security and information-technology operations, the Texas AG's office said. According to the AG's office, Shoquist also hired Chris Douglas to serve as senior manager for data warehouse and security while putting Carlos Luquis, a former FBI agent, in charge of ERCOT's physical security.
As The Dallas Morning News was the first to report, these men all had links to Shoquist and to one another. Uranga, Douglas and Wallace, for instance, had worked at both Dell and EDS under Shoquist. Uranga and Luquis had also served together as Navy cryptologists in Japan, held top-secret government security clearances and had performed work for the National Security Agency (NSA).
With his hiring out of the way, Shoquist brought in a computer services company, DSS Group, to provide I.T. services and consulting, according to the Attorney General's office. A month later, in March 2003, ERCOT signed with another consultancy called ECT Global Solutions to evaluate ERCOT's security, the AG's office states. Soon after, the company also signed security-related contracts with Tri Force Security and Cyberensics, the AG's office states. "Security, ever since 9/11, has been center stage [at ERCOT]," Shoquist told a reporter from Public Utilities Fortnightly in an October 2003 interview. He and Uranga also made regular presentations to the ERCOT board, updating them on progress in securing the state electric grid and ERCOT's computer systems.
For ERCOT, which then had a $133 million budget, the cost for these efforts was substantial—far more so than the ERCOT board or its CEO were aware. The San Antonio-based DSS Group, for example, sent ERCOT 13 invoices totaling nearly a million dollars, according to the Texas Attorney General's office, for work that for the most part was never performed. The only person who actually worked on the ERCOT account on behalf of DSS was a nephew of Wallace, says the Attorney General's office.
DSS proved to be a shell company, the Attorney General's office discovered, headed by a San Antonio stage actor and private contractor named John Benito Cavazos and allegedly run by Stephen Wallace. Cavazos would submit invoices for work that had never been done to Shoquist, who approved them in exchange for part of the fee. In the space of a little less than a year, Shoquist's take amounted to $220,000 while Wallace allegedly cleared $800,000, according to the AG's office.
Meanwhile, Uranga, Douglas and Luquis were allegedly raking in illicit funds as well through contracts with ECT, Cyberensics and Tri Force Security, which, like DSS, were allegedly shadow companies headed by what the Attorney General's office would later call "puppet presidents." Each of the companies billed ERCOT hundreds of thousands of dollars for work that was never done and equipment that was never delivered, the Attorney General's office charges. In one instance, Uranga charged his employer for the services of a consultant who had died long before. In less than a year, Uranga and Douglas each allegedly misappropriated more than $300,000, while Luquis's alleged take topped $100,000.
Shoquist and Wallace allegedly signed and approved the contracts with DSS; Luquis and Douglas allegedly signed and approved contracts and payments with Cyberensics; and Uranga signed and approved invoices from ECT and Tri Force, says the AG's office.
Emboldened by their success, some of the men, who were paid between $80,000 and $120,000 at ERCOT, allegedly began living large, buying expensive cars, luxury homes on golf courses and even yachts. "Fellow employees sometimes wondered how they were able to afford expensive houses and expensive cars," Texas Attorney General Greg Abbott said in a Jan. 28, 2005, news conference.
Still, Shoquist and the others might never have been apprehended had it not been for several whistle-blowers within ERCOT.
Beginning in late 2004, these employees e-mailed members of the Texas Public Utilities Commission (PUC) and Randy Chapman, executive director of the Texas Legal Services Center, with numerous allegations concerning Shoquist and the others, Chapman says. The first reaction was shock, says one of the recipients, Paul Hudson, chairman of the Texas PUC: "The second was concern about the systems' vulnerability based on the materials that we had received." There was ample reason for concern. Most of the so-called security work that had supposedly gone into protecting ERCOT over the previous year was as shadowy as the companies that provided it.
Resolution: When the whistle-blowers initially surfaced with their anonymous e-mails, ERCOT's reaction was to attack the messengers and ignore the message. In November 2004, it sued two Internet service providers, Yahoo and Time Warner, in the Travis County District Courthouse to force them to reveal the identities of the employees who had leaked information about the fraud. The suits were filed based on ERCOT's claim that the e-mails were defamatory and "solicited ERCOT employees to turn over confidential information to outside entities."
"The lawsuits had a chilling effect at a time when we required absolute openness and accuracy," says Texas PUC chairman Hudson. Within a few days, the Public Utilities Commission and various state politicians convinced ERCOT to drop the lawsuits. At the same time, the PUC held an emergency open meeting to review ERCOT's audit procedures and controls. "It was a sad state of affairs," says Chapman, who met with the ERCOT board. "There were no checks and balances in place. At the time, ERCOT wouldn't even allow a state auditor to come in because they claimed that an outsider would be too intrusive."
As the result of the emergency meeting, a number of reforms were put in effect, including strengthening contracting procedures and putting strong internal controls in place, according to ERCOT chief executive officer Thomas F. Schrader's statements in a company press release. Schrader recently resigned from the company. Law enforcement was notified during the same time frame and began an investigation. On Jan. 29, 2005, a grand jury in Williamson County issued 23 indictments against the former ERCOT managers and one outside contractor, Cavazos.
On Aug. 17, 2005, Chris Uranga pleaded guilty to misapplication of funds and admitted he owes ERCOT $500,000 for illegal profits he obtained. He awaits sentencing and could receive up to 15 years in prison, the Texas Attorney General's office says.
On Dec. 20, 2005, John Benito Cavazos of San Antonio pleaded guilty to misapplication of fiduciary property enhanced to organized criminal activity, a third-degree felony. He returned $8,700 to ERCOT, which is the amount he was illegally paid as a security contractor. He will receive four years of probation or deferred adjudication, according to the Texas Attorney General's office, and will also testify at Luquis's trial.
On April 12, 2006, Chris Douglas pleaded guilty to two charges, one for engaging in organized criminal activity for misapplication of fiduciary property, and one for theft. They are first-degree felonies, and he has also agreed to repay ERCOT more than $500,000 in illegal profits he obtained. Prosecutors have agreed to recommend no more than nine years in prison upon sentencing.
Former chief information officer Kenneth Shoquist pleaded guilty on March 24, 2006, to engaging in organized criminal activity for commercial bribery, and said he received $120,000 in bribes from Wallace. He will be repaying the money prior to his Aug. 1 sentencing. He accepted a plea deal for a nine-year sentence and could be eligible for parole in 2 1/2 years if the judge abides by the plea.
Meanwhile, Wallace and Luquis have opted to go to trial and are contesting their cases. Wallace has a pre-trial hearing scheduled this month. His lawyer, Daniel Castro, did not return Baseline's phone calls. His trial date has not yet been set. Luquis is scheduled to go to trial July 24. His lawyer, Patricia Cummings, has asked to have the indictments against her client dismissed, according to a published newspaper report. She did not return Baseline's phone calls.
Shoquist and the others could not be located, and their lawyers failed to return phone calls in regard to this story.
Of CIO Shoquist, Attorney General Abbott said, "This defendant was the gatekeeper who made the scope of this white-collar crime possible by hiring and enabling the other criminals in the first place. It is safe to say that none of the fraud that occurred at ERCOT would have been possible except for the insider dealing he encouraged."
As procurement fraud becomes increasingly sophisticated, it becomes all the more difficult to ferret out, says LECG's Anastasi. As a result, companies that believe they are being victimized but are not sure—or don't know who might be responsible—sometimes turn to cyber-sleuths, private detectives for the digital age who rely on computer forensics to catch the bad guys.
Recently, Anastasi, who served as the global leader of Deloitte's forensics investigation practice before joining LECG, was called in by a client on such a case. "They suspected their I.T. chief was running some kind of a procurement scam, but they couldn't figure out how he was doing it," he says.
The first thing Anastasi and his investigative team did was deploy SilentRunner as a network forensics tool. "SilentRunner produces this three-dimensional map of your entire system," Anastasi says. "You can see every node on your network."
Using this map of the client's I.T. infrastructure, Anastasi was able to track all of the digital traffic going in and out of the client's system. As it developed, considerable traffic—and client funds—were being transmitted out to several Web sites. These proved to be shell Internet companies that were supposedly providing services to the client, but in actuality were the fictitious creations of someone with the client company. "We knew someone within the company was communicating with these sites by wireless, so we had an investigator go through the client headquarters to see where the transmitter was hidden," he says.
He didn't have to look far. "The transmitter was hidden under the CIO's desk," Anastasi says. "We had him dead to rights."
Unfortunately, however, that is the exception, not the rule. Shane Shook, a colleague of Anastasi's and managing director in LECG's electronic discovery practice, says that at most 40% of procurement fraudsters are nabbed. As Shook explains, "They're getting more sophisticated in the ways they access the systems and cover their tracks."
Electric Reliability Council of Texas (ERCOT) Base Case
Headquarters: 2705 W. Lake Drive, Taylor, TX 76574
Phone: (512) 248-6800
Business: Responsible for overseeing the reliable and safe transmission of electricity over Texas' main electricity power grid.
Chief Executive Officer: None. Thomas F. Schrader had been CEO, but resigned on May 16. The company is seeking to replace him.
Financials: ERCOT is an independent, third-party, not-for-profit organization. Its $126.9 million annual budget is funded by mandatory fees paid by electricity customers or their power providers.
Incident: The company's CIO and four other senior I.T. and security managers, plus one outside contractor, allegedly defrauded ERCOT through shell vendors.