Access Management , Governance & Risk Management , Identity & Access Management

US Power Company Fined $2.7 Million Over Data Exposure

Grid Regulator Says Company Left Critical Data Exposed for 70 Days
US Power Company Fined $2.7 Million Over Data Exposure

An unnamed U.S. power company has agreed to a record settlement after it was accused of leaving sensitive data exposed online for 70 days in a violation of energy sector cybersecurity regulations.

See Also: Is Cyberstorage the New Paradigm for Data Security?

The $2.7 million settlement agreement was outlined in a Feb. 28 notice from the North American Electric Reliability Corp., or NERC, to Kimberly D. Bose, secretary of the Federal Energy Regulatory Commission. Her agency regulates, monitors and investigates electricity, natural gas, hydropower, oil matters, natural gas pipelines, LNG terminals, hydroelectric dams, electric transmission, energy markets and pricing.

NERC's Feb. 28 letter to FERC, announcing the $2.7 million settlement.

NERC's notice says security problems at the unnamed company resulted in sensitive information remaining internet-exposed for more than two months.

"The data was exposed publicly on the internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords," according to the notice. "Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords."

NERC wrote that it was filing the "notice of penalty" - including information about the flaws and how they have been resolved - after the Western Electricity Coordinating Council and the unnamed company reached a settlement agreement over two violations of the Critical Infrastructure Protection NERC Reliability Standards. The council is one of eight regional entities that NERC has designated to monitor and enforce its standards.

Map showing the Regional Reliability Councils and Interconnections in North America. (Source: Bouchecl, via CC BY-SA 3.0)

At Risk: Control Centers, Substations, SCADA

The published notice, which has been stripped of "non-public and confidential" information, refers to the offending power company only as Unidentified Registered Entity, or URE.

According to the notice, WECC determined that the company failed to comply with the information protection portion of NERC's CIP-003-3 standard for security controls, which "requires that responsible entities have minimum security management controls in place to protect critical cyber assets."

The data, exposed by the company's asset management system, could also have been used to compromise other sensitive systems, NERC said. "These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs [Critical Cyber Assets] associated with the data exposure include servers that store user data, systems that control access within URE's control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA information."

Patrick McBride, vice president at cybersecurity firm Claroty, tells Information Security Media Group: "State-sponsored adversaries have been targeting U.S. and European electric and other industrial companies networks writ large to glean information or gain foothold into the network that can be leveraged when they choose. While the U.S. electric grid, and particularly nuclear power plants, are above-average in their cybersecurity posture, that average for industrial systems is unfortunately quite low. Given the active an ongoing targeting of these systems by determines adversaries, asset owners, like the power company in question, need not make it any easier."

30-Day Review Period

The penalty will become final 31 days after the notice was published, unless FERC chooses to review it.

If finalized, this would be the biggest-ever energy sector fine for violating information security regulations, according to E&E News, which first reported on the proposed fine.

Reached for comment, FERC spokesman Craig Cano says the notice remains under review. "If the commission determines to take further action on a NERC notice of penalty, it may result in a subsequent FERC order or settlement providing more detail," he tells Information Security Media Group. "However, commission investigations are non-public, so if they do not result in an order/settlement the specific details would not be public."

Thus it's not clear if the as-yet-unnamed power company might ever be unmasked.

Who's the Culprit?

But suspicion has fallen on Pacific Gas and Electric, a large electric utility based in California, which was the focus of a May 2016 security alert from information security researcher Chris Vickery.

In a blog post, he reported finding a "publicly exposed database" that "appeared to be PG&E's asset management system," and noted that the company's IT department was trying to claim that the database was fake.

Vickery said the database included sensitive information.

"Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing," he wrote. "We're talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more. This would be a treasure trove for any hostile nation-state hacking group. That's not to mention the 120 hashed employee passwords, or the plaintext NTLM, SOAP, and mail passwords."

The Obama-era Presidential Policy Directive 21, issued in 2013, classified the energy sector - together with communications systems - "as uniquely critical due to the enabling functions they provide across all critical infrastructure sectors."

Extract from the Presidential Policy Directive 21, issued in 2013.

Accordingly, Vickery had said he was attempting to share a copy of the data he'd obtained with the Department of Homeland Security.

PG&E Backtracked: Data Wasn't Fake

In a June 2016 statement, PG&E said that no systems had been breached and blamed the information exposure on a vendor that was developing an asset management platform for the energy firm.

"Our initial review indicated that the data was non-sensitive, mocked-up data," PG&E said. "We based this feedback on an initial response from the vendor stating that the information in the database was demo or 'fake' data. Following further review, we learned that the data was not fake and removed access."

PG&E didn't immediately respond to a question about whether it was the "unidentified registered entity" in the Feb. 28 NERC notice.

Locking Down Assets

Whatever the identity of the energy company that's entered into the settlement agreement, its information exposure resulted from a software development server not being properly locked down. According to FERC's notice, once the organization took the server offline, that corrected the problem. The firm reportedly also conducted three digital forensic analyses to confirm that only an unnamed security researcher had accessed the data, requested that the researcher share all data they had obtained and attest in an affidavit that they had shared the data as well as deleted it from their own systems.

To prevent a recurrence of the problem, the unnamed power provider implemented a new system for handling source code. "To allow vendors to perform development work on projects, URE [unidentified registered entity] implemented a process whereby an authorized URE employee must copy the source code from the asset management database and securely transfer it to the software development vendor," the notice reads. "Upon work completion, the vendor would then securely transfer the new version of code to an authorized URE employee who would load it back onto the asset management database."

The organization also added stronger access controls to the database, in part to prevent "classified emails and attachments from being sent to outside email addresses," according to the notice. Plus, it now requires all of its vendors to take annual information security and privacy awareness training. And it implemented "a new vendor remote access platform, and enhancing policies, background checks, and contract language for vendor employees."

The organization has also begun using data classification to ensure that all information relating to information security gets appropriately designated as such and then protected.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.