
A US-based power company has agreed to pay a $2.7 million penalty after inadvertently exposing sensitive data online and violating energy industry cybersecurity standards.

According to an electronic filing by the North American Electric Reliability Corporation (NERC) on Feb. 28, the unnamed utility reached the settlement with power regulators while neither admitting nor denying the violations.

The notice filed with the Federal Energy Regulatory Commission (FERC) states that the power company received a report from a security researcher who had discovered more than 30,000 asset records online, including information such as IP addresses and server host names.

“The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords,” read the notice.

According to NERC, the security oversight could have helped hackers gain access to the power provider’s systems:

“Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s [Unidentified Registered Entity] systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs [Critical Cyber Assets] by jumping from host to host within the network.”

The notice also listed additional remedies and actions agreed upon by the entity to mitigate the violations and facilitate future compliance.

Such steps included shutting down the software development server to end the data exposure, performing various forensic analyses, changing access controls on the database, and improving security controls, among other activities.

The penalty is set to become final 31 days after the notice was published unless FERC decides to review it.

If approved, the multimillion-dollar fine would be the largest ever in the energy industry for a violation of cybersecurity compliance regulations.

  • sailfishman

    While this may be the largest fine to date, the article fails to state that there have been other multi-million-dollar penalties for the same/similar violations in 2017, 2016 and 2015. The article also fails to mention that government entities such as TVA, Salt River and others regularly fail their cyber-related audits without a single fine being levied because NERC/FERC are not permitted to fine a government agency. In almost all the cases where an entity like TVA or Salt River fails its audits, it fails them completely because it knows there is no repercussion to worry about: no one loses their job, no one is held accountable/responsible.
