A US-based power company has agreed to pay a $2.7 million penalty after inadvertently exposing sensitive data online and violating energy industry cybersecurity standards.
According to an electronic filing by the North American Electric Reliability Corporation (NERC) on Feb. 28, the unnamed utility reached the settlement with power regulators despite neither admitting nor denying the violations.
The notice made to the Federal Energy Regulatory Commission (FERC) states the power company received a report from a security researcher who had discovered more than 30,000 asset records online, including information such as IP addresses and server host names.
“The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords,” read the notice.
According to NERC, the security oversight could have helped hackers gain access to the power provider’s systems:
“Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s [Unidentified Registered Entity] systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs [Critical Cyber Assets] by jumping from host to host within the network.”
The notice also listed additional remedies and actions agreed upon by the entity to mitigate the violations and facilitate future compliance.
Such steps included shutting down its software development server to end the data exposure, performing various forensic analyses, changing access controls to the database, and improving security controls, among other activities.
The penalty is set to become final 31 days after the notice was published unless FERC decides to review it.
If approved, the multimillion-dollar fine would be the largest-ever in the energy industry involving compliance with cybersecurity regulations.