Image

“Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s [Unidentified Registered Entity] systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs [Critical Cyber Assets] by jumping from host to host within the network.”The notice also listed additional remedies and actions agreed upon by the entity to mitigate the violations and facilitate future compliance. Such steps included shutting down its software development server to end the data exposure, performing various forensic analyses, changing access controls to the database, and improving security controls, among other activities. The penalty is set to become final 31 days after the notice was published unless FERC decides to review it. If approved, the multimillion-dollar fine would be the largest-ever in the energy industry involving compliance with cybersecurity regulations.