NERC fines utility $2.7 million for cyber breach

Friday, March 9, 2018

The electric reliability organization responsible for the grid spanning much of North America has penalized an unidentified utility $2.7 million for its violations of mandatory reliability standards in connection with a data security breach. The penalty may be the largest fine to date associated with U.S. utility cybersecurity regulation.

NERC, or the North American Electric Reliability Corporation, is charged by U.S. law with ensuring the reliability of the nation's bulk power system. NERC establishes reliability standards for the bulk electric system, which are approved by the Federal Energy Regulatory Commission, and takes action to monitor and enforce compliance with its reliability standards.

On February 28, 2018, NERC filed with the Commission a Notice of Penalty regarding what it described as noncompliance by an "Unidentified Registered Entity (URE)", following a settlement between the anonymous utility and regional reliability group Western Electricity Coordinating Council (WECC).

Some of the details of the underlying fact pattern are protected from public disclosure as Critical Energy Infrastructure Information or CEII. But NERC's public filing says the settlement arose from WECC's determination and findings that the anonymous utility violated two of NERC's Critical Infrastructure Protection or CIP cybersecurity standards. According to NERC's report, the utility received a report that an outside "white hat security researcher" had found data publicly available online which appeared to be protected information associated with the utility.

Following this tipoff, an investigation by the utility and regional reliability group WECC revealed that a third-party contractor hired by the utility had copied data from the utility's network environment to the contractor's network environment, where it was no longer subject to the utility's visibility or control -- in violation of the contractor's authority. While the data was on the contractor's network, a subset of live utility data including over 30,000 records was accessible online without the need to enter a user ID or password for a period of 70 days. These records included some associated with the utility's Critical Cyber Assets, such as servers storing user data, systems controlling physical access within the utility's control centers and substations, and supervisory control and data acquisition or SCADA systems. System logs showed unauthorized access to this data set by both the white hat researcher and unidentified IP addresses.

According to the Settlement Agreement, the anonymous utility neither admitted nor denied the violations, but agreed to pay a $2,700,000 penalty and take other compliance actions. This may represent the largest fine to date for violations of NERC's CIP standards. While federal penalty policy encourages self-reporting of violations and having an internal compliance program in place -- as the anonymous utility did -- the settlement notes that the utility "was not fully transparent and forthcoming with all pertinent information detailing the data exposed in the incident." In particular, the settlement says the utility did not initially provide WECC with all the data fields exposed in the incident. These factors, combined with a finding that the violations posed a serious and substantial risk to the reliability of the bulk power system, led WECC to set the penalty amount at $2.7 million, which NERC subsequently approved.

By federal rule, the penalty will be effective upon expiration of the 30-day period following the penalty notice's filing with the Federal Energy Regulatory Commission or, if FERC decides to review the penalty, upon final determination by FERC.
