Feds Hit Energy Provider with Security Fine

Thursday, March 15, 2018 @ 04:03 PM gHale

An U.S. energy firm whose identity was not immediately available was hit with a $2.7 million fine over a data security incident.

That incident led to exposing critical cyber assets.

Feds Alert on Russian Cyber Activity Targeting ICS
Hacking Robots with Ease
Siemens, Partners Ink Cybersecurity Charter
Safety System Attack: Plan to Wake Up Industry

This unnamed power company agreed to pay the penalty and take action to avoid future leaks, said officials at the North American Electric Reliability Corporation (NERC).

The affected entity has not been named, but the penalty notice published by NERC provides some details about the incident and clarifies that while the energy firm agreed to pay the fine, it neither admitted nor denied violating Critical Infrastructure Protection (CIP) NERC reliability standards.

NERC provided a summary table identifying each violation of a Reliability Standard resolved by the Settlement Agreement.
Graphic by NERC

The penalty notice read:

“The North American Electric Reliability Corporation (NERC) hereby provides this Notice of Penalty regarding noncompliance by an Unidentified Registered Entity (URE) in accordance with the Federal Energy Regulatory Commission’s (Commission or FERC) rules, regulations, and orders, as well as NERC’s Rules of Procedure including Appendix 4C (NERC Compliance Monitoring and Enforcement Program (CMEP)).

“NERC is filing this Notice of Penalty, with information and details regarding the nature and resolution of the violations, with the Commission because Western Electricity Coordinating Council (WECC) and URE have entered into a Settlement Agreement to resolve all outstanding issues arising from WECC’s determination and findings of two violations of the Critical Infrastructure Protection (CIP) NERC Reliability Standards.

“According to the Settlement Agreement, URE neither admits nor denies the violations, but has agreed to the assessed penalty of two million seven hundred thousand dollars ($2,700,000), in addition to other remedies and actions to mitigate the instant violations and facilitate future compliance under the terms and conditions of the Settlement Agreement.”

The incident, which has been assigned a risk rating of “serious,” involved a third-party contractor that improperly copied data from the energy firm to its own network. Despite receiving training, the contractor failed to comply with the company’s information protection program.

A security researcher found the contractor allowed anyone to access the data without a username or password. According to NERC, more than 30,000 records were exposed, including critical cyber assets (CCAs), IP addresses, and server host names. The information was available online for 70 days.

URE submitted identical mitigation plans to address the referenced violations. To mitigate these violations, URE:
• Required the vendor to shut down their software development server, thereby ending the data exposure
• Performed three different forensic analyses to verify that only the security researcher accessed the data during the time of the exposure
• Required the security researcher to provide the data to the IT department, delete the data from his computer, and attest in an affidavit that these items were complete
• Removed vendor access to the asset management database in the datacenter. To allow vendors to perform development work on projects, URE implemented a process whereby an authorized URE employee must copy the source code from the asset management database and securely transfer it to the software development vendor. Upon work completion, the vendor would then securely transfer the new version of code to an authorized URE employee who would load it back onto the asset management database
• Changed access controls to the database. URE also deployed a suite program to provide policies and controls to prevent confidential-Bulk Electric System (BES) Cyber System Information or restricted-BES Cyber System Information classified emails and attachments from being sent to outside email addresses
• Improved security controls for vendor management by requiring vendors to take information security and privacy awareness training annually, implementing a new vendor remote access platform, and enhancing policies, background checks, and contract language for vendor employees
• Classified all BES Cyber System Information for both production and non-production assets

Leave a Reply

You must be logged in to post a comment.