Last month, the North American Electric Reliability Corporation (“NERC”) approved a settlement agreement between the Western Electricity Coordinating Council (“WECC”) and an unnamed power company that imposed a penalty of $2.7 million on the power company for improper cybersecurity oversight after the company inadvertently allowed critical cyber security data to be exposed online for 70 days.
According to NERC’s Notice of Penalty, the online data exposure was attributed to a third-party contractor who was doing work for the unnamed company. The contractor improperly accessed data from the company’s network and copied that data onto the contractor’s network. While the information was on the contractor’s network it was accessible online to anyone without password protection. The information exposed records of over 30,000 assets, including records associated with Critical Cyber Assets (“CCAs”) such as IP addresses and server host names.
The breach was discovered when a white-hat security researcher found the information on the internet. The unnamed power company then notified WECC, its regulator, of the breach. The data incident ultimately revealed that the power company was in violation of NERC’s Critical Infrastructure Protection (“CIP”) Reliability Standards. WECC found that the power company “failed to implement adequately its program to identify, classify, and protect information associated with CCAs [Critical Cyber Assets]” and failed to “implement adequately a program for managing access to protected information related to CCAs … .”
When determining the penalty to assess on the power company, WECC took into consideration several factors, a few of which worked to the power company’s advantage: (1) that the violations constituted the power company’s first occurrence of violations of the subject NERC Reliability Standards; and (2) that the power company had an internal compliance program at the time of the violations.
The unnamed power company did not admit or deny the allegations, but agreed to the penalty and agreed to take corrective action to mitigate the violation and facilitate future compliance under the terms of the settlement. The penalty will be effective upon expiration of the 30-day period following the filing of NERC’s notice, or upon final determination by the Federal Energy Regulatory Commission.