The North American Electric Reliability Corporation (NERC) has fined an unnamed power company $2.7 million for unwittingly exposing critical cybersecurity data that could have allowed hackers to gain access to its systems, according to a notice recently filed with the Federal Energy Regulatory Commission. NERC, which oversees the reliability of the U.S. bulk power system, said in a February 28, 2018 Notice of Penalty that the unidentified power company had reached a settlement with the Western Electricity Coordinating Council (WECC), which handles grid reliability for the Western Interconnection.
Specifically, a third-party contractor to the utility exceeded its authorized access by improperly copying certain data from the utility's network environment to the contractor's network environment, where it was no longer subject to the utility's visibility or controls. The contractor failed to comply with the utility's information protection program, on which it had been trained. While the data resided on the contractor's network, a subset of live data was accessible online without any requirement to enter a user ID or password. WECC determined that the utility had failed to adequately implement its program to identify, classify, and protect information associated with critical cyber assets, as required by Reliability Standard CIP-003-3 R4, and had also failed to adequately implement a program for managing access to protected information related to critical cyber assets, as required by Reliability Standard CIP-003-3 R5.