Policy & Regulation

PG&E Fined $2.7M by Feds for Third Party’s Data Breach

Numerous news outlets and websites, citing the Wall Street Journal and other reports, have identified Pacific Gas & Electric as the utility fined by federal regulators for an inadvertent data breach in which PG&E lost control of confidential information that was left online for more than two months.

The San Francisco-based utility agreed to a $2.7 million fine first announced by the North American Electric Reliability Corp. in February. PG&E was not named in the NERC announcement, but later identified by another group, according to the Wall Street Journal piece.

The earlier NERC release says the utility did not confirm or deny the allegations, but agreed to the financial penalty. The utility reportedly lost control of more than 30,000 pieces of information made available on the internet, according to reports.

The utility, called an unidentified registered entity (URE) in the NERC statement, was alerted to the data breach by a “white hat security researcher” who was not part of the company. A third-party contractor apparently had improperly copied data from the utility’s network to the contractor’s network, “where it was no longer subject to the URE’s visibility or controls.”

“The contractor failed to comply with URE’s information protection program on which it was trained,” the NERC statement reads. “While the data was on the contractor’s network, a subset of live URE data was accessible online without the need to enter a user ID or password.”

The incident happened in 2016, and the system data was left exposed on the internet for close to 70 days, according to reports. Several cyber security websites reported on the breach as early as May 2016.

NERC reported that it was unlikely other parties had accessed or downloaded the data, although more detailed system logs would have been required to determine that definitively.

“To recover the exposed data, URE contacted the security researcher and requested that he securely return the data, securely delete all copies of the data from his system, and submit to URE a signed, notarized affidavit confirming that he deleted all copies of the data.”

PG&E released a statement regarding the report and breach.

“Cybersecurity and keeping our data safe and secure is absolutely a top priority for PG&E,” it reads. “We take extensive measures to protect our control systems and data. Once we learned of the exposure, we communicated proactively with the appropriate government agencies and regulators, and have since worked with them on corrective actions. PG&E’s cybersecurity measures are robust and consistent with the best practices being employed in the industry.”

This report follows recent research by ABI Research finding that smart utilities are not implementing digital security effectively, due to cost, resource and time constraints. This is coupled with the challenge of adapting cybersecurity to OT environments, along with a lack of experience and knowledge.

According to ABI, public sector efforts to secure smart utilities have lagged since 2012-2013, despite both power and water utilities reporting advanced threats that exploit ICS.

Michela Menting, research director of digital security, ABI Research, says: “run-of-the-mill cyberthreats such as ransomware and DDoS attacks are increasingly affecting operator’s cyber-assets, both on the back and front-end.”

While more than $8 billion will be spent on cybersecurity for power and water grid infrastructure, only a small amount will be dedicated to operational technologies and smart systems, the report says.

According to the research, grid modernisation efforts provide the ideal opportunity to design and integrate digital security while adapting existing mechanisms and processes to the OT space.

(Part of this story was contributed by Smart Energy International).