NERC and power company reach settlement on violations of cybersecurity standards

Eversheds Sutherland (US) LLP

With increased awareness of the urgent threat that cybersecurity failures pose to critical infrastructure, regulators have been stepping up their enforcement efforts, particularly against those entities that fail to establish and implement sufficient precautions against breaches. Those precautions should include proactive oversight of vendors that have access to sensitive data and electronic systems.

Recently, a power company agreed to pay a $2.7 million penalty for violations of Critical Infrastructure Protection (CIP) requirements enforced by the North American Electric Reliability Corporation (NERC). These violations arose as a result of an online exposure of the company’s data due to a third-party vendor’s mishandling of the data, resulting in unrestricted, third-party access to 30,000 asset records, including records associated with Critical Cyber Assets (CCAs).

The violation also highlights the need for regimented, proactive supply chain management, particularly when vendors have access to a company’s network. NERC’s “Notice of Penalty” filed with the Federal Energy Regulatory Commission (FERC), which does not name the company, explains that the vendor copied sensitive data from the regulated entity’s network to its own network, thereby removing those files from the regulated entity’s network controls. According to the filing, a subset of that data, containing thousands of records and potentially including live IP addresses and host names for CCAs, then remained unsecured and publicly accessible from the vendor’s network for approximately 70 days, and system logs showed unauthorized access to the data during that period.

The Notice of Penalty specifies two violations of CIP-003-3[1] against the regulated entity. NERC concluded that the regulated entity failed to adequately implement the required information protection program. Specifically, NERC determined that the regulated entity failed to properly classify the information with the appropriate sensitivity level, and that the regulated entity failed to manage access to the information because it did not ensure that the vendor protected the sensitive information after the data was improperly copied from the regulated entity’s network.

NERC focused on the gravity of the breach, not only because the exposed information could have enabled physical and remote access to the company’s systems, but also because it threatened the reliability of the bulk power system as a whole. NERC concluded that access to the publicly available usernames and passwords could have allowed an attacker to “login to the CCAs” and move from host to host within the network, and that a malicious actor with such access could “install an application that can cause potential harm in the future.”

The Notice of Penalty explains that the regulated entity has taken mitigation steps to ensure the violations do not recur. As reported in the Notice of Penalty, these steps include, among other things, requiring the vendor to shut down its software development server, ending the vendor’s access to the data, performing multiple forensic analyses to verify the extent of the access to the data, removing vendor access to the asset management database, implementing a new process by which an employee controls access to the data, and improving controls for vendor management.

FERC has 30 days to review the proposed penalty, after which the penalty will become effective, absent any action from FERC otherwise.

This incident highlights the need for effective supply chain management, particularly where vendors are granted access to a company’s network. Although arising in the context of NERC’s CIP standards, the lessons learned are much broader and apply to all companies that rely on granting vendors access to systems and data. A robust information protection program, coupled with rigorous and timely auditing of compliance with the program’s requirements, can help prevent the type of unauthorized access that is the subject of the Notice of Penalty in this case.


[1] CIP-003-3 has been replaced, as of July 2016, by CIP-011-2, which contains largely identical requirements for the protection of sensitive cybersecurity-related information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
