Power Company Fined for Contractor Copying Data to its Own Insecure Network

Robinson+Cole Data Privacy + Security Insider
Contact

Vendor management continues to be a problem for all industries, but some are scarier than others.

The North American Electric Reliability Corp. (NERC) recently provided notice to the Federal Energy Regulatory Commission that an unidentified power company has reached a settlement with the Western Electricity Coordinating Council for $2.7 million to resolve two violations of NERC’s critical infrastructure protection standards.

The settlement stems from a violation that a third-party contractor of the power company copied critical infrastructure data to its own insecure network. While on the third party’s network, it could be accessed without a user name or password. Some of the records included the power company’s critical cyber assets, IP addresses and host names. According to the notice, the critical cyber assets included “servers that store user data, systems that control access with the power company’s control centers and substations, and a supervisory control and data acquisition system that stores critical cyber information.” The data was exposed for 70 days.

Although the exposure was detected by a white hat security researcher, the notice stated that “there is no reasonable assurance that during the time the data was exposed on the internet, it was not already used by a malicious actor—or collected by such an actor—to access…the network and install an application that can cause potential harm in the future.” 

The power company agreed to implement a mitigation plan.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Robinson+Cole Data Privacy + Security Insider

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide