Did PG&E lose control of confidential information?


Numerous news reports, citing the Wall Street Journal, identify Pacific Gas & Electric as the utility fined by federal regulators over a data breach in which it lost control of confidential information for more than two months.

The San Francisco-based utility agreed to a $2.7 million fine first announced by the North American Electric Reliability Corp. in February. PG&E was not named in the NERC announcement but was later identified by a non-profit group, according to the Wall Street Journal piece.

The NERC release says the utility did not confirm or deny the allegations but agreed to the financial penalty. According to those reports, PG&E lost control of more than 30,000 pieces of information, which were exposed on the Internet.

The utility, referred to as an unidentified registered entity (URE) in the NERC statement, was alerted to the breach by a “white hat security researcher” unconnected to the company. A third-party contractor had improperly copied data from the utility’s network to the contractor’s own network, “where it was no longer subject to URE’s visibility or controls.”

“The contractor failed to comply with URE’s information protection programme on which it was trained,” the NERC statement reads. “While the data was on the contractor’s network, a subset of live URE data was accessible online without the need to enter a user ID or password.”

The incident happened in 2016, and the data was left exposed on the internet for close to 70 days, according to reports.

NERC reported that other parties were unlikely to have accessed or downloaded the data, although more detailed system logs would have been required to determine that definitively.
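The question NERC could not settle, whether anyone other than the researcher pulled the data while it sat on the contractor's server, is exactly what web-server access logs answer when they exist and cover the whole exposure window. The following is an added example, not code from the NERC notice, PG&E or the contractor: it walks a constructed Apache/Nginx combined-format access log, assumes the copied data sat under a hypothetical `/export/` path, treats the researcher's IP as known, and reports which other clients actually received file content. Partial-content (206) responses are summed because download tools fetch large files in ranges; HEAD requests and error responses show probing but transfer no data, so they are not counted as downloads.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format. Hypothetical: the NERC notice does not
# describe the contractor's server or its log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed location of the improperly copied data on the contractor's server.
EXPOSED_PREFIX = "/export/"

# Constructed sample traffic, not a real log. 203.0.113.10 plays the
# researcher; 198.51.100.7 a crawler that only sees the directory index;
# 192.0.2.55 an unknown client that pulls a file in two byte ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2016:09:14:02 +0000] "GET /export/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:09:14:05 +0000] "GET /export/substations.csv HTTP/1.1" 200 884213 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2016:02:41:17 +0000] "GET /robots.txt HTTP/1.1" 404 198 "-" "Googlebot/2.1"
198.51.100.7 - - [13/Mar/2016:02:41:18 +0000] "GET /export/ HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
192.0.2.55 - - [20/Apr/2016:18:03:44 +0000] "HEAD /export/substations.csv HTTP/1.1" 200 - "-" "curl/7.47.0"
192.0.2.55 - - [20/Apr/2016:18:03:50 +0000] "GET /export/substations.csv HTTP/1.1" 206 524288 "-" "curl/7.47.0"
192.0.2.55 - - [20/Apr/2016:18:04:01 +0000] "GET /export/substations.csv HTTP/1.1" 206 359925 "-" "curl/7.47.0"
192.0.2.55 - - [20/Apr/2016:18:05:00 +0000] "GET /export/secret.xlsx HTTP/1.1" 403 0 "-" "curl/7.47.0"
"""


def downloads_by_client(log_text, prefix=EXPOSED_PREFIX):
    """Return {client_ip: {path: bytes_served}} for successful body transfers
    (GET answered with 200 or 206) of anything under the exposed prefix.

    206 responses are summed per path so a ranged download of one file shows
    up as one total. HEAD requests, 403/404 and other non-success responses
    are ignored: they are evidence of probing, not of data leaving the host.
    """
    served = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in a real investigation, count and inspect these
        if not m["path"].startswith(prefix):
            continue
        if m["method"] == "GET" and m["status"] in ("200", "206"):
            size = int(m["bytes"]) if m["bytes"] != "-" else 0
            served[m["ip"]][m["path"]] += size
    return {ip: dict(paths) for ip, paths in served.items()}


def third_party_downloaders(log_text, researcher_ips, prefix=EXPOSED_PREFIX):
    """Clients other than the known researcher that received file content
    (not merely the directory index) from under the exposed prefix.

    A non-empty result is evidence that the data went to someone else; an
    empty result only means *this log* recorded no such transfer.
    """
    result = {}
    for ip, paths in downloads_by_client(log_text, prefix).items():
        if ip in researcher_ips:
            continue
        files = {p: n for p, n in paths.items() if p != prefix}
        if files:
            result[ip] = files
    return result


if __name__ == "__main__":
    for ip, files in third_party_downloaders(SAMPLE_LOG, {"203.0.113.10"}).items():
        for path, size in files.items():
            print(f"{ip} received {size} bytes of {path}")
```

On the constructed log this flags 192.0.2.55, whose two 206 responses add up to the full 884,213-byte file, while the crawler that only fetched the index is not reported. The limitation NERC ran into applies here too: a log that covers only part of the roughly 70-day window, a server configured to log only errors, or a front-end proxy that hides client addresses cannot prove that nobody else downloaded the data, which is why an empty result is not the same as a clean bill of health.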

The NERC statement continues: “To recover the exposed data, URE contacted the security researcher and requested that he securely return the data, securely delete all copies of the data from his system, and submit to URE a signed, notarised affidavit confirming that he deleted all copies of the data.”

This report follows recent research by ABI Research finding that smart utilities are not implementing digital security effectively because of cost, resource and time constraints, compounded by the difficulty of adapting cybersecurity to OT environments and a lack of experience and knowledge.

According to ABI, public sector efforts to secure smart utilities have lagged since 2012-2013, despite both power and water utilities reporting advanced threats that exploit ICS.

Michela Menting, research director of digital security at ABI Research, says: “Run-of-the-mill cyberthreats such as ransomware and DDoS attacks are increasingly affecting operators’ cyber-assets, both on the back- and front-end.”

While more than $8 billion will be spent on cybersecurity for power and water grid infrastructure, only a small share will be dedicated to operational technologies and smart systems, the report says.

According to the research, grid modernisation efforts provide the ideal opportunity to design and integrate digital security while adapting existing mechanisms and processes to the OT space.

Parts of this story were originally published by our colleagues at PennWell.