PG&E Identified as Utility That Lost Control of Confidential Information -- Update
August 24 2018 - 6:05PM
Dow Jones News
By Rebecca Smith
San Francisco-based PG&E Corp. was identified Friday as the
large utility that authorities had fined in May for losing control
of a database with confidential information about its systems and
leaving it exposed to the internet for 70 days.
The breach happened in 2016 and, until this week, the Federal
Energy Regulatory Commission had declined to identify the utility
that it fined $2.7 million earlier this year, a small amount
compared with a potential fine of as much as $140 million.
Heavily redacted documents released Friday showed correspondence
among regulators related to the incident, which referenced
PG&E, but they provided no additional details. However, other
previously available documents provided information about the
incident, so together they show how PG&E's systems were
exposed.
In a written statement, PG&E said that "once we learned of
the exposure, we communicated proactively with the appropriate
government agencies and regulators and have since worked with them
on corrective actions."
It added that its cybersecurity measures are "robust and
consistent with the best practices being employed in the
industry."
PG&E's identity was revealed because of a Freedom of
Information Act request filed to FERC by Secure the Grid Coalition,
a nonprofit group focused on critical infrastructure protection.
Michael Mabee, a New Hampshire representative of the group, said he
petitioned for the information, because he thought it was
"disturbing and wrong" for federal officials to protect a utility
whose actions endangered the public.
As a result of the failure, 30,000 records about PG&E's
cyber assets were exposed to the internet -- without password
protection -- at a time when authorities have said Russian agents
were trying to gain access to U.S. energy companies.
An investigation into the data breach by the North American
Electric Reliability Corp. and a related organization found that an
unnamed vendor hired by PG&E to assist with an asset-management
program downloaded records from a cyber-asset database to his own
computer -- without the utility's permission and in violation of
company policy -- then left it exposed to the internet until it was
brought to PG&E's attention by an internet-security
researcher.
The records included information on systems that control
physical as well as remote access to the utility's control centers
and electrical substations as well as the utility's system that
regulates electricity flows.
It also included usernames for more than 100 people with network
access and "hashed" passwords that could have been cracked by a
skilled adversary to garner actual log-in credentials, according to
an investigation by federal authorities.
Federal investigators said they don't know who may have accessed
the data but said there was evidence others had found it. An
investigative report said there was "residual risk" that malicious
actors established a foothold in PG&E's networks and could be
positioned to cause harm in the future.
PG&E owns power plants, natural gas pipelines, a nuclear
generating station and electric power lines that are vital to
California and the western power grid. It furnishes electricity to
nearly one in 20 Americans.
Utilities have been subject to cybersecurity rules for a decade.
They require utilities to secure sensitive information to prevent
unauthorized access.
California's chief utility regulator attempted to confirm that
PG&E was the unidentified utility fined by FERC in May but was
rebuffed. Recent laws have given federal authorities more ability
to keep information from state officials. "We're all wrestling with
it," said Michael Picker, president of the California Public
Utilities Commission.
The Securities and Exchange Commission recently warned public
companies that they must improve their cyber disclosures, noting
that cyber breaches "pose grave threats to investors, our capital
markets and our country."
It doesn't appear that PG&E disclosed the event in its SEC
filings.
Write to Rebecca Smith at rebecca.smith@wsj.com
(END) Dow Jones Newswires
August 24, 2018 17:50 ET (21:50 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.
PG&E (NYSE:PCG)
Historical Stock Chart
From May 2024 to Jun 2024
PG&E (NYSE:PCG)
Historical Stock Chart
From Jun 2023 to Jun 2024