U.S. Power Company Fined $2.7 Million for Security Flaws

According to an electronic filing, an unidentified American power company has reached a settlement to pay a $2.7 million penalty over significant security flaws that could have allowed hackers to gain remote access to their systems.

• By Jessica Davis
• Mar 15, 2018

According to an electronic filing, an unidentified American power company has reached a settlement to pay a $2.7 million penalty over significant security flaws that could have allowed hackers to gain remote access to their systems.

According to a Notice of Penalty filed by the North American Electric Reliability Corporation, power regulators reached a settlement with the unidentified company after a security researcher found that more than 30,000 company records online were accessible without a password or any other protections. The company’s name was not disclosed.

“These violations posed a serious or substantial risk to the reliability of the bulk power station,” the filing says. The data associated with the exposure affected critical assets, including systems that control access to the unnamed company’s “control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores [critical cyber asset] information.”

According to the filing, the data included usernames and “cryptographic information” of those usernames and passwords, and was exposed online for 70 days.

“Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords,” the filing said. “A malicious attacker could use this information to breach the secure infrastructure and access the internal [critical cyber assets] by jumping from host to host within the network.”

The $2.7 million penalty is pending approval of the Federal Energy Regulatory Commission.