San Francisco-based Pacific Gas and Electric Co. (PG&E) acknowledged Monday that it has been taking corrective action following a $2.7 million fine by FERC for a 2016 lapse that left critical confidential information exposed on the internet for more than two months.
The beleaguered combination utility giant was not previously named by the Federal Energy Regulatory Commission when the cybersecurity blunder was first made public. At the time, U.S. intelligence sources were concerned about Russian agents trying to gain access to U.S. energy companies.
A subsequent investigation revealed that an unnamed vendor hired by PG&E had downloaded data to a computer without the utility's permission, in violation of company policy. The vendor eventually left the data exposed on the internet until it was brought to the utility's attention.
"Once we learned of the exposure, we communicated proactively with the appropriate government agencies and regulators, and have since worked with them on corrective actions," said PG&E spokesperson Jason King. The utility's cybersecurity measures, he said, are consistent with "the best practices being employed in the industry," and it has taken extensive measures to protect control systems and data.
In the lapse at PG&E, whose operations include power plants, natural gas pipelines, a nuclear generation plant and electric power lines, the exposed data included information on systems controlling physical as well as remote access to PG&E control centers, electrical substations and systems regulating power flows.
There were also usernames for more than 100 people with network access and "hashed" passwords that could have been cracked by skilled hackers. Federal investigators indicated they don't know who may have accessed the data, but there was evidence that others had found it.
Corrective actions include efforts to weed out any malicious actors that may have established a foothold in PG&E's networks during the exposure period.
In the past five years, federal officials have been increasingly concerned by the vulnerability of the nation's energy infrastructure to cyberattacks. FERC established its cybersecurity office in 2012 during the Obama administration.
In a related development, Rep. Fred Upton (R-MI) said Monday he would begin a series of online discussions regarding proposed House Resolution 5175, aka the Pipeline and Liquefied Natural Gas (LNG) Preparedness Act, which is aimed at providing cybersecurity safeguards to U.S. pipelines and LNG facilities.