PG&E Identified As Utility That Lost Control of Confidential Information

As a result of 2016 failure, 30,000 records about PG&E’s cyber assets were exposed on the internet. PG&E Identified As Utility That Lost Control of Confidential Information

San Francisco-based PG&E Corp. was identified Friday as the large utility that authorities had fined in May for losing control of a database with confidential information about its systems and leaving it exposed on the internet for 70 days.

The breach happened in 2016 and, until this week, the Federal Energy Regulatory Commission had declined to identify the utility that it fined $2.7 million earlier this year, a small amount compared with a potential fine of as much as $140 million.

Heavily redacted documents released Friday showed correspondence among regulators related to the incident, which referenced PG&E, but they provided no additional details. However, other previously available documents provided information about the incident, so together they show how PG&E’s systems were exposed.

In a written statement, PG&E said that “once we learned of the exposure, we communicated proactively with the appropriate government agencies and regulators and have since worked with them on corrective actions.”

It added that its cybersecurity measures are “robust and consistent with the best practices being employed in the industry.”

PG&E’s identity was revealed because of a Freedom of Information Act request filed to FERC by Secure the Grid Coalition, a nonprofit group focused on critical infrastructure protection. Michael Mabee, a New Hampshire representative of the group, said he petitioned for the information, because he thought it was “disturbing and wrong” for federal officials to protect a utility whose actions endangered the public.

As a result of the failure, 30,000 records about PG&E’s cyber assets were exposed to the internet—without password protection—at a time when authorities have said Russian agents were trying to gain access to U.S. energy companies.

An investigation into the data breach by the North American Electric Reliability Corp. and a related organization found that an unnamed vendor hired by PG&E to assist with an asset-management program downloaded records from a cyber-asset database to his own computer—without the utility’s permission and in violation of company policy—then left it exposed to the internet until it was brought to PG&E’s attention by an internet-security researcher.

The records included information on systems that control physical as well as remote access to the utility’s control centers and electrical substations as well as the utility’s system that regulates electricity flows.

It also included usernames for more than 100 people with network access and “hashed” passwords that could have been cracked by a skilled adversary to garner actual log-in credentials, according to an investigation by federal authorities.

Federal investigators said they don’t know who may have accessed the data but said there was evidence others had found it. An investigative report said there was “residual risk” that malicious actors established a foothold in PG&E’s networks and could be positioned to cause harm in the future.

PG&E owns power plants, natural gas pipelines, a nuclear generating station and electric power lines that are vital to California and the western power grid. It furnishes electricity to nearly one in 20 Americans.

Utilities have been subject to cybersecurity rules for a decade. They require utilities to secure sensitive information to prevent unauthorized access.

California’s chief utility regulator attempted to confirm that PG&E was the unidentified utility fined by FERC in May but was rebuffed. Recent laws have given federal authorities more ability to keep information from state officials. “We’re all wrestling with it,” said Michael Picker, president of the California Public Utilities Commission.

The Securities and Exchange Commission recently warned public companies that they must improve their cyber disclosures, noting that cyber breaches “pose grave threats to investors, our capital markets and our country.”

It doesn’t appear that PG&E disclosed the event in its SEC filings.