Breach Reveal: PG&E Exposed 30,000 Sensitive Records

Previously Unnamed Utility Reached Record $2.7 Million Settlement Agreement

The headquarters of PG&E in the Pacific Gas & Electric Building in San Francisco (Photo: LPS.1 via Wikimedia Commons)

A previously unnamed U.S. energy company that agreed to a record $2.7 million settlement after it left 30,000 records about its information security assets exposed online for 70 days in violation of energy sector cybersecurity regulations has been named as California utility PG&E (see US Power Company Fined $2.7 Million Over Data Exposure).

Officially known as the Pacific Gas and Electric Company, PG&E is a publicly traded utility headquartered in San Francisco. The company had previously admitted to unintentionally exposing sensitive data in 2016, although it initially claimed that a publicly exposed database contained fake data. Subsequently, however, it confirmed that it did, in fact, leave sensitive information - including hashed administrator passwords that attackers could have cracked offline - exposed to the internet.

But it wasn't clear if that incident - or utility - was the subject of a settlement agreement announced early this year.

NERC's Feb. 28 notice to FERC, announcing the $2.7 million settlement

News of the settlement agreement - but not the name of the utility that had reached the agreement - first emerged in a Feb. 28 notice from the North American Electric Reliability Corp., or NERC, to Kimberly D. Bose, secretary of the Federal Energy Regulatory Commission, or FERC. FERC regulates, monitors and investigates electricity, natural gas, hydropower, oil matters, natural gas pipelines, LNG terminals, hydroelectric dams, electric transmission, energy markets and pricing.

NERC's notice to FERC said security problems at the then-unnamed company resulted in sensitive information remaining internet-exposed for more than two months.

"The data was exposed publicly on the internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords," according to the notice. "Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords."

According to the notice, the Western Electricity Coordinating Council and the then-unnamed energy provider reached the settlement agreement over two violations of the Critical Infrastructure Protection NERC Reliability Standards. WECC is one of eight regional entities that NERC has designated to monitor and enforce its standards.

Confirmed: PG&E Was the Utility

On Friday, the Wall Street Journal reported that a Freedom of Information Act request filed by Secure the Grid Coalition, a nonprofit group that focuses on critical infrastructure protection, had confirmed that PG&E was the utility that reached the settlement agreement. It reported that a NERC investigation found that a PG&E contractor had downloaded records from a PG&E cyber-asset database without permission and in violation of corporate policies, and left them exposed online.

The FOIA request returned documents which, while heavily redacted, revealed that PG&E was the utility that reached the settlement agreement with NERC, the Wall Street Journal reported.

Secure the Grid is part of the Center for Security Policy, a right-leaning national security think tank in Washington. Michael Mabee, a New Hampshire representative of Secure the Grid, told the Wall Street Journal that he sought the information because he believed it was "disturbing and wrong" for federal officials to mask the identity of a utility that put the public at risk.

PG&E didn't immediately respond to a request for more information.

But the company told the Wall Street Journal in a statement that "once we learned of the exposure, we communicated proactively with the appropriate government agencies and regulators and have since worked with them on corrective actions."

The company also said that its cybersecurity practices are "robust and consistent with the best practices being employed in the industry."

In February, FERC spokesman Craig Cano, commenting on the $2.7 million settlement agreement, told Information Security Media Group that the penalty would become final within 31 days, unless the commission chose to review it. Reached for comment on Tuesday, he said the commission had chosen to take no further action, so the settlement agreement, by law, went into effect.

Researcher Found Information Online

Information security researcher Chris Vickery discovered the PG&E information online. In a May 2016 blog post, he reported finding a "publicly exposed database" that "appeared to be PG&E's asset management system," and noted that the company's IT department was trying to claim that the database was fake.

Vickery said the database "contained details for over 47,000 PG&E computers, virtual machines, servers and other devices," as well as mail passwords, none of which were encrypted or required a username and password to access. He also reported finding 120 hashed passwords for employee access to the utility's systems.

"This would be a treasure trove for any hostile nation-state hacking group," Vickery warned.

PG&E provides electricity and natural gas to approximately 40 percent of Californians and one in 20 Americans.

PG&E: Data Wasn't Fake

In a June 2016 statement, PG&E blamed the information exposure on a contractor that was developing an asset management platform for the energy firm. At the time, PG&E claimed that no systems had been breached and that the system contained only fake data for development purposes.

Subsequently, however, PG&E reversed that assertion. "Our initial review indicated that the data was non-sensitive, mocked-up data," PG&E said. "We based this feedback on an initial response from the vendor stating that the information in the database was demo or 'fake' data. Following further review, we learned that the data was not fake and removed access."

NERC's notice said that the data exposed by the company's asset management system could also have been used to compromise other sensitive systems. "These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs [Critical Cyber Assets] associated with the data exposure include servers that store user data, systems that control access within URE's [Unidentified Registered Entity's] control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA information."

According to NERC's notice, once PG&E learned of the problem, it took a server offline, which removed the inappropriately internet-exposed data. NERC says PG&E also brought in digital forensic experts to investigate, and adopted or revised a number of new information security policies, procedures and technology, including implementing a new system for handling source code, as well as requiring third-party vendors to use it.