PG&E Identified as Utility That Lost Control of Confidential Information
San Francisco-based PG&E Corp. was identified Friday as the large utility that authorities had fined in May for losing control of a database with confidential information about its systems and leaving it exposed on the internet for 70 days.
The breach happened in 2016 and, until this week, the Federal Energy Regulatory Commission had declined to identify the utility that it fined $2.7 million earlier this year, a small amount compared with a potential fine of as much as $140 million.
Heavily redacted documents released Friday showed correspondence among regulators related to the incident, which referenced PG&E, but they provided no additional details. However, other previously available documents provided information about the incident, so together they show how PG&E’s systems were exposed.
In a written statement, PG&E said that “once we learned of the exposure, we communicated proactively with the appropriate government agencies and regulators and have since worked with them on corrective actions.”
It added that its cybersecurity measures are “robust and consistent with the best practices being employed in the industry.”
PG&E’s identity was revealed because of a Freedom of Information Act request filed with FERC by Secure the Grid Coalition, a nonprofit group focused on critical infrastructure protection. Michael Mabee, a New Hampshire representative of the group, said he petitioned for the information because he thought it was “disturbing and wrong” for federal officials to protect a utility whose actions endangered the public.
As a result of the failure, 30,000 records about PG&E’s cyber assets were exposed to the internet—without password protection—at a time when authorities have said Russian agents were trying to gain access to U.S. energy companies.
An investigation into the data breach by the North American Electric Reliability Corp. and a related organization found that an unnamed vendor hired by PG&E to assist with an asset-management program downloaded records from a cyber-asset database to his own computer—without the utility’s permission and in violation of company policy—then left it exposed to the internet until it was brought to PG&E’s attention by an internet-security researcher.
The records included information on systems that control both physical and remote access to the utility’s control centers and electrical substations, as well as on the utility’s system that regulates electricity flows.