Vendor management continues to be a problem for all industries, but some are scarier than others.

The North American Electric Reliability Corp. (NERC) recently provided notice to the Federal Energy Regulatory Commission that an unidentified power company has reached a settlement with the Western Electricity Coordinating Council for $2.7 million to resolve two violations of NERC’s critical infrastructure protection standards.

The settlement stems from a violation that occurred when a third-party contractor of the power company copied critical infrastructure data to its own insecure network. While on the third party’s network, the data could be accessed without a username or password. Some of the records included the power company’s critical cyber assets, IP addresses and host names. According to the notice, the critical cyber assets included “servers that store user data, systems that control access with the power company’s control centers and substations, and a supervisory control and data acquisition system that stores critical cyber information.” The data was exposed for 70 days.

Although the exposure was detected by a white hat security researcher, the notice stated that “there is no reasonable assurance that during the time the data were exposed on the internet, it was not already used by a malicious actor—or collected by such an actor—to access…the network and install an application that can cause potential harm in the future.” 

The power company agreed to implement a mitigation plan.