• NERC and Regulated Entity Reach Settlement on Violations of Cybersecurity Standards
  • March 20, 2018
  • A regulated entity has reached an agreement with the North American Reliability Corporation (“NERC”) to pay $2.7 million for violations of a Critical Infrastructure Protection (“CIP”) standard. The violations arose from an online exposure of the regulated entity’s data, which resulted in unrestricted access to 30,000 asset records, including records associated with Critical Cyber Assets (“CCAs”). NERC’s “Notice of Penalty” with the Federal Energy Regulatory Commission (“FERC”), which does not name the regulated entity, notes that the information regarding the CCAs was accessible on the internet for 70 days and that system logs showed unauthorized access to the data. NERC states that the risks associated with this violation include allowing physical and remote access to the registered entity’s system. The Notice of Penalty explains that the registered entity has taken mitigation steps to ensure the violations do not recur. FERC has 30 days to review the proposed penalty.