ERCOT Reports That, Due To Cybersecurity Failure At Market Participant (MP), Attacker Was Able To Modify MP's Banking Details With ERCOT, Re-route Monies Owed To MP To Fraudulent Account

April 24, 2020

Copyright 2010-20 EnergyChoiceMatters.com
Reporting by Paul Ring • ring@energychoicematters.com

ERCOT issued a market notice stating, "On April 23, 2020, ERCOT was informed by a Market Participant (disclosing MP) that its registration information (i.e., contact information and bank account information) with ERCOT may have been compromised. ERCOT and the disclosing MP immediately began investigating the concern."

"ERCOT has determined a Cybersecurity Incident originated with a compromised Microsoft Office 365 (Office 365) account belonging to the disclosing MP. The attacker used the compromised Office365 account by assuming the email address belonging to the disclosing MP’s Authorized Representative (AR), and creating new email accounts using domain typo-squatting (i.e., the attacker created new email addresses that were similar to officers/employees of the disclosing MP). While the disclosing MP is located in the United States, the attacker leveraged several foreign IP addresses from Germany and Ghana," ERCOT said in the market notice.

"On April 20, 2020, ERCOT received and processed a Notice of Change of Information (NCI) from what appeared to be the disclosing MP’s AR (using the AR’s email address on file with ERCOT). The NCI modified the MP’s banking information. For Business Days, April 21 – 23, 2020, wires from ERCOT to the disclosing MP were sent to the revised bank account identified in the NCI. In coordination with federal authorities, ERCOT has been able to recover a majority of the wires that had been sent to the fraudulent bank account. ERCOT is continuing to work closely with federal authorities concerning the remaining funds, and the impacted Market Participant to ensure the proper and safe communication of information and transfer of funds. At this time, ERCOT has found no evidence to suggest that this incident is related to the JPMorgan data disclosure described in Market Notice M-D041720-01," ERCOT said in the market notice.

"The ERCOT Protocols define a Cybersecurity Incident as 'a malicious or suspicious act that compromises or disrupts a computer network or system that could foreseeably jeopardize the reliability or integrity of the ERCOT System or ERCOT’s ability to perform the functions of an independent organization under [PURA].' Although ERCOT’s ability to perform certain registration functions were impacted, ERCOT has determined that no ERCOT computer network or system was compromised as a result of this Cybersecurity Incident. Based upon preliminary findings, the only computer or network compromised was a single Office 365 email account belonging to the disclosing MP. ERCOT processed the NCI in accordance with its business practices and processes set forth in the ERCOT Protocols, and has implemented additional levels of controls for bank information, and is further evaluating additional controls to help ERCOT verify changes made to MP registration information. ERCOT plans to engage stakeholders in further discussion regarding such controls at future stakeholder meetings," ERCOT said in the market notice.

"The disclosing MP had not enabled a two-factor authentication (2FA), also known as two-step verification, or multi-factor authentication (MFA), on its Office365 account. ERCOT believes that 2FA or MFA would have prevented this incident, and therefore highly encourages all MPs to protect systems and devices from hackers and malware by employing 2FA or MFA. This measure will create an extra layer of security to help ensure that only authorized individuals can access an MP’s email account. Pre-registering domains similar to the actual domains utilized by MPs may also reduce the chance of typo-squatting. ERCOT utilizes a Domain-Based Message Authentication (DMARC) practice to reject emails that do not pass a verification test. Enabling a DMARC practice can help MPs control who can send emails on behalf of the MP, and thereby prevent nefarious parties from utilizing a MP’s domain. See Market Notice M-A031419-01, ERCOT Implementation of a DMARC 'Reject' Policy," ERCOT said in the market notice.
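As an added illustration (not part of the ERCOT notice or any ERCOT system), the sketch below shows how a team receiving registration or banking change requests could flag sender domains that are near-misses of the domains on file, which is the typo-squatting pattern the notice describes. A request sent from the genuine compromised mailbox, as the NCI was, still classifies as `on_file`, so this check complements the MFA and additional controls in the notice rather than replacing them. All function names, the fold table, the distance threshold and the `.example` domains are constructed assumptions.

```python
import unicodedata

# Constructed, hypothetical look-alike folds; extend for your own review process.
_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def normalize(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms, drop a trailing dot."""
    return unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")

def skeleton(domain: str) -> str:
    """Collapse common visual substitutions so 'surnmit' and 'summit' compare equal."""
    for seen, meant in _FOLDS:
        domain = domain.replace(seen, meant)
    return domain

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address: str, on_file_domains, max_distance: int = 2):
    """Return ('on_file' | 'lookalike' | 'unknown', matched on-file domain or None)."""
    domain = normalize(address.rsplit("@", 1)[-1])
    known = sorted({normalize(d) for d in on_file_domains})
    if domain in known:
        return ("on_file", domain)
    for k in known:
        if skeleton(domain) == skeleton(k) or osa_distance(domain, k) <= max_distance:
            return ("lookalike", k)  # hold the request for manual verification
    return ("unknown", None)

if __name__ == "__main__":
    on_file = ["northwind-energy.example"]  # constructed sample data
    for sender in ("ar@northwind-energy.example",
                   "ar@nortwhind-energy.example",
                   "ar@n0rthwind-energy.example",
                   "someone@contoso.example"):
        print(sender, classify_sender(sender, on_file))
```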
