Author: NERC
Problem Statement
An electronic access point connected to the internet from a low-impact facility for remotely accessing a capacitor bank was compromised by unauthorized internet users for seven months prior to discovery.
Details
A registered entity discovered a compromised electronic access point connected to the internet from a low-impact facility. The access point was originally intended to be temporary and was installed by a SCADA Manager who subsequently left the entity without providing adequate documentation and turnover to the next SCADA Manager. The access point was misidentified as a remote terminal unit (RTU) with an end-of-life (EOL) operating system and left in place. Unauthorized personnel accessed the cyber asset for seven months before the registered entity became aware of the compromise. Because the device was identified as an EOL system, the compromised system was not maintained (patched, monitored, etc.) by the registered entity and was thus more susceptible to exploitable vulnerabilities.