NOTICE DATE: October 14, 2022

NOTICE TYPE: M-B101422-01 General

SHORT DESCRIPTION: Cybersecurity Incident

INTENDED AUDIENCE: All Market Participants

DAYS AFFECTED: October 14, 2022

LONG DESCRIPTION: On October 14, 2022, at approximately 4:30 p.m., ERCOT was informed by a Market Participant (disclosing MP) that the MP’s Internet-facing firewalls had been compromised.  This did not affect the disclosing MP's operations nor was there any indication the attacker pivoted to any other systems.  ERCOT's computer network and systems were not affected by this event and the Texas power grid was not impacted.

The disclosing MP indicated that their firewalls had been compromised by an attacker that exploited a newly disclosed vulnerability, CVE-2022-40684.  The incident was confined to two sites owned by the disclosing MP and the disclosing MP was able to identify and contain the compromise.  The disclosing MP is in the process of restoring the affected firewalls to a known-good configuration.     

The firewall vendor, Fortinet, released an updated advisory on 10/10/22 indicating that an authentication bypass vulnerability in FortiOS, FortiProxy and FortiSwitchManager was actively being exploited and urged customers to apply the recommended update or workaround. 

ERCOT urges MPs that use Fortinet products to immediately review the advisory and apply the recommended fixes as soon as practicable.  If there is indication of compromise, the vendor should be contacted for assistance.

CONTACT: If you have any questions, please contact your ERCOT Account Manager. You may also call the general ERCOT Client Services phone number at (512) 248-3900 or contact ERCOT Client Services via email at [log in to unmask].


 

dg