E-Tag Incident

Event Year: 2005 Reliability: Confirmed
Country: United States
Industry Type: Power and Utilities

An individual logs into the electronic tagging (e-tag)  system associated with a Purchasing-Selling Entity (PSE).  They had legitimate access to a valid user name, password, and digital certificate of an active account, but this login was unauthorized and was made from an offsite computer not under the direct control of the PSE.  The motive was to play a joke on the PSE scheduler.

Because the account’s credentials were valid, the e-tag system accepted the login.  It is standard operating procedure for the PSE to share user accounts amongst appropriate staff within the organization.  At the time, the PSE had approximately 7-8 user accounts with over a dozen personnel all sharing access to these user accounts.  The IP address used for this access is not associated with the PSE’s network.  For business continuity reasons, the PSE allows remote access to the e-tag system from multiple locations, including remote offsite locations.  Because the user account, password, and digital certificate were valid, the e-tag vendor appropriately accepted the login.

Three minutes after logging in, the person logged into this account submits an e-tag without the knowledge of the PSE.  The e-tag requests a large amount of power to be delivered on behalf of the PSE to another large control area for the next hour.  This tag was rejected by the generation control area’s automated e-tag processing software.  While there were several reasons to reject the e-tag (i.e., it was submitted less than 30 minutes before the time of the request, etc.), their software cites an incorrect open-access same-time information system (OASIS) number as the reason for rejecting the transaction.

During the same timeframe, the e-tag was approved by the receiving control area, and denied by an intermediate control area in the scheduling path, and then denied by the receiving control area (reversing their previous approval action).  Note that denial by any party on the e-tag will cause it to be rejected.

All of the approval actions on this e-tag were complete 4 minutes after the tag was submitted.  The rejected e-tag (called a “dead” tag) is returned and posted to the PSE’s trading system, but because that screen was minimized at the time, neither of the two traders on duty at the PSE are aware that anything out of the ordinary has happened.

A short while later, the person logged into this account submits a second e-tag, also without the knowledge of the PSE.  This e-tag is directed only to one control area (both e-tags specify the same load control area; the previous e-tag specified a different generation control area).  There are other similarities between this e-tag and the one submitted 6 minutes earlier, including the same power amount, the same timeframe, and similar path information.  The primary difference between this e-tag and the previously-submitted e-tag, in addition to the generating control area, are changes to the path information (thereby removing the reference to the incorrect OASIS information).

Almost immediately after receiving this e-tag, control area personnel called the PSE inquiring about this most unusual e-tag that they had received from them (most notably the very large MW requested).  At this time, one of the traders on duty at the PSE looked at the e-tag vendor’s screen at his terminal, saw the e-tag that had been entered on their behalf, and immediately realized that neither he nor the other trader on duty had issued this e-tag.  He immediately withdrew the e-tag.

The PSE staff then went into “high alert”.  The trader on duty at the PSE knew that he could supersede the privileges of the person logged into the account by logging into the same account himself.  (The system only allows one active session for each account, and disables any existing sessions when somebody new logs into that account.)  The trader also notified relevant control areas and notified internal IT support and other personnel within the PSE.



Loss of staff time.

Action Description: The following day, the digital certificate associated with the account was revoked by the PSE's security officer.