New Mexico tells the federal government: “The public has a right to know.”
The State of New Mexico, in an extraordinary filing with the Federal Energy Regulatory Commission (FERC), just made it clear that the public has a right to know the names of the companies that are endangering us.
The issue is that since 2010, the North American Electric Reliability Corporation (NERC) has been withholding the names of regulatory violators submitted to FERC. In the last nine years, ALL the names of companies that violate of Critical Infrastructure protection (CIP) standards, which include cybersecurity and physical security standards, have been covered up from public view. FERC, for its part, did nothing to prevent the industry from affecting this coverup of their dirty laundry. In fact, FERC perpetuated the coverup by delaying and denying Freedom of Information Act (FOIA) requests for the identities of these violators.
The PRC believes that two principles should guide the FERC’s decision-making concerning the degree of openness in Notices of Penalty (NOP) for violations of Critical Infrastructure Protection (CIP).
- The public has a right to know if any utility is not complying with FERC reliability standards and its wildfire prevention plans, as do local and statewide government agencies. This information could be useful to them in myriad ways, not the least of which is mitigation of forest fires.
- Grid resiliency should be a primary value. To the extent keeping CIP outage information confidential undermines grid resiliency, the rules should be changed to promote more openness.
New Mexico, in their filing, endorsed the proposal of the New Hampshire Office of Consumer Advocate who also called for more transparency. The coverup came to light when my investigation revealed that between July of 2010 and July of 2019 FERC has withheld the identity of the regulatory violators in 253 cases, involving close to 1,500 companies. The investigation revealed a massive cover-up by the electric grid regulators in which they have hidden the identities of all violators of Critical Infrastructure Protection (CIP) regulations concerning cybersecurity and physical security.
New Hampshire says: “The public has a right to know.”
This may sound somewhat geeky, but the FERC “white paper docket” was exciting. First of all, just the fact that public pressure forced FERC and NERC to consider more transparency was a victory for democracy. (In China, Russia or Iran, many of us would have “disappeared” or been sent to gulags for criticizing a government sanctioned cover up.) Second, the public’s voice was heard. There were over 60 filings in favor of increased transparency from members of the public, public advocacy groups as well as elected and appointed public officials.
Heroically, a group of New Hampshire officials stood up for the public. It started with New Hampshire Representative Kat McGhee listening to a constituent’s concerns and having to courage to be the first public official to comment on the docket. Rep. Kat McGhee advised FERC:
“With cyber mischief and the potential for cyber warfare on the rise, we are in no position to dismiss tools that help reinforce critical security. On the question of cyber-security transparency for the grid system, I believe we are benefited by more public insight, not less.”
A bipartisan group of New Hampshire legislators followed: New Hampshire State Rep. Donna Mombourquette, New Hampshire Rep. David Woodbury and New Hampshire Rep. David Testerman all filed comments. And critically, Donald Kreis, the New Hampshire Office of Consumer Advocate noted:
“The need for transparency is all the more acute in these particular circumstances; via Section 215(c) of the Federal Power Act and the FERC’s designation of an industry-sponsored organization (NERC) as the nation’s primary reliability watchdog, the federal government has substantially privatized an essential public function subject to carefully circumscribed oversight from the FERC.”
U.S. Congresswoman Ann McLane Kuster also wrote to FERC urging them to increase transperancy:
“While FERC has issued fines to utilities that are found in noncompliance, ratepayers are left in the dark as to whether their utility is in compliance with cybersecurity standards. It would be prudent for FERC to judiciously examine how increased transparency of cybersecurity violations would improve compliance with cybersecurity standards and enhance both ratepayer and lawmakers understanding of current cybersecurity threats to our electric grid.”
In addition to the New Hampshire public officials, several New Hampshire citizens and the New Hampshire based Foundation for Resilient Societies commented on this docket. See below for all the comments.
Across the Country: “The public has a right to know.”
Citizens across the country wrote in to this FERC “white paper” docket demanding more transparency and an end to the coverup. In addition to the citizens, several Public Utility Commissions, consumer advocacy groups and even an organization representing the press filed comments in favor of more transparency.
The State of Connecticut agencies (Connecticut Public Utilities Regulatory Authority Connecticut Office of Consumer Counse) noted:
The CT Agencies believe that making the violator’s name public serves three functions: 1) it brings unwanted attention to the violator and in doing so acts as an added deterrent against violations; 2) it assists state agencies and other parties with oversight/regulatory/advocacy responsibilities in following-up and taking appropriate action; and 3) it specifically alerts and informs the public in the vicinity of the violator.
The Louisiana Public Service Commission believes:
There do seem to be several areas where additional public disclosure of information might be accomplished while not providing potential violators with any useful information. This is particularly true since the CIP NOPs will not be filed until after mitigation is complete.
The PUCs and state authorities in particular seem annoyed that the identities of violators have been kept from state regulators as well.
The New York Power Authority noted the importance of having sufficient information available to the state authorities:
Noncompliance information posted to NERC’s Enforcement and Mitigation website provides an important resource for utilities to improve their NERC Reliability Standards compliance programs and further support self-enforcement.
And the New Jersey Board of Public Utilities noted that the ongoing coverup impacted state regulators as well:
The Board generally supports the recommendations stated in the Joint White Paper as they appear to balance confidentiality, transparency, security and efficiency concerns. However, the Board, as a state regulatory commission, urges the Commission and NERC Staff to consider enhancing this process to enable state commissions access to the confidential information submitted in the attachment.
In addition to six states telling the federal government that more transparency is needed, the Reporters Committee for Freedom of the Press noted:
With respect to the identities of electric utilities that violate rules designed to protect the nation’s grid against cyber and physical attacks, logic and practice illustrate that disclosure will yield greater accountability, and ultimately promote greater compliance with applicable cybersecurity laws.
It is clear that the public, the state regulators, elected and appointed state and federal officials and the press are demanding increased transparency – and an end to the coverup of the identities of CIP violators.
So who would possibly oppose ending the coverup? Why, the industry whose identities are being covered up, of course!
The Electric Industry Says the Public is Too Stupid To Handle Transparency.
Astoundingly, the electric utility industry argues that more transparency would confuse the public. (So we best keep the coverup going.) The Joint Trade Associations argued that releasing the penalty amounts to the public would be dangerous:
“While penalty amounts are not CEII, they can create some risk, as well as significant confusion for the public.” (Page 14.)
In other words, the industry says you are too stupid to be able to understand significance of the amount of a fine against your utility company. Ouch. Unfortunately, the insults continue:
“Given that the public would require specialized training and expertise to derive any value from the name of the Standard violated (beyond the general understanding that a Standard was violated), it is not clear what benefit there is in automatic disclosure of this information. To better protect BPS reliability, reference to specific Standards should not be included in the NOP public cover sheet.” (Page 11.)
“[T]he detailed information included in NOPs is not meaningful to the general public as it is highly technical and requires specialized training and expertise to understand.” (Page 14.)
Translated: The public is not sophisticated enough to understand even the name of a cybersecurity standard. In sum, it’s better to hide all of the CIP citations since the public is too stupid to understand them anyway.
The U.S. Chamber of Commerce says that divulging the names of violators would discourage entities from “self reporting” violations:
“Any disincentive to self-reporting could serve to undermine, rather than support, overall cyber compliance efforts. Thus, the routine disclosure of entities subject to a Notice of Penalty would be counterproductive, and should be rejected.”
Excuse me? So you are saying that the electric grid is going to engage in a regulatory mutiny if FERC releases the names of the violators? Who is running this regulatory show anyway, the industry or the government? (Stupid question. Clearly the industry.)
But there is some sanity in this docket. As the New Hampshire Office of Consumer Advocate pointed out:
Our experience, as a frequent litigant before the New Hampshire Public Utilities Commission and as an end-user member of NEPOOL (the stakeholder advisory board to the regional transmission organization ISO New England) is that electric utilities (i.e., the same firms that own the bulk power transmission system) consistently rely on conclusory and self-serving allegations about the ill-effects of transparency to thwart efforts to hold them and their regulators publicly accountable.
Kudos to the New Hampshire Consumer Advocate and the New Mexico Public Regulation Commission (PRC) for telling it like it is. Below are the comments from the docket – read them and see for yourself – the public has a right to know!
Comments in favor of Transparency:
- Michael Mabee (U.S. Army Command Sergeant Major, ret.)
- George Cotter (former Chief Information Officer, NSA)
- Joseph M. Weiss (internationally renowned cybersecurity expert)
- David Jonas Bardin (General Counsel to U.S. Federal Power Commission [now FERC] during several Administrations)
- Frank Gaffney (Founder, Center for Security Policy)
- Tommy Waller
- Michael Mabee on the role of transparency in preventing regulatory failures
- Congresswoman Ann McLane Kuster
- New Hampshire Office of Consumer Advocate
- New Hampshire Representative Kathy “Kat” McGhee
- New Hampshire State Representative Donna Mombourquette
- New Hampshire Representative David Woodbury
- New Hampshire Representative David Testerman
- Karen Testerman
- Foundation for Resilient Societies
- Louisiana Public Service Commission
- Connecticut Public Utilities Regulatory Authority, et. al.
- New Jersey Board of Public Utilities,et al.
- Aldrich B. Monahan Jr.
- Mortimore Kelly
- John W Russell
- Preston L. Schleinkofer
- Fred Reitman
- Dennis Hunt
- Dale Rowley
- Ken Sletten
- David Phelps
- Comment by a Concerned Citizen
- Task Force on National and Homeland Security
- Constance A. Zimmerman
- Mary S. Kass
- Terri Timmcke
- Reporters Committee for Freedom of the Press
- Alyssa A. Lappen
- Andrew Bumbak
- Jim LeBlanc
- Dennis P. Burke, SR
- Kenneth D. Chrosniak
- J. Dexter Smith
- Douglas Ellsworth
- Sara Z. Wood
- Henry W. Newton
- Richard Firth
- Valerie J. MacIntosh
- Stacey West
- Bradley A. Kropf
- Phiyllis Ulrich
- Foundation for Resilient Societies
- Theresa V. Hubbard
- Eunie Smith
- Joseph A. Voglund
- Frank Heindel
- DeNexus, Inc.
- Gabriel Frank
- Jerry R. Ladd and James M. Babcock, CIWRX, Inc.
- George E. Kondos
- Public Citizen, Inc.
- Eric Richter
- Sandra J. Lafleur
- Foundation for Resilient Societies
- New Mexico Public Regulation Commission (PRC)
Comments Against Transparency:
(Note that all of these are either the electric utility industry itself, or groups representing the electric utility industry. I consider the Department of Energy – a captive regulator – to fit into the latter category: “groups representing the electric utility industry.”)
- Joint Trade Associations
- U.S. Chamber of Commerce
- North American Generator Forum (NAGF)
- PSEG Companies
- Georgia System Operations Corporation
- Cogentrix Energy Power Management, LLC
- Memphis Light, Gas and Water Division
- Midcontinent Independent System Operator, Inc.
- MISO Transmission Owners
- ISO-RTO Council
- Wolverine Power Supply Cooperative, Inc.
- United States Department of Energy
Final note: I find it highly disturbing that the Chamber of Commerce claims that FOIA has been “weaponized” to expose the CIP violators and then the U.S. Department of Energy – the following day – provides the industry with legal advice to avoid FOIA disclosures. In fact, I was so disturbed, that I filed a Freedom of Information Act (FOIA) request with the U.S. Department of Energy to determine to what extent their filing was influenced by the electric utility industry. (Read my FOIA request HERE.)
Stay tuned and subscribe to my newsletter for updates.