FERC Must Make A Choice

 

---

For almost 9 years, FERC has aided and abetted a massive coverup. Now they can choose to do the right thing—or not.

In July of 2010 Cheryl LaFleur became a Commissioner with the Federal Energy Regulatory Commission (FERC). That same month, The North American Electric Reliability Corporation (NERC) began covering up the names of companies that endangered the electric grid. The coverup has continued unabated until the present.

Thankfully for America, Commissioner LaFleur, who for years has allowed this misbehavior by the electric industry, is getting the boot.

Now it is time for the remaining FERC Commissioners to clean up LaFleur’s mess.

The three remaining Commissioners are: Chairman Neil Chatterjee (on FERC since August 8, 2017), Commissioner Richard Glick (on FERC since November 29, 2017) and Commissioner Bernard L. McNamee (on FERC since December 11, 2018). Are they going to step up and fix the broken regulatory scheme that endangers the electric grid?

On April 2, 2019, there was a bad sign—FERC denied my FOIA request to release to the public the identities of the companies who endangered the electric grid. I have filed an appeal, which is available below.

The failure of the present “double secret probation” style regulatory scheme is teed up in several places at FERC right now and must have the Commissioners’ attention:

• Click HERE for my April 17, 2019 FOIA Appeal to FERC
• Click HERE for my submission to FERC in Docket NP19-4 (Duke Energy)
• Click HERE for my Petition for Rulemaking, filed February 5, 2019
• Click HERE for my submission to FERC on 192 “URE” Dockets

The central issue in all of these venues is that after a decade—including close to 9 years of industry lobbied secret regulation—the Russians and Chinese waltz in and out of our electric grid largely unchecked. Don’t believe me? Fine. Let’s ask Senator Angus King (I-Maine):

Who was that guy that looked like a deer in the headlights? That was NERC President and Chief Executive Officer James B. Robb. And who was that other guy gushing about all the great cooperation and collaboration between FERC and industry? That was FERC Chairman Neil Chatterjee. (Sigh… He seems like a really nice guy.)

Bottom line: NERC’s secret regulatory system of back-room settlements and handshake penalties for Critical Infrastructure Protection (CIP) standards violations has not worked and is not working (except for the Russians, the Chinese and the Iranians, for whom it is working quite well). We need immediate action.

The time for Mr. Nice Guy is over.

FERC – This is a national emergency!

Chairman Chatterjee:

The electric industry, including their purported regulator NERC and the other industry trade groups, have given cybersecurity and physical security only lip service for a decade. Meanwhile, our most critical of assets—the U.S. electric grid—is at grave risk.

• We need to “Red Team” utilities that have challenges and help them fix themselves (to the extent that they are willing). DHS and DoD have the expertise to help—but only FERC has the authority to make this happen.
• We need to “Black Hat” regulate chronic violators and hold them accountable with stiff penalties and public scrutiny.

FERC must make a choice. Step up and fix this failed CIP regulatory system
—or accept responsibility when lots of Americans die in a massive power outage.

Remember FERC Commissioners:

“The Commission shall have jurisdiction, within the United States, over the ERO certified by the Commission under subsection (c), any regional entities, and all users, owners and operators of the bulk-power system, including but not limited to the entities described in section 824(f) of this title, for purposes of approving reliability standards established under this section and enforcing compliance with this section. All users, owners and operators of the bulk-power system shall comply with reliability standards that take effect under this section.”

16 U.S. Code § 824o(b)(1). Electric reliability

Yes, FERC Commissioners—it is your job.

###

---

Click HERE for PDF Version of FOIA Appeal

---

April 17, 2019

James Danly, General Counsel
Federal Energy Regulatory Commission
888 First Street, NE,
Washington, D.C. 20426

Via Email: james.danly@ferc.gov

Subject: Appeal of April 2, 2019 Determination in FOIA 2019-0019

Dear Mr. Danly:

I hereby appeal the determination letter dated April 2, 2019, denying part of my Freedom of Information Act (FOIA) request in FOIA 2019-0019.[1] I also note that your determination on this appeal will have an impact on the rest of the processing of both FOIA 2019-0019 and FOIA 2019-0030—both of which I filed requesting that the identities of Critical Infrastructure Protection (CIP) violators be released to the public.[2] For the reasons more fully set forth below, the Federal Energy Regulatory Commission (FERC) should release the requested information because:

1. There is no valid FOIA exemption that would prevent the release of this information.
2. To the extent that the Commission believes there is an applicable exemption, the Commission should exercise its discretion to release the information because it is in the public interest to do so. And,
3. It would enhance the security of the critical infrastructures to release this information to the public.

I.        Introduction.

This appeal could be the “poster child” for why the Freedom of Information Act exists; to allow the public to understand how their government operates and call for change when a regulatory system fails us. According to the federal government’s reference website on FOIA, www.foia.gov, the operation of this important law has a presumption of openness:

The FOIA provides that when processing requests, agencies should withhold information only if they reasonably foresee that disclosure would harm an interest protected by an exemption, or if disclosure is prohibited by law. Agencies should also consider whether partial disclosure of information is possible whenever they determine that full disclosure is not possible, and they should take reasonable steps to segregate and release nonexempt information.[3] [Emphasis added.]

The names of violators in a regulatory regime overseen and approved by the United States government must be made available to the public. Legitimately sensitive and harmful information can be protected by exemptions to the FOIA, but disclosing the name of a company that is subject to a regulatory action does not harm national security. In fact, the opposite is true. When the names of violators are withheld from public scrutiny, the incentive for bad behavior is increased. Indeed, if national security is the true rationale for the FERC/NERC regulatory regime, then Congress and the public should have the right to know how this regime (or concealment scheme) is working.

II.      Procedural history.

On December 18, 2018 I submitted a FOIA request to the Federal Energy Regulatory Commission (FERC), Request FOIA-2019-19. I subsequently filed an amended FOIA request on January 4, 2019. The original and amended requests are attached hereto as Exhibit A.[4]

On January 18, 2019 FERC sent a letter to the North American Electric Reliability Corporation (NERC) requesting their views on the release of the information I seek. This FERC letter is attached hereto as Exhibit B. Apparently, NERC, the industry Trade Associations[5] and some individual companies responded, but their responses have not yet been provided to me and are presently the subject of a separate FOIA request (FOIA 2019-0056).

On February 28, 2019 FERC issued a “Notice of Intent to Release” letter to the parties, which is attached as Exhibit E. On March 18, 2019 FERC issued an “Initial Release Letter” to the parties which is attached as Exhibit F. FERC subsequently released the identity of the UREs in two of the 53 FERC dockets covered by my FOIA request.[6]

On March 28, 2019 the Trade Associations disclosed their objections to this FOIA as well as a related FOIA request: FOIA 2019-0030 as exhibits to a Motion to Intervene on FERC Docket NP19-4-000. I have attached those responses as Exhibits C and D.

On April 2, 2019 FERC issued a second determination letter in FOIA 2019-0019 denying my request for FERC to disclose the identities of the “UREs” who violated CIP regulations in FERC Docket Numbers NP14-30, NP14-37, and NP14-39.” FERC’s April 2, 2019 letter (entitled “FOIA FY19-19 (Rolling) Denial (NP14-30, NP14-37, and NP14-39)—Second Response Letter”) is attached as Exhibit G.

There is no apparent difference in law between the February 28 decision of FERC to release the identities of UREs and the April 2 decision of FERC to deny release of URE identities. In fact, the only apparent rationale is the intervening entreaties to FERC by the industry Trade Associations on March 28, 2019 in Docket NP19-4-000 to withhold the names of their misbehaving members from public scrutiny. In fact, the Trade Associations used their filing under Docket NP19-4-000[7] as an opposition to my FOIA requests.[8]

Pressure on FERC by the Trade Associations is not an allowed FOIA exemption.

III.    Withholding the names of CIP violators from the public has not made the electric grid more reliable and America more secure. In fact, the opposite is true.

NERC and the Trade Associations argue that the names of the CIP violators must be kept from the public in order to protect us. The record on this matter demonstrates that this clearly is not true. In fact, the evidence infers that the continued withholding of this information is placing the critical infrastructures, and the public, in more danger.

The practice of withholding the names of the CIP violators from the public began in July of 2010. If we take NERC at their word that the reason the names of CIP violators are being withheld from public scrutiny is to protect Americans, we should see some improvement in the security of our electric grid between 2010 and the present.

In an official assessment to the U.S. Congress released on January 29, 2019, the U.S. Intelligence Community confirmed that the U.S. electric grid is not secure against foreign incursions:[9]

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure, such as disrupting an electrical distribution network for at least a few hours, similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Vulnerability of the U.S. electric grid to foreign attack has been longstanding. In an April 8, 2009 article, “Electricity Grid in U.S. Penetrated By Spies,” the Wall Street Journal disclosed:[10]

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

 

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

 

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

So, we know for a fact the at the Russians and the Chinese have infiltrated our electric grid for over a decade. In January of 2011, about six months after NERC began withholding the identities of CIP violators, the U.S. Department of Energy, Office of Inspector General, issued a report which provides an interesting baseline at the time the entity names began to be withheld.[11] The OIG noted:

In addition, as noted in a recent survey conducted by industry and the Center for Strategic and International Studies, more than half of the operators of power plants and other “critical infrastructure” components reported that their computer networks had been infiltrated by sophisticated adversaries. Furthermore, during recent testimony to Congress, the Director of National Intelligence stated that the cyber security threat was growing at an unprecedented rate and stressed the need for increased cooperation between government and industry to help alleviate the threats. The importance of implementing effective cyber security measures over the power grid was recently highlighted by the discovery of sophisticated malware within various industrial control systems. An industry expert also noted that there have been more than 125 industrial control system incidents resulting in impacts ranging from environmental and equipment damage to death.

 When examining the Director of National Intelligence’s January 29, 2019 report quoted above, one thing is apparent: For eight years the Director of National Intelligence and other federal officials have warned that our grid has been penetrated by adversaries.

Nothing positive has occurred as a result of withholding the names of the CIP violators. In fact, the industry has vehemently opposed more stringent cybersecurity standards, claiming that they are “unduly burdensome.”[12] (Meanwhile, the Russians and Chinese apparently don’t find it “unduly burdensome” to penetrate our electric grid.)

If keeping the names of the CIP violators from the public was going to make the grid more reliable and the nation more secure, it should have worked by now. Why is the public being kept in the dark? How does hiding the names of CIP violators protect America? In order to answer these questions, FERC must honor the spirit of the FOIA and release this information so the public can evaluate this regulatory scheme.

Specifically, the public needs to analyze whether the decade-long failure to secure the U.S. electric grid is a direct result of NERC’s enforcement regime that shields the identities of standard violators from public scrutiny.

The NERC coverup started in July 2010. (Previous to July 10, 2010, identities of standards violators were disclosed by both NERC and FERC.) The public must examine the incentives under this enforcement regime for electric utilities to implement meaningful cybersecurity protections. Will the industry devote only moderate attention to grid security while knowing any gaps will be kept hidden from ratepayers, investors, the U.S. Congress, and the public at large? In its consideration of this appeal, FERC now has the opportunity to end these practices injurious to national security and the public interest.

In sum, withholding of names of CIP violators has not worked to thwart our adversaries—the Russians and Chinese infiltrated the electric the grid for a decade. In fact, withholding violators’ names has made the grid less reliable and America less secure because the industry has little incentive to improve their Critical Infrastructure Protection (CIP) performance. This is exactly why the Russians and the Chinese are still in the grid, because information is being withheld from the public. If the truth was known, Congress could reasonably conclude that NERC’s enforcement of the CIP regulatory system has failed, and the system must be reformed.

FERC can make the country safer simply by releasing this regulatory information to the public. Public scrutiny through transparency and disclosure is the time-tested oversight for regulatory systems in a free society. Even if FOIA exemptions might be applicable, it is within FERC’s discretion to release the identity of standards violators. FERC is charged with serving the public interest; the public interest demands disclosure.

IV.    The test that FERC devised for this FOIA request is too restrictive and violates FOIA.

In its February 28, 2019 “Notice of Intent to Release” letter, FERC described a test it intended to use to determine whether to release the names of the CIP violators under my FOIA request:

A case-by-case assessment of each requested document must consider the following: the nature of the CIP violation; whether mitigation is complete; the content of the public and non-public versions of the Notice of Penalty; the extent to which the disclosure of the pertinent URE identity would be useful to someone seeking to cause harm; whether an audit has occurred since the violation(s); whether the violation(s) was administrative or technical in nature; and the length of time that has elapsed since the filing of the public Notice of Penalty. An application of these factors will dictate whether a particular FOIA exemption, including 7(F) and/or Exemption 3, is appropriate. See Garcia v. US. DOJ, 181 F. Supp. 2d 356, 378 (S.D.N.Y. 2002) (“In evaluating the validity of an agency’s invocation of Exemption 7(F), the court should within limits, defer to the agency’s assessment of danger.”) (citation and internal quotations omitted).

This test devised by FERC is too restrictive and does not comport with FOIA’s presumption of openness. This “test” appears to have been concocted as an attempt to bolster FERC’s improper uses of FOIA exemptions 3 and 7(F), neither of which apply in this case as is more fully set forth later.

At issue here is the disclosure of the names of regulatory violators. I would note that NERC already publishes a great deal of information on its website, including the identities of its regulated entities and their functions; for example, the “NERC Active Compliance Registry Matrix”[13] and other files. But it somehow becomes a problem to use the name of the entity when they are associated with a CIP violation. Because there is no legitimate security argument to withhold all names of all CIP violators in perpetuity, as is the current practice, public scrutiny should be mandatory. It appears that the real reason for concealing the names of CIP standard violators is to avoid public scrutiny of electric utilities.

I would further note that industry embarrassment does not equal national security concern and does not equal FOIA exemption either. On April 10, 2019, the Wall Street Journal quoted a FERC official explaining why the identities of the CIP violators are not disclosed to the public:[14]

FERC’s Mr. Ortiz[15] said identities are protected to honor confidentiality requests from the North American Electric Reliability Corp., called NERC, the federally appointed organization that crafts utility standards and audits compliance. It refers penalty cases to FERC for enforcement.

NERC’s “confidentiality requests” do not fall under an exemption under FOIA. If the potential “harm” of disclosure is the embarrassment of the entity subjected to a regulatory action, this is not a “harm” recognized by any exemption of the FOIA.

Finally, the burden of proof should not be on the public to prove that there is not a risk in the release of violators’ names; the burden should be on the business submitter (NERC) or government (FERC) to credibly demonstrate that release of the information would reasonably constitute a risk to the public.

I observe there is not a scintilla of public evidence over the last decade that there would be a security risk in releasing the names of CIP violators. There is ample evidence that the real danger here has been in the lack of disclosure in this failed regulatory scheme.

V. Exemption 7(F) does not apply to the names of CIP violators.

It is puzzling that FERC cites Exemption 7(F) as a basis for withholding the names of regulatory violators. This exemption generally allows an agency to protect the identities of law enforcement agents. This exemption is also valid in protecting the names and identifying information of non-law enforcement federal employees, local law enforcement personnel, and other third persons in connection with particular law enforcement matters.[16]

The identities of companies who violate CIP standards and are subject to regulatory actions by the government simply don’t fit in any arguable way under Exemption 7(F).

VI. Exemption 3 does not apply to the names of CIP violators.

According to the Department of Justice FOIA Manual[17]:

Exemption 3 allows the withholding of information prohibited from disclosure by another federal statute provided that one of two disjunctive requirements are met: the statute either “(A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.”

Neither of these requirements are met here. There is no law that NERC or FERC has cited that even arguably requires the withholding of the names of entities subject to regulatory actions under either prong of the exemption.

I further note that FERC failed to properly disclose to the U.S. Attorney General and Congress its use of Exemption 3 in 2018 for another of my FOIA requests—more evidence of FERC’s non-compliance with the most basic aspects of FOIA law. Agencies are required in their annual FOIA reports each year to list all Exemption 3 statutes that they relied upon during that year. Disturbingly, FERC’s annual FOIA reports from 1998 to 2018[18] reveals that for the past 21 years, all the years reports are available, FERC claims to have never used Exemption 3 in such a manner as it has here.

• From 1998-1999 FERC only used Exemption 3 under 41 U.S.C. § 253b(m)—Proposals submitted by unsuccessful contract bidders.
• From 2000-2001 FERC only used Exemption 3 under 16 U.S.C. 470hh(a)—Information pertaining to the nature and location of certain archaeological resource.
• In 2002 FERC did not use Exemption 3.
• From 2003-2018 FERC only used Exemption 3 under 16 U.S.C. 470hh(a)—Information pertaining to the nature and location of certain archaelogical [sic] resource.

However, FERC did use Exemption 3 in 2018 for my FOIA No. FY18-75 and failed to disclose the relevant statute, 16 U.S.C. 824o-1(d)(1), in its 2018 Annual Freedom of Information Act Report.

Exhibit J is page 10 of FERC’s 2018 FOIA report which is required by 5 U.S.C. § 552(e)(1)(B)(ii). It lists only one Exemption 3 statute: 16 U.S.C. 470hh(a)— “Information pertaining to the nature and location of certain archaelogical [sic] resource.”

Exhibit K is a FOIA response letter from FERC dated May 25, 2018 denying FOIA No. FY18-75 under exemptions 3 and 7(F). Exhibit L is a letter from FERC dated August 7, 2018 (after an appeal of the May 25, 2018 denial) upholding the denial to disclose documents under exemptions 3 and 7(F). Specifically, the letter states:

FOIA Exemption 3 protects information “specifically exempted from disclosure by statute.” Here, CEII is specifically exempted from disclosure under the Fixing America’s Surface Transportation Act, Pub. L. No. 118-94, § 61003 (2015).

This use of an Exemption 3 statute is not disclosed in FERC’s annual FOIA report.

Apparently, the undisclosed argument is that the names of the entities subject to regulatory actions constitute “Critical Electric Infrastructure Information” (CEII) exempt from disclosure,[19] This argument fails under FOIA and under FERC’s own interpretive regulations and orders.

Neither the “FAST Act”[20], apparently cited by FERC as the Exemption 3 law in their April 2, 2019 denial letter, nor the Commission’s implementing regulations prohibit the disclosure of the names of regulatory violators. Therefore, the argument that withholding this information under Exemption 3 is required fails on both prongs of the exemption, which would allow withholding where a federal law:

• A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or
• B) establishes particular criteria for withholding or refers to particular types of matters to be withheld.

Since neither prong is met, Exemption 3 does not apply. However, to the extent that anybody still wants to argue prong “B”, let’s dig deeper into the “criteria” for withholding information determined to be CEII.

Only NERC is asserting that the names of violators are CEII or “privileged” or “nonpublic” The Commission has not made such a determination. 18 CFR § 388.112(c)(1)(i) provides that:

The documents for which privileged treatment is claimed will be maintained in the Commission’s document repositories as non-public until such time as the Commission may determine that the document is not entitled to the treatment sought and is subject to disclosure consistent with § 388.108. By treating the documents as nonpublic, the Commission is not making a determination on any claim of privilege status. The Commission retains the right to make determinations with regard to any claim of privilege status, and the discretion to release information as necessary to carry out its jurisdictional responsibilities. [Emphasis added.]

NERC has for years been classifying the names of the violators and the settlement agreements as “nonpublic” and tries to argue that FERC also deems these documents as “nonpublic”—but this presumption is not in compliance with the clear requirements of the CFR.

Even the Commission’s own interpretation of the Critical Energy Infrastructure Information rules support disclosure. I note that FERC Order No. 833 holds that[21]:

24. In response to the Trade Associations’ comments seeking clarification if a name or location of a facility should be protected as CEII, the Commission’s current practice is that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not CEII. [FN 40] However, under certain circumstances, information regarding the location of infrastructure or its name that is not already publicly known could be CEII. [FN 41] Therefore, we clarify that, while as a general matter the location or name of infrastructure is not CEII, a submitter of information to the Commission may ask that non-public information about the location, or the name, of critical infrastructure be treated as CEII. The submitter would have to provide a justification for the request and explain why the information is not already publicly known.

 

FN 40 18 CFR 388.113(c)(1)(iv).

FN 41 For example, the location of an operating transformer is likely publicly known. However, the location of a spare transformer housed in a central location may not be publicly known and, therefore, may qualify as CEII.

Particularly instructive is the footnote 41 example of what may qualify as CEII.

Notably, NERC has not provided legally valid justification for keeping the names of violators secret. And the reason “the information is not already publicly known” is FERC’s noncompliance with its own regulations.

FERC is ignoring another relevant holding of its Order No. 833[22]:

36. The Commission does not agree that the scope of CEII should be modified, as suggested by the Trade Associations, to encompass information “related to compliance with the Reliability Standards.” The Trade Associations’ proposal is unduly broad and inconsistent with the FAST Act because it could lead to all infrastructure information, whether critical or not, being treated as CEII. For the same reason, we do not agree that the blanket presumption that information relating to compliance with Reliability Standards is CEII, proposed by the Trade Associations, is appropriate. Like other forms of CEII, however, information on compliance with Reliability Standards may be treated as CEII if the submitter justifies its treatment as CEII under the Commission’s regulations.

It is clear and unambiguous that the industry wanted the names of violating entities to be always considered CEII but the Commission specifically denied this in rulemaking. Where did NERC justify treatment as CEIII of the names of standard violators for each NOP submitted? Nowhere. In retrospect, it is clear that the NERC did the industry’s bidding, and FERC allowed this behavior on a wholesale basis.

VII.  FERC regulations require disclosure.

18 CFR § 39.7 (b)(4) provides that:

Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk Power System violated a Reliability Standard or by a settlement or other negotiated disposition. The disposition of each violation or alleged violation that relates to a Cybersecurity Incident or that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be nonpublic unless the Commission directs otherwise. [Emphasis added.]

It must be noted that in the three NOPs which are the subject of this appeal, the “cybersecurity incident” exception clearly does not apply. It is critical to point out that nothing in these three NOPs refers to a “cybersecurity incident.” 18 CFR § 39.1 defines “cybersecurity incident” as:

Cybersecurity Incident means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.

There is no allegation in these NOPs of a malicious act or suspicious event that disrupted or attempted to disrupt the Reliable Operation of the Bulk-Power System. These were simply regulatory actions after instances of noncompliance of CIP standards were discovered, either through self-reports or regulatory audits. Nor has NERC provided an explanation of how the security of the Bulk Power System would be jeopardized if the names of CIP standard violators were to be publicly disclosed.

Further, 18 CFR § 39.7(d)(1) provides that a notice of penalty by the Electric Reliability Organization shall consist of, inter alia: “The name of the entity on whom the penalty is imposed.”

So, 18 CFR § 39.7 (b)(4) and 18 CFR § 39.7(d)(1) are clear that at the point when “the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk Power System violated a Reliability Standard or by a settlement or other negotiated disposition” then the name of the penalized entity as well as the supporting documentation, including the settlement agreement, must be publicly disclosed. Importantly, the “notice of penalty” is afforded different treatment in 18 CFR § 39.7 (b)(4) than the “disposition of each violation. There is no provision in regulation to make the “notice of penalty” nonpublic. Moreover, 18 CFR § 39.7(d)(1) makes it absolutely clear that “the name of the entity on whom the penalty is imposed” is part of the “notice of penalty.”

18 CFR § 39.7 (b)(4) allows the “disposition of each violation” (or alleged violation) to be made nonpublic, but only if disclosure of the “disposition” would jeopardize security of the Bulk Power System. Again, the “name of the entity” is not part of “disposition” of the violation, so there is never an exemption of the violator’s name from public disclosure. Nor has NERC made a credible case that disclosure of the “disposition” of these NOPs would jeopardize the security of the Bulk-Power System, especially when the violations do not involve bona fide Cybersecurity Incidents as defined in 18 CFR § 39.1.

FERC has made no public order (or change in regulation) to allow NERC to withhold the “notice of penalty” for these NOPs. If FERC has made a private directive to NERC to withhold the “disposition” of the violations in Duke NOP, and other NOPs, then the public interest demands that the text of this hidden FERC directive and its underlying legal rationale be promptly released by the Commission.

VIII. NERC’s standard argument about “information in the aggregate.”

In the NOP for Docket NP19-4-000, which was subsequently outed by the press to be against Duke Energy Corp.,[23] and which the Trade Associations are now using as a forum to fight my FOIA requests[24] NERC essentially argues that they are redacting the names of “the Companies” and any identifying information because:

Malicious individuals already target the Companies’ operational personnel, seeking bits and pieces of data to map the Companies’ systems and identify possible attack vectors. The public disclosure of a single piece of redacted information may not, on its own, provide everything needed to exploit an entity and attack the electric grid. But, successive public disclosures of additional pieces of redacted information will increase the likelihood of a cyber-intrusion with a corresponding adverse effect on energy infrastructure. Each successive disclosure could fill in some knowledge gaps of those planning to do harm, helping to complete the maps of entity systems. Therefore, it is important to examine and evaluate the redacted information in the aggregate.[25]

This is a generic argument that any information of any kind identifying “the Companies” would assist hackers. Therefore, according to NERC, hiding the names of the companies will somehow thwart the Chinese and Russians (who already dwell comfortably in the grid). The Trade Associations mirror this argument in their direct opposition to these FOIAs (see Exhibits C & D):

Even information that some may deem innocuous—such as revealing the names of UREs involved in a remediated NOP—can result in unintended consequences. For example, in some instances, a URE may have remediated a particular instance of regulatory noncompliance. However, that URE may have experienced a pattern of similar noncompliance—not because of a lack of will to fix, but because there are significant other factors at play. In addition, UREs face challenges in integrating modern information technology systems with older operational technology systems that were never designed with modern cybersecurity needs in mind. Sophisticated bad actors, like the ones discussed above, may be able to discern points of attack and vulnerabilities in publicly disclosed UREs based on their patterns of NOPs. The Trade Associations recognize that public access to information is important, and appreciate the goal of FOIA, but believe the line must be drawn where a requested disclosure might risk the security of the Bulk-Power System.

Another very reasonable inference to draw here is that the line was already “drawn” on the wrong side. For example:

• Might disclosing the names of the violators lead the public and Congress to assess how well the regulatory system is working?
• Might this information inform the public and Congress as to whether the current regulatory system has adequately thwarted threats to the grid?
• Also, might this information lead the public and Congress to conclude that better investment in the critical infrastructures is necessary?

These are public policy questions, not CEII.

Interestingly, NERC, the Trade Associations and the companies themselves put a lot of information about the companies and the industry as a whole on their websites. By their defective rationale, all information “in the aggregate” should be CEII. In fact, any information whatsoever about any of the 1,500 regulated entities by this bogus argument should be considered CEII. All websites should be shut down, and even our electric bills should not list the name of the company we are paying, lest these small pieces of “information in the aggregate” leads hackers to realize which utility is operating in that area, and thus helps to narrow the hacker’s target list.

Obviously, the forgoing illustration of the industry argument is ridiculous as is ultimately the industry argument itself. Why? Because there is only one piece of information that the industry is fighting vehemently to keep from the public: The names of regulatory violators.

Why is this one piece of information so sensitive to the industry? Because the name of a standard violator is the most essential piece of information to hold that utility accountable.

Public disclosure of the identity of law-breakers is a purpose of FOIA. The public has the right and Congress the obligation to examine this failed enforcement regime.

IX. The CEII Designation has expired in 195 of the 243 dockets in FOIAs 2019-0019 and 2019-0030.

To the extent that FERC may continue to argue that the names of the “UREs” constitute CEII, this argument fails on 195 of the requested dockets, including two of the three denied by FERC’s April 2, 2019 denial letter. In these two cases, the purported CEII designation made by NERC has expired. 18 CFR § 388.113(e)(1) provides that the designation of Critical Energy/Electric Infrastructure Information (CEII) “may last for up to a five-year period, unless re-designated.” One hundred ninety-five of the Commission dockets subject to these two FOIAs (See Exhibit M) were filed by NERC between July 6, 2010 and the date of this appeal. Each of these actions was filed over five years from the date of this appeal and, thus, the CEII assertion by the North American Electric Reliability Corporation (NERC) has expired in each docket. There is no public evidence that the CEII assertion has been re-designated. In fact, as I noted previously, there is no public evidence that NERC appropriately designated its NOP as CEII in the first place, as these NOPs were filed as “privileged,” not “CEII.”

I note that the regulation requires that: “In making a determination as to whether the designation should be extended, the CEII Coordinator will take into account information provided in response to paragraph (d)(1)(i) of this section, and any other information, as appropriate.”

18 CFR § 388.113(d)(1)(i) provides that, should NERC seek a re-designation of CEII for these dockets, NERC must for each of these dockets demonstrate “how the information, or any portion of the information, qualifies as CEII, as the terms are defined in paragraphs (c)(1) and (2) of this section.” [26]

18 CFR § 388.113(d)(1)(i) also provides that: “Failure to provide the justification or other required information could result in denial of the designation and release of the information to the public.” Because NERC has failed to seek re-designation for CEII on a timely basis for these 194 dockets, FERC should rule, as a matter of both current and future policy, that NERC has waived any purported interest in CEII re-designation.

Finally, the Commission has never ruled that the information withheld by the public in these 195 dockets is actually CEII—this is just the assertion of NERC. 18 CFR § 388.113(d)(iv) provides that:

The information for which CEII treatment is claimed will be maintained in the Commission’s files as non-public until such time as the Commission may determine that the information is not entitled to the treatment sought. By treating the information as CEII, the Commission is not making a determination on any claim of CEII status. The Commission retains the right to make determinations with regard to any claim of CEII status at any time, and the discretion to release information as necessary to carry out its jurisdictional responsibilities. [Emphasis added.]

Specifically, related to FERC’s April 2, 2019 FOIA denial letter, I note:

• NP14-30-000 was filed on 1/30/2014 (the purported CEII designation is expired)
• NP14-37-000 was filed on 3/31/2014 (the purported CEII designation is expired)
• NP14-39-000 was filed 4/30/2014 (the purported CEII designation expires on 4/29/2019)

X. The violations have long been mitigated; the names of the violators should be disclosed.

Once CIP standard violations have been mitigated, there can be no legitimate rationale for withholding names of the violators. If compliance with CIP standards truly protects electric grid systems, then the identities of utilities that have mitigated violations is evidence of security, not vulnerability.

Specifically, related to FERC’s April 2, 2019 FOIA denial letter, Exhibit N is the information on the violations relevant to this FOIA denial from NERC’s public website.[27] Each of the CIP violations for NP14-30-000, NP14-37-000 and NP14-39-000 have long been mitigated (see the highlighted “Mitigation Completion Date” column), and FERC has issued a final order (see “Notice of No Further Review Issued” column).

These cases are long ago closed and mitigated. There is no plausible argument that releasing the name of the violator would now be a threat to security.

XI. The specifics of the three denied NOPs do not support CEII designation of violators’ names.

The three NOPs covered in the April 2, 2019 FOIA denial letter from FERC—NP14-30-000, NP14-37-000 and NP14-39-000—disclose no information that could credibly aid attackers, even if the identities of the violations were to be disclosed. Specifically:

1. The locations and capacities of equipment are not disclosed.
2. The vendors used by the utilities are not disclosed.
3. Network configurations and IP addresses are not disclosed.
4. The description of the violations is idiosyncratic to the violating utilities and cannot be reasonably extended to other utilities.
5. All violations have long ago been mitigated (see Section X above and Exhibit N).

In summary, the apparent purpose of the NOPs is to support the assessment of NERC fines, and therefore technical details that could aid attackers, have not been included.

XII.  All settlements are required to be disclosed including the names of violators.

The three NOPs covered in the April 2, 2019 FOIA denial letter from FERC, NP14-30-000, NP14-37-000 and NP14-39-000, were all regulatory actions that resulted in settlement agreements. I hereby incorporate the argument made by the Foundation for Resilient Societies in FERC Docket NP19-4-000 (attached hereto as Exhibit O) that all settlement agreements are required to be public, including the names of the CIP violators. In sum, the Foundation for Resilient Societies argues:

FERC made a public commitment in Order 672 that “settlement agreements will be public”; this is inconsistent with NERC’s claim that settlement agreements are “privileged” or “CEII.” For Docket No. NP19-4-000 specifically, a redacted settlement agreement that would perpetually omit the identity of the standard violators will never be “public” in any meaningful way and therefore is in apparent violation of FERC Order 672.

CEII is defined by FERC as “specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure (physical or virtual) that…could be useful to a person planning an attack on critical infrastructure.” FERC has not given the public an explanation why the disposition of corrected standards violations should be classified as “CEII.” Standard violations that have been corrected by means of a settlement agreement do not fall within a commonsense interpretation of the CEII definition, because a corrected standard violation should be of minimal usefulness in planning an attack, or not useful at all.

This further rebuts the argument by the industry that 1) FERC has “told them” to omit the names of the CIP violators, and 2) that the names of standards violators are CEII. The CEII exemption simply does not apply and time after time, FERC orders have correctly concluded that the public is entitled to information on standards violators, and time after time, the industry has ignored the Commission’s orders. Unfortunately, up to now, the Commission has allowed this misbehavior.

XIII. Conclusion.

The Commission must now make a choice. Either:

1. Follow the clear mandates of the Freedom of Information Act and the Commission’s own orders and regulations. Or,
2. Be a captive regulator of an industry that has put America’s security at grave risk.

I await the Commission’s decision.

Sincerely,

Michael Mabee

Attachments: Exhibits A-O

CC: Charles A. Beamon, Associate General Counsel
Via Email: charles.beamon@ferc.gov

---

Click HERE for Exhibits

---

Footnotes:

[1] Specifically, FERC denied my request to supply the names of the entities that were subject to regulatory actions in FERC Docket Numbers NP14-30, NP14-37, and NP14-39. Note, my FOIA request was for specific documents. I requested: “the ’NERC Full Notice of Penalty’ version which includes the name of the registered entity (and which has been previously withheld from the public). In the instances where there was a ‘Spreadsheet NOP’ I request a copy of the spreadsheet that lists the name(s) of the entity subject to the regulatory action.” After negotiation with the FERC staff, and in order to reduce the staff’s burden, I agreed to accept the first page of the public version of the NOP with the name of the entity and the docket number entered onto the page.

[2] The industry euphemism for the entities whose names are withheld from the public is “Unidentified Regulated Entity” or “URE.”

[3] https://www.foia.gov/about.html (accessed April 12, 2019).

[4] While the determination letter dated April 2, 2019 makes no reference to my fee waiver request, I assume it was granted. If the issue must be revisited for any reason, I hereby incorporate my fee waiver request of December 18, 2018 by reference.

[5] The American Public Power Association (APPA), the Edison Electric Institute (EEI), and the National Rural Electric Cooperative Association (NRECA).

[6] I filed a separate, but related FOIA request on January 12, 2019 for Notices of Penalty on an additional 190 docket numbers. FOIA 2019-0030.

[7] Accession Number: 20190328-5292. Document Date: 3/28/2019

[8] FERC Docket 19-4-000. “Motion to Intervene and Protest of The American Public Power Association, The Edison Electric Institute, and The National Rural Electric Cooperative Association.” March 28, 2019. Page 11.

[9] Coats, Daniel R. “Worldwide Threat Assessment of the U.S. Intelligence Community” Senate Select Committee on Intelligence. January 29, 2019. https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR—SSCI.pdf (accessed February 5, 2019).

[10] Gorman, Siobhan. “Electricity Grid in U.S. Penetrated By Spies.” Wall Street Journal. April 8, 2009. https://www.wsj.com/articles/SB123914805204099085 (accessed April 12, 2019). Also, see a decade later: Smith, Rebecca. “America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It.” Wall Street Journal. January 10, 2019. https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112 (accessed April 12, 2019).

[11] U.S. Department of Energy Office of Inspector General. “Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security.” January 2011. https://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/doe-ig-report.pdf?csrt=4870345339811568870 (accessed April 12, 2019).

[12] See for example, the summary of the industry’s opposition to increased cybersecurity measures in my filing under Docket No. RM17-13-000 (Supply Chain Risk Management Reliability Standards) FERC Accession Number 20180326-5018. March 25, 2018.

[13] Available at: https://www.nerc.com/pa/comp/Pages/Registration.aspx (accessed April 12, 2019).

[14] Smith, Rebecca. “PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks.” Wall Street Journal. April 9, 2019. https://www.wsj.com/articles/pg-e-among-utilities-cited-for-failing-to-protect-against-cyber-and-physical-attacks-11554821337 (accessed April 12, 2019).

[15] David Ortiz, Deputy Director, FERC Office of Electric Reliability.

[16] Exhibit H is the U.S. Department of Justice Guide to the Freedom of Information Act, Exemption 7(F), page 653, et seq.

[17] Exhibit I is the U.S. Department of Justice Guide to the Freedom of Information Act, Exemption 3, page 207, et seq.

[18] Located at: https://www.ferc.gov/legal/ceii-foia/foia/ann-rep.asp (accessed April 12, 2019).

[19] 16 U.S.C. 824o-1(d)(1) Protection of critical electric infrastructure information

[20] The Fixing America’s Surface Transportation Act, Pub. L. No. 118-94, § 61003 (2015)

[21] 157 FERC ¶ 61,123. Pg. 17.

[22] 157 FERC ¶ 61,123. Pg. 24.

[23] Sobczak, Blake and Behr, Peter. “Duke agreed to pay record fine for lax security — sources” E&E News, February 1, 2019. https://www.eenews.net/energywire/2019/02/01/stories/1060119265?fbclid (accessed April 15, 2019).

[24] See Exhibits C and D which the Trade Associations filed as exhibits to their Motion to Intervene in FERC Docket NP19-4-000.

[25] Docket NP19-4-000 NOP pg. 56

[26] 18 CFR § 388.113(c)(1) defines Critical Electric Infrastructure Information as “information related to critical electric infrastructure, or proposed critical electrical infrastructure, generated by or provided to the Commission or other Federal agency other than classified national security information, that is designated as critical electric infrastructure information by the Commission or the Secretary of the Department of Energy pursuant to section 215A(d) of the Federal Power Act. Such term includes information that qualifies as critical energy infrastructure information under the Commission’s regulations. Critical Electric Infrastructure Information is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(3) and shall not be made available by any Federal, State, political subdivision or tribal authority pursuant to any Federal, State, political subdivision or tribal law requiring public disclosure of information or records pursuant to section 215A(d)(1)(A) and (B) of the Federal Power Act.”

18 CFR § 388.113(c)(2) defines Critical Energy Infrastructure Information as “specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that:

(i) Relates details about the production, generation, transportation, transmission, or distribution of energy;

(ii) Could be useful to a person in planning an attack on critical infrastructure;

(iii) Is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552; and

(iv) Does not simply give the general location of the critical infrastructure.”

[27] “Searchable NOP Spreadsheet” available at: https://www.nerc.com/pa/comp/CE/Pages/Enforcement-and-Mitigation.aspx (accessed April 15, 2019).

---

[wpedon id=”5868″ align=”center”]

---