Is the Tail Wagging The Dog in Grid Security?

NERC’s Performance Assessment Report: The Tail Wagging The Dog?

In an order issued on January 23, 2020 the Federal Energy Regulatory Commission (FERC) largely accepted the North American Electric Reliability Corporation’s (NERC) Five-Year Electric Reliability Organization (ERO) Performance Assessment Report. FERC’s  order in Docket RR19-7-000 finds that “NERC continues to satisfy the statutory and regulatory criteria for certification as the ERO, and find that the Regional Entities continue to satisfy applicable statutory and regulatory criteria.”

In English, this means that NERC will continue to be the regulator for the electric grid despite its well documented failure to secure the electric grid. How is this even possible? The answer, unfortunately is that we are seeing the electric utility industry as “the tail wagging the dog.” (The “dog” being the U.S. Government.) I have discussed this many times in the past:

• See how the industry has bought Congress: Money Talks, Grid Security Walks
• See how the industry has co-opted FERC: Why Thomas Popik should be a FERC Commissioner
• See how the industry throws tantrums: Regulatory Mutiny: The Grid Just Threatened FERC

Down the rabbit hole we go!

Let me take you on a guided journey through a bureaucratic document that affects the lives of all 329 million people in the United States.  I’ll point out some of NERC’s lies and misrepresentations (most of which the Commission bought).

But also, hidden between the lines of this legalese is a story of a few heroic career FERC employees who are trying to do the right thing. There are a few patriots at FERC who are putting the public interest first and attempting to hold NERC and the electric industry accountable. Even if their agency does not always do the same.

The numbers correspond to the paragraph numbers in the order. I have omitted the footnotes. Hold, your nose and here we go!

28. NERC states that during the assessment period, it enhanced its CMEP by: (1) researching and identifying noncompliance trends; (2) maintaining transparency over the final disposition of noncompliance; and (3) increasing procedural efficiencies. NERC explains its Alignment Process collects discrepancies in practices across the ERO Enterprise, which NERC then reviews, resolves, and tracks and reports publicly.

Really? “Transparency” and “reports publicly” are very misleading words to use in the context of NERC’s Compliance Monitoring and Enforcement Program (CMEP). As we know, there has been a massive cover up of the names of every single violator of Critical Infrastructure Protection (CIP) standard going back to 2010. In fact, I have filed a lawsuit against FERC on this very issue!

Here’s a good one:

31. NERC summarizes its bylaws and Rules of Procedure that assure its independence from users, owners, and operators of the Bulk-Power System while also assuring fair stakeholder representation in the selection of its directors and balanced decision making in any ERO committee or subordinate organizational structure. NERC states that its bylaws provide that NERC’s affairs are managed by an independent board of trustees plus the president of NERC, none of whom can be an officer, director, or employee of any entity “that would be perceived as having a direct financial interest in the outcome of board decisions, and may not have any other relationship that would interfere with the exercise of independent judgment in carrying out the responsibilities of a trustee.”  NERC’s trustees are nominated by a nominating committee comprised of independent trustees whose terms are not expiring and members of the Member Representatives Committee.

Let’s break that down. Although technically anybody can become a “member” of NERC, the membership structure stacks the deck in favor of the electric industry as far as the election of NERC’s “independent trustees” (the board that governs NERC). NERC accomplishes this shell-game by assigning all members to one of 12 groups. According to NERC rules:

Each member will join only 1 of 12 industry sectors and be eligible for selection as a sector representative on the NERC Member Representatives Committee (MRC). The MRC elects NERC’s independent trustees, votes on amendments to the bylaws, and provides advice and recommendations to the Board with respect to the development of annual budgets, business plans and funding mechanisms, and other matters pertinent to the purpose and operations of NERC.

So what are the “12 industry sectors?”

1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives

In other words, two sectors are customers and one is the government. The other nine are the electric industry. The electric industry gets 9 votes—the customers and the government get 3. If that is not a stacked deck, I don’t know what is.

Here’s another one where NERC stretches the truth:

55. NERC states that during the performance assessment period, it “continued to demonstrate its ability to develop Reliability Standards in support of a reliable and more secure grid,” citing standards development projects addressing physical security, geomagnetic disturbances, cybersecurity supply chain risk, enhanced cyber incident reporting, and transmission planning for single points of failure. NERC states that it evaluates whether reliability or technical risks require modification to Reliability Standards or development of guidance and that guidelines are important tools it uses to address reliability risks. NERC explains that, although reliability guidelines are not monitored or enforced, it uses guidelines when it needs to investigate a risk to reliability more thoroughly or when a potential Reliability Standard needs additional consideration prior to starting the standards drafting process. NERC adds that it is developing a repeatable process to determine when a risk to the Bulk-Power System requires development of a reliability guideline or a Reliability Standard.

Let’s start from the top. NERC asserts that it “continued to demonstrate its ability to develop Reliability Standards in support of a reliable and more secure grid.” Is this true on physical security? Nope. (READ THIS.) Is this true on geomagnetic disturbances? Nope. (READ THIS.) Is this true on cybersecurity supply chain risk and enhanced cyber incident reporting? Not really. (READ THIS.)

The second part is a little more disturbing. “Reliability Standards” are enforceable. “Reliability Guidelines” are not. First of all, many of us in the Secure the Grid Coalition believe that the current reliability standards, particular the CIP standards, are not adequate. Our view is shared by the Government Accountability Office (GAO) which just issued a report on the issue in August of 2019 entitled “Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid.”

Yet, NERC seems to want to do more non-enforceable “Reliability Guidelines” while the electric industry continues to try to water down any proposed CIP standards.

56. During the performance assessment period, NERC developed over twenty “Reliability and Security Guidelines” (compared to only two during the prior performance assessment period) addressing reliability risks. NERC also issued multiple lessons learned and alerts about newly-discovered risks in cyber security. Moreover, we understand that NERC is developing numerous additional guidelines relating to topics such as cyber security, natural gas fired generation fuel security, electromagnetic pulse, and inverter technology.

All seems well and good, but here is where some heroic career FERC employees threw down the bull shit card. Are these “Reliability Guidelines” even effective?

57. Given NERC’s increased reliance on guidelines, we believe that transparency regarding the effectiveness of those guidelines is necessary. However, we are not aware of any formalized written process to steer the development and approval of guidelines or to provide feedback to the NERC standard development process on whether the guideline is effective. Moreover, unlike the transparent standards development process, in at least some cases guidelines are based on the input of a limited number of interested participants and NERC staff’s perspective is unknown.

58. We appreciate that, as NERC states in the Performance Assessment, guidelines and lessons learned reflect the collective experience, expertise, and judgment of industry to suggest approaches or behaviors in a given technical area for improving reliability and that new and emerging risks may require tools to address reliability risks outside of Reliability Standard development.  Nevertheless, NERC’s process and criteria for determining whether and when to develop mandatory Reliability Standards versus voluntary measures to comply with section 215, and how NERC uses information gained from the issuance of a guideline to improve or develop a new Reliability Standard, are unclear. Our concern is highlighted by the fact that, although guidelines may be precursors to Reliability Standards, NERC has not yet formalized a transparent process for evaluating when components or language found in a NERC guideline should be incorporated into the Reliability Standards.

59. We direct NERC to explain in the ninety (90) day compliance filing: (1) its guidance development process; including how and when it evaluates the need to develop, approve, and post a guideline document; (2) the methodology and metrics NERC proposes to use to determine if that guidance document is addressing the risks that led to its development; and (3) how and at what interval NERC will evaluate whether components of the guidance document should be incorporated into the Reliability Standards.

Kudos to the FERC staff. Clearly, someone at FERC is not convinced that these unenforceable “Reliability Guidelines” are effective.

Here’s another important one that the FERC staff caught. Bear with me.

80. When we originally approved the NERC Sanction Guidelines, we agreed with NERC that they “are not intended to establish fixed penalty amounts; they instead provide flexible guidance as establishing an appropriate amount within the range of applicable penalties.”  We continue to support the understanding that the Sanction Guidelines should provide NERC and the Regional Entities “flexibility in fashioning an appropriate response to a violation.”  However, the ERO’s approach to enforcement has since evolved to a risk-focused methodology without a corresponding update to its Sanction Guidelines.  We have identified certain potential areas of improvement within the Sanction Guidelines to ensure that NERC and the Regional Entities continue to implement the risk-based CMEP in a reasonable and transparent manner, and that the Commission will maintain a meaningful oversight role.

81. We direct NERC to amend its Sanction Guidelines in the 180-day compliance filing to provide more transparency in those guidelines as to how NERC and the Regional Entities apply the Base Penalty, Adjustment Factors and Non-Monetary Sanctions, and to submit for Commission review any “tools or formulae” used to implement the Sanction Guidelines.

82. NERC should ensure that its revised Sanction Guidelines reflect how NERC and the Regional Entities currently apply the various factors when determining penalties. First, the revisions should explain how NERC and the Regional Entities choose the base penalty amount within the range based on violation risk factor and violation severity level (i.e., section 3.1 and 3.2 of the Sanction Guidelines). Second, the revised guidelines should detail the potential range for aggravating factors applied to the base penalty amount for: (1) risk; (2) duration of violations; (3) size of the entity; (4) management involvement; (5) repetitive violations; and (6) any other factors applied to increase the base penalty amount. NERC should ensure the revised guidelines similarly detail the potential range of mitigating factors applied to reduce the resulting penalty amount for: (1) settlement; (2) self-reporting; (3) admission; (4) internal compliance program; (5) cooperation; and (6) any other credits used to decrease the base penalty amount. Finally, the revised guidelines should address: (1) whether and/or how non-monetary sanctions will be considered in reaching the final penalty amount; (2) how NERC and the Regional Entities will assess a penalty which bears a reasonable relation to the seriousness of the violation and the size of the violator when dealing with multiple subsidiaries of a parent corporation that commit the same violations; (3) how NERC and the Regional Entities will calculate a single penalty for multiple violations by a single entity; and (4) how NERC and the Regional Entities consider “the violator’s financial ability to pay the Penalty,” so that “no Penalty is inconsequential to the violator to whom it is assessed,” as provided in section 2.6 of the current Sanction Guidelines.

Here is why this is critical: In my analysis of the (presently) 259 CIP dockets since 2010 almost all of them resulted in settlement agreements or were agreed to by the violating entity. This means that there is an appearance that the violators largely negotiate a “penalty” that they are willing to pay. Sometimes that may be appropriate, but if that is the norm, then the penalties just become a negotiable “cost of doing business.” In other words, they lose their value as a deterrent to future bad conduct.

We have even seen instances where in some of the cases that were “settled,” the regulated entities were “uncooperative” (FERC Docket NP16-12-000) or “not fully transparent and forthcoming” (FERC Docket NP18-7-000). “Settling” with such bad actors raises many regulatory red flags and the public needs to analyze these FERC-approved transactions in more detail.

Again, kudos to FERC’s staff for calling NERC out on this important issue.

One last example. This one is chock full of bureaucratic acronyms, but I’ll explain in a moment.

69. It also appears that over time NERC’s description of the relationship between the E-ISAC and the ESCC and the MEC has changed. For example, in NERC’s 2017 business plan and budget filing NERC explains that the E-ISAC “coordinates” with the ESCC and the MEC. But in the Performance Assessment, NERC describes the MEC as “providing strategic oversight and guidance” to the E-ISAC. More recently, in its 2020 business plan and budget filing, NERC states that it was the MEC that approved the E-ISAC long-term strategic plan. Accordingly, NERC has variously described the relationship between the E-ISAC and the MEC as one of coordination, but also one in which the MEC provides the E-ISAC with strategic oversight, and where the MEC is responsible for approving aspects of the E-ISAC. Based on these differing descriptions and given the increasing size, scope, and importance of the E-ISAC, we believe additional information describing the relationship between the MEC and the E-ISAC is warranted and would help provide a better understanding of how the E-ISAC works to support NERC’s other statutory FPA section 215 functions.

70. We direct NERC in the ninety (90) day compliance filing to further elaborate on the relationship between the E-ISAC and the MEC. In particular, NERC should describe how the MEC provides “strategic oversight and guidance” to guide and support the EISAC, as noted in the Performance Assessment, as well as what other aspects of the EISAC, if any, the MEC is responsible for approving.

That was a mouthful. Here’s what the acronyms mean and why this is important.

• E-ISAC: Electricity Information Sharing and Analysis Center. This is a “a division of the North American Electric Reliability Corporation” (NERC) whose mission is: “The E-ISAC reduces cyber and physical security risk to the electricity industry across North America by providing unique insights, leadership, and collaboration.”
• ESCC: Electricity Subsector Coordinating Council. It is “The CEO-led Electricity Subsector Coordinating Council (ESCC) serves as the principal liaison between the federal government and the electric power industry.” Members of ESCC include the Edison Electric Institute (EEI), whose members include the government of the People’s Republic of China. EEI is on ESCC’s Steering Committee. This group admittedly represents the electric power industry.
• MEC: Member Executive Committee. This is a committee of ESCC. This group represents the electric power industry.  According to an ESCC document, “In 2015, the ESCC formed the MEC to advise the E-ISAC on ways in which the industry can speed delivery and analysis of potential threats to the power system. The MEC provides industry leadership and expertise to guide and support the E-ISAC vision and mission.“

The E-ISAC serves a critical function in the security of the grid. In a nutshell, the above paragraphs mean that somebody at FERC is clearly concerned about the undue influence of the ESCC (i.e., the electric industry) over the operations of E-ISAC.

Again, kudos to some patriotic FERC employees for trying to hold NERC and the electric industry accountable.

When you have the tail wagging the dog, the type of dog is critical.

I have long felt that FERC is a captive regulator. Fluffy the poodle, in terms of dogs. Occasionally in a regulatory system, you need a bigger dog.

I am glad to see that FERC still has a few snarling Dobermans on their staff who are trying to protect us.

###