Regulatory Mutiny: The Grid Just Threatened FERC
The electric grid just threatened the federal government with a regulatory mutiny if the names of their regulatory violators are revealed to the public.
Perhaps a bit of background is in order. There is a little known battle playing out in an obscure docket before an even more obscure federal agency, the Federal Energy Regulatory Commission (FERC). In this battle, members of the Secure the Grid Coalition are taking a stand against an industry coverup that is endangering you and your family (not to mention, the national security of the United States).
The issue is simple: Since July of 2010, the North American Electric Reliability Corporation (NERC) has been covering up the identities of companies who violate Critical Infrastructure Protection (“CIP”) standards, including cybersecurity and physical security protections. The industry euphemism for these covered up violators is “Unidentified Registered Entities.” Between 2010 and 2018 this involved 243 FERC dockets and at least 1,465 “Unidentified Registered Entities” related to these dockets who violated CIP standards. None of these “Unidentified Registered Entities” has yet been identified to the public by either NERC or FERC even though they have been subject to regulatory action overseen by the United States government. These actions all claim that the violations have been “mitigated,” so there is absolutely no national security argument that the identities of these entities and the settlement agreements should still be withheld from the public.
The fact is that the electric utility industry does not want to be held accountable for their lack of action on cybersecurity and physical security. By not releasing the names of the violators, the industry has been shielding itself from criticism and scrutiny by the public, state regulators and Congress. The industry has consistently fought against more stringent CIP standards in rulemaking, arguing that such strict standards are “unduly burdensome.” Meanwhile, we know for a fact that Russian and Chinese cyberattackers have been inside the electric grid for at least a decade:
- Read 2009 article – Wall Street Journal: “Electricity Grid in U.S. Penetrated By Spies”
- Read 2019 article – Wall Street Journal: “America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It.”
So, if keeping the names of the CIP violators from the public was going to make us safer, wouldn’t it have worked by now? Clearly, our safety is not the point of hiding the names. NERC’s “Double Secret Probation” grid coverup is happening because the electric utility industry wants anonymity and cover for their minimalistic approach to electric grid security.
The fight is shaping up around the issue of a $10 million penalty NERC imposed on January 25, 2019 against unnamed companies that committed 127 violations of Critical Infrastructure Protection (CIP) standards over several years. The press has since outed Duke Energy Corp as the violator, but neither NERC nor the U.S. government has acknowledged this.
Initially, the consumer advocacy group Public Citizen Inc. and I filed Motions to Intervene, both requesting that FERC release the name of the violator to the public docket. Our motions were followed by several members of the Secure The Grid Coalition:
- Click here for Motion to Intervene of Michael Mabee
- Click here for Motion to Intervene of Public Citizen, Inc.
- Click here for Motion to Intervene of Dale Rowley #1
- Click here for Motion to Intervene of Dale Rowley #2
- Click here for Motion to Intervene of Karen Testerman
- Click here for Motion to Intervene of Foundation for Resilient Societies
- Click here for Motion to Intervene of Dr. Fred Reitman
- Click here for Motion to Intervene of George R Cotter, Esq.
- Click here for Motion to Intervene of Henry W Newton
- Click here for Motion to Intervene of David K Testerman
- Click here for Motion to Intervene of Frank Gaffney
- Click here for Reply Comments of Foundation for Resilient Societies
- Click here for Reply Comments of Michael Mabee
- Click here for Motion to Intervene of Douglas E. Ellsworth
- Click here for 2nd Motion to Intervene of George R. Cotter, Esq.
- Click here for Motion to Intervene of Kenneth D. Chrosniak
The Electric Utility Industry Yells “Arrgggh!” (Or Perhaps “Waah”?)
The fight is getting ugly—now the entire industry through its three Trade Associations is threatening FERC with what can only be described as a regulatory mutiny. The American Public Power Association (APPA), the Edison Electric Institute (EEI), and the National Rural Electric Cooperative Association (NRECA) have filed a Motion to Intervene in which they misrepresent several key issues. The Trade Associations also threaten that if the Commission (FERC) releases the names of the regulatory violators, the industry will stop cooperating with regulators by “reconsidering” whether to self report violations!
As I point out below, the industry’s reaction to the calls for transparency is like a child throwing a tantrum when they don’t get their way. Industry hissy fits notwithstanding, the misrepresentations and threats are not going unanswered! The Secure the Grid Coalition has replied to the Trade Associations’ motion:
- Click here for Reply Comments of Michael Mabee (also published below)
- Click here for Reply Comments of Foundation for Resilient Societies
FERC extended the docket until July 26, 2019. This type of docket is normally only open for 30 days and then the Commission rubberstamps the Notice of Penalty (NOP). However, in this instance, FERC has now extended the time on this docket twice while it considers what to do.
You can join us and be heard!
We need to all let the Federal Energy Regulatory Commission (FERC) know that the security of the electric grid is critical—secret regulation and coverups are unacceptable to the public. You have the right to file a “Motion to Intervene” in this docket and be heard! The deadline to file on this docket is July 26, 2019 so write your letter today and submit it online to FERC Docket Number NP19-4-000, or mail it in to FERC (Be sure to include the Docket Number in your letter).
Submit to FERC online HERE (you need to register if this is your first time)
or, submit by mail:
Federal Energy Regulatory Commission
Kimberly D. Bose, Secretary
ATTN: Docket No. NP19-4-000
888 First Street, NE
Washington, DC 20426
My reply comments to the Trade Associations’ motion are below.
###
Michael Mabee, a private citizen, requests the Commission’s leave to file reply comments to the Motion to Intervene of the American Public Power Association (“APPA”), the Edison Electric Institute (“EEI”), and the National Rural Electric Cooperative Association (“NRECA”), (collectively, the “Trade Associations”).
I. Background
On March 28, 2019, the Trade Associations filed Motions to Intervene in Docket No. NP19-4-000 and 192 other FERC dockets in which the names of the Critical Infrastructure Protection (CIP) standards violators were withheld from the public by NERC.[1] The Trade Associations’ filings were prompted by my Motions to Intervene in these 193 dockets, requesting that the Commission release the names of the standards violators to the public and not allow the industry to continue this coverup. The Trade Associations are also apparently using their motions in these dockets as a forum to fight two FOIA requests that I have pending before the Commission.[2]
II. The Trade Associations Misrepresented FERC’s Role in the Industry Coverup
In the Trade Associations’ March 28, 2019 motions, they refer to an alleged agreement between the Commission and NERC to intentionally withhold the names of CIP violators since 2010:
“The Trade Associations understand that in 2010 NERC and the Commission intentionally chose to post only the public versions of the Notices of Penalty without the names of the entities to address security concerns because the names, when combined with information on the violations and penalties, were considered CEII. In addition to the entity names, details on cybersecurity vulnerabilities and mitigation measures that can be used by an attacker to determine which entity to target; what device or system to target; and how to target that entity, device, or system were also intentionally left out of the public versions.”[3] [Emphasis Added.]
This statement is not true. On April 1, 2019 I filed a Freedom of Information Act (FOIA) request[4] with the Commission requesting documentation of this alleged agreement between the FERC and NERC described in the Trade Associations’ motions. A copy of this request is attached hereto as Exhibit B. On April 30, 2019, The Commission responded to the FOIA request stating that there were no responsive documents. A copy of the Commission’s response is attached hereto as Exhibit C.
In other words, this proves that there are no records that the Commission ever agreed with the scheme to wholesale withhold all the names of all the CIP violators in perpetuity from the public as the Trade Associations allege. Therefore, when NERC initiated this practice in 2010, they did so with no written approval from the Commission. The Trade Associations have attempted to mislead the Commission staff and the public by falsely asserting that there was an agreement by FERC to perpetuate this industry coverup.
III. The Trade Associations Misrepresented FERC’s Orders
The Trade Associations claim in their objections to my FOIAs which they attached as exhibits to their NP19-4 Motion to Intervene:
For these reasons, the Commission should not release the documents requested. Also, this information has previously been protected by the Commission from public disclosure.[FN 4] As discussed below, this is not a new policy, but one carefully crafted by the Commission over nine years ago in its 2011-2012 Find, Fix, and Track and Report (“FFT”) proceeding—an open and transparent proceeding in which stakeholders and the public were able to weigh in on policy concerns, ultimately striking a careful balance between information disclosure and national security throughout the six months of that proceeding.[FN 5]
FN 5 See FFT Order, 138 FERC ¶ 61,193 (Mar. 15, 2012).
[Emphasis added.] This statement is not true. In fact, FERC’s order (138 FERC ¶ 61,193) says the opposite:
67. NERC asserts that, with regard to the FFT informational filings, the Commission’s regulations do not appear to permit public disclosure of confidential information that is not included in a Notice of Penalty. Therefore, NERC proposes that the FFT informational filings will not publicly disclose identification of registered entities.
68. We disagree with NERC on this issue. Section 39.7(b)(4) of our regulations provides that “[e]ach violation or alleged violation shall be treated as non-public until the matter is filed with the Commission as a notice of penalty or resolved by [an admission of violation] or a settlement or other negotiated disposition . . ..” We do not see this provision of our regulations as preventing the disclosure of the identity of an entity that is the subject of an FFT matter. First, the regulation is intended to prevent the public disclosure of an entity subject to an ongoing compliance matter. The FFT informational filing results in closure of a compliance matter before NERC. Thus, similar to the filing of a Notice of Penalty with the Commission, the submission of a FFT filing is the appropriate time for disclosure. Moreover, it is reasonable to view the closure of a possible violation pursuant to the FFT informational filing as the product of a “negotiated disposition” that NERC may file on a public basis pursuant to the first sentence of section 39.7(b)(4). Because there may be similarly situated registered entities, public disclosure of the identity of the entity in an FFT informational filing will provide industry with valuable information on compliance issues. Further, public disclosure will make the full information regarding an FFT matter available to state regulators and the public, thus, providing additional accountability and deterrence.
69. However, section 39.7(b)(4) of our regulations also provides an exception that “[t]he disposition of each violation or alleged violation that relates to a Cybersecurity Incident or that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be non-public unless the Commission directs otherwise.” This exception will continue to apply in the FFT context.
[Emphasis Added, internal citations omitted.]
Of course, the “Cybersecurity Incident” exception does not apply here, as 18 CFR § 39.1 defines “cybersecurity incident” as:
Cybersecurity Incident means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.
There is no allegation in the NP19-4-000 NOP of a malicious act or suspicious event that disrupted or attempted to disrupt the Reliable Operation of the Bulk-Power System. This was simply a regulatory action after instances of noncompliance of CIP standards were discovered, either through self-reports or regulatory audits.[5]
Nor does the second prong of § 39.7(b)(4), which provides that “[t]he disposition of each violation…that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be non-public unless the Commission directs otherwise,” apply here. First, the second prong does not apply to the names of the violators – only the dispositions. Second, for all of the reasons discussed in my Motion to Intervene,[6] it is outlandish to claim that the withholding of all the names of all the regulatory violators in perpetuity will somehow protect the security of the Bulk-Power System. This may be the way the electric utility industry would like their regulatory scheme to continue, but it is not the way that an effective regulatory system works in a free society.
Specifically, as discussed in my Motion to Intervene, there are no circumstances or arguments made by NERC or the Trade Associations in the NP19-4-000 NOP which would indicate that withholding the name of the violator is necessary for the security of the Bulk-Power System. In fact, customers and investors have a right to follow up with the violator. State regulators and Congress also may have an interest in following up with the violator. This is why the Commission noted that “public disclosure will make the full information regarding an FFT matter available to state regulators and the public, thus, providing additional accountability and deterrence.” The same applies to NOPs which the regulations also require to be disclosed to the public – including the names of the violators.
Thus, the Trade Associations have made two egregious misrepresentations in their filings in these dockets. I noted instances in my Motion to Intervene in Docket NP19-4-000 of NERC making similar misrepresentations of FERC orders and regulations.[7] It appears that there may be a deliberate effort by the industry, including NERC and the Trade Associations to mislead the Commission and the public by misrepresenting Commission orders and regulations in the public dockets. Such behavior is repugnant to the public interest and should not be tolerated by the Commission.
But it gets worse.
IV. The Trade Associations Threaten the Commission with a Regulatory Mutiny
The Trade Associations’ Motions to Intervene contain a not so thinly veiled threat:
“If the Commission begins releasing entity names in addition to the information already made public in the posted Notices of Penalty, then Registered Entities may re-evaluate whether they will continue to self-report security information knowing that providing such information to their regulators may be disclosed to the public, including to people seeking to attack their systems. In addition, Registered Entities also may re-evaluate what information is included in their mitigation plans.”
This is an extraordinary threat that the entire industry represented by the Trade Associations, and who are subject to mandatory reliability standards under federal law,[8] will essentially engage in a regulatory mutiny if the Commission decides to release the names of regulatory violators to the public, as its past orders and regulations require.
To justify this threat, the Trade Associations mirror NERC’s argument in the NP19-4-000 NOP that any little piece of information contributes to “information in the aggregate” which would assist hackers. Therefore, according to NERC and the Trade Associations, hiding the names of the companies will somehow thwart the Chinese and Russians (whose cyberattackers already dwell comfortably in the grid). The Trade Associations state in the appendices to their Motions to Intervene:[9]
“Even information that some may deem innocuous—such as revealing the names of UREs involved in a remediated NOP—can result in unintended consequences. For example, in some instances, a URE may have remediated a particular instance of regulatory noncompliance. However, that URE may have experienced a pattern of similar noncompliance—not because of a lack of will to fix, but because there are significant other factors at play. In addition, UREs face challenges in integrating modern information technology systems with older operational technology systems that were never designed with modern cybersecurity needs in mind. Sophisticated bad actors, like the ones discussed above, may be able to discern points of attack and vulnerabilities in publicly disclosed UREs based on their patterns of NOPs. The Trade Associations recognize that public access to information is important, and appreciate the goal of FOIA, but believe the line must be drawn where a requested disclosure might risk the security of the Bulk-Power System.”
Another very reasonable inference to draw here is that the line was already “drawn” on the wrong side. For example:
- Might disclosing the names of the violators lead the public and Congress to assess how well the regulatory system is working?
- Might this information inform the public and Congress as to whether the current regulatory system has adequately thwarted threats to the grid?
- Also, might this information lead the public and Congress to conclude that better investment in the critical infrastructures is necessary?
These are public policy questions, not CEII.
Interestingly, NERC, the Trade Associations and the regulated companies themselves put a lot of information about the companies and the industry as a whole on their websites. By their defective rationale, all this “innocuous” information should be CEII. In fact, by this bogus argument, any information whatsoever about any of NERC’s 1,500 regulated entities should be considered CEII. All utility websites open to the public should be shut down, and even our electric bills should not list the name of the company we are paying, lest these small pieces of “innocuous” information in the aggregate lead hackers to realize which utility is operating in that area, and thus help to narrow the hacker’s target list.
Obviously, the foregoing illustration of the industry argument is ridiculous, as ultimately is the industry argument itself. Why? Because there is only one piece of information that the industry is fighting vehemently to keep from the public: the names of regulatory violators.
Why is this one piece of information so sensitive to the industry? Because the name of a standard violator is the most essential piece of information to hold that utility accountable.
For the industry to threaten the federal government with a regulatory mutiny if the names of their regulatory violators are revealed to the public is stunning. Such a threat, if carried out, would endanger the bulk power system – it is not the release of the names that would cause the danger – it is the industry’s refusal to be regulated.
For any entities that choose this route – the regulatory equivalent of a child throwing a snit in the cereal aisle – NERC and FERC should ensure that these entities enjoy the maximum benefit of the penalties using their lack of self-reporting as an aggravating factor.
V. Conclusion
The Commission should disregard the Trade Associations’ motions and comments in these 193 dockets and proceed to correct the industry’s coverup, starting with the name of the violator in NP19-4-000, which should be immediately disclosed in the public docket. The names of the violators in the 192 dockets with expired CEII designations should also be immediately disclosed to the public.
Neither NERC nor the Trade Associations have provided any compelling reason to withhold this information any longer from Congress, state regulators and the public.
Respectfully submitted by:
Michael Mabee
Click HERE for exhibits to my reply comments
Footnotes:
[1] Exhibit A is a list of the 192 dockets other than NP19-4-000.
[2] FOIAs #2019-0019 filed December 18, 2018, amended on January 4, 2019 and #2019-0030 filed on January 12, 2019. The Trade Associations included as appendices to their filing in these 193 dockets two letters to the Commission in opposition to my FOIA requests and argue in their filing in these dockets that the Commission should deny my FOIA requests.
[3] Motion of Trade Associations in FERC Docket NP19-4 (as well as the 192 additional dockets listed on the motion) at page 14.
[4] FOIA #2019-0061.
[5] The same applies to the other 192 dockets listed in Exhibit A. To my knowledge, none allege “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.”
[6] Motion to Intervene of Michael Mabee Filed in Docket NP19-4-000 on February 21, 2019, Accession Number: 20190221-5025.
[7] Ibid., pages 5-9.
[8] 16 U.S. Code § 824o(b)(1) (Electric reliability) provides that: “The Commission shall have jurisdiction, within the United States, over the ERO certified by the Commission under subsection (c), any regional entities, and all users, owners and operators of the bulk-power system, including but not limited to the entities described in section 824(f) of this title, for purposes of approving reliability standards established under this section and enforcing compliance with this section. All users, owners and operators of the bulk-power system shall comply with reliability standards that take effect under this section.” [Emphasis added.]
[9] Exhibits B & C