FERC White Paper: We Need YOU In This Fight!

FERC White Paper Proposal Would Not Give The Public Enough Information

On August 27, 2019 the staffs of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) published a white paper and opened an administrative docket for public comment. The white paper proposes ending the longstanding Critical Infrastructure Protection (CIP) violator coverup. While this is a great leap forward for the Commission and NERC, the white paper proposal would not give the public, investors, Congress and other regulators enough information to evaluate CIP violators and the regulatory system. For this reason, I have submitted the alternate proposal below.

We need to be heard – You can help!

FERC is accepting comments on this white paper (FERC Docket No. AD19-18-000) until October 28, 2019. We need to all let the Federal Energy Regulatory Commission (FERC) know that the security of the electric grid is critical – secret regulation and coverups are unacceptable to the public. As a citizen, you have the right to file a comment in this docket and be heard! Below are some of the comments that have already been filed that you can look at for examples.

Tell the Commission in your letter that the public has the right to know the names of companies that violate the regulatory standards and we need sufficient details to make sure that the regulatory system is working! Tell the Commission that you support the alternate proposal submitted by Michael Mabee on September 3, 2019.

The deadline to file on this docket is October 28, 2019 so write your letter today and submit it online to FERC Docket Number AD19-18-000, or mail it in to FERC (Be sure to include the Docket Number in your letter). To submit YOUR own filing to FERC, download and use these instructions to file BEFORE 28 October! See below for helpful examples and remember, you’re submitting an eFiling – not eComments (see the instructions).

Submit to FERC online HERE (you need to register if this is your first time – see these instructions if this is your first time.)

or, submit by mail:

Federal Energy Regulatory Commission
Kimberly D. Bose, Secretary
ATTN: Docket No. AD19-18-000
888 First Street, NE
Washington, DC 20426

UPDATED: Read Comments Submitted to the Docket Here:

• Michael Mabee (U.S. Army Command Sergeant Major, ret.)
• George Cotter (former Chief Information Officer, NSA)
• Joseph M. Weiss (internationally renowned cybersecurity expert)
• David Jonas Bardin (General Counsel to U.S. Federal Power Commission [now FERC] during Eisenhower, Kennedy, Johnson, Nixon Administrations)
• Frank Gaffney (Founder, Center for Security Policy)
• Tommy Waller
• Michael Mabee on the role of transparency in preventing regulatory failures
• Congresswoman Ann McLane Kuster
• New Hampshire Office of Consumer Advocate
• New Hampshire Representative Kathy “Kat” McGhee
• New Hampshire State Rep. Donna Mombourquette 
• New Hampshire Representative David Woodbury
• New Hampshire Representative David Testerman
• Karen Testerman
• Foundation for Resilient Societies
• Louisiana Public Service Commission
• Connecticut Public Utilities Regulatory Authority, et. al.
• New Jersey Board of Public Utilities,et al.
• Aldrich B. Monahan Jr.
• Mortimore Kelly
• John W Russell
• Preston L. Schleinkofer
• Fred Reitman
• Dennis Hunt
• Dale Rowley
• Ken Sletten
• David Phelps
• Comment by a Concerned Citizen
• Task Force on National and Homeland Security
  
• Constance A. Zimmerman
• Mary S. Kass
• Terri Timmcke
• Reporters Committee for Freedom of the Press
• Alyssa A. Lappen
• Andrew Bumbak
• Jim LeBlanc
• Dennis P. Burke, SR
• Kenneth D. Chrosniak
• J. Dexter Smith
• Douglas Ellsworth
• Sara Z. Wood
• Henry W. Newton
• Richard Firth
• Valerie J. MacIntosh
• Stacey West
• Bradley A. Kropf
• Phiyllis Ulrich
• Foundation for Resilient Societies
• Theresa V. Hubbard
• Eunie Smith
• Joseph A. Voglund
• Frank Heindel
• DeNexus, Inc.
• Gabriel Frank
• Jerry R. Ladd and James M. Babcock, CIWRX, Inc.
• George E. Kondos
• Public Citizen, Inc.
• Eric Richter
• Sandra J. Lafleur
• New Mexico Public Regulation Commission (PRC)

UPDATE September 6, 2019

I was quoted in the Wall Street Journal about this FERC docket:
Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules

Michael Mabee, a New Hampshire security blogger who has pushed for fuller disclosure, said that “getting the names of the violators is a huge victory,” but he wants to know the identities of past violators too, and doesn’t think that information should be withheld because vulnerabilities are required to be fixed, when discovered.

Mr. Mabee previously filed Freedom of Information Act requests for the release of unredacted penalty case documents, believing that public attention will make utilities focus harder on security.

A U.S. Army veteran, Mr. Mabee said he was sensitized to the importance of a secure electric grid after seeing what happens when a society suffers protracted blackouts and worries that U.S. utilities are lax about protecting their assets against attack. He said that lengthy blackouts tear at social structures, and said he witnessed the effects in two tours of duty in Iraq, in providing humanitarian assistance to Guatemala after a hurricane and after being in Manhattan during the terrorist attacks of 2001 and in the Northeast after a major blackout in 2003.

“It’s like a Forrest Gump thing, where I’ve been present to witness so many disasters,” he said. “I took an oath to defend America and I see threats to the grid as a major threat against our country.”

 

UPDATE September 30, 2019

I was quoted in Inside CyberSecurity about this FERC Docket:
Energy regulators’ proposal to name violators of cyber standards complicated by cost, liability concerns

According to records examined by the security blogger and military veteran Michael Mabee, since 2010, NERC has been routinely concealing the identity of violators in the notices, listing them instead as “Unidentified Registered Entities.” In previous years, going back to 2008, NERC consistently named the entities, in addition to providing specific details, such as whether the “violation risk factor” was low, medium or high; the date mitigating actions were completed; how the violation was discovered — self-reported or through audit; and whether entities were “uncooperative” in settlement agreements.

In the first comment filed with the commission on the proposal, Mabee argues simply adding the name of the violator to all the information that’s currently available, “is not going to suddenly make all this publicly available information CEII,” especially since the violations are mitigated before they are revealed.

In this vein, he noted the potential consequence of companies dragging out “their mitigation plan for a long period of time — even years — in an effort to delay their name being exposed as a CIP violator.”

Overall, he said withholding penalty details by default would thwart their “use in statistical analysis” and “the White Paper proposal does not contain enough public information to allow for public, investor, Congressional and state scrutiny and evaluation of the violators and the regulatory system — activities that are critical to the security of the bulk power system.”

Update October 11, 2019

Read Our Op Ed in The Epoch Times
“Blackouts & Cover Ups: Why ALL Americans Must Work to ‘Secure the Grid’”

Click HERE for a PDF Version

Comments and Alternate Proposal

Submitted to FERC on September 3, 2019

Michael Mabee, a private citizen, respectfully submits comments and an alternate proposal on FERC Docket No. AD19-18-000, Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards. First of all, I commend the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) for proposing to seek more transparency in Notice of Penalty (NOP) filings. Such public transparency is critical to the security of the bulk power system as it provides an incentive for companies to comply with mandatory Critical Infrastructure Protection (CIP) standards. It also provides the means for public, investor, Congressional and state scrutiny and evaluation of the violators and the regulatory system.

Introduction

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

– Justice Louis D. Brandeis

Background and Public Interest in the Identities of CIP Violators

On February 28, 2018 NERC submitted a proposed Notice of Penalty to FERC on an “Unidentified Registered Entity” in Docket No. NP18-7-000. This entity was fined $2,700,000 for a massive cybersecurity breach that, according to NERC, posed a “serious or substantial risk” to the electric grid. This cybersecurity breach and the subsequent Notice of Penalty garnered much press attention.[1] Some of the press articles speculated that the “Unidentified Registered Entity” was actually PG&E Corp.[2] After numerous citizens intervened unsuccessfully in the docket, I filed a Freedom of Information Act (FOIA) request for the identity of the violator.[3] The press began to report on the issue of citizens demanding that the names of CIP violators be released.[4] FERC initially denied my FOIA request, necessitating that I file an appeal. Finally, on August 24, 2018, FERC released the name of the CIP violator (PG&E Corp.) to me. This information was reported on my blog[5] and in the press.[6]

This particular Notice of Penalty in Docket No. NP18-7-000 garnered a great deal of public comment as well as press coverage. This demonstrated that the identity of a CIP violator is a matter of legitimate public interest. It is important to note that to this day, the name of the violator in this docket is only available on my website and in the press articles. It has still not been released to FERC’s public docket or on NERC’s website. So even with names that are released under FOIA, a transparency issue remains.

After conducting extensive research, I determined that beginning on July 6, 2010, NERC began withholding the identities of the entities subject to regulatory action in Critical Infrastructure Protection (CIP) reliability standard Notices of Penalty submitted to FERC. (Prior to July 6, 2010, identities of CIP standards violators were disclosed by both NERC and FERC – see Exhibit A.) In fact, as of August 31, 2019 there have been a total of 255 FERC dockets involving almost 1,500 “Unidentified Registered Entities” or “UREs”, which is the industry euphemism for a CIP violator whose name is being withheld from the public.

I currently have FOIA requests filed for 253 out of these 255 dockets.[7] Note that my FOIA requests do not include all of the “Find, Fix and Track” (FFT) and “Compliance Exemption” (CE) cases. These FFT and CE cases are very difficult for the public to find, analyze and also must be included in this transparency initiative. The release of names of “Unidentified Registered Entities” pursuant to my FOIA requests has garnered additional press interest.[8] Upon information and belief, several other FOIA requests for Notices of Penalty cases were filed with FERC after I filed my initial FOIAs.[9] On February 5, 2019, I filed a petition for rulemaking to require the disclosure of the names of regulatory violators.[10] The Commission has not docketed my petition.

The Commission discussed this transparency issue at the June 27, 2019 FERC Reliability Technical Conference, and FERC was questioned on the transparency issue by the House Subcommittee on Energy on July 12, 2019.[11] Finally, on August 27, 2019, the Commission published a “white paper” and opened this administrative docket for public comment on the issue of disclosing the names of CIP violators.

The White Paper Proposal

The white paper proposes the following disclosure on NOP cases going forward:

“This White Paper proposes a new approach in which NERC would submit CIP NOPs containing a public cover letter and a confidential attachment. The cover letter would publically disclose:

(1) the name of the violator,

(2) the Reliability Standard(s) violated (but not the requirement or subrequirement violated), and

(3) the penalty amount.

NERC would provide details on the nature of the violation, mitigation activity, and potential vulnerabilities to cyber systems in a confidential attachment.”[12]

While I applaud the staffs of FERC and NERC for moving forward to engage in a public discussion about disclosure of the identities of CIP violators, the above proposal does not give the public, investors, Congress and other regulators the information needed to ensure that companies comply with their obligations to protect the critical infrastructure and to ensure that the regulatory system is working. Therefore, I propose an alternative approach.

Alternate Proposal

I have done a great deal of research, analysis and public dissemination of information about CIP violators and therefore believe I am well qualified to propose an alternate approach that will satisfy the public interest as well as protect the security interest of the critical infrastructure. In fact, you will note from my work that my primary interest and goal is the security of the electric grid.[13]

The White Paper proposal does not contain enough public information to allow for public, investor, Congressional and state scrutiny and evaluation of the violators and the regulatory system – activities that are critical to the security of the bulk power system.

I propose that the information required by the public, investors, Congress and state regulators consists of:

1. All information fields contained in the present NERC “Searchable NOP Spreadsheet”[14] including the name of the entity disclosed in the “Registered Entity” field.
2. Date violation discovered.
3. Duration of violation
4. How violation was discovered (e.g., self-report, audit, etc.)
5. A plain English (non-technical) description of each violation.
6. Aggravating and mitigating factors in penalty assessment
7. Settlement agreement

Below is a more detailed description of each data point and the reason it is needed by the public, investors, Congress and state regulators.

1. All information fields contained in the present NERC “Searchable NOP Spreadsheet” including the name of the entity disclosed in the “Registered Entity” field.
   • “Date”: This is the date the NOP was filed with FERC. This information is necessary to determine when a NOP was filed, as well as for various statistical calculations. For example, examining trends of the dates the matters are filed with FERC with the date the violations were discovered and the dates the violations are mitigated provides information on the effectiveness of the regulatory system.
   • “Regulatory Authority”: This field is not necessary unless there is a situation where there could be a regulatory authority other than FERC.
   • “Regulatory Filing ID”: This is the FERC “Docket Number” which is necessary in order to identify a case and to find documents related to the violation on FERC’s public system.
   • “Region”: This is necessary in order to do statistical analysis based on geographic location. It is also necessary to do comparison and analysis of performance between regions. As an example, using this field, I was able to determine that there were at least four undisclosed violations of vegetation management standards for transmission lines in the Western Interconnection – the same region where over 86 deaths occurred in the “Camp Fire” – the deadliest and most destructive wildfire in California history.[15] This is the same region where a “regulated entity” (PG&E) has significant liability for wildfires. These violations were mixed in with CIP violations and therefore were not disclosed to the public – despite the significant public interest in the fires and the possible involvement and liability of utility companies in that region.
   • “Registered Entity”: The name of the regulatory violator. This is necessary so the public, investors, Congress and other regulators can see which entities are violating CIP regulations and if there are repeat violators. This information is necessary for any public follow up with Congress or other regulators. Other regulatory agencies need this information as many BPS entities also fall under regulation by state Public Utilities Commissions, the U.S. Securities and Exchange Commission and other federal, state and local authorities.
   • “NCR ID (NERC Compliance Registry Identifier)”: This information is useful in relational databases as a database key (since the names of entities may not be spelled the exact same way in every violation). I note that this information is already available on NERC’s public website.[16]
   • “Total Penalty ($) (The total penalty amount represents an aggregate amount for the filing; it does not represent an amount per violation.)”: This is necessary so that the public, investors and Congress can understand the enforcement of CIP standards and also to evaluate the effectiveness of the enforcement regime.
   • “SA, NOCV, ACP, SNOP or OMNI”: The disposition of the violation is noted here and this information is necessary so that the public, investors and Congress can understand the enforcement of CIP standards and also to evaluate the effectiveness of the enforcement regime.
   • “NERC Violation ID”: This information is useful in relational databases as a database key since there can be multiple violations under each docket and often in data analysis, we will look at violations from multiple dockets. (e.g., to count how many violations of a particular standard or requirement were levied in a particular period, or in a particular region.)
   • “Reliability Standard”: This information is necessary in order for the public, investors, Congress and other authorities to know what general CIP violations are taking place. This field alone does not give the public sufficient information on the violation. Below is a listing of the current enforceable CIP “Reliability Standard[s]”.[17] The whitepaper proposes giving only “the Reliability Standard(s) violated (but not the requirement or subrequirement violated).” However, as you can see from the below listing of current CIP standards and titles, these broad descriptions are not enough for the public to fully understand the regulatory action taken:
     • CIP-002-5.1a Cyber Security – BES Cyber System Categorization
     • CIP-003-6 Cyber Security – Security Management Controls
     • CIP-004-6 Cyber Security – Personnel & Training
     • CIP-005-5 Cyber Security – Electronic Security Perimeter(s)
     • CIP-006-6 Cyber Security – Physical Security of BES Cyber Systems
     • CIP-007-6 Cyber Security – System Security Management
     • CIP-008-5 Cyber Security – Incident Reporting and Response Planning
     • CIP-009-6 Cyber Security – Recovery Plans for BES Cyber Systems
     • CIP-010-2 Cyber Security – Configuration Change Management and Vulnerability Assessments
     • CIP-011-2 Cyber Security – Information Protection
     • CIP-014-2 – Physical Security
   • “Req.”: The “Req.” field is the requirement of the standard. This added to the “Reliability Standard” field gives a slightly better description of the violation but does not give specific information that would be useful to an attacker. The white paper stated that the “the requirement or subrequirement violated” would not be released, but this must be reconsidered. For example, here is what a Physical Security Violation would look like with the requirments (“Req.”) added. As you can see, there is nothing here that would aid an attacker:
     • “Reliability Standard” violated: CIP-014-2 Physical Security
     • “Req.” violated: R1. Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.
     • Even if we add in the “subrequirement violated” there still is not usable information here that would assist an attacker. We can do the same exercise for all the Reliability Standards, requirements and subrequirements. Moreover, it is important to point out that when the violations have been mitigated – as the vast majority are before the NOP is even issued – the Reliability Standard, requirement and subrequirement alone do not give an attacker any actionable information.
   • “Violation Risk Factor (Lower, Medium, High)”: This is necessary for the public and others to             understand the gravity of the violation. It is important to point out that when the violations have been mitigated – as the vast majority are before the NOP is even issued – the “Violation Risk Factor (Lower, Medium, High)” does not give an attacker any actionable information.
   • “Risk Assessment (Minimal, Moderate, Serious)”: This is necessary for the public and others to understand the gravity of the violation. It is important to point out that when the violations have been mitigated – as the vast majority are before the NOP is even issued – the “Risk Assessment (Minimal, Moderate, Serious)” does not give an attacker any actionable information.
   • “Mitigation Completion Date”: This is critical for use in statistical analysis. For example: The amount of time between the discovery of a violation and the “Mitigation Completion Date” is instructive both on the entity’s sense of urgency to fix the violation, but also the regulator’s sense of urgency to find and abate the violation. Also, the amount of time between the “Mitigation Completion Date” and the date the NOP was filed with FERC is instructive as to the functioning of the regulatory regime.
   • “Notice of No Further Review Issued”: This is important because it indicates that FERC will not review the case and the NOP has become effective. It signals to the public that the regulatory action has been completed. As a note, it would be better for the public if this field contained the date of the FERC order (rather than a check mark). The date of the FERC order is publicly available elsewhere, but the public has to dig for each individual date.
2. Date violation discovered: This is critical for use in statistical analysis. For example, we can study the length of time between when a violation is discovered and the “Mitigation Completion Date.” Also, the amount of time between when violations are discovered and the NOP is filed with FERC.
3. Duration of violation: This is critical for the public, investors, Congress to understand the length of time they were at risk. It is important to point out that when the violations have been mitigated – as the vast majority are before the NOP is even issued – the “Duration of violation” does not give an attacker any actionable information.
4. How violation was discovered: (e.g., self-report, audit, etc.) This is important for the public and others to assess how well the companies and regulators are doing at locating violations. It is also important in understanding how the regulatory system is functioning.
5. A plain English (non-technical) description of each violation: I spoke with a well-respected journalist who pointed out it is helpful to journalists and the public for there to be a brief, non-technical explanation of the violation (e.g., what the company failed to do or what the violation was in general). Just the CIP standard and requirement are very broad and don’t give us even a basic appreciation of what occurred.
6. Aggravating and mitigating factors in penalty assessment: This is critical information for the public and others to appreciate how penalties are assessed. It is also necessary for the public to be able to evaluate the entity’s cooperation or lack of cooperation with the regulatory system.
7. Settlement agreement. It is critical for the public to know how these cases are resolved. For example, in some of the cases that were “settled,” the regulated entities were “uncooperative” (FERC Docket NP16-12-000) or “not fully transparent and forthcoming” (FERC Docket NP18-7-000). “Settling” with such bad actors raises many regulatory red flags and the public needs to analyze these FERC-approved transactions in more detail. Also, some entities do not admit to a violation in the settlement. While this is a common practice in settlements, the public must have the ability to scrutinize how regulators settle cases with the regulated community.

I should point out that all of the information above is presently available to the public with the exception of the name of the violator and the settlement agreement in cases prior to 2019.[18] Merely adding the name of the violator is not going to suddenly make all this publicly available information Critical Electric Infrastructure Information (CEII).

In fact, making the above information available will enhance accountability and ultimately result in a more secure bulk power system as both companies and regulators will have the proper incentive to work harder on CIP standard compliance. And the public and Congress will be able to evaluate the performance of our regulatory system.

Therefore, I propose that this modified list of information be the default disclosure on every future NOP case – unless NERC can specifically show how one of these pieces of information in a particular case would endanger the bulk power system. When that showing can be made (and is examined and approved by the Commission), then that one piece of information might be withheld in that particular instance.

Based on my analysis of past cases, I do not anticipate that this would happen often, If at all.

FERC and NERC regulatory vigilance is needed

Culture change is hard and takes time.

The industry trade associations – and even NERC itself – has fought vehemently against the release of the names of CIP violators since I first raised the issue by intervening in Docket NP18-7-000 on April 15, 2018 and filing FOIA 2018-0075 on April 13, 2018. I am encouraged that NERC now appears to realize that the transparency balance needs to be reexamined and is working with FERC though participation in this whitepaper to find a way forward.

However, the regulated industry is represented by trade associations who have not only fought against increased transparency, but threatened a regulatory mutiny if FERC begins to release the names of CIP violators.

The American Public Power Association (APPA), the National Rural Electric Cooperative Association (NRECA) and the Edison Electric Institute (EEI)[19] have thus far opposed any increased transparency. In a Motion to Intervene in Docket NP19-4-000, the Trade Associations threaten that if the Commission (FERC) releases the names of the regulatory violators, the industry may stop cooperating with regulators by “reconsidering” whether to self-report violations. [20] I filed reply comments on May 9. 2019 addressing the regulatory threat and numerous misrepresentations, including FERC’s alleged approval of the coverup of CIP violators names as well as misleading interpretations of Commission orders.[21]

I’m not concerned that the trade associators will oppose transparency by filing opposition in this docket – considering diverse opinions on the transparency issue is purportedly what this docket is all about. What concerns me is that the industry may try to subvert transparency by abusing NERC and FERC NOP procedures. For example, we see from Exhibit A and the underlying NOPs that mitigation is generally completed within reasonable timeframes. However, companies could, for example, drag out their mitigation plan for a long period of time – even years – in an effort to delay their name being exposed as a CIP violator.

FERC and NERC must remain vigilant – especially in the next few years – for attempts by the industry to avoid the name disclosure that they vehemently oppose.

Existing NOP Cases

FERC needs to disclose the names of the violators in the past NOP cases – almost all of which have been mitigated and the NOPs have become effective by FERC order. I have highlighted the “Mitigation Completion Date” in Exhibit A, which is a listing of all CIP violations from June 4, 2008 through August 29, 2019. When you look at the “Mitigation Completion Date” column and the “Notice of No Further Review Issued”[22] column, it appears that ALL NOPs up through December 2018 and many of the 2019 NOPs have been mitigated.[23]

Continuing to withhold the names of the violators in these already mitigated cases is making it appear more and more that there is something here to hide. Perhaps there is. Let’s get it all out in the open and deal with it. What I am convinced is not hiding in all these past mitigated and closed NOPs is CEII if merely the names of the violators are released.

Respectfully submitted by:

Michael Mabee

Click HERE for Exhibit A.

Footnotes:

[1] Blake Sobczak, E&E News. “Grid regulator issues ‘massive’ penalty over data exposure.” March 5, 2018. https://www.eenews.net/energywire/stories/1060075377/print (accessed August 31, 2019); Energy Policy Update. “NERC fines utility $2.7 million for cyber breach.” March 9, 2018. http://energypolicyupdate.blogspot.com/2018/03/nerc-fines-utility-27-million-for-cyber-breach.html (accessed August 31, 2019); Morgan Lewis. “Data Exposure by Vendor Leads to $2.7 Million NERC Penalty for Utility.” March 9, 2018. https://www.jdsupra.com/legalnews/data-exposure-by-vendor-leads-to-2-7-30103/ (accessed August 31, 2019); Dell Cameron, Gizmodo. “US Power Company Fined $2.7 Million Over Security Flaws Impacting ‘Critical Assets’.” March 13, 2018. https://gizmodo.com/us-power-company-fined-2-7-million-over-security-flaws-1823745994 (accessed August 31, 2019); Eduard Kovacs, SecurityWeek. “U.S. Energy Firm Fined $2.7 Million Over Data Security Incident.” March 14, 2018. https://www.securityweek.com/us-energy-firm-fined-27-million-over-data-security-incident (accessed August 31, 2019).

[2] Schwartz, Matthew J. BankInfoSecurity. “US Power Company Fined $2.7 Million Over Data Exposure.” March a4, 2018. https://www.bankinfosecurity.com/us-power-company-fined-27-million-over-data-exposure-a-10715 (accessed August 31, 2019); Cameron, Dell. Gizmodo. “US Power Company Fined $2.7 Million Over Security Flaws Impacting ‘Critical Assets’.” March 13, 2018. https://gizmodo.com/us-power-company-fined-2-7-million-over-security-flaws-1823745994 (accessed August 31, 2019).

[3] FOIA No. 2018-0075, submitted to FERC on April 13, 2018.

[4] Blake Sobczak, E&E News. “FERC pressed to name names in cybersecurity fine.” April 17, 2018. https://www.eenews.net/energywire/stories/1060079243 (accessed August 31, 2019); Alison Noon. Law360. “FERC Pressured To Disclose Cybersecurity Violators.” February 19, 2019. https://www.law360.com/articles/1130454/ferc-pressured-to-disclose-cybersecurity-violators (accessed August 31, 2019).

[5] See report: “PG&E endangered the grid – and tried to cover it up.” https://securethegrid.com/pge-endangered-the-grid/ (accessed September 1, 2019).

[6] Rebecca Smith. Wall Street Journal. “PG&E Identified as Utility That Lost Control of Confidential Information” August 24, 2018. https://www.wsj.com/articles/pg-e-identified-as-utility-that-lost-control-of-confidential-information-1535145850 (accessed August 31, 2019); Max A. Cherney. MarketWatch. “PG&E named as utility fined $2.7 million for cybersecurity breach.” August 24, 2018. https://www.marketwatch.com/story/pge-named-as-utility-fined-27-million-for-cybersecurity-breach-2018-08-24 (accessed August 31, 2019).

[7] FOIA 2019-0019 for URE dockets from 2014-2018, FOIA 2019-0030 for URE dockets from 2010-2013 and FOIA 2019-0099 for URE dockets from January 2019 through July of 2019.

[8] Rebecca Smith. Wall Street Journal. “PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks.” April 9, 2019. https://www.wsj.com/articles/pg-e-among-utilities-cited-for-failing-to-protect-against-cyber-and-physical-attacks-11554821337 (Accessed August 31, 2019); Alison Noon. Law360. “FERC Pressured To Disclose Cybersecurity Violators.” February 19, 2019. https://www.law360.com/articles/1130454/ferc-pressured-to-disclose-cybersecurity-violators (accessed August 31, 2019).

[9] The Commission should consider these NOPs “frequently requested records” under the Freedom of Information Act, 5 U.S.C. § 552(a)(2)(D)

[10] Incorporated by reference: “Petition for Rulemaking to Require Disclosure of Names of Regulated Entities Subject to Regulatory Actions by the Commission or by the Electric Reliability Organization” FERC accession number 20190205-5150. https://elibrary.ferc.gov/IDMWS/common/OpenNat.asp?fileID=15237718 (accessed September 1, 2019).

[11] I incorporate by reference the two video clips on the transparency issue from 1) the June 27, 2019 FERC Reliability Technical Conference and 2) the July 12, 2019 House Subcommittee on Energy hearing. These video clips are available at: https://securethegrid.com/cip-coverup/ (accessed August 31, 2019).

[12] Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards. Docket No. AD19-18-000, August 27, 2019. Page 10.

[13] See https://securethegrid.com/ (accessed August 31, 2019).

[14] Exhibit A is adapted from NERC’s “Searchable NOP Spreadsheet” https://www.nerc.com/pa/comp/CE/Pages/Enforcement-and-Mitigation.aspx (Information downloaded on August 29, 2019).It lists all CIP violations from Notices of Penalty from June 4, 2008 through August 31, 2019. One column was removed (“Regulatory Authority”) to allow the data to fit the width of the page.

[15] See report at: https://securethegrid.com/transmission-vegetation-management/ (accessed August 31, 2019).

[16] See: “NERC Active Compliance Registry Matrix” at https://www.nerc.com/pa/comp/Registration%20and%20Certification%20DL/NERC_Compliance_Registry_Matrix_Excel.xls (accessed August 31, 2019).

[17] See: https://www.nerc.com/pa/Stand/pages/cipstandards.aspx (accessed August 31, 2019).

[18] In 2019, NERC started making a redacted version of the settlement agreements available.

[19] Edison Electric Institute’s members include the government of the People’s Republic of China – one of the governments that the U.S. has accused of penetrating the electric grid in cyberattacks. See report at: https://securethegrid.com/edison-electric-institute-china/ (accessed August 31, 2019).

[20] “Motion to Intervene and Protest of The Trade Associations under NP19-4.” available at: https://elibrary.ferc.gov/idmws/file_list.asp?document_id=14756159 (accessed August 31, 2019).

[21] Incorporated by reference: “Reply Comments of Michael Mabee to Those of the Trade Associations under NP19-4-000.” Available at: https://elibrary.ferc.gov/idmws/file_list.asp?document_id=14769879 (accessed August 31, 2019).

[22] The “Notice of No Further Review Issued” column represents the issuance of the FERC order that the Commission will not review the NOP on their own motion.

[23] I note that several older dockets list “TBD” as the mitigation date, however, FERC has issued a final order, so I assume these are administrative errors in not being updated. These dockets are: NP15-32-000, NP14-40-000, NP14-40-000, NP14-40-000, NP13-45-000, NP13-45-000.