After floating the idea a year ago of outing violators of mandatory cybersecurity standards without sharing details of their violations, the Federal Energy Regulatory Commission announced a new policy Sept. 23 that, instead, bars any public disclosure of information relating to these violations.
The shift in position comes as the staffs for FERC and the North American Electric Reliability Corp. concluded, after reviewing comments on the initial proposal, that the substantial security risks to the bulk power system posed by disclosing violators and information on their noncompliance outweighed any transparency benefits, according to the joint staffs' second white paper on the topic (AD19-18).
At issue is the handling and confidentiality of notices of penalty submitted by NERC and processed by FERC, with some arguing for more transparency in the process and others concerned that more disclosure could harm grid security.
NOPs for violations of critical infrastructure protection reliability standards, which govern cybersecurity of the bulk power system, detail the nature of the violation, mitigation activities, and potential vulnerabilities from noncompliance. NERC does not name entities involved in CIP violations so as not to jeopardize bulk power system security by disclosing vulnerabilities that could be exploited by a potential adversary, the organization has said.
New procedure
But after that practice came under attack by public advocacy groups, FERC staff last year joined with NERC staff to prepare a white paper on possible changes to the NOP filing format to achieve a better balance of security and transparency. That white paper, issued Aug. 27, 2019, sought comment on a proposal that would disclose the identity of power companies, the reliability standards they violated, and the number of penalties they were assessed, but keep under wraps most other details about the violations.
Upon further review, and informed by comments, FERC and NERC determined that such a plan "is insufficient to protect the security of the bulk power system and does not fully implement the commission's legal authority to shield such information from public disclosure," they said in a joint staff white paper released Sept. 23.
"Going forward, NERC will file or submit CIP noncompliance information with a request that the entire filing or submittal be treated as [critical energy/electric infrastructure information]," they said in the white paper. "Commission staff will maintain the confidentiality of those filings and submittals by designating them as CEII in their entirety. Similarly, because of the risk associated with the disclosure of CIP noncompliance information, NERC will no longer publicly post redacted versions of CIP noncompliance filings and submittals."
Reaction
Consumer advocate offices, state representatives, and members of the public had urged FERC and NERC to be more forthcoming with information on cybersecurity violations.
The Foundation for Resilient Societies has been a vocal critic of the concealment of CIP violators' identities. "Foreign adversaries already know the cybersecurity vulnerabilities of our electric grid," Thomas Popik, the group's chairman and president, said in a Sept. 25 email. "Under FERC's non-disclosure process, it's just the American public that will be left in the dark."
Popik added that "the FERC position is self-defeating because it will be impossible to get significant funding for security improvements through the state public utility commissions without disclosing which utilities have violated cybersecurity and other reliability standards."
Industry groups, on the other hand, contended that outing violators could increase the number and success of focused cyberattacks as malicious actors could identify and target a company's problem areas.
The Edison Electric Institute applauded FERC and NERC for recognizing the existing risks and taking steps to protect CEII from disclosure that could "jeopardize national security and the reliability of the energy grid," EEI Vice President for Security and Preparedness Scott Aaronson said in an emailed statement.
Daniel Skees, a partner at the law firm Morgan Lewis, said in an interview Sept. 25 that he was "pleasantly surprised" by the new approach, which reflects the federal government's "heightened sensitivity to anything that could create cybersecurity risks for the electric system at this point."
Downside
The new position errs on the side of security and heeds recommendations from the Department of Energy. Skees added that while he understood from a security perspective the decision to also eliminate NERC's posting of redacted CIP noncompliance information, such action would be a loss for the regulated community.
He said those redacted posts provided a "positive feedback loop" on issues utilities were facing, how they fixed them, and mitigation measures, allowing others in the industry to learn from CIP violators' experiences and use that information to improve their own compliance and security protocols.
"Really the only downside of the new approach is that you no longer have that visibility into the issues that people across the industry are experiencing," Skees said.