FERC, NERC propose to publicly identify utilities violating cybersecurity standards

Dive Brief:

• The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) are seeking public comment on a joint white paper proposing to publicly identify violators of cybersecurity standards in the bulk electric system.
• The white paper, released Aug. 27, proposes that NERC would include a public cover letter with each notice that discloses the name of the violator, the reliability standards violated and the amount of penalties assessed, FERC said in a statement.
• The commission said that it has received an unprecedented number of Freedom of Information Act (FOIA) requests for non-public information for violations of the Critical Infrastructure Protection (CIP) reliability standards since 2018. Consumer advocacy group Public Citizen welcomes the proposed changes as a vocal critic of the current CIP standards, which are intended to encourage self-disclosure.

Dive Insight:

Safeguarding the U.S. power grid against a potential cyberattack remains a high priority for regulators and utilities alike. While there has been no loss of load in North America from a cyberattack, the threat is at an all-time high, according to NERC. 

The changes proposed in the white paper address the biggest complaints of the current reporting structure, which fails to identify the violator and the type of violation. NERC previously defended the CIP reporting structure by claiming that its confidentiality promotes self-reporting and keeps sensitive information out of the hands of potential attackers. 

U.S. lawmakers as well as advocacy group Public Citizen have raised concerns about this structure, claiming it protects utilities and other generating companies from prioritizing cybersecurity.

"If we're going to take cybersecurity seriously, we need to be serious about the way that NERC oversees the industry," Tyson Slocum, director of Public Citizen's Energy Program, told Utility Dive in July. "That means more affirmative use of audits and less reliance on self-reporting to handle enforcement and compliance matters."

Repeat offenses by some of the country's largest utilities — Duke Energy, PG&E and DTE Energy — have further called the industry's cybersecurity efforts into question.

White the white paper calls for more transparency, detailed information that might compromise the security of critical infrastructure, such as details regarding violations, mitigation and vulnerabilities, likely would be exempt from FOIA requests, FERC said in a release. 

Nevertheless, Public Citizen considers the proposed changes a step in the right direction, even though it expects industry pushback.  

"It's a huge success of Public Citizen's efforts to promote transparency that FERC is now proposing to require the public disclosure of Notice of Penalty violators," Slocum said in an email. "We applaud both FERC and NERC for agreeing to this needed reform. Of course, the White Paper promotes a proposed rule, so I am sure that the utility trade associations – Edison Electric Institute (EEI), American Public Power Association (APPA) and National Rural Electric Cooperative Association (NRECA) – will likely push back."

EEI noted that it appreciates FERC's recognition of the importance to protect information from disclosure.

"Even seemingly innocuous information that is self-reported can be exploited by sophisticated adversaries to target the energy grid. Protecting this information helps our members in their efforts to keep our nation’s electricity supply secure and reliable," Phil Moeller, EEI Executive Vice President of Business Operations Group and Regulatory Affairs, told Utility Dive in an email.

Meanwhile, FERC last week denied a request from multiple parties to name the unidentified registered entity that is the subject of the Notice of Penalty (NOP). 

"The current NOP process makes it difficult for the Commission to provide for a necessary level of transparency because the Commission must also ensure that we are not inadvertently providing information useful to someone seeking to attack critical electric infrastructure," Commissioner Richard Glick said in a statement. "Under the current approach, it is possible that identifying an offending party in an NOP might also reveal weaknesses in the entity's process for protecting critical infrastructure, inadvertently exposing the bulk power system."

However, Glick added that identifying repeat offenders could encourage management to take appropriate actions to avoid the attention that comes with being publicly identified as having significantly violated CIP standards.

Comments are closed.