
The Electric Utility Industry Lacks Effective Regulation


FERC Must Hold Electric Utility Industry Accountable

I previously described what smells like an electric utility industry cover-up of a massive cyber breach which endangered the electric grid – and endangered countless American lives. In sum, a large utility company exposed a massive amount of data that could enable hackers or state actors to gain access to the electric grid. This appears to be a major violation which jeopardized the reliability of the electric grid. [Click here for details.]

We are talking about a threat to national security. We already know for a fact that the Russians have hacked into the electric utility industry. We know for a fact that the Iranian Revolutionary Guard has hacked into numerous government entities including the Federal Energy Regulatory Commission (FERC) – the electric grid’s federal regulator. And we know for a fact that North Korean hackers have also targeted the electric grid.

Yet the regulatory response of the North American Electric Reliability Corporation (NERC) and the Western Electricity Coordinating Council (WECC) to this massive data breach amounted to an “oopsy.” The unidentified utility agreed to pay a paltry 2.7 million dollar fine, did not admit fault and had its identity withheld in the regulatory filings on the incident. This provides no incentive to companies in the electric utility industry to protect the grid. If they violate cyber security standards, they can essentially get away with it.

The public has a right to know who endangered them and the details of the “settlement.” So, yesterday I filed a motion to intervene in the case with the Federal Energy Regulatory Commission (FERC), requesting that the federal government review this matter and disclose the name of the company that endangered the electric grid. Read the motion below. I have also filed a Freedom of Information Act (FOIA) request with FERC.

Is NERC a legitimate regulatory body, or simply a proxy for the electric utility industry? As I have discussed, it is a struggle to even get rudimentary regulations through NERC. If the electric utility industry – and NERC – is going to continue to fight efforts to secure the grid from known threats, we need the federal government to step up.

For starters, the Federal Energy Regulatory Commission must not allow this electric utility industry cover-up to stand.

Click here for PDF copy of motion

Click here for PDF copy of FOIA request


UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION

NERC Full Notice of Penalty regarding Unidentified Registered Entity          )     Docket No. NP18-7-000

REQUEST TO INTERVENE

Submitted to FERC on April 15, 2018


Michael Mabee, a private citizen, requests the Commission’s leave to intervene in the above-captioned docket, pursuant to 18 C.F.R. § 39.7(e)(4)[1]. My proposed intervention is limited to requesting that the Commission review this Notice of Penalty to ensure that it is in the public interest. Based on the limited public information available, this Notice of Penalty raises several significant public interest concerns.

Background on the Intervenor

I am a private citizen with expertise on emergency preparedness, specifically on community preparedness for a long-term power outage. My career includes experience as an urban emergency medical technician and paramedic, a suburban police officer, and in the federal civil service. In the U.S. Army, I served in two wartime deployments to Iraq and two humanitarian missions to Guatemala. I retired from the U.S. Army Reserve in 2006 at the rank of Command Sergeant Major (CSM). I was decorated by both the U.S. Army and the federal government for my actions on 9/11/2001 at the World Trade Center in New York City. In sum, I have a great deal of experience – both overseas and in the U.S. – working in worlds where things went wrong. I have studied the vulnerabilities of the U.S. electric grid to a variety of threats. My research led me to write two books about how communities can prepare for and survive a long-term power outage.[2] I continue to write extensively on emergency preparedness for blackouts.

Background on FERC Docket No. NP18-7-000

On February 28, 2018, NERC issued a “Notice of Penalty regarding Unidentified Registered Entity”[3] in which the NERC-anonymized entity apparently agreed to pay penalties of $2,700,000 for two very serious violations of the Critical Infrastructure Protection (CIP) NERC Reliability Standards. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC:

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

Concerns Raised by the Publicly Available Information Which Should Trigger Commission Review

  1. Prompt reporting requirement: It is unclear from the publicly available information whether the Electric Reliability Organization (North American Electric Reliability Corporation) or the Regional Entity (Western Electricity Coordinating Council) “report[ed] promptly to the Commission any self-reported violation or investigation of a violation or an alleged violation of a Reliability Standard” in accordance with 18 CFR § 39.7(b). The Commission should determine whether this requirement was satisfactorily met.
  2. Identity of the “Unidentified Registered Entity.” NERC’s lack of transparency by hiding the identity of the “Unidentified Registered Entity” from the public is against the public interest and should not be allowed by the Commission.
    • At the time the matter was filed with the Commission, the name should have been disclosed publicly. 18 CFR § 39.7(b)(4) states that: “Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk-Power System violated a Reliability Standard or by a settlement or other negotiated disposition.” [Emphasis added.] Therefore, when NERC filed its notice of penalty on February 28, 2018, the name of the entity should have been disclosed publicly.
    • The notice of penalty is defective. In accordance with 18 CFR § 39.7(d)(1), the notice of penalty must include “[t]he name of the entity on whom the penalty is imposed.”
    • NERC cannot argue that the name of the entity is Critical Energy Infrastructure Information (CEII). FERC Order No. 833 holds that the Commission’s practice is that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not CEII.[4] We also note that the name of the entity has been widely speculated in the media.[5] NERC withholding the name of the entity is against the public interest.
    • NERC cannot argue that this should be a non-public proceeding related to a “cybersecurity incident”[6] as this does not meet the regulatory definition of a “cybersecurity incident.”[7] According to NERC, this incident was not a “malicious act” as the definition of “cybersecurity incident” requires – rather, it was a colossal blunder on the part of the regulated entity. The public has the right to know who endangered them.
  3. The terms of the settlement agreement are suspicious and should be reviewed by the Commission to ensure that they are fair and in the public interest. The relatively light penalty and non-admission clause raise immediate concerns. If the Western Electricity Coordinating Council truly concluded, as NERC states, that two violations of the Critical Infrastructure Protection (CIP) Reliability Standards were committed, why is the entity being allowed to enter an agreement where it “neither admits nor denies the violations”? Such an agreement is against the public interest as it does not serve as a deterrent for future violations in the industry. What strong incentive is there for regulated entities to adhere to Critical Infrastructure Protection (CIP) Reliability Standards if the penalties are light, they do not have to admit fault for violations, and their identity will not be disclosed?
  4. The settlement agreement should be released to the public. The terms of the agreement are only vaguely discussed in the notice of penalty and therefore should be available for public scrutiny. There could be terms that are contrary to the public interest (such as any form of confidentiality clause).

Conclusion:

For the foregoing reasons, I request that the Commission fully review the notice of penalty and the surrounding circumstances to ensure that the resolution is in the public interest and that the identity of the “Unidentified Registered Entity” is promptly disclosed to the public.

Respectfully submitted by:

Michael Mabee


End Notes:

[1] On March 30, 2018, the Commission extended until May 29, 2018, the time period for consideration whether to review on its own motion the penalty contained in the Notice of Penalty in Docket No. NP18-7-000. 162 FERC ¶ 61,291.

[2] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[3] NERC “Full Notice of Penalty regarding Unidentified Registered Entity FERC Docket No. NP18-_-000.” February 28, 2018. http://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_CIP_NOC-2569%20Full%20NOP.pdf (accessed April 7, 2018).

[4] Order No. 833 at pg. 17. Also see 18 C.F.R. §388.113(c)(1)(iv).

[5] Information Security Media Group. “US Power Company Fined $2.7 Million Over Data Exposure – Grid Regulator Says Company Left Critical Data Exposed for 70 Days.” March 14, 2018. https://www.bankinfosecurity.com/us-power-company-fined-27-million-over-data-exposure-a-10715 (accessed April 7, 2018); Gizmodo Media Group. “US Power Company Fined $2.7 Million Over Security Flaws Impacting ‘Critical Assets’.” March 13, 2018. https://gizmodo.com/us-power-company-fined-2-7-million-over-security-flaws-1823745994 (accessed April 7, 2018).

[6] 18 CFR § 39.7(e)(7)

[7] 18 CFR § 39.1 defines “cybersecurity incident” as “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.”


A NERC Cover-Up? Who Put the Electric Grid at Risk?


A NERC Cover-Up?

This incident has the olfactory bouquet of a NERC cover-up: On February 28, 2018, the North American Electric Reliability Corporation (NERC) submitted a proposed “Notice of Penalty” to the federal government against an “Unidentified Registered Entity.” This entity was responsible for a massive data breach that, according to NERC, posed a “serious or substantial risk” to the electric grid. Is there any legitimate reason that the public is not allowed to know who put us at risk?

Alas, a NERC cover-up really should not come as a surprise since NERC is actually just a proxy for the electric utility industry.

Q: Who actually regulates the grid? A: The grid.

Perhaps a bit of background is in order for those unfamiliar with the regulatory scheme of the electric grid. First of all, the federal regulator for the electric grid is an obscure agency called the Federal Energy Regulatory Commission (FERC). But in reality, “the grid” is self-regulated. “The grid” is actually thousands of companies – both public and private sector – who are involved in the generation, transmission and distribution of electric power. These companies – much like Wall Street – regulate themselves through an entity known as the North American Electric Reliability Corporation, or NERC. The law allows FERC to designate an entity as what is known as the “Electric Reliability Organization” (ERO). This ERO makes the rules – including grid security regulations – and submits them to FERC for approval. NERC is the Commission-certified Electric Reliability Organization.

NERC’s annual funding is provided through assessments to the entities that it regulates. Moreover, although technically anybody can become a “member” of NERC, the membership structure stacks the deck in favor of the electric industry as far as the election of NERC’s “independent trustees” (the board that governs NERC). NERC accomplishes this shell game by assigning all members to one of 12 groups. According to NERC rules:

“Each member will join only 1 of 12 industry sectors and be eligible for selection as a sector representative on the NERC Member Representatives Committee (MRC). The MRC elects NERC’s independent trustees, votes on amendments to the bylaws, and provides advice and recommendations to the Board with respect to the development of annual budgets, business plans and funding mechanisms, and other matters pertinent to the purpose and operations of NERC.”

So what are the “12 industry sectors”?

1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives

In other words, two sectors are customers and one is the government. The other nine are the electric industry. The electric industry gets 9 votes – the customers and the government get 3. If that is not a stacked deck, I don’t know what is. So NERC is literally funded, run and its leadership elected by the electric utility industry that it allegedly regulates. As we have seen lately in the fight for cybersecurity regulations, if the grid does not want to be regulated, it has means to resist being regulated.

Back to the NERC Cover-Up

The details provided by NERC are vague (likely in order to protect the guilty). At an unknown date in the past – but likely 2016, based on the “NERC Violation ID” number on page 2 – the NERC-anonymized entity experienced a horrific data breach. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC:

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

[Image: excerpt from the Notice of Penalty, FERC Docket No. NP18-7-000]

This is really, really bad. Imagine what would happen if North Korea, Iran, Russia or China came into possession of such a treasure trove of information to access the electric grid.

As bad as this is, the NERC-anonymized entity does not admit any fault and agrees to pay a paltry $2,700,000 fine for what might be the worst threat to national security of the 21st century. This is the settlement proposal that NERC wants the federal government to sign off on.

And, NERC thinks the public does not have a right to know who the violator is.

It appears from a separate filing, which is not available to the public, that NERC is claiming that the identity of the violator is “Critical Energy Infrastructure Information” (CEII). We can’t tell for sure since we do not have access to the document. But FERC regulations and policy hold that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII). We agree. The breach is over and has allegedly been “mitigated,” according to NERC. Why does the public not have the right to know who endangered us?

Message to FERC

NERC’s lack of transparency in hiding the identity of the “Unidentified Registered Entity” – such a NERC cover-up – is against the public interest and should not be allowed by FERC. On March 30, 2018, FERC announced that it is delaying approval of the NERC Notice of Penalty until May 29, 2018. (FERC Docket No. NP18-7-000.) One can only hope that this means FERC intends on reviewing this extremely fishy NERC cover-up.


(Possible Spoiler Alert: The identity of the NERC-anonymized entity has been speculated in the press here and here.)


Frank Gaffney Interviews Dr. Peter Vincent Pry


Frank Gaffney of Secure Freedom Radio interviewed Dr. Peter Vincent Pry on March 28, 2018.

Click Here to Listen.

Dr. Peter Vincent Pry is the Executive Director of the Task Force on National and Homeland Security and Director of the U.S. Nuclear Strategy Forum, and served on the Congressional EMP Commission, the House Armed Services Committee and the CIA. This interview discusses:

  • How our civilization’s survival depends on the US electric grid
  • The vulnerability of our grid to EMP and cyber attacks
