.
January 30, 2019
The Honorable Lisa Murkowski, Chairman
The Honorable Joe Manchin III, Ranking Member
U.S. Senate Committee on Energy and Natural Resources
304 Dirksen Senate Building
Washington, DC 20510
Dear Senators Murkowski and Manchin
I am writing in regard to the systemic coverup of electric grid standard violations by the utility industry and their self-regulatory body, the North American Electric Reliability Corporation (NERC). This coverup has been enabled by the Federal Energy Regulatory Commission (FERC).
I am a regular citizen who has discovered the magnitude of this betrayal of the public trust. I ask that your committee open a formal investigation. With continuing wildfires caused by utilities in the Western Interconnection, and the names of vegetation management violators being hidden, many lives are at risk. A cybersecurity attack and resulting long-term blackout could also cause widespread casualties.
In February of 2018, I read about a “white hat” security researcher who found confidential records of PG&E’s network configuration, including passwords, on the public internet. Checking the FERC library, I found a record of a cybersecurity standard violation in about the same timeframe. However, FERC and NERC did not name the violator, instead calling the utility an “Unidentified Registered Entity.”
I filed a Freedom of Information Act (FOIA) request – and an appeal when my request was denied – in order to obtain the identity of the violator.[1] To this day, further details are still withheld from public examination.
On August 24, 2018, the Wall Street Journal ran a story titled: “PG&E Identified as Utility That Lost Control of Confidential Information.” Subtitle: “As a result of 2016 failure, 30,000 records about PG&E’s cyber assets were exposed on the internet.”[2] This was the first time the public found out about PG&E’s massive cyber breach and that PG&E was the violator subjected to a 2.7 million dollar regulatory fine. I was quoted in the Wall Street Journal article and cited as the source of the information.
I did further research and discovered that since July of 2010, NERC has routinely been withholding the identities of regulated entities that violate Critical Infrastructure Protection (CIP) Standards even when there is no reasonable “national security” reason to do so. FERC has allowed this odious practice to continue, even though the agency has a regulation clearly stating that the Notices of Penalty will be disclosed to the public after the vulnerability is remedied.[3]
My research has uncovered that FERC has hidden information in 243 dockets involving at least 1465 registered entities between 2010 and 2018. Attached is a list of these dockets for your review. I have filed FOIA request for these records, but I expect, as happened previously, NERC will oppose the release of this information and FERC will deny my request. I believe that without the intervention of your oversight committee, this FERC/NERC cover up will likely continue.
A review of the publicly available information on these dockets reveals troubling issues, however, without the disclosure of the names of the entities and the text of settlement agreements, it is impossible for the public to fully appreciate how standards violations by utilities place lives at risk. Here are some examples:
- Since the Metcalf substation attack on April 16, 2013, one would think that there would be utility focus on physical security for high voltage transformers – most of which are guarded only by a chain link fence and crossed fingers. So exactly how many enforcement actions would you guess there have been in the last 5 years for “CIP-014” physical security? Only one. (FERC Docket NP18-14-000.)
- Many of the “penalties” result from settlement agreements (e.g., the “Unidentified Registered Entity” agreed to pay the “penalty” and in many cases does not admit fault for the violation). Without knowing the details of the settlement agreements, the public cannot adequately analyze the terms and penalties, or even identify offending utilities.
- In some of the cases that were “settled,” the regulated entities were “uncooperative” (FERC Docket NP16-12-000) or “not fully transparent and forthcoming” (FERC Docket NP18-7-000). “Settling” with such actors raises many regulatory red flags and the public needs to analyze these FERC-approved transactions in more detail.
- I have found numerous examples of non-CIP violations that have been redacted. For example, I have found at least 4 violations of vegetation management standards for transmission lines in the Western Interconnection – the same region where over 86 deaths occurred in the “Camp Fire” – the deadliest and most destructive wildfire in California history. This is the same region where a “regulated entity” (PG&E) has significant liability for wildfires. The public has a right to know who standard violators are.
After this FERC/NERC cover up started in July of 2010, there has been less incentive to fix the grid security problems. That’s why disclosure is important. Why should utilities spend money to fix grave cybersecurity issues if they know that 1) if caught, the friendly regulator will “settle” the violation privately, 2) the utility can negotiate a trivial fine, and 3) the utility’s name will not be disclosed to the public?
I request that your Committee hold a hearing on this critical matter. I am willing to testify as to my findings and research, as well, as why this conduct by NERC and FERC is endangering the U.S. electric grid and the public safety.
Respectfully,
Michael Mabee
Attachment: FERC Dockets where identities of CIP violators were withheld from the public
CC: Senator Maggie Hassan (NH)
Senator Jeanne Shaheen (NH)
Representative Ann McLane Kuster (NH)
[1] See FERC docket number NP18-7-000.
[2] Smith, Rebecca. The Wall Street Journal. August 24, 2018. https://www.wsj.com/articles/pg-e-identified-as-utility-that-lost-control-of-confidential-information-1535145850 (accessed November 22, 2018).
[3] 18 CFR § 39.7 (b)(4) provides that: “Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk-Power System violated a Reliability Standard or by a settlement or other negotiated disposition.” [Emphasis added.] Further, 18 CFR § 39.7(d)(1) provides that a notice of penalty by the Electric Reliability Organization shall consist of, inter alia: “The name of the entity on whom the penalty is imposed.”
Further Information:
- Click here to read my first FOIA Request
- Click here to read my second FOIA Request
- Download List of “Unidentified Registered Entity” Dockets
Related Reports:
- NERC Coverup Investigation Report
- Transmission Vegetation Management Cover Up?
- FERC Commissioner Cheryl LaFleur: Step Up on Grid Security or Step Down!
- Electric Grid Cyber Cover-Up: More Details Emerging
- These “Unidentified Registered Entities” Endangered the Electric Grid
- PG&E endangered the grid – and tried to cover it up
