Duke Energy was fined $10 million for cybersecurity violations – But you don’t have the right to know this!
Would the public be interested in knowing what company was issued a $10 million penalty for cybersecurity violations? Do we have a right to know if companies are endangering our lives, and if our government’s regulatory regime to protect us is effective?
Nope. Not according to the government.
The grid’s non-profit regulator, the North American Electric Reliability Corporation (NERC) imposed the $10 million penalty on January 25, 2019 against unnamed companies that committed 127 violations of Critical Infrastructure Protection (CIP) standards over several years. The press has since outed Duke Energy Corp. as the violator, but neither NERC nor the U.S. government have acknowledged this. The coverup remains.
Numerous citizens wrote to the Federal Energy Regulatory Commission (FERC) requesting the identity of just such a regulatory violator. The answer from FERC? They refuse to listen to the citizens based on a technicality.
This means, the government has shut down the Duke Energy penalty case without officially revealing who the violator is. And this is not an isolated case.
Duke Energy is just one example in a massive coverup
Since July of 2010 when the coverup began, there have been 255 regulatory penalty cases for violations of Critical Infrastructure Protection (CIP) standards. These cases have involved almost 1,500 violators and not one identity of a violator has been released to the public dockets. I have filed Freedom of Information Act (FOIA) requests for 253 of the 255 cases so far, but to date, FERC has only released the names of 4 of the violators to me under FOIA. For detailed information on my FOIA battle with all of the documents, click HERE. A few others have been outed by the press, but not one of the almost 1,500 CIP violators has been acknowledged by the government.
Why is this important to you? Because there is significant evidence that the regulatory system that protects our electric grid is broken. In order to determine whether they regulatory system is effective or not, the public, Congress, and state utility regulators need more information on who is violating CIP regulations – and what is being done about it.
Evidence that the regulatory system needs reform
A review of the publicly available information on these dockets reveals troubling issues; however, without the disclosure of the names of the entities and the text of settlement agreements, it is impossible for the public to fully appreciate how standards violations by utilities place lives at risk. Here are some examples:
- Since the Metcalf substation attack on PG&E on April 16, 2013, one would think that there would be utility focus on physical security for high voltage transformers – most of which are guarded only by a chain link fence and crossed fingers. So exactly how many enforcement actions would you guess there have been in the last 6 years for “CIP-014” physical security? Only four (4). (See this report for details.)
- Many of the “penalties” result from settlement agreements (e.g., the “Unidentified Registered Entity” agrees to pay the “penalty” and in many cases does not admit fault for the violation). Without knowing the details of the settlement agreements, the public cannot adequately analyze the terms and penalties, or even identify offending utilities.
- In some of the cases that were “settled,” the regulated entities were “uncooperative” (FERC Docket NP16-12-000) or “not fully transparent and forthcoming” (FERC Docket NP18-7-000). “Settling” with such bad actors raises many regulatory red flags and the public needs to analyze these FERC-approved transactions in more detail.
- I have found numerous examples of non-CIP violations that have been redacted. For example, I have found at least four violations of vegetation management standards for transmission lines in the Western Interconnection – the same region where over 86 deaths occurred in the “Camp Fire” – the deadliest and most destructive wildfire in California history. This is the same region where a “regulated entity” (PG&E) has significant liability for wildfires. The public has a right to know who standard violators are, especially when the standards violations may have resulted in dozens of deaths.
- The total penalties between July 2010 to August 2019 for CIP violations have been $35,825,920. Is this a large or small amount? Well, the electric utility industry spent $145,139,140 in lobbying and political contributions in 2018 alone. (So I’d say it is a small amount of penalties for a 9 year period.)
After this NERC cover up started in July of 2010, there has been less incentive to fix the grid security problems. That’s why disclosure is important. Why should utilities spend money to fix grave cybersecurity and physical security issues if they know that 1) if caught, the friendly regulator will “settle” the violation privately and the settlement agreement will be kept secret, 2) the utility can negotiate a trivial fine, and 3) the utility’s name will not be disclosed to the public?
We need citizen’s to take action!
The Secure The Grid Coalition is fighting to fix the electric grid’s broken regulatory scheme that is endangering all of us. We need your help.
The Commission has recently received an unprecedented number of FOIA requests for non-public information in CIP NOPs. Consistent with its regulations, Commission staff has released the identity of UREs in some limited cases where the Commission staff has determined that the release will not jeopardize the security of the Bulk-Power System if publicly disclosed. The significant increase in FOIA requests for non-public information in CIP NOPs has raised security and transparency concerns within industry and the general public, which has prompted Commission and NERC staffs to re-evaluate the format of CIP NOPs filed with the Commission. The current filing format, containing detailed violation information, when coupled with the potential release of URE identities, may not be achieving an appropriate balance of security and transparency. The White Paper proposes a revised format that is intended to improve this balance.
FERC is accepting comments on this white paper (FERC Docket No. AD19-18-000) until September 26, 2019. We need to all let the Federal Energy Regulatory Commission (FERC) know that the security of the electric grid is critical – secret regulation and coverups are unacceptable to the public. As a citizen, you have the right to file a comment in this docket and be heard!
Tell the Commission in your letter that the public has the right to know the names of companies that violate the regulatory standards and we need sufficient details to make sure that the regulatory system is working!
The deadline to file on this docket is September 26, 2019 so write your letter today and submit it online to FERC Docket Number AD19-18-000, or mail it in to FERC (Be sure to include the Docket Number in your letter).
Submit to FERC online HERE (you need to register if this is your first time)
or, submit by mail:
Federal Energy Regulatory Commission
Kimberly D. Bose, Secretary
ATTN: Docket No. AD19-18-000
888 First Street, NE
Washington, DC 20426
Read More on the CIP Coverup:
- CIP Coverup: The Proverbial Cat is Out of the Bag
- UPDATED: CIP Violation Database and FOIAs
- Regulatory Mutiny: The Grid Just Threatened FERC
- Physical Security: The Electric Grid’s Dirty Little Secret
- FERC Must Make A Choice
- Grid Coverup: NERC’s “Double Secret Probation” of CIP Violators Continues
- NERC’s “Cybersecurity Incident” Shell Game
- NERC Coverup Investigation Report
- Dear Senators Murkowski and Manchin…
- Transmission Vegetation Management Cover Up?
- FERC Commissioner Cheryl LaFleur: Step Up on Grid Security or Step Down!
- Electric Grid Cyber Cover-Up: More Details Emerging
- These “Unidentified Registered Entities” Endangered the Electric Grid
- PG&E endangered the grid – and tried to cover it up
- Now It’s a FERC Cover-Up
- A NERC Cover-Up? Who Put the Electric Grid at Risk?