Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Electric Grid Cyber Cover-Up: More Details Emerging

Posted on January 2, 2019 / January 6, 2019 by Michael Mabee

More Details Emerging on the Electric Grid Cyber Cover-Up

The deeper we dive into the electric grid cyber cover-up, the more disturbing it becomes. In the last 5 years (2014-2018), there have been 53 Federal Energy Regulatory Commission (FERC) dockets involving 81 “Unidentified Registered Entities.” These all allege violations of Critical Infrastructure Protection Standards (CIP Standards). Such violations could endanger the electric grid; however, the identities of the violators are being kept from the public. Here is a comprehensive list of the CIP violations with some data on each one. CLICK HERE FOR LIST.

There is a lot to digest.

First of all, none of the violators are identified. The North American Electric Reliability Corporation (NERC) has created a loophole whereby they bend the regulations to “protect the guilty” so that these companies do not have to be embarrassed. They are all simply called “Unidentified Registered Entities” or “UREs.” And FERC has allowed this to happen.

Next, each violation has a “Violation Risk Factor” and a “Violation Severity Level.” These seem to be somewhat subjective and it is not easy to find and compare this information.  According to NERC:

“A Violation Severity Level (VSL) is a post-violation measurement of the degree to which a Reliability Standard Requirement was violated (Lower, Moderate, High, or Severe). To establish a Base Penalty for a violation, NERC considers the VSL, together with a Violation Risk Factor, which represents the potential risk to reliability.”

So they are supposed to consider both the “Violation Severity Level” and the “Violation Risk Factor.” This is not easy for the public to audit because the information is hard to find and only exists in a form that makes analysis difficult. Is this by design? I wonder.

Also, many of the “penalties” result from settlement agreements (e.g., the “URE” agreed to pay the “penalty” and in many cases does not admit fault for the violation. How convenient).

Clearly, something smells very foul in a regulatory system where the public does not have access to information about regulatory actions which are approved by the United States government – FERC has to at least passively rubber-stamp all of these actions.

It’s bad enough that we have an electric grid cyber cover-up, but when you look at some of these “enforcement actions”, it paints a very weak regulatory picture.

Physical Security? Nope.

Here’s one example. Since the Metcalf transformer attack on April 16, 2013, you would think that there would be some focus on physical security of the high voltage transformers – most of which are guarded by a chain link fence and crossed fingers. So exactly how many enforcement actions would you guess there have been in the last 5 years for “CIP-014” physical security? Only one. (FERC Docket NP18-14-000.) How can this possibly be? Moreover, this is very difficult to see if you are a member of the public due to the electric grid cyber cover-up.

Some Bad Actors

There are a lot of substantial fines here, but two fines are bigger than the others.

We know that PG&E Corp (identified by a Freedom of Information Act request) was fined $2.7 million in Docket NP18-7-000. A great quote from that one is:

“URE was not fully transparent and forthcoming with all pertinent information detailing the data exposed in the incident. Specifically, URE did not provide WECC initially with all the data fields exposed in the incident”

In other words, they lied.

Another interesting one is the $1,700,000 fine of an “Unidentified Registered Entity” announced on February 29, 2016 – FERC Docket NP16-12-000.

“URE was not cooperative throughout the compliance enforcement process, and ReliabilityFirst considered URE’s lack of cooperation as an aggravating factor in the penalty determination.”

and

“ReliabilityFirst considered 21 of the instant violations as repeat noncompliance with the subject NERC Reliability Standards…”

Self-regulation at its best. I would note that both of these “big fines” (actually, quite paltry when you consider the risk that these violations exposed us all to) were settlement agreements. In other words, these already uncooperative and not so forthcoming entities agreed to pay these fines. Doesn’t seem like they hurt too much. And they still get to be a “URE” and not have their name revealed to the public!

As you know, we have filed a Freedom of Information Act (FOIA) request with FERC for the identities of these “Unidentified Registered Entities” – stay tuned as this battle unfolds.

CLICK HERE FOR THE LIST OF “Unidentified Registered Entities”

How to Read the Electric Grid Cyber Cover-Up Chart

I’m including a list and links below to the CIP standards (as of 12/31/2018) – there are also links on the electric grid cyber cover-up document. If you need a primer on what the electric grid is and how it is regulated, click here.

Regions. NERC delegates its enforcement authority to regional entities. So, on the chart under “Region” you will see the initials for one of the below regional entities. The map helps narrow down the geographic area.

[Map: NERC regional entities. Data Source: U.S. Energy Information Administration]
  • Florida Reliability Coordinating Council (FRCC)
  • Midwest Reliability Organization (MRO)
  • Northeast Power Coordinating Council (NPCC)
  • ReliabilityFirst Corporation (RFC)
  • SERC Reliability Corporation (SERC)
  • Southwest Power Pool RE (SPP)
  • Texas Reliability Entity (TRE)
  • Western Electricity Coordinating Council (WECC)

In addition to the regional entities, the new NERC reliability assessment areas are a mixture of NERC reliability entities, entity sub-regions, regional transmission organizations and system operators. The map below illustrates these:

[Map: NERC reliability assessment areas. Data Source: U.S. Energy Information Administration]
  • BASN – Basin (WECC)
  • CALN – California – North (WECC)
  • CALS – California – South (WECC)
  • DSW – Desert Southwest (WECC)
  • ERCOT – Electric Reliability Organization of Texas (TRE)
  • FRCC – Florida Reliability Coordinating Council
  • ISO-NE – ISO New England Inc (NPCC)
  • MAPP – Mid-Continent Area Power Pool
  • MISO – Midwest Independent Transmission System Operator, Inc
  • NORW – Northwest (WECC)
  • NYISO – New York Independent System Operator (NPCC)
  • PJM – PJM Interconnection
  • ROCK – Rockies (WECC)
  • SERC-E – SERC – East
  • SERC-N – SERC – North
  • SERC-SE – SERC – Southeast
  • SERC-W – SERC – West
  • SPP – Southwest Power Pool Regional Entity

Each violation has a “Violation Risk Factor” listed. You have to dig and find the “Violation Severity Level” to get the full picture (although the categories seem rather subjective). You also have to dig through multiple layers of documents to find the information I cobbled together on this chart. It contains both the “Violation Risk Factor” and “Violation Severity Level” side by side. Normally, one has to do a “NERC treasure hunt” to find this information piece by piece. This is the first time this information has been compiled in one place for analysis.

Several of us from the Secure the Grid Coalition are actively analyzing and working this issue. Subscribe to my blog to stay informed of our progress.

###

Download Electric Grid Cyber Cover-Up Chart

Download Underlying Regulatory Filings (Huge 11 MB File)

CIP standards (as of 12/31/2018)

Standard | Title | Related Information | Status
CIP-003-7 | Cyber Security — Security Management Controls | Related Information | Subject to Future Enforcement
CIP-005-6 | Cyber Security — Electronic Security Perimeter(s) | Related Information | Subject to Future Enforcement
CIP-010-3 | Cyber Security — Configuration Change Management and Vulnerability Assessments | Related Information | Subject to Future Enforcement
CIP-013-1 | Cyber Security – Supply Chain Risk Management | Related Information | Subject to Future Enforcement
CIP-002-5.1a | Cyber Security — BES Cyber System Categorization | Related Information | Subject to Enforcement
CIP-003-6 | Cyber Security – Security Management Controls | Related Information | Subject to Enforcement
CIP-004-6 | Cyber Security – Personnel & Training | Related Information | Subject to Enforcement
CIP-005-5 | Cyber Security – Electronic Security Perimeter(s) | Related Information | Subject to Enforcement
CIP-006-6 | Cyber Security – Physical Security of BES Cyber Systems | Related Information | Subject to Enforcement
CIP-007-6 | Cyber Security – System Security Management | Related Information | Subject to Enforcement
CIP-008-5 | Cyber Security – Incident Reporting and Response Planning | Related Information | Subject to Enforcement
CIP-009-6 | Cyber Security – Recovery Plans for BES Cyber Systems | Related Information | Subject to Enforcement
CIP-010-2 | Cyber Security – Configuration Change Management and Vulnerability Assessments | Related Information | Subject to Enforcement
CIP-011-2 | Cyber Security – Information Protection | Related Information | Subject to Enforcement
CIP-014-2 | Physical Security | Related Information | Subject to Enforcement
CIP-001-0 | Sabotage Reporting | | Inactive
CIP-001-1 | Sabotage Reporting | | Inactive
CIP-001-1a | Sabotage Reporting | | Inactive
CIP-001-2a | Sabotage Reporting | Related Information | Inactive
CIP-002-1 | Cyber Security – Critical Cyber Asset Identification | | Inactive
CIP-002-2 | Cyber Security – Critical Cyber Asset Identification | | Inactive
CIP-002-3(i) | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-3(i)b | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-3 | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-3a | Cyber Security – Critical Cyber Asset Identification | | Inactive
CIP-002-3b | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-4 | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-4a | Cyber Security – Critical Cyber Asset Identification | Related Information | Inactive
CIP-002-5 | Cyber Security – BES Cyber System Categorization | Related Information | Inactive
CIP-002-5_1 | Cyber Security — BES Cyber System Categorization | Related Information | Inactive
CIP-003-1 | Cyber Security – Security Management Controls | | Inactive
CIP-003-2 | Cyber Security – Security Management Controls | | Inactive
CIP-003-3 | Cyber Security – Security Management Controls | Related Information | Inactive
CIP-003-3a | Cyber Security — Security Management Controls | Related Information | Inactive
CIP-003-4 | Cyber Security – Security Management Controls | Related Information | Inactive
CIP-003-4a | Cyber Security — Security Management Controls | Related Information | Inactive
CIP-003-5 | Cyber Security – Security Management Controls | Related Information | Inactive
CIP-004-1 | Cyber Security – Personnel & Training | | Inactive
CIP-004-2 | Cyber Security – Personnel & Training | | Inactive
CIP-004-3 | Cyber Security – Personnel & Training | Related Information | Inactive
CIP-004-3a | Cyber Security – Personnel & Training | Related Information | Inactive
CIP-004-4 | Cyber Security – Personnel & Training | Related Information | Inactive
CIP-004-4a | Cyber Security – Personnel & Training | Related Information | Inactive
CIP-004-5 | Cyber Security – Personnel & Training | Related Information | Inactive
CIP-004-5_1 | Cyber Security — Personnel & Training | Related Information | Inactive
CIP-005-1 | Cyber Security – Electronic Security Perimeter(s) | | Inactive
CIP-005-1a | Cyber Security – Electronic Security Perimeter(s) | | Inactive
CIP-005-2 | Cyber Security – Electronic Security Perimeter(s) | | Inactive
CIP-005-2a | Cyber Security – Electronic Security Perimeter(s) | | Inactive
CIP-005-3 | Cyber Security – Electronic Security Perimeter(s) | | Inactive
CIP-005-3a | Cyber Security – Electronic Security Perimeter(s) | Related Information | Inactive
CIP-005-4a | Cyber Security – Electronic Security Perimeter(s) | Related Information | Inactive
CIP-006-1 | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-1a | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-1b | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-1c | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-2 | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-2a | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-2b | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-2c | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-3 | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-3a | Cyber Security – Physical Security of Critical Cyber Assets | | Inactive
CIP-006-3c | Cyber Security – Physical Security of Critical Cyber Assets | Related Information | Inactive
CIP-006-3d | Cyber Security – Physical Security of Critical Cyber Assets | Related Information | Inactive
CIP-006-4c | Cyber Security – Physical Security of Critical Cyber Assets | Related Information | Inactive
CIP-006-4d | Cyber Security – Physical Security of Critical Cyber Assets | Related Information | Inactive
CIP-006-5 | Cyber Security – Physical Security of BES Cyber Systems | Related Information | Inactive
CIP-007-1 | Cyber Security – Systems Security Management | | Inactive
CIP-007-2 | Cyber Security – Systems Security Management | | Inactive
CIP-007-2a | Cyber Security – Systems Security Management | | Inactive
CIP-007-3a | Cyber Security — Systems Security Management | Related Information | Inactive
CIP-007-3b | Cyber Security — Systems Security Management | Related Information | Inactive
CIP-007-4a | Cyber Security — Systems Security Management | Related Information | Inactive
CIP-007-4b | Cyber Security — Systems Security Management | Related Information | Inactive
CIP-007-5 | Cyber Security – System Security Management | Related Information | Inactive
CIP-008-1 | Cyber Security – Incident Reporting and Response Planning | | Inactive
CIP-008-2 | Cyber Security – Incident Reporting and Response Planning | | Inactive
CIP-008-3 | Cyber Security – Incident Reporting and Response Planning | Related Information | Inactive
CIP-008-4 | Cyber Security – Incident Reporting and Response Planning | Related Information | Inactive
CIP-009-1 | Cyber Security – Recovery Plans for Critical Cyber Assets | | Inactive
CIP-009-2 | Cyber Security – Recovery Plans for Critical Cyber Assets | | Inactive
CIP-009-3 | Cyber Security – Recovery Plans for Critical Cyber Assets | Related Information | Inactive
CIP-009-4 | Cyber Security – Recovery Plans for Critical Cyber Assets | Related Information | Inactive
CIP-009-5 | Cyber Security – Recovery Plans for BES Cyber Systems | Related Information | Inactive
CIP-010-1 | Cyber Security – Configuration Change Management and Vulnerability Assessments | Related Information | Inactive
CIP-011-1 | Cyber Security – Information Protection | Related Information | Inactive
CIP-014-1 | Physical Security | Related Information | Inactive
CIP-012-1 | Cyber Security – Communications between Control Centers | | Filed and Pending Regulatory Approval
