Electric Grid Cyber Cover-Up: More Details Emerging


More Details Emerging on the Electric Grid Cyber Cover-Up

The deeper we dive into the electric grid cyber cover-up, the more disturbing it becomes. In the last 5 years (2014-2018), there have been 53 Federal Energy Regulatory Commission (FERC) dockets involving 81 “Unidentified Registered Entities.” These all allege violations of Critical Infrastructure Protection Standards (CIP Standards). Such violations could endanger the electric grid; however, the identities of the violators are being kept from the public. Here is a comprehensive list of the CIP violations with some data on each one. CLICK HERE FOR LIST.

There is a lot to digest.

First of all, none of the violators are identified. The North American Electric Reliability Corporation (NERC) has created a loophole whereby they bend the regulations to “protect the guilty” so that these companies do not have to be embarrassed. They are all simply called “Unidentified Registered Entities” or “UREs.” And FERC has allowed this to happen.

Next, each violation has a “Violation Risk Factor” and a “Violation Severity Level.” These seem to be somewhat subjective and it is not easy to find and compare this information. According to NERC:

“A Violation Severity Level (VSL) is a post-violation measurement of the degree to which a Reliability Standard Requirement was violated (Lower, Moderate, High, or Severe). To establish a Base Penalty for a violation, NERC considers the VSL, together with a Violation Risk Factor, which represents the potential risk to reliability.”

So they are supposed to consider both the “Violation Severity Level” and the “Violation Risk Factor.” This is not easy for the public to audit because the information is hard to find and only exists in a form that makes analysis difficult. Is this by design? I wonder.

Also, many of the “penalties” result from settlement agreements (i.e., the “URE” agreed to pay the “penalty” and in many cases did not admit fault for the violation. How convenient).

Clearly, something smells very foul in a regulatory system where the public does not have access to information about regulatory actions which are approved by the United States government – FERC has to at least passively rubber-stamp all of these actions.

It’s bad enough that we have an electric grid cyber cover-up, but when you look at some of these “enforcement actions”, it paints a very weak regulatory picture.

Physical Security? Nope.

Here’s one example. Since the Metcalf transformer attack on April 16, 2013, you would think that there would be some focus on physical security of the high voltage transformers – most of which are guarded by a chain link fence and crossed fingers. So exactly how many enforcement actions would you guess there have been in the last 5 years for “CIP-014” physical security? Only one. (FERC Docket NP18-14-000.) How can this possibly be? Moreover, this is very difficult to see if you are a member of the public due to the electric grid cyber cover-up.

Some Bad Actors

There are a lot of substantial fines here, but two fines are bigger than the others.

We know that PG&E Corp (identified by a Freedom of Information Act request) was fined $2.7 million in Docket NP18-7-000. A great quote from that one is:

“URE was not fully transparent and forthcoming with all pertinent information detailing the data exposed in the incident. Specifically, URE did not provide WECC initially with all the data fields exposed in the incident”

In other words, they lied.

Another interesting one is the $1,700,000 fine of an “Unidentified Registered Entity” announced on February 29, 2016 – FERC Docket NP16-12-000.

“URE was not cooperative throughout the compliance enforcement process, and ReliabilityFirst considered URE’s lack of cooperation as an aggravating factor in the penalty determination.”

and

“ReliabilityFirst considered 21 of the instant violations as repeat noncompliance with the subject NERC Reliability Standards…”

Self-regulation at its best. I would note that both of these “big fines” (actually, quite paltry when you consider the risk that these violations exposed us all to) were settlement agreements. In other words, these already uncooperative and not so forthcoming entities agreed to pay these fines. Doesn’t seem like they hurt too much. And they still get to be a “URE” and not have their name revealed to the public!

As you know, we have filed a Freedom of Information Act (FOIA) request with FERC for the identities of these “Unidentified Registered Entities” – stay tuned as this battle unfolds.

CLICK HERE FOR THE LIST OF “Unidentified Registered Entities”

How to Read the Electric Grid Cyber Cover-Up Chart

I’m including a list and links below to the CIP standards (as of 12/31/2018) – there are also links on the electric grid cyber cover-up document. If you need a primer on what the electric grid is and how it is regulated, click here.

Regions. NERC delegates its enforcement authority to regional entities. So, on the chart under “Region” you will see the initials for one of the regional entities listed below. The map helps narrow down the geographic area.

[Map: NERC regional entities. Data source: U.S. Energy Information Administration]
  • Florida Reliability Coordinating Council (FRCC)
  • Midwest Reliability Organization (MRO)
  • Northeast Power Coordinating Council (NPCC)
  • ReliabilityFirst Corporation (RFC)
  • SERC Reliability Corporation (SERC)
  • Southwest Power Pool RE (SPP)
  • Texas Reliability Entity (TRE)
  • Western Electricity Coordinating Council (WECC)

In addition to the regional entities, the new NERC reliability assessment areas are a mixture of NERC reliability entities, entity sub-regions, regional transmission organizations and system operators. The map below illustrates these:

[Map: NERC reliability assessment areas. Data source: U.S. Energy Information Administration]

  • BASN – Basin (WECC)
  • CALN – California – North (WECC)
  • CALS – California – South (WECC)
  • DSW – Desert Southwest (WECC)
  • ERCOT – Electric Reliability Organization of Texas (TRE)
  • FRCC – Florida Reliability Coordinating Council
  • ISO-NE – ISO New England Inc (NPCC)
  • MAPP – Mid-Continent Area Power Pool
  • MISO – Midwest Independent Transmission System Operator, Inc
  • NORW – Northwest (WECC)
  • NYISO – New York Independent System Operator (NPCC)
  • PJM – PJM Interconnection
  • ROCK – Rockies (WECC)
  • SERC-E – SERC – East
  • SERC-N – SERC – North
  • SERC-SE – SERC – Southeast
  • SERC-W – SERC – West
  • SPP – Southwest Power Pool Regional Entity

Each violation has a “Violation Risk Factor” listed. You have to dig and find the “Violation Severity Level” to get the full picture (although the categories seem rather subjective). You also have to dig through multiple layers of documents to find the information I cobbled together on this chart. It contains both the “Violation Risk Factor” and “Violation Severity Level” side by side. Normally, one has to do a “NERC treasure hunt” to find this information piece by piece. This is the first time this information has been compiled in one place for analysis.

Several of us from the Secure the Grid Coalition are actively analyzing and working this issue. Subscribe to my blog to stay informed of our progress.

###

Download Electric Grid Cyber Cover-Up Chart

Download Underlying Regulatory Filings (Huge 11 MB File)

CIP standards (as of 12/31/2018)

| Standard | Title | Status |
|---|---|---|
| CIP-003-7 | Cyber Security – Security Management Controls | Subject to Future Enforcement |
| CIP-005-6 | Cyber Security – Electronic Security Perimeter(s) | Subject to Future Enforcement |
| CIP-010-3 | Cyber Security – Configuration Change Management and Vulnerability Assessments | Subject to Future Enforcement |
| CIP-013-1 | Cyber Security – Supply Chain Risk Management | Subject to Future Enforcement |
| CIP-002-5.1a | Cyber Security – BES Cyber System Categorization | Subject to Enforcement |
| CIP-003-6 | Cyber Security – Security Management Controls | Subject to Enforcement |
| CIP-004-6 | Cyber Security – Personnel & Training | Subject to Enforcement |
| CIP-005-5 | Cyber Security – Electronic Security Perimeter(s) | Subject to Enforcement |
| CIP-006-6 | Cyber Security – Physical Security of BES Cyber Systems | Subject to Enforcement |
| CIP-007-6 | Cyber Security – System Security Management | Subject to Enforcement |
| CIP-008-5 | Cyber Security – Incident Reporting and Response Planning | Subject to Enforcement |
| CIP-009-6 | Cyber Security – Recovery Plans for BES Cyber Systems | Subject to Enforcement |
| CIP-010-2 | Cyber Security – Configuration Change Management and Vulnerability Assessments | Subject to Enforcement |
| CIP-011-2 | Cyber Security – Information Protection | Subject to Enforcement |
| CIP-014-2 | Physical Security | Subject to Enforcement |
| CIP-001-0 | Sabotage Reporting | Inactive |
| CIP-001-1 | Sabotage Reporting | Inactive |
| CIP-001-1a | Sabotage Reporting | Inactive |
| CIP-001-2a | Sabotage Reporting | Inactive |
| CIP-002-1 | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-2 | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-3(i) | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-3(i)b | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-3 | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-3a | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-3b | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-4 | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-4a | Cyber Security – Critical Cyber Asset Identification | Inactive |
| CIP-002-5 | Cyber Security – BES Cyber System Categorization | Inactive |
| CIP-002-5_1 | Cyber Security – BES Cyber System Categorization | Inactive |
| CIP-003-1 | Cyber Security – Security Management Controls | Inactive |
| CIP-003-2 | Cyber Security – Security Management Controls | Inactive |
| CIP-003-3 | Cyber Security – Security Management Controls | Inactive |
| CIP-003-3a | Cyber Security – Security Management Controls | Inactive |
| CIP-003-4 | Cyber Security – Security Management Controls | Inactive |
| CIP-003-4a | Cyber Security – Security Management Controls | Inactive |
| CIP-003-5 | Cyber Security – Security Management Controls | Inactive |
| CIP-004-1 | Cyber Security – Personnel & Training | Inactive |
| CIP-004-2 | Cyber Security – Personnel & Training | Inactive |
| CIP-004-3 | Cyber Security – Personnel & Training | Inactive |
| CIP-004-3a | Cyber Security – Personnel & Training | Inactive |
| CIP-004-4 | Cyber Security – Personnel & Training | Inactive |
| CIP-004-4a | Cyber Security – Personnel & Training | Inactive |
| CIP-004-5 | Cyber Security – Personnel & Training | Inactive |
| CIP-004-5_1 | Cyber Security – Personnel & Training | Inactive |
| CIP-005-1 | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-1a | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-2 | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-2a | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-3 | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-3a | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-005-4a | Cyber Security – Electronic Security Perimeter(s) | Inactive |
| CIP-006-1 | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-1a | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-1b | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-1c | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-2 | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-2a | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-2b | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-2c | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-3 | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-3a | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-3c | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-3d | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-4c | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-4d | Cyber Security – Physical Security of Critical Cyber Assets | Inactive |
| CIP-006-5 | Cyber Security – Physical Security of BES Cyber Systems | Inactive |
| CIP-007-1 | Cyber Security – Systems Security Management | Inactive |
| CIP-007-2 | Cyber Security – Systems Security Management | Inactive |
| CIP-007-2a | Cyber Security – Systems Security Management | Inactive |
| CIP-007-3a | Cyber Security – Systems Security Management | Inactive |
| CIP-007-3b | Cyber Security – Systems Security Management | Inactive |
| CIP-007-4a | Cyber Security – Systems Security Management | Inactive |
| CIP-007-4b | Cyber Security – Systems Security Management | Inactive |
| CIP-007-5 | Cyber Security – System Security Management | Inactive |
| CIP-008-1 | Cyber Security – Incident Reporting and Response Planning | Inactive |
| CIP-008-2 | Cyber Security – Incident Reporting and Response Planning | Inactive |
| CIP-008-3 | Cyber Security – Incident Reporting and Response Planning | Inactive |
| CIP-008-4 | Cyber Security – Incident Reporting and Response Planning | Inactive |
| CIP-009-1 | Cyber Security – Recovery Plans for Critical Cyber Assets | Inactive |
| CIP-009-2 | Cyber Security – Recovery Plans for Critical Cyber Assets | Inactive |
| CIP-009-3 | Cyber Security – Recovery Plans for Critical Cyber Assets | Inactive |
| CIP-009-4 | Cyber Security – Recovery Plans for Critical Cyber Assets | Inactive |
| CIP-009-5 | Cyber Security – Recovery Plans for BES Cyber Systems | Inactive |
| CIP-010-1 | Cyber Security – Configuration Change Management and Vulnerability Assessments | Inactive |
| CIP-011-1 | Cyber Security – Information Protection | Inactive |
| CIP-014-1 | Physical Security | Inactive |
| CIP-012-1 | Cyber Security – Communications between Control Centers | Filed and Pending Regulatory Approval |
