Comments of Michael Mabee
Submitted to FERC on April 22, 2021
My name is Michael Mabee. I am a private citizen who conducts public interest research on the security of the electric grid because I recognize the absolutely vital role of this infrastructure in powering every one of the nation’s 16 critical infrastructures and in undergirding not just the well-being but the very survival of our modern society.
The Office of Public Participation must work to improve the transparency of Commission enforcement proceedings. This lack of transparency is endangering the electric grid and endangering the public and must be the Office of Public Participation (OPP’s) top priority.
Since 2010 there have been 275 FERC dockets involving at least 1,500 entities that have violated Critical Infrastructure Protection Standards (“CIP Standards”). Every single one of these 1,500+ names has been withheld from the public.
Almost all of these violations had been mitigated at the time the Notice of Penalty had been submitted to FERC. In fact, out of all of the complaints, there appear to be only four where the mitigation date might not be complete:
- Docket #NP19-4-000 issued 1/25/2019 mitigation is “ongoing”
- The mitigation date is listed as “TBD” in Docket #NP15-32-000, issued 7/30/2015, Docket #NP14-40-000, issued 4/30/2014, and Docket #NP13-45-000, issued 7/31/2013.
- In all four of these dockets, FERC has issued a “Notice of No Further Review.” So even these four may simply reflect a failure by NERC to update the data.
In essence, the industry has argued in Docket #AD19-18-000 that the names of all CIP violators must be withheld from the public – forever.
The names of regulatory violators are critical to the public, Congress and state regulators in order to be able to scrutinize the regulatory system to see if it is working or if improvements are needed.
There is a great deal of evidence that the present regulatory system is not working and needs public and Congressional scrutiny. Just a few examples:
- There have been 721 physical attacks on the electric grid in the last decade – this calls into question the effectiveness of the physical security standard.
- Numerous entities in the electric grid were penetrated by the SolarWinds hack, yet there is no requirement in the cybersecurity CIP standards that malware be detected, removed or mitigated – this calls into question the effectiveness of the cybersecurity standards.
- The Texas electric grid collapsed in 1989, 2011 and again in 2021 – this time causing over 125 deaths. All three collapses of the Texas grid were caused by cold weather. Clearly the Mandatory Reliability Standards failed or were not enforced.
Another reason the public has a right to know if the company they rely upon – and pay – for electricity violates CIP standards is illustrated by these three questions:
- Who is paying for the CIP violation fines—the ratepayers or the shareholders?
- Who is paying for any mitigation ordered or agreed upon—the ratepayers or the shareholders?
- Most importantly, who decides who pays?
The last question is easy: Absent transparency, the regulatory violator decides who pays. This is why it is critical that the Commission release the names of the regulatory violators along with sufficient information so that the public (“ratepayers”), investors (“shareholders”), the PUCs (the ones who should be making these decisions) and Congress (the oversight) can see what is happening.
So why is it that the only piece of information the industry vehemently opposes being released is the names of the violators? Because it is the one piece of information needed to hold entities accountable. And FERC has endorsed this cover-up for the last decade.
I have concluded that “secret regulation” of CIP standards has not worked. It appears from the available evidence that the real reason for the “protection” of the names of the regulatory violators is because the industry does not want to be held accountable for doing more than the minimum on physical and cyber security. There appears to be no legitimate security reason to withhold the names of regulatory violators in perpetuity as is currently the practice.
In sum, CIP regulations should protect the U.S. electric grid by holding the electric utility companies and grid operators accountable to protect the portion of the U.S. critical infrastructure that they own or operate. Instead, the electric utility industry has twisted this regulatory scheme into a sham where companies have no incentive to do more than the minimum. If caught violating a CIP standard, NERC and the Regional Entities will settle the matter privately with the “unidentified registered entities” negotiating a “penalty” that the “unidentified registered entities” are willing to pay and will keep the matter from public view. It looks like a system of back-room settlements and handshake penalties. A great deal for the “unidentified registered entities”—not so much for the American people.
I urge FERC to revisit Docket AD19-18-000 and hold the industry and NERC accountable for their actions – and inactions – by allowing the public transparency in regulation that is a cornerstone of our democracy.
Thank you for taking my comment.
Footnotes to Comments: Office of Public Participation Docket AD21-9-000
1. See generally FERC Docket AD19-18-000 including my October 25, 2019 filing in that docket, available at: https://michaelmabee.info/transparency-regulatory-failures/
2. See https://michaelmabee.info/cip-violation-database/
3. See https://www.nerc.com/pa/comp/CE/Pages/Enforcement-and-Mitigation.aspx
4. See https://michaelmabee.info/oe-417-database/
5. See https://michaelmabee.info/critical-infrastructure-attacks/
6. See https://michaelmabee.info/federal-complaint-filed-on-texas-grid-collapse/