The Electric Industry Can’t Credibly Argue That The U.S. Electric Grid is Secure.
But they sure are trying and FERC – the federal agency responsible for grid security – is buying it. Edison Electric Institute (whose members include state owned entities controlled by the government of the People’s Republic of China) and other electric industry lobbying groups consistently argue that no further grid security regulation is needed. I guess we should believe China that the U.S. Grid is secure despite what has been reported by the Wall Street Journal. By the way – these electric industry groups spend millions of dollars every year lobbying congress to prevent grid security regulation.
Unfortunately, the Federal Energy Regulatory Commission (FERC) – the only federal government agency with the authority to secure the U.S. Electric grid is laying down on the job. The United States and our families remain vulnerable to a catastrophic power outage that could kill millions.
What is going on?
In a nutshell, the electric utility industry has a checkered past, to put it charitably. This is the same industry that brought us everything from the Samuel Insull frauds in the 1920’s, to the Enron fraud in 2001 to PG&E causing the 2018 Camp Fire in California that killed 85 people and burned down two entire towns. Yet, somehow, the United States has allowed this industry to create their own regulatory regime, write its own “mandatory” reliability standards and largely regulate itself on its compliance with its own mandatory reliability standards, including Critical Infrastructure Protection (CIP) standards. (Okay, not “somehow.” The industry accomplished this feat through their massive lobbying and political contributions.)
To summarize, we trust the national security of the United States and the lives of its citizens to an industry with a history of irresponsibility, greed and nefarious behavior.
What could possibly go wrong?
And more importantly, who will be responsible for thousands or perhaps millions of deaths if the U.S. experiences a large-scale long-term blackout?
The electric utility industry will point it’s finger at FERC: “We followed FERC’s rules” they will say. And they won’t be wrong, as a matter of law. While the industry may have been irresponsible, deceptive and self serving, that’s just business. However, the federal regulators at FERC will have allowed this to happen.
If there are deaths due to a cyberattack on the electric grid, these FERC Commissioners are responsible:
Chairman Neil Chatterjee, Commissioner James Danly and Commissioner Richard Glick just had the opportunity to improve the cybersecurity standards, but instead chose to drink the electric utility industry’s conclusory “all is well” glass of Kool-Aid.
On October 2, 2020, FERC denied my complaint about the inadequacy of the CIP Cybersecurity standards “because the relief sought therein is either unsupported or premature given current proceedings before the Commission and projects within NERC.” Largely FERC argues that the complaint is “premature” because FERC issued two “Notices of Inquiry (NOIs)” But both of these were issued after the complaint was filed. And these two “Notices of Inquiry” directly delay action on the two complaint items.
Here’s the timeline:
- May 12, 2020 – I filed a Complaint about 1) the supply chain cybersecurity CIP standard and 2) that CIP standards were not adopting enough of the NIST cybersecurity framework (as GAO and Congress have pointed out).
- June 18, 2020 – FERC issues NOI on whether more of the NIST framework should be adopted in CIP standards (171 FERC ¶ 61,215)
- September 17, 2020 – FERC issues NOI on Supply Chain Cybersecurity (172 FERC ¶ 61,224)
- October 2, 2020 – the complaint was dismissed (173 FERC ¶ 61,010)
I do not think this timeline is a coincidence. I think it is entirely possible that these NOIs were issued because of the pressure put on FERC with this complaint. I’m sure FERC wanted to dismiss this complaint months ago, but they couldn’t until these two NOIs were issued so that they could argue that they were doing something. This complaint certainly must have been uncomfortable for FERC since they took almost 6 months to dismiss it and issued these two NOIs in the interim.
The electric utility industry argued that my complaint should be dismissed and the NOIs gave FERC a convenient way to kick the can down the road. The electric utility industry loves “further study” – it gives them the opportunity to do nothing and more chances to argue that nothing further needs to be done. In other words, “let’s admire the problem” further to delay taking any action and water down any further action to be taken.
FERC bought it.
If there are deaths due to a physical attack on the electric grid, these FERC Commissioners are responsible:
In an order that appeared to be largely cut and pasted from the electric industry arguments, Chairman Neil Chatterjee, Commissioner Bernard McNamee and Commissioner Richard Glick denied my electric grid physical security complaint on June 9, 2020.
After discovering some disturbing inadequacies in the physical security of the electric grid, I filed a complaint with the FERC on January 29, 2020. My complaint alleged that the mandatory physical security standard for the electric grid (CIP-14-2) was grossly inadequate and rarely enforced. I provided detailed analysis of the standard and evidence to support my allegations. FERC opened Docket Number EL20-21-000 on the complaint and invited public comments and intervention. NERC and almost the entire electric industry vehemently opposed the complaint.
Unfortunately, FERC Commissioners have frequently proven themselves unwilling to buck the industry – even on national security matters. Therefore, the easiest thing for them to do here was dismiss the complaint on a technicality. (It’s not that the physical security of the grid is adequate – it is that we already approved the standard and we see no reason to revisit it now.)
Hmm. There have been 679 physical attacks on the grid in the last 10 years. I guess FERC doesn’t consider that to be a problem. This is odd, because the Government Accountability Office (GAO) found that grid physical security was a problem almost 40 years ago.
If there are deaths because the electric industry failed to follow Critical Infrastructure Protection Standards, these FERC Commissioners are responsible:
Chairman Neil Chatterjee, Commissioner Bernard McNamee, Commissioner Cheryl LaFleur, Commissioner James Danly and Commissioner Richard Glick presided over the electric industry’s decade-long coverup of the identity of the violators of Critical Infrastructure Protection (CIP) standards. This has prevented the public, Congress and state regulators from scrutinizing the regulatory system – or even seeing if it is working.
Since 2010 the industry has hid the names of the violators of CIP standards – even years after the violations are mitigated. The coverup removes the ability for congress and the public to see if the regulatory system is working and hold the industry and the government accountable to the security of the electric grid.
And this coverup is now fully supported by FERC.
I have written extensively about this coverup and fought it for several years. I have been joined in this fight for transparency by experts from across the country, legislators, elected and appointed public officials, the media and the public. Of course, the electric industry opposes releasing the names of its miscreants and being held accountable for the national security of the U.S. and the safety of the public. The industry has argued vehemently against the release of the names, making unsupported and conclusory statements that somehow the release of the names of violators would endanger the country.
However, FERC bought these unsupported, conclusory electric industry statements.
On September 23, 2020 the Federal Energy Regulatory Commission released a “White Paper” which regurgitates the electric industry’s arguments and concludes:
Accordingly, going forward, CIP noncompliance filings and submittals by NERC will request that the entire filing or submittal be treated as CEII and Commission staff will designate such filings and submittals as CEII in their entirety. Additionally, because of the risk associated with the disclosure of CIP noncompliance information, NERC will no longer publicly post redacted versions of the CIP noncompliance filings and submittals.
This result is outrageous. Not only will the coverup continue, but going forward NO INFORMATION will be available to the public, Congress or state regulators!
Read more on this issue in these articles:
- Federal Energy Regulatory Commission Lays Down On The Job!
- Multiple States to FERC: “The public has a right to know”
- Lawsuit filed to end electric grid coverup
- The Role of Transparency in Preventing Regulatory Failures
So who will be accountable for all the deaths if the grid goes down?
Unfortunately, like many a tragedy in the past, fingers will start pointing and bureaucrats will jockey to distance themselves. There will be hearings, studies and in the end it will not bring back the people who died from a preventable catastrophe.
The Federal Energy Regulatory Commission is the only federal agency in a position to fix grid security based on existing laws, but they are failing us. Current Commissioners Neil Chatterjee, James Danly and Richard Glick as well as former Commissioners Cheryl LaFleur and Bernard McNamee were charged to protect us. If there are deaths resulting from a large-scale blackout from a cyber attack, physical attack, EMP attack, GMD event or other preventable cause, they must be held accountable.
