The Press Goes to Michael Mabee on grid security:
Washington Post: The Cybersecurity 202
December 3, 2019
Activist wants court to name and shame electric utilities for violating cybersecurity rules
“Everybody in the United States is dependent on electricity, but we’re being told by the regulators we don’t have a right to know whether our electricity provider is obeying the rules,” Mabee told me. “If there’s unsafe food, we all hear don’t eat spinach from ABC company … But, when it comes to the electric grid, any company that violates critical infrastructure protection regulations gets their name withheld.”
“The Chinese and the Russians may very well have malware planted in the U.S. electric grid and they might be able to turn it off,” Mabee told me. “[But] right now we’re very unsafe because there’s no incentive for these companies to do more than the minimum.”
E&E News
November 19, 2019
Lawsuit: FERC concealing utilities that broke cyber rules
“We need to have transparency and accountability,” Mabee told E&E News in an interview yesterday. “People need to know if the company they depend on for electricity is a serial violator of these standards.”
“When you’re fighting the bureaucracy, and the entire electric utility industry is fighting your FOIAs, it sometimes can be discouraging,” said Mabee, whose background in the U.S. military includes two combat tours in Iraq. “It really, really encouraged me that you can go to your elected officials, and they’ll take a look at your issue and jump in.”
“I’ve been very open about why I’m doing this and what I’m after,” Mabee said. “And what I’m after is that the names of regulatory violators get released.”
Inside Cybersecurity
September 30, 2019
Energy regulators’ proposal to name violators of cyber standards complicated by cost, liability concerns
According to records examined by the security blogger and military veteran Michael Mabee, since 2010, NERC has been routinely concealing the identity of violators in the notices, listing them instead as “Unidentified Registered Entities.” In previous years, going back to 2008, NERC consistently named the entities, in addition to providing specific details, such as whether the “violation risk factor” was low, medium or high; the date mitigating actions were completed; how the violation was discovered — self-reported or through audit; and whether entities were “uncooperative” in settlement agreements.
In the first comment filed with the commission on the proposal, Mabee argues simply adding the name of the violator to all the information that’s currently available, “is not going to suddenly make all this publicly available information CEII,” especially since the violations are mitigated before they are revealed.
In this vein, he noted the potential consequence of companies dragging out “their mitigation plan for a long period of time — even years — in an effort to delay their name being exposed as a CIP violator.”
Overall, he said withholding penalty details by default would thwart their “use in statistical analysis” and “the White Paper proposal does not contain enough public information to allow for public, investor, Congressional and state scrutiny and evaluation of the violators and the regulatory system — activities that are critical to the security of the bulk power system.”
Wall Street Journal
September 6, 2019
Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules
Michael Mabee, a New Hampshire security blogger who has pushed for fuller disclosure, said that “getting the names of the violators is a huge victory,” but he wants to know the identities of past violators too, and doesn’t think that information should be withheld because vulnerabilities are required to be fixed, when discovered.
Mr. Mabee previously filed Freedom of Information Act requests for the release of unredacted penalty case documents, believing that public attention will make utilities focus harder on security.
A U.S. Army veteran, Mr. Mabee said he was sensitized to the importance of a secure electric grid after seeing what happens when a society suffers protracted blackouts and worries that U.S. utilities are lax about protecting their assets against attack. He said that lengthy blackouts tear at social structures, and said he witnessed the effects in two tours of duty in Iraq, in providing humanitarian assistance to Guatemala after a hurricane and after being in Manhattan during the terrorist attacks of 2001 and in the Northeast after a major blackout in 2003.
“It’s like a Forrest Gump thing, where I’ve been present to witness so many disasters,” he said. “I took an oath to defend America and I see threats to the grid as a major threat against our country.”
Wall Street Journal
April 4, 2019
PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks
Security researcher and blogger Michael Mabee, who has asked FERC to identify utilities associated with more than 200 penalty cases, said the regulatory system needs fixing, and “the only way for that to happen is by shining the light of day on it.”
Mr. Mabee also said penalties negotiated through settlement agreements are too low. So far, they have not been made public.
Law360
February 19, 2019
FERC Pressured To Disclose Cybersecurity Violators
Michael Mabee of Secure the Grid Coalition filed a separate motion asking FERC to disclose the subjects of nearly 200 cases resolved between five years and nine years ago, and is also in the process of penning a request for the identity of the record-setting settlement.
Public Citizen’s motion claimed disclosure would benefit state regulators and other local watchdogs, the public and even the industry. Mabee’s filing echoed concerns about public awareness and added that the secrecy appears legally unjustified.
“FERC needs to shine a light on utility violations that place the public at risk of long‐term and widespread electric grid outage from cyberattack and other deliberate actions of foreign adversaries,” Mabee’s motion said.
Mabee said potentially successful attacks like Russia’s undermine NERC’s primary reason for shielding companies where regulators find bad security practices — to protect that entity from further attack.
“If keeping the names of violators private was going to help, one would think it would have helped by now,” Mabee told Law360. “The public should be able to take a look at who the violators are and who the repeat violators are to evaluate the issue.”
Mabee compiled FERC data that shows out of 243 cases between 2010 and 2018, 1,465 energy entities violated the government’s critical infrastructure standards. The agency did not identify any of them.
He asked FERC to force NERC to name the companies involved in dockets that are five years or older — the regulatory limit, he said, for their confidential designation. In his request, Mabee claimed regulators have been abusing the rule that allows them to shield specific engineering, vulnerability or detailed design information that, if disclosed, could help someone attack the grid.
“NERC has been basically twisting the language and the definitions to have an excuse to not release these things,” Mabee said.
Wall Street Journal
August 24, 2018
PG&E Identified as Utility That Lost Control of Confidential Information
PG&E’s identity was revealed because of a Freedom of Information Act request filed to FERC by Secure the Grid Coalition, a nonprofit group focused on critical infrastructure protection. Michael Mabee, a New Hampshire representative of the group, said he petitioned for the information, because he thought it was “disturbing and wrong” for federal officials to protect a utility whose actions endangered the public.
Articles:
DomPrep Journal – Domestic Preparedness
December 2019
“The Electric Grid – Overcoming Vulnerability”
The Epoch Times
October 11, 2019
“Blackouts & Cover Ups: Why ALL Americans Must Work to ‘Secure the Grid’”
DomPrep Journal – Domestic Preparedness
September 2019
“Life Support – Ensuring Proper Regulation of the Electric Grid”