The Press Goes to Michael Mabee on grid security:
Wall Street Journal
September 6, 2019
Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules
Michael Mabee, a New Hampshire security blogger who has pushed for fuller disclosure, said that “getting the names of the violators is a huge victory,” but he wants to know the identities of past violators too, and doesn’t think that information should be withheld because vulnerabilities are required to be fixed, when discovered.
Mr. Mabee previously filed Freedom of Information Act requests for the release of unredacted penalty case documents, believing that public attention will make utilities focus harder on security.
A U.S. Army veteran, Mr. Mabee said he was sensitized to the importance of a secure electric grid after seeing what happens when a society suffers protracted blackouts and worries that U.S. utilities are lax about protecting their assets against attack. He said that lengthy blackouts tear at social structures, and said he witnessed the effects in two tours of duty in Iraq, in providing humanitarian assistance to Guatemala after a hurricane and after being in Manhattan during the terrorist attacks of 2001 and in the Northeast after a major blackout in 2003.
“It’s like a Forrest Gump thing, where I’ve been present to witness so many disasters,” he said. “I took an oath to defend America and I see threats to the grid as a major threat against our country.”
Wall Street Journal
April 4, 2019
PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks
Security researcher and blogger Michael Mabee, who has asked FERC to identify utilities associated with more than 200 penalty cases, said the regulatory system needs fixing, and “the only way for that to happen is by shining the light of day on it.”
Mr. Mabee also said penalties negotiated through settlement agreements are too low. So far, they have not been made public.
Law360
February 19, 2019
FERC Pressured To Disclose Cybersecurity Violators
Michael Mabee of Secure the Grid Coalition filed a separate motion asking FERC to disclose the subjects of nearly 200 cases resolved between five years and nine years ago, and is also in the process of penning a request for the identity of the record-setting settlement.
Public Citizen’s motion claimed disclosure would benefit state regulators and other local watchdogs, the public and even the industry. Mabee’s filing echoed concerns about public awareness and added that the secrecy appears legally unjustified.
“FERC needs to shine a light on utility violations that place the public at risk of long‐term and widespread electric grid outage from cyberattack and other deliberate actions of foreign adversaries,” Mabee’s motion said.
Mabee said potentially successful attacks like Russia’s undermine NERC’s primary reason for shielding companies where regulators find bad security practices — to protect that entity from further attack.
“If keeping the names of violators private was going to help, one would think it would have helped by now,” Mabee told Law360. “The public should be able to take a look at who the violators are and who the repeat violators are to evaluate the issue.”
Mabee compiled FERC data that shows out of 243 cases between 2010 and 2018, 1,465 energy entities violated the government’s critical infrastructure standards. The agency did not identify any of them.
He asked FERC to force NERC to name the companies involved in dockets that are five years or older — the regulatory limit, he said, for their confidential designation. In his request, Mabee claimed regulators have been abusing the rule that allows them to shield specific engineering, vulnerability or detailed design information that, if disclosed, could help someone attack the grid.
“NERC has been basically twisting the language and the definitions to have an excuse to not release these things,” Mabee said.
Wall Street Journal
August 24, 2018
PG&E Identified as Utility That Lost Control of Confidential Information
PG&E’s identity was revealed because of a Freedom of Information Act request filed to FERC by Secure the Grid Coalition, a nonprofit group focused on critical infrastructure protection. Michael Mabee, a New Hampshire representative of the group, said he petitioned for the information, because he thought it was “disturbing and wrong” for federal officials to protect a utility whose actions endangered the public.
Articles:
DomPrep Journal – Domestic Preparedness
September 2019
“Life Support – Ensuring Proper Regulation of the Electric Grid”