Michael Mabee in the Press - Grid Security Now!

The Press Goes to Michael Mabee on grid security:

60 Minutes
February 27, 2022
How secure is America’s electric grid?

Self-taught U.S. electric grid expert Mike Mabee says he is both fascinated and horrified by the grid. Based on his analysis of Department of Energy data, “in the past decade there have been over 700 physical attacks against the U.S. electric grid.” https://t.co/uQaKkYJpwv pic.twitter.com/BXBb0kh82i

— 60 Minutes (@60Minutes) February 28, 2022

KVUE News, Austin TX
March 31, 2022
Report: Texas power grid faces cyber threats from Russian hackers

Industrial Cyber
November 16, 2021
Chinese transformers in critical electric sector confirmed by two US administrations

Michael Mabee has repeatedly raised concerns about the security of the critical electric sector.

“The problem is that we are importing transformers and equipment from the People’s Republic of China to install in our critical electric infrastructure that the Chinese government is already hacking,” Mabee explained. “This creates a massive cyber vulnerability for the United States. As far back as 2003, Congress expressed concern about China conducting ‘coordinated cyber reconnaissance’ and ‘probing’ U.S. electric utilities in a hearing entitled: ‘Implications of Power Blackouts for The Nation’s Cybersecurity and Critical Infrastructure Protection,’” he added.

Industrial Cyber
November 2, 2021
Safeguarding electric infrastructure takes center stage at DOE’s inaugural SEAB meeting

Michael Mabee, a private citizen who conducts public interest research on the security of the electric grid, pointed out in his statement to the SEAB that there has been talking about securing critical electric infrastructure for over four decades from the very threats currently faced.

“After decades of self‐regulation and pleading for voluntary actions, the U.S. is still vulnerable to all of these threats and now is imminently threatened by both adversaries and nature,” Mabee said. “To protect our national security from these imminent threats, the U.S. must immediately make protection of the critical electric infrastructure against these known threats mandatory.”

Mabee also recommended that through a Presidential Executive Order and a Department of Energy Emergency Order, protection of the entire electric grid against known threats must be made mandatory. He also called upon Congress to enact legislation mandating that reasonably prudent actions on cybersecurity, physical security, EMP/GMD protective measures, and hardening for severe weather events be taken by all entities, public or private sector, that is part of the critical electric infrastructure. These measures must be certified periodically by the Chief Executive Officer of each such critical electric infrastructure entity.

“The security of the electric grid against known threats is a true national emergency. The threats are here. They are real and we are out of time,” Mabee added.

Washington Examiner
May 24, 2021
Biden leaves electric grid vulnerable to Chinese checkmate

As grid-protection activist Michael Mabee notes, the U.S. already uses 300 large power transformers made in China, and at least 10% of New York City’s electricity is routed through a Chinese-built transformer in Bayonne, New Jersey. Mabee has filed complaint after complaint to the Federal Energy Regulatory Commission about the inadequacies of grid security.

E&E News
February 3, 2021
What to watch for cybersecurity in Biden’s first 100 days

Biden’s decision to suspend the order for 90 days and instruct DOE and the Office of Management and Budget to consider a replacement met with mixed reactions.

Scott Aaronson, vice president for security and preparedness at EEI, praised Biden’s order, saying the move provides more time to get new DOE officials up to speed.

Grid security advocate Michael Mabee said he was “very concerned” that the order was suspended.

“The electric utility industry, as well as the regulators FERC and NERC have been behind the eight ball on supply chain cybersecurity for years,” Mabee said in an email. “And this is a position the United States can’t afford to be in. Now is not the time to suspend supply chain cybersecurity measures.”

S&P Global
June 12, 2020
FERC rejects complaint seeking revamp of grid physical security measures

But Mabee asserted that “nobody with regulatory authority even has to even approve [the security plan] — all you need is somebody to ‘review’ it … That unapproved three-ring binder of papers is what is standing between the United States and a catastrophic widespread power outage caused by a terrorist attack.”

Mabee said in a June 11 interview that he was “very disappointed” with FERC’s decision not to do more to protect against physical threats. “Right now, the electric grid is highly vulnerable to physical attacks and the CIP standard presently only covers a very, very small portion of that,” the blogger said.

POWER Magazine
April 22, 2020
FERC Orders Delayed Implementation of NERC Reliability Standards

FERC also received a single protest, filed by Michael Mabee, a private citizen who is a member of the ad hoc Secure the Grid Coalition. Mabee decried the three-day response period as “unreasonably” short. He also argued that because the U.S. government, NERC, and the electric industry have been aware of a pandemic threat for years, it should have been prepared. “If the Commission believes it must grant the requested relief, then this is evidence that the industry was not adequately prepared for a pandemic,” he wrote. “Therefore, if granting the requested relief, the Commission should also direct NERC to develop a CIP standard for pandemic and biological hazard preparedness.”

Washington Post: The Cybersecurity 202
December 3, 2019
Activist wants court to name and shame electric utilities for violating cybersecurity rules

“Everybody in the United States is dependent on electricity, but we’re being told by the regulators we don’t have a right to know whether our electricity provider is obeying the rules,” Mabee told me. “If there’s unsafe food, we all hear don’t eat spinach from ABC company … But, when it comes to the electric grid, any company that violates critical infrastructure protection regulations gets their name withheld.”

“The Chinese and the Russians may very well have malware planted in the U.S. electric grid and they might be able to turn it off,” Mabee told me. “[But] right now we’re very unsafe because there’s no incentive for these companies to do more than the minimum.”

E&E News
November 19, 2019
Lawsuit: FERC concealing utilities that broke cyber rules

“We need to have transparency and accountability,” Mabee told E&E News in an interview yesterday. “People need to know if the company they depend on for electricity is a serial violator of these standards.”

“When you’re fighting the bureaucracy, and the entire electric utility industry is fighting your FOIAs, it sometimes can be discouraging,” said Mabee, whose background in the U.S. military includes two combat tours in Iraq. “It really, really encouraged me that you can go to your elected officials, and they’ll take a look at your issue and jump in.”

“I’ve been very open about why I’m doing this and what I’m after,” Mabee said. “And what I’m after is that the names of regulatory violators get released.”

Inside Cybersecurity
September 30, 2019
Energy regulators’ proposal to name violators of cyber standards complicated by cost, liability concerns

According to records examined by the security blogger and military veteran Michael Mabee, since 2010, NERC has been routinely concealing the identity of violators in the notices, listing them instead as “Unidentified Registered Entities.” In previous years, going back to 2008, NERC consistently named the entities, in addition to providing specific details, such as whether the “violation risk factor” was low, medium or high; the date mitigating actions were completed; how the violation was discovered — self-reported or through audit; and whether entities were “uncooperative” in settlement agreements.

In the first comment filed with the commission on the proposal, Mabee argues simply adding the name of the violator to all the information that’s currently available, “is not going to suddenly make all this publicly available information CEII,” especially since the violations are mitigated before they are revealed.

In this vein, he noted the potential consequence of companies dragging out “their mitigation plan for a long period of time — even years — in an effort to delay their name being exposed as a CIP violator.”

Overall, he said withholding penalty details by default would thwart their “use in statistical analysis” and “the White Paper proposal does not contain enough public information to allow for public, investor, Congressional and state scrutiny and evaluation of the violators and the regulatory system — activities that are critical to the security of the bulk power system.”

Wall Street Journal
September 6, 2019
Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules

Michael Mabee, a New Hampshire security blogger who has pushed for fuller disclosure, said that “getting the names of the violators is a huge victory,” but he wants to know the identities of past violators too, and doesn’t think that information should be withheld because vulnerabilities are required to be fixed, when discovered.

Mr. Mabee previously filed Freedom of Information Act requests for the release of unredacted penalty case documents, believing that public attention will make utilities focus harder on security.

A U.S. Army veteran, Mr. Mabee said he was sensitized to the importance of a secure electric grid after seeing what happens when a society suffers protracted blackouts and worries that U.S. utilities are lax about protecting their assets against attack. He said that lengthy blackouts tear at social structures, and said he witnessed the effects in two tours of duty in Iraq, in providing humanitarian assistance to Guatemala after a hurricane and after being in Manhattan during the terrorist attacks of 2001 and in the Northeast after a major blackout in 2003.

“It’s like a Forrest Gump thing, where I’ve been present to witness so many disasters,” he said. “I took an oath to defend America and I see threats to the grid as a major threat against our country.”

Wall Street Journal
April 4, 2019
PG&E Among Utilities Cited for Failing to Protect Against Cyber and Physical Attacks

Security researcher and blogger Michael Mabee, who has asked FERC to identify utilities associated with more than 200 penalty cases, said the regulatory system needs fixing, and “the only way for that to happen is by shining the light of day on it.”

Mr. Mabee also said penalties negotiated through settlement agreements are too low. So far, they have not been made public.

Law360
February 19, 2019
FERC Pressured To Disclose Cybersecurity Violators

Michael Mabee of Secure the Grid Coalition filed a separate motion asking FERC to disclose the subjects of nearly 200 cases resolved between five years and nine years ago, and is also in the process of penning a request for the identity of the record-setting settlement.

Public Citizen’s motion claimed disclosure would benefit state regulators and other local watchdogs, the public and even the industry. Mabee’s filing echoed concerns about public awareness and added that the secrecy appears legally unjustified.

“FERC needs to shine a light on utility violations that place the public at risk of long‐term and widespread electric grid outage from cyberattack and other deliberate actions of foreign adversaries,” Mabee’s motion said.

Mabee said potentially successful attacks like Russia’s undermine NERC’s primary reason for shielding companies where regulators find bad security practices — to protect that entity from further attack.

“If keeping the names of violators private was going to help, one would think it would have helped by now,” Mabee told Law360. “The public should be able to take a look at who the violators are and who the repeat violators are to evaluate the issue.”

Mabee compiled FERC data that shows out of 243 cases between 2010 and 2018, 1,465 energy entities violated the government’s critical infrastructure standards. The agency did not identify any of them.

He asked FERC to force NERC to name the companies involved in dockets that are five years or older — the regulatory limit, he said, for their confidential designation. In his request, Mabee claimed regulators have been abusing the rule that allows them to shield specific engineering, vulnerability or detailed design information that, if disclosed, could help someone attack the grid.

“NERC has been basically twisting the language and the definitions to have an excuse to not release these things,” Mabee said.

Wall Street Journal
August 24, 2018
PG&E Identified as Utility That Lost Control of Confidential Information

PG&E’s identity was revealed because of a Freedom of Information Act request filed to FERC by Secure the Grid Coalition, a nonprofit group focused on critical infrastructure protection. Michael Mabee, a New Hampshire representative of the group, said he petitioned for the information, because he thought it was “disturbing and wrong” for federal officials to protect a utility whose actions endangered the public.