Grid Security Now!

Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Menu
  • Home
  • Library
    • Grid Security Library
      • Government Documents on Grid Security
      • OE-417 Electric Disturbance Events Database
      • CIP Violation Database
      • Database of Chinese Transformers and Equipment in the U.S. Electric Grid
      • Why Haven’t We Secured the Grid?
      • What is the Electric Grid and How is it Regulated?
      • Grid Protection Posts
      • Video (EMP and Grid Security)
    • Civil Defense Library
      • The cavalry is not coming
      • Civil Defense Posts
      • Video (Preparedness)
      • Civil Defense Checklists
  • In the Press
  • Take Action!
  • Fund The Fight!
  • About Me
    • About Michael
    • Interviews – Michael Mabee
    • Subscribe to Mike’s Blog
    • Contact Me
  • My Book
Menu
NERC Cover-Up

A NERC Cover-Up? Who Put the Electric Grid at Risk?

Posted on April 1, 2018April 2, 2018 by Michael Mabee

 

 

A NERC Cover-Up?

NERC Cover-UpThis incident has the olfactory bouquet of a NERC cover-up: On February 28, 2018 the North American Electric Reliability Corporation (NERC) submitted a proposed “Notice of Penalty” to the federal government against an “Unidentified Registered Entity.” This entity was responsible for a massive data breach that, according to NERC, posed a “serious or substantial risk” to the electric grid. Is there any legitimate reason that the public is not allowed to know who put us at risk?

Alas, a NERC cover-up really should not come as a surprise since NERC is actually just a proxy for the electric utility industry.

Q: Who actually regulates the grid? A: The grid.

Perhaps a bit of background is in order for those unfamiliar with the regulatory scheme of the electric grid. First of all, the federal regulator for the electric grid is an obscure agency called the Federal Energy Regulatory Commission (FERC). But in reality, “the grid” is self regulated. “The grid” is actually thousands of companies – both public and private sector – who are involved in the generation, transmission and distribution of electric power. These companies – much like Wall Street – regulate themselves through an entity known as the North American Electric Reliability Corporation, or NERC. The law allows FERC to designate an entity as what is known as the “Electric Reliability Organization” (ERO). This ERO makes the rules – including grid security regulations, and submits them to FERC for approval. NERC is the Commission-certified Electric Reliability Organization.

NERC’s annual funding is provided through assessments to the entities that it regulates. Moreover,  although technically anybody can become a “member” of NERC, the membership structure stacks the deck in favor of the electric industry as far as the election of NERC’s “independent trustees” (the board that governs NERC). NERC accomplishes this shell-game by assigning all members to one of 12 groups. According to NERC rules:

“Each member will join only 1 of 12 industry sectors and be eligible for selection as a sector representative on the NERC Member Representatives Committee (MRC). The MRC elects NERC’s independent trustees, votes on amendments to the bylaws, and provides advice and recommendations to the Board with respect to the development of annual budgets, business plans and funding mechanisms, and other matters pertinent to the purpose and operations of NERC.”

NERC cover-upSo what are the “12 industry sectors?”

1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives

In other words, two sectors are customers and one is the government. The other nine are the electric industry. The electric industry gets 9 votes – the customers and the government get 3. If that is not a stacked deck, I don’t know what is. So NERC is literally funded, run and its leadership elected by the electric utility industry  that it allegedly regulates. As we have seen lately in the fight for cybersecurity regulations, if the grid does not want to be regulated, it has means to resist being regulated.

Back to the NERC Cover-Up

The details provided by NERC are vague (likely in order to protect the guilty). At an unknown date in the past – but likely 2016 based on the “NERC Violation ID” number on page 2 – the NERC-anonymized entity experienced a horrific data breach. According to NERC, this data breech involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC

“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”

NERC Cover Up
(Click to enlarge) FERC Docket No. NP18-7-000

This is really really bad. Imagine what would happen if North Korea, Iran, Russia or China came into possession of such a treasure trove of information to access the electric grid?

As bad as this is, the NERC-anonymized entity does not admit any fault and agrees to pay a paltry $2,700,000 fine for what might be the worst threat to national security of the 21st century. This is the settlement proposal that NERC wants the federal government to sign off on.

And, NERC thinks the public does not have a right to know who the violator is.

It appears from a separate filing, that is not available to the public, NERC is claiming that the identity of the violator is “Critical Energy Infrastructure Information” (CEII). We can’t tell for sure since we do not have access to the document. But FERC regulations and policy holds that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII). We agree. The breach is over and has been allegedly “mitigated” according to NERC. Why does the public not have the right to know who endangered us?

Message to FERC

Notwithstanding NERC’s lack of transparency in hiding the identity of the “Unidentified Registered Entity,” such a NERC cover-up is against the public interest and should not be allowed by FERC. On March 30, 2018, FERC announced that is is delaying approval of the NERC Notice of Penalty until May 29, 2018. (FERC Docket No. NP18-7-000.) One can only hope that this means FERC intends on reviewing this extremely fishy NERC cover-up.

 


(Possible Spoiler Alert: The identity of the NERC-anonymized entity has been speculated in the press here and here.)


 

News

  • How to Fix Electric Grid Security
  • U.S. Continues to Import Large Transformers from China
  • 60 Minutes – How secure is America’s electric grid?
  • COVERUP UPDATE: CIP Violation Database and FOIA Lawsuit
  • Q: How Did We Become So Vulnerable?
  • Rate Recovery: How Electric Customers Fund Industry Lobbying
  • Energy Sector Supply Chain Review – U.S. Department of Energy
  • Criminally Negligent Homicide in February 2021 Texas Blackout Deaths?
  • Chinese Transformer Threat Now Confirmed by Two Administrations
  • Secretary of Energy Advisory Board: Comments of Michael Mabee
  • Electricity Advisory Committee: Comments of Michael Mabee
  • How the electric utility industry torpedoed grid security
  • Chinese Transformer Complaint Filed with U.S. Government
  • U.S. Electric Grid Imports More Chinese Transformers in 2020 and 2021
  • Recent Grid Threats: Frank Gaffney and Michael Mabee Break It Down
  • Secret Penalties: The Electric Grid Is Making You Pay Their Fines
  • Government Misses the Boat on Grid Security – Again
  • Critical Electric Infrastructure – The Government Must Step Up
  • FERC Dismisses Texas Grid Collapse Complaint
  • FERC Office of Public Participation: End the Electric Industry Coverup
  • Testimony of Michael Mabee on SB 1606 – All Hazards Grid Security
  • Federal Complaint Filed on Texas Grid Collapse
  • We Are Plugged In To Life Support
  • Texas Blackout: The Unacceptable Outcome of a Foreseeable Event
  • Chinese Transformers in the Electric Grid: Lights Out For NYC?
  • Message to Governor Jennifer Granholm and the Department of Energy
  • Chinese Transformers in the Electric Grid
  • The U.S. Has 300 Chinese Large Power Transformers
  • Senator Murkowski Questions Cybersecurity Order Suspension
  • Grid Supply Chain Cybersecurity Order “Suspended”

Fund The Fight!


Subjects

Search Website

Subscribe for Updates!

Follow me on Twitter

Tweets by CivilDefenseBK

Click To Get Prepared!

The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community
The Civil Defense Book Get it now!

Subscribe for updates

Follow Me On Facebook

The Civil Defense Book

9 months ago

The Civil Defense Book
Bradford Clark Freeman, the last surviving member of Easy Company's Band of Brothers, dies at 97apple.news/AkFt2MfXqTCWTe4KGOFDOPg ... See MoreSee Less

Bradford Clark Freeman, the last surviving member of Easy Company's Band of Brothers, dies at 97 — CNN

apple.news

Bradford Clark Freeman, believed to be the last surviving original member of the historic World War II parachute infantry regiment of the US Army known as Easy Company, died Sunday in Columbus, Missis...
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

The Civil Defense Book

9 months ago

The Civil Defense Book
Here Comes the Sun—to End Civilizationwww.wired.com/story/sun-storm-end-civilization/ ... See MoreSee Less

Here Comes the Sun—to End Civilization

www.wired.com

Every so often, our star fires off a plasma bomb in a random direction. Our best hope the next time Earth is in the crosshairs? Capacitors.
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Fund The fight!


©2023 Grid Security Now! | Theme by SuperbThemes