A NERC Cover-Up?
This incident has the olfactory bouquet of a NERC cover-up: On February 28, 2018 the North American Electric Reliability Corporation (NERC) submitted a proposed “Notice of Penalty” to the federal government against an “Unidentified Registered Entity.” This entity was responsible for a massive data breach that, according to NERC, posed a “serious or substantial risk” to the electric grid. Is there any legitimate reason that the public is not allowed to know who put us at risk?
Alas, a NERC cover-up really should not come as a surprise since NERC is actually just a proxy for the electric utility industry.
Q: Who actually regulates the grid? A: The grid.
Perhaps a bit of background is in order for those unfamiliar with the regulatory scheme of the electric grid. First of all, the federal regulator for the electric grid is an obscure agency called the Federal Energy Regulatory Commission (FERC). But in reality, “the grid” is self-regulated. “The grid” is actually thousands of companies – both public and private sector – that are involved in the generation, transmission and distribution of electric power. These companies – much like Wall Street – regulate themselves through an entity known as the North American Electric Reliability Corporation, or NERC. The law allows FERC to designate an entity as what is known as the “Electric Reliability Organization” (ERO). This ERO makes the rules – including grid security regulations – and submits them to FERC for approval. NERC is the Commission-certified Electric Reliability Organization.
NERC’s annual funding is provided through assessments on the entities that it regulates. Moreover, although technically anybody can become a “member” of NERC, the membership structure stacks the deck in favor of the electric industry when it comes to the election of NERC’s “independent trustees” (the board that governs NERC). NERC accomplishes this shell game by assigning all members to one of 12 groups. According to NERC rules:
“Each member will join only 1 of 12 industry sectors and be eligible for selection as a sector representative on the NERC Member Representatives Committee (MRC). The MRC elects NERC’s independent trustees, votes on amendments to the bylaws, and provides advice and recommendations to the Board with respect to the development of annual budgets, business plans and funding mechanisms, and other matters pertinent to the purpose and operations of NERC.”
So what are the “12 industry sectors?”
1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives
In other words, two sectors are customers and one is the government. The other nine are the electric industry. The electric industry gets 9 votes – the customers and the government get 3. If that is not a stacked deck, I don’t know what is. So NERC is literally funded, run and its leadership elected by the electric utility industry that it allegedly regulates. As we have seen lately in the fight for cybersecurity regulations, if the grid does not want to be regulated, it has means to resist being regulated.
Back to the NERC Cover-Up
The details provided by NERC are vague (likely in order to protect the guilty). At an unknown date in the past – but likely 2016, based on the “NERC Violation ID” number on page 2 – the NERC-anonymized entity experienced a horrific data breach. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”
According to NERC:
“These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.
Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.”
This is really, really bad. Imagine what would happen if North Korea, Iran, Russia or China came into possession of such a treasure trove of information for accessing the electric grid.
As bad as this is, the NERC-anonymized entity does not admit any fault and agrees to pay a paltry $2,700,000 fine for what might be the worst threat to national security of the 21st century. This is the settlement proposal that NERC wants the federal government to sign off on.
And, NERC thinks the public does not have a right to know who the violator is.
It appears from a separate filing, which is not available to the public, that NERC is claiming the identity of the violator is “Critical Energy Infrastructure Information” (CEII). We can’t tell for sure since we do not have access to the document. But FERC regulations and policy hold that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not CEII. We agree. According to NERC, the breach is over and has allegedly been “mitigated.” Why does the public not have the right to know who endangered us?
Message to FERC
Whatever NERC’s reasons for hiding the identity of the “Unidentified Registered Entity,” such a NERC cover-up is against the public interest and should not be allowed by FERC. On March 30, 2018, FERC announced that it is delaying approval of the NERC Notice of Penalty until May 29, 2018. (FERC Docket No. NP18-7-000.) One can only hope that this means FERC intends to review this extremely fishy NERC cover-up.
(Possible Spoiler Alert: The identity of the NERC-anonymized entity has been speculated in the press here and here.)