Secret Regulatory Regime is Hosing Electric Customers
Fact: If you pay an electric bill, you are likely paying the secret regulatory fines your utility company is assessed if it violates Critical Infrastructure Protection (CIP) Standards. This is a lot to unpack, so let’s get started.
The system sounds good on the surface: There are mandatory Critical Infrastructure Protection (CIP) Standards that companies in the bulk power system have to follow. If they violate these standards, they can be fined. So far, so good.
But here’s where it gets fishy:
- Who writes the standards? The electric utility industry.
- Who enforces the standards? A not-for-profit corporation funded and controlled by the electric utility industry.
No Big deal. This is America and we are all about “self-regulation” but let’s dig deeper.
- Who has been fined for violations? The public is not allowed to know.
- Is the electric company you pay a violator? The electric utilities do not want you to know.
- Why is the public not allowed to know? Because the electric utility industry said so.
But wait. Are you saying that the tail is wagging the regulatory dog here? Yes. That is precisely what I am saying. So here is the final point that is the most disturbing of all:
- Who pays these secret fines? You – the electric customer.
That’s right. If the company you pay for electricity violates a Critical Infrastructure Protection (CIP) Standard, you eat the fine. But you are not allowed to know it. I will provide solid evidence of this, but first Let’s review how the system works.
Brief summary of the secret regulatory system for CIP violations
Arguably, the electric grid was invented in 1882 by Thomas Edison and his Edison Illuminating Company. The Pearl Street Station in New York City started off powering 85 customers, and providing electricity to 400 electric lamps. In 1882, the grid was not a “critical infrastructure.” Over the generations, more and more of the U.S. became electrified. Somewhere along the way, electricity ceased being a luxury and actually became necessary. Today, the lives of 330 million Americans depend on the electric grid. It is literally our life support system. Without it, everything the U.S. population needs to survive stops.
The Kleinman Center for Energy Policy charitably said: “Today’s electric grid is developing within the confines of a century-old regulatory system.” There are more than 60 different regulators involved in the regulation of the generation, transmission and distribution of electricity.
After the Great Northeast Blackout of 2003, the interstate transmission system (known as the “bulk power system”) went from voluntary self regulation to mandatory self regulation – but still self regulation. The not-for-profit corporation that regulates the electric grid is the North American Electric Reliability Corporation (NERC). NERC is funded and controlled by the electric utility industry. NERC is nominally overseen by the Federal Energy Regulatory Commission (FERC). NERC and the electric industry write their own reliability standards, including Critical Infrastructure Protection (CIP) standards, which are then rubber-stamped by FERC.
The first problem is that in the 286 FERC cases to date where companies have been charged with violating CIP standards, the names of all the violators (over 1,500 of them) have been permanently withheld from the public at the insistence of the electric utility industry. Why? The industry says to “protect us.” I say so the industry can avoid accountability and embarrassment.
I have argued for years that the CIP standards are inadequate and more transparency and accountability is needed (read more on this HERE), but notwithstanding the inadequacy of the CIP standards to protect us, there is something even more insidious going on here: When a company receives a fine for violating CIP standards, the fine is paid by the “ratepayers” (i.e., the electric customers).
This is made possible by the lack of transparency and regulatory complexity of this system. It is a scam that victimizes the customers in allegedly plain sight. Let’s look at some examples.
A secret needle in a haystack.
If you are a resident of 15 midwestern states including Arkansas, Indiana, Illinois, Iowa, Kentucky, Louisiana, Michigan, Minnesota, Mississippi, Missouri, Montana, North Dakota, South Dakota, Texas, Wisconsin and Manitoba (Canada), you got hosed. Here’s how:
On December 22, 2010 NERC filed a Notice of Penalty in Docket No. NP11-59-000 against an “Unidentified Registered Entity” (the industry euphemism for a CIP violator whose identity the industry is withholding from the public). The Notice of Penalty found that the “Unidentified Registered Entity” had violated a cybersecurity standard, CIP-004-1, and was assessed a $7,000 penalty.
It is bad enough that the residents of the above 15 states (and a province of Canada) would have had no idea that the entity involved impacts them due to the coverup of the identity. But is gets worse when you see what happens next.
The Federal Register on Tuesday February 8, 2011 consisted of 417 pages. Somehow, if you are a resident of the above 15 states, you should have noticed this entry on page 6776:
You’ll first notice that it is a completely different docket number: ER11-2798-000. The second thing you will notice is there is no indication of the violator’s identity or geographic area. There is no possible way for the public to know if they are impacted.
Buried deep in this obscure docket in FERC’s complex and bureaucratic system, an entity called Midwest Independent Transmission System Operator, Inc. (now known as Midcontinent Independent System Operator, Inc. or “MISO”) applied to FERC to pass the $7,000 penalty from the Notice of Penalty in NP11-59-000 on to its customers.
FERC approved the application and the customers in 15 states and a province of Canada were hosed on May 6, 2011. The violator successfully passed their violation penalty to the customers.
This abhorrent situation was best summed up in a filing by Norris Electric Cooperative in Illinois:
NERC fined MISO a. penalty of $7,000. That is a small penalty and its payment would typically have little impact on an entity the size of MISO if MISO was not a not-for-profit. Due to the not-for-profit status, when NERC penalized MISO, they did not really penalize MISO, they penalized the members of MISO who have no governing control over MISO. A penalty should have the same result as disciplining a child. You spank them in hopes they do not repeat the offense. This penalty has no affect on MISO since the origin of the penalty dollars will come from the unwilling market participants. In our case it will be passed on to our own residential and commercial members. So, in my opinion, the penalty will have no affect on future behavior!
In this process, MISO is paying a law firm, Hunton & Williams, to file for the ability to recover the penalty from the MISO members. The cost of the law firm probably exceeds the cost of the penalty. When you couple that with MISO’s approved budget containing line items for attorney fees, it appears to me that it would be a far better use of the line budget item to pay the penalty!
Kudos to Norris Electric Cooperative for standing up for your customers. We have occasionally seen heroes among the state agencies and some electric industry companies who believe that the system needs more transparency and that the public has a right to know. Several examples, such as the New Mexico Public Regulation Commission, the Louisiana Public Service Commission and multiple elected and appointed officials in New Hampshire can be found HERE.
More customers pay the fines for Critical Infrastructure Protection (CIP) violators
Unfortunately, this was not an isolated incident. I have found several FERC orders in which the CIP violation penalties were approved to be passed on to the customers:
- FERC Docket ER11-2798-000
- FERC Docket ER12-1112-000
- FERC Docket ER15-764-000
- FERC Docket ER19-2362-000
In each instance, the identity of the violator was withheld from the public when the Notice of Penalty was issued. In each instance, a separate docket was opened with an obscure “public notice” in the Federal Register which, in all four cases, did not give the public adequate information to determine if they were impacted. And in each case, FERC approved the the penalty being passed on to the public.
There are likely many more. These are difficult to find and took a bit of “docket archeology” to root these examples out. Unfortunately, without access to the names of the violators, the public has no hope of seeing how many times FERC has approved secret violation penalties being passed on to the electric customers. In fact, these instances are all not-for-profit companies. In the case of a for profit company, they don’t even have to ask. They just decide themselves whether the customers or the shareholders eat the penalties. The CEO is certainly not going to eat it!
Let me give you an example of a for profit company: PG&E
PG&E endangers the grid – and you paid for it.
On February 28, 2018, NERC filed a Notice of Penalty in FERC Docket Number NP18-7-000 against an “Unidentified Registered Entity” for cybersecurity violations and assessed a penalty of $2.7 million dollars. I filed a Freedom of Information Act request for the name of the entity. After a great deal of effort, I was able to determine that the entity was PG&E and this was reported in the Wall Street Journal.
In addition to the $2.7 million dollar penalty, PG&E presumably also had to spend an unknown amount (but likely a substantial amount) of money on mitigation. Somebody had to pay for all of this. Because I could find no disclosure of the event or its costs in PG&E’s filings with the Securities and Exchange Commission, it is impossible for the public to know whether the shareholders or the ratepayers ate these costs—I am sure both groups would like to know.
- Does it make a difference in who should pay if a company is a repeat CIP violator? (Which PG&E is.)
- Does it make a difference in who should pay if the company is negligent? (Which PG&E was.)
One thing is for sure: PG&E’s former CEO Geisha Williams didn’t suffer. In 2018 she was paid $9.3 million – an increase from the previous year. In fact, for a chart of just how obscene PG&E’s executive compensation was for the time period when this CIP violation occurred, Click HERE (from PG&E’s 2019 Proxy Statement filed with the SEC). No, the PG&E executives didn’t suffer.
The last one who should be deciding who pays is the regulatory violator. This decision should be made by the appropriate regulator (the PUC) with full transparency to the two possible victims: the ratepayers and the shareholders.
But this is not how the system presently works.
The electric utility industry: “who’s better than us?”
I have to admit, the industry lobbyists and attorneys have devised a brilliant system. There is no incentive to do more than the minimum to secure the electric grid from cyber or physical threats – the types of threats supposedly covered by the industry-written CIP standards.
In sum, CIP standards should protect the U.S. electric grid by holding the electric utility companies and grid operators accountable to protect the portion of the U.S. critical infrastructure that they own or operate. Instead, the electric utility industry has twisted this regulatory scheme into a sham where companies have no incentive to do more than the minimum. If caught violating a CIP standard, NERC and the Regional Entities will settle the matter privately with the “unidentified registered entities” negotiating a “penalty” that the “unidentified registered entities” are willing to pay and will keep the matter from public view. It looks like a system of back-room settlements and handshake penalties. A great deal for the “unidentified registered entities”—not so much for the American people.
To add insult to injury, it is the American people who will ultimately pay the secret penalties. In fact, they could pay with their lives if the inadequate Critical Infrastructure Protection (CIP) standards are not fixed and violators held accountable.
This secret “regulatory system” must be fixed. Violators must be held accountable and the public should not unknowingly foot the bill for the secret violations.
For more information on my fight to change this secret regulatory system, Click HERE.