Foundation for Resilient Societies

NERC Coverup Investigation Report

NERC Coverup Introduction

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

Justice Louis D. Brandeis

In an official assessment to the U.S. Congress released on January 29, 2019, the U.S. Intelligence Community confirmed that the U.S. electric grid is not secure against foreign incursions:[1]

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.  Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.

Vulnerability of the U.S. electric grid to foreign attack has been longstanding. In an April 8, 2009 article, “Electricity Grid in U.S. Penetrated By Spies,” the Wall Street Journal disclosed:[2]

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

FERC’s decade-long failure to secure the U.S. electric grid is in large part due to its complicity in a North American Electric Reliability Corporation (NERC) enforcement regime that shields the identities of standard violators from outside scrutiny. The NERC coverup, enabled and abetted by FERC, started in July 2010. (Previous to July 6, 2010, identities of standards violators were disclosed by both NERC and FERC.) Under this apparently illegal enforcement regime, incentives for electric utilities have become clear: devote only moderate attention to grid security while knowing any gaps will be kept hidden from ratepayers, investors, the U.S. Congress, and the public at large.

Disclosure is the cornerstone of a successful regulatory scheme in a free society. The Securities and Exchange Commission routinely publicizes the names of companies and individuals subject to regulatory actions under U.S. securities laws;[3] the Food and Drug Administration routinely publicizes the names of companies whose food is being recalled due to public safety concerns;[4] the National Transportation Safety Board routinely publicizes the names of companies responsible for airplane crashes as well as the causes. There are numerous other examples of appropriate disclosure. [5] It is high irony that public disclosure has made food consumption and airline travel extremely safe for Americans while a far greater danger, the threat of long-term blackout for millions, has been neglected by the responsible federal regulator, FERC.

Presently, NERC, as the designated ERO, is improperly using the Critical Energy/Electric Infrastructure Information (CEII) rule[6] to hide from public view the identities of entities that violate Critical Infrastructure Protection (“CIP”) Reliability Standards – even when the violation has been abated and there is no longer a security need to withhold this information. Essentially, NERC and the Regional Entities are misusing FERC’s authority to shield industry from public scrutiny. The Commission must not allow this practice repugnant to the public interest to continue.

Duke Energy Example – FERC Docket NP19-4-000

On January 25, 2019, NERC filed a 250 page Notice of Penalty with FERC that disclosed 127 cybersecurity standard violations by an “unidentified registered entity.” NERC and its Regional Entities (RE) determined:

[T]he 127 violations collectively posed a serious risk to the security and reliability of the BPS (Bulk Power System). The Companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.

The NERC-imposed fine was $10 million, tiny in comparison to Duke’s 2017 net income of $3 billion. It is notable that the Notice of Penalty revealed violations that could allow adversaries in remote locations to gain electronic access to grid facilities:

The REs determined that the Companies allowed interactive remote access to the BCSs (Bulk Electric System Cyber Systems) inside the Companies ESP (Electronic Security Perimeter) without first going through an Intermediate System, utilizing encryption, and requiring multi-factor authentication.

The violation started when the Standard became mandatory and enforceable and is currently ongoing. [Emphasis added.]

The violated standard, CIP-005-5-2 R2, became effective in July 2015. Without fear of public scrutiny, it is apparent that even three and one-half years have not been sufficient time for the “unidentified registered entity” to remedy this currently ongoing violation.

On February 1, 2019, trade publication EnergyWire disclosed that Duke Energy is the unnamed standards violator.[7] Duke Energy is one of America’s largest utilities, with 7.2 million customers across seven states. Duke’s generation fleet includes six nuclear plants. A physical or cyber attack on Duke could cause a long-term, wide-area blackout and result in release of radioactive contaminants. Nonetheless, the NERC standard enforcement regime, with its practice of hiding the names of violators under the guise of CEII, has failed to assure the protection of Americans depending on Duke for their electric power.

Pacific Gas and Electric Example – FERC Docket NP18-7-000

Another example of NERC abuse of the CEII rule is contained in FERC Docket NP18-7-000, which is hereby attached as Exhibits A-G. Also instructive are the events both before and after the docket. Let’s start with the end of the story – the American public is informed.

On August 24, 2018, the Wall Street Journal ran a story titled: “PG&E Identified as Utility That Lost Control of Confidential Information.” Subtitle: “As a result of 2016 failure, 30,000 records about PG&E’s cyber assets were exposed on the internet.”[8] This story stems from FERC Docket NP18-7-000, however, it required Herculean effort by citizens to force the disclosure of PG&E’s identity. This should not have been the case.

Events leading to FERC Docket NP18-7-000 began on May 30, 2016 when cybersecurity expert Chris Vickery reported a massive data breach by Pacific Gas and Electric (PG&E).[9] According to Mr. Vickery:

Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. No username or password required for viewing. We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more. This would be a treasure trove for any hostile nation-state hacking group. That’s not to mention the 120 hashed employee passwords, or the plaintext NTLM, SOAP, and mail passwords.

Any anonymous internet user—including those in North Korea, Iran or Russia—having free access to sensitive PG&E data is a grave national security violation. A cyber-attack on PG&E could cause a cascading collapse, resulting in a blackout for San Francisco, Silicon Valley, and much of the Western Interconnection.

On February 28, 2018 NERC issued a “Notice of Penalty regarding Unidentified Registered Entity”[10] in which the NERC-anonymized entity apparently agreed to pay penalties of $2.7 million for very serious cybersecurity violations. According to NERC, this data breach involved “30,000 asset records, including records associated with Critical Cyber Assets (CCAs). The records included information such as IP addresses and server host names.”

According to NERC:

These violations posed a serious or substantial risk to the reliability of the bulk power system (BPS). The CCAs associated with the data exposure include servers that store user data, systems that control access within URE’s [Unidentified Regulated Entity’s] control centers and substations, and a supervisory control and data acquisition (SCADA) system that stores critical CCA Information. The data was exposed publicly on the Internet for 70 days. The usernames of the database were also exposed, which included cryptographic information of those usernames and passwords.

Exposure of the username and cryptographic information could aid a malicious attacker in using this information to decode the passwords. This exposed information increases the risk of a malicious attacker gaining both physical and remote access to URE’s systems. A malicious attacker could use this information to breach the secure infrastructure and access the internal CCAs by jumping from host to host within the network. Once in the network, the attacker could attempt to login to CCAs, aided by the possession of username and password information.

By the time of NERC’s submission of its February 28, 2018 “Notice of Penalty regarding Unidentified Registered Entity,” the breach had been mitigated and there was no longer an access vulnerability.[11] According to a federal regulation, 18 CFR § 39.7 (b)(4), at the point where “Notice of Penalty regarding Unidentified Registered Entity” was submitted to FERC, the identity of the “URE” should have been disclosed.

NERC cannot argue that its February 28, 2018 “Notice of Penalty regarding Unidentified Registered Entity” should be a non-public proceeding related to a “cybersecurity incident”[12]  as it does not meet the regulatory definition of a “cybersecurity incident.”[13]  According to NERC, this incident was a not “malicious act” as the definition of “cybersecurity incident” requires – rather it was a colossal blunder on the part of the regulated entity. The public had the right to know who endangered them.

Despite the interventions and protests of several citizens and groups in Docket NP18-7-000[14], the matter was closed without review by the Commission on May 30, 2018[15] and the name of the “Unidentified Registered Entity” was never disclosed on NERC’s website or in FERC’s public docket.

Below is the information as it appears on NERC’s public website about FERC Docket NP18-7-000:[16]

NERC Coverup NP17-7-000
Click to View NP17-7-000 Notice of Penalty

It took a Freedom of Information Act (FOIA) request by this Investigator, and an appeal of the denied request, to conclusively determine the identity of the standards violator: PG&E, one of America’s largest utilities.

Numerous Other Examples of Secret Enforcement Actions

In fact, analysis of NERC enforcement actions between 2010 and 2018 reveals a multitude of cases in which NERC hid the identities of the “registered entities” that violated reliability standards.[17] Many of these enforcement actions involved settlements for substantial penalties, yet the settlement agreements were not disclosed either.

Exhibit O Lists 243 FERC dockets and at least 1,465 “Unidentified Registered Entities” related to these dockets who violated CIP standards between 2010 and 2018. None of these “Unidentified Registered Entities” has yet been identified to the public by either NERC or FERC even though they have been subject to regulatory action overseen by the United States government. These actions all claim that the violations have been “mitigated,” so there is absolutely no national security argument that the identities of these entities and the settlement agreements should still be withheld from the public.

Moreover, NERC cannot argue – as they are attempting to argue in the January 25, 2019 Duke Energy NOP (Docket Number NP19-4-000) – that these should be non-public proceedings related to “cybersecurity incidents.” None of these 243 regulatory actions involve “cybersecurity incidents” as defined in the regulation. These dockets were regulatory actions resulting from audits or self-reports – not “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System” as defined at 18 CFR § 39.1. NERC is simply misapplying this FERC regulation in an attempt to shield the industry from proper public scrutiny.

A review of the publicly available information on these dockets reveals troubling issues; however, without the disclosure of the names of the entities and the text of settlement agreements, it is impossible for the public to fully appreciate how standards violations by utilities place lives at risk. Here are some examples:

  • Since the Metcalf substation attack on PG&E on April 16, 2013, one would think that there would be utility focus on physical security for high voltage transformers – most of which are guarded only by a chain link fence and crossed fingers. So exactly how many enforcement actions would you guess there have been in the last 5 years for “CIP-014” physical security? Only one. (FERC Docket NP18-14-000.)
  • Many of the “penalties” result from settlement agreements (e.g., the “Unidentified Registered Entity” agrees to pay the “penalty” and in many cases does not admit fault for the violation). Without knowing the details of the settlement agreements, the public cannot adequately analyze the terms and penalties, or even identify offending utilities.
  • In some of the cases that were “settled,” the regulated entities were “uncooperative” (FERC Docket NP16-12-000) or “not fully transparent and forthcoming” (FERC Docket NP18-7-000). “Settling” with such bad actors raises many regulatory red flags and the public needs to analyze these FERC-approved transactions in more detail.
  • I have found numerous examples of non-CIP violations that have been redacted. For example, I have found at least four violations of vegetation management standards for transmission lines in the Western Interconnection[18] – the same region where over 86 deaths occurred in the “Camp Fire” – the deadliest and most destructive wildfire in California history. This is the same region where a “regulated entity” (PG&E) has significant liability for wildfires. The public has a right to know who standard violators are, especially when the standards violations may have resulted in dozens of deaths.

After this NERC coverup started in July of 2010, there has been less incentive to fix the grid security problems. That’s why disclosure is important. Why should utilities spend money to fix grave cybersecurity issues if they know that 1) if caught, the friendly regulator will “settle” the violation privately and the settlement agreement will be kept secret, 2) the utility can negotiate a trivial fine, and 3) the utility’s name will not be disclosed to the public?

Federal Regulations Require Disclosure

18 CFR § 39.7 (b)(4) provides that: “Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk Power System violated a Reliability Standard or by a settlement or other negotiated disposition.” [Emphasis added.]

Further, 18 CFR § 39.7(d)(1) provides that a notice of penalty by the Electric Reliability Organization shall consist of, inter alia: “The name of the entity on whom the penalty is imposed.”

The federal regulations are very clear that the name of the entity on whom the NERC penalty is imposed must be disclosed. Yet, somehow NERC has apparently been excused from complying from federal regulations. How has this happened?

Even the Commission’s own interpretation of the Critical Energy Infrastructure Information (CEII) rules support disclosure. I note that FERC Order No. 833 holds that the Commission’s practice is that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII).[20]

Nevertheless, in July 2010 FERC began allowing NERC to hide the identity of the “Unidentified Registered Entities.” Further, as described below, NERC claims FERC instructed this change in policy.

NERC’s concealments are against the public interest and should never have been allowed by FERC. The PG&E data breach in 2016 and NERC’s cover-up of the identity of the “Unidentified Registered Entity” in FERC Docket NP18-7-000 — a standard violation by NERC’s own admission that endangered the bulk power system — is clearly against the public interest. Likewise for the NERC coverup of 127 cybersecurity violations of Duke Energy exposed by the press in January 2019. The public must be able to cast scrutiny over the activities of NERC and its regulated entities for the self-regulatory scheme codified in Section 215 of the Federal Power Act (16 U.S. Code § 824o) to be effective.

Disclosure of Violators’ Identity Should Be the Default Practice

In the PG&E example, disclosure of the identity of the “URE” took a Freedom of Information Act (FOIA) request and a subsequent appeal by this Investigator. Attached as exhibits are the initial request (Exhibit H), FERC’s April 23, 2018 submitter rights letter to NERC (Exhibit I), NERC’s April 30, 2018 Response Letter to FERC (Exhibit J), FERC’s May 25, 2018 response letter to me denying the FOIA request in its entirety (Exhibit K), my June 16, 2018 appeal of FERC’s determination (Exhibit L), FERC’s August 2, 2018 response letter granting my appeal in part – specifically agreeing to disclose the identity of the URE (Exhibit M), and the August 24, 2018 FERC disclosure of the requested information (Exhibit N).

Notably, FERC’s initial denial of the FOIA request on May 25, 2018 was based on NERC’s very puzzling interpretation of FERC’s policy. I am including NERC’s objection below in its entirety:

NERC is compelled to object to this FOIA Request, because the Federal Energy Regulatory Commission (“Commission”) has instructed NERC not to divulge the identity of entities that have violated NERC Critical Infrastructure Protection (“CIP”) Reliability Standards. The Commission’s expectation that NERC should not identify entities violating CIP Reliability Standards is longstanding but is most recently reflected in FERC’s 2014 Order on the Electric Reliability Organization’s Five-Year Performance Assessment. In that order, the Commission stated that, “[w]ith respect to concerns and questions raised regarding NERC’s protection of information deemed to be confidential, particularly as related to cybersecurity incidents or CIP violations, we believe that NERC currently has adequate rules and procedures in place to protect against improper disclosure of sensitive information (…).” Order on the Electric Reliability Organization’s Five-Year Performance Assessment, 149 FERC ¶61,141, at n. 55, P 47, and n. 65 (2014) (in response to a commenter referencing a prior inadvertent disclosure of the identity of a URE sanctioned for violations of CIP Reliability Standards). [Emphasis added.]

The statement that “the Federal Energy Regulatory Commission (‘Commission’) has instructed NERC not to divulge the identity of entities that have violated NERC Critical Infrastructure Protection (‘CIP’) Reliability Standards” is completely unsupported by any reasonable read of 149 FERC ¶61,141. This order simply does not state or imply in any way that the Commission has ever given NERC any such instruction. And, to the extent that the NERC Rules of Procedure conflict with 18 CFR § 39.7, the federal regulation must take precedence. A corporation’s “procedures” do not trump federal regulations.[21]

While this slight of pen on the part of NERC’s attorneys may have mislead the Commission’s staff into denying the initial FOIA request on May 25, 2018 (Exhibit D), on appeal, the Commission’s general counsel correctly concluded “that the name of the URE can be disclosed” on August 2, 2018 (Exhibit F).

However, this one FOIA disclosure in this one instance is not enough to abate NERC’s abhorrent practice of routinely concealing information from the public – which continues to this day. FERC regulations, while seemingly clear, have been abused by NERC and the Regional Entities to the point of creating a “new normal.” Clarification by means of a formal rulemaking is needed.

FERC’s Mandate to Act in the Public Interest

16 U.S.C. § 824o(d)(2) provides that: “The Commission may approve, by rule or order, a proposed reliability standard or modification to a reliability standard if it determines that the standard is just, reasonable, not unduly discriminatory or preferential, and in the public interest.” [Emphasis added.]

Thus, FERC is charged with serving the public interest. Not the interests of NERC and/or the electric utility industry. The public interest demands that information on industry practices, successes, failings and regulatory actions be available for public scrutiny. This is especially the case in the electric utility industry on which every American is dependent – and indeed, pays for.

In order to serve the public interest, the Commission should not allow NERC and the electric utility industry to continue to hide the identities of regulated entities that are subject to regulatory actions.


Continuing assessments by the U.S. intelligence community make it clear that our electric grid is not secure. By allowing NERC to hide the identities of utilities that violate grid security standards, FERC is failing in its duty to the American public. Free of public scrutiny, utilities do not correct security shortfalls for months and even years; the regulatory system is broken. Now is the time to end NERC’s apparently illegal scheme that hides the names of the violators of grid security standards.

Exhibits (Click Here – Large File):

  1. February 28, 2018 NERC Full Notice of Penalty regarding Unidentified Registered Entity
  2. March 30, 2018 FERC Notice (162 FERC ¶ 61,291)
  3. April 15, 2018 Motion to Intervene of Michael Mabee
  4. April 15, 2018 Motion to Intervene and Comment of Public Citizen, Inc. and The Utility Reform Network
  5. May 29, 2018 Comments of Isologic, LLC and the Foundation for Resilient Societies
  6. May 29, 2018 Comments of Frank J. Gaffney
  7. May 30, 2018 FERC Notice (163 FERC ¶ 61,153)
  8. April 13, 2018 FOIA Request (FOIA No. FY18‐75)
  9. April 23, 2018 FERC Submitter Rights Letter to NERC
  10. April 30, 2018 NERC Response Letter to FERC
  11. May 25, 2018 FOIA Response Letter
  12. June 16, 2018 Appeal of Determination in FOIA No. FY18‐75
  13. August 2, 2018 FERC Response Letter
  14. August 24, 2018 FERC Response Letter
  15. 246 FERC Dockets involving “Unidentified Registered Entities” 2010-2018


[1] Coats, Daniel R. “Worldwide Threat Assessment of the U.S. Intelligence Community” Senate Select Committee on Intelligence. January 29, 2019.—SSCI.pdf (accessed February 5, 2019).

[2] Gorman, Siobhan. “Electricity Grid in U.S. Penetrated By Spies.” Wall Street Journal. April 8, 2009. (accessed February 5, 2019).

[3] U.S. Securities and Exchange Commission. (accessed November 22, 2018).

[4] U.S. Food and Drug Administration. (accessed November 22, 2018).

[5] U.S. National Transportation Safety Board. (accessed February 5, 2019).

[6] 18 CFR § 388.113, et seq.

[7] Sobczak, Blake and Behr, Peter. “Duke agreed to pay record fine for lax security — sources” E&E News, February 1, 2019. (accessed February 5, 2019).

[8] Smith, Rebecca. “PG&E Identified as Utility That Lost Control of Confidential Information.” The Wall Street Journal. August 24, 2018. (accessed November 22, 2018).

[9] Vickery, Chris. “Pacific Gas and Electric Database Exposed.” (accessed November 28, 2018).

[10] Attached as Exhibit A.

[11] Id. At 4-5.

[12] 18 CFR § 39.7(e)(7)

[13] 18 CFR § 39.1 defines “cybersecurity incident” as “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk Power System.”

[14] Attached as Exhibits C-F.

[15] 163 FERC ¶ 61,153, attached as Exhibit G.

[16] (accessed December 9, 2018)

[17] 2014:;




2018: (accessed December 9, 2018).

[18] See FERC Docket Numbers: NP11-1-000; NP11-128-000; NP11-137-000 and NP12-20-000.

[20] FERC Order No. 833 at pg. 17. Also see 18 C.F.R. §388.113(c)(1)(iv).

[21] Perhaps FERC or one of its Commissioners gave an “off-the-record” instruction to NERC to conceal the identity of standards violators. If NERC continues to claim an exemption from 18 CFR § 39.7 in future filings, this is a matter that should be investigated by the Department of Energy’s Office of the Inspector General.

Further Information on NERC Coverup:

Related NERC Coverup Reports:

NERC Coverup Investigation Report

New England Long-Term Power Outage Summit

If you missed it, here are some pictures (click for larger pic)…

New England Long-Term Power Outage Summit

Frank Gaffney opens the summit

New England Long-Term Power Outage Summit

Tommy Waller explains the threats to the grid

New England Long-Term Power Outage Summit

(From left) Frank Gaffney, Meredith Angwin and Thomas Popik talk energy security.

New England Long-Term Power Outage Summit

(From left) Justin Kates, Arlene Magoon, Dale Rowley and Todd Therrien discuss building a culture of preparedness.

New England Long-Term Power Outage Summit

Dr. Amir Toosi leading the EM expert panel

New England Long-Term Power Outage Summit

David Fortino discusses recent FEMA prolonged power outage TTXs


(Videos of the New England Long-Term Power Outage Summit coming soon!)


Why You Should Attend The New England Long-Term Power Outage Summit

In 2018, our society is moments away from adversity while generations removed from self-reliance. We are completely dependent on the electric grid for all things that make life possible. Today, there are numerous threats to the electric grid both from humans and nature. What would happen if there was a long-term power outage in the United States and how can we prepare for it?

New England Long-Term Power Outage Summit

You are invited to attend the

New England Long-Term Power Outage Summit
 Saturday 11/10/2018
 New England College in Henniker, NH


This conference will be of interest to Emergency Managers, first responders, CERT team members, college students in Emergency Management or Homeland Security programs. Town, county and state leaders, legislators and policy makers would benefit also greatly benefit from this conference.


Registration is available through Eventbrite and includes lunch.  Click HERE to register.

  • Registration is $30 
  • A discount for Police / Fire / EMS / FEMA / DHS / CERT (Community Emergency Response Team) members ($15 per ticket) is available until 11/9/2018
  • A student discount ($10 per ticket) is available until 11/9/2018
  • Students at New England College can register for free with valid student ID

Any proceeds after conference expenses will support non-profit 501(c)(3) organizations active in protecting the power grid.


The morning session will provide unclassified briefings from nationally recognized experts on threats to the critical infrastructures.  The afternoon session will focus on community preparedness including an expert panel facilitated by Dr. Amir Toosi, Dean of Business Administration at Rivier University.

Among the confirmed speakers are Frank Gaffney (Center for Security Policy), Thomas Popik (Foundation For Resilient Societies), Tommy Waller (Secure The Grid Coalition), Dr. William R. Forstchen (author of  “One Second After“), Meredith Angwin (author of “Campaigning for Clean Air: Strategies for Pro-Nuclear Advocacy”), April M. Salas (Tuck School of Business at Dartmouth), Michael Mabee (author of “The Civil Defense Book”), Emergency Managers Justin Kates (Nashua, NH) and Dale Rowley (Waldo County, ME), Arlene Magoon (FEMA),  David Fortino (FEMA), Professor Todd Therrien (Rivier University) and others.

Attendees will leave with action items to build a culture of preparedness in their communities.


New England Long-Term Power Outage Summit
November 10, 2018
New England College, Henniker, New Hampshire

Frank J. Gaffney

New England Long-Term Power Outage Summit

Frank Gaffney is the Founder and President of the Center for Security Policy in Washington, D.C., a not-for-profit, non-partisan educational corporation established in 1988. Under Mr. Gaffney’s leadership, the Center has been nationally and internationally recognized as a resource for timely, informed and penetrating analyses of foreign and defense policy matters.

In April 1987, Mr. Gaffney was nominated by President Reagan to become the Assistant Secretary of Defense for International Security Policy, the senior position in the Defense Department with responsibility for policies involving U.S.-USSR relations, nuclear forces, arms control, missile defense policy and U.S.-European defense ties. He acted in that capacity for seven months during which time, he was the Chairman of the prestigious High Level Group, NATO’s senior politico-military committee. He also represented the Secretary of Defense in key U.S.-Soviet negotiations and ministerial meetings.

From August 1983 until November 1987, Mr. Gaffney was the Deputy Assistant Secretary of Defense for Nuclear Forces and Arms Control Policy under Assistant Secretary Richard Perle.

From February 1981 to August 1983, Mr. Gaffney was a Professional Staff Member on the Senate Armed Services Committee, chaired by the late Senator John Tower (R-Texas). And, in the latter 1970’s, Mr. Gaffney served as an aide to the late Senator Henry M. “Scoop” Jackson (D-Washington) in the areas of defense and foreign policy.

Mr. Gaffney holds a Master of Arts degree in International Studies from the Johns Hopkins University School of Advanced International Studies and a Bachelor of Science in Foreign Service from the Georgetown University School of Foreign Service.

Tommy Waller

New England Long-Term Power Outage Summit

Tommy Waller is Director for Special Projects at the Center for Security Policy.

As Director for Special Projects, Tommy performs a wide range of duties for the Center for Security Policy. These duties include educating policymakers at the state and federal level in all branches of government and working daily with renowned national security experts to help provide those policymakers an unconstrained analysis of the current threat environment along with workable policy solutions to address these threats.

One of the most urgent areas of concern for the Center is the vulnerability of the U.S. Electric Grid. Because the effects of a pro-longed power outage could be catastrophic to our nation, The Center sponsors the Secure the Grid Coalition – a group of the country’s top-level experts on threats to the grid and how these threats must be mitigated. The Secure the Grid Coalition is co-chaired by former House Speaker Newt Gingrich and President Clinton’s Director of Central Intelligence, R. James Woolsey. Frank Gaffney, the founder and president of the Center for Security Policy, has directed Tommy Waller to manage the day to day operations of the Secure the Grid Coalition.

Thomas Popik

New England Long-Term Power Outage Summit

Thomas S. Popik is the Chairman, President, and co-founder of the Foundation for Resilient Societies, a New Hampshire think tank that advocates for protection of critical infrastructures from infrequently occurring natural and man-made disasters.

Mr. Popik holds a Master of Business Administration from Harvard Business School and a Bachelor of Science in Mechanical Engineering from MIT. In his early career, Mr. Popik served as an officer in the U.S. Air Force, with a final rank of Captain. Mr. Popik is a co-founder of the Academy for Science and Design, New Hampshire’s charter high school for science and math education.

Dr. William R. Forstchen

New England Long-Term Power Outage Summit

William R. Forstchen has a Ph.D. from Purdue University with specializations in Military History and the History of Technology. He is a Faculty Fellow and Professor of History at Montreat College. He is the author of fifty books including the New York Times bestselling series One Second After, the Lost Regiment series, and the award-winning young adult novel, We Look Like Men of War. He has also authored numerous short stories and articles about military history and military technology.

Dr. Forstchen’s interests include the Civil War, archaeological research on sites in Mongolia, and the potential of space exploration. As a pilot he owns and flies an original World War II “recon bird.” Dr. Forstchen resides near Asheville, North Carolina with his dog Maggie.

Meredith Angwin

New England Long-term Power Outage Summit

Author and Nuclear Advocate Meredith Angwin is devoted to supporting clean, safe, affordable nuclear energy. She also works to protect the interests of electricity consumers (that is, all of us), by serving as one of two Vermont representatives to the steering committee of the Consumer Liaison Group of ISO-NE, the New England grid operator.

Meredith holds an M.S. in physical chemistry from the University of Chicago. In her long research career, she was inventor on several patents in pollution control for fossil fuels, and did extensive work in corrosion control for nuclear plants. Meredith was one of the first women to be a project manager at EPRI (Electric Power Research Institute), beginning with the renewables group, and moving eventually to the nuclear group. Later, she founded a small consulting company that consulted on pollution control and water chemistry for fossil, nuclear and renewable power plants, and natural gas pipelines. The company’s clients included local and international utilities.

April Salas

New England Long-Term Power Outage Summit

April M. Salas is the Executive Director, Revers Center for Energy, Tuck School of Business at Dartmouth.

Mrs. Salas has over 15 years of public and private sector experience in global and domestic energy project- and international-development. Starting her career in energy finance, she worked as a consultant in mid-/downstream oil and gas projects in Africa, as well as, an energy markets analyst covering Europe and Latin America.  Mrs. Salas has held various senior positions within the US Department of Energy in power delivery, energy reliability and systems analysis, and just prior to joining Tuck, Mrs. Salas directed the White House’s Quadrennial Energy Review Task Force Secretariat, in conjunction with the Secretary of Energy, and the White House’s Domestic Policy Council and Office of Science and Technology Policy. Domestically, Mrs. Salas served as Director of the State Energy Assurance Program, as well as, Chief of Planning and Analysis for all federal energy emergency response with FEMA. Globally, Mrs. Salas established and led a global energy security advisory program, energy security and systems analysis for DOE’s country-to-country engagements, as well as, US government support to international energy emergency response. Mrs. Salas represented US government energy security interests at NATO, led engagements in Colombia, Haiti, Iraq, and within the EU.

Mrs. Salas earned her MBA from Cornell University; two Masters degrees, in International Security and Economics, with a focus on energy poverty and development, and her BA from the College of William and Mary. Mrs. Salas speaks French, Spanish and Arabic, and has worked in and/or visited over 64 countries.

Michael Mabee

New England Long-Term Power Outage Summit

Michael Mabee has worked as an urban emergency medical technician and paramedic, a suburban police officer, and in the federal civil service. Michael received his B.A. in English from Southern Connecticut State University in 1994 and is a graduate of the United States Army Sergeants Major Academy, Fort Bliss, Texas.

Michael has a great deal of experience – both overseas and in the U.S. – working in worlds where things went wrong.  He is a veteran of both Persian Gulf wars, serving with the U.S. Army as a Platoon Sergeant in Operations Desert Shield, Desert Storm, and Provide Comfort. In his most recent deployment, Michael served as a brigade level Command Sergeant Major in Iraq. He also participated in two humanitarian missions to Guatemala. He retired from the U.S. Army Reserve in 2006 at the rank of Command Sergeant Major (CSM). Michael was decorated by both the U.S. Army and the federal government for his actions on 9/11/2001 at the World Trade Center in New York City. (In sum, quite like Forrest Gump, he is generally at the right place at the wrong time.)

Michael has studied and written extensively on the vulnerabilities of the U.S. electric grid to a variety of threats. He has participated in federal rulemaking related to grid security and has written two books about how communities can prepare for and survive a long-term power outage.  He continues to write and speak about emergency preparedness for a long-term blackout.

David Fortino

New England Long-Term Power Outage Summit

David Fortino has more than 15 years of experience in emergency management, specializing in emergency response operations, preparedness, recovery, crisis management and business continuity.

Currently, Mr. Fortino is the Regional Continuity Manager for FEMA Region II. In this position, Mr. Fortino provides expert continuity and crisis management guidance and advice to all Federal, State, territorial, tribal, and local governments on appropriate training programs to include coordination, oversight, management, and leadership for plans and programs, and test, training, and exercises (TT&E), including lead trainer for continuity related train-the-trainer courses, multi-year strategies, and overall program implementation.

Previously, Mr. Fortino spent 9 years at the Madison Ambulance Association and North Branford Fire Department.  At Madison Ambulance Association, Mr. Fortino was the Chief of Service. Furthermore, he is a certified as an EMT, Firefighter II, Fire Instructor, and Hazmat Operations. Mr. Fortino has his B.A. from the University of Connecticut in Urban and Regional Studies.

Dr. Amir Toosi

New England Long-Term Power Outage Summit

Dr. Amir Toosi is currently the Dean of Business Division that oversees the business, homeland and international security, cybersecurity management program at Rivier University. Dr. Toosi’s work experience has included the corporate and higher education fields, where he has served leadership roles and taught in the traditional classroom, hybrid model, and fully online format.

In the corporate industry, Dr. Toosi has served as an international and domestic telecommunication consultant in logistics, assembly, and project management; independent consultant in strategic management, operation management, statistical research, and entrepreneurship; and property management at a real estate investment firm. He has been in more than thirty-five states within the United States and has traveled to more than twenty countries in Asia, Europe, and North America.

Dr. Toosi is a member of Academy of Management, The Association of Continuing Higher Education, and served as the Chair and Past Chair for the Scholarly-Practitioner Publication Committee for Accreditation Council for Business Schools and Programs. He currently serves as the Chairperson on the Board of Directors for the Greater Nashua Chamber of Commerce, Board of Directors for United Way of Greater Nashua, Symphony NH. Furthermore, he is currently serving as an Ambassador for the Greater Nashua Chamber of Commerce. Finally, in addition to chairing the Rivier University’s Business Advisory Council and Security Studies Advisory Council, Dr. Toosi serves on the Nursing Advisory Council and Public Health Advisory Council.

Justin Kates

New England Long-Term Power Outage Summit

Justin Kates joined the City of Nashua Mayor’s Cabinet in August 2011 after coming from his role as a Homeland Security Consultant for the Delaware Emergency Management Agency.  In his role, Justin coordinates city-wide emergency response efforts by working with Federal, State, and other areas of municipal government in obtaining the necessary resources to recover after a disaster.  He developed the Comprehensive Emergency Management Plan for the City and chairs the Local Emergency Planning Committee.  During his time in Nashua, Justin was responsible for coordinating the response and recovery of FEMA declared disasters Tropical Storm Irene, the “Snowtober” Nor’easter, Superstorm Sandy, Winter Storm Nemo, and Winter Storm Juno.

He is a Certified Emergency Manager (CEM) affiliated with the International Association of Emergency Managers (IAEM) and was awarded “NH Emergency Management Director of the year” in 2015.  Justin is a graduate of the University of Delaware where he majored in Emergency Management and Public Administration.  In his spare time he has taught Crisis Management as an Adjunct Professor at Daniel Webster College, Public Health Emergency Preparedness as an Adjunct Instructor at Rivier University, and numerous FEMA state-delivered courses for the New Hampshire Fire Academy.  He is currently the Vice President of the IAEM Region 1 Board of Directors and the Chair of the NH Voluntary Organizations Active in Disaster (NH VOAD).

Dale Rowley

New England Long-Term Power Outage Summit

Dale Rowley has served as the Director of the Waldo County Emergency Management Agency (EMA) in Belfast, Maine for the past 13 years. Before becoming the Director, he served as a volunteer with the County EMA office and as a municipal Emergency Manager for 9 years.

Dale served in the U.S. Air Force and Maine Air National Guard as a Civil Engineering Officer and Emergency Manager, retiring in 2011 at the rank of Lieutenant Colonel, after 22 years.

He is a registered Professional Engineer in the State of Maine and has a B.S. in Civil Engineering. He is also a 14-year Certified Emergency Manager (CEM), an 18-year member of the International Association of Emergency Managers (IAEM), and has a Master’s Degree in Emergency & Disaster Management.

Professor Todd Therrien

New Eng;land Long-Term Power Outage Summit

Professor Todd Therrien spent over 20 years as a certified Police Officer with the Nashua Police Department, where he spent time with various units, including Physical Training Instructor and K-9 Training assistant and was assigned to various detective divisions for close to 10 years.

He then switched careers to become an educator, teaching U.S. history, economics, civics, law, world history and psychology at Bishop Guertin High School in Nashua and teaching at Nashua Community College in the Criminal Justice curriculum. Prof. Therrien teaches Homeland & International Security courses for the Division of Business, Rivier University.

Prof. Therrien earned his A.A. in Criminal Justice from Middlesex Community College, his B.A. in American Studies from Franklin Pierce University, and his M.Ed. in Secondary Education from Franklin Pierce University. He is currently enrolled in Rivier’s Principal Certification Program.

Arlene Magoon

New England Long-Term Power Outage Summit

Arlene Magoon began working for FEMA in 2008 where she has been deployed to many disaster locations here in NE and around the country. In each deployment a service delivery plan for long term recovery was developed to identify the unique needs of the communities she served. She has developed many contacts within the States and National VOAD organizations whom she considers partners and friends.

Recognizing that may communities would be best served if they were prepared for disasters, in 2016 Ms. Magoon joined the National Preparedness Division to share preparedness messages and activities in vulnerable communities across New England. Although she still holds the Voluntary Agency Liaison emergency role and is still deployed under that role, she remains aware of the need to create resilient communities through preparedness.

Ms. Magoon previously worked for the American Red Cross in New Hampshire as a Health & Safety Operations Manager in 2001. Her first day began on September 11. In the fast moving days after that tragic day, Ms. Magoon quickly learned that without preplanning for donations and volunteers before a crisis another emergency known as the “disaster within a disaster” can occur. Having successfully coordinated donations and volunteers in that event, Ms. Magoon was later hired by NH State emergency management as the coordinator for volunteers in all hazards emergency events. Two months after beginning the work to re-establish NH Voluntary Organizations Active in Disaster, a major flood occurred in western NH communities.

Ms. Magoon holds a Bachelor of Science degree from Southern New Hampshire University with a minor in Operations Management. She has received many awards including 1999 SBA, Woman Advocate of the Year, and National VOAD 2004 Innovations in Disaster Recovery and two time winner of the regional 2015 & 2016 Toast Master International Humorous Speech contest.



Karen Testerman (603) 721-9933
Michael Mabee (516) 808-0883



New England Long-Term Power Outage Summit

New England Long-Term Power Outage Summit

New England Long-Term Power Outage Summit

STG Coalition Submits New EMP Commission Reports to FERC

Click here to read comments of Foundation for Resilient Societies

Click here to read comments of Michael Mabee

STG Coalition Acts on New EMP Commission Reports

STG CoalitionMembers of the Secure The Grid Coalition (“STG Coalition”) wasted no time getting the new EMP Commission reports into the hands of the Federal Energy Regulatory Commission (“FERC”). As it turns out, the reports were released on May 8, 2018 and the next day, the FERC Docket on Grid Resilience closed for comments . (FERC Docket No. RM18-1-000 and AD18-7-000 – click here to learn more.) There have been over 2000 comments submitted in this docket.

So, among the 2000 comments, the new EMP Commission reports were attached as appendices to my comments, and Foundation for Resilient Societies linked to the reports in their comments.

STG Coalition Rebuts “fake science”

On important thing about the EMP Commission reports – and why it was important that these be submitted to FERC – is to rebut the fake science by the electric utility industry. The EMP Commission explains this situation best:

“This EMP Commission Report, utilizing unclassified data from Soviet-era nuclear tests, establishes that recent estimates by the Electric Power Research Institute (EPRI) and others that the low-frequency component of nuclear high-altitude EMP (E3 HEMP) are too low by at least a factor of 3. Moreover, this assessment disproves another claim–often made by the U.S. Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), EPRI and others—that the FERC-NERC Standard for solar storm protection against geo-magnetic disturbances (8 volts/kilometer, V/km) will also protect against nuclear E3 HEMP. A realistic unclassified peak level for E3 HEMP would be 85 V/km for CONUS as described in this report. New studies by EPRI and others are unnecessary since the Department of Defense has invested decades producing accurate assessments of the EMP threat environment and of technologies and techniques for cost-effective protection against EMP. The best solution is for DoD to share this information with industry to support near-term protection of electric grids and other national critical infrastructures that are vital both or DoD to perform its missions and for the survival of the American people.”

See Preface, “Recommended E3 HEMP Heave Electric Field Waveform for the Critical Infrastructures.

It is difficult to overstate the importance of the security and reliability of the U.S. electric grid. Our ability to maintain our present human population depends on the electric grid. Significantly, the EMP Commission notes:

“A long-term outage owing to EMP could disable most critical supply chains, leaving the U.S. population living in conditions similar to centuries past, prior to the advent of electric power. In the 1800s, the U.S. population was less than 60 million, and those people had many skills and assets necessary for survival without today’s infrastructure. An extended blackout today could result in the death of a large fraction of the American people through the effects of societal collapse, disease, and starvation. While national planning and preparation for such events could help mitigate the damage, few such actions are currently underway or even being contemplated.”

See page 4, “Assessing the Threat from Electromagnetic Pulse (EMP). Executive Report.