But, we just won round two against the grid coverup
A year ago, I began reporting on and filing objections to a grid coverup involving Critical Infrastructure Protection (CIP) standards. Specifically, it all started with a $2.7 million Notice of Penalty against an “Unidentified Registered Entity” of the electric grid. The North American Electric Reliability Corporation (NERC) – the alleged “regulator” for the electric grid – covered up the name. And the Federal Energy Regulatory Commission (FERC) – the federal agency responsible for overseeing NERC – looked the other way on this grid coverup.
This incident triggered a year-long investigation. You can read the complete details of the investigation here: NERC Coverup Investigation Report. Our investigation revealed that between 2010 and 2018, there had been 243 FERC dockets involving 1465 “Unidentified Registered Entities.” In other words, the names of 1465 CIP violators were kept from the public view.
NERC’s “Double Secret Probation” of CIP violators is ongoing
Unfortunately, the coverup continues unabated. In 2019 (as of this writing) the CIP violations continue to have the names of the violators withheld from the public. The recent $10 million Notice of Penalty is a prime example. Filed against an “unidentified” set of “companies,” the press soon reported that the culprit was Duke Energy Corp (NYSE ticker: DUK). But FERC has not acknowledged the name in the public docket! (See my Motion to Intervene in FERC Docket NP19-4-000.) FERC continues to allow the electric grid to engage in secret regulatory actions away from the scrutiny of the American public.
NERC’s “Double Secret Probation” of the CIP violators is just wrong on every level. Why? Because secret regulation has not worked.
We know for a fact that the Russians and the Chinese have been in our electric grid for over a decade.
So, if keeping the names of the CIP violators from the public was going to make us safer, wouldn’t it have worked by now? Clearly, our safety is not the point of hiding the names. NERC’s “Double Secret Probation” grid coverup is happening because that is what the companies of the electric grid want – anonymity and cover.
The electric utility industry does not want to be held accountable for cybersecurity – it is simply “too burdensome” to be accountable to the American people. And NERC does not want to be held accountable for their failed regulatory scheme. If the grid gets taken down, all industry fingers are going to point to FERC: “We just did what you allowed us to do!”
Who will be responsible for all the deaths?
I recently criticized Cheryl A. LaFleur – the longest serving Commissioner of FERC – for failing to take action to protect the U.S. electric grid in her 8 1/2 year tenure. Chairman Neil Chatterjee, Commissioner Bernard McNamee and Commissioner Richard Glick, I have a question: If the grid goes down and millions of Americans die (see Senate report here), who is responsible?
Are the FERC Commissioners responsible?
Is NERC responsible?
Is the electric utility industry responsible?
I suspect the answer will be none of the above. Nobody will take responsibility if we have a horrible catastrophe. Fingers will point in every direction. “Blue ribbon panels” will be appointed to investigate and ultimately, the results won’t matter to the millions of dead Americans and their dead families.
We need somebody to step up and take responsibility to protect the American people now. FERC – this is your cue: Stop the industry coverup and let’s have open and transparent regulation of Critical Infrastructure Protection (CIP) Standards!
The main beneficiaries of this failed secret regulatory system have been the Russian, Chinese, North Korean and Iranian governments and their state-sponsored hackers. I think it is high time to kick them all out of our grid.
The American people win round two
After uncovering the extent of the coverup last year, I’ve filed three more FOIA requests:
I filed the third one because NERC and the electric utility industry objected to the release of the names of the CIP violators in the first two FOIA requests. In other words, NERC and the multi-billion dollar electric utility industry are fighting me to prevent having the names of regulatory violators revealed to the 326 million people that the industry is endangering!
But, on February 28, 2019, the Federal Energy Regulatory Commission sided with the American people and decided:
Based on my application of the various factors discussed above, I determine that the disclosure of the name of the URE is appropriate.
So starting Monday, the Federal Energy Regulatory Commission will begin disclosing the names of these regulatory violators to me a few at a time and I will be able to disclose them to the public HERE.
The fight is not over. Not by a long shot. FERC is still not disclosing the names in the public dockets and NERC will still cover up each and every new one. Unless I continue to file frequent FOIAs, the coverup will continue unabated.
You can take action to help fix this grid coverup
A regulatory scheme should not require FOIAs to get vital regulatory information to the public. We all need to let the Federal Energy Regulatory Commission (FERC) know that the security of the electric grid is critical – secret regulation and coverups are unacceptable to the public.
Consider this: The North American Electric Reliability Corporation (NERC) reported ZERO “Cybersecurity Incidents” for the last three years. But NERC is withholding the names of cyber violators from the public because of the “Cybersecurity Incidents” over the last three years.
So, not only does literally everybody in the U.S. pay an electric bill; not only do we all rely on the electric grid for everything necessary for life – but it seems the electric grid also thinks we are all stupid.
Seriously, here is the issue: Secret self-regulation does not work.
The electric grid is self-regulated by NERC – a non-profit corporation. This self-regulatory scheme is nominally overseen by the Federal Energy Regulatory Commission (FERC). For the last decade, Russian and Chinese hackers have been inside the U.S. electric grid. Our regulators have failed and refused to secure the electric grid. This shocking revelation was front and center when Senator Angus King (Maine) questioned the CEO of NERC, James Robb, on February 14, 2019:
Disclosure is the cornerstone of a successful regulatory scheme in a free society. The Securities and Exchange Commission routinely publicizes the names of companies and individuals subject to regulatory actions under U.S. securities laws; the Food and Drug Administration routinely publicizes the names of companies whose food is being recalled due to public safety concerns; the National Transportation Safety Board routinely publicizes the names of companies responsible for airplane crashes. There are numerous other examples of appropriate disclosure. It is high irony that public disclosure has made food consumption and airline travel extremely safe for Americans while a far greater danger – the threat of long-term blackout for millions – has been neglected by the responsible federal regulator, FERC.
The Secure The Grid Coalition is fighting to fix the electric grid’s broken regulatory scheme that is endangering all of us. The fight is shaping up around the issue of a $10 million penalty NERC imposed on January 25, 2019 against unnamed companies that committed 127 violations of Critical Infrastructure Protection (CIP) standards over several years. The press has since outed Duke Energy Corp as the violator, but neither NERC nor the U.S. government has acknowledged this. The coverup remains.
You can join us and be heard!
We all need to let the Federal Energy Regulatory Commission (FERC) know that the security of the electric grid is critical – secret regulation and coverups are unacceptable to the public. As a citizen, you have the right to file a “Motion to Intervene” in this docket and be heard! The deadline to file on this docket is March 29, 2019, so write your letter today and submit it online to FERC Docket Number NP19-4-000, or mail it in to FERC (be sure to include the Docket Number in your letter).
Mabee, a private citizen, requests the Commission’s leave to intervene in the above captioned docket, pursuant to 18 C.F.R. § 39.7(e)(4). I request that 1) the Commission review this Notice of Penalty (NOP) to ensure that it is in the public interest, and 2) that the name of the entity (or entities), the unredacted Notice of Penalty and the unredacted settlement agreement be released in the public docket. NERC has made redactions to the publicly available documents, alleging the identities and other identifying information about Critical Infrastructure Protection (CIP) standards violators must be kept from the public. The lack of transparency in this Notice of Penalty raises significant public interest concerns.
Background on FERC Docket No. NP19-4-000
On January 25, 2019, the North American Electric
Reliability Corporation (NERC) filed a Notice of Penalty with FERC that
disclosed 127 cybersecurity standard violations by unidentified “Companies.”
NERC and its Regional Entities (RE) determined:
[T]he 127 violations collectively posed a serious risk to the security and reliability of the BPS (Bulk Power System). The Companies’ violations of the CIP Reliability Standards posed a higher risk to the reliability of the BPS because many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.
It is notable that the Notice of Penalty revealed
violations that could allow adversaries in remote locations to gain electronic
access to grid facilities:
The REs determined that the Companies allowed interactive remote access to the BCSs (Bulk Electric System Cyber Systems) inside the Companies ESP (Electronic Security Perimeter) without first going through an Intermediate System, utilizing encryption, and requiring multi-factor authentication.
violation started when the Standard became mandatory and enforceable and is currently ongoing. [Emphasis added.]
The violated standard, CIP-005-5-2 R2, became effective
in July 2015. Without the violator having fear of public scrutiny, it is
apparent that even three and one-half years have not been sufficient time for “the
Companies” to remedy this currently
On February 1, 2019, trade publication EnergyWire disclosed that Duke Energy is
the unnamed standards violator.
Duke Energy is one of America’s largest utilities, with 7.2 million customers
across seven states. Duke’s generation fleet includes six nuclear plants. A
physical or cyber-attack on Duke could cause a long-term, wide-area blackout
and result in release of radioactive contaminants. Nonetheless, the NERC
standard enforcement regime, with its practice of hiding the names of violators
under the guise of so-called Critical Energy/Electric Infrastructure
Information (CEII), has failed to assure the protection of Americans depending
on Duke for their electric power.
The NERC-imposed fine was $10 million, tiny in comparison
to Duke’s 2017 net income of $3 billion.
This NOP had redactions that go far beyond the redactions in all previous CIP NOPs submitted to FERC by NERC. For example, in all previous CIP NOPs, the identity of the Regional Entity (RE) was disclosed and the NERC Violation ID was disclosed. Also, in this NOP the reason for the NOP was redacted – usually it is disclosed that the reason the NOP is being filed is that, for example, the Regional Entity and the “Unidentified Registered Entity” have entered into a settlement agreement. Here on page 1 of the Duke NOP, NERC has redacted the reason for the NOP’s submission:
This is the first instance since 2010 that NERC has used this
type of redaction. Also, the “NERC Violation ID” is redacted for the first time
since 2010. Here is the beginning of the violation table from page 2 of the
NERC’s coverup of the identity of the violator (“the Companies”), the identity of the regulator (the “Regional Entities” or “REs”), and the settlement agreement is profoundly against the public interest. FERC should not tolerate this concealment by NERC. “The Companies” were subjected to a $10-million fine for 127 cybersecurity violations; the details of this compliance gap are of great public interest.
The public must be able to cast scrutiny over the activities of NERC and its
regulated entities for the self-regulatory scheme codified in Section 215 of
the Federal Power Act to be effective.
Federal Regulations Require Disclosure
NERC requests that the redacted portions of the NOP be designated as nonpublic under 18 CFR § 39.7(b)(4) and as CEII under 18 CFR § 388.113(e)(1). Neither of these regulations provides NERC, the “Regional Entities” or “the Companies” relief from public scrutiny in this regulatory action. As described in detail below, NERC is apparently violating its duties as the designated “Electric Reliability Organization” (ERO) by:
Improperly classifying information as CEII,
Improperly applying the “Cybersecurity Incident” exemption
Improperly applying the “disposition” exemption to
Providing misleading interpretations of Commission
Each violation or alleged violation shall be treated as nonpublic until the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk Power System violated a Reliability Standard or by a settlement or other negotiated disposition. The disposition of each violation or alleged violation that relates to a Cybersecurity Incident or that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be nonpublic unless the Commission directs otherwise. [Emphasis added.]
Further, 18 CFR § 39.7(d)(1) provides that a notice of
penalty by the Electric Reliability Organization shall consist of, inter alia: “The name of the entity on
whom the penalty is imposed.”
So, 18 CFR § 39.7(b)(4) and 18 CFR § 39.7(d)(1) are clear that at the point when “the matter is filed with the Commission as a notice of penalty or resolved by an admission that the user, owner or operator of the Bulk Power System violated a Reliability Standard or by a settlement or other negotiated disposition” then the name of the penalized entity as well as the supporting documentation – including the settlement agreement – must be publicly disclosed. Importantly, the “notice of penalty” is afforded different treatment in 18 CFR § 39.7(b)(4) than the “disposition of each violation”—there is no provision in regulation to make the “notice of penalty” nonpublic. Moreover, 18 CFR § 39.7(d)(1) makes it absolutely clear that “the name of the entity on whom the penalty is imposed” is part of the “notice of
18 CFR § 39.7(b)(4) allows the “disposition of each violation” (or alleged violation) to be made nonpublic, but only if disclosure of the “disposition” would jeopardize security of the Bulk Power System. Again, the “name of the entity” is not part of the “disposition” of the violation, so there is never an exemption of the violator’s name from public disclosure. Nor has NERC made a credible case that disclosure of the “disposition” of the Duke violations would jeopardize the security of the Bulk-Power System, especially when the violations do not involve bona fide Cybersecurity Incidents as defined in 18 CFR § 39.1.
FERC has made no public order (or change in regulation)
to allow NERC to withhold the “notice of penalty” for the Duke NOP (or any
other NOP). If FERC has made a private directive to NERC to withhold the “disposition”
of the violations in Duke NOP, and other NOPs, then the public interest demands
that the text of this hidden FERC directive and its underlying legal rationale
be promptly released by the Commission.
NERC’s “Cybersecurity Incident” Shell Game
The “cybersecurity incident” exception that NERC frequently invokes as a justification for covering up the names of violators clearly does not apply. It is critical to point out that nothing in this redacted NOP refers to a “cybersecurity incident.” 18 CFR § 39.1 defines “cybersecurity incident” as:
Cybersecurity Incident means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communications networks including hardware, software and data that are essential to the Reliable Operation of the Bulk-Power System.
There is no allegation in the NOP of a malicious act or suspicious event that disrupted or attempted to disrupt the Reliable Operation of the Bulk-Power System. This was simply a regulatory action after instances of noncompliance with CIP standards were discovered, either through self-reports or regulatory audits.
It is extremely disconcerting that NERC claims in 2015,
2016, and 2017 there were zero reportable cybersecurity incidents. In NERC’s
June 2018 “State of Reliability 2018” report,
on page 39 we see NERC’s claim:
Yet somehow, in the Duke NOP NERC claims the name of “the Companies” must be withheld from public scrutiny since these are “cybersecurity incidents.” Since the violations described in the Duke NOP occurred over the same time period that NERC reported that there were no reportable “cybersecurity incidents”, the public is confused. Why is it we cannot have the name of the violator? In its State of Reliability report NERC says that there were no reportable cybersecurity incidents, but the Duke NOP contains descriptions of “cybersecurity incidents” so serious they must be redacted? NERC’s twisted logic defies all common sense.
Further, to the extent that NERC attempts to argue that
disclosure of the name of the regulated entity or the settlement agreement
“would jeopardize the security of the Bulk-Power System if publicly disclosed”,
their argument falls flat. In fact, it is misleading.
In the NOP NERC quotes FERC Order 672 – out of context –
and argues that:
As the Commission has previously recognized, information related to CIP violations and cyber security issues, including the identity of the registered entity, may jeopardize BPS security, asserting that “even publicly identifying which entity has a system vulnerable to a ‘cyber attack’ could jeopardize system security, allowing persons seeking to do harm to focus on a particular entity in the Bulk-Power System.”
This is a grossly selective use of a quote from FERC
Order 672. The entire passage from the FERC order explains the benefit of transparency:
As explained in the NOPR, and confirmed by numerous commenters, a proceeding involving a Cybersecurity Incident requires additional protection because it is possible that Bulk-Power System security and reliability would be further jeopardized by the public dissemination of information involving incidents that compromise the cybersecurity system of a specific user, owner or operator of the Bulk-Power System. For example, even publicly identifying which entity has a system vulnerable to a “cyber attack” could jeopardize system security, allowing persons seeking to do harm to focus on a particular entity in the Bulk-Power System. While the Commission recognizes the benefit of transparency in Commission proceedings, as discussed by APPA and TAPS, the benefits of transparency are overridden in the limited situation of cases in which such transparency would jeopardize Bulk-Power System security. [Internal footnotes omitted, Emphasis added.]
Nothing in this NOP credibly alleges that a
“Cybersecurity Incident” as defined in 18 CFR § 39.1 has taken place. Moreover,
NERC provides no evidence or argument, other than a conclusory statement, that
disclosure of the redacted information would jeopardize Bulk-Power System
Then NERC compounds this apparent misrepresentation by
Consistent with the Commission’s statement, NERC is treating as nonpublic the identity of the Companies and any information that could lead to the identification of the Companies.
In other words, NERC is blaming FERC for the coverup by
quoting this out of context passage and apparently misapplying federal
If NERC has direction from FERC allowing redaction of Notices
of Penalty, the public interest demands that FERC release the text of this
direction. If in fact there is no direction from FERC, the Commission should
make this clear.
Perhaps NERC is somehow arguing that releasing any data that identifies any entity that is subject to a regulatory action (or even the identity of the regulator or “Regional Entity”) will endanger the Bulk-Power System. One way to read this argument is that since our regulatory regime is so weak and ineffective, a coverup is necessary so the “malicious actors” don’t find out how vulnerable we are.
Presently, NERC, as the ERO, is improperly using the Critical Energy/Electric Infrastructure Information (CEII) rule to hide from public view the identities of entities that violate Critical Infrastructure Protection (“CIP”) Reliability Standards – even when the violation has been abated and there is no arguable security need to withhold this information. Essentially, NERC and the Regional Entities are misusing FERC’s authority to shield industry from public scrutiny. The Commission must not allow this practice, repugnant to the public interest, to continue.
Only NERC is asserting that this information is CEII or “privileged” or “nonpublic” – the Commission has not made such a determination. 18 CFR § 388.112(c)(1)(i) provides that:
The documents for which privileged treatment is claimed will be maintained in the Commission’s document repositories as non-public until such time as the Commission may determine that the document is not entitled to the treatment sought and is subject to disclosure consistent with § 388.108. By treating the documents as nonpublic, the Commission is not making a determination on any claim of privilege status. The Commission retains the right to make determinations with regard to any claim of privilege status, and the discretion to release information as necessary to carry out its jurisdictional responsibilities. [Emphasis added.]
NERC has for years been classifying the names of the
violators and the settlement agreements as “nonpublic” and tries to argue that
FERC also deems these documents as “nonpublic” – not so according to the
Finally, even the Commission’s own interpretation of the Critical Energy Infrastructure Information rules supports disclosure. I note that FERC Order No. 833 holds that the Commission’s practice is that information that “simply give[s] the general location of the critical infrastructure” or simply provides the name of the facility is not Critical Energy Infrastructure Information (CEII).
The NERC Enforcement Regime is Broken and Endangers the U.S.
CIP regulations should protect the U.S. electric grid by
holding “the Companies” accountable to protect the portion of the U.S. critical
infrastructure that they own or operate. Instead, NERC has twisted this
regulatory scheme into a sham where companies have no incentive to do more than
the minimum. If caught violating a CIP standard, NERC and the Regional Entities
will settle the matter privately with “the Companies,” negotiating a “penalty”
that “the Companies” are willing to pay and will keep the matter from public
view. A great deal for “the Companies” – not so much for the American people.
NERC’s view of how an effective enforcement regime should
work is gravely flawed. NERC essentially argues in the NOP that they are
redacting the names of “the Companies” and any identifying information because:
Malicious individuals already target the Companies’ operational personnel, seeking bits and pieces of data to map the Companies’ systems and identify possible attack vectors. The public disclosure of a single piece of redacted information may not, on its own, provide everything needed to exploit an entity and attack the electric grid. But, successive public disclosures of additional pieces of redacted information will increase the likelihood of a cyber-intrusion with a corresponding adverse effect on energy infrastructure. Each successive disclosure could fill in some knowledge gaps of those planning to do harm, helping to complete the maps of entity systems. Therefore, it is important to examine and evaluate the redacted information in the aggregate.
This is a generic argument that any information of any
kind identifying “the Companies” would assist hackers. Therefore, according to
NERC, hiding the names of the companies will somehow thwart the Chinese and
What would work better is if “the Companies” took the CIP regulations seriously and put in the effort to thwart the malicious individuals. What would also help is if NERC became a regulator rather than an industry advocate. Public scrutiny of regulatory failings is the time-tested method to ensure accountability in a free society.
NERC has been redacting the names of the companies since
July 6, 2010 – over 8 ½ years. In an official assessment to the U.S. Congress
released on January 29, 2019, the U.S. Intelligence Community confirmed that
the U.S. electric grid is not secure against foreign incursions:
Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.
Redacting the names, NRC ID and other “identifying
information” clearly hasn’t thwarted our adversaries – it has only thwarted the
American people from evaluating the weakness of NERC’s enforcement regime – and
actually it is this weak enforcement of
CIP standards that has assisted the “malicious individuals.” (One has to
wonder whether NERC is spending more legal effort on hiding threats from the
public than on enforcing grid security standards on utilities.)
Finally, NERC has no problem providing all this identifying information on its website on all active registered entities in its “NERC Active Compliance Registry Matrix” (NCR). Exhibit A is the most recent list of all the 1495 registered entities – with NRC ID and functions – pieces of information redacted in the NOP – and in all other NOPs since July 6, 2010. I obtained this list from NERC’s public website on February 10, 2019. So this list apparently contains no information of interest to “malicious individuals,” but somehow NERC argues that the name of the entity subjected to a regulatory action in every single CIP violation since July of 2010 poses such a threat.
Industry Embarrassment Does Not Equal National Security Concern
Since NERC began covering up the names of CIP violators – as they are continuing to do in this NOP – there has been less incentive to fix the grid security problems. That’s why disclosure is important. Why should utilities spend money to fix grave cybersecurity issues if they know that 1) if caught, their friendly regulator will “settle” the violation privately and the settlement agreement will be kept secret, 2) the utility can negotiate a trivial fine, and 3) the utility’s name will not be disclosed to the public?
On the surface, it is hard to understand why
the industry has taken the lack of transparency approach to CIP regulation. However,
upon closer historical examination, the industry has crafted its own favorable
(to the industry) regulatory scheme whereby it implements whatever protections
are convenient and inexpensive – but it can avoid any protections that the
industry deems too “burdensome.”
Simply put, the security of the electric grid is apparently optional – we
depend on about 1,500 electric utility industry entities to do the right thing
– but there is no strong requirement that they do the right thing.
A logical conclusion one can draw from this set of facts is that the industry seeks to avoid public exposure for its inaction on cyber security. Under the guise of protecting us (because we the public cannot be trusted with this sensitive information), private, secret regulation is ongoing, with back-room settlements and handshake penalties. Thus, “the Companies” and their shareholders avoid the embarrassment of being outed for a lack of action on Critical Infrastructure Protection (CIP) standards. And NERC is not held accountable for their ineffective enforcement
Meanwhile, after a decade of inaction, it is
well known that our electric grid is vulnerable – and in fact, has been
penetrated and probed. This regulatory scheme has not made us safer.
The federal regulations are very clear that the name of
the entity on whom the NERC penalty is imposed must be disclosed, along with
the settlement agreements and all documents necessary for public scrutiny of
the regulatory transaction. FERC has failed to enforce its own regulations,
with great harm to the public interest.
For all of the foregoing reasons, I request that the Commission fully review the Notice of Penalty in this docket and require that the identity of “the Companies”, the names of the regional entities, the full text of the settlement agreement, and all other redacted information be promptly disclosed to the public.
If FERC’s practice of allowing NERC to hide the names of cybersecurity
violators was going to help electric grid security, it should have worked over
the past nine years. The Director of National Intelligence says that America’s
electric grid is at grave risk of cyberattack—it is obvious that reform of this
weak enforcement regime is long overdue.
This NOP is a departure from past NOPs where the violators were referred to as “Unidentified Registered Entities.” In this NOP, the unidentified entities are referred to as “the Companies.”
It is noteworthy that on February 14, 2019 in a hearing before the Senate Committee on Energy and Natural Resources – a hearing attended by both the President and CEO of NERC as well as the Chairman of the Commission – Senator Angus King noted unequivocally that “the Russians are already in the grid.” See:
(accessed February 20, 2019).