- Federal regulators reversed previous recommendations to identify utilities violating Critical Infrastructure Protection (CIP) standards in response to electric utility concerns that publicly identifying violators could expose vulnerable systems to further attacks.
- Staff of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation (NERC) released the recommendations in a Wednesday white paper. The paper calls for halting the current practice of publishing redacted violation notices, and FERC can immediately begin utilizing the updated process, according to commission officials.
- One consumer advocates fears the recommendations could reduce transparency from current levels.
The white paper is "a complete 180" from initial recommendations NERC and FERC staff made in August 2019, said Tyson Slocum, director of Public Citizen's energy program.
A first joint white paper proposed that CIP Notices of Penalty (NOP) submissions consist of a public cover letter disclosing the name of the violator, the CIP reliability standards violated and the penalty amount.
Those recommendations resulted in 77 sets of comments filed by utilities, industry groups, private citizens, and state and federal government entities, according to the white paper. Comments from NERC-registered entities and trade organizations raised concerns that disclosing that information could increase the number and success of focused cyberattacks.
"While transparency may hold some value to the public and some stakeholders, it also can benefit malicious actors," Edison Electric Institute (EEI), American Public Power Association, Electric Power Supply Association, Transmission Access Policy Study Group and the Large Public Power Council said in joint comments filed in October 2019.
FERC and NERC staff agreed, and the NOP submissions will now be considered non-public Critical Energy/Electric Infrastructure Information (CEII). Staff said the "comments demonstrate that the disclosure of CIP noncompliance information risks the security" of the bulk power system.
"Additionally, because of the risk associated with the disclosure of CIP noncompliance information, NERC will no longer publicly post redacted versions of the CIP noncompliance filings and submittals," according to the white paper.
Disclosing CEII information "can jeopardize national security and the reliability of the energy grid," EEI Vice President for Security and Preparedness Scott Aaronson said in a statement. He said the group "applauds" FERC and NERC "for their recognition of existing risks and their continued efforts to protect CEII from disclosure."
But according to Slocum, ratepayers are losing out with what he views as a growing lack of transparency.
"Almost all of cybersecurity investment is subject to rate recovery," said Slocum. "It's billed to the customer. These are ratepayer-funded investments. Utilities can't hide behind trying to be anonymous if ratepayers are on the hook."
Slocum says utilities fear the embarrassment of being called out for CIP noncompliance — and how that looks to shareholders.
'Utilities are very good at flexing muscle'
Staff's new set of recommendations "is a radical departure" from the first report, said Slocum. "Obviously utilities are very good at flexing muscle. ... they came out with these sensationalist arguments."
According to Slocum, there is evidence that disclosing CIP violations does not lead to an increase in cyberattacks. There was no reported spike in cyberattacks on Duke Energy or Pacific Gas & Electric when news broke in 2019 that they and other utilities had been fined for non-compliance, he said.
"We have two significant violators, everybody knows who they are, and I'm not seeing hackers united in taking down these systems," said Slocum.
Duke Energy, in a statement, responded that "due to the potential physical and cyber security risks a disclosure could pose to the industry, it's standard industry practice and Duke Energy policy not to comment on enforcement filings – regarding any company – submitted by NERC to FERC."
Regarding the joint staff white paper, Duke said it "supports the industry position advocated by the Edison Electric Institute."
PG&E also referred to the joint comments filed by EEI and other industry groups. "These comments are aligned with PG&E's position and outline the benefits of the approach taken in the second white paper in terms of grid and national security," according to a spokesperson.
"The white paper makes clear that security concerns outweigh any potential benefit of public disclosure," FERC spokesperson Mary O'Driscoll said in an email. "As the white paper notes, section 215 of the Federal Power Act relies primarily on the prospect of substantial penalties – not public scrutiny – to incentivize compliance with NERC Reliability Standards."