In a bid to improve transparency, staff with the Federal Energy Regulatory Commission and North American Electric Reliability Corp. proposed in a joint white paper to publicly disclose the names of bulk power system asset owners that have violated mandatory critical infrastructure protection reliability standards.
The proposal comes amid "an unprecedented number" of Freedom of Information Act requests for non-public information on utilities that have received notices of penalty for violating NERC's critical infrastructure protection, or CIP, reliability standards, the white paper said.
Under the Aug. 27 proposal, NERC notices of penalty submitted to FERC would include a public cover letter that discloses the name of the violator, the reliability standard the company violated and the penalty amount. But details on the nature of the violation, related mitigation activity and potential cyber vulnerabilities would be included in a separate, non-public attachment, along with a request that the information be designated as critical energy/electric infrastructure information exempt from public disclosure under the Freedom of Information Act.
In addition, NERC would submit CIP notices only after the responsible party has mitigated the underlying violation. Although the new submission format would apply in most circumstances, NERC could still ask FERC for permission to block the name of a violator from public disclosure.
"I believe the FERC and NERC staff have put forth one proposal worthy of consideration for a way to handle these [notices of penalty] differently," outgoing FERC Commissioner Cheryl LaFleur said. "I hope that we receive a wide range of comments on the white paper, including any suggestions for alternative processes, which will allow FERC and NERC to move forward on this issue."
FERC and NERC are not making any changes for now to the CIP penalty filing format and will only seek revisions after considering public comments on the white paper, which are due in 30 days. Among other things, the commission and NERC staff sought comment on the potential security benefits and concerns arising from the new format, possible implementation difficulties, and whether the plan would provide sufficient transparency to the public.
FERC approved the first version of NERC's CIP reliability standards in January 2008 and began submitting CIP notices of penalty in July 2010. In that time, NERC has requested to withhold the identity of violators in all CIP notices, with only one exception.
But the white paper recognized the "strong public interest" in obtaining the identities of CIP violators and said the proposed new format would provide the names of violators without giving detailed information that could be useful to someone planning an attack on critical infrastructure.
"The proposal strikes a reasonable balance because it allows for an appropriate level of transparency while providing a sound approach to secure information that could jeopardize the security of the bulk-power system," the white paper said.
As attempted cyberattacks on critical infrastructure increase, the public and members of the media have become more interested in the potential security vulnerabilities of major utilities. But public information on specific cyberthreats and violations of reliability standards can be tough to come by.
In January 2019, NERC filed with FERC a notice of penalty and related settlement under which an unnamed power company and its affiliates agreed to pay a massive $10 million fine to remedy systemic security issues that resulted in 127 alleged violations of CIP standards. Soon thereafter, various media outlets began reporting that the unidentified utility was Duke Energy Corp.
In the wake of the filing, Public Citizen urged FERC to reveal the target of the fine, saying that concealing the name "sends a confusing message to the public that large penalties do not come with full accountability, as future violators may be able to similarly hide behind ... the veil of anonymity."
