NERC, FERC recommend public anonymity for utilities violating power system security rules
The white paper is “a complete 180” from initial recommendations NERC and FERC staff made in August 2019, said Tyson Slocum, director of Public Citizen’s energy program.
A first joint white paper proposed that CIP Notices of Penalty (NOP) submissions consist of a public cover letter disclosing the name of the violator, the CIP reliability standards violated and the penalty amount.
Those recommendations resulted in 77 sets of comments filed by utilities, industry groups, private citizens, and state and federal government entities, according to the white paper. Comments from NERC-registered entities and trade organizations raised concerns that disclosing that information could increase the number and success of focused cyberattacks.
“While transparency may hold some value to the public and some stakeholders, it also can benefit malicious actors,” Edison Electric Institute (EEI), American Public Power Association, Electric Power Supply Association, Transmission Access Policy Study Group and the Large Public Power Council said in joint comments filed in October 2019.
FERC and NERC staff agreed, and the NOP submissions will now be considered non-public Critical Energy/Electric Infrastructure Information (CEII). Staff said the “comments demonstrate that the disclosure of CIP noncompliance information risks the security” of the bulk power system.
“Additionally, because of the risk associated with the disclosure of CIP noncompliance information, NERC will no longer publicly post redacted versions of the CIP noncompliance filings and submittals,” according to the white paper.
Disclosing CEII information “can jeopardize national security and the reliability of the energy grid,” EEI Vice President for Security and Preparedness Scott Aaronson said in a statement. He said the group “applauds” FERC and NERC “for their recognition of existing risks and their continued efforts to protect CEII from disclosure.”
But according to Slocum, ratepayers are losing out because of what he views as a growing lack of transparency.
“Almost all of cybersecurity investment is subject to rate recovery,” said Slocum. “It’s billed to the customer. These are ratepayer-funded investments. Utilities can’t hide behind trying to be anonymous if ratepayers are on the hook.”
Slocum says utilities fear the embarrassment of being called out for CIP noncompliance — and how that looks to shareholders.
‘Utilities are very good at flexing muscle’
Staff’s new set of recommendations “is a radical departure” from the first report, said Slocum. “Obviously utilities are very good at flexing muscle. … they came out with these sensationalist arguments.”