The Federal Energy Regulatory Commission (FERC) is seeking comments from the public about a white paper FERC and the North American Electric Reliability Corporation (NERC) put together. The “white paper proposes to provide transparency and public access to information on violations of mandatory reliability standards governing cybersecurity of the bulk electric
system while protecting sensitive information that could jeopardize security.”
FERC has “received an unprecedented number of Freedom of Information Act(FOIA) requests for non-public information in the Notices of Penalty (NOPs) for violations of Critical Infrastructure Protection (CIP) reliability standards” since 2018. Since 2010, NERC “has been submitting CIP NOPs to FERC… they typically include information regarding the nature of the violations, potential vulnerabilities to cyber systems as a result of noncompliance, and mitigation activities.” The white paper also “proposes that NERC would submit each notice with a public cover letter that discloses the name of the violator, which reliability standards were violated, and the amount of penalties assessed.” In every notice would be “non-public attachments that detail the nature of the violation, mitigation activity and potential vulnerabilities to cyber systems. These attachments would also contain a request for designation of such information as Critical Energy Infrastructure Information.”
The proposed changes will make it more straightforward to distinguish between public and non-public information, which “should make submission and processing of the notices more efficient while also reducing the risk of inadvertent disclosure of non-public information. While names of violators would be made public, detailed information that could be useful in planning an attack on critical infrastructure, such as details regarding violations, mitigation and vulnerabilities, likely would be considered exempt from FOIA.”
“FERC is seeking comment on many aspects of the white paper, including: the potential security benefits and, if applicable, risks associated with the proposed NOP format; difficulties with implementation or other concerns that should be considered; and the level of transparency provided by this proposed changed.”
The notice of the white paper says that comments need to be filed within 30 days, and FERC “encourages electronic submission of comments in lieu of paper using the ‘eFiling’ link at http://www.ferc.gov .” For those who prefer not to file their comments electronically, they can submit their comments to “Federal Energy Regulatory Commission, 888 First Street, NE, Washington, DC 20426.” All filings on this will be accessible online, under the eLibrary link. There is an option to subscribe to the docket to be alerted via email when a new document is added. FERC Commissioner Cheryl A. LaFleur issued a statement regarding the white paper, explaining her opinions on the matter.
LaFleur said she “mentioned at our Reliability Technical Conference in June, the handling and confidentiality of these NOPs has been an issue of growing controversy. As I advocated then, I think it is essential that FERC and NERC conduct public process to consider the appropriate balance between transparency and security in these instances. I am very pleased that such a process is being instituted today.”
She explained that the procedures that are currently in place have been there for over a decade, without changing, and she thinks it is good that they consider revising the processes now. “it is important that we handle NOPs so as to avoid subjecting the bulk electric system to risk of a cyber attack once a vulnerability is identified. At the same time, I believe state
regulators, members of the public, and others have a legitimate interest in such violations, and we should seek to achieve as much transparency as we can consistent with protecting legitimate security interests.”
LaFleur says the proposal is “worthy of consideration for a way to handle these NOPs differently. I hope that we receive a wide range of comments on the White Paper, including any suggestions for alternative processes, which will allow FERC and NERC to move forward on this issue.”
The Notice was issued on August 27, 2019, comments can be submitted until September 27, 2019.