Following significant pushback from the regulated community, FERC and NERC Staff jointly announced in a new white paper that filings and other submissions to FERC describing violations of cybersecurity reliability standards would be entirely nonpublic. Under the revised approach, all cybersecurity noncompliance information will be treated as Critical Energy/Electric Infrastructure Information (CEII) and will not be disclosed in response to FOIA requests.
This was a significant change from last year, when, in a heavily criticized white paper, FERC and NERC Staff proposed to publicize the names of utilities found to have violated cybersecurity reliability standards, along with the financial penalty imposed and the reliability standards (but not the specific requirements) that were violated. Under that approach, the specific circumstances of the violations would have remained nonpublic.
This recent change in course was driven by the conclusion that even disclosing the limited information proposed last year could create “tangible risks.” Specifically, the white paper recognized that identifying entities with poor compliance programs or specific compliance problems, when combined with other information a bad actor could learn about a utility, could enable that actor to target specific weaknesses at specific utilities.
The white paper also recognized that FERC’s considerable penalty authority, rather than the public identification of noncompliance, should be the primary incentive for appropriate compliance behavior.
The only apparent downside to the revised approach is that it also discontinues NERC’s past practice of providing anonymized descriptions of cybersecurity noncompliance. Utilities have historically used that information to identify compliance issues that other utilities have experienced and to learn how those concerns were resolved through programmatic or technological improvements. Without access to that information, utilities should be attentive to the other methods of learning best practices, including lessons-learned reports issued by FERC Staff and guidance from NERC and the regional entities delivered through conferences, webinars, and newsletters.