FERC, CFTC, and State Energy Law Developments

At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.

New Strategic Focus Areas

Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.

  1. Supply Chain/Insider Threat/Third-Party Authorized Access

    This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.

FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.

Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.

On June 24, the US Supreme Court issued its opinion in Food Marketing Institute v. Argus Leader Media, expanding the scope of information protected under Exemption 4 of the Freedom of Information Act (FOIA). FOIA establishes an expansive right for the public to access records from executive agencies to hold the government accountable. Limiting that broad right, FOIA includes several broadly worded exceptions whereby the release of certain information may not be compelled under FOIA. One such exemption, Exemption 4, states that “trade secrets and commercial or financial information obtained from a person” that are “privileged or confidential” are protected from mandatory public disclosure. The statute does not define “confidential,” so the question of what “commercial or financial information” is protected from disclosure has resulted in much litigation.

The US Department of Energy (DOE) issued Order No. 486.1 on June 7 prohibiting DOE employees and contractors from participating in the foreign government “talent recruitment programs” of countries designated by the DOE as a “foreign country of risk,” which apparently include China and Russia. The order aims to balance the DOE’s broad scientific mission with national security interests by preventing the unauthorized transfer of scientific and technical information to certain foreign entities. DOE contractors and subcontractors within the utility and nuclear sectors should be prepared to implement controls to ensure that neither they nor their employees or subcontractors participate in these foreign-sponsored programs for identified countries.

The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”

A new report by the National Infrastructure Advisory Council (NIAC) concludes that the nation is not prepared to adequately respond to a catastrophic power outage. The NIAC is a special advisory council composed of representatives from private industry, state and local government, and academia that is tasked with providing the president with advice on issues facing the nation’s 16 federally designated critical infrastructure sectors. The NIAC issued the report after it was tasked with examining the nation’s ability to respond to and recover from a “catastrophic power outage of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.” The NIAC generally considers these to be limited- or no-notice events with a long duration (i.e., lasting weeks or months due to damage) impacting a broad geographic area (e.g., multiple states and affecting tens of millions of people) that could be further complicated by a cyber or physical attack.

Central to the NIAC’s report is examining the extent to which a catastrophic power outage that causes a failure in one critical infrastructure sector could lead to severe cascading impacts and force other critical sectors to operate in a degraded state for an extended period of time. The report reflects the NIAC’s view that, while the roles and responsibilities for emergency authorities are understood generally, the actual implementation of roles and responsibilities in response to a catastrophic power outage (e.g., cyber and physical attacks and larger-scale disasters) is still very much unclear. In this regard, the report stresses the importance of strong federal leadership in responding to and recovering from large-scale emergencies.

American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.

The Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) entered into a Memorandum of Understanding (MOU) on June 6 regarding the care and protection of critical energy/electric infrastructure information (CEII). The MOU delineates how the two agencies will cooperate to identify, process, and protect CEII that the NRC holds, explaining that the two independent agencies “mutually agree that it is important to protect CEII to ensure the safety and security of the electric grid.” Under the MOU, the NRC will be able to consult with FERC to designate certain NRC-held information as CEII—and therefore FOIA-exempt—if requested by a third-party under that open records law.

The MOU is another step in the US government’s attempt to address growing concerns about physical and cybersecurity threats to the electricity grid. Congress, recognizing these threats, directed the US Department of Energy and FERC to identify and protect CEII when it passed the “Fixing America’s Surface Transportation Act” (FAST Act) in 2015. FERC issued its CEII regulations in late 2016.