Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.
FERC Staff’s Proposal
For a decade, NERC reports on CIP violations have followed a process under which the nature of the violation, the risk created by the violation, and the steps taken to fix the violation are disclosed, but no identifying information about the utility involved becomes public. This allows electric utilities to understand how NERC and the Regional Entities are interpreting CIP reliability standards in practice, identify common compliance gaps and process errors, and model best practices in security and mitigation.
However, following large recent CIP settlements including a $10 million penalty in Docket No. NP19-4 and a $2.7 million penalty in Docket No. NP18-7, a growing number of entities have submitted Freedom of Information Act (FOIA) requests asking that the utilities involved in these CIP settlements (and many others) be unmasked. In responding, FERC Staff has taken an ad hoc approach, granting some requests (generally over the objections of those involved) and denying others.
Now FERC Staff (with the concurrence of NERC Staff) has proposed a radical departure from past practice to address these FOIA requests. Under the proposal, future CIP violations submitted to FERC for confirmation (a requirement under the Federal Power Act) would only include public information about the name of the utility involved, the specific reliability standard that was violated, and the amount of the penalty. Everything else would be submitted confidentially.
This proposal, straightforward on its face, presents significant security risks and other downsides for the regulated community.
Creating Security Risks
As has been widely reported, electric utilities in the United States are under a constant and serious threat of cyberattack by a variety of hacking groups, including state-sponsored entities. These groups seek the ability to control electric assets so that they have the ability to cause blackouts on demand in order to accomplish their geopolitical objectives. Given the ever-increasing reliance on reliable electricity for economic productivity and public health, safety, and security, such blackouts could have catastrophic consequences. The CIP reliability standards are focused on protecting against those risks, and although not above criticism, there is no question that the significant cyber hardening of electric utilities over the last decade is due in part to the implementation of these requirements.
FERC Staff’s proposal would provide an additional advantage to the bad actors who seek to harm the electric grid because it will publicly link utilities with the types of security failures they have experienced. To what degree this would prove useful to bad actors would depend on the specifics in a given situation, but it will provide some advantage to them, and given the stakes involved any advantage would seem unwise.
As an example, if a state-sponsored hacking group is attempting to breach the defenses of a utility in California and a specific California utility is identified under FERC Staff’s proposed policy as having repeated violations of CIP-005 (which provides a series of security controls for remote electronic access to protected assets) over a period of months or years, the hacking group would know that that utility likely continues to have weaknesses in remote access protections.
Similarly, assume a hacking group has targeted a specific utility and is developing a plan for that attack. Under FERC Staff’s proposed policy, that group could, for example, identify that the utility in question has repeated violations of CIP-011 (governing information protection) and draw on that information to design an attack that will attempt to uncover sensitive information as a first step in a broader attack.
Forcing Bad Choices
FERC Staff’s “balancing act” in this proposal achieves the claimed “balance” between transparency and security by forcing utilities into two dilemmas.
- Once a utility is identified publicly as having violations of certain standards, stakeholder groups, regulators, public interest organizations, members of the press, and even competitors are likely to begin speculating about what the violation means. Given the lack of additional public detail, they may expect and report the worst possible scenarios. Utilities will then be faced with a choice of either releasing information to correct the record and defend their security practices, resulting in additional security risks, or not responding at all, in which case the security reputation of the utility can be impugned without response.
- Recognizing that any violations will be publicly disclosed, utilities internally reviewing a potential noncompliance will need to choose between compliance and security. A utility erring on the side of compliance will self-report the issue to its Regional Entity with the understanding that the Regional Entity is certain to confirm the violation even if an auditor would not find a violation on the same facts, and therefore the self-report will result in the utility’s identification and thereby create an increased security risk. A utility erring on the side of security will correct the issue to mitigate the security risk created by the possible violation and not report the potential noncompliance to its Regional Entity, despite the widespread historical practice of self-reporting violations as part of the compliance culture at electric utilities. However, if the issue were identified during an audit, the Regional Entity could downgrade the utility’s compliance culture and compliance program.
There is no good or correct answer to these dilemmas, and neither dilemma exists under the current CIP enforcement process.
Removing Useful Information
Under the current disclosure rules for CIP violations, electric utilities have a significant amount of detail regarding the circumstances behind a violation, including the process or technical failures that led to the noncompliance finding, the risk created by the violation and its impact on bulk-power system operations, and the steps taken to correct the violation and put in place improvements to avoid a recurrence. Utilities have historically used this information to root out similar issues in their own security programs and implement best practices for enhanced security controls, resulting in an overall hardening of industry cyber assets.
The FERC Staff proposal would remove all of this information in favor of identifying by name the utilities involved. As a result, none of the security improvements enabled by the current “no names” process will be able to occur.
None of These Risks Are Necessary
Finally, these risks and complications should be viewed in the context of Federal Power Act Section 215A, under which this disclosure by FERC is entirely voluntary. Recognizing the risk that the disclosure of information regarding electric critical infrastructure could pose to the security of electric service in the United States, in late 2015 Congress added Section 215A to the Federal Power Act, allowing FERC to classify as “critical electric infrastructure information” all information “related to critical electric infrastructure,” and to reject all requests for such information under FOIA.
In implementing this authority, FERC chose not to adopt the complete FOIA exemption provided by the statute, and instead continues to make such critical infrastructure information available to certain requesting entities following a FOIA review that attempts to balance the benefits and risks of disclosure. This new proposal simplifies that balancing analysis, but does so unnecessarily. FERC could choose not to disclose any CIP violation-related information at all—including the names of the entities found to be in violation—and in doing so could avoid all the issues identified above.
Comments on the proposal are due no later than September 26, 2019, and can be filed in Docket No. AD19-18.