The Federal Energy Regulatory Commission is seeking public comment on a white paper jointly prepared by its staff and staff from the North American Electric Reliability Corporation (NERC) that proposes changes to the way that FERC handles notices involving violations of mandatory reliability standards governing cybersecurity of the bulk electric system.
Currently, when NERC submits Notices of Penalty (NOPs) for violations of Critical Infrastructure Protection (CIP) reliability standards to FERC, it redacts certain information, including the identity of the violator, from the public filing. NERC, the designated electric reliability organization, has been submitting CIP NOPs to FERC since 2010. The filings typically include information regarding the nature of the violations, potential vulnerabilities to cyber systems as a result of noncompliance, and mitigation activities.
The white paper notes that since 2018, FERC has received an unprecedented number of Freedom of Information Act (FOIA) requests for non-public information in the CIP NOPs.
Citing this increase in FOIA requests and other considerations, the white paper suggests a revised approach for submitting NOPs involving CIP standards violations. The white paper proposes that NERC would submit each notice with a public cover letter that discloses the name of the violator, which reliability standards were violated, and the amount of penalties assessed (AD19-18-000).
Each notice would also contain non-public attachments that detail the nature of the violation, mitigation activity and potential vulnerabilities to cyber systems. These attachments would also contain a request for designation of such information as Critical Energy/Electric Infrastructure Information.
The white paper opines that “the proposed revised format more appropriately balances confidentiality, transparency, security and efficiency concerns.” The proposed changes will make distinguishing between public and non-public information straightforward, the paper says. According to FERC and NERC staff, these revisions should make submission and processing of the notices more efficient while also reducing the risk of inadvertent disclosure of non-public information.
While names of violators would be made public, detailed information that could be useful in planning an attack on critical infrastructure, such as details regarding violations, mitigation and vulnerabilities, likely would be considered exempt from FOIA.
The white paper specifically requests comments on the following issues: (1) the potential security benefits from the new proposed format; (2) any potential security concerns that could arise from the new format; (3) any other implementation difficulties or concerns that should be considered; and (4) whether the proposed format provides sufficient transparency to the public.
In connection with a notice regarding a CIP violation notice of penalty in Docket No. NP19-4-000, Commissioner Rich Glick highlighted the white paper, encouraging “interested parties . . . to participate in the White Paper docket as the Commission works to address ongoing concerns regarding transparency and security of the NERC NOP process.”
Comments on the white paper are currently due by Sept. 26, 2019. On Sept. 11, the Association, the Large Public Power Council, Transmission Access Policy Study Group, and a number of other industry associations asked FERC to extend the comment deadline until Oct. 27, 2019.