By Rich Heidorn Jr.

FERC and NERC on Tuesday asked for comment on a proposal to change how they disclose information on violations of critical infrastructure protection (CIP) rules.

FERC and NERC staffs published a white paper outlining proposed changes to their current procedures, which they said “may not be achieving an appropriate balance of security and transparency.”

From 2010 until December 2018, the public version of NERC’s CIP Notices of Penalty contained similar information as the confidential submission to FERC but excluded material NERC considered Critical Energy/Electric Infrastructure Information (CEII), such as the name of the registered entity. In 2019, NERC began submitting public line-by-line redactions of information claimed as CEII.

The commission initially treats information claimed by NERC as CEII as non-public but has reviewed those determinations — and sometimes released additional information — in response to Freedom of Information Act (FOIA) requests. The staffs said they reconsidered their approach in response to an increase in FOIA requests.

The white paper proposes that NERC CIP NOPs include a public cover letter disclosing the name of the violator, the standards violated (but not the requirements) and the penalty amount. NERC would submit the remainder of the NOP, containing details on the violation, mitigation activity and potential vulnerabilities to cyber systems, as a non-public attachment, for which it would request CEII designation.

The only time a CIP NOP identified the violator was a 2011 case involving the Southwestern Power Administration, a federal power marketer (NP11-238). “The identity of the entity in this particular case was material to the resolution of the matter, as the entity had asserted a defense regarding the extent of the commission’s authority to impose a monetary penalty on a federal entity,” the paper said.

In January, NERC recommended a $10 million CIP violation fine for a utility news organizations identified as Duke Energy. (See NERC Seeks $10M Fine for Duke Energy Security Lapses.)

The staffs said separating public and non-public information will improve efficiency “because the information that would be made available to the public is readily identified and set forth in a cover letter. Perhaps more significantly, there is less opportunity for errors, including the inadvertent disclosure of potential CEII in the preparation and submission of CIP NOPs with line-by-line redactions.”

“The public identification of the CIP violator may result in increased hacker activity such as scanning of cyber systems and possible phishing attempts,” the staffs acknowledged. “However, the joint staffs believe that the limited information provided in the proposed cover letter would not provide an adversary with insights on the nature of the CIP violation or related cyber vulnerabilities, processes or procedures that could be used for an informed, focused attack on the violator’s cyber assets.”

The staff notice seeks comments on potential security benefits and security concerns from the new format as well as whether it will provide sufficient transparency to the public. Comments are due 30 days from the Aug. 27 notice.

FERC Commissioner Cheryl LaFleur said she was pleased the commission and NERC are reconsidering their policy, saying it was “an issue of growing controversy.” (See Reliability Conference: Deterrence or Collaboration?)

“It is important that we handle NOPs so as to avoid subjecting the bulk electric system to risk of a cyberattack once a vulnerability is identified,” LaFleur said in a statement. “At the same time, I believe state regulators, members of the public, and others have a legitimate interest in such violations, and we should seek to achieve as much transparency as we can consistent with protecting legitimate security interests.”