FERC and NERC will no longer publicly post information about violations of the ERO’s Critical Infrastructure Protection (CIP) standards, according to a joint white paper published by the organizations on Wednesday (AD19-18).
Under the new rule, NERC will request that CIP noncompliance information filed to the commission be treated as critical energy/electric infrastructure information (CEII) in its entirety, and it will end its current practice of publicly posting redacted versions of the filings. It is unclear whether NERC will continue to provide public information about violations of CIP standards in any form.
NERC and FERC’s new direction is a sharp contrast to a proposal floated last year that would have seen the ERO file public cover letters with its CIP-related Notices of Penalty (NOP), including the name of the violator, the standards violated (but not the requirements) and the penalty amount. (See FERC, NERC Propose New CIP Disclosure Rules.) The remainder of the NOP, containing details on the violation, mitigation activity and potential vulnerabilities to cyber systems, would be submitted as a nonpublic attachment with CEII designation.
NERC has been redacting information claimed as CEII from public filings on a line-by-line basis since 2019; previously, the public version of NOPs involving CIP violations contained similar information as the confidential submissions to FERC, with CEII excluded entirely. The proposal for public cover sheets came about in response to “an unprecedented number of requests” under the Freedom of Information Act (FOIA), with the organizations saying the new approach would achieve “an appropriate balance of security and transparency.”
Dueling Concerns over Security, Transparency
Stakeholder responses to the last white paper, submitted in November 2019, revealed widespread opposition to the proposal, though the reasons for disapproval varied widely. (See FERC, NERC Reviewing Comments on CIP Disclosures.)
Several consumer advocacy groups, such as the Foundation for Resilient Societies (FRS) and Public Citizen, criticized the plan for not providing enough transparency. FRS objected to the requirement that any CIP violations be fully mitigated before an NOP is submitted, and to allowing utilities to request indefinite delays in public disclosure. Public Citizen called for further reforms, including formal protection for whistleblowers.
At the other end of the spectrum was a number of industry representatives, such as the MISO Transmission Owner stakeholder sector, and a group of trade organizations, including the Edison Electric Institute, National Rural Electric Cooperative Association and WIRES. They argued that even the limited information that NERC and FERC proposed to release “could provide roadmaps to bad actors” targeting critical infrastructure assets by exposing vulnerabilities in the bulk power system.
Report Sides with Industry Objections
In their final decision, FERC and NERC leaned decisively toward the second line of reasoning, agreeing that the previous proposal “is insufficient to protect the security of the bulk power system” and that disclosing the identity of CIP violators creates “substantial risks” from hackers and other malicious cyber actors.
“Since the public does not have a statutory role in the enforcement of reliability standards, public disclosure of CIP noncompliance information does not serve any statutory purpose,” the white paper said. “Although commission and NERC staffs recognize the potential deterrent effect of publicizing the identity of violators in general, the security concerns discussed here outweigh the potential benefit.”
In addition, the report cited a filing by the Department of Energy that argued the commission “did not fully avail itself” of the authority to protect CEII provided to it by the Fixing America’s Surface Transportation Act and the Federal Power Act. The department also noted that the FOIA contains exemptions for both CEII and confidential business information, and suggested that CIP violation information could fall under either category.
