FERC on Thursday rejected a complaint by cybersecurity activist George Cotter, who last year accused NERC of seriously neglecting the cybersecurity needs of the bulk electric system (EL21-105).
The commission said Cotter did “not provide any legal basis to conclude” that NERC had neglected to follow relevant statutory or regulatory requirements, as he alleged.
Cotter, a former chief of staff at the National Security Agency, filed his complaint in October 2021, originally as a response to FERC’s proposal for incentivizing public utilities to invest in cybersecurity improvements (RM21-3). However, because the submission was “styled as a complaint,” the commission re-docketed it as a complaint proceeding.
The original filing concerns a number of alleged issues with NERC’s Critical Infrastructure Protection (CIP) standards. Cotter called FERC’s proposed cybersecurity incentives a “distinct challenge to overall transparency” of the CIP standards and an attempt at hiding a “major decision [by the commission] to protect regional entities’ control of pre-existing non-CIP reliability standards from potential conflict/interference from CIP standards.” He called on FERC to address the shortcomings in the standards that he claimed to have identified.
Cotter Claimed Deep Standard Flaws
According to Cotter’s narrative, the creation of NERC’s reliability standards following a mandate in the Federal Power Act of 2005 created “two sets of, apparently, non-interfering standards” comprising the CIP standards on the one hand and the non-CIP standards on the other.
As part of the effort to create the CIP standards, Cotter argued, FERC Order 706 allowed NERC to exclude “communications and networks” from the CIP family “to support the fiction that the [CIP standards] secured the” bulk power system, in spite of the “enormous dependencies of non-CIP … standards on precisely the same resources.” Cotter said that omitting this important element of cybersecurity made the grid significantly more vulnerable to intrusion.
The response to subsequent security incidents, including the penetration by Russian intelligence of the supply chains of three vendors providing control systems for U.S. utilities in 2012, was hampered by FERC’s further unnecessary interference, in Cotter’s telling. The commission’s decision to implement version 5 of the CIP standards in 2016 impeded the investigation into these attacks and constituted “a low-water mark in the early history of cyber warfare” for which “FERC will forever bear the fundamental responsibility.”
“With every opportunity to plug the vulnerability that risks much of the nation’s national security and critical infrastructures, FERC is determined to continue fogging up this huge advantage to the nation’s adversaries in this legislation,” Cotter said in the filing. “Regulatory procedures adopted by FERC intended to prevent public knowledge of utility security flaws, vulnerabilities, incidents, and compliance audits have obscured all but a slow leakage of industry and FERC efforts to maintain the status quo.”
Cotter also suggested that the introduction of the CIP standards created a bifurcated regime, with “non-CIP reliability standards still largely controlled by regional entities.” By this Cotter apparently meant the existence of regional variants on national standards, which are developed by REs and submitted to NERC for approval.
To address these issues, Cotter argued that “FERC must accept that 4,000 … independent and semi-independent utilities cannot collectively secure the grid” and must also accept — along with government officials — “the reality of ‘deterrence’ as the first line of defense of the electric system.” This new approach would also include training National Guard and military reserve units as first responders to incidents with electricity providers. Cotter also called for the adoption of the National Institute of Standards and Technology’s cybersecurity framework by utilities, and for regulators to “orient their cybersecurity standards decisions on ‘vulnerabilities’ vs. ‘threats.’”
NERC Noted No Basis
In a response filed last year, NERC asserted that Cotter’s allegations “rest on various misunderstandings regarding legislative history, commission issuances, and NERC activities.” The organization said that these misunderstandings are the reason for the “gap in reliability standards” that Cotter claimed. NERC said that contrary to Cotter’s description, there is no division between CIP standards and others in NERC’s library, that it does not suppress information on CIP violations, and that its compliance monitoring and enforcement regarding the CIP standards is not deficient.
Moreover, Cotter’s description of the non-CIP standards as controlled by REs reflects a “complete misunderstanding of … [RE] activities.” NERC pointed out that “there are fewer than 20 regional variations in effect across North America,” all of which were approved by NERC and “applicable governmental authorities.” The organization called for FERC to dismiss the complaint on the grounds that it lacks a “basis in fact and law for the positions taken,” and does not demonstrate any action by NERC that is inconsistent with applicable laws under FERC’s jurisdiction.
In its decision, FERC sided with NERC, citing multiple apparent problems with the complaint. First, the commission said that Cotter provided no proof or analysis in support of his allegations, notably regarding how the actions and inactions he described violated the Federal Power Act. FERC echoed NERC, saying there is no difference between CIP and non-CIP standards in terms of enforcement.
In addition, the commission dismissed Cotter’s claim that communication networks are excluded from the CIP standards, saying the exemption referenced is “limited [in] nature” and sets out criteria for networks that must be included in the enforcement. Moreover, regarding regional standard variants, while FERC acknowledged that “uniformity of reliability standards should be the rule rather than the exception,” it noted that regional variants must be “more stringent than the continent-wide reliability standards [or] necessitated by a physical difference in the” BPS.
FERC also pointed out that several of Cotter’s suggested solutions require action by entities such as the U.S. Congress, states, and the military, over which FERC does not have jurisdiction. Regarding the other solutions, the commission concluded that Cotter’s request would require it to direct NERC to create a new standard or modify existing standards. Because of the lack of factual basis for Cotter’s claims, FERC concluded there is no need for such a standard at this time.