The names of bulk power system entities that violate federal critical infrastructure cybersecurity reliability standards–along with identification of standards violated and penalties assessed–may soon be routinely disclosed under changes proposed by the Federal Energy Regulatory Commission (FERC) and the North American Reliability Corp. (NERC).
The proposed changes, which FERC and NERC outlined in an Aug. 27-released joint white paper, would effectively revise the format of Notices of Penalty (NOPs)–which NERC issues to violators of Critical Infrastructure Protection (CIP) reliability standards–by segregating what information can be made public.
If their format is changed, the CIP NOPs, which NERC submits to FERC after a violation, would be reformatted to consist of a public cover letter containing the names of the violators, the standards violated, and the penalties assessed. However, more detailed information that could potentially pose security risks–such the nature of the violation, mitigation activity, and potential vulnerabilities–would be attached to the CIP NOPs in a "non-public," confidential document.
FERC and NERC said in the joint white paper that these changes would help the government more efficiently address a surge of public information requests and boost transparency about critical infrastructure cybersecurity incidents. But, because the proposed NOP format revision officially segregates violation information in "public" and "non-public" formats, it would also lessen the potential for inadvertent disclosure of non-public information, they said.
Concerns About How Much to Disclose
NERC has issued CIP NOPs under authority of the Federal Power Act (Section 215[e]) to users, owners, or operators of the bulk power system for violations of a FERC-approved reliability standard since July 2010, a few years after the first CIP standard was promulgated. CIP NOPs typically include information pertaining to the nature of the violation, potential vulnerabilities to cyber systems as a result of the noncompliance, as well as mitigation activities entities have taken in response to the violation.
However, certain information in NOPs–including the identity of the violator and potential vulnerabilities–that NERC deems may be useful to critical infrastructure attackers or otherwise poses a security risk to a NERC-registered entity have so far been designated as "non-public" and exempted from public disclosure under FERC's 2016-revised Critical Energy/Electric Infrastructure Information (CEII) regulations, which are rules to protect engineering, vulnerability, or detailed design information about physical or virtual assets. FERC practice generally treats information asserted as CEII as non-public, without specific designation, until staff determines otherwise.
In all cases but one since 2010, NERC has designated names of violators as exempted from public disclosure under CEII, identifying them only as "unidentified registered entities" (UREs). The exception came in August 2011, when, for the first time, NERC identified a violator by name–federal power marketer Southwestern Power Administration–because it was "material to the resolution" of a dispute that challenged FERC's authority to impose a monetary penalty on a federal entity.
But last year, for the first time, FERC received a Freedom of Information Act (FOIA) request seeking the name of a CIP violator, which then forced FERC staff to make an unprecedented CEII determination.
Since then, as FERC noted Tuesday, a wide swath of NOP information has been sought by the public, and the agency has been deluged by an "unprecedented number" of FOIA requests for non-public information in the NOPs for violations of CIPs. While recent requests have "resulted in the release of CIP violator's identity in limited instances," they have also forced FERC and NERC to re-evaluate what information should be kept confidential.
"The significant increase in FOIA requests for non-public information in CIP NOPs has raised security and transparency concerns within industry and the general public, which has prompted Commission and NERC staffs to re-evaluate the format of CIP NOPs filed with the Commission," it said.
If changes proposed in the joint white paper are approved (following a 30-day public comment period), NERC CIP NOP submissions would consist of a proposed public cover letter that discloses the name of the violator, the reliability standards violated (but not the requirement), and the penalty amount. NERC would submit the remainder of the CIP NOP filing containing details on the nature of the violation, mitigation activity, and potential vulnerabilities to cyber systems as a "non-public" attachment, along with a request for the designation of such information as CEII.
It means that while the names of violators would be made public with each submission, details that could pose a security risk–such as those regarding violations, mitigation, and vulnerabilities–would likely be considered by FERC staff to be exempt from FOIA. FERC said this proposal–which would only apply to future CIP NOPs–would "allow for transparency related to the identity of the entity and violation while protecting the more sensitive security information that could jeopardize the security of the Bulk-Power System." The changes, it noted, essentially provide a better, "straightforward" approach to separate public and non-public information, and "lessen the potential for inadvertent disclosure of non-public information."
Among issues that FERC and NERC are seeking comment for during the brief 30-day comment period (Docket No. AD19-18-000) are potential security benefits and concerns that could arise from the new format, and whether the format would provide enough transparency to the public.
Privacy Concerns Deepen
FERC and NERC's proposed changes are certain to cause a stir in the power sector, which has shown reluctance to share too much information about physical or virtual assets, owing to privacy and security concerns.
In response to an October 2018 DOE notice of proposed rule-making to implement its authority over CEII designation, for example, the American Public Power Association (APPA), the Large Public Power Council, and the National Rural Electric Cooperative Association (NRECA) urged the DOE to provide greater clarity and certainty concerning procedures for the designation, handling, and sharing of CEII, noting that appropriately structured rules could minimize risks that CEII would pose to critical infrastructure.
This February, APPA and NRECA were joined by the Edison Electric Institute–a trade group that represents all U.S. investor-owned power companies–in urging FERC not to release information in response to FOIAs that requested information from "full" CIP NOPs for 242 dockets covering CIP reliability, and which span the last decade.
"Even with perfect compliance, cyber vulnerabilities would exist, given the constantly evolving threats to cybersecurity. Each requested NOP, when coupled with the name of the URE and other, already-public information, could provide sufficient information to materially assist those entities that are driven to find and exploit such vulnerabilities," the trade groups warned in a joint letter.
Though the groups noted that public transparency is important, they said that if FERC determined that it is necessary to provide "any element" of a NOP in response to a FOIA request, it should at least give NERC and the violator enough time to review the information and "provide a detailed assessment of the potential harm that could result from disclosure."
They added: "This would be appropriate given the very few days that the UREs and NERC have to analyze and respond to the Submitter's Rights Letter and the FOIA request in general, which seeks the disclosure of thousands, if not tens of thousands, of pages of information. In addition, FERC itself should consider carefully how any piece of information, no matter how seemingly innocuous on its own, could be coupled with other information and used by those seeking to attack the reliability of U.S. energy infrastructure."
–Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine)