Regulator Weighs Disclosing Names of Utilities That Violate Grid Security Rules
FERC said if it releases names, it might hold back other details adversaries could use to target vulnerabilities.
Regulators are weighing whether to disclose the identities of electric utilities that violate rules designed to protect the nation’s grid against cyber and physical attacks.
The Federal Energy Regulatory Commission’s current practice is to provide the public general information about federal rule violations and penalties levied—but not to name the companies that broke the rules.
The commission said late last month it has received an unprecedented number of requests for nonpublic identifying information, and it is seeking public comment until Sept. 26 on a proposal to release violators’ names in the future.
FERC said its current practice “may not be achieving an appropriate balance of security and transparency.”
The commission said if it releases identities, it might hold back more of the details of cases, so that adversaries won’t get information they could use to target companies’ prior areas of weakness. Organizations that represent utilities likely will oppose moves to expose the identity of companies that have security lapses.
Since 2008, when the first set of Critical Infrastructure Protection rules took effect, about 250 federal penalty cases have been brought against electric utilities. But it is impossible for the public to tell which companies have the best and worst records.
Earlier this year, then-National Intelligence Director Dan Coats warned that the nation’s electric grid and gas pipelines are in the crosshairs of foreign adversaries.
“China has the ability to launch cyberattacks that cause localized, temporary disruptive effects on critical infrastructure,” he said at the time, and Russia “is now staging cyberattack assets to allow it to disrupt or damage U.S. civilian and military infrastructure during a crisis.”
Michael Mabee, a New Hampshire security blogger who has pushed for fuller disclosure, said that “getting the names of the violators is a huge victory,” but he wants to know the identities of past violators too, and doesn’t think that information should be withheld, because vulnerabilities are required to be fixed once they are discovered.
Mr. Mabee previously filed Freedom of Information Act requests for the release of unredacted penalty case documents, believing that public attention will make utilities focus harder on security.
A U.S. Army veteran, Mr. Mabee said he was sensitized to the importance of a secure electric grid after seeing what happens when a society suffers protracted blackouts, and he worries that U.S. utilities are lax about protecting their assets against attack. Lengthy blackouts tear at social structures, he said, and he witnessed the effects during two tours of duty in Iraq, while providing humanitarian assistance to Guatemala after a hurricane, in Manhattan during the terrorist attacks of 2001, and in the Northeast after the major blackout of 2003.
“It’s like a Forrest Gump thing, where I’ve been present to witness so many disasters,” he said. “I took an oath to defend America and I see threats to the grid as a major threat against our country.”
The Wall Street Journal, in a public-records request filed in March, asked the commission to reveal the identities of violators in 245 penalty cases “in order to increase the accountability of the electric industry” to the public.
The commission’s response to the FOIA requests has been to release documents on a case-by-case basis, after first checking with the utility that was fined. Only a handful of documents have been released so far.
Earlier this year, the Journal published an article about a Russian cyberattack campaign that exploited utilities’ vendor supply chains to gain access to utility networks. The government hasn’t disclosed the identities of the companies that were hit in that campaign.
The Journal and other news organizations have identified a few violators of Critical Infrastructure Protection rules without federal assistance. Duke Energy Corp., PG&E Corp., and DTE Energy are three companies known to have paid some of the largest penalties.
Duke and DTE declined to comment on the penalty cases at the time, other than to say they take security seriously. PG&E initially declined to comment on three penalty cases, other than to say its cybersecurity measures were robust. More recently, it said it has implemented reforms designed to close the gaps.
Trade associations, in the past, have opposed the release of identifying information.
The Edison Electric Institute, which represents investor-owned utilities, said that “even seemingly innocuous information that is self-reported can be exploited by sophisticated adversaries to target the electric grid. Protecting this information helps our members in their efforts to keep our nation’s electricity supply secure and reliable.”
Tyson Slocum, director of Public Citizen’s energy program, said his advocacy organization intends to file comments generally applauding the proposal. He said he thinks “disclosure plays a central role in promoting enforcement and compliance.”
But he said there are still issues to be worked out. His group recently was told it didn’t have standing to challenge FERC’s approval of penalty amounts in these cases proposed by the North American Electric Reliability Corp., the group that audits compliance. “We think that is an error and that’s still an issue,” Mr. Slocum said. But he said he favors any movement in the direction of transparency in the enforcement proceedings.