In late August, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) released a white paper that "proposes to provide transparency and public access to information on violations of mandatory reliability standards governing cybersecurity of the bulk electric system, while protecting sensitive information that could jeopardize security."
The reasoning: "Since 2018, FERC has received an unprecedented number of Freedom of Information Act (FOIA) requests for non-public information in the Notices of Penalty (NOP) for violations of Critical Infrastructure Protection (CIP) reliability standards," according to a FERC press release.
In sum, the white paper proposes that NERC would submit each notice with a public cover letter that discloses the name of the violator, which reliability standards were violated, and the amount of the penalties assessed. However, each notice would also contain non-public attachments that detail the nature of the violation, mitigation activity and potential vulnerabilities to cyber systems. The proposed reporting system would therefore distinguish between public and non-public information. And, according to FERC, "These revisions should make submission and processing of the notices more efficient, while also reducing the risk of inadvertent disclosure of non-public information. While names of violators would be made public, detailed information that could be useful in planning an attack on critical infrastructure, such as details regarding violations, mitigation and vulnerabilities, likely would be considered exempt from FOIA."
Following the release of the white paper, FERC released a statement on August 27 seeking public comment on the proposed new rule. Those interested in making comment have until September 26 to do so.
There are strong opinions on each side. Many U.S. lawmakers and public information groups applaud the idea, claiming that the public availability of the names of utilities involved in cybersecurity infractions will encourage those utilities to be more assertive in thoroughly addressing the cybersecurity weaknesses in their systems.
However, pushback is expected from some or all of the major utility groups: the Edison Electric Institute, the American Public Power Association and the National Rural Electric Cooperative Association, which are likely to express concern that even identifying specific utilities and the specific standards those utilities violated could provide valuable information to those intent on launching cybersecurity attacks on the U.S. electric grid.