Federal Energy Regulatory Commission seeking public comment on Critical Infrastructure Protection Standards Notices of Penalties white paper

The Federal Energy Regulatory Commission (FERC) said Tuesday it is seeking public comment on a white paper jointly prepared by FERC staff and staff from the North American Electric Reliability Corporation (NERC).

The white paper proposes strategies for providing transparency and public access to information regarding violations of mandatory reliability standards related to cybersecurity of the bulk electric system while protecting sensitive information that could jeopardize security.

FERC noted that, since 2018, it has received an unprecedented number of Freedom of Information Act (FOIA) requests for non-public information in the Notices of Penalty (NOPs) for violations of Critical Infrastructure Protection (CIP) reliability standards.

NERC, the designated electric reliability organization, has been submitting CIP NOPs to FERC since 2010. These NOPs typically include information about the nature of the violations, potential vulnerabilities to cyber systems due to noncompliance and mitigation activities.

The white paper proposes that NERC submit each notice with a public cover letter that includes the name of the violator, which reliability standards were violated and the number of penalties assessed. Each notice would also include non-public attachments that describe the nature of the violation, mitigation activity, and potential vulnerabilities to cyber systems. The attachments would also contain a request for designation of such information as Critical Energy Infrastructure Information.

“The procedures that NERC and FERC have followed in processing NOPs for CIP violations has been in place since before I joined FERC and has not been changed in the past decade, as outlined in the attached White Paper,” FERC Commissioner Cheryl LaFleur said. “I think it is highly appropriate that we consider changes to the process at this time. As I discussed at the technical conference, it is important that we handle NOPs so as to avoid subjecting the bulk electric system to risk of a cyber attack once a vulnerability is identified. At the same time, I believe state regulators, members of the public, and others have a legitimate interest in such violations, and we should seek to achieve as much transparency as we can consistent with protecting legitimate security interests.”

According to the joint staff white paper, the proposed changes would make distinguishing between public and non-public information straightforward, make submission and processing of the notices more efficient and reduce the risk of inadvertent disclosure of non-public information.

The names of violators would be public, but details that could be used to plan an attack on critical infrastructures, such as details regarding violations, mitigation, and vulnerabilities, would likely be considered exempt from FOIA.

FERC is seeking comment on several aspects of the white paper, including the potential security benefits and, if applicable, risks associated with the proposed NOP format; difficulties with implementation or other concerns that should be considered; and the level of transparency provided by this proposed change.

“I believe the FERC and NERC staff have put forth one proposal worthy of consideration for a way to handle these NOPs differently,” LaFleur said. “I hope that we receive a wide range of comments on the White Paper, including any suggestions for alternative processes, which will allow FERC and NERC to move forward on this issue.”

Comments are due 30 days after the white paper’s publication on Aug. 27.