FERC/NERC joint white paper on cyber transparency

Tuesday, August 27, 2019

U.S. electricity regulators have asked for public comment on a staff white paper proposing to provide increased transparency and public access to information on violations of mandatory reliability standards governing cybersecurity of the bulk electric system, while protecting sensitive information whose disclosure would be a security risk. If the changes are adopted, the identity of violators would be made public, while detailed information that could be useful in planning an attack on critical infrastructure would remain protected from public disclosure.

At issue is a white paper jointly prepared by staff of the Federal Energy Regulatory Commission and of North American Electric Reliability Corporation (NERC). The Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards was released on August 27, 2019.

The Commission's regulatory jurisdiction includes cybersecurity issues affecting the bulk electric system. NERC, in its role as the nation's electric reliability organization, has adopted a variety of reliability standards, including those governing Critical Infrastructure Protection (CIP) and cybersecurity of the grid. Since 2010, NERC has submitted Notices of Penalty to FERC pertaining to violations of its CIP standards, which typically describe the nature of the violations, potential cyber system vulnerabilities, and mitigation activities, but which do not publicly identify the entity alleged to have violated the standards.

But according to the Commission, since 2018 it has received an "unprecedented number" of Freedom of Information Act requests for non-public information in these Notices of Penalty, such as the identity of the entity alleged to have violated the standard. For example, earlier this year a nongovernmental organization unsuccessfully pressured the Commission to identify an anonymous utility that had agreed to pay a $10 million penalty to settle allegations of violations of cybersecurity and other reliability standards.

To refine the balance between transparency and security, the joint white paper proposes that NERC submit each Notice of Penalty with a public cover letter that discloses the name of the violator, which reliability standards were violated, and the amount of penalties assessed. Separate non-public attachments would detail the nature of the violation, the mitigation activity, and any potential vulnerabilities to cyber systems, with that information designated as Critical Energy Infrastructure Information (CEII) and subject to additional protections against public disclosure. According to the Commission, these proposed changes would make it easier to distinguish public from non-public information in each notice.

The Commission has issued a Notice of White Paper, calling for public comments to be filed within 30 days. The Commission has specifically asked for comment on the potential security benefits and risks associated with this approach; any difficulties with implementation or other concerns that should be considered; and the level of transparency provided by the proposed change.
