August 27, 2019
Docket No. AD19-18-000
Notice for White Paper | Joint White Paper
The Federal Energy Regulatory Commission (FERC) is seeking public comment on a white paper jointly prepared by its staff and staff from the North American Electric Reliability Corporation (NERC).
The joint staff white paper proposes to provide transparency and public access to information on violations of mandatory reliability standards governing cybersecurity of the bulk electric system while protecting sensitive information that could jeopardize security.
Since 2018, FERC has received an unprecedented number of Freedom of Information Act (FOIA) requests for non-public information in the Notices of Penalty (NOPs) for violations of Critical Infrastructure Protection (CIP) reliability standards.
NERC, the designated electric reliability organization, has been submitting CIP NOPs to FERC since 2010; they typically include information regarding the nature of the violations, potential vulnerabilities to cyber systems as a result of noncompliance, and mitigation activities.
The white paper proposes that NERC would submit each notice with a public cover letter that discloses the name of the violator, which reliability standards were violated, and the amount of penalties assessed. Each notice would also contain non-public attachments that detail the nature of the violation, mitigation activity and potential vulnerabilities to cyber systems. These attachments would also contain a request for designation of such information as Critical Energy Infrastructure Information.
As noted in the joint staff white paper, the proposed changes will make distinguishing between public and non-public information straightforward. These revisions should make submission and processing of the notices more efficient while also reducing the risk of inadvertent disclosure of non-public information.
While names of violators would be made public, detailed information that could be useful in planning an attack on critical infrastructure, such as details regarding violations, mitigation and vulnerabilities, likely would be considered exempt from FOIA.
FERC is seeking comment on many aspects of the white paper, including: the potential security benefits and, if applicable, risks associated with the proposed NOP format; difficulties with implementation or other concerns that should be considered; and the level of transparency provided by this proposed changed. Comments are due in 30 days.