The White Paper considers whether sensitive infrastructure information disclosed in a NOP should be shielded from the public or disclosed in the interest of transparency. Under section 215 of the Federal Power Act, the Commission has charged NERC with promulgating and enforcing CIP Reliability Standards to safeguard the bulk power system.[2] If NERC determines that a CIP Reliability Standard has been violated, it can assess penalties to system users, owners, and operators by filing a NOP with the Commission. If neither the Commission nor the purported violator seeks review of the NOP, the penalty takes effect on the 31st day after NERC’s filing.
As noted in Commissioner Cheryl A. LaFleur’s statement, the current system for filing and processing NOPs has not been significantly modified in well over a decade.[3] When NERC reports a NOP to the Commission, it describes the nature of the violation, assesses vulnerabilities to various components of the electrical system, including cyber systems, and discusses mitigation strategies. While this process is intended to reinforce the bulk power system, the information contained in NOPs could also serve as a blueprint for disabling the grid.
Under the existing system, several layers of security protect NOP-related material from public scrutiny. The Commission is authorized to classify details of a NOP as non-public if they relate to a cybersecurity incident[4] or if disclosure would jeopardize the security of the bulk power system.[5] Information contained in a NOP can also be designated as confidential and non-public under the Commission’s Critical Energy/Electric Infrastructure Information (CEII) regulations, including the identity of the violator and certain details related to the reliability standard violation. CEII is secured from public review until the Commission “determine[s] that the information is not entitled to the treatment sought.”[6]
Increasingly, outside parties have made formal requests to the Commission, pursuant to the Freedom of Information Act, to disclose more information regarding reliability standard infractions.[7] To balance demands for greater transparency in NOP proceedings with security concerns, NERC and the Commission propose to revamp the format of the NOPs that NERC submits to the Commission. Under the White Paper’s model, NOP submissions would include: (1) a proposed public cover letter that discloses the name of the violator; (2) the CIP Reliability Standard(s) violated; and (3) the penalty amount. Details regarding the specific nature of the CIP violation, recommended mitigation activities, and an evaluation of cyber security weaknesses would be presented to the Commission as a non-public attachment with a request for the designation of such information as CEII. The White Paper also recommends an important change in the timing of the NOP process. Under the proposal, NERC would submit NOPs after mitigation of the underlying violation is completed. Finally, if adopted, the modified NOP process would be applied on a prospective basis only.
To fully evaluate the NOP format proposed in the White Paper, NERC and the Commission request public comment on the following issues:
- the potential security benefits from the format proposed in the White Paper;
- any potential security concerns that could arise from the new format;
- any implementation difficulties or concerns that should be considered; and
- whether the proposed format provides sufficient transparency to the public.
The Commission and NERC have also requested any additional suggestions to improve the format of NOPs that would secure sensitive information while preserving transparency. Parties interested in commenting on the White Paper must file their comments with the Commission in FERC Docket No. AD19-18-000 by September 26, 2019.
- [1] Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards, Docket No. AD19-18-000 (issued Aug. 27, 2019).
- [2] 16 U.S.C. § 824o (2012).
- [3] Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards, Docket No. AD19-18-000 (issued Aug. 27, 2019) (Statement of Commissioner LaFleur).
- [4] 16 U.S.C. § 824o (a “cybersecurity incident” is defined as “a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system”).
- [5] 18 C.F.R. §§ 39.7(b)(4), 39.7(e)(7) (2019).
- [6] 18 C.F.R. § 388.113(d)(1)(iv) (2019).
- [7] 5 U.S.C. § 552 (2012).
Client Alert 2019-221