Reed Smith Client Alerts

On August 27, 2019, the Federal Energy Regulatory Commission (FERC or the Commission) issued notice of the publication of the Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards (the White Paper) in FERC Docket No. AD19-18-000.1  Prepared in conjunction with the North American Electric Reliability Corporation (NERC), the White Paper proposes to revise the format for NERC Notices of Penalty (NOPs) for violations of Critical Infrastructure Protection (CIP) Reliability Standards in order to better protect sensitive infrastructure information, particularly the grid’s cyber systems, while maintaining adequate transparency.  The Commission has requested comments on the White Paper by Thursday, September 26, 2019.

The White Paper considers whether sensitive infrastructure information disclosed in a NOP should be shielded from the public or disclosed in the interest of transparency.  Under section 215 of the Federal Power Act, the Commission has charged NERC with promulgating and enforcing CIP Reliability Standards to safeguard the bulk power system.2  If NERC determines that a CIP Reliability Standard has been violated, it can assess penalties to system users, owners, and operators by filing a NOP with the Commission.  If neither the Commission nor the purported violator seeks review of the NOP, the penalty takes effect on the 31st day after NERC’s filing.

As noted in Commissioner Cheryl A. LaFleur’s statement, the current system for filing and processing NOPs has not been significantly modified in well over a decade.3  When NERC reports a NOP to the Commission, it describes the nature of the violation, assesses vulnerabilities to various components of the electrical system, including cyber systems, and discusses mitigation strategies.  While this process is intended to reinforce the bulk power system, the information contained in NOPs could also serve as a blueprint for disabling the grid.

Under the existing system, several layers of security protected NOP-related material from public scrutiny.  The Commission is authorized to classify details of a NOP as non-public if they relate to a cybersecurity incident4 or if disclosure would jeopardize the security of the bulk power system.5  Information contained in a NOP can also be designated as confidential and non-public under the Commission’s Critical Energy/Electric Infrastructure Information (CEII) regulations, including the identity of the violator and certain details related to the reliability standard violation.  CEII is secured from public review until the Commission “determine[s] that the information is not entitled to the treatment sought.”6