On August 27, 2019, the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) issued a White Paper proposing to disclose the names of entities that violate Critical Infrastructure Protection (CIP) standards, while continuing to withhold other details of those violations. This significant change in policy reflects broader issues in FERC’s handling of security information.

The CIP standards for protecting the security of the bulk power system have been in place for many years and are updated periodically through NERC-led processes to assure that the standards respond to current threats. Maintaining confidentiality of information related to the bulk power system is an important element of the CIP standards. As such, FERC and NERC have generally withheld the names of entities that violate the CIP standards from public view.

FERC is authorized to designate electricity sector security information as “Critical Electric Infrastructure Information” and withhold it from disclosure to third parties or the public. The White Paper makes a strong case that the names of entities that violate CIP standards fall within this authority. Specifically, it points out that disclosing such information “may result in increased hacker activity” by making the entities targets for scanning and phishing attempts.[1] Yet the White Paper recommends the information be disclosed to the public anyway. A brief historical perspective on FERC’s handling of security information provides insight into this apparent internal contradiction.

Two years after 9/11, FERC issued regulations authorizing the designation of security information in its possession as “Critical Energy Infrastructure Information.”[2] FERC relied on pre-existing general exemptions under the Freedom of Information Act (FOIA) to protect this information from disclosure.[3] But that subjected FERC’s designation decisions to complicated FOIA jurisprudence, making them vulnerable to court challenge. This specter of legal action pressured FERC to engage in balancing tests that weighed a third party’s request for such information against the risks associated with the disclosure of that information.

In 2008, then-FERC Chairman Joseph Kelliher testified to the Senate that FERC’s ability to “ensure the confidentiality of sensitive information” was a “common concern” within the electricity sector.[4] Kelliher asked for additional legal authority to protect grid security information from disclosure.[5]

Congress answered that call seven years later when it included language in the 2015 Highway Bill (the “FAST Act”) that authorized FERC and DOE to designate grid security information as “Critical Electric Infrastructure Information”[6] and provided such information with a number of protections, including a statutory exemption from FOIA.

In 2016, FERC issued regulations implementing its FAST Act authority. These regulations melded the Act’s new “Critical Electric Infrastructure Information” designation into FERC’s existing “Critical Energy Infrastructure Information” program, creating a third designation called “Critical Energy/Electric Infrastructure Information.”[7]

In doing so, FERC underutilized its statutory authority to protect grid security information. The FAST Act freed FERC from the need to engage in balancing tests. Yet FERC’s implementation regulations state that FERC will continue its longstanding practice of balancing the sensitivity of information against a requestor’s need for that information.[8]

This leads to the White Paper’s internal contradiction. It states that disclosing CIP violation information can threaten the grid, seemingly qualifying that information for protection under the FAST Act. Yet the White Paper applies FERC’s pre-FAST Act balancing tests, leading it to insinuate that such information may not “clearly fall within the scope of information that is likely to be considered by Commission staff to be exempt from FOIA.”[9]

FERC is not prohibited from retaining balancing tests when assessing security information. It can also decline to protect any part of CIP violation information from disclosure. But these are discretionary decisions, ones that the White Paper admits could increase grid cyber-attacks. Ultimately, the White Paper raises the broader question of whether FERC’s balancing tests remain appropriate, especially when Congress, with the FAST Act, so firmly placed its finger on the scale toward security. It may be timely for Congress to review whether FERC has drawn the right line between circumstances where sensitive information clearly should be protected from disclosure and those where a balancing analysis should be used.
Eric Hutchins, Principal Attorney, H2 Legal, P.C.

Paul M. Tiao, Partner, Hunton Andrews Kurth LLP

Frederick R. Eames, Partner, Hunton Andrews Kurth LLP
[1] FERC and NERC, Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protection Reliability Standards 11, Docket No. AD19-18.

[2] 81 Fed. Reg. at 43557/P 3; see Critical Energy Infrastructure Information, Order No. 630, 68 Fed. Reg. 9857 (Mar. 3, 2003).

[3] Specifically, FERC asserted that FOIA Exemptions 2 (internal procedures), 4 (trade secrets) and 7 (law enforcement) “would most likely apply” to information designated “Critical Energy Infrastructure Information.” Id. at P 14.

[4] Implications of Cyber Vulnerabilities on the Resilience and Security of the Electric Grid: Hearing Before the Subcomm. on Emerging Threats, Cybersecurity, and Science and Tech. of the H. Comm. on Homeland Sec., 110th CONG. 12-13 (May 21, 2008) (statement of Hon. Joseph T. Kelliher).

[5] Id.

[6] 16 U.S.C. § 824o-1.

[7] 81 Fed. Reg. 93732 (Dec. 21, 2016).

[8] Id. at 93746.

[9] White Paper at 11-12.