On August 27, 2019, FERC staff and the North American Electric Reliability Corporation (“NERC”) staff (collectively, “Staff”) jointly issued a white paper on Notices of Penalty (“NOP”) for violating Critical Infrastructure Protection (“CIP”) Reliability Standards, which detail requirements for Bulk Power System cyber security. Staff elected to draft the white paper in response to the increase in Freedom of Information Act (“FOIA”) requests for the disclosure of non-public information in CIP NOPs, such as the identity of the CIP violator. The overarching objective of the proposal is to provide increased transparency, while protecting sensitive security information that could jeopardize the Bulk Power System if made public. If approved, the proposal will not have a retroactive effect on pending matters or CIP NOPs already filed with the Commission.
The Commission, in CIP NOP proceedings, has traditionally treated information asserted to be Critical Energy/Electric Infrastructure Information (“CEII”) as non-public, without formally designating it as such, unless the Commission found such a designation was unnecessary. However, due to the “unprecedented” increase in the number of FOIA requests for non-public information in CIP NOPs, the Staff has concluded that the format of CIP NOPs filed with the Commission may need to be modified in an effort to balance the need for increased transparency and continued cybersecurity.
NERC has submitted CIP NOPs that include CEII requests since 2010. However, FERC staff never assessed those requests for CEII designation until 2018 when the Commission received a FOIA request for the name of an undisclosed CIP violator in a NOP. The Commission has continued to receive a greater number of FOIA requests for non-public information in CIP NOPs since that time. In some cases, the FERC Staff has released the identity of the unidentified CIP violator when it concluded that public release of the requested information would not jeopardize the security of the Bulk-Power System.
In the white paper, Staff have proposed to revise the format of CIP NOPs to include a public cover letter and a separate non-public attachment. The public letter would disclose the name of the violator, the Reliability Standard(s) violated—but not the requirement or sub-requirement violated—and the penalty amount. The separate non-public attachment would detail the nature of the violation, mitigation activity, and potential cyber system vulnerabilities, with a request that such information be designated as CEII. Under the proposal, in the limited instances where public disclosure of information included in the cover letter could potentially jeopardize the security of the Bulk-Power System, NERC would be able to submit such information to the Commission confidentially. According to Staff, the proposal segregates public and non-public information in a manner that is consistent with relevant law, including section 215 of the Federal Power Act, the Fixing America’s Surface Transportation Act, and FOIA.
Staff have requested comments on (1) the potential security benefits from the new proposed format; (2) any potential security concerns that could arise from the new format; (3) other implementation difficulties or concerns that should be considered; and (4) whether the proposed format provides sufficient transparency to the public. All public comments must be submitted within thirty days of the issuance of the White Paper Notice, which was issued on August 27, 2019.