FERC Should Require Naming Utilities With Repeat Cybersecurity Violations

By David Rosen

Duke Energy. DTE Energy Co. PG&E Corp.

These companies’ cybersecurity failures remained secret until media outlets outed them as utilities that broke rules designed to protect the nation’s electric system from cyberattacks. In all three cases, the agency that oversees the nation’s bulk-power system—Federal Energy Regulatory Commission (FERC)—kept the names of violators confidential, abiding by a system that relies on self-reporting of violations by utility companies.

Groups like Public Citizen have raised concerns about this system of secrecy and have insisted that FERC name utilities that commit cybersecurity violations. In August, FERC heeded the call: together with the North American Electric Reliability Corporation (NERC), it proposed making public the name of any utility that commits a violation.

“It’s a huge success. Public Citizen’s efforts to promote transparency are paying off, and now regulators are proposing to require the public disclosure of violators,” said Tyson Slocum, director of Public Citizen’s Energy Program and author of multiple filings calling for FERC to identify the corporations that violate cybersecurity laws. “We applaud both FERC and NERC for moving toward making this needed reform.”

Public Citizen’s call and FERC’s response come as U.S. intelligence officials warn of increased threats to critical infrastructure. In late January, media outlets reported that Russian and Chinese hackers have infiltrated U.S. utility networks and possess the ability to shut down power and disrupt gas pipelines for several days.

Duke Energy was one of the utilities the media identified in February, and it faces a record penalty for repeat cybersecurity violations: it committed 127 violations between 2015 and 2018, including failures to protect sensitive information on its hardware and networks that left its systems vulnerable to cyberattack. Duke Energy agreed to pay a $10 million fine, the highest on record for a utility's cybersecurity violations.

Under current law, the federal government has delegated frontline oversight and enforcement of the nation’s cybersecurity laws for electric utilities to a private corporation: NERC. Nine of 12 members of NERC’s board of trustees hail from the utility industry, resulting in inadequate independence from the companies they are supposed to oversee. Although NERC reports to FERC, and FERC can order NERC to make the names of utility scofflaws public, federal regulators have not done so.

In multiple filings with FERC, Public Citizen has called on FERC to tell NERC it must change its unofficial policy of shielding the names of cybersecurity violators from the public. Public Citizen’s latest filing was on June 24, when the organization intervened in two cases involving unnamed utilities that each were fined $1 million for committing multiple cybersecurity violations that “posed a serious or substantial risk to the reliability of the bulk power system.”

In May, Public Citizen submitted comments to FERC for its Security Investments for Energy Infrastructure Technical Conference, noting that:

  • NERC’s lack of independent board governance may compromise its effectiveness as a regulator;
  • FERC’s reliance on industry self-reporting fails to keep us secure;
  • Public identification of utilities that commit violations will help to keep us secure; and
  • FERC should promote and protect roles for whistleblowers.

“Disclosure of violators’ identities is key to holding companies accountable and ensuring that ratepayers do not absorb the costs of their misdeeds,” Slocum said.