FERC and NERC Staff Change Course on Disclosure of CIP Violators

Morgan Lewis - Power & Pipes

Following significant pushback from the regulated community, FERC and NERC Staff jointly announced in a new white paper that filings and other submissions to FERC describing violations of cybersecurity reliability standards would be entirely nonpublic. Under the revised approach, all cybersecurity noncompliance information will be considered CEII and not disclosed in response to FOIA requests.

This was a significant change from last year, when, in a heavily criticized white paper, FERC and NERC Staff proposed to publicize the names of utilities found to have violated cybersecurity reliability standards, along with the financial penalty imposed and the reliability standards (but not requirements) that were violated. Under that approach, the specific circumstances of the violations would have been nonpublic.

This recent change in course was driven by the conclusion that even disclosing the limited information proposed last year could create “tangible risks.” Specifically, the white paper recognized that, together with other information that a bad actor could learn about a utility, the identification of entities with poor compliance programs or specific compliance problems could enable bad actors to target specific weaknesses at specific utilities.

The white paper also recognized that FERC’s considerable penalty authority, rather than the public identification of noncompliance, should be the primary incentive for appropriate compliance behavior.

The only apparent downside to the revised approach is that it will also discontinue NERC’s past practice of providing anonymized descriptions of cybersecurity noncompliance. Utilities have historically used that information to identify compliance issues that other utilities have experienced and how those concerns were resolved through programmatic or technological improvements. Without access to that information, utilities should be attentive to the other methods of learning best practices, including lessons learned reports issued by FERC Staff and guidance from NERC and regional entities through conferences, webinars, and newsletters.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Power & Pipes | Attorney Advertising
