In some cases, companies have paid hefty fines for multiple serious violations. Duke Energy, for example, paid a still-not-officially-disclosed $10 million fine to settle 127 violations “of security standards meant to protect the electric grid from catastrophic outages,” E&E News reported earlier this year, citing industry sources.

Mabee’s FOIA requests also uncovered a $2.7 million penalty issued to San Francisco-based Pacific Gas & Electric in 2018 for exposing sensitive grid schematics on the Internet for several weeks.

In both cases, NERC revealed the value of the fines and a rough outline of the offenses, which had already been corrected, but not the name of the violator.

The Federal Energy Regulatory Commission, which oversees NERC, released a proposal in August to start revealing the names of violators along with other information that wouldn’t help attackers. However, the new system wouldn’t apply to past violations. NERC is essentially a nongovernment commission tasked with ensuring that electric utilities are following cyber and physical security rules.

Several groups are also urging more transparency beyond the new proposal, including state-level electricity regulators in New Hampshire and New Mexico and the Reporters Committee for Freedom of the Press.

A FERC spokesman declined to comment on the lawsuit. He also declined comment on the proposal to increase transparency, saying the commission is still reviewing comments from the public.