PowerPost Follow @powerpost Get the Cybersecurity 202 Newsletter PowerPost Analysis The Cybersecurity 202: Activist wants court to name and shame electric utilities for violating cybersecurity rules

Author: Joseph Marks Published 12/3/19 PowerPost

A Pacific Gas & Electric sign is shown outside of a PG&E building in San Francisco. (AP Photo/Jeff Chiu)

THE KEY

A cybersecurity activist is suing the electricity industry’s main regulator to uncover what he says is a system that lacks accountability and leaves the electric grid highly vulnerable to cyberattacks.

Michael Mabee is asking a federal court in Washington to reveal the identities of hundreds of electric companies that paid fines for violating cybersecurity rules during the past decade but whose names have never been publicly revealed.

The North American Electric Reliability Corporation, which imposed those fines, has argued that publishing the names could give Russia or another U.S. adversary a roadmap for how to hack into the electric grid and cause major damage. But Mabee and his supporters say withholding the names means there’s little public pressure on the companies to clean up their acts.

“Everybody in the United States is dependent on electricity, but we’re being told by the regulators we don't have a right to know whether our electricity provider is obeying the rules,” Mabee told me. “If there's unsafe food, we all hear don't eat spinach from ABC company … But, when it comes to the electric grid, any company that violates critical infrastructure protection regulations gets their name withheld.”

The suit, which Mabee filed last month, follows years of warnings that Russia is developing hacking tools that could shut down portions of the U.S. electric grid. In an ominous demonstration, Russia also appears to have launched a cyberattack that shut off electricity for tens of thousands of Ukrainians in 2015 — the first known such attack to actually turn the lights off.

A threat assessment from the Office of the Director of National Intelligence this year even warned that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”

But that sense of urgency hasn’t filtered down to local and regional electric companies, which often take a lax attitude to basic cybersecurity protections such as making sure former employees don't retain access to their systems.

“The Chinese and the Russians may very well have malware planted in the U.S. electric grid and they might be able to turn it off,” Mabee told me. “[But] right now we're very unsafe because there's no incentive for these companies to do more than the minimum.”

Secrecy about cybersecurity violations also makes it far harder for state-level regulators or investors to hold electric companies accountable.

“By disclosing the names, you're empowering more stakeholders to help the utility improve its systems,” Tyson Slocum, director of the Public Citizen advocacy group's energy program and a supporter of Mabee’s lawsuit, told me. “Cybersecurity has become an important tool of global warfare between states…so ensuring that utilities have the highest possible cybersecurity.

Mabee is a blogger and researcher whose interest in grid security was sparked when he was in Manhattan during the 2003 Northeast blackout. He’s filed about 250 Freedom of Information Act requests seeking the names of utilities responsible for about 1,500 cybersecurity violations since 2010, but has received only a handful of responses. If it's sucessful, his lawsuit would force the government to answer those FOIAs and to be more transparent about future violations.

In some cases, companies have paid hefty fines for multiple serious violations. Duke Energy, for example, paid a still-not-officially-disclosed $10 million fine to settle 127 violations “of security standards meant to protect the electric grid from catastrophic outages,” E&E News reported earlier this year, citing industry sources.

Mabee’s FOIA requests also uncovered a $2.7 million penalty issued to San Francisco-based Pacific Gas & Electric in 2018 for exposing sensitive grid schematics on the Internet for several weeks.

In both cases, NERC revealed the value of the fines and a rough outline of the offenses, which had already been corrected, but not the name of the violator.

The Federal Energy Regulatory Commission, which oversees NERC, released a proposal in August to start revealing the names of violators along with other information that wouldn’t help attackers. However, the new system wouldn’t apply to past violations. NERC is essentially a nongovernment commission tasked with ensuring that electric utilities are following cyber and physical security rules.

Several groups are also urging more transparency beyond the new proposal, including state-level electricity regulators in New Hampshire and New Mexico and the Reporters Committee for Freedom of the Press.

A FERC spokesman declined to comment on the lawsuit. He also declined comment on the proposal to increase transparency, saying the commission is still reviewing comments from the public.