FERC moving to protect ‘sensitive’ information on the grid — LaFleur

By Rod Kuckro | 02/05/2015 08:13 AM EST

The Federal Energy Regulatory Commission erred in 2013 when it failed to consult with the Departments of Energy and Homeland Security over sharing “sensitive, nonpublic” information on critical energy infrastructure with industry that had national security implications, Chairwoman Cheryl LaFleur said yesterday.

Had she been FERC’s leader at the time, "what I hope I would have done is recognize that when we’re working with national security, we should make a call to the DOE and the DHS and not do something like this alone," LaFleur said in an interview.

"The problem was that things were created where classification should have been considered and it wasn’t considered," LaFleur said.

The things created included multiple analyses, PowerPoint presentations and substation failure simulations "depicting a potentially devastating impact on the grid," said DOE Inspector General Gregory Friedman in his report released yesterday.

Then-Chairman Jon Wellinghoff in early 2013 ordered his staff to identify critical substations by location and simulate widespread blackouts that would result from their destruction, Friedman said.

While the information was not classified, some FERC staff warned Wellinghoff that the information, "should it fall into the wrong hands, could provide terrorists or other adversaries with information they might use to disable portions of the grid," said the inspector general’s report.

A senior FERC official indicated that the analyses didn’t exist outside the agency and said it would "serve as a very nice road map to someone planning such attacks," according to the report.

Wellinghoff disputed assertions made by FERC staff and DOE officials about the sensitivity of the simulations, saying he had discussed the "general nature" of analyzed grid vulnerabilities with one member of the media and considered the material to be unclassified because it was drawn from public sources.

Determined that the information should be conveyed to industry and other federal agencies "so that corrective actions to improve security could be completed," Wellinghoff "made the decision" to share the information, said the IG, citing commission staff.

But the FERC analysis sparked a political firestorm on Capitol Hill after it appeared in a Wall Street Journal article in March 2013. The analysis’s bottom line: The United States could suffer weeks or even months of coast-to-coast blackouts if saboteurs were able to knock out nine of the country’s 55,000 electric-transmission substations on a scorching summer day.

After the Journal story, LaFleur said she made "a pretty strong public statement that I think publication of information of that nature could undercut the security of the grid. So I do think that things such as the studies that were discussed in the [story] should not be communicated publicly."

Missing emails may have shed light on decision process

The report found that "inconsistencies in the testimony of Commission staff and the former Chairman were troubling."

To try to resolve the differences, Friedman sought email and other documents but could not compare statements Wellinghoff made in an interview with supporting documentation because "we found no email traffic in the former Chairman’s account for the relevant period in October and November of 2013."

Wellinghoff stepped down as FERC chairman on Nov. 25, 2013.

It wasn’t that all of Wellinghoff’s emails from that period were missing; "it was emails on this particular topic," LaFleur clarified.

In 2013, FERC was operating "three different email systems; we kept changing from one platform to the next and had inconsistent backup periods," LaFleur said.

"Our formal document retention policy was written some time ago, and our emails that constitute agency records are supposed to be printed and retained. I don’t have to tell you that’s a little bit of an old-fashioned policy," LaFleur said.

"So we are doing a complete revamp of our document retention policy to make sure that it doesn’t rely on people such as Chairman Wellinghoff doing a paper backup."

In October 2013, Wellinghoff briefed Energy Secretary Ernest Moniz and other DOE officials on the FERC analysis, sparking questions among senior DOE officials about whether the information should be classified.

DOE, which classifies information for FERC, and DHS officials told the IG that after they learned more about the analysis, the material was deemed "sensitive but unclassified." There are sanctions for the unauthorized release of classified information, but there are no penalties for releasing "sensitive" data, the IG report says.

FERC officials told Friedman the analysis was hypothetical, and DOE officials said the loss of critical substations — a "highly unlikely assumption" — would only cause the formation of "islands of power" and not a total loss of power.

"Commission officials assert, and we confirmed, that there is apparently no penalty or sanction that could be imposed for disclosing such information for individuals that either leave or were never a part of the federal service," Friedman wrote.

Asked if such a penalty should be considered, LaFleur said her agency doesn’t have the "authority to impose penalties; that would require, I believe, congressional action. I certainly would understand if Congress chose to make stronger penalties for former federal officials," she said.

Wellinghoff reaffirms vulnerability of substation

Asked a day before the IG report was released to respond to criticism that the grid cannot be taken down by attacking a small number of substations and that the probability of such an attack succeeding is remote, Wellinghoff said, "I challenge that."

"It doesn’t take a lot to figure out which nodes to hit. You can hit them anytime. It doesn’t take a genius to understand that you want to try in the middle of summer, when things are stressed most. In terms of which nodes are most important, there are government reports going back to 1981 discussing critical nodes," he said in an interview.

Wellinghoff is now an attorney at the Portland, Ore.-based law firm Stoel Rives. His office said he was not responding yesterday to the IG’s report.

Murkowski pledges review of IG report

Senate Energy and Natural Resources Chairwoman Lisa Murkowski (R-Alaska), whose committee oversees FERC, vowed to fully review Friedman’s findings and possibly take legislative action to improve FERC’s handling of sensitive data.

"Not only did the report find inconsistencies between the testimony of former FERC Chairman Wellinghoff and commission officials, but it found that during Wellinghoff’s tenure there was a ‘culture of reluctance to classify certain nonpublic documents,’" Murkowski said in a statement.

Murkowski also questioned why the former chairman’s emails during the relevant time frame last year went missing and hampered the IG’s investigation.

"Oversight of FERC is an important duty of this committee," she added. "As chairman, I will fully review the inspector general’s recommendations, including potential legislative proposals to improve FERC’s handling of sensitive information."

Work on IG suggestions ‘well under way’

Friedman made a number of recommendations for FERC to reform its procedures and training about how to handle information about critical energy infrastructure.

"The work on how we strengthen our security practices going forward is well under way," LaFleur said, including staff training on the proper handling of nonpublic information, such as so-called critical energy infrastructure information, or CEII, that may be viewed by nongovernmental officials only after they have signed a nondisclosure agreement.

LaFleur said the steps being taken at her agency will help protect "the reliability and security of the grid … the integrity of the commission and people’s confidence in doing business with us."

"We want to reassure industry that they could take ultimate confidence in information they give us. It is absolutely essential that we keep those things confidential, and in general, we have a very good track record," LaFleur said.

"So we’re going to learn from what happened to make sure that we have the processes and training in place so that this can’t happen again."

Reporters Hannah Northey and Peter Behr contributed.