Updated at 1:54 p.m. EST.
The Federal Energy Regulatory Commission and its former chairman shared sensitive — but not likely classified — information about hypothetical attacks on the electric grid without the proper clearance, sparking concerns about terrorist attacks on the power system, according to a report released today by the Department of Energy’s inspector general.
Former FERC Chairman Jon Wellinghoff ordered his staff in 2013 to identify critical substations by location and simulate widespread blackouts that would result from their destruction, Inspector General Gregory Friedman found.
FERC staffers expressed concern the information could be of "national security" interest and might provide terrorists with a blueprint for disabling portions of the grid if it fell into the wrong hands, the IG report says. One senior FERC official indicated the analysis didn’t exist outside the agency and said it would "serve as a very nice road map to someone planning such attacks," according to the report.
Despite those objections, Wellinghoff decided to share "some or all" of that information with utility industry and federal officials, staffers told the IG. The former chairman briefed Secretary of Energy Ernest Moniz and other DOE officials in October 2013, sparking questions among senior DOE officials about whether the information should be classified. Wellinghoff, now an attorney at the Portland, Ore.-based law firm Stoel Rives LLP, was not available to comment on the IG’s findings.
DOE, which classifies information for FERC, and Department of Homeland Security officials told the IG that after they learned more about the analysis, the material was deemed "sensitive but unclassified." There are sanctions for the unauthorized release of classified information, but there are no penalties for releasing "sensitive" data, the report says. Adding to that argument, FERC officials told Friedman the analysis was hypothetical and DOE officials said the loss of critical substations — a "highly unlikely assumption" — would only cause the formation of "islands of power" and not a total loss of power.
"Commission officials assert, and we confirmed, that there is apparently no penalty or sanction that could be imposed for disclosing such information for individuals that either leave or were never a part of the federal service," Friedman wrote.
But the FERC analysis sparked a political firestorm on Capitol Hill after it appeared in a Wall Street Journal article in March 2013. The analysis’s bottom line: The United States could suffer weeks or even months of coast-to-coast blackouts if saboteurs were able to knock out nine of the country’s 55,000 electric-transmission substations on a scorching summer day.
The Journal story appeared around the same time a "military style" attack was taken out on Pacific Gas and Electric Co.’s Metcalf power substation near San Jose, Calif., which remains unsolved (E&E Daily, April 10, 2014).
The IG report highlights what Friedman calls "troubling" inconsistencies between interviews with the former chairman and agency staff.
Wellinghoff during interviews with IG disputed assertions made by FERC staff and DOE officials about the sensitivity of the simulations, saying he discussed the "general nature" of analyzed grid vulnerabilities with one member of the media and considered the material to be unclassified because it was drawn from public sources.
Neither DOE nor FERC, the former chairman said, had signaled the data might be classified, and there was a general assumption that presentations based on staff’s analysis should be considered Critical Energy Infrastructure Information (CEII) — meaning those who viewed the information were required to sign nondisclosure agreements — and that was a step he took.
Friedman said he was unable to resolve differences of opinion about the sensitivity of the data because critical emails from the former chairman’s account between October and November of 2013 were missing.
The report also faults FERC procedures for handling sensitive material. Friedman found FERC staff wasn’t prepared to deal with internal documents that may have had national security implications, and some staffers were unfamiliar with agency policies for handling and sharing data that fall under CEII.
Murkowski vows review
Friedman offered recommendations that the commission has agreed to implement.
FERC staff, he said, must develop a program to ensure sensitive and restricted information is protected — one that balances the needs of industry to access data while keeping it out of the wrong hands.
"Striking a balance between information sharing and protecting nonpublic information that could adversely affect national security continues to pose a major management challenge for the Commission," Friedman wrote, adding that sanctions only apply to the unauthorized exposure of classified information — not sensitive data.
The IG’s office found FERC staff had inconsistently labeled various version of the grid analysis and simulations, and the information was not always protected when in use. The IG also found CEII information was removed from the agency’s premises without proper authorization. Friedman also said the IG found "inconsistent and conflicting" accounts about how the information was released outside the agency, what form it took and whether viewers signed nondisclosure agreements.
Although the IG received 106 signed nondisclosure forms, not all federal officials or congressional staff granted access signed such agreements, according to the report.
Senate Energy and Natural Resources Chairwoman Lisa Murkowski (R-Alaska), whose committee oversees FERC, questioned why Wellinghoff shared an analysis that the agency’s staff later discredited. She vowed to fully review Friedman’s findings and possibly take legislative action to improve FERC’s handling of sensitive data.
Murkowski also questioned why the former chairman’s emails during the relevant time frame last year went missing and hampered the IG’s investigation.
"Not only did the report find inconsistencies between the testimony of former FERC Chairman Wellinghoff and commission officials, but it found that during Wellinghoff’s tenure there was a ‘culture of reluctance to classify certain nonpublic documents,’" Murkowski said in a statement.
"Oversight of FERC is an important duty of this committee," she added. "As chairman, I will fully review the inspector general’s recommendations, including potential legislative proposals to improve FERC’s handling of sensitive information."
