Article is behind a paywall, but I thought this passage was interesting:
A grid security activist has sued the Federal Energy Regulatory Commission for shielding the names of hundreds of U.S. utilities found to have broken cybersecurity rules.
Michael Mabee called on FERC to reveal the identities of the violators under the Freedom of Information Act last year, but the agency rejected some of his requests and hasn't responded to others. He filed a FOIA lawsuit Friday in the U.S. District Court for the District of Columbia aimed at forcing the agency to start naming names.
"We need to have transparency and accountability," Mabee told E&E News in an interview yesterday. "People need to know if the company they depend on for electricity is a serial violator of these standards."
A FERC spokeswoman declined comment on legal matters. The agency's Critical Infrastructure Protection (CIP) standards, in place since 2008, include detailed cyber and physical security requirements for utilities connected to the bulk U.S. power grid.
Companies that run afoul of the CIP rules can face multimillion-dollar fines, but their names are normally kept secret, on the grounds that stripping their anonymity could expose them to hackers and put the power grid in danger.
What are your thoughts on the idea of keeping these companies secret: is it wise to protect their vulnerabilities, or does the industry/community have a right to know? How do you weigh these competing priorities?