This week, the House of Representatives approved three measures aimed at improving cybersecurity in the energy industry:

  • Energy Emergency Leadership Act. This Bill requires the Secretary of Energy to assign energy emergency and cybersecurity responsibilities to an Assistant Secretary, including responsibilities regarding infrastructure and cybersecurity.
  • Cyber Sense Act of 2021. This Bill encourages coordination between the Department of Energy and electric utilities. It also requires the Department of Energy to test products and technologies intended for use in the bulk power system.

These measures, which will now move to the Senate, are in response to the slew of recent cybersecurity attacks against critical U.S. infrastructure, including the ransomware attacks on Colonial Pipeline and JBS USA. You can find our previous post on the Colonial Pipeline cyberattack and the Federal Government’s response here.

In addition to the recent legislative efforts, the Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”) announced on July 20 a new security directive requiring owners and operators of critical pipelines transporting hazardous liquids and natural gas to implement urgently needed protections against cyber intrusions. The directive is in response to the “ongoing cybersecurity threat to pipeline systems” and follows the security directive issued by the TSA in May, immediately following the Colonial Pipeline cyberattack.

The new directive requires owners and operators of critical pipelines to develop and implement a cybersecurity contingency and recovery plan and conduct a cybersecurity architecture design review. The first security directive requires critical pipeline owners and operators to: 1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”); 2) designate a Cybersecurity Coordinator to be available 24/7; 3) review current practices; and 4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.