Energy-sector cybersecurity and privacy are generating significant attention of late. Last month, the Federal Energy Regulatory Commission (FERC) issued a final rule creating new standards for the cybersecurity of the electric grid. FERC followed this issuance with a report on electric grid recovery and restoration planning that makes a number of recommendations for improved cyber-incident response and recovery plans.
In parallel, the U.S. Congress is working on a variety of measures to combat perceived cybersecurity and privacy threats related to the power grid. The outage of part of Ukraine's power grid that has been attributed to a cyberattack on grid operators; reports of ISIS and other foreign threats attempting to hack the U.S. grid; and news reports about the sensitivity of data on home energy usage have added a sense of urgency to this work.
House Bill Cyber Provisions
On December 3, 2015, in a largely partisan vote with overwhelming Republican support, the U.S. House of Representatives passed the North American Energy Security and Infrastructure Act of 2015 by a vote of 249-147. The bill includes a “Cyber Sense” program in Section 1106 that directs the secretary of energy to identify and promote cyber-secure products intended for use in the bulk-power system. In carrying out the Cyber Sense program, the secretary is directed to:
- establish a testing process to identify products and technologies intended for use in the bulk-power system;
- maintain cybersecurity vulnerability reporting processes and a related database for products tested and identified under the Cyber Sense program;
- promulgate regulations regarding vulnerability reporting for products tested and identified under the Cyber Sense program;
- provide technical assistance to utilities, product manufacturers, and other electric sector stakeholders to help mitigate vulnerabilities in products tested and identified under the Cyber Sense program;
- biennially review products tested and identified under the Cyber Sense program for vulnerabilities and provide analysis with respect to how such products respond to and mitigate cyber threats;
- develop procurement guidance for utilities for products tested and identified under the Cyber Sense program;
- provide reasonable notice to the public, and solicit comments from the public, prior to establishing or revising the Cyber Sense testing process;
- oversee Cyber Sense testing carried out by third parties; and
- consider incentives to encourage the use of products tested and identified under the Cyber Sense program in the bulk-power system.
The House bill also provides new authority in Section 1104 to the secretary of energy, upon a written directive from the president, to issue orders for such emergency measures as are necessary to protect or restore critical electric infrastructure. The secretary may take these actions with or without notice, hearing, or report. The bill also creates a mechanism for critical electric infrastructure entities that incur substantial costs complying with emergency measures to recover those costs.
Senate Bill Cyber Provisions
In the Senate, the Energy Policy Modernization Act of 2015 includes cybersecurity provisions similar to the House bill. This Senate bill was reported out of the Committee on Energy and Natural Resources on September 9, 2015, and is currently awaiting consideration by the full Senate.
Like the House bill, the Senate bill provides the secretary of energy wide authority over certain electricity systems in the event of a cybersecurity threat. At the direction of the president, the Department of Energy would have the authority to require, without notice, certain electric infrastructure companies to take actions to avert or mitigate cybersecurity threats. Also like the House bill, the legislation directs the secretary to: collaborate with critical infrastructure owners and provide technical cybersecurity assistance; establish a cyber testing program to identify vulnerabilities; oversee third-party cyber testing of component parts; and develop procurement guidelines for energy-sector supply chain components.
A Lack of Privacy Provisions in the Senate Bill
The House energy bill includes a number of privacy protections for customers’ smart meter data that have not been included in the Senate bill. In general, these provisions would restrict companies from: disclosing customers’ energy data to a third party without consent; selling customers’ energy data or any other personally identifiable information for any purpose; providing a discount for access to customer data without consent; or conditioning customer access to his or her data upon consent to share customer data with third parties. The House bill expressly states that it does not preclude an electrical or gas corporation from using aggregate customer energy data for analysis, reporting, or program management.
The Senate bill does not include any of the above provisions. However, if the Senate bill is considered by the full Senate chamber, expect members to offer privacy amendments for consideration such as the ones in the House bill.
Prospects for Passage
The cybersecurity and privacy provisions discussed above are included in comprehensive energy bills. These energy bills are notoriously difficult to pass (the last time Congress did so was in 2007). Debates about climate change, the Keystone XL pipeline, LNG exports and many other issues unrelated to cybersecurity and privacy impede progress on energy legislation. Of course, the cybersecurity and privacy provisions could be separated, debated, and passed out of both chambers. There are no indications yet that this will occur.
Going forward, it will be important to watch how the debate over comprehensive energy legislation progresses in the Congress, particularly in the Senate. If prospects for passage of broad legislation are stymied and a significant cybersecurity or privacy breach occurs in the energy sector, be on the lookout for attempts to pass standalone cybersecurity or privacy reforms for energy companies.
A number of differences persist between the House and Senate bills. Nonetheless, the core provisions described above suggest that a common approach to energy-sector cybersecurity legislation is forming in the Congress. Cybersecurity could be one area of energy policy on which the Congress legislates this year.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Tracker.