On February 12, 2013, just before his State of the Union address, President Obama issued an Executive Order on Improving Critical Infrastructure Cybersecurity ("Executive Order") and a related Presidential Policy Directive on Critical Infrastructure Security and Resilience ("Policy Directive"). The Executive Order notes that "[i]t is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
Executive orders, by nature, do not create laws, regulations or requirements applicable to private entities. Instead, executive orders create obligations for agencies of the Federal Government. The Executive Order issued last month establishes requirements for several federal agencies and voluntary obligations for critical infrastructure owners and operators, as discussed in more detail below.
Cybersecurity is also an issue facing Congress right now. The Cyber Intelligence Sharing and Protection Act ("CISPA"), H.R. 624, which was reintroduced in the House of Representatives last month after passing in the House and then dying in the Senate last year, sets forth rights and obligations for both the Federal Government and critical infrastructure owners and operators. CISPA goes beyond the Executive Order’s directive for the Federal Government to share classified information regarding cybersecurity threats with the targeted entity by permitting private entities to share information with the Federal Government regarding perceived cyber threats. Under CISPA, entities that share information with the Federal Government are granted broad civil and criminal immunity regarding that entity’s identification of cyber threats, sharing of cyber threat information and decisions made based on cyber threats, provided that the entity acted in "good faith." This bill is hotly contested by privacy advocates who fear that the law, if enacted, would allow companies to share private, personal information with the Federal Government, while business advocates support the bill as a measure to fight cybersecurity threats.
Energy-Related Critical Infrastructure
The Executive Order deems critical infrastructure to mean "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Because the President has defined critical infrastructure so broadly, the directives in the Executive Order will have a far-reaching effect. Many types of energy-related infrastructure will be implicated, including generators, pipelines and electronic networks.
The Executive Order seeks to ensure that information regarding cyber threats is shared with the necessary entities in a timely fashion. The United States Attorney General ("Attorney General"), the Secretary of Homeland Security ("Secretary") and the Director of National Intelligence are each directed to issue instructions to "ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity" within 120 days of the Executive Order (i.e., by June 12, 2013). The Attorney General and Secretary must also, with the assistance of the Director of National Intelligence, establish a process to facilitate alerting the targeted entity of such cyber threats and other critical infrastructure entities authorized to receive information regarding such cyber threats.
Furthermore, the Secretary is directed to issue procedures which expand the Enhanced Cybersecurity Services program, a voluntary program in which the Federal Government provides classified cyber threat and technical information to eligible critical infrastructure companies or entities that offer security services to critical infrastructure, from the defense sector to all critical infrastructure sectors (including the energy sector). Finally, the Secretary is directed to establish "a consultative process to coordinate improvements to the cybersecurity of critical infrastructure" among numerous entities, including the Critical Infrastructure Partnership Advisory Council (established by the Department of Homeland Security to coordinate infrastructure protection between federal, state and local governments, and the private sector), Sector Coordinating Councils (entities that serve as main contact with the Federal Government for addressing and implementing sector-specific critical infrastructure protection issues), critical infrastructure owners and operators, regulatory agencies and state and local governments.
The Director of the National Institute of Standards and Technology ("NIST"), pursuant to the Executive Order, will lead the development of a Cybersecurity Framework ("Framework") in an effort to reduce cyber risks to critical infrastructure. This Framework will consist of "voluntary consensus standards and industry best practices to the fullest extent possible." The Framework is also required to: i) identify areas of improvement of cross-sector security standards and guidelines applicable to critical infrastructure that should be addressed in the future; ii) be technology neutral and enable entities to benefit "from a competitive market for products and services" related to addressing cyber risks; and iii) provide guidance for measuring performance of an entity in its implementation of the Framework.
The Executive Order directs that the Framework be developed using a collaborative process and with an open public review and comment process. A preliminary Framework must be published within 240 days of the Executive Order (i.e., by October 10, 2013) and the final Framework must be published within one year of the Executive Order (i.e., by February 12, 2014). The Framework must be reviewed and updated as necessary by the NIST Director.
The NIST, in response to the Executive Order, formally issued a request for information ("RFI") on February 26, 2013, with responses due no later than April 8, 2013.
The RFI notes that the goals of the Framework development process are to:
- "identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities;
- specify high-priority gaps for which new or revised standards are needed; and
- collaboratively develop action plans by which these gaps can be addressed."
The initial stage of the Framework will emphasize "finding commonality within and across the affected sectors." To that end, the RFI seeks information from stakeholders regarding specific industry practices, as well as current risk management practices, and use of frameworks, standards, guidelines and best practices. While the RFI poses specific questions in each of these three categories, stakeholder responses are not limited to addressing such questions.
The NIST invites a wide scope of stakeholders, beyond critical infrastructure owners and operators, to respond to the RFI, including federal agencies, state, local, territorial and tribal governments, standard-setting organizations, other members of industry, consumers and solution providers. The NIST will use stakeholder comments to prepare the preliminary Framework, which must be published (as noted above) no later than October 10, 2013 and will also be subject to stakeholder comments.
Those federal agencies (excluding independent regulatory agencies, such as the Federal Energy Regulatory Commission) that are responsible for regulating the security of critical infrastructure must, in collaboration with other federal agencies such as the Department of Homeland Security, review the preliminary Framework and assess whether current cybersecurity regulatory requirements are adequate. If such requirements are not, the Executive Order directs such agencies to "propose prioritized, risk-based, efficient, and coordinated actions…to mitigate cyber risk." Within two years of the Framework’s final publication, such agencies are required to report "on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements." Furthermore, such report must also "describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements."
Voluntary Critical Infrastructure Cybersecurity Program
The Executive Order directs the Secretary to establish a voluntary program that supports the adoption of the Framework by critical infrastructure owners and operators, and to establish unspecified incentives for participation in the program. Sector-specific agencies, such as the Department of Energy for energy-related critical infrastructure, as set forth in the Policy Directive, are directed to review the Framework and develop any necessary guidance to address sector-specific cyber risks and operating environments.
Identification of Critical Infrastructure at Greatest Risk
The Secretary is directed to, within 150 days of the Executive Order (i.e., by July 12, 2013), identify critical infrastructure using a risk-based approach "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health and safety, economic security, or national security." This list must be reviewed and updated annually by the Secretary. Owners and operators of the identified critical infrastructure will be notified of such identification and the basis for such identification. The Secretary is required to develop a process in which owners and operators may submit information regarding identified critical infrastructure and request reconsideration of the Secretary’s identification of such infrastructure.
The Policy Directive establishes that the Secretary will coordinate the overall effort to enhance the cybersecurity of critical infrastructure, sets forth specific roles and responsibilities of the Secretary, defines roles and responsibilities of the sector-specific federal agencies which will assist in the implementation of the Policy Directive, and assigns responsibilities to other federal agencies, such as the Department of Justice, Department of the Interior and the Department of Commerce. Furthermore, the Policy Directive sets forth three strategic initiatives, including: i) clarifying functional relationships across the Federal Government to advance a national plan to strengthen the cybersecurity of critical infrastructure; ii) enabling efficient information sharing between all levels of government and critical infrastructure owners and operators; and iii) implementing an integration and analysis function to inform planning and operational decisions regarding critical infrastructure.
The Executive Order and the resulting Framework will have a widespread impact on the energy industry since so much of the industry’s infrastructure will be deemed critical infrastructure. Most, if not all, energy facilities will now be subject to the measures developed and implemented pursuant to the Executive Order, especially with respect to the Framework. Because such facilities are already subject to extensive regulation by other entities (e.g., North American Electric Reliability Corporation ("NERC"), state governments, etc.), these new Framework measures may lead to some industry confusion despite the Federal Government’s best efforts to implement the Executive Order "consistent with applicable law."
Owners, operators and users of the Bulk Electric System are subject to NERC Reliability Standards which include requirements that protect such entities and their critical infrastructure against the threat of cybersecurity intrusions and attacks. Because NERC Reliability Standards heavily restrict owners, operators and users of the Bulk Electric System from sharing confidential information, the Federal Government must ensure that its cybersecurity initiatives reflect these restrictions. Furthermore, the Federal Government must require that sensitive information regarding critical infrastructure be shared in a manner that protects the information from inadvertent disclosure to unauthorized entities.
The energy industry must follow these cybersecurity developments closely to ensure that its obligations under the Framework are clear, to confirm that the Federal Government has established protections against inadvertent disclosure of confidential information and to ensure that the Secretary has accurately identified the critical infrastructure at greatest risk. The first opportunity to engage in the enhancement of cybersecurity protections is for entities to respond to the NIST RFI by the April 8, 2013 deadline.