United States: Energy Sector Alert Series: Cybersecurity Developments in the Energy Sector

In this eight-week alert series, we are providing a broad look at current and emerging issues facing the energy sector. Lawyers from across the firm are discussing issues ranging from cybersecurity, antitrust and intellectual property to the impact of both Brexit and the upcoming presidential election on the energy industry. Read our recent publications, including articles from a previous alert series published earlier this year.

Russian, Iranian, and Chinese hackers have demonstrated their capability to use cyber exploits to control and disrupt power grids, generation facilities, and sophisticated natural resource extraction operations.1 Responding to these kinds of threats and others, Congress and federal agencies have dramatically strengthened cybersecurity requirements and authorities in the energy sector in recent years, and additional efforts are under way. Some of the most important recent developments include (i) enactment of the Cybersecurity Act and the FAST Act in December 2015; (ii) adoption of new critical infrastructure protection (CIP) standards under the direction of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC); and (iii) growing efforts by industry to coordinate private sector responses to the threat. Several of those efforts, particularly ones that may be important for energy-sector companies to know about so that they can evaluate changes in the regulatory environment and potential government resources available to address cybersecurity, are described here.

I. Cybersecurity Legislation and the Energy Sector

Over the past 12 months, Congress has shown itself to be keenly focused on cybersecurity threats related to the energy sector, with several pending bills focused on research for better grid-related cyber resiliency and Department of Energy authorities. Two developments in the past year, however, merit special attention. First, in December 2015, Congress created new emergency authorities for the President in the event of a cybersecurity crisis through the so-called Fixing America's Surface Transportation Act (FAST Act). Second, also in December 2015, Congress enacted the Cybersecurity Act of 2015 to encourage private sector and government cooperation to confront cybersecurity threats, particularly threats to critical infrastructure such as the electrical grid. For many years the United States has lacked any broad consensus for how to establish better cybersecurity standards. Both the FAST Act and the Cybersecurity Act of 2015 are largely premised on the idea that existing guidance and regulations are not enough, that critical infrastructure in the United States is at risk, and, simply put, more needs to be done. While the Cybersecurity Act of 2015 is premised on voluntariness (the law forbids government use of voluntarily provided information as the basis for regulatory action), the cybersecurity provisions of the FAST Act open the door for unilateral regulatory action by authorizing the issuance of emergency orders.

A. The FAST Act

The FAST Act has three particularly significant provisions aimed at improving cybersecurity for the electrical sector. Each provision is described below.

(i) Emergency Presidential Authority

The Act allows the President to declare a "grid security emergency."2 Once such an emergency has been declared, the Secretary of Energy may:

with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in the judgment of the Secretary to protect or restore the reliability of critical electric infrastructure or of defense critical electric infrastructure during such emergency.3

The Act states that an order promulgated pursuant to this authority may apply to any (i) electric reliability organization, (ii) electric regional entity, or (iii) any user or owner or operator of "critical electric infrastructure" or of "defense critical electric infrastructure." These categories are likely to cover a very large amount of the electrical sector in the United States. "Critical electric infrastructure" is defined under the Act as:

system or asset of the bulk-power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.4

The definition of "defense critical electric infrastructure" is even broader. The Act defines this category as:

any electric infrastructure located in any of the 48 contiguous States or the District of Columbia that serves a facility designated by the Secretary pursuant to subsection (c), but is not owned or operated by the owner or operator of such facility.

Subsection (c), in turn, directs the Secretary of Energy to designate "critical defense facilities," which are defined as facilities located in the 48 contiguous United States that are critical to the defense of the United States and vulnerable to a disruption of the supply of energy.6 Put another way, the Act requires the Secretary of Energy to designate critical defense facilities and then, once those designations are in place, any "electrical infrastructure" that is especially important for maintaining power at those facilities may be the subject of an emergency regulation pursuant to the Act's emergency provisions.

These new emergency powers can apply to more than just a cyber-attack. The law allows a grid emergency to be declared in the event of a damaging geomagnetic storm, use of an electromagnetic pulse, or other assault on key electricity infrastructure, among other things. The authority is also familiar territory. Like the Communications Act of 1934, which includes similar provisions for the promulgation of emergency regulations in the event of a war,7 the FAST Act provisions cast broad authority for the creation of new regulations to confront unanticipated problems in the future.

(ii) DoE as Lead Sector Specific Agency

The Act makes the Department of Energy the lead cybersecurity agency for the energy sector, and assigns the Secretary of Energy several duties and obligations, including: (i) coordinating with the Department of Homeland Security and other agencies responsible for cybersecurity; (ii) collaborating with owners of critical infrastructure associated with the energy sector; and (iii) collaborating with state and local and independent agencies.8 This portion of the Act is designed to make the Secretary of Energy the primary federal coordinator of cybersecurity protection efforts for the energy sector, and may cement the Secretary's role in the National Infrastructure Protection Plan (NIPP) process.9

(iii) Critical Electric Infrastructure Information

The Act requires FERC, in consultation with the Secretary of Energy, to promulgate regulations establishing procedures for certain information to be designated as Critical Electric Infrastructure Information (CEII) which shall be exempt from disclosure under the Freedom of Information Act and will be specially protected from dissemination when received by government personnel.10 CEII data can be much broader than information about cybersecurity threats—it can conceivably include data about physical vulnerabilities, layout, schematics, etc.—but it is likely to include network data and information about cyber vulnerabilities.

The Act does not require any information sharing,11 but it does provide broad liability protection for any voluntary sharing of CEII information that does occur.12 Still, it is not clear on the face of the new law how regulations to be promulgated for designating and sharing CEII will ultimately relate to separate authorities that FERC already has to designate information as "critical energy infrastructure information."13 But given the existence of immunity protections and the possibility that CEII can be used to protect sensitive data generally, the creation of a new category of CEII will certainly be viewed as potentially significant for many energy companies in the coming years.

B. Cybersecurity Act of 2015

The relationship between CEII sharing provisions may be partly overtaken by the regime to be established pursuant to the Cybersecurity Act of 2015 for sharing "cyber threat indicators." The Cybersecurity Act of 2015 authorizes any entity to share cyber threat indicators or "defensive measures" with another private entity or the government, subject to a variety of privacy protections.14 In this regard, technical information about cyber threats (i.e., cyber threat indicators or defensive measures) shared pursuant to the Cybersecurity Act of 2015 may overlap with the category of critical electric infrastructure information that may be shared pursuant to the FAST Act. Unlike the CEII provisions of the FAST Act, which are only applicable to specially designated CEII data, the sharing provisions of the Cybersecurity Act apply to any set of data that satisfies the definition of "cyber threat indicator" or "defensive measure" under the law. Consequently, energy sector companies may in the future be more inclined to share cybersecurity information pursuant to the Cybersecurity Act of 2015.

II. Changing Energy Sector Cybersecurity Standards

Pursuant to the Energy Policy Act of 2005, FERC designated the North American Electric Reliability Corporation (NERC) as the entity responsible for creating security rules in the United States for the bulk power system.15 These rules are promulgated through Critical Infrastructure Protection (CIP) standards that include cybersecurity-specific requirements.16

Earlier this year, FERC updated CIP standards related to cybersecurity, largely because of concerns about growing threats to the electrical grid.17 In particular, the CIP cybersecurity standards outline the minimum capabilities that utilities must develop to guard against cyber-attacks. For example, facilities must employ electronic security measures like encryption, firewalls, or multi-factor authentication to safeguard their networks.18 They must also protect computer systems against suspicious removable media like USB drives.19 Utilities must monitor physical access to and around their compounds by retaining security guards, screening personnel, maintaining visitor logs, or utilizing motion sensors, badge readers and electronic locks.20

The new standards also establish how utilities may effectively respond to cyberattacks. All facilities must train employees on managing cybersecurity events.21 They must also develop and test response plans that outline how the facility will recover from a cyber-attack.22 And in the event of a reportable cybersecurity incident, utilities must provide timely notification to ES-ISAC.23

While the Department of Energy does not directly establish cybersecurity rules, it does, through a variety of forums, promulgate guidance and pursue efforts to encourage energy sector organizations to build cybersecurity into their network architecture. In 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.24 EO 13636, which was accompanied by a Presidential Policy Directive, instructed the National Institute of Standards and Technology (NIST) to establish voluntary cybersecurity standards and DHS to identify critical infrastructure entities where a cyber-attack "could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."25 The NIST Framework has become a critical benchmark for many companies across multiple critical infrastructure sectors, including energy companies, to establish compliance with an established cybersecurity standard.26 Some agencies are beginning to mandate compliance with other NIST standards as a condition of doing business with the government.27

At the state and local level, energy sector companies encounter an entirely different set of regulators. State and local utility commissions or other regulatory bodies generally regulate the local power distribution system. In 2013, the National Association of Regulatory Utility Commissioners (NARUC) published its Resolution Regarding Cybersecurity Awareness and Initiatives, which advised among other things:

NARUC continues to encourage member commissions to become increasingly knowledgeable about cybersecurity threats to the relevant utility and pipeline sectors and to maintain an open dialogue with their regulated utilities to ensure adequate resources and expertise are being applied to deter, detect, and respond to cyber-attacks.28

And many state commissions have indeed responded to these growing concerns. For example, in April 2016, the Connecticut Public Utilities Regulatory Authority published new cybersecurity standards applicable to utilities in the state,29 and it is likely that other state authorities will continue to revise existing standards to add more cybersecurity requirements in the coming years.

III. Voluntary Cybersecurity Initiatives 

The regulations described above are important, but they are also relatively narrow. For many energy companies the marketplace is as important a source of cybersecurity guidance as regulators. NERC, the Department of Energy, and others have continued to focus attention on cooperative arrangements to encourage companies responsible for various parts of the grid to improve their security practices and to be better prepared to deal with an emergency.

Many of these efforts involve the Electricity Information Sharing and Analysis Center (E-ISAC), a public-private partnership through which companies in the energy sector share cyber threat information with one another and with the government. The E-ISAC is the primary information-sharing group for cyber threat data and helps members prepare to respond to cybersecurity events. For example, on November 18–19, 2015, E-ISAC led GridEx-III, the largest grid security simulated exercise to date.30 Members who share cyber threat data may also receive briefings from the government about developing threats, access to malware samples, and other data that may be useful for responding to particular threats.

The past 24 months have also seen growing outreach from federal executive branch agencies to notify energy-sector companies about developing or potential threats. The Federal Bureau of Investigation often reaches out to utilities thought to be facing special cyber threats. Likewise, the Department of Homeland Security has expanded its Industrial Control System Emergency Response Team, which "works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among federal, state, local, tribal, and territorial governments and control systems owners, operators, and vendors."31

*  *  *

Energy companies are going to continue to encounter a fluid and changing environment relative to cybersecurity regulations, executive branch initiatives, and threats to their digital assets. Companies should ensure that they stay aware of developments in this area and, in light of the many threats companies may face, take steps to prepare to respond to cyber threats that may be encountered in the future.


1 See Evan Perez, U.S. Investigators Find Proof of Cyberattack on Ukraine Power Grid, CNN (Feb. 3, 2016); www.theblaze.com/stories/2015/12/21/ap-investigation-u-s-power-grid-vulnerable-to-foreign-hacks-public-often-kept-in-the-dark/.
2 See Fixing America's Surface Transportation Act, Pub. L. No. 114-94 (hereinafter FAST Act) § 61003(a).
3 Id.
4 Id.
5 Id.
6 Id.
7 See 47 U.S.C. § 606(a) (establishing Presidential power to prioritize communications activities during a war); 606(d)(empowering the President to suspend or amend regulations during a threat of war). During World War I the President was empowered "in time of war or public peril or disaster" to close, control, or take over and use all the radio stations within the jurisdiction of the United States." Act of August 13, 1912, 37 Stat. at L., 302 (Sec. 2).
8 FAST Act § 61003(c).
9 For a description of the NIPP and the related Presidential policy directives establishing sector specific agencies for various critical infrastructure sectors, see www.dhs.gov/national-infrastructure-protection-plan
10 FAST Act Section 61003(c)
11 Id.
12 Id.
13 For more information about critical energy infrastructure information, see www.ferc.gov/legal/ceii-foia/ceii.asp
14 The Cybersecurity Act of 2015 was enacted as Division N in the Fiscal Year 2016 omnibus spending bill. The Act took effect on the date of its enactment (December 18, 2015). Title I of the Act, which includes the authorization and liability protections for cybersecurity monitoring, information-sharing, and use of defensive measures, will remain in effect with respect to any action authorized by or information obtained pursuant to it during the period ending on September 30, 2025.
15 A thorough description of FERC authorities is available at www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp.
16 The Nuclear Regulatory Commission (NRC) has its own authority to regulate security standards for certain nuclear facilities. Toward that end, in January 2010, the NRC published Cybersecurity Guidelines for Nuclear Facilities, which provides instructions for how NRC licensees and license applicants can satisfy cybersecurity rules applicable to this highly regulated sector. A copy of the NRC guidance can be found at pbadupws.nrc.gov/docs/ML0903/ML090340159.pdf. According to the NRC website, the guidance "includes 'best practices' from such organizations as the International Society of Automation, the Institute of Electrical and Electronics Engineers, and the National Institute of Standards and Technology, and the Department of Homeland Security." Nuclear Regulatory Commission, Backgrounder on Cyber Security (Dec. 2014).
17 See, e.g., 18 C.F.R. Part 40 (Revised Critical Infrastructure Protection Reliability Standards) (Jan. 26, 2016).
18 Cyber Security – Electronic Security Perimeter(s), CIP-005-5. All CIP standards cited are available at www.nerc.com/pa/Stand/Pages/CIPStandards.aspx.
19 Cyber Security – Systems Security Management, CIP-007-6.
20 Cyber Security – Systems Security Management, CIP-006-6.
21 Cyber Security – Personnel and Training, CIP-004-6.
22 Cyber Security – Recovery Plans for BES Cyber Systems, CIP-009-6.
23 Cyber Security – Incident Reporting and Response Planning, CIP-008-5.
24 See Jonathan Cedarbaum and Leah Schloss, Implementation of the Cybersecurity Executive Order and President Policy Directive: Timetable and Processes, 12 Privacy and Security Law Report 673 (Apr. 22, 2013).
25 E.O. 13,636 (Feb. 12, 2013) at Section 9.
26 See Energy Sector Cybersecurity Framework Implementation Guidance (Jan. 5, 2015).
27 See, e.g., 80 Fed. Reg. 81472 (Dec. 30, 2015).
28 Resolution Regarding Cybersecurity Awareness and Initiatives, July 24, 2013.
29 Connecticut Public Utilities Cybersecurity Action Plan, April 2, 2016.
30 See NERC, Grid Security Exercise: GridEx III Report (March 2016). See also NERC, Electricity ISAC, (last visited Nov. 2, 2016) (describing the functions and role of E-ISAC); E-ISAC, Understanding your E-ISAC (June 2016) (background information on E-ISAC).
31 www.brymar-consulting.com/wp-content/uploads/Misc/ICS-CERT_140520.pdf


Authors
Jonathan G. Cedarbaum