Public power utilities, together with the entire electric utility industry, take very seriously their responsibility to maintain a secure and reliable electric grid. Electric utilities are the only critical infrastructure sector that has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).
- Congress established the mandatory standards regime for the bulk power system in the Energy Policy Act of 2005 (EPAct05), which added section 215 to the Federal Power Act. Under section 215, the North American Electric Reliability Corporation (NERC), working with electric industry experts, regional entities, and government representatives, regularly drafts reliability, physical security, and cybersecurity standards; once approved by the Federal Energy Regulatory Commission (FERC), those standards are mandatory and enforceable for users, owners, and operators of the bulk power system across the North American grid.
- ElectriCities supported passage of the Cybersecurity Act of 2015, which provides policies and procedures for sharing cybersecurity threat information between the federal government and private entities (which includes electric utilities), as well as sharing between private entities while providing limited liability protection for these activities if conducted in accordance with the act.
- We also strongly support the grid security provisions of the Fixing America’s Surface Transportation Act or “FAST Act,” which gave the Secretary of Energy broader authority to address grid security emergencies under the Federal Power Act. It also clarified the ability of FERC and other federal agencies to protect sensitive critical electric infrastructure information (CEII) from public disclosure under the federal Freedom of Information Act (FOIA).
The authorities, regulations, and standards outlined above provide a solid foundation for strengthening the industry’s security posture. As an industry, we will continue to build on that foundation.
Accordingly, we will remain active as the administration writes rules to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires covered entities to report covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. DHS should harmonize these requirements with the reporting obligations electric utilities already have (such as NERC CIP-008 incident reporting to the E-ISAC and CISA, and DOE Form OE-417 emergency incident reporting) so that the new rules do not simply duplicate existing ones.