Public power utilities, together with the entire electric utility industry, take very seriously their responsibility to maintain a secure and reliable electric grid. Electric utilities are the only critical infrastructure sector that has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).
- ElectriCities supports the electric industry’s existing cybersecurity regulatory structures. Federal law gives the Federal Energy Regulatory Commission (FERC) and the North American Energy Reliability Council (NERC) the authority to establish and enforce reliability standards on “all users, owners and operators of the bulk-power system” including public power entities. NERC, working with electric industry experts, regional entities, and government representatives, regularly drafts reliability, physical security, and cybersecurity standards that apply across the North American grid.
- ElectriCities supports federal funding for cyber and physical security protections, including grants for small utilities. ElectriCities supported passage of the Cybersecurity Act of 2015, which provides policies and procedures for sharing cybersecurity threat information between the federal government and private entities (which includes electric utilities), as well as sharing between private entities while providing limited liability protection for these activities if conducted in accordance with the act.
- We also strongly support the grid security provisions of the Fixing America’s Surface Transportation Act or “FAST Act,” which gave the Secretary of Energy broader authority to address grid security emergencies under the Federal Power Act. It also clarified the ability of FERC and other federal agencies to protect sensitive critical electric infrastructure information (CEII) from public disclosure under the federal Freedom of Information Act (FOIA).
The authorities, regulations, and standards outlined above provide a solid foundation for strengthening the industry’s security posture. As an industry, we will continue to focus on improving on that foundation.
Accordingly, we will remain active as the administration writes rules for implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring covered entities to report covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. DHS should harmonize the requirements with existing electric sector reporting rules so that the requirements are not merely duplicative.