US legislation moves to secure critical energy infrastructure

critical energy infrastructure


The U.S. House of Representatives approved last week three bills that aim at strengthening cybersecurity measures in critical energy infrastructure.

One of the bills titled, H.R.3119, ‘Energy Emergency Leadership Act,’ introduced by House Representatives Bobby Rush, a Democrat from Illinois, and Tim Walberg, a Republican from Mississippi, will help elevate energy emergency and cybersecurity responsibilities as a core function for the U.S. Department of Energy (DOE).

The bill will also create a new assistant secretary position at the DOE with jurisdiction over energy emergency and energy security functions, including those related to infrastructure and cybersecurity. The bill would elevate energy emergency and cybersecurity responsibilities as core functions of DOE to better deal with cybersecurity incidents in the critical energy infrastructure.

“Our energy infrastructure is facing major, increasing threats from ransomware attacks, climate change, and bad actors — this reality has been thrown into stark relief in recent months,” Rep. Rush said in a press statement. “By creating a new Assistant Secretary position, the Energy Emergency Leadership Act will boost energy security as a core responsibility of the Department. This is necessary given recent attacks, including on Colonial Pipeline, as well as ongoing threats to our energy infrastructure that we will no doubt continue to face. I’m glad to see this important legislation pass the House in a bipartisan manner, and I am hopeful that the Senate will act on it soon.”

Another bill, titled, H.R. 2931, ‘Enhancing Grid Security through Public-Private Partnerships Act’, was introduced by House Representatives Jerry McNerney, a Democrat from California, and Bob Latta, a Republican from Ohio. The bill directs the Secretary of Energy, in consultation with States, other Federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cybersecurity of critical energy infrastructure.

Congressmen Latta and McNerney introduced in April another bill, titled, H.R. 2928, ‘Cyber Sense Act of 2021,’ which has cleared the House of Representatives. The bill seeks to create a voluntary DOE ‘Cyber Sense’ program that would identify and promote cyber-secure products for use in the bulk-power system.

The bill also establishes a testing process for the products along with a reporting process of cybersecurity vulnerabilities. It creates a database at the DOE to track products and help provide more information on cyber weaknesses for electric utilities and their potential to cause harm to critical energy infrastructure. This would aid electric utilities that are evaluating products and their potential to cause harm to the electric grid.

“​​The Biden Administration has committed to making cybersecurity a top priority and is now turning its focus towards energy infrastructure, which is widely recognized as vulnerable to cyberattack due to grid control systems,” Leah Kaiser, an associate at law firm Husch Blackwell, wrote in a recent Mondaq blog post.

Last week, a bipartisan group of U.S. senators introduced a bill titled, ‘Cyber Incident Notification Act of 2021,’ which aims to help safeguard the nation’s critical infrastructure networks against cybersecurity threats. The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) to ensure that they can better identify and mitigate threats to industrial control systems (ICS) and operational technology (OT) involved in operating the function of critical infrastructure networks like pipelines, and water and electric utilities.

The bipartisan Cyber Incident Notification Act comes following the SolarWinds supply chain attack, hack of a Florida water treatment facility, and the ransomware attack on Colonial Pipeline. The heightened threat level needs enhanced security focus, as such attacks on operational and critical infrastructure environments can have catastrophic outcomes.

U.S. Senators Mark Warner, a Democrat from Virginia, Gary Peters, a Democrat from Michigan, Rob Portman, a Republican from Ohio, chairman and ranking member of the Homeland Security and Governmental Affairs Committee, and Marco Rubio, a Republican from Florida, chairman and vice chair of the Senate select committee on intelligence, introduced the bipartisan legislation in the Senate.

“The trend over the last decade to interconnect, automate, and in some cases bring online industrial controls has introduced significant cyber vulnerabilities, attack vectors and even potential systemic risk,” Senator Warner said in a statement. “The federal government needs to understand these risks and help our critical infrastructure sectors prepare for and defend against these threats, and this bill takes a good step forward in doing that.”

The bill is the Senate companion to legislation introduced by the U.S. Representative John Katko, ranking member of the House Homeland Security Committee that has already passed the House unanimously.

The developments in the energy sector come at the same time as the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) division released its second security directive that requires TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas to enforce a number of urgently needed protections against cyber intrusions.

The U.S. House of Representatives also last week bolstered industrial control cybersecurity, strengthened U.S. critical supply chains, and improved long-term economic security. The DHS Industrial Control Systems Capabilities Enhancement Act of 2021 that addresses critical infrastructure was passed in the House.