As we previously reported, the Senate recently passed the Energy Policy Modernization Act (Act), which promotes renewable energy, improves the energy efficiency of buildings and directs investments towards the research and design of advanced energy technologies and electric grid modernization. The 10-title Act also includes a separate title focused solely on the cybersecurity of the power grid, signaling a continued concern regarding cyber threats to electric utilities and their operating systems. This concern, in turn, is only part of the continuing dialogue around improving cybersecurity for a wide range of critical infrastructure. Such concerns have been sharpened in recent months after a blackout in Ukraine last December was traced to a cyber attack. Verizon reported a similarly worrying incident in March, stating that a cyber attack in an unspecified nation had allowed hackers to gain control over a water treatment facility.
The Act amends Part II of the Federal Power Act to provide the secretary of the Department of Energy (DOE), under direction from the President, with the authority to order “any entity that is registered with the [North American Electric Reliability Corporation (NERC)] as an owner, operator, or user of the bulk-power system to take such actions as the secretary determines will best avert or mitigate” cybersecurity threats.1 In carrying out such an order, the secretary is required under the Act to coordinate with Canada and Mexico on interconnection issues that might arise as a result of the cybersecurity threat, as well as consult with various affected parties (grid operators and generators; NERC; the Electricity Subsector Coordinating Council; and federal and state agencies). Taking into account the added costs that electric utilities and generators might face due to an emergency order, the Act directs the Federal Energy Regulatory Commission (FERC) to adopt regulations that permit affected parties to “seek recovery of prudently incurred costs” from their ratepayers.
Like other provisions of the Act focused on channeling investments in modern grid technologies and infrastructure, the Act directs $100 million worth of funding per year from 2017 to 2025 towards four separate DOE-led programs designed to (i) advance cybersecurity applications and technologies for the energy sector; (ii) identify vulnerabilities of energy sector supply chain products to known cybersecurity threats; (iii) enhance the emergency response capabilities of the DOE and expand cooperation of the DOE with the intelligence communities for energy‑sector-related threat collection and analysis; (iv) and secure energy networks, including electric, natural gas and oil exploration, transmission and delivery.
Finally, the Act exempts critical electric infrastructure information (CEII) from disclosure under the Freedom of Information Act,2 directs FERC to work with the DOE to issue such orders and regulations regarding the proper sharing and designation of CEII, and designates the DOE as the sector-specific agency for cybersecurity for the energy sector.
1 The Act defines a cyber security threat as the “imminent danger of an act that severely disrupts, attempts to severely disrupt, or poses a significant risk of severely disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of the bulk-power system.”
2 5 U.S.C. § 552(b)(3).