Bills now before the House Homeland Security and Energy and Commerce Committees take different approaches toward regulating and strengthening the security of the electric grid against cyberattack.
House legislators have introduced at least two bills to revamp security regulation of the nation’s power grid.
Officials at the Federal Energy Regulatory Commission, which is responsible for regulating the power grid, have complained that current laws do not allow timely, flexible security standards and leave the grid vulnerable to cyberattack in a quickly evolving, increasingly networked environment.
H.R. 2165, the Bulk Power System Protection Act of 2009, was introduced April 29 by Rep. John Barrow (D-Ga.). H.R. 2195 was introduced April 30 by House Homeland Security Committee chairman Bennie Thompson (D-Miss.). Sen. Joseph Lieberman (I-Conn.) introduced a companion bill to Thompson's legislation, S. 946, April 30.
The House bills are similar, but a comparison of the two by the Homeland Security Committee highlights their differences.
The Homeland Security Department's role:
H.R. 2165 does not specify a role for DHS.
H.R. 2195 requires DHS to assess cyber vulnerabilities or threats to electric infrastructure and recommend ways to mitigate them. DHS also would play the lead role in identifying threats or vulnerabilities that require immediate protective actions. DHS already plays a major role in control system cybersecurity, funding the Control Systems Security Program at the Energy Department’s Idaho National Laboratory at $25 million a year.
H.R. 2165 covers the bulk power system, defined in the Federal Power Act as generation and high voltage transmission systems, but does not include distribution substations and lower voltage networks that distribute electricity to customers. Alaska, Hawaii, and Guam are specifically excluded from reliability regulations, as are many major cities, such as New York and Washington.
H.R. 2195 covers all critical electric infrastructure, defined in the legislation as generation, transmission, distribution and metering infrastructure.
Standards to protect against current vulnerabilities:
H.R. 2165 requires FERC, in consultation with Mexico and Canada, to establish measures to protect against specific vulnerabilities and related remote access issues. FERC may issue orders to grid operators to incorporate these measures, subject to notice and comment, until the North American Electric Reliability Corp., a standards-setting body, adopts mandatory standards that replace interim FERC orders.
H.R. 2195 requires FERC, in consultation with DHS, to supplement cybersecurity standards determined to be inadequate against vulnerabilities or threats. Subsequent NERC measures can replace those standards.
Orders for future threats:
Under H.R. 2165, a written directive from the president that a cyberattack is pending will require FERC to issue emergency orders within 30 days to owners, users and operators of the bulk power system or any regional entity. This emergency order would be discontinued if the president, the secretary of Energy or FERC finds that the threat is no longer imminent; when a replacement standard is adopted; or after one year, if the threat has not been reaffirmed.
H.R. 2195 requires DHS to perform ongoing vulnerability and threat assessments of critical electric infrastructure and recommend mitigations to FERC. FERC may issue mitigation orders if it finds that a threat is imminent. These orders apply to any owner or operator of generation, transmission, distribution or metering systems and are effective for 90 days unless continued by FERC.
Protection of information:
H.R. 2165 requires FERC to issue rules and procedures for protecting unclassified sensitive cybersecurity information from disclosure. These rules would not prevent FERC from disclosing this information on a need-to-know basis. The bill contains a list of requirements for handling this information.
H.R. 2195 uses the Homeland Security Act’s “Protected Critical Infrastructure Information Program” to protect information, exempting information submitted to FERC from the Freedom of Information Act and from state and local disclosure laws.
Providing assistance to industry:
H.R. 2165 requires the Energy secretary to establish a program to develop expertise in electric grid cybersecurity within industry.
H.R. 2195 has no similar provision, although the Homeland Security Committee might argue that an existing DHS program to secure control systems should be expanded rather than re-established at DOE.
H.R. 2165 requires Alaska, Hawaii and Guam to prepare plans to protect facilities that provide electricity to defense facilities from imminent cyberattack, because the definition of bulk power system does not include those states and territories.
H.R. 2195 would cover those assets without a specific provision. The bill also would cover cities such as New York and Washington, which are likewise outside the scope of the bulk power system.