Data Protection Report - Norton Rose Fulbright

Growing concern over the risk of cyberattack on our energy infrastructure continues to spur legislative and administrative action.  In the last two weeks alone, both chambers of Congress and the Federal Energy Regulatory Commission (FERC) have made advancements with regard to proposals for strengthening the security of the national electric grid.

On Wednesday, the House Subcommittee on Energy and Power unanimously approved a proposed energy reform bill. The bill, while not comprehensive, addresses many energy priorities, and reflects the growing desire to provide greater security to the nation’s electric grid. The bill world create a voluntary “Cyber Sense” program to encourage the bulk power system to use cybersecurity products.

The same day, the Senate Energy and Natural Resources Committee released a bipartisan energy package.  The bill, known as the Energy Policy Modernization Act of 2015, contains a number of sweeping reform provisions, including proposals focused on energy cybersecurity and grid protection.  Among other things, the bill directs the Secretary of Energy to carry out programs for cyber-resilience component testing and operational support, as well as to develop an “advanced energy security program to secure energy networks”.

On the administrative front, FERC recently issued a Notice of Proposed Rulemaking recommending the adoption of “Revised Critical Infrastructure Protection Reliability Standards.”  The standards were submitted to FERC for approval by the North American Electric Reliability Corporation (NERC), after the organization made requested changes to standards previously approved by FERC.  Designed to bolster the ability of the bulk electric grid to withstand cyberattack, the measures include new requirements with regard to the security of electronic devices and low impact assets, as well as a directive to NERC to develop communications network and data protection standards.

With the frequency and magnitude of legislative and administrative changes under consideration in Washington, the need for a centralized, comprehensive and strategic approach to cybersecurity risk management is paramount.  For organizations that may be affected by new regulatory mandates, proactive monitoring of the Congressional agenda and participation in administrative rulemakings is the best way to ensure lawmakers give proper consideration to technical and commercial factors that intersect with the public policy interest in safeguarding our critical energy infrastructure against cyberattack.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.