On April 20, the United States Senate passed a sweeping energy bill that would give the Department of Energy authority to step in during a cyber attack and tell electric utilities what to do to protect the nation’s power grid. The bill also authorizes funding for cyber research and testing, and more clearly defines DOE’s role in power grid defense.
The Energy Policy Modernization Act amends several prior bills, including the Energy Independence and Security Act of 2007, the Energy Conservation and Production Act, and the Energy Policy and Conservation Act. The Act received broad approval from both sides of the aisle, ultimately passing 85 to 12.
While the bill covers a wide range of energy topics, a significant portion is devoted specifically to the protection of the U.S. power grid. For example, the legislation would give DOE the authority to step in during a cyber security threat and to mandate that an electric utility “take such actions as the Secretary determines will best avert or mitigate the cyber security threat.” The term “cyber security threat” under the Senate bill means “the imminent danger of an act that severely disrupts, attempts to severely disrupt, or poses a significant risk of severely disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of the bulk-power system.” The Senate bill would cap the number of days that DOE could control an electric utility in the event of an attack, and would require the President to direct the Secretary of DOE to take action.
The bill also provides funding for various cyber security-related elements of overall grid protection. For example, the legislation mandates the creation of a “cyber resilience” program “to establish a cybertesting and mitigation program to identify vulnerabilities of energy sector supply chain products to known threats; to oversee third-party cybertesting; and to develop procurement guidelines for energy sector supply chain components.”
Additionally, the bill requires the DOE to write regulations defining “critical electric infrastructure information” and provides for measures to prevent its unauthorized disclosure, although it would not include any mandatory information sharing.
The cyber security section would be a substantial addition over the last energy bill that passed Congress in 2007. That legislation contained only passing references to cyber security.
The expected next step is for a conference committee, with the House of Representatives, to reconcile the Senate legislation with a more politically contentious House bill. The U.S. House of Representatives passed the North American Energy Security and Infrastructure Act of 2015 by a vote of 249-147. A number of differences do persist between the House and Senate bills. For example, the House bill includes a “Cyber Sense” program that directs the Secretary of Energy to identify and promote cyber-secure products intended for use in the bulk-power system. Nevertheless, it appears that the differences between the two bills related to cyber security are unlikely to pose a threat to the reconciliation process.
The White House has said that President Obama “supports some provisions of the legislation” from the Senate, but has questioned others. More specifically, the White House issued a Statement of Policy noting that the legislation would “omit key security considerations with regard to provisions dealing with cyber security and computing.”