On February 14, 2019, the Senate Committee on Energy and Natural Resources held a hearing to consider the status and outlook for cybersecurity efforts in the energy industry, hosted by Senators Lisa Murkowski and Joe Manchin. Among other witnesses, Federal Energy Regulatory Commission (“FERC”) Chairman Neil Chatterjee and North American Electric Reliability Corporation (“NERC”) President and CEO James Robb provided testimony that addressed cyber risks confronting the energy sector.
NERC CEO Robb and FERC Chairman Chatterjee each discussed the development of NERC mandatory Critical Infrastructure Protection (“CIP”) Reliability Standards. Recently, through Order No. 850, FERC adopted three CIP Standards (CIP-013-1, CIP-010-3, and CIP-005-6) submitted by NERC to address supply chain risk management. Among other anticipated cyber security threat trends, Robb stated that “[r]ecent incidents have demonstrated that nation-state adversaries are targeting the electric sector and other industries by compromising the networks of third parties with which the intended targets have established business relationships. This tactic is a type of supply chain attack, and increases the success rate of tactics used to initially compromise the intended target.” Senator Manchin also briefly highlighted supply chain security, stating: “We have to make sure the companies that build components for our grid are secure. We have to protect against vendors’ remote access of the grid being exploited, and we have to make sure that attackers don’t insert malware into a vendor software update.” The new CIP Standards related to supply chain risk management go into effect in July 2020.
Chairman Chatterjee further raised a need to focus on natural gas pipeline cybersecurity (overseen by the Transportation Security Administration, “TSA”) in light of the Nation’s reliance on natural gas power generation. While addressing cybersecurity at the NARUC Winter Policy Meeting on February 13, 2019, the Chairman also emphasized natural gas pipeline security, for which there are “no comparable set of mandatory standards” as those that apply to electric grid operators. Chairman Chatterjee pointed out that “despite having the authority to enforce mandatory cybersecurity standards, the TSA relies on voluntary standards.” Chatterjee stated that the TSA Administrator has pledged to take further action to improve the TSA’s oversight of pipeline security.
FERC and the Department of Energy will co-host a technical conference on March 28, 2019, to discuss energy infrastructure security practices. During his recent remarks at the NARUC Winter Policy Meeting, Chairman Chatterjee said that this conference will discuss: (1) current and emerging cyber and physical security threats and how they are addressed by the private sector; and (2) how federal and state authorities can facilitate investments to improve infrastructure security.
The archived video of the Senate Committee hearing and witness testimony is available here
Chairman Chatterjee’s remarks to the NARUC Winter Policy Meeting are available here
Order No. 850 regarding supply chain risk management is available here
For more information on NERC Reliability Standards and the cyber security outlook for the energy sector, please contact: Lisa S. Gast; Sean M. Neal; Kristen Connolly McCullough; Lauren Perkins