Senate panel passes grid security bills

a

The Senate Committee on Energy and Natural Resources approved a pair of bills designed to improve the cyber and physical security for the energy grid at a Sept. 25 meeting.

The Energy Cybersecurity Act of 2019, backed by Sen. Maria Cantwell (D-Wash.), would lean on energy grid stakeholders, including energy providers, states and federal agencies to develop advanced cybersecurity applications and technologies to protect the infrastructure. It also tasks stakeholders with identifying and addressing cross-cutting infrastructure vulnerabilities. The bill also authorizes $900 million over nine years to put new policies in place, including a supply chain protection program and an advanced energy security program covering the transmission and delivery of electric power, natural gas and oil.

"The grid is subject to more than a million cyberattacks every day," Cantwell said at the hearing. "The bill will work to secure energy networks, bolster industry participation, address cyber workforce and expand DOE's cooperation with the intelligence community."

The committee also passed the Enhancing Grid Security through Public-Private Partnerships Act, backed by Sen. Cory Gardner (R-Col.).

That bill would charge Energy Secretary Rick Perry -- in consultation with state energy regulatory authorities, the energy industry, the North American Electric Reliability Organization and federal agencies selected by the secretary -- to develop voluntary protections for grid providers. Under the proposed legislation, the group would develop maturity models, self-assessments and auditing methods for electric companies to gauge physical and cybersecurity and help with threat assessment and cybersecurity training.

The bill would also task the Energy Department with issuing a yearly report on priorities, policies and procedures to address physical and cybersecurity of a number of grid systems, including electricity distribution systems, behind- the-meter generation, storage and load management devices.

Cross-cutting critical infrastructure cybersecurity issues have become a focus for federal cybersecurity guard dogs, including the Department of Energy and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

In August, CISA Assistant Director for Infrastructure Security Brian Harrell said his agency is focused on identifying and assisting critical infrastructure providers manage threats that straddle the physical and cyber worlds. For instance, he said, to CISA an "insider threat" to a critical infrastructure company can be someone exfiltrating data to a competitor, or to a nation state, or in some instances ahead of a violent assault on the facility.