House bill would put grid operators on a short clock for breach reporting

A lawmaker on the House Committee on Energy and Commerce announced plans on Tuesday to introduce legislation to establish a 24-hour mandatory reporting requirement for critical energy infrastructure owners and operators in the wake of a cybersecurity incident.

Rep. Tim Walberg (R-Mich.), said he was planning to re-introduce the bill after cyberattacks on U.S. power grids rose to an all-time high last year.

"More apparently needs to be done to protect our critical energy infrastructure," Rep. Walberg said during a committee hearing focusing on U.S. energy security and supply chains. 

The Critical Electric Infrastructure Cybersecurity Incident Reporting Act would require critical electric infrastructure owners and operators to report cybersecurity incidents to the Department of Energy, which serves as the sector-specific agency for securing critical energy infrastructure, within 24 hours of the discovery of the incident. 

The bill seeks to provide further clarity around reporting requirements by tasking the DOE with developing guidelines about what incidents – and potential incidents – would require reporting to the federal government, and how infrastructure owners and operators can go about the reporting process within the 24-hour window. 

Rep. Cathy McMorris Rodgers (R-Wash.), who now chairs the House Energy and Commerce committee, first introduced the legislation in October last year before Republicans held a majority in the House. She said in a press release at the time that energy infrastructure security requires "the vigilance of experts across the federal government to ensure Americans are safe." 

The subcommittee on energy, climate and grid security convened to discuss a series of bills that GOP lawmakers said were meant to promote U.S. energy reliability and increase energy infrastructure security. 

Rep. Jeff Duncan (R-S.C.), who serves as chair of the subcommittee, said in his opening remarks that the incident reporting act "will increase transparency between critical electric infrastructure owners and the Department of Energy to strengthen our systems.”

Despite a sharp increase in attacks on the U.S. power grid over the last decade, the Federal Energy Regulatory Commission has failed to implement existing mandatory grid cybersecurity standards, according to a Government Accountability Office report published last year. The report said the grid faces a number of vulnerabilities that could allow cybercriminals or other threat actors to gain access and potentially disrupt operations. 

The 24-hour reporting clock is shorter than the 72-hour window mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. That law puts the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security at the center of rulemaking for critical infrastructure operators. They're in the midst of developing an initial round of regulatory proposals. CISA also circulated a request for public comment in September 2022.

Grid operators are also subject to a reporting regime promulgated by the North American Reliability Corporation which in some ways is more stringent than that proposed by the law, however that reporting system is stakeholder based. Under NERC rules, providers are required to notify the Electricity Information Sharing and Analysis Center and the United States National Cybersecurity and Communications Integration Center within an hour of making a determination of a "reportable cybersecurity incident" or by the next day. 

In comments to CISA on possible new CIRCIA regulations, electricity industry stakeholders frequently alluded to the possibility of overlapping regulatory regimes. 

"To avoid duplicative and inconsistent reporting requirements that could result in additional regulatory burden on electricity sector participants and impair incident response, the ERO Enterprise respectfully requests continued coordination with CISA to ensure harmonization between the ERO Enterprise and CIRCIA incident reporting requirements," the Electronic Reliability Organization, which includes NERC and six regional groups, wrote in comments filed with CISA in November.